1 Introduction

Functional encryption Functional encryption (FE), formally introduced by Boneh et al. [20] and O’Neill [59], redefines the classical encryption procedure with the motivation to overcome the limitation of the “all-or-nothing” paradigm of decryption. In a traditional encryption system, there is a single secret key such that a user given a ciphertext can either recover the whole message or learns nothing about it, depending on the availability of the secret key. FE in contrast provides fine grained access control over encrypted data by generating artistic secret keys according to the desired functions of the encrypted data to be disclosed. More specifically, in a public-key FE scheme for a function class \({\mathcal {F}}\), there is a setup authority which produces a master secret key and publishes a master public key. Using the master secret key, the setup authority can derive secret keys or functional decryption keys \({\textsf{SK}}_f\) associated to functions \(f \in {\mathcal {F}}\). Anyone can encrypt messages \({\textsf{msg}}\) belonging to a specified message space \({\textsf{msg}}\in {\mathbb {M}}\) using the master public key to produce a ciphertext \({\textsf{CT}}\). The ciphertext \({\textsf{CT}}\) along with a secret key \({\textsf{SK}}_f\) recovers the function of the message \(f({\textsf{msg}})\) at the time of decryption, while unable to extract any other information about \({\textsf{msg}}\). More specifically, the security of FE requires collusion resistance meaning that any polynomial number of secret keys together cannot gather more information about an encrypted message except the union of what each of the secret keys can learn individually.

FE for attribute-weighted sum Recently, Abdalla et al. [3] proposed an FE scheme for a new class of functionalities which they termed as “attribute-weighted sums”. This is a generalization of the inner product functional encryption (IPFE) [1, 7]. In such a scheme, a database of N attribute-value pairs \((x_i, z_i)_{i = 1, \ldots , N}\) are encrypted using the master public key of the scheme, where \(x_i\) is a public attribute (e.g., demographic data) and \(z_i\) is a private attribute containing sensitive information (e.g., salary, medical condition, loans, college admission outcomes). A recipient having a secret key corresponding to a weight function f can learn the attribute-weighted sum of the database, i.e., \(\sum _{i = 1}^N f(x_i) z_i\). The attribute-weighted sum functionality appears naturally in several real life applications. For instance, as discussed by Abdalla et al. [3] if we consider the weight function f as a boolean predicate, then the attribute-weighted sum functionality \(\sum _{i=1}^N f(x_i)z_i\) would correspond to the average \(z_i\) over all users whose attribute \({\varvec{x}}_i\) satisfies the predicate f. Important practical scenarios include average salaries of minority groups holding a particular job (\(z_i = \) salary) and approval ratings of an election candidate amongst specific demographic groups in a particular state (\(z_i = \) rating). Similarly, if \(z_i\) is boolean, then the attribute-weighted sum becomes \(\sum _{i:z_i=1}f(x_i)\). This could capture for instance the number of and average age of smokers with lung cancer (\(z_i = \) lung cancer, \(f = \) numbers/age).

The work of [3] considered a more general case of the notion where the domain and range of the weight functions are vectors over some finite field \({\mathbb {Z}}_p\). In particular, the database consists of N pairs of public/private attribute vectors \(({\varvec{x}}_i, {\varvec{z}}_i)_{i = 1, \ldots , N}\) which is encrypted to a ciphertext \({\textsf{CT}}\). A secret key \({\textsf{SK}}_f\) generated for a weight function f allows a recipient to learn \(\sum _{i=1}^N f({\varvec{x}}_i)^{\top } {\varvec{z}}_i\) from \({\textsf{CT}}\) without revealing any information about the private attribute vectors \(({\varvec{z}}_i)_{i = 1, \ldots , N}\). To handle a large database where the number of users are not a-priori bounded, Abdalla et al. considered the notion of unbounded-slot FE scheme for attribute-weighted sum. Thus, in their scheme, the number of slots N is not fixed while generating the system parameters and any secret key \({\textsf{SK}}_f\) can decrypt an encrypted database having an arbitrary number of slots. Another advantage of unbounded-slot FE is that the same system parameters and secret keys can be reused for different databases with variable lengths, which saves storage space and reduces communication cost significantly.

The unbounded-slot FE of [3] supports expressive function class of arithmetic branching programs (ABPs) which is capable of capturing boolean formulas, boolean span programs, combinatorial computations, and arithmetic span programs. The FE scheme of [3] is built in asymmetric bilinear groups of prime order and is proven secure in the simulation-based security model, which is known to be the desirable security model for FE [20, 59], under the k-Linear (k-Lin)/Matrix Diffie–Hellman (\({\textsf{MDDH}}\)) assumption. Moreover, their scheme enjoys ciphertext size that grows with the number of slots and the size of the private attribute vectors but is independent of the size of the public attribute vectors. Towards constructing their unbounded-slot scheme, Abdalla et al. first constructed a one-slot scheme and then bootstrap to the unbounded-slot scheme via a semi-generic transformation.

However, one significant limitation of the FE scheme of [3] is that the scheme only achieves semi-adaptive security. While semi-adaptive security, where the adversary is restricted to making secret key queries only after making the ciphertext queries, may be sufficient for certain applications, it is much weaker compared to the strongest and most natural notion of adaptive security which lets the adversary request secret keys both before and after making the ciphertext queries. Thus it is desirable to have an adaptively secure scheme for this important functionality that supports unbounded number of slots.

One artifact of the standard techniques for proving adaptive security of FE schemes based on the so called dual system encryption methodology [45, 46, 64] is the use of a core information theoretic transition limiting the appearance of an attribute in the description of the associated functions at most once (or an a-priori bounded number of times at the expense of ciphertext and key sizes scaling with that upper bound [47, 55, 65]). Recently Kowalczyk and Wee [44] and Lin and Luo [49] presented advanced techniques to overcome the one-use restriction. However, their techniques were designed in the context of attribute-based encryption (ABE) where attributes are totally public. Currently, it is not known how to remove the one-use restriction in the context of adaptively secure FE schemes where attributes are not fully public as is the case for the attribute-weighted sum functionality. This leads us to the following open problem explicitly posed by Abdalla et al. [3]:

Open Problem

Can we construct adaptively simulation-secure one-slot/unbounded-slot FE scheme for the attribute-weighted sum functionality with the weight functions expressed as arithmetic branching programs featuring compact ciphertexts, that is, having ciphertexts that do not grow with the number of appearances of the attributes within the weight functions, from the k-Lin assumption?

Our contributions In this work, we resolve the above open problem. More precisely, we make the following contributions.

(a) We start by presenting the first one-slot FE scheme for the attribute-weighted sum functionality with the weight functions represented as ABPs that achieves adaptive simulation-based security and compact ciphertexts, that is, the ciphertext size is independent of the number of appearances of the attributes within the weight functions. The scheme is secure against an adversary who is allowed to make an a-priori bounded number of ciphertext queries and an unbounded (polynomial) number of secret key queries both before and after the ciphertext queries, which is the best possible level of security one could hope to achieve in adaptive simulation-based framework [20]. Since simulation-based security also implies indistinguishability-based security and indistinguishability-based security against single and multiple ciphertexts are equivalent [20, 59], the proposed FE scheme is also adaptively secure in the indistinguishability-based model against adversaries making unbounded number of ciphertext and secret key queries in any arbitrary order.

(b) We next bootstrap our one-slot scheme to an unbounded-slot scheme that also achieves simulation-based adaptive security against a bounded number of ciphertext queries and an unbounded polynomial number of secret key queries. Just like our one-slot scheme, the ciphertexts of our unbounded-slot scheme also do not depend on the number of appearances of the attributes within the weight functions. However, the caveat here is that the number of pre-ciphertext secret key queries is a priori bounded and all parameters of the scheme, namely, the master public key, ciphertexts, and secret keys scale linearly with that upper bound.

Like Abdalla et al. [3], our FE schemes are built upon asymmetric bilinear groups of prime order. We prove the security of our FE schemes based on the standard (bilateral) k-Lin/(bilateral) \({\textsf{MDDH}}\) assumption(s) [31]. Thus our results can be summarized as follows.

Theorem 1

(Informal) Under the (bilateral) k-Lin/MDDH assumption(s), there exist adaptively simulation secure one-slot/unbounded-slot FE scheme for attribute-weighted sums against a bounded number of ciphertext and an unbounded number of secret-key queries, and having compact ciphertexts, that is, without the one-use restriction, in bilinear groups of prime order.

The bilateral \({\textsf{MDDH}}\) assumption is the plain MDDH assumption except that the elements are available in the exponents of both source groups of a bilinear group simultaneously. This assumption has recently been utilized in the context of achieving FE for quadratic functions in the standard model [5, 67] and broadcast encryption scheme with \(O(N^{1/3})\) parameter sizes from bilinear maps, where N is the total number of users in the system [68]. Unlike [3], our construction is semi-generic and is built upon two cryptographic building blocks, namely a slotted inner product functional encryption (IPFE) [49, 51], which is a hybrid of a public-key IPFE and a private-key function-hiding IPFE, and an information theoretic primitive called arithmetic key garbling scheme (AKGS) [41, 49]. For bootstrapping from one-slot to unbounded-slot construction, we make use of the same semi-generic transformation proposed in [3], but analyze its security in the adaptive simulation-based setting as opposed to the semi-adaptive setting. Table 1 shows the current state of the art in the development of efficient attribute-hiding FE schemes under standard computational assumptions.

On the technical side, our contributions lie in extending the recent framework of Lin and Luo [49]. The techniques of [49] are developed to achieve compact ciphertexts, that is, without the one-use restriction in the context of indistinguishability-based adaptively secure ABE (that is, for payload-hiding security and not attribute-hiding). In this work, we extend their techniques to overcome the one-use restriction into the context of adaptive simulation-based attribute-hiding security for the first time. The high level approach of [49] to mitigate the one-use restriction is to replace the core information theoretic step of the dual system technique with a computational step. However the application of this strategy in their framework crucially rely on the payload hiding security requirement, that is, the adversaries are not allowed to query secret keys that enable a successful decryption. In contrast, in the setting of attribute-hiding, adversaries are allowed to request secret keys enabling successful decryption and extending the technique of [49] into this context appears to be non-trivial. We resolve this by developing a three-slot variant of their framework, integrating the pre-image sampleability of the inner product functionality [28, 59], and carefully exploiting the structures of the underlying building blocks, namely AKGS and slotted IPFE.

Table 1 Current state of the art in attribute-hiding FE

Current vs preliminary versions A preliminary version [30] of this work has appeared in Asiacrypt 2021. This paper includes a significant and considerable amount of technical contributions compared to the preliminary version [30]. The previous version contains only the constructions of our single key, single ciphertext secure one-slot FE scheme and the one-slot FE scheme without providing any concrete security analysis of these protocols. Further, the single key, single ciphertext secure one-slot extFE (extended FE) scheme was absent in the preliminary version which only includes the one-slot extFE scheme without any security proof. In this current version, we not only present the single key, single ciphertext secure one-slot extFE scheme but provide formal security analysis of all these FE schemes. We emphasize that proving adaptive security for extFE scheme is more challenging since additional slots are required to hide the extra private attribute. Apart from the one-slot FE schemes, we discuss the transformation of bootstrapping the one-slot FE to unbounded-slot FE scheme that preserves the level of adaptive security of the underlying one-slot extFE scheme where the vectors associated to secret keys are available in the exponent of a source group. Note that the transformation of Abdalla et al. [3] was presented for the case of selective security whereas we demonstrate that the same transformation can lead to (a level of) adaptive security under the bilateral MDDH assumption. Moreover in the Appendix, for the sake of completeness, we present an adaptively secure one-slot extFE scheme where the secret key vectors are available in clear.

Related works Even before it was formally introduced by [20], FE has been studied for various simplistic functionalities such as equality testing [17, 23, 63], subset membership [19, 21, 62], inner product predicates [43], and \({\textsf{NC}}^1\) access policies [39]. Sahai and Seyalioglu [61] and Gorbunov, Vaikuntanathan, and Wee [36] considered the problem of constructing FE for general functions under standard computational assumptions. The main drawbacks of these constructions are that the schemes support an a-priori bounded number of functional keys and the ciphertext size grows linearly with the number of secret keys of the system. Moreover, the ciphertext size is non-succinct, meaning that the ciphertext size scales with the worst-case circuit size of the functions in the function class. Goldwasser et al. [35] built a succinct FE scheme for general circuits, which enables the authority to release only one secret decryption key under the LWE assumption. Here, succinctness means that the ciphertext size depends on the maximum depth of function class supported by the scheme rather than the size of it. Another line of works [12, 33, 50, 51, 52, 60] based on multilinear maps [25, 32] constructs collusion resistant FE schemes for general circuits with succinct ciphertexts. Since multilinear maps are highly inefficient and suffer from many non-trivial attacks [22, 24, 53], these FE schemes are not assumed to be secure any more. As it seems hard to achieve efficient FE schemes for general circuits from standard assumptions since such an FE scheme would directly imply \(i{\mathcal {O}}\) for general circuits [10, 11, 15], building efficient FE schemes for specific practically useful classes of function has drawn special attention in the community, e.g. attribute-based encryption [4, 8, 9, 18, 27, 37], predicate encryption (PE) [38, 43, 45], partially-hiding PE [28, 66], IPFE [1, 7, 26, 42, 50, 51], attribute-based IPFE [2] and FE for quadratic functions [5, 14, 34, 48, 67, 68].

Paper organization We discuss detailed technical overview of our results in Sect. 2. The preliminaries, definitions and tools are provided in Sect. 3. We present our 1-key 1-ciphertext secure 1-slot FE and fully collusion-resistant 1-slot FE for attribute-weighted sums in Sects. 4.1 and 4.2 respectively. We build unbounded slot FE scheme with the restriction that the number of pre-ciphertext key queries is bounded. For this, we present 1-key 1-ciphertext 1-slot extended FE scheme in Sect. 5.1 which plays an important role in the security reduction of the (pre-ciphertext) bounded key 1-slot extended FE scheme described in Sect. 5.2 where the secret key vector is available in the exponent of a pairing group. Finally, we present the transformation of unbounded-slot FE scheme with adaptive simulation-security in Sect. 6. We present an instantiation of AKGS in Appendix A. As a side contribution, we present a 1-key 1-ciphertext 1-slot extended FE scheme in Appendix B and then using it, construct a fully collusion-resistant 1-slot extended FE scheme in Appendix C. However, the 1-slot extended FE scheme can not be used in the transformation of achieving the unbounded-slot FE from a 1-slot extended FE.

2 Technical overview

In this section, we present our main technical ideas. Let \({{\textsf{G}}} = ({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e)\) be a bilinear group of prime order p and let \([\![a]\!]_i\) denote \(g_i^a\) for any \(a \in {\mathbb {Z}}_p\) and \(i \in \{1, 2, T\}\); this notation can also be extended to vectors and matrices. At the top most level of strategy, we follow [3] to first design an adaptively simulation-secure one-slot FE scheme and then apply a compiler to bootstrap to an unbounded-slot scheme. For the latter part, we use the same compiler as the one presented in [3]. However, [3] only showed that the compiler works in the context of semi-adaptive security, that is, they show that their compiler can bootstrap a semi-adaptively secure one-slot FE scheme to a semi-adaptively secure unbounded-slot scheme. In contrast, we analyze the security of the same transformation in the context of the simulation-based adaptive security framework. We observe that in order to prove the adaptive security for the compiler, the (bilateral) k-Lin/(bilateral) \({\textsf{MDDH}}\) assumption is needed whereas for semi-adaptive security, the plain k-Lin/\({\textsf{MDDH}}\) was sufficient [3]. Moreover, we are only able to establish the simulation-based adaptive security for the transformation for settings where only a bounded number of secret-key queries are allowed prior to making the ciphertext queries.

The majority of our technical ideas in this paper lies in the design and analysis of our one-slot scheme which we describe first in this technical overview. Next, we would briefly explain the modifications to our one-slot scheme leading to our extended one-slot scheme, followed by explaining our analysis of the one-slot to unbounded-slot bootstrapping compiler from [3] applied on our one-slot extended FE (extFE) scheme.

Recall that the adaptive simulation security of an FE scheme is proven by showing the indistinguishability between a real game with all the real algorithms and an ideal game where a simulator simulates all the ciphertexts and secret keys queried by the adversary. When an adversary makes a pre-ciphertext query for some function f, the simulator provides the secret key to the adversary. When the adversary makes a challenge ciphertext query for an attribute vector pair \(({\varvec{x}}, {\varvec{z}})\), the simulator receives the information of \({\varvec{x}}\) but not \({\varvec{z}}\). Instead it receives the functional values \(f({\varvec{x}})^\top {\varvec{z}}\) for all the pre-ciphertext secret keys. Based on this information, the simulator must simulate the challenge ciphertext. Finally, when an adversary makes a secret-key query for some function f after making a ciphertext query, the simulator receives f along with the functional value \(f({\varvec{x}})^\top {\varvec{z}}\) for that key and simulates the key based on this information.

2.1 Designing adaptively simulation secure one-slot extFE

Abdalla et al. [3] built their one-slot FE scheme for attribute-weighted sums by extending the techniques devised by Wee [66] in the context of partially hiding predicate encryptions for predicates expressed as ABPs over public attributes followed by inner product evaluations over private attributes. The proof strategy of [3, 66] is designed to achieve selective type security where during the security reduction, the challenge ciphertext is made completely random and then the secret keys are simulated using the functional value and the randomness used in the challenge ciphertext. In particular, its simulated secret key is divided into two parts—the first part is computed similar to the original key generation algorithm and is used for decrypting the honestly computed ciphertext whereas the second part contains the functional value and is used for decrypting the simulated ciphertext correctly. However, in the adaptive setting, we must embed the correct functional values for the functions associated with the pre-ciphertext secret keys into the challenge ciphertext and therefore the proof technique of [3, 66] does not seem to extend to the adaptive setting. Datta et al. [29] designed an adaptively simulation secure predicate encryption scheme for the same class of predicates as [66], but their ciphertexts do not preserve compactness as they had to impose a read-once restriction on the attributes due to the usual information theoretic argument required in dual system encryption.

Overcoming the one-use restriction of the dual system proof techniques for adaptive security, Lin and Luo [49] developed new techniques to obtain adaptive indistinguishability secure ABE with compact ciphertexts for the class of predicates expressed as ABPs. [49] takes a semi-generic approach to design their ABE schemes. Their main idea is to replace the core information theoretic step of the dual system methodology with a computational step and thereby avoid the one-use restriction. Two main ingredients of [49] are arithmetic key garbling scheme (AKGS) which is the information theoretic component and function-hiding slotted inner product functional encryption (IPFE) which is the computational component. We try to adopt the techniques of [49] into our setting of simulation-based security for FE without the one-use restriction. However, a straight-forward adaptation of the [49] framework into our setting presents several challenges which we overcome with new ideas. Before describing those challenges and our ideas, we first give a high-level overview of the two primitives, namely, AKGS and function-hiding slotted IPFE.

Arithmetic key garbling schemes The notion of partial garbling scheme was proposed in [41] and recently it was further refined by [49] in the context of arithmetic computations. The refined notion is called arithmetic key garbling scheme (AKGS) which garbles a function \(f: {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p^{n^{\prime }}\) along with two secrets \(\alpha , \beta \in {\mathbb {Z}}_p\) so that the evaluation with an input \({\varvec{x}} \in {\mathbb {Z}}_p^n\) gives the value \(\alpha f({\varvec{x}}) + \beta \). Note that the evaluation does not reveal any information about \(\alpha \) and \(\beta \). In particular, the AKGS has the following algorithms:

  • \((\varvec{\ell }_1, \ldots , \varvec{\ell }_{m+1}) \leftarrow {\textsf {Garble}}(\alpha f({\varvec{x}}) +\beta ; {\varvec{r}})\): The garbling algorithm outputs \((m+1)\) affine label functions \(L_1, \ldots , L_{m+1}\), described by their coefficient vectors \(\varvec{\ell }_1, \ldots , \varvec{\ell }_{m+1}\) over \({\mathbb {Z}}_p\), using the randomness \({\varvec{r}} \in {\mathbb {Z}}_p^{m}\) where \((m+1)\) denotes the size of the function f.

  • \(\gamma \leftarrow {\textsf {Eval}}(f, {\varvec{x}}, \ell _1, \ldots , \ell _{m+1})\): The linear evaluation procedure recovers \(\gamma = \alpha f({\varvec{x}}) + \beta \) using the input \({\varvec{x}}\) and the label function values \(\ell _j = L_j({\varvec{x}}) = {\varvec{\ell }_j} \cdot {(1, {\varvec{x}})} \in {\mathbb {Z}}_p\).

AKGS is a partial garbling process as it only hides \(\alpha , \beta \) which is captured by the usual simulation security given by [41]. The simulator produces simulated labels \(({\widehat{\ell }}_1, \ldots , {\widehat{\ell }}_{m+1}) \leftarrow {\textsf {SimGarble}}(f, {\varvec{x}}, \alpha f({\varvec{x}}) + \beta )\) which is the same distribution as the actual label function values evaluated at input \({\varvec{x}}\). Additionally, [49] defines piecewise security of AKGS that consists of two structural properties, namely reverse sampleability and marginal randomness. The partial garbling scheme for ABPs of Ishai and Wee [41] directly implies a piecewise secure AKGS for ABPs. (See Sect. 3.6 for further details.)

Function-hiding slotted IPFE A private-key function-hiding inner product functional encryption (IPFE) scheme based on a bilinear group \({{\textsf{G}}}= ({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e)\) generates secret keys \({\textsf{IPFE}}.{\textsf{SK}}\) for vectors \([\![{\varvec{v}}]\!]_2 \in {\mathbb {G}}_2^{n}\) and produces ciphertexts \({\textsf{IPFE}}.{\textsf{CT}}\) for vectors \([\![{\varvec{u}}]\!]_1 \in {\mathbb {G}}_1^n\) using the master secret key of the system. Both the key generation and encryption algorithm perform linear operations in the exponent of the source groups \({\mathbb {G}}_2, {\mathbb {G}}_1\) respectively. The decryption recovers the inner product \([\![{{\varvec{v}}} \cdot {{\varvec{u}}}]\!]_T \in {\mathbb {G}}_T\) in the exponent of the target group. The sizes of the secret keys, \({\textsf{IPFE}}.{\textsf{SK}}\), and ciphertexts, \({\textsf{IPFE}}.{\textsf{CT}}\), in such a system grow linearly with the sizes of the vectors \({\varvec{v}}\) and \({\varvec{u}}\) respectively. Roughly, the function-hiding security of an IPFE ensures that no information about the vectors \({\varvec{v}}, {\varvec{u}}\) is revealed from \({\textsf{IPFE}}.{\textsf{SK}}\) and \({\textsf{IPFE}}.{\textsf{CT}}\) except the inner product value \({{\varvec{v}}} \cdot {{\varvec{u}}}\) which is trivially extracted using the decryption algorithm. A slotted version of IPFE introduced in [49, 51] is a hybrid between a secret-key function-hiding IPFE and a public-key IPFE. The index set of the vectors \({\varvec{u}}\) is divided into two subsets: public slots \(S_{{\textsf {pub}}}\) and private slot \(S_{{\textsf {priv}}}\) so that the vector \({\varvec{u}}\) is written as \({\varvec{u}} = ({\varvec{u}}_{{\textsf {pub}}} ~ \Vert ~{\varvec{u}}_{{\textsf {priv}}})\). 
In addition to the usual (secret-key) encryption algorithm, the slotted IPFE has another encryption algorithm that uses the master public key of the system to encrypt the public slots of \({\varvec{u}}\), i.e. vectors with \({\varvec{u}}_{{\textsf {priv}}} = {\varvec{0}}\). The slotted IPFE preserves the function-hiding security with respect to the private slots only, as anyone can encrypt arbitrary vectors into the public slots.

2.1.1 Our one-slot FE

We first see how to combine IPFE and AKGS for constructing an FE scheme. Suppose we want to design an FE scheme that generates a secret key for a function \(f: {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p\) and encrypts the message \(({\varvec{x}}, z) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p\) where \({\varvec{x}}\) is public and z is private. The functionality outputs \(zf({\varvec{x}})\). It is easy to observe that this is a simple form of the one-slot FE scheme that we desire to construct in this section. Let us recall that AKGS garbles a function \(z f({\varvec{x}})\) (with \(\beta = 0\)) using a random coin \({\varvec{r}} \in {\mathbb {Z}}_p^m\) and outputs a set of coefficient vectors \((\varvec{\ell }_1, \ldots , \varvec{\ell }_{m+1})\) representing label functions \(L_1, \ldots , L_{m+1}\). A crucial property of AKGS [41, 49] is that the first m label functions are linear in \({\varvec{x}}\) and the \((m+1)\)-th label function only depends on z. In particular, we have the following:

$$\begin{aligned} L_j({\varvec{x}}) = {\varvec{\ell }_j} \cdot {(1, {\varvec{x}})},~ \text { for }j \in [m]~\text { and }~~ L_{m+1}(z) = {({\varvec{r}}[m], 1)} \cdot {(-1, z)}. \end{aligned}$$

The linearity of AKGS allows us to encode the garbling coefficients into IPFE secret keys and encrypt the vectors \((1, {\varvec{x}}), (-1, z)\) into IPFE ciphertexts. At the time of decryption, we can recover the label values by applying the IPFE decryption algorithm and finally employ the evaluation algorithm of AKGS to get the final output.

$$\begin{aligned} \begin{array}{l l} {\textsf {SK}}_f : &{} \begin{array}{l} {\textsf {IPFE.KeyGen}}([\![\varvec{\ell }_j]\!]_2) ~~~~~~\text { for }j \in [m] \\ {\textsf {IPFE.KeyGen}}([\![({\varvec{r}}[m], 1)]\!]_2) \end{array}\\ {\textsf {CT}}_{{\varvec{x}}, z} : &{} \begin{array}{l} {\textsf {IPFE.Enc}}([\![(1, {\varvec{x}})]\!]_1) \\ {\textsf {IPFE.Enc}}([\![(-1, z)]\!]_1) \end{array}\\ \end{array} \end{aligned}$$

Note that the decryption algorithm first recovers the label values in the exponent of the target group \({\mathbb {G}}_T\) and then uses the linear evaluation algorithm of AKGS to obtain \([\![zf({\varvec{x}})]\!]_T = {\textsf {Eval}}(f, {\varvec{x}}, [\![\ell _1]\!]_T, \ldots , [\![\ell _{m+1}]\!]_T)\) where the \([\![\ell _j]\!]_T\)’s are obtained by the IPFE decryption algorithm. Using this idea, we move forward to discussing our one-slot FE scheme.

We aim to design our decryption algorithm such that given a secret key for a weight function ABP \(f : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p^{n^{\prime }}\) with coordinate functions \(f_1, \ldots , f_{n^{\prime }} : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p\) and an encryption of an attribute vector pair \(({\varvec{x}}, {\varvec{z}})\in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }}\), the decryption algorithm would first recover the value for each coordinate \({\varvec{z}}[t]f_t({\varvec{x}})\) masked with a random scalar \(\beta _t\), that is, \({\varvec{z}}[t]f_t({\varvec{x}}) + \beta _t\) and then sum over all these values to obtain the desired functional value (we take the scalars \(\{\beta _t\}_{t\in [n^{\prime }]}\) such that \(\sum _{t=1}^{n^{\prime }} \beta _t = 0 \mod p\)). Thus we want our key generation algorithm to use AKGS to garble the functions \({\varvec{z}}[t]f_t({\varvec{x}}) + \beta _t\). Note that here, \(\beta _t\) is a constant but \({\varvec{z}}[t]\) is a variable. While doing this garbling, we also want the label functions to involve either only the variables \({\varvec{x}}\) or the variable \({\varvec{z}}[t]\). This is because, in the construction we need to handle \({\varvec{x}}\) and \({\varvec{z}}[t]\) separately since \({\varvec{x}}\) is public whereas \({\varvec{z}}[t]\) is private. This is unlike [49] which garbles \(\alpha f({\varvec{x}})+\beta \) where both \(\alpha , \beta \) are known constants and only \({\varvec{x}}\) is a variable. To solve this issue, we garble an extended ABP where we extend the original ABP \(f_t\) by adding a new sink node and connecting the original sink node of \(f_t\) to this new sink node with a directed edge labeled with the variable \({\varvec{z}}[t]\).
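The garbling, evaluation and mask cancellation described above can be traced in the clear with the following added example, which is not code from the paper: it uses a matrix-style garbling of the extended ABP that has the stated properties (the first m label functions are affine in \({\varvec{x}}\), the last one is \(\alpha z - {\varvec{r}}[m]\)), and it is not claimed to be the instantiation of the paper's Appendix A. Assumptions: the modulus `P`, the dictionary layout of an ABP (vertices 1..V in topological order, so the size is m+1 = V), the constructed sample ABPs `F1`, `F2`, all function names, \(\alpha = 1\), and inner products computed directly over \({\mathbb {Z}}_p\) where the scheme would obtain them from slotted IPFE decryption in the exponent.

```python
import secrets

P = 2**61 - 1  # prime standing in for the group order p (assumption)

# Constructed sample ABPs over x = (x1, x2, x3); an edge label is a coefficient
# vector over (1, x1, x2, x3). Vertex 1 is the source, vertex V the sink.
F1 = {"V": 3, "n": 3, "edges": {(1, 2): [0, 1, 0, 0],    # x1
                                (2, 3): [0, 0, 1, 0],    # x2
                                (1, 3): [0, 0, 0, 1]}}   # x3  -> f1 = x1*x2 + x3
F2 = {"V": 2, "n": 3, "edges": {(1, 2): [5, 2, 0, 0]}}   # f2 = 2*x1 + 5

def affine(coeffs, x):
    """Evaluate coeffs . (1, x) mod P."""
    return (coeffs[0] + sum(c * xi for c, xi in zip(coeffs[1:], x))) % P

def garble(abp, alpha, beta, r):
    """Garble alpha*z*f(x) + beta for the extended ABP (old sink -> new sink, label z).

    Labels are M * (r, alpha)^T + beta*e_1, where M is (A - I) of the extended ABP
    with its first column and last row removed. Returns the m coefficient vectors
    over (1, x) and the last label's vector, to be paired with (-1, z).
    """
    V, n, edges = abp["V"], abp["n"], abp["edges"]
    m = V - 1
    assert len(r) == m
    labels = []
    for j in range(1, m + 1):
        vec = [0] * (n + 1)
        for i in range(j, m + 1):                  # column i holds edge j -> i+1
            for k, c in enumerate(edges.get((j, i + 1), ())):
                vec[k] = (vec[k] + r[i - 1] * c) % P
        if j == 1:
            vec[0] = (vec[0] + beta) % P           # the mask enters the first label only
        else:
            vec[0] = (vec[0] - r[j - 2]) % P       # the -1 on the sub-diagonal of M
        labels.append(vec)
    return labels, [r[m - 1] % P, alpha % P]       # L_{m+1}(z) = alpha*z - r[m]

def path_sums(abp, x):
    """c[j-1] = sum over source -> vertex j paths of the product of edge labels."""
    V, edges = abp["V"], abp["edges"]
    c = [1] + [0] * (V - 1)
    for j in range(2, V + 1):
        c[j - 1] = sum(c[i - 1] * affine(edges[(i, j)], x)
                       for i in range(1, j) if (i, j) in edges) % P
    return c

def evaluate(abp, x, label_values):
    """Eval: linear in the label values, with coefficients depending on x only."""
    return sum(cj * lj for cj, lj in zip(path_sums(abp, x), label_values)) % P

def sim_garble(abp, x, gamma):
    """Simulated label values from (f, x, gamma): random tail, first label forced."""
    c = path_sums(abp, x)
    tail = [secrets.randbelow(P) for _ in range(abp["V"] - 1)]
    first = (gamma - sum(cj * lj for cj, lj in zip(c[1:], tail))) % P
    return [first] + tail

def one_slot_weighted_sum(abps, x, z):
    """Garble z[t]*f_t(x) + beta_t with sum(beta_t) = 0, evaluate each, add up."""
    betas = [secrets.randbelow(P) for _ in abps[:-1]]
    betas.append(-sum(betas) % P)
    masked = []
    for abp, zt, beta in zip(abps, z, betas):
        r = [secrets.randbelow(P) for _ in range(abp["V"] - 1)]
        labels, last = garble(abp, 1, beta, r)
        # Stand-in for IPFE decryption: inner products with (1, x) and (-1, z[t]).
        values = [affine(l, x) for l in labels] + [(-last[0] + last[1] * zt) % P]
        masked.append(evaluate(abp, x, values))
    return sum(masked) % P, masked, betas

if __name__ == "__main__":
    total, masked, betas = one_slot_weighted_sum([F1, F2], (3, 4, 5), (10, 7))
    print("f(x)^T z =", total)
    print("per-coordinate values are masked:", masked)
```

Each entry of `masked` on its own is offset by a uniformly random \(\beta_t\); only the sum over all coordinates is the functional value.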

We also make use of a particular instantiation of AKGS given by [41] where we observe that the first m coefficient vectors \(\varvec{\ell }_{1, t}, \ldots , \varvec{\ell }_{m, t}\) are independent of \({\varvec{z}}[t]\) and the last coefficient vector \(\varvec{\ell }_{m+1, t}\) involves only the variable \({\varvec{z}}[t]\). In the setup phase, two pairs of IPFE keys \(({\textsf{IPFE}}.{\textsf{MSK}}, {\textsf{IPFE}}.{\textsf{MPK}})\) and \((\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, \widehat{{\textsf{IPFE}}.{\textsf{MPK}}})\) for a slotted IPFE are generated for appropriate public and private index sets. The first instance of IPFE is used to handle the public attributes \({\varvec{x}}\), whereas the second instance for the private attributes \({\varvec{z}}\). Let \(f = (f_1, \ldots , f_{n^{\prime }}) : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p^{n^{\prime }}\) be a given weight function ABP such that \(f_t : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p\) is the t-th coordinate ABP of f. To produce a secret-key \({\textsf{SK}}_f\), we proceed as follows:

  • Sample vectors \(\varvec{\alpha }, \varvec{\beta }_t \leftarrow {\mathbb {Z}}_p^k\) such that \(\sum _{t \in [n^{\prime }]} \varvec{\beta }_t[\iota ] = 0 \mod p ~ \forall \iota \in [k]\)

  • Suppose we want to base the security of the proposed scheme under the \({\textsf{MDDH}}_k\) assumption. Generate k instances of the garblings \((\varvec{\ell }_{1, t}^{(\iota )}, \ldots , \varvec{\ell }_{m+1, t}^{(\iota )}) \leftarrow {\textsf {Garble}}(\varvec{\alpha }[\iota ] {\varvec{z}}[t] f_t({\varvec{x}})+\varvec{\beta }_t[\iota ]; {\varvec{r}}_{t}^{(\iota )})\) for \(\iota \in [k]\) where \({\varvec{r}}_{t}^{(\iota )} \leftarrow {\mathbb {Z}}_p^{m}\). Using the instantiation of AKGS given by [41], we have that the \((m+1)\)-th label functions \(L_{m+1, t}^{(\iota )}\) take the form \(L_{m+1, t}^{(\iota )}({\varvec{z}}[t]) = \varvec{\alpha }[\iota ]{\varvec{z}}[t] - r_{t}^{(\iota )}[m]\) with \(\varvec{\alpha }[\iota ]\) a constant.

  • Compute the IPFE secret keys

    $$\begin{aligned} {\textsf{IPFE}}.{\textsf{SK}}&= {\textsf{IPFE}}.{\textsf{KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}]\!]_2)\\ {\textsf{IPFE}}.{\textsf{SK}}_{j, t}&= {\textsf{IPFE}}.{\textsf{KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_{j, t}]\!]_2) \text { for } j \in [m]\\ \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}&= {\textsf{IPFE}}.{\textsf{KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{v}}_{m+1, t} ]\!]_2) \end{aligned}$$

    where the vectors are given by

    $$\begin{aligned} {\varvec{v}}&= (\varvec{\alpha }, {\varvec{0}}_{kn} ~ \Vert ~0, {\varvec{0}}_{n}, {\varvec{0}}_{n^{\prime }}, {\varvec{0}}_{n^{\prime }})\\ {\varvec{v}}_{j, t}&= (\varvec{\ell }_{j, t}^{(1)},\ldots , \varvec{\ell }_{j, t}^{(k)} ~ \Vert ~0, {\varvec{0}}_{n}, {\varvec{0}}_{n^{\prime }}, {\varvec{0}}_{n^{\prime }}) \text { for } j \in [m]\\ {\varvec{v}}_{m+1, t}&= ({\varvec{r}}_{t}^{(1)}[m],\ldots , {\varvec{r}}_{t}^{(k)}[m], \varvec{\alpha } ~ \Vert ~0,0,0,0,0,0,0) \end{aligned}$$
  • Return \({\textsf{SK}}_f = ({\textsf{IPFE}}.{\textsf{SK}}, \{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t\in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]})\)

Here, we separate public and private slots by \(`` ~ \Vert ~"\) and \({\varvec{0}}_n\) denotes a vector of all zero elements of length n. We add zero vectors beforehand which have no role in the correctness and will only be used in the security analysis. The purpose of keeping these zero vectors is to get an idea regarding the length of vectors that are needed to argue adaptive security of our scheme. Now, to produce a ciphertext \({\textsf{CT}}\) for some attribute vectors \(({\varvec{x}}, {\varvec{z}})\), we use the following steps:

  • Sample \({\varvec{s}} \leftarrow {\mathbb {Z}}_p^k\) and use the slotted encryption of IPFE to compute the ciphertexts

    $$\begin{aligned} {\textsf{IPFE}}.{\textsf{CT}}&= {\textsf{IPFE}}.{\textsf{Slot}}{\textsf{Enc}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{u}}]\!]_1)\\ \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t&= {\textsf{IPFE}}.{\textsf{Slot}}{\textsf{Enc}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{h}}_t]\!]_1) ~ \text { for all } t \in [n^{\prime }] \end{aligned}$$

    where the vectors are given by

    $$\begin{aligned} {\varvec{u}}&= ({\varvec{s}}, {\varvec{s}}\otimes {\varvec{x}}),~~ {\varvec{h}}_t = (-{\varvec{s}}, {\varvec{s}} \cdot {\varvec{z}}[t]) ~ \text { for all } t \in [n^{\prime }] \end{aligned}$$

    We denote by \(\otimes \) the usual tensor product.

  • Return \({\textsf{CT}}= ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\)

Decryption first uses IPFE.Dec to compute

$$\begin{aligned} {{\varvec{v}}} \cdot {{\varvec{u}}}&= [\![{\varvec{\alpha }} \cdot {{\varvec{s}}}]\!]_T \end{aligned} \tag{1}$$

$$\begin{aligned} {{\varvec{v}}_{j, t}} \cdot {{\varvec{u}}}&= [\![\sum _{\iota } {\varvec{s}}[\iota ] ({\varvec{\ell }_{j, t}^{(\iota )}} \cdot {(1, {\varvec{x}})})]\!]_T = [\![\ell _{j, t}]\!]_T ~~ \text { for } j \in [m], t \in [n^{\prime }] \end{aligned} \tag{2}$$

$$\begin{aligned} {{\varvec{v}}_{m+1, t}} \cdot {{\varvec{h}}_t}&= [\![\sum _{\iota } {\varvec{s}}[\iota ] (\varvec{\alpha }[\iota ] {\varvec{z}}[t] - {\varvec{r}}_{t}^{(\iota )}[m])]\!]_T = [\![\ell _{m+1, t}]\!]_T ~~\text { for } t \in [n^{\prime }] \end{aligned} \tag{3}$$

and then apply the evaluation procedure of AKGS to get

$$\begin{aligned} {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t}]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T) = [\![({\varvec{\alpha }} \cdot {{\varvec{s}}}) \cdot {\varvec{z}}[t]f_t({\varvec{x}}) + {\varvec{\beta }_t} \cdot {{\varvec{s}}}]\!]_T. \end{aligned} \tag{4}$$

Finally, multiplying all these evaluated values and utilizing the fact \(\sum _{t \in [n^{\prime }]} {\varvec{\beta }_t} \cdot {{\varvec{s}}} = 0\), we recover \(f({\varvec{x}})^{\top }{\varvec{z}} = \sum _{t\in [n^{\prime }]} {\varvec{z}}[t] f_t({\varvec{x}})\).

The simulator for our one-slot FE Scheme We now describe our simulator of the adaptive game for our one-slot FE scheme. Note that the private slots on the right side of \(`` ~ \Vert ~"\) will be used by the simulator and we program them during the security analysis. For the q-th secret-key query corresponding to a function \(f_q = (f_{q, 1}, \ldots , f_{q, n^{\prime }})\), the simulator sets public slots of all the vectors \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}\) for \(j \in \{1, \ldots , m_q+1\}\) as in the original key generation algorithm. Instead of using the linear combination of the label vectors, the simulator uses freshly sampled garblings to set the private slots. The pre-challenge secret key \({\textsf{SK}}_{f_q}\) takes the form

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{SK}}_q&= {\textsf{IPFE}}.{\textsf{KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![\varvec{\alpha }[\iota ], {\varvec{0}}_{kn} ~ \Vert ~\widetilde{\alpha }_q, {\varvec{0}}_{n}, {\varvec{0}}_{n^{\prime }}, {\varvec{0}}_{n^{\prime }}]\!]_2) \\ {\textsf{IPFE}}.{\textsf{SK}}_{q, j, t}&= {\textsf{IPFE}}.{\textsf{KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![\varvec{\ell }_{q, j, t}^{(1)}, \ldots , \varvec{\ell }_{q, j, t}^{(k)} ~ \Vert ~\widetilde{\varvec{\ell }}_{q, j, t}, {\varvec{0}}_{n^{\prime }}, {\varvec{0}}_{n^{\prime }}]\!]_2) ~~~\text { for } j \in [m_q] \\ \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{q, m_q+1, t}&= {\textsf{IPFE}}.{\textsf{KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{r}}_{t}^{(1)}[m_q], \ldots , {\varvec{r}}_{t}^{(k)}[m_q], \varvec{\alpha } ~ \Vert ~0, 0, \widetilde{{\varvec{r}}}_{q, t}[m_q], \widetilde{\alpha }_q, 0, 0, 0]\!]_2) \end{aligned}$$

where \((\widetilde{\varvec{\ell }}_{q, 1, t}, \ldots , \widetilde{\varvec{\ell }}_{q, m_q, t}) \leftarrow {\textsf {Garble}}(\widetilde{\alpha }_q {\varvec{z}}[t] f_{q, t}({\varvec{x}}) +{\widetilde{\beta }}_{q, t}; \widetilde{{\varvec{r}}}_{q, t}), {\widetilde{\alpha }}_q, {\widetilde{\beta }}_{q, t} \leftarrow {\mathbb {Z}}_p\) such that \(\sum _{t \in [n^{\prime }]} {\widetilde{\beta }}_{q, t} = 0 \mod p\). We write \({\varvec{0}}_{n}\) as a vector of length n with all zero elements. To simulate the ciphertext for the challenge attribute \({\varvec{x}}^*\), the simulator uses the set of all functional values \({\mathcal {V}} = \{(f_q, f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^*) : q \in [Q_{{\textsf {pre}}}]\}\) to compute a dummy vector \({\varvec{d}}\) satisfying \(f_q({\varvec{x}}^*)^{\top }{\varvec{d}} = f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* \text { for all } q \in [Q_{{\textsf {pre}}}]\). Since the inner product functionality is pre-image sampleable and both \(f_q, {\varvec{x}}^*\) are known to the simulator, a dummy vector \({\varvec{d}}\) can be efficiently computed via a polynomial time algorithm given by O’Neill [59]. The simulated ciphertext becomes

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{CT}}&= {\textsf{IPFE}}.{\textsf{Enc}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{0}}_k, {\varvec{0}}_{kn} ~ \Vert ~1, {\varvec{x}}^*, {\varvec{0}}_{n^{\prime }}, {\varvec{0}}_{n^{\prime }}]\!]_1)\\ \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t&= {\textsf{IPFE}}.{\textsf{Enc}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{0}}_{k}, {\varvec{0}}_{k} ~ \Vert ~1, 0, -1, {\varvec{d}}[t], 0, 0, 0]\!]_1) \end{aligned}$$

The post-challenge secret-key query for the q-th function \(f_q = (f_{q, 1}, \ldots , f_{q, n^{\prime }})\) with \(q > Q_{{\textsf {pre}}}\) is answered using the simulator of AKGS. In particular, we choose \(\beta _{q, t} \leftarrow {\mathbb {Z}}_p\) satisfying \(\sum _{t \in [n^{\prime }]} \beta _{q, t} = 0 \mod p\) and compute the simulated labels as follows:

$$\begin{aligned} (\widehat{\ell }_{q, 1, 1}, \ldots , \widehat{\ell }_{q, m_q+1, 1})&\leftarrow {\textsf {SimGarble}}(f_{q, 1}, {\varvec{x}}^*, {\widetilde{\alpha }}_q \cdot f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* + \beta _{q, 1}) \end{aligned} \tag{5}$$

$$\begin{aligned} (\widehat{\ell }_{q, 1, t}, \ldots , \widehat{\ell }_{q, m_q+1, t})&\leftarrow {\textsf {SimGarble}}(f_{q, t}, {\varvec{x}}^*, \beta _{q, t}) ~~\text { for } 1 < t \le n^{\prime } \end{aligned} \tag{6}$$

Note that, for post-challenge secret keys the functional value \(f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^*\) is known and hence the simulator can directly embed the value into the secret keys. The post-challenge secret key \({\textsf{SK}}_{f_q}\) takes the form

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{SK}}_q&= {\textsf{IPFE}}.{\textsf{KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![\varvec{\alpha }, {\varvec{0}}_{kn} ~ \Vert ~\widetilde{\alpha }_q, {\varvec{0}}_{n}, {\varvec{0}}_{n^{\prime }}, {\varvec{0}}_{n^{\prime }}]\!]_2) \\ {\textsf{IPFE}}.{\textsf{SK}}_{q, j, t}&= {\textsf{IPFE}}.{\textsf{KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![\varvec{\ell }_{j, t}^{(1)}, \ldots , \varvec{\ell }_{j, t}^{(k)} ~ \Vert ~\ell _{q, j, t}, {\varvec{0}}_{n}, {\varvec{0}}_{n^{\prime }}, {\varvec{0}}_{n^{\prime }}]\!]_2) ~~~\text { for } j \in [m_q]\\ \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{q, m_q+1, t}&= {\textsf{IPFE}}.{\textsf{KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{r}}_{t}^{(1)}[m_q],\ldots , {\varvec{r}}_{t}^{(k)}[m_q], \varvec{\alpha } ~ \Vert ~\ell _{q, m_q+1, t}, 0, 0, 0, 0, 0, 0]\!]_2) \end{aligned}$$

2.1.2 Security analysis of our one-slot FE scheme

To show the adaptive simulation-based security of our FE scheme, we follow a sequence of hybrid experiments to move from the real game to the ideal game with the simulated algorithms described above. The security analysis has three steps. In the first step, we apply function-hiding IPFE and the MDDH assumption to use freshly sampled garblings instead of linearly combined coefficient vectors. In the second step, the dummy vector \({\varvec{d}}\) is utilized in the challenge ciphertext to handle pre-challenge secret-key queries (more details are given below). Finally, in the third step, we use the simulator of AKGS for simulating the post-challenge secret-key queries.

2.1.3 Step 1

We start with the real adaptive simulation security game with all the real algorithms described above. The first step is to activate the hidden slots in the ciphertext vectors. This follows from the slot-mode correctness of the IPFE, where we replace the SlotEnc algorithm with the \({\textsf{Enc}}\) algorithm of slotted IPFE.

In the next hybrid, the label values are computed through only the hidden slots. We rely on the function-hiding security of IPFE to set the key and ciphertext vectors as follows

where \({\overline{\alpha }}_q = {\varvec{\alpha }_q} \cdot {{\varvec{s}}} , \overline{\varvec{\ell }}_{q, j, t} = \sum _{\iota } {\varvec{s}}[\iota ] \varvec{\ell }^{(\iota )}_{q, j, t}\) and \(\overline{{\varvec{r}}}_{q, t}[m_q] = \sum _{\iota } {\varvec{s}}[\iota ] {\varvec{r}}^{(\iota )}_{q, t}[m_q]\). Since the inner product values between the vectors remain the same, the indistinguishability follows from the function-hiding property of IPFE. Next, the label values are computed using fresh randomness. More precisely, the MDDH assumption is used to set the key vectors as

where \({\widetilde{\alpha }}_q, {\widetilde{\beta }}_{q, t} \leftarrow {\mathbb {Z}}_p\) satisfying \(\sum _{t \in [n^{\prime }]} {\widetilde{\beta }}_{q, t} = 0 \mod p\) and \((\widetilde{\varvec{\ell }}_{q, 1, t}, \ldots , \widetilde{\varvec{\ell }}_{q, m_q+1, t}) \leftarrow {\textsf {Garble}}(\widetilde{\alpha }_q{\varvec{z}}[t] f_{q, t}({\varvec{x}}) + {\widetilde{\beta }}_{q, t}; \widetilde{{\varvec{r}}}_{q, t}) \). The indistinguishability follows from the MDDH assumption in the source group \({\mathbb {G}}_2\). This completes the first step of the security analysis.

2.1.4 Step 2

In the second step, we face several technical obstacles in tackling the secret key queries that are submitted before the challenge ciphertext is computed. We briefly explain, at a high level, the main challenges in adapting the technique of [49] to our setting and our ideas to overcome those challenges.

1. To handle the pre-challenge secret-key queries, [49] formulates new properties of AKGS such as reverse sampling and marginal randomness. Using such structural properties of AKGS, their main motivation was to reversely sample the first garbling label using the challenge attribute so that it can be shifted into the ciphertext component and make the remaining labels uniformly random. This procedure works fine for arguing zero advantage for the adversary at the end of the hybrid sequence in case of ABE as functions in the queried secret keys do not vanish on the challenge attribute and hence the challenge ciphertext can never be decrypted using such secret keys available to the adversary such that the value \(\alpha f({\varvec{x}}) + \beta \) becomes completely random. But, FE permits the adversary to have secret keys that decrypt the challenge ciphertext, that is, we cannot afford to have \(f_t({\varvec{x}}){\varvec{z}}[t] + \beta _t\) completely random. In order to handle this, we carefully integrate the techniques of pre-image sampleability [29, 59] with the reverse sampling and marginal randomness properties of AKGS to handle the pre-challenge queries.

2. The security proof of [49] implements a version of the dual system encryption methodology [45, 46, 64] via the function-hiding slotted IPFE. Since the ABE is only payload hiding, the usual dual system encryption technique is sufficient for achieving adaptive security where only one hidden subspace is required. More precisely, the secret keys are made of two slots, out of which the first public slot contains the honestly computed components which may be used to decrypt any honestly computed ciphertext and the other hidden slot is used to embed its interaction with the challenge ciphertext. This dual system encryption technique has been used in several prior works [29, 45, 46, 49, 55, 57, 58, 64]. Here, a single hidden slot is enough to handle the interaction between all ciphertext and secret-key queries since by the game restrictions, no secret key queried by the adversary can decrypt the challenge ciphertext and thus their interactions with the challenge ciphertext always result in random outputs. For our application, a portion of the attribute must be kept hidden from an adversary in the context of FE, who is allowed to have polynomially many secret keys that successfully decrypt the challenge ciphertext. The usual dual system encryption is not sufficient for our purpose. We require three hidden subspaces or slots for our security reduction. We sample a dummy vector \({\varvec{d}}\) obtained via the pre-image sampling algorithm [59] and execute our three-slot dual system encryption variant devised by extending the framework of [49].

figure a

The first hidden subspace of the challenge ciphertext is kept for handling the interactions with the post-ciphertext secret keys. The second hidden subspace is required to place the dummy vector (obtained from pre-image sampleability) which helps in simulating the interactions between the challenge ciphertext and the pre-ciphertext secret keys. The last hidden subspace is used as a temporary way station to switch each pre-ciphertext secret key from interacting with the original hidden attribute of the challenge ciphertext to interacting with the dummy attribute sampled using the pre-image sampleability.

We extend the framework of [49] to implement a three-slot dual system encryption procedure for simulating adaptive queries in our one-slot FE scheme. We do this via a loop which takes care of the pre-ciphertext key queries one-by-one. In the q-th execution of the loop, the vectors related to the pre-ciphertext secret keys and the vector \({\varvec{h}}_t\) of the ciphertext take the form

figure b

where \(Q_{{\textsf {pre}}}\) denotes the total number of pre-ciphertext key queries. In order to establish the indistinguishability between the hybrids in the loop, we actually rely on a computational problem, namely the 1-key 1-ciphertext simulation security of a secret-key FE scheme for attribute-weighted sums where the single key query is made before making the challenge ciphertext query. This scheme is presented in Sect. 4.1. The security of (secret-key) one FE scheme follows from the piecewise security of AKGS and the function-hiding security of IPFE. This is the core indistinguishability step that has been information theoretic in all prior applications of the extended dual system encryption methodology for adaptive attribute-hiding security [28, 56]. Built on the techniques of [49], we are able to make this core indistinguishability step computational and thus remove the one-use restriction in the context of adaptive attribute-hiding security for the first time.

At the end of the loop, all the pre-ciphertext secret keys are made to interact with the dummy vector sitting in the 2nd slot of \({\varvec{h}}_t\). The 3rd slots of \({\varvec{h}}_t\) are filled with zeros since these subspaces will not be required in the rest of the hybrids. Using the function-hiding security of IPFE, we set the vectors

The second step of the security analysis is now over as all the pre-challenge secret keys decrypt the challenge ciphertext using the dummy vector \({\varvec{d}}\), instead of using the private attribute \({\varvec{z}}^*\).

2.1.5 Step 3

However, we still require \({\varvec{z}}^*\) to be present in the vector \({\varvec{h}}_t\) for the successful decryption of the challenge ciphertext by post-challenge secret keys since we have not yet altered the forms of the post-ciphertext secret keys. The last step of the security analysis is similar to the selective game of [3] where the simulator of AKGS is employed to remove \({\varvec{z}}^*\) from the challenge ciphertext and functional values are directly plugged into the post-challenge secret keys. First, we use the honestly computed value \(\widetilde{\ell }_{q, j, t} = \widetilde{L}_{q, j, t}({\varvec{x}}^*)\) for \(j \in [m_q]\) and \(\widetilde{\ell }_{q, m_q+1, t} = \widetilde{\alpha }_q {\varvec{z}}^*[t] -\widetilde{{\varvec{r}}}_{q, t}[m_q]\) while simulating the keys. After that, we utilize the simulator of AKGS to simulate \(\widetilde{\alpha }_q \cdot {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + \widetilde{\beta }_{q, t}\) using \(\widehat{\ell }_{q, j, t}\).

Finally, we change the distribution of \(\{\widetilde{\beta }_{q, t}\}\) to embed the value \({\widetilde{\alpha }}_q \cdot f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* + \widetilde{\beta }_{q, 1}\) into \(\widehat{\ell }_{q, j, 1}\) and the value \(\widetilde{\beta }_{q, t}\) into \(\widehat{\ell }_{q, j, t}\) for \(1 < t \le n^{\prime }\), as in Eqs. (5) and (6). We observe that this is exactly the same as the simulator of our FE scheme.

2.1.6 From one-slot FE to one-slot extFE

We extend our one-slot FE to an extended FE scheme which is required for applying the compiler of [3] to bootstrap to the unbounded-slot FE scheme. In an extFE scheme, as opposed to just taking a weight function f as input, the key generation procedure additionally takes a vector \({\varvec{y}}\) as input. Similarly, the encryption algorithm takes a vector \({\varvec{w}}\) in addition to the usual public/private vector pair \(({\varvec{x}}, {\varvec{z}})\) such that

$$\begin{aligned} {\textsf{SK}}_{f, {\varvec{y}}} \leftarrow {\textsf {KeyGen}}({\textsf {MSK}}, (f, {\varvec{y}})), ~~ {\textsf{CT}}\leftarrow {\textsf {Enc}}({\textsf {MPK}}, ({\varvec{x}}, {\varvec{z}} ~ \Vert ~{\varvec{w}})) \end{aligned}$$

The decryption procedure recovers \(f({\varvec{x}})^\top {\varvec{z}}+{\varvec{y}}^\top {\varvec{w}}\) instead of \(f({\varvec{x}})^\top {\varvec{z}}\) like a regular one-slot scheme. The main idea is to use the linearity of the Eval algorithm of AKGS. We add an extra term \(\psi _t = \nu _t\cdot ({\varvec{\alpha }} \cdot {{\varvec{s}}}) {\varvec{y}}^{\top }{\varvec{w}}\) to the first garbling value \(\ell _{1, t}\) so that Eq. (4) becomes

$$\begin{aligned}&{\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t} + \psi _t]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T) \\&\quad = {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t}]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T) \cdot [\![\psi _t]\!]_T\\&\quad = [\![({\varvec{\alpha }} \cdot {{\varvec{s}}}) \cdot (f_t({\varvec{x}}){\varvec{z}}[t] + \nu _t {\varvec{y}}^{\top }{\varvec{w}})+ {\varvec{\beta }_t} \cdot {{\varvec{s}}}]\!]_T \end{aligned}$$

where \(\nu _t \leftarrow {\mathbb {Z}}_p\) for \(t\in [n^{\prime }]\) are such that \(\sum _{t \in [n^{\prime }]} \nu _t = 1 \mod p\). Therefore, multiplying all the evaluated terms and using the inner product \({{\varvec{v}}} \cdot {{\varvec{u}}} = {\varvec{\alpha }} \cdot {{\varvec{s}}}\), as in our one-slot FE scheme, we get \([\![f({\varvec{x}})^{\top } {\varvec{z}} + {\varvec{y}}^{\top }{\varvec{w}}]\!]_T\) using the fact that \(\sum _{t \in [n^{\prime }]} {\varvec{\beta }_t} \cdot {{\varvec{s}}} = 0\). The security analysis is similar to our one-slot scheme.

2.2 Bootstrapping from one-slot FE to unbounded-slot FE

Abdalla et al. [3] devised a compiler that upgrades the one-slot FE into an unbounded-slot FE scheme where the number of slots N can be arbitrarily chosen at the time of encryption. The transformation also preserves the compactness of ciphertexts of the underlying one-slot scheme. However, their transformation actually needs a one-slot extFE scheme as defined above.

The extFE scheme of [3] is built in a bilinear group \({{\textsf{G}}} = ({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e)\) where ciphertexts are encoded in the group \({\mathbb {G}}_1\) and secret keys in the group \({\mathbb {G}}_2\). Interestingly, the structure of the extFE scheme of [3] is such that the key generation procedure can still be run if the vector \({\varvec{y}}\) is given in the exponent of \({\mathbb {G}}_2\), that is, \([\![{\varvec{y}}]\!]_2\). The decryption, given \(({\textsf{SK}}_{f, {\varvec{y}}}, (f, [\![{\varvec{y}}]\!]_2)), ({\textsf{CT}}, {\varvec{x}})\), recovers \([\![f({\varvec{x}})^{\top }{\varvec{z}} + {\varvec{y}}^{\top }{\varvec{w}}]\!]_T\) without leaking any additional information about the vectors \({\varvec{z}}, {\varvec{w}}\). Now, the unbounded-slot FE (ubdFE) scheme follows a natural masking procedure over the original one-slot scheme. More specifically, we use N extFE encryptions to obtain ciphertexts \(\{{\textsf {CT}}_i\}_{i \in [N]}\) where \({\textsf {CT}}_i\) encrypts \(({\varvec{x}}_i, {\varvec{z}}_i ~ \Vert ~{\varvec{w}}_i)\) with \(\sum _{i \in [N]} {\varvec{w}}_i = {\varvec{0}}\) mod p. The decryption procedure first computes the individual sums \([\![f({\varvec{x}}_i)^{\top }{\varvec{z}}_i + {\varvec{y}}^{\top }{\varvec{w}}_i]\!]_T\) and then multiplies all the sums to learn \(\sum _{i \in [N]} f({\varvec{x}}_i)^{\top }{\varvec{z}}_i\) by solving a discrete logarithm problem (using brute force). Abdalla et al. [3] proved the semi-adaptive simulation-based security of the scheme under the MDDH assumption in the source group \({\mathbb {G}}_2\). The main idea was to gradually shift the sum \(\sum _{i \in [2, N]} f({\varvec{x}}_i)^{\top } {\varvec{z}}_i \) from the last \((N-1)\) ciphertexts \(\{{\textsf{CT}}_i\}_{i \in [2, N]}\) to the first component of the ciphertext \({\textsf{CT}}_1\).
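The masking step described above, as an added example that is not code from the paper or from [3]. It works only at the level of the per-slot outputs \([\![f({\varvec{x}}_i)^{\top }{\varvec{z}}_i + {\varvec{y}}^{\top }{\varvec{w}}_i]\!]_T\) and does not model the extFE keys or ciphertexts; the toy group (order 1019 inside \({\mathbb {Z}}_{2039}^*\), standing in for \({\mathbb {G}}_T\)), the sample database, the weight function and all names are constructed assumptions.

```python
import secrets

P = 1019          # toy prime group order (constructed; real groups are ~256-bit)
MOD = 2 * P + 1   # 2039 is prime, so the squares mod MOD form a group of order P
G = 4             # a square different from 1, hence a generator; stands in for g_T


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P


def enc_T(a):
    """Toy stand-in for [[a]]_T: the exponent a sits behind a discrete log."""
    return pow(G, a % P, MOD)


def zero_sum_masks(count, dim):
    """Sample w_1..w_count in Z_P^dim with sum_i w_i = 0 mod P."""
    masks = [[secrets.randbelow(P) for _ in range(dim)] for _ in range(count - 1)]
    masks.append([-sum(m[j] for m in masks) % P for j in range(dim)])
    return masks


def slot_output(f, y, x, z, w):
    """Per-slot decryption result as stated in the text: [[f(x)^T z + y^T w]]_T."""
    return enc_T(dot(f(x), z) + dot(y, w))


def bounded_dlog(target, bound):
    """Brute-force mu in [0, bound] with G^mu == target; None if out of range."""
    acc = 1
    for mu in range(bound + 1):
        if acc == target:
            return mu
        acc = acc * G % MOD
    return None


def ubd_decrypt(f, y, slots, masks, bound):
    """Multiply all per-slot outputs, then recover the sum by bounded brute force."""
    prod = 1
    for (x, z), w in zip(slots, masks):
        prod = prod * slot_output(f, y, x, z, w) % MOD
    return bounded_dlog(prod, bound)


# Constructed sample database: N = 2 slots, public x_i in Z_P^2, private z_i in Z_P^3.
SLOTS = [((2, 3), (5, 7, 1)), ((1, 4), (6, 2, 3))]
Y = (3, 4)  # constructed key vector y


def weight(x):
    """Constructed weight function f with polynomial coordinates."""
    return (x[0] * x[1], x[0] + 1, x[1])


if __name__ == "__main__":
    masks = zero_sum_masks(len(SLOTS), len(Y))
    x1, z1 = SLOTS[0]
    # A single slot is blinded by y^T w_1, so a small-range search usually fails.
    print("slot 1 alone:", bounded_dlog(slot_output(weight, Y, x1, z1, masks[0]), 200))
    # All slots together: the masks cancel and the attribute-weighted sum appears.
    print("all slots   :", ubd_decrypt(weight, Y, SLOTS, masks, 200))
    # The same product is useless if the true sum lies outside the search range.
    print("bound too low:", ubd_decrypt(weight, Y, SLOTS, masks, 50))
```

The search bound is the practical constraint: the decryptor only learns the sum when it lies in a range small enough to enumerate.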

We apply the same high level strategy for proving the adaptive simulation security of the transformation. However, in order to do so, we face two main obstacles. First, the reduction must incorporate the decryption results of all the pre-ciphertext secret keys into the challenge ciphertext. Therefore, for all the pre-ciphertext secret key queries \((f, {\varvec{y}})\), the reduction needs to know \([\![{\varvec{y}}]\!]_1\) in order to simulate the challenge ciphertext and \([\![{\varvec{y}}]\!]_2\) to simulate the key. At a high level, the reason why \({\varvec{y}}\) cannot be made available to the reduction in the clear is that the shifting of the sums into the first ciphertext component \({\textsf{CT}}_1\) from a subsequent ciphertext component, say \({\textsf{CT}}_{\eta }\), once both \({\textsf{CT}}_1\) and \({\textsf{CT}}_{\eta }\) are in the simulated form, is to be done via a computational transition based on some \({\textsf{MDDH}}\)-like assumption. In case of [3], there were no pre-ciphertext key queries and hence the \({\textsf{MDDH}}\) assumption in \({\mathbb {G}}_2\) was sufficient. However, in our case, the MDDH assumption only in the source group \({\mathbb {G}}_2\) is not sufficient to shift the sum \(\sum _{i \in [2, N]} f({\varvec{x}}_i)^{\top } {\varvec{z}}_i\) to the first ciphertext component without changing the adversary’s view. Thus, we consider the bilateral MDDH (bMDDH) assumption [5, 31, 67] which allows the vector components to be available in the exponent of both the source groups \({\mathbb {G}}_1, {\mathbb {G}}_2\):

$$\begin{aligned} \{[\![{\varvec{y}}]\!]_1, [\![{\varvec{y}}]\!]_2, [\![{\varvec{y}}^{\top }{\varvec{w}}_i]\!]_1, [\![{\varvec{y}}^{\top }{\varvec{w}}_i]\!]_2\} {\mathop {\approx }\limits ^{c}} \{[\![{\varvec{y}}]\!]_1, [\![{\varvec{y}}]\!]_2, [\![{\varvec{u}}]\!]_1, [\![{\varvec{u}}]\!]_2\} \end{aligned}$$

where \({\varvec{u}}\) is uniform.

The second and more subtle obstacle arises in handling the pre-ciphertext secret key queries in the simulated game. The simulator algorithm of [3] uses the simulator of the underlying one-slot scheme to simulate the ciphertext and secret key components for the first slot while it generates all other ciphertexts and secret key components normally. Now recall that in the simulated adaptive security game, the simulator embeds the outputs of all the functions \(\{f_q\}_{q\in [Q_{{\textsf {pre}}}]}\), for which the pre-ciphertext secret key queries are made, on the challenge message \(\{({\varvec{x}}_i, {\varvec{z}}_i)\}_{i \in [N]}\), that is, the values \(\{\sum _{i\in [N]} f_q({\varvec{x}}_i)^\top {\varvec{z}}_i \}_{q\in [Q_{{\textsf {pre}}}]}\) into the challenge ciphertext. Since the simulator is only generating the ciphertext and secret key components for the first slot in simulated format, we must embed the functional values \(\{\sum _{i\in [N]} f_q({\varvec{x}}_i)^\top {\varvec{z}}_i \}_{q\in [Q_{{\textsf {pre}}}]}\) into the ciphertext component corresponding to the first slot. As for the one-slot scheme, we aim to make use of the pre-image sampling procedure for this embedding. However, this means we need to solve the system of equations \(\{f_q({\varvec{x}}_1)^\top {\varvec{d}}_1 + {\varvec{y}}_q^\top {\varvec{d}}_2 = \sum _{i\in [N]} f_q({\varvec{x}}_i)^\top {\varvec{z}}_i\}_{q \in [Q_{\textsf {pre}}]}\) for \(({\varvec{d}}_1, {\varvec{d}}_2)\). Clearly, this system of equations may not possess a solution since the right-hand side contains the sum of the functional values for all the slots while the left-hand side only involves entries corresponding to the first slot. Further, even if a solution exists information theoretically, finding it in polynomial time may not be possible given the fact that the simulator does not receive the vectors \(\{{\varvec{y}}_q\}_{q \in [Q_{\textsf {pre}}]}\) in the clear, rather in the exponent of group elements.

In fact, there is no known technique to solve a system of linear equations efficiently if the co-efficient matrix is provided in the exponent of a pairing group, rather than given in the clear. We observe that if the number of pre-ciphertext queries is known in advance then the functional values corresponding to those secret key queries can be directly hardwired into the vectors linked with the ciphertext. In other words, we add more hidden subspaces, one for each pre-ciphertext query, to our current system. It enables successful decryption of the challenge ciphertext by all the pre-ciphertext key queries. We emphasize that the number of post-ciphertext secret key queries can still be arbitrary (but polynomially bounded) since the reduction directly hardwires the functional value into the secret keys while simulating such queries of the adversary.

To implement this idea, rather than solving the above system of equations, we instead solve the system of equations

$$\begin{aligned} f_q({\varvec{x}}^*)^\top {\varvec{d}}_1 + {\varvec{y}}_q^\top {\varvec{d}}_2 + {\varvec{e}}_q^\top {\varvec{d}}_3 = \sum _{i\in [N]} f_q({\varvec{x}}_i)^\top {\varvec{z}}_i, \text { where }q \in [Q_{\textsf {pre}}] \end{aligned}$$

for \(({\varvec{d}}_1, {\varvec{d}}_2, {\varvec{d}}_3)\), where \({\varvec{e}}_q\) is the q-th unit vector. Note that this system of equations can be easily solved by sampling the vectors \({\varvec{d}}_1, {\varvec{d}}_2\) randomly and then setting the q-th entry of the vector \({\varvec{d}}_3\) to be \(\sum _{i\in [N]} f_q({\varvec{x}}_i)^\top {\varvec{z}}_i - f_q({\varvec{x}}^*)^\top {\varvec{d}}_1 - {\varvec{y}}_q^\top {\varvec{d}}_2\) for all \(q \in [Q_{\textsf {pre}}]\). We note that the q-th entry of the vector \({\varvec{d}}_3\) is used to hardwire the functional value corresponding to the q-th pre-ciphertext query. However, this strategy would necessitate the introduction of \(Q_{\textsf {pre}}\) many additional subspaces into the ciphertext and secret key components for the underlying one-slot extFE scheme to accommodate for \({\varvec{d}}_3\). (Those subspaces will contain 0s in the real scheme and only become active in the security proof). This, in turn, requires setting a bound on \(Q_{\textsf {pre}}\), that is, the number of pre-ciphertext secret key queries, for both the underlying extFE scheme and the resulting ubdFE scheme. We provide further details in the security analysis of the extFE scheme.
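The three pre-image sampling situations discussed in this overview, side by side, as an added example that is not code from the paper: the one-slot dummy vector \({\varvec{d}}\) found by Gaussian elimination over \({\mathbb {Z}}_p\), the first-slot-only system that can be inconsistent, and the hardwiring through \({\varvec{d}}_3\) that always succeeds. The toy modulus, weight functions, vectors and names are constructed, \({\varvec{x}}^*\) is taken to be \({\varvec{x}}_1\), and every \({\varvec{y}}_q\) is handled in the clear so the equations can be checked, whereas the paper's simulator only receives \({\varvec{y}}_q\) in the exponent.

```python
import secrets

P = 1019  # toy prime modulus (constructed; the scheme's p is a large group order)


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P


def solve_mod_p(A, b):
    """One solution of A d = b over Z_P (free variables random), or None."""
    cols = len(A[0])
    M = [[a % P for a in row] + [rhs % P] for row, rhs in zip(A, b)]
    pivots = []
    for c in range(cols):
        r = len(pivots)
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, P)
        M[r] = [v * inv % P for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                factor = M[i][c]
                M[i] = [(v - factor * w) % P for v, w in zip(M[i], M[r])]
        pivots.append(c)
    if any(row[cols] for row in M[len(pivots):]):
        return None  # an all-zero row with a non-zero right-hand side
    d = [secrets.randbelow(P) for _ in range(cols)]  # free variables stay random
    for r, c in enumerate(pivots):
        d[c] = (M[r][cols] - sum(M[r][j] * d[j] for j in range(cols) if j != c)) % P
    return d


# Constructed data: N = 2 slots (x_i, z_i) and Q_pre = 3 key queries (f_q, y_q).
SLOTS = [((2, 3), (5, 7, 1)), ((1, 4), (6, 2, 3))]
QUERIES = [
    (lambda x: (x[0] * x[1], x[0] + 1, x[1]), (1, 1)),
    (lambda x: (x[0] * x[1], x[1], x[1]), (1, 1)),  # agrees with the first on x_1 only
    (lambda x: (x[0], x[0] * x[0], 1), (2, 5)),
]


def targets(queries, slots):
    """sum_i f_q(x_i)^T z_i for every query q: the values that must be reproduced."""
    return [sum(dot(f(x), z) for x, z in slots) % P for f, _ in queries]


def one_slot_dummy(queries, x_star, z_star):
    """One-slot case: d with f_q(x*)^T d = f_q(x*)^T z* for all q."""
    F = [f(x_star) for f, _ in queries]
    return solve_mod_p(F, [dot(row, z_star) for row in F])


def naive_first_slot(queries, slots):
    """Try f_q(x_1)^T d1 + y_q^T d2 = sum_i f_q(x_i)^T z_i with first-slot entries."""
    x1 = slots[0][0]
    A = [list(f(x1)) + list(y) for f, y in queries]
    return solve_mod_p(A, targets(queries, slots))


def hardwired(queries, slots):
    """Random d1, d2; entry q of d3 absorbs the remainder of equation q."""
    x_star = slots[0][0]  # assumption of this example: x* is the first slot's x
    d1 = [secrets.randbelow(P) for _ in range(len(slots[0][1]))]
    d2 = [secrets.randbelow(P) for _ in range(len(queries[0][1]))]
    d3 = [(t - dot(f(x_star), d1) - dot(y, d2)) % P
          for (f, y), t in zip(queries, targets(queries, slots))]
    return d1, d2, d3


if __name__ == "__main__":
    print("one-slot dummy d :", one_slot_dummy(QUERIES, *SLOTS[0]))
    print("first-slot system:", naive_first_slot(QUERIES, SLOTS))  # inconsistent
    print("hardwired d1,d2,d3:", hardwired(QUERIES, SLOTS))
```

The length of `d3` equals the number of pre-ciphertext queries, which is why the construction has to fix a bound on \(Q_{\textsf {pre}}\) in advance.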

Based on the bMDDH assumption and the above pre-image sampling strategy, we are able to show that the ubdFE scheme provides adaptive simulation-based security against a bounded number of pre-ciphertext secret key queries and an arbitrary polynomial number of post-ciphertext secret key queries if the underlying extFE scheme is adaptive simulation secure against that many secret key queries.

3 Preliminaries

In this section, we provide the necessary definitions and background that will be used in the sequel.

3.1 Notations

We denote by \(\lambda \) the security parameter that belongs to the set of natural numbers \({\mathbb {N}}\) and \(1^{\lambda }\) denotes its unary representation. We use the notation \(s \leftarrow S\) to indicate the fact that s is sampled uniformly at random from the finite set S. For a distribution \({\mathcal {X}}\), we write \(x \leftarrow {\mathcal {X}}\) to denote that x is sampled at random according to distribution \({\mathcal {X}}\). A function \({\textsf {negl}}: {\mathbb {N}} \rightarrow {\mathbb {R}}\) is said to be a negligible function of \(\lambda \), if for every \(c \in {\mathbb {N}}\) there exists a \(\lambda _c \in {\mathbb {N}}\) such that for all \(\lambda > \lambda _c\), \(|{\textsf {negl}}(\lambda )|< \lambda ^{-c}\).

Let Expt be an interactive security experiment played between a challenger and an adversary, which always outputs a single bit. We assume that \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {C}}}\) is a function of \(\lambda \) and it is parametrized by an adversary \({\mathcal {A}}\) and a cryptographic protocol \({\textsf {C}}\). Let \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {C}}, 0}\) and \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {C}}, 1}\) be two such experiments. The experiments are computationally/statistically indistinguishable if for any PPT/computationally unbounded adversary \({\mathcal {A}}\) there exists a negligible function negl such that for all \(\lambda \in {\mathbb {N}}\),

$$\begin{aligned} {\textsf {Adv}}_{{\mathcal {A}}}^{{\textsf {C}}}(\lambda ) = |{\text {Pr}}[1 \leftarrow {\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {C}}, 0}(1^{\lambda })] - {\text {Pr}}[1 \leftarrow {\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {C}}, 1}(1^{\lambda })]| < {\textsf {negl}}(\lambda ) \end{aligned}$$

We write \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {C}}, 0} {\mathop {\approx }\limits ^{c}} {\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {C}}, 1}\) if they are computationally indistinguishable (or simply indistinguishable). Similarly, \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {C}}, 0} {\mathop {\approx }\limits ^{s}} {\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {C}}, 1}\) means statistically indistinguishable and \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {C}}, 0} \equiv {\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {C}}, 1}\) means they are identically distributed.

For \(n \in {\mathbb {N}}\), we denote by [n] the set \(\{1, 2, \ldots , n\}\) and for \(n, m \in {\mathbb {N}}\) with \(n < m\), we denote by [n, m] the set \(\{n, n+1, \ldots , m\}\). We use lowercase boldface, e.g., \({\varvec{v}}\), to denote column vectors in \({\mathbb {Z}}_p^n\) and uppercase boldface, e.g., \({\textbf{M}}\), to denote matrices in \({\mathbb {Z}}_p^{n \times m}\) for \(p,n,m \in {\mathbb {N}}\). The i-th component of a vector \({\varvec{v}} \in {\mathbb {Z}}_p^n\) is written as \({\varvec{v}}[i]\) and the (i, j)-th element of a matrix \({\textbf{M}} \in {\mathbb {Z}}_p^{n \times m}\) is denoted by \({\textbf{M}}[i, j]\). The transpose of a matrix \({\textbf{M}}\) is denoted by \({\textbf{M}}^{\top }\) such that \({\textbf{M}}^{\top }[i, j] = {\textbf{M}}[j, i]\). To write a vector of length n with all zero elements, we write \({\varvec{0}}_n\) or simply \({\varvec{0}}\) when the length is clear from the context. Let \({\varvec{u}}, {\varvec{v}} \in {\mathbb {Z}}_p^n\), then the inner product between the vectors is denoted as \({{\varvec{u}}} \cdot {{\varvec{v}}} = {\varvec{u}}^{\top } {\varvec{v}} = \sum _{i \in [n]} {\varvec{u}}[i]{\varvec{v}}[i] \in {\mathbb {Z}}_p\).

Let \(f: {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p\) be an affine function with coefficient vector \({\textbf{f}} = ({\textbf{f}}[{\textsf {const}}], {\textbf{f}}[{\textsf {coef}}_1], \ldots , {\textbf{f}}[{\textsf {coef}}_n])\). Then for any \({\varvec{x}} \in {\mathbb {Z}}_p^n\), we have

$$\begin{aligned} f({\varvec{x}}) = {\textbf{f}}[{\textsf {const}}] + \sum _{i \in [n]} {\textbf{f}}[{\textsf {coef}}_i] {\varvec{x}}[i] \in {\mathbb {Z}}_p. \end{aligned}$$

3.2 Bilinear groups and hardness assumptions

We use a pairing group generator \({\mathcal {G}}\) that takes as input \(1^{\lambda }\) and outputs a tuple \({{\textsf{G}}} = ({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e)\) where \({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T\) are groups of prime order \(p = p(\lambda )\) and \(g_i\) is a generator of the group \({\mathbb {G}}_i\) for \(i \in \{1, 2\}\). The map \(e : {\mathbb {G}}_1 \times {\mathbb {G}}_2 \rightarrow {\mathbb {G}}_T\) satisfies the following properties:

  • bilinear: \(e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}\) for all \(a, b \in {\mathbb {Z}}_p\).

  • non-degenerate: \(e(g_1, g_2)\) generates \({\mathbb {G}}_T\).

The group operations in \({\mathbb {G}}_i\) for \(i \in \{1, 2, T\}\) and the map e are efficiently computable in deterministic polynomial time in the security parameter \(\lambda \). For a matrix \({\textbf{A}}\) and each \(i \in \{1, 2, T\}\), we use the notation \([\![{\textbf{A}}]\!]_i\) to denote \(g_i^{{\textbf{A}}}\) where the exponentiation is element-wise. The group operation is written additively while using the bracket notation, i.e. \([\![{\textbf{A}} + {\textbf{B}}]\!]_i = [\![{\textbf{A}}]\!]_i + [\![{\textbf{B}}]\!]_i\) for matrices \({\textbf{A}}\) and \({\textbf{B}}\). Observe that, given \({\textbf{A}}\) and \([\![{\textbf{B}}]\!]_i\), we can efficiently compute \([\![{\textbf{A}}{\textbf{B}}]\!]_i = {\textbf{A}}\cdot [\![{\textbf{B}}]\!]_i\). We write the pairing operation multiplicatively, i.e. \(e([\![{\textbf{A}}]\!]_1, [\![{\textbf{B}}]\!]_2) = [\![{\textbf{A}}]\!]_1[\![{\textbf{B}}]\!]_2 = [\![{\textbf{A}}{\textbf{B}}]\!]_T\).

Assumption 1

(Matrix Diffie–Hellman Assumption) Let \(k = k(\lambda ), \ell = \ell (\lambda ), q = q(\lambda )\) be positive integers. We say that the \({\textsf{MDDH}}_{k, \ell }^q\) assumption holds in \({\mathbb {G}}_i\) (\(i \in \{1, 2, T\}\)) if for all PPT adversaries \({\mathcal {A}}\) there exists a negligible function \({\textsf{negl}}\) such that

$$\begin{aligned} {{\textsf {Adv}}}_{{\mathcal {A}}}^{{\textsf{MDDH}}_{k, \ell }^q}(\lambda )&= |{Pr}[1 \leftarrow {\mathcal {A}}({{\textsf{G}}}, [\![{\textbf{A}}]\!]_i, [\![{\textbf{S}}^{\top }{\textbf{A}}]\!]_i)] - {Pr}[1 \leftarrow {\mathcal {A}}({{\textsf{G}}}, [\![{\textbf{A}}]\!]_i, [\![{\textbf{U}}]\!]_i)]| \\&< {{\textsf {negl}}}(\lambda ) \end{aligned}$$

where \({{\textsf{G}}} = ({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e) \leftarrow {\mathcal {G}}(1^{\lambda }), {\textbf{A}} \leftarrow {\mathbb {Z}}_p^{k \times \ell }, {\textbf{S}} \leftarrow {\mathbb {Z}}_p^{k \times q}\) and \({\textbf{U}} \leftarrow {\mathbb {Z}}_p^{q \times \ell }\).

Escala et al. [31] showed that the k-Linear (\(k\text {-}{\textsf{Lin}}\)) assumption [16] implies \({\textsf{MDDH}}_{k, k+1}^1\) and \({\textsf{MDDH}}_{k, k+1}^1\) implies \({\textsf{MDDH}}_{k, \ell }^q\) for all \(k, q \in {\mathbb {N}}\) and \(\ell > k\) with a tight security reduction. Henceforth, we will use \({\textsf{MDDH}}_k\) to denote \({\textsf{MDDH}}_{k,k+1}^1\).

We consider the bilateral \({\textsf{MDDH}}_{k, \ell }^q\) assumption, which is a strengthening of the \({\textsf{MDDH}}_{k, \ell }^q\) assumption. The bilateral \({\textsf{MDDH}}_{k, \ell }^q\) assumption is defined as follows.

Assumption 2

(Bilateral Matrix Diffie–Hellman Assumption) Let \(k = k(\lambda ), \ell = \ell (\lambda ), q = q(\lambda )\) be positive integers. We say that the bilateral \({\textsf{MDDH}}_{k, \ell }^q\) \({(}{\textsf{bMDDH}}_{k, \ell }^q{)}\) assumption holds if for all PPT adversaries \({\mathcal {A}}\) there exists a negligible function \({\textsf{negl}}\) such that

$$\begin{aligned}{} & {} {{\textsf {Adv}}}_{{\mathcal {A}}}^{{\textsf{bMDDH}}_{k, \ell }^q}(\lambda ) = |{Pr}[1 \leftarrow {\mathcal {A}}({{\textsf{G}}}, \{[\![{\textbf{A}}]\!]_i, [\![{\textbf{S}}^{\top }{\textbf{A}}]\!]_i\}_{i \in \{1, 2\}})] \\{} & {} \quad - {Pr}[1 \leftarrow {\mathcal {A}}({{\textsf{G}}}, \{[\![{\textbf{A}}]\!]_i, [\![{\textbf{U}}]\!]_i\}_{i \in \{1, 2\}})]| < {{\textsf {negl}}}(\lambda ) \end{aligned}$$

where \({{\textsf{G}}} = ({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e) \leftarrow {\mathcal {G}}(1^{\lambda }), {\textbf{A}} \leftarrow {\mathbb {Z}}_p^{k \times \ell }, {\textbf{S}} \leftarrow {\mathbb {Z}}_p^{k \times q}\) and \({\textbf{U}} \leftarrow {\mathbb {Z}}_p^{q \times \ell }\).

We consider the following lemma which will be useful in our security proof. This lemma is a direct adaptation of Lemma 1 of [3] in the context of \({\textsf{bMDDH}}\).

Lemma 1

For any \(Q \in {\mathbb {N}}\) and \(\{\mu _q\}_{q \in [Q]} \in {\mathbb {Z}}_p\), we have

$$\begin{aligned}&\{ [\![-{\varvec{w}}^{\top } {\varvec{y}}_q]\!]_1, [\![-{\varvec{w}}^{\top } {\varvec{y}}_q]\!]_2,{} & {} [\![\mu _q + {\varvec{w}}^{\top } {\varvec{y}}_q]\!]_1, [\![\mu _q+ {\varvec{w}}^{\top } {\varvec{y}}_q]\!]_2,{} & {} [\![{\varvec{y}}_q]\!]_1, [\![{\varvec{y}}_q]\!]_2\}_{q \in [Q]}, \\ {\mathop {\approx }\limits ^{c}}&\{ [\![\mu _q - {\varvec{w}}^{\top } {\varvec{y}}_q]\!]_1, [\![\mu _q-{\varvec{w}}^{\top } {\varvec{y}}_q]\!]_2,{} & {} [\![ {\varvec{w}}^{\top } {\varvec{y}}_q]\!]_1, [\![{\varvec{w}}^{\top } {\varvec{y}}_q]\!]_2,{} & {} [\![{\varvec{y}}_q]\!]_1, [\![{\varvec{y}}_q]\!]_2\}_{q \in [Q]} \end{aligned}$$

where \({\varvec{w}}, \{{\varvec{y}}_q\}_{q\in [Q]} \leftarrow {\mathbb {Z}}_p^k\), under the \({\textsf{bMDDH}}_{k,Q}^1\) assumption. More specifically, for any adversary \({\mathcal {A}}\) distinguishing the two distributions, there exists an adversary \({\mathcal {B}}\) against the \({\textsf{bMDDH}}_{k,Q}^1\) problem such that the distinguishing advantage of \({\mathcal {A}}\) is bounded by \(2\cdot {\textsf{Adv}}^{{\textsf{bMDDH}}_{k, Q}^1}_{{\mathcal {B}}}(\lambda )\).

Proof

The lemma can be proved by three simple hybrids as follows:

where \(u_q\) is uniform over \({\mathbb {Z}}_p\). The first computational indistinguishability holds due to \({\textsf{bMDDH}}_{k, Q}^1\) assumption. The second indistinguishability is statistical as we have changed the variable \(u_q\) by \(u_q-\mu _q\) where both \(\mu _q, u_q\) are uniform over \({\mathbb {Z}}_p\). Finally, the last computational indistinguishability holds again due to \({\textsf{bMDDH}}_{k, Q}^1\) assumption. \(\square \)

3.3 Arithmetic branching program

An Arithmetic Branching Program (ABP) is a computational model [54] that can be used to model boolean formulas, boolean branching programs or arithmetic formulas through a linear time reduction with a constant blow-up in their respective sizes. In this work, we consider ABPs over \({\mathbb {Z}}_p\).

Definition 1

(Arithmetic Branching Program) An arithmetic branching program (ABP) over \({\mathbb {Z}}_p^n\) is a weighted directed acyclic graph \((V, E, \phi , v_0, v_1)\), where V is the set of all vertices, E is the set of all edges, \(\phi : E \rightarrow ({\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p)\) specifies an affine weight function for each edge, and \(v_0, v_1 \in V\) are two distinguished vertices (called the source and the sink respectively). The in-degree of \(v_0\) and the out-degree of \(v_1\) are 0. It computes a function \(f : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p\) given by

$$\begin{aligned} \displaystyle f({\varvec{x}}) = \sum _{P \in {\mathfrak {P}}} \prod _{e \in P} \phi (e)({\varvec{x}}) \end{aligned}$$

where \({\mathfrak {P}}\) is the set of all \(v_0\text {-}v_1\) paths and \(e \in P\) denotes an edge in the path \(P \in {\mathfrak {P}}\). The size of the ABP is |V|, the number of vertices.

We denote by \({\mathcal {F}}_{{\textsf {ABP}}}^{(n)}\) the class of ABPs over \({\mathbb {Z}}_p^n\):

$$\begin{aligned} {\mathcal {F}}_{{\textsf {ABP}}}^{(n)} = \{f | f \text { is an }{\textsf {ABP}} \text { over } {\mathbb {Z}}_p ^n \text { for some prime } p \text { and positive integer } n\} \end{aligned}$$

The class of ABPs can be extended in a coordinate-wise manner to ABPs \(f : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p^{n^{\prime }}\). More precisely, an ABP \(f : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p^{n^{\prime }}\) has all its weight functions \(\phi = (\phi _1, \ldots , \phi _{n^{\prime }}) : E \rightarrow ({\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p^{n^{\prime }})\) with each coordinate function \(\phi _t\) for \(t\in [n^{\prime }]\) of \(\phi \) being an affine function in \({\varvec{x}}\) having scalar constants and coefficients. Therefore, such a function f can be viewed as \(f=(f_1, \ldots , f_{n^{\prime }})\) with each coordinate function \(f_t : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p\) being an ABP that has the same underlying graph structure as that of f and having \(\phi _t : E \rightarrow ({\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p)\) as the weight functions. The class of all such functions is given by

$$\begin{aligned} {\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })} = \{f = (f_1, \ldots , f_{n^{\prime }}):{\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p^{(n^{\prime })} | f_t \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n)} \text { for } t \in [n^{\prime }]\} \end{aligned}$$

Thus \({\mathcal {F}}_{{{\textsf {ABP}}}}^{(n)}\) can alternatively be viewed as \({\mathcal {F}}_{{\textsf {ABP}}}^{(n, 1)}\).

Lemma 2

([40]) Let \(f = (V, E, \phi , v_0, v_1) \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n, 1)}\) be an \({\textsf{ABP}}\) of size m and \(v_0, v_2, \ldots , v_{m-1}, v_1\) be sorted topologically. Let \({\textbf{M}}\) be a square matrix of order \((m-1)\) defined by

$$\begin{aligned} {\textbf{M}}[i+1, j] = {\left\{ \begin{array}{ll} 0, &{} i > j; \\ -1, &{} i =j;\\ 0, &{} i< j, e_{i, j} = (v_i, v_j) \not \in E;\\ \phi (e_{i, j}), &{} i<j, e_{i, j} = (v_i, v_j) \in E. \end{array}\right. } \end{aligned}$$

Then the entries of \({\textbf{M}}\) are affine in \({\varvec{x}}\) and \(f({\varvec{x}}) = {det}({\textbf{M}})\).

3.4 Functional encryption for attribute-weighted sum

We formally present the syntax of FE for attribute-weighted sum and define adaptive simulation security of the primitive. We consider the function class \({\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })}\) and message space \({\mathcal {M}} = ({\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }})^* \).

Definition 2

(The Attribute-Weighted Sum Functionality) For any \(n, n^{\prime } \in {\mathbb {N}}\), the class of attribute-weighted sum functionalities is defined as

$$\begin{aligned} \left\{ ({\varvec{x}}\in {\mathbb {Z}}_p^n, {\varvec{z}}\in {\mathbb {Z}}_p^{n^{\prime }}) \mapsto f({\varvec{x}})^\top {\varvec{z}} = \sum _{t\in [n^{\prime }]} f_t({\varvec{x}}){\varvec{z}}[t] \mid f=(f_1, \ldots , f_{n^{\prime }}) \in {\mathcal {F}}_{{\textsf{ABP}}}^{(n, n^{\prime })}\right\} \end{aligned}$$

Definition 3

(Functional Encryption for Attribute-Weighted Sum) An unbounded-slot FE for attribute-weighted sum associated to the function class \({\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })}\) and the message space \({\mathcal {M}}\) consists of four PPT algorithms defined as follows:

The setup algorithm takes as input a security parameter \(\lambda \) along with two positive integers \(n, n^{\prime }\) representing the lengths of message vectors. It outputs the master secret-key \({\textsf{MSK}}\) and the master public-key \({\textsf{MPK}}\).

The key generation algorithm takes as input \({\textsf{MSK}}\) and a function \(f \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })}\). It outputs a secret-key \({\textsf{SK}}_f\) and makes f available publicly.

The encryption algorithm takes as input \({\textsf{MPK}}\) and a message \(({\varvec{x}}_i, {\varvec{z}}_i)_{i \in [N]} \in ({\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }})^*\). It outputs a ciphertext \({\textsf{CT}}\) and makes \(({\varvec{x}}_i)_{i \in [N]}\) available publicly.

The decryption algorithm takes as input \({\textsf{SK}}_f\) and \({\textsf{CT}}\) along with f and \(({\varvec{x}}_i)_{i \in [N]}\). It outputs a value in \({\mathbb {Z}}_p\).

Correctness The unbounded-slot FE for attribute-weighted sum is said to be correct if for all \(({\varvec{x}}_i, {\varvec{z}}_i)_{i \in [N]} \in ({\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }})^*\) and \(f \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })}\), we get

We consider adaptive simulation-based security of FE for attribute-weighted sum.

Definition 4

Let (Setup, KeyGen, Enc, Dec) be an unbounded-slot FE for attribute-weighted sum for function class \({\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })}\) and message space \({\mathcal {M}}\). The scheme is said to be \((Q_{{\textsf {pre}}}, Q_{{\textsf{CT}}}, Q_{{\textsf {post}}})\)-adaptively simulation secure if for any PPT adversary \({\mathcal {A}}\) making at most \(Q_{\textsf{CT}}\) ciphertext queries and \(Q_{{\textsf {pre}}}, Q_{{\textsf {post}}}\) secret key queries before and after the ciphertext queries respectively, we have \({{\textsf {Expt}}}_{{\mathcal {A}}}^{{{\textsf {Real}}},{{\textsf {ubdFE}}}}(1^{\lambda }) {\mathop {\approx }\limits ^{c}} {{\textsf {Expt}}}_{{\mathcal {A}}}^{{{\textsf {Ideal}}},{{\textsf {ubdFE}}}}(1^{\lambda })\), where the experiments are defined as follows. Also, an unbounded-slot FE for attribute-weighted sums is said to be \(({\textsf{poly}}, Q_{{\textsf{CT}}}, {\textsf{poly}})\)-adaptively simulation secure if it is \((Q_{{\textsf {pre}}}, Q_{{\textsf{CT}}}, Q_{{\textsf {post}}})\)-adaptively simulation secure with \(Q_{{\textsf {pre}}}\) and \(Q_{{\textsf {post}}}\) being unbounded polynomials in the security parameter \(\lambda \).

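[Figure c: the experiments \({{\textsf {Expt}}}_{{\mathcal {A}}}^{{{\textsf {Real}}},{{\textsf {ubdFE}}}}(1^{\lambda })\) and \({{\textsf {Expt}}}_{{\mathcal {A}}}^{{{\textsf {Ideal}}},{{\textsf {ubdFE}}}}(1^{\lambda })\)]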

3.5 Function-hiding slotted inner product functional encryption

A slotted inner product functional encryption (slotted IPFE), as defined by Lin and Luo [49], is a hybrid variant of secret-key and public-key IPFE. More specifically, the index set S of the vectors is partitioned into two sets \(S_{{\textsf {pub}}}\) containing public slots and \(S_{{\textsf {priv}}}\) containing the private slots. While computing secret-keys, the slotted IPFE encodes elements of the vector in public/private slots using the master secret-key, similar to the case of secret-key IPFE. However, the encryption procedure is only allowed to encode vector elements in the public slots using master public-key as is the case for public-key IPFE. Lin and Luo [49] demonstrated that slotted IPFE lets us use the dual system encryption techniques [45, 46, 64] during the security analysis of the cryptographic constructions built from it. Following Lin and Luo [49], we consider the definition of slotted IPFE with respect to some pairing group, that is, all the vectors and inner products in the scheme are encoded in the exponent of the underlying pairing group.

We present the formal notion of slotted IPFE almost verbatim from [49].

Definition 5

(Slotted Inner Product Functional Encryption, [49]) Let \({{\textsf{G}}} = ({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e)\) be a tuple of pairing groups of prime order p. A slotted inner product functional encryption (IPFE) scheme based on \({{\textsf{G}}}\) consists of 5 efficient algorithms:

The setup algorithm takes as input a security parameter \(\lambda \) and two disjoint index sets, the public slot \(S_{{{\textsf {pub}}}}\) and the private slot \(S_{{{\textsf {priv}}}}\). It outputs the master secret-key \({\textsf{IPFE}}.{\textsf{MSK}}\) and the master public-key \({\textsf{IPFE}}.{\textsf{MPK}}\). Let \(S = S_{{{\textsf {pub}}}} \cup S_{{{\textsf {priv}}}}\) be the whole index set and \(|S|, |S_{{{\textsf {pub}}}}|, |S_{{{\textsf {priv}}}}|\) denote the number of indices in S, \(S_{{{\textsf {pub}}}}\) and \(S_{{{\textsf {priv}}}}\) respectively.

The key generation algorithm takes as input \({\textsf{IPFE}}.{\textsf{MSK}}\) and a vector \([\![{\varvec{v}}]\!]_2 \in {\mathbb {G}}_2^{|S|}\). It outputs a secret-key \({\textsf{IPFE}}.{\textsf{SK}}\) for \({\varvec{v}} \in {\mathbb {Z}}_p^{|S|}\).

The encryption algorithm takes as input \({\textsf{IPFE}}.{\textsf{MSK}}\) and a vector \([\![{\varvec{u}}]\!]_1 \in {\mathbb {G}}_1^{|S|}\). It outputs a ciphertext \({\textsf{IPFE}}.{\textsf{CT}}\) for \({\varvec{u}} \in {\mathbb {Z}}_p^{|S|}\).

The decryption algorithm takes as input a secret-key \({\textsf{IPFE}}.{\textsf{SK}}\) and a ciphertext \({\textsf{IPFE}}.{\textsf{CT}}\). It outputs an element from \({\mathbb {G}}_T\).

The slot encryption algorithm takes as input \({\textsf{IPFE}}.{\textsf{MPK}}\) and a vector \([\![{\varvec{u}}]\!]_1 \in {\mathbb {G}}_1^{|S_{{{\textsf {pub}}}}|}\). It outputs a ciphertext \({\textsf{IPFE}}.{\textsf{CT}}\) for \(({\varvec{u}}|| {\varvec{0}}_{|S_{{{\textsf {priv}}}}|}) \in {\mathbb {Z}}_p^{|S|}\).

Correctness The correctness of a slotted IPFE scheme requires the following two properties.

  • Decryption Correctness: The slotted IPFE is said to satisfy decryption correctness if for all \({\varvec{u}}, {\varvec{v}} \in {\mathbb {Z}}_p^{|S|}\), we have

  • Slot-Mode Correctness: The slotted IPFE is said to satisfy the slot-mode correctness if for all vectors \({\varvec{u}} \in {\mathbb {Z}}_p^{|S_{{{\textsf {pub}}}}|}\), we have

    $$\begin{aligned}&\Bigg \{ ({\textsf{IPFE}}.{\textsf{MSK}}, {\textsf{IPFE}}.{\textsf{MPK}}, {\textsf{IPFE}}.{\textsf{CT}}) : \begin{array}{l} ({\textsf{IPFE}}.{\textsf{MSK}}, {\textsf{IPFE}}.{\textsf{MPK}}) \leftarrow {{\textsf {Setup}}}(1^{\lambda }, S_{{{\textsf {pub}}}}, S_{{{\textsf {priv}}}}), \\ {\textsf{IPFE}}.{\textsf{CT}}\leftarrow {{\textsf {Enc}}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{u}}|| {\varvec{0}}_{|S_{{{\textsf {priv}}}}|}]\!]_1) \end{array} \Bigg \}, \\ \equiv&\Bigg \{ ({\textsf{IPFE}}.{\textsf{MSK}}, {\textsf{IPFE}}.{\textsf{MPK}}, {\textsf{IPFE}}.{\textsf{CT}}) : \begin{array}{l} ({\textsf{IPFE}}.{\textsf{MSK}}, {\textsf{IPFE}}.{\textsf{MPK}}) \leftarrow {{\textsf {Setup}}}(1^{\lambda }, S_{{{\textsf {pub}}}}, S_{{{\textsf {priv}}}}), \\ {\textsf{IPFE}}.{\textsf{CT}}\leftarrow {{\textsf {SlotEnc}}}({\textsf{IPFE}}.{\textsf{MPK}}, [\![{\varvec{u}}]\!]_1) \end{array} \Bigg \} \end{aligned}$$

Security Let \(({\textsf{IPFE}}.{{\textsf {Setup}}}, {\textsf{IPFE}}.{{\textsf {KeyGen}}}, {\textsf{IPFE}}.{{\textsf {Enc}}}, {\textsf{IPFE}}.{{\textsf {Dec}}}, {\textsf{IPFE}}.{{\textsf {SlotEnc}}})\) be a slotted IPFE. The scheme is said to be adaptively function-hiding secure if for all PPT adversaries \({\mathcal {A}}\), we have \({{\textsf {Expt}}}_{{\mathcal {A}}}^{{{\textsf {FH-IPFE}}}}(1^{\lambda }, 0) {\mathop {\approx }\limits ^{c}} {{\textsf {Expt}}}_{{\mathcal {A}}}^{{{\textsf {FH-IPFE}}}}(1^{\lambda }, 1)\), where the experiment \({{\textsf {Expt}}}_{{\mathcal {A}}}^{{{\textsf {FH-IPFE}}}}(1^{\lambda }, b)\) for \(b \in \{0,1\}\) is defined as follows:

[Figure d: the experiment \({{\textsf {Expt}}}_{{\mathcal {A}}}^{{{\textsf {FH-IPFE}}}}(1^{\lambda }, b)\)]

where \({\varvec{v}}_j|_{S_{{{\textsf {pub}}}}}\) represents the elements of \({\varvec{v}}_j\) sitting at the indices in \(S_{{{\textsf {pub}}}}\).

Lemma 3

([48, 49]) Let \({{\textsf{G}}} = ({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e)\) be a tuple of pairing groups of prime order p and \(k \ge 1\) an integer constant. If \({{\textsf {MDDH}}}_k\) holds in both groups \({\mathbb {G}}_1, {\mathbb {G}}_2\), then there is an adaptively function-hiding secure \({\textsf{IPFE}}\) scheme based on \({{\textsf{G}}}\).

3.6 Arithmetic key garbling scheme

Lin and Luo [49] introduced arithmetic key garbling scheme (AKGS). The notion of AKGS is an information theoretic primitive, inspired by randomized encodings [13] and partial garbling schemes [41]. It garbles a function \(f: {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p\) (possibly of size \((m+1)\)) along with two secrets \(z, \beta \in {\mathbb {Z}}_p\) and produces affine label functions \(L_1, \ldots , L_{m+1} : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p\). Given f, an input \({\varvec{x}} \in {\mathbb {Z}}_p^n\) and the values \(L_1({\varvec{x}}), \ldots , L_{m+1}({\varvec{x}})\), there is an efficient algorithm which computes \(z f({\varvec{x}}) + \beta \) without revealing any information about z and \(\beta \).

Definition 6

(Arithmetic Key Garbling Scheme (AKGS), [41, 49]) An arithmetic key garbling scheme (AKGS) for a function class \({\mathcal {F}} = \{f\}\), where \(f : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p\), consists of two efficient algorithms:

The garbling is a randomized algorithm that takes as input a description of the function \(z f({\varvec{x}}) + \beta \) with \(f \in {\mathcal {F}}\) and scalars \(z, \beta \in {\mathbb {Z}}_p\) where \(z, {\varvec{x}}\) are treated as variables. It outputs \((m+1)\) affine functions \(L_1, \ldots , L_{m+1}: {\mathbb {Z}}_p^{n+1} \rightarrow {\mathbb {Z}}_p\), called label functions, that specify how the input is encoded as labels. Pragmatically, it outputs the coefficient vectors \(\varvec{\ell }_1, \ldots , \varvec{\ell }_{m+1}\).

\({\textsf {Eval}}(f, {\varvec{x}}, \ell _1, \ldots , \ell _{m+1})\) The evaluation is a deterministic algorithm that takes as input a function \(f \in {\mathcal {F}}\), an input vector \({\varvec{x}} \in {\mathbb {Z}}_p^n\) and integers \(\ell _1, \ldots , \ell _{m+1} \in {\mathbb {Z}}_p\) which are supposed to be the values of the label functions at \(({\varvec{x}}, z)\). It outputs a value in \({\mathbb {Z}}_p\).

Correctness The AKGS is said to be correct if for all \(f: {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p \in {\mathcal {F}}, z, \beta \in {\mathbb {Z}}_p\) and \({\varvec{x}} \in {\mathbb {Z}}_p^n\), we have

$$\begin{aligned} {\text {Pr}}&\Bigg [ {{\textsf {Eval}}}(f, {\varvec{x}}, \ell _1, \ldots , \ell _{m+1}) = z f({\varvec{x}}) + \beta : \begin{array}{l} (\varvec{\ell }_1, \ldots , \varvec{\ell }_{m+1}) \leftarrow {{\textsf {Garble}}}(z f({\varvec{x}}) + \beta ), \\ \ell _j \leftarrow L_j({\varvec{x}}, z) \text { for } j \in [m+1] \end{array} \Bigg ] \\&= 1 \end{aligned}$$

The scheme has deterministic shape, meaning that m is determined solely by f, independent of \(z, \beta \) and the randomness in Garble. The number of label functions, \((m+1)\), is called the garbling size of f under this scheme.

Linearity The AKGS is said to be linear if the following conditions hold:

  • \({{\textsf {Garble}}}(z f({\varvec{x}}) + \beta )\) uses a uniformly random vector \({\varvec{r}} \leftarrow {\mathbb {Z}}_p^{m^{\prime }}\) as its randomness, where \(m^{\prime }\) is determined solely by f, independent of \(z, \beta \).

  • The coefficient vectors \(\varvec{\ell }_1, \ldots , \varvec{\ell }_{m}\) produced by \({{\textsf {Garble}}}(z f({\varvec{x}}) + \beta )\) are linear in \(({\varvec{x}}, \beta , {\varvec{r}})\) whereas the vector \(\varvec{\ell }_{m+1}\) is linear in \(z, {\varvec{r}}\).

  • \({{\textsf {Eval}}}(f, {\varvec{x}}, \ell _1, \ldots , \ell _{m+1})\) is linear in \(\ell _1, \ldots , \ell _{m+1}\).

Simulation-based security In this work, we consider linear AKGS for our application. Now, we state the usual simulation-based security of AKGS, which is similar to the security of partial garbling scheme [41].

An AKGS = (Garble, Eval) for a function class \({\mathcal {F}}\) is secure if there exists an efficient algorithm SimGarble such that for all \(f: {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p, z, \beta \in {\mathbb {Z}}_p\) and \({\varvec{x}} \in {\mathbb {Z}}_p^n\), the following distributions are identically distributed:

$$\begin{aligned}{} & {} \Bigg \{ (\ell _1, \ldots , \ell _{m+1}) : \begin{array}{l} (\varvec{\ell }_1, \ldots , \varvec{\ell }_{m+1}) \leftarrow {{\textsf {Garble}}}(z f({\varvec{x}}) + \beta ), \\ \ell _j \leftarrow L_j({\varvec{x}}, z) \text { for } j \in [m+1] \end{array} \Bigg \},\\{} & {} \bigg \{ ({\widehat{\ell }}_1, \ldots , {\widehat{\ell }}_{m+1}) : ({\widehat{\ell }}_1, \ldots , {\widehat{\ell }}_{m+1}) \leftarrow {\textsf{SimGarble}}(f, {\varvec{x}}, z f({\varvec{x}}) + \beta )\bigg \} \end{aligned}$$

The simulation security of AKGS is used to obtain semi-adaptive or selective security of FE for attribute-weighted sum [3], however it is not sufficient for achieving adaptive security. We consider the piecewise security of AKGS proposed by Lin and Luo [49] where they used it to get adaptive security for ABE.

Definition 7

(Piecewise Security of AKGS, [49]) An AKGS = (Garble, Eval) for a function class \({\mathcal {F}}\) is piecewise secure if the following conditions hold:

  • The first label value is reversely sampleable from the other labels together with f and \({\varvec{x}}\). This reconstruction is perfect even given all the other label functions. Formally, there exists an efficient algorithm RevSamp such that for all \(f : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p \in {\mathcal {F}}, z, \beta \in {\mathbb {Z}}_p\) and \({\varvec{x}} \in {\mathbb {Z}}_p^n\), the following distributions are identical:

  • For the other labels, each is marginally random even given all the label functions after it. Formally, this means for all \(f : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p \in {\mathcal {F}}, z, \beta \in {\mathbb {Z}}_p, {\varvec{x}} \in {\mathbb {Z}}_p^n\) and all \(j \in [2, m+1]\), the following distributions are identical:

    $$\begin{aligned}{} & {} \Bigg \{ (\ell _{j}, \varvec{\ell }_{j+1},\ldots , \varvec{\ell }_{m+1}) : \begin{array}{l} (\varvec{\ell }_1, \ldots , \varvec{\ell }_{m+1}) \leftarrow {{\textsf {Garble}}}(z f({\varvec{x}}) + \beta ), \\ \ell _{j} \leftarrow L_j({\varvec{x}}, z)\end{array} \Bigg \},\\{} & {} \Bigg \{ (\ell _j, \varvec{\ell }_{j+1},\ldots , \varvec{\ell }_{m+1}) : \begin{array}{l} (\varvec{\ell }_1, \ldots , \varvec{\ell }_{m+1}) \leftarrow {{\textsf {Garble}}}(z f({\varvec{x}}) + \beta ), \\ \ell _j \leftarrow {\mathbb {Z}}_p \end{array} \Bigg \} \end{aligned}$$

Lemma 4

([49]) A piecewise secure AKGS = (Garble, Eval) for a function class \({\mathcal {F}}\) is also simulation secure.

We now define special structural properties of AKGS as given in [49], related to the piecewise security of it.

Definition 8

(Special Piecewise Security of AKGS, [49]) An AKGS = (Garble, Eval) for a function class \({\mathcal {F}}\) is special piecewise secure if for any \(f : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p \in {\mathcal {F}}, z, \beta \in {\mathbb {Z}}_p\) and \({\varvec{x}} \in {\mathbb {Z}}_p^n\), it has the following special form:

  • The first label value \(\ell _1\) is always non-zero, i.e., \({{\textsf {Eval}}}(f, {\varvec{x}}, 1, 0, \ldots , 0) \ne 0\) where we take \(\ell _1 = 1\) and \(\ell _j = 0\) for \(1 < j \le (m+1)\).

  • Let \({\varvec{r}} \leftarrow {\mathbb {Z}}_p^{m^{\prime }}\) be the randomness used in \({{\textsf {Garble}}}(z f({\varvec{x}}) + \beta )\). For all \(j \in [2, m+1]\), the label function \(L_j\) produced by \({{\textsf {Garble}}}(z f({\varvec{x}}) + \beta ; {\varvec{r}})\) can be written as

    $$\begin{aligned} L_j({\varvec{x}}) = k_j {\varvec{r}}[j-1] + L^{\prime }_j({\varvec{x}}; z, \beta , {\varvec{r}}[j], {\varvec{r}}[j+1], \ldots , {\varvec{r}}[m^{\prime }]) \end{aligned}$$

    where \(k_j \in {\mathbb {Z}}_p\) is a non-zero constant (not depending on \({\varvec{x}}, z, \beta , {\varvec{r}}\)) and \(L_j^{\prime }\) is an affine function of \({\varvec{x}}\) whose coefficient vector is linear in \((z, \beta , {\varvec{r}}[j], {\varvec{r}}[j+1], \ldots , {\varvec{r}}[m^{\prime }])\). The component \({\varvec{r}}[j-1]\) is called the randomizer of \(L_j\) and \(\ell _j\).

Lemma 5

([49]) A special piecewise secure AKGS = (Garble, Eval) for a function class \({\mathcal {F}}\) is also piecewise secure. The RevSamp algorithm (required in piecewise security) obtained for a special piecewise secure AKGS is linear in \(\gamma , \ell _2, \ldots , \ell _{m+1}\) and perfectly recovers \(\ell _1\) even if the randomness of Garble is not uniformly sampled. More specifically, we have the following:

$$\begin{aligned} {{\textsf {Eval}}}(f, {\varvec{x}}, \ell _1, \ldots , \ell _{m+1})&= \ell _1 {{\textsf {Eval}}}(f, {\varvec{x}}, 1, 0, \ldots , 0) + {{\textsf {Eval}}}(f, {\varvec{x}}, 0, \ell _2, \ldots , \ell _{m+1}) \end{aligned} \tag{7}$$
$$\begin{aligned} {{\textsf {RevSamp}}}(f, {\varvec{x}}, \gamma , \ell _2, \ldots , \ell _{m+1})&= ({{\textsf {Eval}}}(f, {\varvec{x}}, 1, 0, \ldots , 0))^{-1}(\gamma - {{\textsf {Eval}}}(f, {\varvec{x}}, 0, \ell _2, \ldots , \ell _{m+1})) \end{aligned} \tag{8}$$

Note that, Eq. (7) follows from the linearity of Eval and Eq. (8) ensures that RevSamp perfectly computes \(\ell _1\) (which can be verified by Eq. (7) with \(\gamma = z f({\varvec{x}}) + \beta \)).

Lemma 6

([49]) A piecewise secure AKGS = (Garble, Eval) is also special piecewise secure after an appropriate change of variable for the randomness used by Garble.
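The following added example (not code from this paper or from [49]) connects Lemma 2 with Lemma 5: it evaluates a constructed ABP both as a path sum and as \({det}({\textbf{M}})\), then garbles \(z f({\varvec{x}}) + \beta \) and checks Eqs. (7) and (8). The garbling used (labels \({\textbf{M}}{\varvec{r}} + \beta {\varvec{e}}_1\) and \(z - {\varvec{r}}[m]\), evaluated by a bordered determinant) is an assumed determinant-based instantiation chosen to satisfy the linearity and special-form conditions above; the modulus, the ABP, and all function names are constructed for illustration, and labels are computed as values at \(({\varvec{x}}, z)\) rather than as coefficient vectors.

```python
import secrets

P = 2**61 - 1  # constructed prime modulus, standing in for the group order p

# Constructed ABP over Z_p^2 with vertices in topological order: vertex 0 is
# the source v_0 and vertex SIZE-1 is the sink v_1. Each edge weight is affine
# and stored as (f[const], f[coef_1], f[coef_2]).
SIZE = 4
EDGES = {
    (0, 1): (0, 1, 0),  # x1
    (0, 2): (2, 0, 0),  # 2
    (0, 3): (7, 0, 0),  # 7
    (1, 2): (0, 0, 5),  # 5*x2
    (1, 3): (3, 0, 1),  # x2 + 3
    (2, 3): (0, 1, 1),  # x1 + x2
}
X = (4, 6)


def affine(f, x):
    """f(x) = f[const] + sum_i f[coef_i] * x[i] over Z_p (Section 3.1)."""
    return (f[0] + sum(c * xi for c, xi in zip(f[1:], x))) % P


def abp_path_sum(size, edges, x):
    """Definition 1: sum over all source-sink paths of the edge-weight products."""
    acc = [1] + [0] * (size - 1)  # acc[j] = total weight of paths source -> j
    for j in range(1, size):
        acc[j] = sum(acc[i] * affine(w, x) for (i, t), w in edges.items() if t == j) % P
    return acc[-1]


def abp_matrix(size, edges, x):
    """Lemma 2: row i is vertex i (sink row dropped), column j is vertex j >= 1."""
    rows = []
    for i in range(size - 1):
        row = []
        for j in range(1, size):
            if i == j:
                row.append(P - 1)  # the -1 entries
            elif i < j and (i, j) in edges:
                row.append(affine(edges[(i, j)], x))
            else:
                row.append(0)
        rows.append(row)
    return rows


def det_mod_p(rows):
    """Determinant over Z_p by Gaussian elimination with modular inverses."""
    a = [[v % P for v in r] for r in rows]
    n, det = len(a), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if a[r][c]), None)
        if piv is None:
            return 0
        if piv != c:
            a[c], a[piv] = a[piv], a[c]
            det = -det
        det = det * a[c][c] % P
        inv = pow(a[c][c], -1, P)
        for r in range(c + 1, n):
            k = a[r][c] * inv % P
            if k:
                a[r] = [(u - k * v) % P for u, v in zip(a[r], a[c])]
    return det % P


def label_values(size, edges, x, z, beta, r=None):
    """Assumed garbling: ell_1..ell_m = M r + beta*e_1 and ell_{m+1} = z - r[m]."""
    M, m = abp_matrix(size, edges, x), size - 1
    if r is None:
        r = [secrets.randbelow(P) for _ in range(m)]
    labels = [sum(M[i][c] * r[c] for c in range(m)) % P for i in range(m)]
    labels[0] = (labels[0] + beta) % P
    return labels + [(z - r[m - 1]) % P]


def evaluate(size, edges, x, labels):
    """Eval: determinant of M bordered by the label column; linear in the labels."""
    M, m = abp_matrix(size, edges, x), size - 1
    top = [M[i] + [labels[i]] for i in range(m)]
    bottom = [0] * (m - 1) + [P - 1, labels[m]]
    return det_mod_p(top + [bottom])


def rev_samp(size, edges, x, gamma, rest):
    """Eq. (8): recover ell_1 from gamma = z*f(x)+beta and ell_2..ell_{m+1}."""
    unit = evaluate(size, edges, x, [1] + [0] * len(rest))
    tail = evaluate(size, edges, x, [0] + list(rest))
    return pow(unit, -1, P) * (gamma - tail) % P


if __name__ == "__main__":
    z, beta = 11, 5
    fx = abp_path_sum(SIZE, EDGES, X)
    labels = label_values(SIZE, EDGES, X, z, beta)
    gamma = evaluate(SIZE, EDGES, X, labels)
    print("f(x) by paths and by det(M):", fx, det_mod_p(abp_matrix(SIZE, EDGES, X)))
    print("Eval gives z*f(x)+beta:", gamma == (z * fx + beta) % P)
    print("RevSamp gives ell_1:", rev_samp(SIZE, EDGES, X, gamma, labels[1:]) == labels[0])
```

Because the labels occupy a single column of the bordered matrix, Eval is linear in them, which is exactly what makes Eq. (7) hold and lets RevSamp work for any fixed choice of the randomness.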

4 One-slot FE for attribute-weighted sums

4.1 Secret key 1-key 1-ciphertext secure one-slot FE for attribute-weighted sums

In this section, we first describe a private-key one-slot FE scheme for the attribute-weighted sum functionality that is proven simulation secure against a single ciphertext query and a single secret key query either before or after the ciphertext query. This scheme would be crucially embedded into the hidden slots for our full-fledged public-key one-slot FE scheme for attribute-weighted sums presented in the next section. We describe the construction for any fixed value of the security parameter \(\lambda \) and suppress the appearance of \(\lambda \) for simplicity of notation. Let \(({\textsf{Garble}}, {\textsf{Eval}})\) be a special piecewise secure AKGS for a function class \({\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })}\), \({{\textsf{G}}}=({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e)\) a tuple of pairing groups of prime order p, and \(({\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf{Setup}}, {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf{KeyGen}}, {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf{Enc}}, {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf{Dec}})\) a secret-key function-hiding \({\textsf{SK}}\text {-}{\textsf{IPFE}}\) based on \({{\textsf{G}}}\).

Setup(\({\varvec{1}}^{{\varvec{n}}}, {\varvec{1}}^{{\varvec{n}}^{{\varvec{\prime }}}}\)) Define the index sets as follows

$$\begin{aligned} S_{{\textsf {1-FE}}} = \big \{{\textsf {const}}, \{{\textsf {coef}}_{i}\}_{i\in [n]}, \{{\textsf {sim}}_{\tau }, {\textsf {sim}}_{\tau }^*\}_{\tau \in [n^{\prime }]}\big \}, {{\widehat{S}}}_{{\textsf {1-FE}}} = \{\widehat{{\textsf {const}}}, \widehat{{\textsf {coef}}}, \widehat{{\textsf {sim}}^*}\} \end{aligned}$$

It generates

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{MSK}}\leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {Setup}}(S_{{\textsf {1-FE}}}), \quad \widehat{{\textsf{IPFE}}.{\textsf{MSK}}} \leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {Setup}} ({{\widehat{S}}}_{{\textsf {1-FE}}}). \end{aligned}$$

Finally, it returns \({\textsf{MSK}}= ({\textsf{IPFE}}.{\textsf{MSK}}, \widehat{{\textsf{IPFE}}.{\textsf{MSK}}})\).

KeyGen(MSK, \({\varvec{f}}\)) Let \(f\in {\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })}\) be a function such that \(f=(f_1, \ldots , f_{n^{\prime }}): {\mathbb {Z}}_p^{n}\times {\mathbb {Z}}_p^{n^{\prime }} \rightarrow {\mathbb {Z}}_p\) where \(f_1, \ldots , f_{n^{\prime }} : {\mathbb {Z}}_p^n \rightarrow {\mathbb {Z}}_p\) are ABPs of size \((m+1)\). Sample \(\beta _t \leftarrow {\mathbb {Z}}_p\) for \(t \in [n^{\prime }]\) such that \(\sum _{t \in [n^{\prime }]} \beta _t = 0 \mod p\). Next, sample independent random vectors \({\varvec{r}}_t \leftarrow {\mathbb {Z}}_p^{m}\) for garbling and compute the coefficient vectors

$$\begin{aligned} (\varvec{\ell }_{1, t}, \ldots , \varvec{\ell }_{m, t}, \varvec{\ell }_{m+1,t}) \leftarrow {\textsf {Garble}}({\varvec{z}}[t] f_t({\varvec{x}}) + \beta _t; {\varvec{r}}_t) \end{aligned}$$

for all \(t \in [n^{\prime }]\). Here we make use of the instantiation of the AKGS described in Sect. 3.6. From the description of that AKGS instantiation, we note that the \((m+1)\)-th label function \(\varvec{\ell }_{m+1, t}\) would be of the form \(\varvec{\ell }_{m+1,t}={\varvec{z}}[t]-{\varvec{r}}_t[m]\). Also all the label functions \(\varvec{\ell }_{1,t},\ldots ,\varvec{\ell }_{m,t} \) involve only the variables \({\varvec{x}}\) and not the variable \({\varvec{z}}[t]\). Next, for all \(j \in [m]\) and \(t \in [n^{\prime }]\), it defines the vectors \({\varvec{v}}_{j, t}\) corresponding to the label functions \(\varvec{\ell }_{j,t}\) obtained from the partial garbling:

$$\begin{array}{|c|c|c|c|c|} \hline \text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\ \hline {\varvec{v}}_{j, t} & \varvec{\ell }_{j, t}[{\textsf {const}}] & \varvec{\ell }_{j, t}[{\textsf {coef}}_i] & 0 & 0 \\ \hline \end{array}$$

$$\begin{array}{|c|c|c|c|} \hline \text {vector} & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}^*} \\ \hline {\varvec{v}}_{m+1, t} & {\varvec{r}}_{t}[m] & 1 & 0 \\ \hline \end{array}$$

It generates the secret-keys as

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{SK}}_{j, t}&\leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_{j, t}]\!]_2){} & {} \text { for } j \in [m], t \in [n^{\prime }]\\ \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}&\leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{v}}_{m+1, t}]\!]_2){} & {} \text { for } t \in [n^{\prime }] \end{aligned}$$

It returns the secret-key as \({\textsf{SK}}_f = (\{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]})\).

It sets the vectors

$$\begin{array}{|c|c|c|c|c|} \hline \text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\ \hline {\varvec{u}} & 1 & {\varvec{x}}[i] & 0 & 0 \\ \hline \end{array}$$

$$\begin{array}{|c|c|c|c|} \hline \text {vector} & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}^*} \\ \hline {\varvec{h}}_{t} & -1 & {\varvec{z}}[t] & 0 \\ \hline \end{array}$$

for all \(t \in [n^{\prime }]\). It encrypts the vectors as

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{CT}}&\leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {Enc}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{u}}]\!]_1)&\\ \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t&\leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {Enc}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{h}}_t]\!]_1) ~~~ \text { for } t \in [n^{\prime }] \end{aligned}$$

and returns the ciphertext as \({\textsf{CT}}= ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\).

It parses the secret-key \({\textsf{SK}}_f = (\{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]})\) and the ciphertext \({\textsf{CT}}= ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\). It uses the decryption algorithm of SK-IPFE to compute

$$\begin{aligned}{}[\![\ell _{j, t}]\!]_T = {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf{Dec}}({\textsf{IPFE}}.{\textsf{SK}}_{j, t}, {\textsf{IPFE}}.{\textsf{CT}})&\text { for } j \in [m], t \in [n^{\prime }]\\ [\![\ell _{m+1, t}]\!]_T ={\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf{Dec}}(\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}, \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t)&\text { for } t \in [n^{\prime }] \end{aligned}$$

Next, it utilizes the evaluation procedure of AKGS and obtains a combined value

$$\begin{aligned}{}[\![\rho ]\!]_T = \prod _{t \in [n^{\prime }]} {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t}]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T). \end{aligned}$$

Finally, it returns a value \(\rho \) by solving a discrete logarithm problem. Similar to [3], we assume that the desired attribute-weighted sum lies within a specified polynomial-sized domain so that discrete logarithm can be solved via brute force.

Correctness By the correctness of IPFE, we have for all \(j \in [m],t\in [n^{\prime }]\), \({\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf{Dec}}({\textsf{IPFE}}.{\textsf{SK}}_{j, t}, {\textsf{IPFE}}.{\textsf{CT}}) = [\![\ell _{j, t}]\!]_T = [\![L_{j,t}({\varvec{x}})]\!]_T\) and for all \(t \in [n^{\prime }]\), \({\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf{Dec}}( \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}, \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t) = [\![\ell _{m+1, t}]\!]_T = [\![{\varvec{z}}[t] - {\varvec{r}}_t[m]]\!]_T\). Next, using the correctness of AKGS and the linearity of the Eval function, we have

$$\begin{aligned} {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t}]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T)&= [\![f_t({\varvec{x}}){\varvec{z}}[t] + \beta _t]\!]_T \end{aligned}$$

Therefore, we get by multiplying

$$\begin{aligned}{}[\![\rho ]\!]_T&= \prod _{t \in [n^{\prime }]} {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t}]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T) \\&= \left[ \!\left[ \sum _{t=1}^{n^{\prime }} {\textsf {Eval}}(f_t, {\varvec{x}}, \ell _{1, t}, \ldots , \ell _{m+1, t})\right] \!\right] _T \\&= \left[ \!\left[ \sum _{t = 1}^{n^{\prime }} f_t({\varvec{x}}){\varvec{z}}[t] + \beta _t \right] \!\right] _T \\&= \left[ \!\left[ {f({\varvec{x}})^{\top } {\varvec{z}}}\right] \!\right] _T \end{aligned}$$

where the last equality holds since \(\sum _{t \in [n^{\prime }]} \beta _t = 0 \mod p\).

4.1.1 Security analysis

Theorem 2

The 1-FE scheme for attribute-weighted sum is 1-key, 1-ciphertext adaptive simulation secure as per Definition 4 assuming the AKGS is piecewise secure as per Definition 7 and the IPFE is function hiding as per Definition 5.

We proceed with the description of the simulator and then the security reduction of our 1-key 1-ciphertext secure one-slot FE. Recall that we have designed the 1-key 1-ciphertext secure one-slot FE for the purpose of showing the indistinguishability in a particular hybrid required in the security reduction of the one-slot FE of Sect. 4.2. In that particular hybrid, we deal with a single pre-ciphertext secret key query of the one-slot FE scheme. Thus, while proving the security of our 1-key 1-ciphertext secure one-slot FE, we assume that the adversary queries a single secret key before the challenge ciphertext is sent. However, we emphasize that if we consider the single secret key query after the challenge phase then the security can also be proved using the techniques involved in the security reduction (in Sect. 4.2.1) of our one-slot FE.

4.1.2 The simulator

We describe the simulator for the 1-FE scheme. Let us assume that f is the only secret-key query made by the adversary before it sends the challenge ciphertext vectors.

To generate the master secret-key, it executes as follows:

  1. Define the index sets as follows

     $$\begin{aligned} S_{{\textsf {1-FE}}} = \big \{{\textsf {const}}, \{{\textsf {coef}}_{i}\}_{i\in [n]}, \{{\textsf {sim}}_{\tau }, {\textsf {sim}}_{\tau }^*\}_{\tau \in [n^{\prime }]}\big \}, {{\widehat{S}}}_{{\textsf {1-FE}}} = \{\widehat{{\textsf {const}}}, \widehat{{\textsf {coef}}}, \widehat{{\textsf {sim}}^*}\} \end{aligned}$$

  2. It then generates

     $$\begin{aligned} {\textsf{IPFE}}.{\textsf{MSK}}\leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {Setup}}(S_{{\textsf {1-FE}}}) \text { and } \widehat{{\textsf{IPFE}}.{\textsf{MSK}}} \leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {Setup}}({{\widehat{S}}}_{{\textsf {1-FE}}}). \end{aligned}$$

  3. It outputs \({\textsf{MSK}}^* = ({\textsf{IPFE}}.{\textsf{MSK}}, \widehat{{\textsf{IPFE}}.{\textsf{MSK}}})\).

On input \({\textsf {MSK}}^*\) and a function \(f = (f_{ 1}, \ldots f_{ n^{\prime }}) \in {\mathcal {F}}_{{\textsf{ABP}}}^{(n, n^{\prime })}\), the simulator proceeds as in the original scheme:

  1. It first samples \(\{\beta _{t} \leftarrow {\mathbb {Z}}_p\}_{t\in [n^{\prime }]}\) and \(\{{\varvec{r}}_{t} = ({\varvec{r}}_{t}[1], \ldots , {\varvec{r}}_{t}[m]) \leftarrow {\mathbb {Z}}_p^{m}\}_{t\in [n^{\prime }]}\) where it holds that \(\sum _{t \in [n^{\prime }]} \beta _{t} = 0 \mod p\).

  2. Next, it computes the coefficient vectors for the label functions as

     $$\begin{aligned} (\varvec{\ell }_{1, t}, \ldots , \varvec{\ell }_{m, t}, \varvec{\ell }_{m+1,t}) \leftarrow {\textsf {Garble}}({\varvec{z}}^*[t] f_t({\varvec{x}}^*) + \beta _t; {\varvec{r}}_t) \end{aligned}$$

     for each \( t \in [n^{\prime }]\). From the description of AKGS, we note that the \((m+1)\)-th label function \(\varvec{\ell }_{m+1, t}\) would be of the form \(\varvec{\ell }_{m+1,t}={\varvec{z}}[t]-{\varvec{r}}_t[m]\).

  3. It sets the following vectors

     $$\begin{array}{|c|c|c|c|c|} \hline \text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {sim}}_{\tau } & {\textsf {sim}}^*_{\tau } \\ \hline {\varvec{v}}_{j, t} & \varvec{\ell }_{ j, t}[{\textsf {const}}] & \varvec{\ell }_{ j, t}[{\textsf {coef}}_i] & 0 & 0 \\ \hline \end{array}$$

     for all \(j \in [m]\) and \(t \in [n^{\prime }]\). It also sets the following vectors

     $$\begin{array}{|c|c|c|c|} \hline \text {vector} & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}^*} \\ \hline {\varvec{v}}_{m+1, t} & {\varvec{r}}_{t}[m] & 1 & 0 \\ \hline \end{array}$$

     for all \(t \in [n^{\prime }]\).

  4. It generates the IPFE secret-keys

     $$\begin{aligned} {\textsf{IPFE}}.{\textsf{SK}}_{ j, t}&\leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_{ j, t}]\!]_2){} & {} \text { for } j \in [m], t \in [n^{\prime }]\\ \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}&\leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{v}}_{m+1, t}]\!]_2){} & {} \text { for } t \in [n^{\prime }] \end{aligned}$$

  5. Finally, it returns the secret-key

     $$\begin{aligned} {\textsf{SK}}_{f} = ( \{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]}). \end{aligned}$$

On input \({\textsf{MSK}}^*\), a vector \({\varvec{x}}^* \in {\mathbb {Z}}_p^n\) and the tuple \((f, f({\varvec{x}}^*)^{\top }{\varvec{z}}^*)\) for some \(f \in {\mathcal {F}}_{{\textsf{ABP}}}^{(n, n^{\prime })}\) and \({\varvec{z}}^* \in {\mathbb {Z}}_p^{n^{\prime }}\) the simulator executes the following steps:

  1. It samples a dummy vector \({\varvec{d}} \leftarrow D\) from the set

     $$\begin{aligned} D = \{{\varvec{d}} \in {\mathbb {Z}}_p^{n^{\prime }}: f({\varvec{x}}^*)^{\top }{\varvec{d}} = f({\varvec{x}}^*)^{\top }{\varvec{z}}^* \}. \end{aligned}$$

     The simulator does this by finding a random vector \({\varvec{d}} \in {\mathbb {Z}}_p^{n^{\prime }}\) such that \(\sum _{t \in [n^{\prime }]} f_{ t}({\varvec{x}}^*) {\varvec{z}}^*[t] = \sum _{t \in [n^{\prime }]} f_{ t}({\varvec{x}}^*) {\varvec{d}}[t]\). Hence, D is identical to the set \(D_{{\textsf{IP}}} = \{{\varvec{d}} \in {\mathbb {Z}}_p^{n^{\prime }}: {(f_{ 1}({\varvec{x}}^*), \ldots , f_{ n^{\prime }}({\varvec{x}}^*))} \cdot {({\varvec{d}}[1], \ldots , {\varvec{d}}[n^{\prime }])} = f({\varvec{x}}^*)^{\top }{\varvec{z}}^* \}.\) A vector \({\varvec{d}}\) from a set of the form \(D_{{\textsf{IP}}}\) can be efficiently sampled via a polynomial time algorithm given by O’Neill [59] as the inner product functionality is pre-image-sampleable. Therefore, given \({\varvec{x}}^*\) and \((f, f({\varvec{x}}^*)^{\top }{\varvec{z}}^*)\), the simulator can find a dummy vector \({\varvec{d}}\) such that \(f({\varvec{x}}^*)^{\top }{\varvec{d}} = f({\varvec{x}}^*)^{\top }{\varvec{z}}^*\).

  2. Next, it sets the following vectors

     $$\begin{array}{|c|c|c|c|c|} \hline \text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {sim}}_{\tau } & {\textsf {sim}}^*_{\tau } \\ \hline {\varvec{u}} & 1 & {\varvec{x}}^*[i] & 0 & 0 \\ \hline \end{array}$$

     $$\begin{array}{|c|c|c|c|} \hline \text {vector} & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}^*} \\ \hline {\varvec{h}}_{t} & -1 & {\varvec{d}}[t] & 0 \\ \hline \end{array}$$

     for all \(t \in [n^{\prime }]\).

  3. It encrypts the vectors as

     $$\begin{aligned} {\textsf{IPFE}}.{\textsf{CT}}\leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {Enc}}({\textsf{IPFE}}.{\textsf{MPK}}, [\![{\varvec{u}}]\!]_1)&\\ \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t \leftarrow {\textsf{SK}}\text {-}{\textsf{IPFE}}.{\textsf {Enc}}(\widehat{{\textsf{IPFE}}.{\textsf{MPK}}}, [\![{\varvec{h}}_t]\!]_1)&\text { for } t \in [n^{\prime }] \end{aligned}$$

  4. It returns the ciphertext as \({\textsf{CT}}^* = ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\).

4.1.3 Hybrids and reductions

Fig. 1 Structure of the hybrid reduction proving Theorem 2

Proof

We employ a sequence of hybrid experiments to demonstrate the indistinguishability between the real experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{ {\textsf {Real}}, {\textsf {1-FE}}}(1^{\lambda })\) and the ideal experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Ideal}}, {\textsf {1-FE}}}(1^{\lambda })\) with the simulator described above where \({\mathcal {A}}\) is any PPT adversary. We assume that in each experiment, \({\mathcal {A}}\) queries the single secret-key query for a function \(f \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })}\) before submitting the challenge message \(({\varvec{x}}^*, {\varvec{z}}^*) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }}\). The overall hybrid reduction is shown in Fig. 1.

Hybrid : This is the real experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Real}}, {\textsf {1-FE}}}(1^{\lambda })\) defined in Sect. 3.4. The secret-key \({\textsf{SK}}_f = (\{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]})\) is associated with the vectors \({\varvec{v}}_{j, t}\) given by

$$\begin{array}{|c|c|c|c|c|} \hline \text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\ \hline {\varvec{v}}_{j, t} & \varvec{\ell }_{j, t}[{\textsf {const}}] & \varvec{\ell }_{j, t}[{\textsf {coef}}_i] & 0 & 0 \\ \hline \end{array}$$

for \(j \in [m]\) and \(t \in [n^{\prime }]\) and

$$\begin{array}{|c|c|c|c|} \hline \text {vector} & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}^*} \\ \hline {\varvec{v}}_{m+1, t} & {\varvec{r}}_{t}[m] & 1 & 0 \\ \hline \end{array}$$

for \(t \in [n^{\prime }]\) where

$$\begin{aligned} (\varvec{\ell }_{1, t}, \ldots , \varvec{\ell }_{m, t}, \varvec{\ell }_{m+1,t}) \leftarrow {\textsf {Garble}}({\varvec{z}}^*[t] f_{t}({\varvec{x}}^*) + \beta _{t}; {\varvec{r}}_{t}) \end{aligned}$$

such that \(f = (f_{1}, \ldots , f_{n^{\prime }})\in {\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })}\), \({\varvec{r}}_{t} \leftarrow {\mathbb {Z}}_p^{m}\) and \(\beta _{ t} \leftarrow {\mathbb {Z}}_p\) with \(\sum _{t \in [n^{\prime }]} \beta _{t} = 0 \mod p\). The challenge ciphertext \({\textsf{CT}}^* = ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\) corresponding to \(({\varvec{x}}^*, {\varvec{z}}^*) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }}\) is associated with the vectors \({\varvec{u}}\) and \({\varvec{h}}_t\) given by

$$\begin{array}{|c|c|c|c|c|} \hline \text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\ \hline {\varvec{u}} & 1 & {\varvec{x}}^*[i] & 0 & 0 \\ \hline \end{array}$$

$$\begin{array}{|c|c|c|c|} \hline \text {vector} & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}^*} \\ \hline {\varvec{h}}_{t} & -1 & {\varvec{z}}^*[t] & 0 \\ \hline \end{array}$$

for \(t\in [n^{\prime }]\). In the subsequent hybrids, we’ll omit the names of the indices of the vectors \(\{{\varvec{v}}_{j,t}\}_{j\in [m+1], t\in [n^{\prime }]}, {\varvec{u}}, \{{\varvec{h}}_t\}_{t\in [n^{\prime }]}\) and we’ll assume that the entries of those vectors lie in those indices as in the order mentioned in \({{\textsf{H}}}_0\).

Hybrid : This hybrid is exactly the same as \({\textsf {H}}_0\) except that we change the vectors \({\varvec{v}}_{1, t}\) in the secret-key and \({\varvec{u}}\) in the challenge ciphertext as follows.

Here \(\delta _{t\tau }\) is the Kronecker Delta where \(\delta _{t\tau }= 1\) if \(t = \tau \), and 0 otherwise. Thus the difference between \({{\textsf{H}}}_0\) and \({{\textsf{H}}}_1\) is that instead of embedding the coefficient vectors \(\varvec{\ell }_{1, t}\) of the label functions \(L_{1,t}\) obtained from \({\textsf{Garble}}({\varvec{z}}^*[t] f_t({\varvec{x}}^*) + \beta _t; {\varvec{r}}_t)\), we embed the value of the label functions \(L_{1,t}({\varvec{x}}^*) = \ell _{1,t}\) within the ciphertext vector \({\varvec{u}}\). Note that the inner products \({{\varvec{v}}_{1, t}} \cdot {{\varvec{u}}} = \ell _{1, t}\), for all \(t \in [n^{\prime }]\), remain the same as in \({\textsf {H}}_0\). Therefore, the function hiding security of IPFE ensures the indistinguishability between the hybrids \({\textsf {H}}_0\) and \({\textsf {H}}_1\).

Hybrid : This hybrid is identical to \({\textsf {H}}_1\) except that we replace the actual garbling values \(\ell _{1, t}\) with the reverse sampling \({\widetilde{\ell }}_{1, t}\) of AKGS computed as

$$\begin{aligned} {\widetilde{\ell }}_{1, t} \leftarrow {\textsf {RevSamp}}(f_t, {\varvec{x}}^*, f_t({\varvec{x}}^*){\varvec{z}}^*[t]+\beta _t, \ell _{2, t}, \ldots , \ell _{m,t}, \ell _{m+1, t}) \end{aligned}$$

where \(\ell _{j, t} = L_{j, t}({\varvec{x}}^*)\) for all \(j \in [2,m]\) and \(\ell _{m+1, t} = {\varvec{z}}^*[t] - {\varvec{r}}_t[m]\) obtained by running \({\textsf{Garble}}({\varvec{z}}^*[t] f_t({\varvec{x}}^*) + \beta _t; {\varvec{r}}_t)\) honestly. Therefore, the challenge ciphertext is now associated with the vectors

For each \(t \in [n^{\prime }]\), the piecewise security of AKGS guarantees that given \((\varvec{\ell }_{2, t}, \ldots , \varvec{\ell }_{m, t}, \varvec{\ell }_{m+1, t})\), the actual garbling \(\ell _{1, t}\) and the reversely sampled value \({\widetilde{\ell }}_{1, t}\) are identically distributed. Hence, the hybrids \({\textsf {H}}_1\) and \({\textsf {H}}_2\) are indistinguishable by the reverse sampleability of AKGS.

Hybrid \(({\varvec{j}} \in [{\varvec{m}}])\): This is analogous to \({\textsf {H}}_2\) except that we change the secret-key as follows. For all \(j^{\prime }\) such that \(1< j^{\prime } < j\), the coefficient vector \(\varvec{\ell }_{j^{\prime }, t}\) is taken away from \({\varvec{v}}_{j^{\prime }, t}\) and a random value \(\ell _{j^{\prime }, t}^{\prime } \leftarrow {\mathbb {Z}}_p\) is put into \({\varvec{v}}_{j^{\prime }, t}[{\textsf {const}}]\). The modified secret-key is now associated with the vectors

Note that, in this hybrid \(\widetilde{\ell }_{1, t}\) is reversely sampled using the random values \(\ell _{2, t}^{\prime }, \ldots , \ell _{j-1,t}^{\prime }\) and the actual values \(\ell _{j, t}, \ldots , \ell _{m+1,t}\) for each \(t \in [n^{\prime }]\). Observe that \({{\textsf{H}}}_{3,1}\) coincides with \({{\textsf{H}}}_2\). We will show that for all \(j\in [2,m]\), the hybrids \({{\textsf{H}}}_{3, (j-1)}\) and \({{\textsf{H}}}_{3,j}\) are indistinguishable via the following sequence of sub-hybrids, namely, \(\{{{\textsf{H}}}_{3,j,1}, {{\textsf{H}}}_{3,j,2}, {{\textsf{H}}}_{3,j,3}\}_{j\in [2,m]}\).

Hybrid \(({\varvec{j}} \in [{\varvec{2,m}}])\): This is exactly the same as \({\textsf {H}}_{3, (j-1)}\) except that the coefficient vector \(\varvec{\ell }_{j, t}\) is removed from \({\varvec{v}}_{j, t}\) and \({\varvec{v}}_{j, t}[{\textsf {sim}}_{\tau }^*]\) is set to \(\delta _{t\tau }\). We hardwire the actual garbling value \(\ell _{j, \tau } = L_{j, \tau }({\varvec{x}}^*)\) into \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\) to ensure the inner product \({{\varvec{v}}_{j, \tau }} \cdot {{\varvec{u}}}\) remains the same as in \({\textsf {H}}_{3, (j-1)}\). The changes in the vectors associated with the secret-key and the challenge ciphertext are given below.

Therefore, the hybrids \({\textsf {H}}_{3, (j-1)}\) and \({\textsf {H}}_{3, j, 1}\) are indistinguishable by the function hiding security of IPFE.

Hybrid \(({\varvec{j}} \in [{\varvec{2,m}}])\): It proceeds exactly the same as \({\textsf {H}}_{3, j, 1}\) except that the label \(\ell _{j, \tau }\) (sitting at \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\)) is replaced with a random value \(\ell _{j, \tau }^{\prime } \leftarrow {\mathbb {Z}}_p\). The vectors associated to the challenge ciphertext are given by

where \(\ell _{j, \tau }^{\prime }\) are randomly sampled from \({\mathbb {Z}}_p\). Now the first label \(\widetilde{\ell }_{1, t}\) is reversely sampled using the random values \(\ell _{2, t}^{\prime }, \ldots , \ell _{j, t}^{\prime }\) and the actual labels \(\ell _{j+1, t} = L_{j+1,t}({\varvec{x}}^*), \ldots , \ell _{m,t}=L_{m,t}({\varvec{x}}^*), \ell _{m+1, t} = -{\varvec{r}}_t[m] + {\varvec{z}}^*[t]\). Hence, the marginal randomness property of AKGS ensures that the hybrids \({\textsf {H}}_{3, j, 1}\) and \({\textsf {H}}_{3, j, 2}\) are identically distributed.

Hybrid \(({\varvec{j}} \in [{\varvec{2,m}}])\): This hybrid is exactly the same as \({\textsf {H}}_{3, j, 2}\) except that the random value \(\ell _{j, \tau }^{\prime }\) is shifted from \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\) to \({\varvec{v}}_{j, t}[{\textsf {const}}]\). Also, the positions \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\) and \({\varvec{v}}_{j, t}[{\textsf {sim}}_{\tau }^*]\) are set to zero. The vectors associated to the secret-key and the challenge ciphertext become

Since the inner products \({{\varvec{v}}_{j, t}} \cdot {{\varvec{u}}}\) for all \(j\in [m], t\in [n^{\prime }]\) remain the same as in \({\textsf {H}}_{3, j, 2}\), the indistinguishability between the hybrids \({\textsf {H}}_{3, j, 2}\) and \({\textsf {H}}_{3, j, 3}\) follows from the function hiding security of IPFE. We observe that the hybrid \({\textsf {H}}_{3, j, 3}\) is identical to \({\textsf {H}}_{3, j}\) for all \(j \in [2,m]\).

Hybrid : It proceeds exactly the same as hybrid \({\textsf {H}}_{3,m}\) except that the actual garbling value \(\ell _{m+1, t} = {\varvec{z}}^*[t] -{\varvec{r}}_t[m]\) for the label function \(L_{m+1,t}\) obtained from the \({\textsf{Garble}}\) algorithm is used in \({\varvec{h}}_t[\widehat{{\textsf {sim}}^*}]\). The changes are given by

Since the inner products \({{\varvec{v}}_{m+1,t}} \cdot {{\varvec{h}}_t}\) for all \(t \in [n^{\prime }]\) remain the same as in \({\textsf {H}}_{3,m}\), the indistinguishability between the hybrids \({\textsf {H}}_{3,m}\) and \({\textsf {H}}_4\) follows from the function hiding security of IPFE.

Hybrid : It is exactly the same as \({\textsf {H}}_4\) except that the actual label \(\ell _{m+1, t}\) is now replaced with a random value \(\ell _{m+1, t}^{\prime } \leftarrow {\mathbb {Z}}_p\). The vectors used in the challenge ciphertext are as follows.

Note that, in this hybrid the labels \(\widetilde{\ell }_{1, t}\) for \(t \in [n^{\prime }]\) are now reversely sampled using all random values \(\ell _{2, t}^{\prime }, \ldots , \ell _{m+1, t}^{\prime }\) which are randomly picked from \({\mathbb {Z}}_p\). By the marginal randomness property of AKGS, the hybrids \({\textsf {H}}_4\) and \({\textsf {H}}_5\) are identically distributed.

Hybrid : This hybrid proceeds exactly the same as \({\textsf {H}}_5\) except that the random values \(\ell _{m+1, t}^{\prime }\) are shifted from \({\varvec{h}}_t[\widehat{{\textsf {sim}}^*}]\) to \({\varvec{v}}_{m+1,t}[\widehat{{\textsf {const}}}]\). The changes are indicated as follows.

Observe that the inner products \({{\varvec{v}}_{m+1,t}} \cdot {{\varvec{h}}_t}\) for \(t \in [n^{\prime }]\) are unchanged as in \({\textsf {H}}_5\). Hence, the function hiding security of IPFE ensures the indistinguishability between the hybrids \({\textsf {H}}_5\) and \({\textsf {H}}_6\).

Hybrid : It is analogous to \({\textsf {H}}_6\) except that the values \(f_t({\varvec{x}}^*) {\varvec{z}}^*[t]\) are removed from \(\widetilde{\ell }_{1, t}\) for all \(1 < t \le n^{\prime }\) and the value \(f({\varvec{x}}^*)^{\top }{\varvec{z}}^*\) is directly encoded into the label \(\widetilde{\ell }_{1, 1}\). For this, we replace the random elements \(\beta _t\) by \(\beta ^{\prime }_t = \beta _t - f_t({\varvec{x}}^*) {\varvec{z}}^*[t]\) for all \(1 < t \le n^{\prime }\) and change the element \(\beta _1\) with \(\beta ^{\prime }_1 = \beta _1 - f_1({\varvec{x}}^*) {\varvec{z}}^*[1] + f({\varvec{x}}^*)^{\top }{\varvec{z}}^*\). Note that, the distributions

$$\begin{aligned} \{\beta _t \leftarrow {\mathbb {Z}}_p : \sum _{t\in [n^{\prime }]} \beta _t = 0\} \text { and } \{\beta ^{\prime }_t : \sum _{t\in [n^{\prime }]} \beta _t = 0\} \end{aligned}$$

are statistically close since \(\{\beta ^{\prime }_t\}_{t\in [n^{\prime }]}\) are also uniform over \({\mathbb {Z}}_p\) and \(\sum _{t \in [n^{\prime }]} \beta ^{\prime }_t = 0\). Thus the vectors of the challenge ciphertext become

where the labels \(\widetilde{\ell }_{1, \tau }\) are given by

$$\begin{aligned} \widetilde{\ell }_{1, 1}&\leftarrow {\textsf {RevSamp}}(f_1, {\varvec{x}}^*, f_1({\varvec{x}}^*){\varvec{z}}^*[1]+\beta _1^{\prime }, \ell _{2, 1}, \ldots , \ell _{m+1, 1})\\&= {\textsf {RevSamp}}(f_1, {\varvec{x}}^*, f({\varvec{x}}^*)^{\top }{\varvec{z}}^*+\beta _1, \ell _{2, 1}, \ldots , \ell _{m+1, 1})\\ \widetilde{\ell }_{1, \tau }&\leftarrow {\textsf {RevSamp}}(f_{\tau }, {\varvec{x}}^*, f_\tau ({\varvec{x}}^*){\varvec{z}}[\tau ]+\beta _{\tau }, \ell _{2, \tau }, \ldots , \ell _{m+1, \tau }) ~~ \forall 1 < \tau \le n^{\prime }\\&= {\textsf {RevSamp}}(f_{\tau }, {\varvec{x}}^*, \beta _{\tau }, \ell _{2, \tau }, \ldots , \ell _{m+1, \tau }) \end{aligned}$$

Thus, \({\textsf {H}}_6\) and \({\textsf {H}}_7\) are indistinguishable as they are statistically close.

Hybrid : This hybrid is exactly the same as \({\textsf {H}}_7\) except that we use a dummy vector \({\varvec{d}}\) such that \(f({\varvec{x}}^*)^{\top } {\varvec{z}}^* = f({\varvec{x}}^*)^{\top } {\varvec{d}}\) while generating \(\widetilde{\ell }_{1, 1}\). After the secret-key query made by \({\mathcal {A}}\), the dummy vector \({\varvec{d}}\) can be sampled via an efficient algorithm which only needs \(f_1({\varvec{x}}^*), \ldots , f_{n^{\prime }}({\varvec{x}}^*)\) and \(f({\varvec{x}}^*)^{\top } {\varvec{z}}^*\). This is due to the pre-image-sampleability property of inner product functionality demonstrated by [59]. Thus, the vector \({\varvec{u}}\) associated with the challenge ciphertext is now defined as

where the labels \(\{\widetilde{\ell }_{1,\tau }\}_{\tau \in [n^{\prime }]}\) are computed as

$$\begin{aligned} \widetilde{\ell }_{1, 1}&\leftarrow {\textsf {RevSamp}}(f_1, {\varvec{x}}^*, f({\varvec{x}}^*)^{\top }{\varvec{d}}+\beta _1, \ell _{2, 1}, \ldots , \ell _{m+1, 1})\\ \widetilde{\ell }_{1, \tau }&\leftarrow {\textsf {RevSamp}}(f_{\tau }, {\varvec{x}}^*, \beta _{\tau }, \ell _{2, \tau }, \ldots , \ell _{m+1, \tau }) ~~ \forall 1 < \tau \le n^{\prime }. \end{aligned}$$

Above, we write the full expression of the vector \({\varvec{u}}\) as opposed to its compressed expression used so far in order to highlight the change. Since the inner products \({{\varvec{v}}_{j, t}} \cdot {{\varvec{u}}}\) for \(j \in [m], t \in [n^{\prime }]\) are unaltered between the two hybrids, the function hiding security of IPFE preserves the indistinguishability of the hybrids \({\textsf {H}}_7\) and \({\textsf {H}}_8\).

Hybrid : The following sequence of hybrids is basically the reverse of the previous hybrids with \({\varvec{z}}^*\) replaced with \({\varvec{d}}\). Therefore, in this hybrid the vectors of the challenge ciphertext are distributed as

where \(\widetilde{\ell }_{1, \tau } \leftarrow {\textsf {RevSamp}}(f_{\tau }, {\varvec{x}}^*, f_{\tau }({\varvec{x}}^*){\varvec{d}}[\tau ] + \beta _{\tau }, \ell _{2, \tau }, \ldots , \ell _{m+1, \tau })\). This can be done by replacing \(\beta _{1}\) by \(\beta _1 - f({\varvec{x}}^*)^{\top }{\varvec{d}} + f_{1}({\varvec{x}}^*){\varvec{d}}[1]\) and for \(\tau > 1\), \(\beta _{\tau }\) is replaced by \(\beta _{\tau } + f_{\tau }({\varvec{x}}^*){\varvec{d}}[\tau ]\). Note that, \({\textsf {H}}_8\) and \({\textsf {H}}_{9}\) are statistically close.
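The two ingredients the simulator relies on, sampling \({\varvec{d}}\) from \(D_{{\textsf{IP}}}\) and re-randomizing the zero-sum masks \(\beta _t\), can be checked numerically. The Python example below is added here and is not code from the paper: it works in plain \({\mathbb {Z}}_p\) (no pairing groups, IPFE or garbling), composes the successive \(\beta \) substitutions of the hybrids into a single shift, and the modulus `P`, the function names and the sample values are assumptions made for the illustration.

```python
import secrets

# Constructed prime standing in for the group order p (assumption of this example).
P = 2**61 - 1


def inner(a, b, p=P):
    """Inner product of two vectors over Z_p."""
    return sum(x * y for x, y in zip(a, b)) % p


def sample_zero_sum(n, p=P):
    """Sample beta_1..beta_n uniformly subject to sum(beta) = 0 mod p."""
    beta = [secrets.randbelow(p) for _ in range(n - 1)]
    beta.append((-sum(beta)) % p)
    return beta


def sample_dummy(fx, target, p=P):
    """Pre-image sampling for the inner product functionality.

    fx     = (f_1(x*), ..., f_n'(x*))
    target = f(x*)^T z*
    Returns a uniform d in Z_p^{n'} with <fx, d> = target mod p.
    """
    fx = [c % p for c in fx]
    d = [secrets.randbelow(p) for _ in fx]
    pivots = [t for t, c in enumerate(fx) if c != 0]
    if not pivots:
        # Every weight vanishes: D is all of Z_p^{n'} when target = 0, else empty.
        if target % p != 0:
            raise ValueError("no pre-image: all f_t(x*) are 0 but target is not")
        return d
    k = pivots[0]
    rest = sum(fx[t] * d[t] for t in range(len(fx)) if t != k) % p
    # Solve for the pivot coordinate; the other coordinates stay uniform.
    d[k] = (target - rest) * pow(fx[k], -1, p) % p
    return d


def slot_targets(fx, msg, beta, p=P):
    """Per-slot values gamma_t = f_t(x*) * msg[t] + beta_t handed to RevSamp."""
    return [(c * m + b) % p for c, m, b in zip(fx, msg, beta)]


def matching_beta(fx, z, d, beta, p=P):
    """Masks beta''_t = beta_t + f_t(x*) * (z[t] - d[t]).

    With these masks the dummy vector d produces exactly the per-slot
    values that z produces under beta. The shift is a bijection on
    zero-sum vectors because <fx, z> = <fx, d>.
    """
    return [(b + c * (zt - dt)) % p for b, c, zt, dt in zip(beta, fx, z, d)]


def demo():
    fx = [3, 0, 7, 11]           # constructed values f_t(x*)
    z = [52000, 1, 48000, 0]     # constructed private attributes z*
    target = inner(fx, z)        # the only value about z* the simulator receives
    beta = sample_zero_sum(len(fx))
    d = sample_dummy(fx, target)
    beta2 = matching_beta(fx, z, d, beta)
    return {
        "weighted_sum": target,
        "dummy_consistent": inner(fx, d) == target,
        "masks_sum_to_zero": sum(beta2) % P == 0,
        "targets_match": slot_targets(fx, z, beta) == slot_targets(fx, d, beta2),
    }


if __name__ == "__main__":
    print(demo())
```

Because the shifted masks are again uniform subject to summing to zero, a ciphertext built from \({\varvec{d}}\) with fresh masks has the same per-slot distribution as one built from \({\varvec{z}}^*\).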

Hybrid : In this hybrid we change the vectors \({\varvec{v}}_{m+1,t}\) and \({\varvec{h}}_t\) as follows

where \(\ell _{m+1,t}^{\prime } \leftarrow {\mathbb {Z}}_p\). The indistinguishability between the hybrids \({\textsf {H}}_{9}\) and \({\textsf {H}}_{10}\) follows from the function hiding security of IPFE.

Hybrid : It is exactly the same as \({\textsf {H}}_{10}\) except that the random value \(\ell _{m+1, t}^{\prime } \leftarrow {\mathbb {Z}}_p\) is changed to actual \(\ell _{m+1, t} = {\varvec{d}}[t] -{\varvec{r}}_t[m] \). Then the vectors in the challenge ciphertext become

The hybrids \({\textsf {H}}_{10}\) and \({\textsf {H}}_{11}\) are identical due to the marginal randomness property of AKGS.

Hybrid : In this hybrid we change the vectors \({\varvec{v}}_{m+1,t}\) and \({\varvec{h}}_t\) as follows

The indistinguishability between the hybrids \({\textsf {H}}_{11}\) and \({\textsf {H}}_{12}\) follows from the function hiding security of IPFE.

Hybrid \({\textsf {H}}_{13, m+1-j}\) \((j \in [m-1])\): It is analogous to \({\textsf {H}}_{12}\) except that the secret-key is modified as follows. For all \(j^{\prime }\) such that \(m+1-j \le j^{\prime } < m+1\), the random value \(\ell _{j^{\prime }, t}^{\prime } \leftarrow {\mathbb {Z}}_p\) is discarded from \({\varvec{v}}_{j^{\prime }, t}[{\textsf {const}}]\) and the coefficient vector \(\varvec{\ell }_{j^{\prime }, t}\) is used in \({\varvec{v}}_{j^{\prime }, t}\).

In this hybrid, the label \(\widetilde{\ell }_{1, t}\) is reversely sampled using the random values \(\ell _{2, t}^{\prime }, \ldots , \ell _{m+1-j, t}^{\prime }\) and the actual values \(\ell _{m-j+2, t}, \ldots , \ell _{m+1,t}\) for each \(t \in [n^{\prime }]\). The hybrids \({{\textsf{H}}}_{13, m+1-(j-1)}\) and \({{\textsf{H}}}_{13, m+1-j}\) can be shown to be indistinguishable via the following sequence of sub-hybrids, namely, \(\{{{\textsf{H}}}_{13, m+1-j,1}, {{\textsf{H}}}_{13, m+1-j,2}, {{\textsf{H}}}_{13, m+1-j,3}\}\).

Hybrid \({\textsf {H}}_{13, m+1-j, 1}\) \((j \in [m-1])\): It proceeds exactly the same as \({\textsf {H}}_{13, m+1-(j-1)}\) except that the random values \(\ell _{m+1-j, t}^{\prime }\) are shifted from \({\varvec{v}}_{m+1-j, t}[{\textsf {const}}]\) to \({\varvec{u}}[{\textsf {sim}}_\tau ^*]\). We modify the vectors associated with the secret-key and the challenge ciphertext as follows

The indistinguishability between the hybrids \({\textsf {H}}_{13, m+1-(j- 1)}\) and \({\textsf {H}}_{13, m+1-j, 1}\) follows from the function hiding security of IPFE.

Hybrid \({\textsf {H}}_{13, m+1-j, 2}\) \((j \in [m-1])\): It is exactly the same as \({\textsf {H}}_{13, m+1-j, 1}\) except that the random values \(\ell _{m+1-j, \tau }^{\prime }\) at \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\) are now replaced with the actual labels \(\ell _{m+1-j, \tau } = L_{m+1-j, \tau }({\varvec{x}}^*)\). The change in the vector \({\varvec{u}}\) associated with the challenge ciphertext is indicated below.

The indistinguishability between the hybrids \({\textsf {H}}_{13, m+1-j, 1}\) and \({\textsf {H}}_{13, m+1-j, 2}\) follows from the marginal randomness property of AKGS.

Hybrid \({\textsf {H}}_{13, m+1-j, 3}\) \((j \in [m-1])\): It proceeds analogously to \({\textsf {H}}_{13, m+1-j, 2}\) except that instead of the actual labels \(\ell _{m+1-j, t} = L_{m+1-j, t}({\varvec{x}}^*)\) we use the coefficient vectors \(\varvec{\ell }_{m+1-j, t}\) to set \({\varvec{v}}_{m+1-j, t}\). Also, the positions \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\) are set to zero to keep the inner products \({{\varvec{v}}_{m+1-j, t}} \cdot {{\varvec{u}}}\) unaltered as in \({\textsf {H}}_{13, m+1-j, 2}\). The changes in the vectors associated with the secret-key and the challenge ciphertext are shown below.

The indistinguishability between the hybrids \({\textsf {H}}_{13, m+1-j, 2}\) and \({\textsf {H}}_{13, m+1-j, 3}\) follows from the function hiding security of IPFE. We observe that \({\textsf {H}}_{13, m+1-j, 3}\) is identical to \({\textsf {H}}_{13, m+1-j}\) for all \(j \in [m-1]\).

Hybrid \({\textsf {H}}_{14}\): This hybrid proceeds exactly the same as \({\textsf {H}}_{13, 2}\) except that the reversely sampled labels \(\widetilde{\ell }_{1, \tau }\) are replaced with the actual labels \(\ell _{1, \tau } = L_{1, \tau }({\varvec{x}}^*)\) when setting \({\varvec{u}}[{\textsf {sim}}_{\tau }]\). The vectors associated with the challenge ciphertext are given by

The indistinguishability between the hybrids \({\textsf {H}}_{13, 2}\) and \({\textsf {H}}_{14}\) follows from the reverse sampleability guaranteed by the piecewise security of AKGS.

Hybrid \({\textsf {H}}_{15}\): It is analogous to \({\textsf {H}}_{14}\) except that the actual labels \(\ell _{1, \tau } = L_{1, \tau }({\varvec{x}}^*)\) are removed from \({\varvec{u}}[{\textsf {sim}}_{\tau }]\) and the coefficient vectors \(\varvec{\ell }_{1, t}\) are utilized while setting the vectors \({\varvec{v}}_{1, t}\) for all \(t \in [n^{\prime }]\). The vectors associated with the secret-key and the challenge ciphertext are shown below.

Since the inner products \({{\varvec{v}}_{1, t}} \cdot {{\varvec{u}}} = \ell _{1, t}\), for all \(t \in [n^{\prime }]\), remain the same as in \({\textsf {H}}_{14}\), the function hiding security of IPFE ensures the indistinguishability between the hybrids \({\textsf {H}}_{14}\) and \({\textsf {H}}_{15}\). Observe that the hybrid \({{\textsf{H}}}_{15}\) coincides with the ideal experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Ideal}}, {\textsf {1-FE}}}(1^{\lambda })\). \(\square \)

4.2 Public key one-slot FE for attribute-weighted sums

In this section we present our public-key one-slot FE scheme \({\varPi }_{{\textsf {one}}}\) for the attribute-weighted sum functionality that is proven adaptively simulation secure against a single ciphertext query and an arbitrary polynomial number of secret key queries both before and after the ciphertext query.

We will use our 1-key, 1-ciphertext secure 1-FE scheme from the previous section in a particular hybrid of the full-fledged public-key one-slot FE scheme. In particular, it is not hard to observe that the 1-FE scheme already supports multiple secret keys; however, the scheme completely breaks down if we release two ciphertexts. Suppose we publish only a single secret key \({\textsf {SK}}_f\) for a function \(f = (f_1, \ldots , f_{n'})\) and two ciphertexts \({\textsf {CT}}_1, {\textsf {CT}}_2\) encrypting \(({\varvec{x}}_1, {\varvec{z}}_1), ({\varvec{x}}_2, {\varvec{z}}_2)\). The system eventually allows the decrypter to evaluate the same AKGS levels \((\varvec{\ell }_{1, t}, \cdots , \varvec{\ell }_{m, t}, \varvec{\ell }_{m+1, t})\) encoding the function \(z[t]f_t({\varvec{x}}) + \beta _t\) twice with inputs \({\varvec{x}}_1\) and \({\varvec{x}}_2\). However, AKGS does not guarantee security when the same level functions are evaluated with two different inputs.

We exploit the fact, similar to [49], that the level values and the inputs are encoded in the exponent of source groups and the AKGS evaluation is performed via the underlying IPFE in the exponent of the target group. In fact, computational assumptions such as MDDH can be used along with the function hiding security of IPFE to randomize the level functions in the exponent of source groups. Instead of encrypting the vectors \((1, {\varvec{x}}), (-1, z[t])\) directly using IPFE, we first randomize the vectors by sampling a uniformly random vector \({\varvec{s}}\) and then encrypt the randomized vectors using IPFE. Consequently, the level functions associated with the secret key can be randomized with \({\varvec{s}}\) using the function hiding security of IPFE. Then, the MDDH assumption ensures that the randomized level functions are computationally uniform. It then appears as if the level functions were sampled independently each time we decrypt a ciphertext with the same secret key. However, in order to handle a polynomial number of secret keys in the setting of FE, the techniques developed in [49] are not sufficient. As discussed in Sect. 2.1, we devise a three-slot dual system encryption mechanism and utilize the security of our 1-FE scheme in one of the hidden slots for handling pre-ciphertext key queries one at a time in a loop.

As outlined in Remark 1 below, this scheme can naturally be extended to one supporting a bounded number of ciphertext queries. We describe the construction for any fixed value of the security parameter \(\lambda \) and suppress the appearance of \(\lambda \) to simplify notation. Let \(({\textsf{Garble}}, {\textsf{Eval}})\) be a special piecewise secure AKGS for a function class \({\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })}\), \({{\textsf{G}}}=({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e)\) a tuple of pairing groups of prime order p such that \({\textsf{MDDH}}_k\) holds in \({\mathbb {G}}_2\), and \(({\textsf{IPFE}}.{\textsf{Setup}}, {\textsf{IPFE}}.{\textsf{KeyGen}},{\textsf{IPFE}}.{\textsf{Enc}}, {\textsf{IPFE}}.{\textsf{Dec}})\) a slotted \({\textsf{IPFE}}\) based on \({{\textsf{G}}}\). We construct an \({\textsf{FE}}\) scheme for attribute-weighted sums with the message space \({\mathbb {M}}={\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }}\).

Setup(\({\varvec{1}}^{{\varvec{n}}}, {\varvec{1}}^{{\varvec{n}}^{{\varvec{\prime }}}}\)) Define the index sets as follows

$$\begin{aligned} S_{{\textsf {pub}}}&= \left\{ \{{\textsf {const}}^{(\iota )}\}_{\iota \in [k]}, \{{\textsf {coef}}_{i}^{(\iota )}\}_{\iota \in [k], i\in [n]}\right\} , {{\widehat{S}}}_{{\textsf {pub}}} = \big \{\widehat{{\textsf {const}}}^{(\iota )}, \widehat{{\textsf {coef}}}^{(\iota )}\big \}_{\iota \in [k]}\\ S_{{\textsf {priv}}}&= \left\{ {\textsf {const}}, \{{\textsf {coef}}_i\}_{i\in [n]}, \{{\textsf {sim}}_{\tau }, {\textsf {sim}}_{\tau }^*\}_{\tau \in [n^{\prime }]}\right\} ,\\ {{\widehat{S}}}_{{\textsf {priv}}}&= \{ \widehat{{\textsf {const}}}_1, \widehat{{\textsf {coef}}}_1, \widehat{{\textsf {const}}}_2, \widehat{{\textsf {coef}}}_2, \widehat{{\textsf {const}}}, \widehat{{\textsf {coef}}}, \widehat{{\textsf {sim}}}^*\}. \end{aligned}$$

It generates \(({\textsf{IPFE}}.{\textsf{MSK}}, {\textsf{IPFE}}.{\textsf{MPK}}) \leftarrow {\textsf {IPFE.Setup}}(S_{{\textsf {pub}}}, S_{{\textsf {priv}}})\) and \((\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, \widehat{{\textsf{IPFE}}.{\textsf{MPK}}}) \leftarrow {\textsf {IPFE.Setup}}({{\widehat{S}}}_{{\textsf {pub}}}, {{\widehat{S}}}_{{\textsf {priv}}})\). Finally, it returns \({\textsf{MSK}}= ({\textsf{IPFE}}.{\textsf{MSK}}, \widehat{{\textsf{IPFE}}.{\textsf{MSK}}})\) and \({\textsf{MPK}}= ({\textsf{IPFE}}.{\textsf{MPK}}, \widehat{{\textsf{IPFE}}.{\textsf{MPK}}})\).

Let \(f = (f_1, \ldots , f_{n^{\prime }})\in {\mathcal {F}}_{{\textsf{ABP}}}^{(n, n^{\prime })}\). Sample \(\varvec{\alpha }, \varvec{\beta }_t \leftarrow {\mathbb {Z}}_p^k\) for \(t \in [n^{\prime }]\) such that

$$\begin{aligned} \sum _{t \in [n^{\prime }]} \varvec{\beta }_t[\iota ] = 0 \mod p \text { for all }\iota \in [k] \end{aligned}$$

Next, sample independent random vectors \({\varvec{r}}^{(\iota )}_t \leftarrow {\mathbb {Z}}_p^{m}\) and compute

$$\begin{aligned} (\varvec{\ell }_{1, t}^{(\iota )}, \ldots , \varvec{\ell }_{m, t}^{(\iota )}, \varvec{\ell }_{m+1, t}^{(\iota )}) \leftarrow {\textsf {Garble}}(\varvec{\alpha }[\iota ] {\varvec{z}}[t]f_t({\varvec{x}}) + \varvec{\beta }_t[\iota ]; {\varvec{r}}^{(\iota )}_t) \end{aligned}$$

for all \(\iota \in [k], t \in [n^{\prime }]\). Here we make use of the instantiation of the AKGS described in Sect. 3.6. From the description of that AKGS instantiation, we note that the \((m+1)\)-th label function \(\varvec{\ell }_{m+1, t}^{(\iota )}\) would be of the form \(\varvec{\ell }_{m+1,t}^{(\iota )}=\varvec{\alpha }[\iota ] {\varvec{z}}[t]-{\varvec{r}}_t^{(\iota )}[m]\) where \(\varvec{\alpha }[\iota ]\) is a constant. Also all the label functions \(\varvec{\ell }_{1,t}^{(\iota )},\ldots ,\varvec{\ell }_{m,t}^{(\iota )} \) involve only the variables \({\varvec{x}}\) and not the variable \({\varvec{z}}[t]\). Next, for all \(j \in [m]\) and \(t \in [n^{\prime }]\), it defines the vectors \({\varvec{v}}_{j, t}\) corresponding to the label functions \(\varvec{\ell }_{j,t}^{(\iota )}\) obtained from the partial garbling above as

$$\begin{array}{c|c|c|c} \text {vector} & {\textsf {const}}^{(\iota )} & {\textsf {coef}}_i^{(\iota )} & S_{{\textsf {priv}}} \\ \hline {\varvec{v}} & \varvec{\alpha }[\iota ] & 0 & 0 \\ {\varvec{v}}_{j, t} & \varvec{\ell }_{j, t}^{(\iota )}[{\textsf {const}}] & \varvec{\ell }_{j, t}^{(\iota )}[{\textsf {coef}}_i] & 0 \end{array}$$

$$\begin{array}{c|c|c|c} \text {vector} & \widehat{{\textsf {const}}}^{(\iota )} & \widehat{{\textsf {coef}}}^{(\iota )} & {{\widehat{S}}}_{{\textsf {priv}}} \\ \hline {\varvec{v}}_{m+1, t} & {\varvec{r}}^{(\iota )}_{t}[m] & \varvec{\alpha }[\iota ] & 0 \end{array}$$

It generates the secret-keys as

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{SK}}\leftarrow {\textsf {IPFE.KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}]\!]_2)&\\ {\textsf{IPFE}}.{\textsf{SK}}_{j, t} \leftarrow {\textsf {IPFE.KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_{j, t}]\!]_2)&\text { for } j \in [m], t \in [n^{\prime }]\\ \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t} \leftarrow {\textsf {IPFE.KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{v}}_{m+1, t}]\!]_2)&\text { for } t \in [n^{\prime }] \end{aligned}$$

It returns \({\textsf{SK}}_f = ({\textsf{IPFE}}.{\textsf{SK}}, \{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]})\).

It samples \({\varvec{s}} \leftarrow {\mathbb {Z}}_p^{k}\) and sets the vectors

$$\begin{array}{c|c|c} \text {vector} & {\textsf {const}}^{(\iota )} & {\textsf {coef}}_i^{(\iota )} \\ \hline {\varvec{u}} & {\varvec{s}}[\iota ] & {\varvec{s}}[\iota ] {\varvec{x}}[i] \end{array}$$

$$\begin{array}{c|c|c} \text {vector} & \widehat{{\textsf {const}}}^{(\iota )} & \widehat{{\textsf {coef}}}^{(\iota )} \\ \hline {\varvec{h}}_{t} & -{\varvec{s}}[\iota ] & {\varvec{s}}[\iota ]{\varvec{z}}[t] \end{array}$$

for all \(t \in [n^{\prime }]\). It encrypts the vectors as

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{CT}}\leftarrow {\textsf {IPFE.SlotEnc}}({\textsf{IPFE}}.{\textsf{MPK}}, [\![{\varvec{u}}]\!]_1)&\\ \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t \leftarrow {\textsf {IPFE.SlotEnc}}(\widehat{{\textsf{IPFE}}.{\textsf{MPK}}}, [\![{\varvec{h}}_t]\!]_1)&\text { for } t \in [n^{\prime }] \end{aligned}$$

and returns the ciphertext as \({\textsf{CT}}= ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\).

It parses \({\textsf{SK}}_f = ({\textsf{IPFE}}.{\textsf{SK}}, \{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]})\) and the ciphertext \({\textsf{CT}}= ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\). It uses the decryption algorithm of IPFE to compute

$$\begin{aligned}{}[\![\mu ]\!]_T&= {\textsf {IPFE.Dec}}({\textsf{IPFE}}.{\textsf{SK}}, {\textsf{IPFE}}.{\textsf{CT}}) \\ [\![\ell _{j, t}]\!]_T&= {\textsf {IPFE.Dec}}({\textsf{IPFE}}.{\textsf{SK}}_{j, t}, {\textsf{IPFE}}.{\textsf{CT}}) \text { for } j \in [m], t \in [n^{\prime }]\\ [\![\ell _{m+1, t}]\!]_T&= {\textsf {IPFE.Dec}}(\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}, \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t) \text { for } t \in [n^{\prime }] \end{aligned}$$

Next, it utilizes the evaluation procedure of AKGS and obtains a combined value

$$\begin{aligned}{}[\![\rho ]\!]_T = \prod _{t \in [n^{\prime }]} {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t}]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T). \end{aligned}$$

Finally, it returns a value \(\zeta \) from a polynomially bounded set \({\mathcal {P}}\) such that \([\![\rho ]\!]_T = [\![\mu ]\!]_T \cdot [\![\zeta ]\!]_T\); otherwise it returns \(\bot \).

Correctness By the correctness of IPFE, AKGS and the linearity of the Eval function we have

$$\begin{aligned}&{\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t}]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T) \\&\quad = [\![\sum _{\iota = 1}^k \varvec{\alpha }[\iota ]{\varvec{s}}[\iota ] \cdot f_t({\varvec{x}}){\varvec{z}}[t] + \varvec{\beta }_t[\iota ]{\varvec{s}}[\iota ]]\!]_T \\&\quad = [\![{\varvec{\alpha }} \cdot {{\varvec{s}}}\cdot f_t({\varvec{x}}){\varvec{z}}[t] + {\varvec{\beta }_t} \cdot {{\varvec{s}}}]\!]_T \end{aligned}$$

Therefore, \([\![\rho ]\!]_T = [\![\sum _{t = 1}^{n^{\prime }} {\varvec{\alpha }} \cdot {{\varvec{s}}}\cdot f_t({\varvec{x}}){\varvec{z}}[t] + {\varvec{\beta }_t} \cdot {{\varvec{s}}}]\!]_T = [\![{\varvec{\alpha }} \cdot {{\varvec{s}}} f({\varvec{x}})^{\top } {\varvec{z}}]\!]_T\) since \(\sum _{t \in [n^{\prime }]} \varvec{\beta }_t[\iota ] = 0 \mod p\) for all \(\iota \in [k]\). Also, by the correctness of IPFE we see that \([\![\mu ]\!]_T = [\![{\varvec{\alpha }} \cdot {{\varvec{s}}}]\!]_T\) and hence \([\![\zeta ]\!]_T = [\![f({\varvec{x}})^{\top } {\varvec{z}}]\!]_T \in {\mathcal {P}}\).
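The correctness computation above can be traced numerically. The following is an added example, not code from the paper: it models \({\mathbb {G}}_T\) by the order-p subgroup of \({\mathbb {Z}}_{2p+1}^*\) for a toy prime p, takes the per-t output of Eval directly from the Correctness paragraph (IPFE and AKGS are not implemented), and all function names and sample values are assumptions.

```python
"""Toy trace of the Correctness paragraph (constructed example).

Exponents live in Z_p. The target group G_T is modelled by the order-p
subgroup of Z_q^* with q = 2p + 1. IPFE and AKGS are not implemented: the
per-t value used below is what Eval outputs according to the text.
"""
import secrets

P = 1019          # toy prime group order p (assumption, far too small for real use)
Q = 2 * P + 1     # 2039 is prime, so Z_Q^* has a subgroup of order P
G = 4             # a quadratic residue != 1, hence a generator of that subgroup


def enc_T(a):
    """[[a]]_T : encode the exponent a in the toy target group."""
    return pow(G, a % P, Q)


def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % P


def sample_zero_sum_masks(n_prime, k):
    """beta_t in Z_p^k for t in [n'] with sum_t beta_t[iota] = 0 mod p."""
    betas = [[secrets.randbelow(P) for _ in range(k)] for _ in range(n_prime - 1)]
    last = [(-sum(b[i] for b in betas)) % P for i in range(k)]
    return betas + [last]


def eval_outputs(alpha, betas, s, fx, z):
    """[[ (alpha.s) f_t(x) z[t] + beta_t.s ]]_T for every t in [n']."""
    a_s = inner(alpha, s)
    return [enc_T(a_s * fx[t] * z[t] + inner(betas[t], s)) for t in range(len(fx))]


def decrypt(mu_T, labels_T, bound):
    """Multiply the per-t values into [[rho]]_T and search zeta in {0..bound}."""
    rho_T = 1
    for e in labels_T:
        rho_T = rho_T * e % Q       # the masks beta_t.s cancel in this product
    acc = 1                         # acc = mu_T^zeta
    for zeta in range(bound + 1):
        if acc == rho_T:
            return zeta
        acc = acc * mu_T % Q
    return None                     # plays the role of "bottom"


def demo(fx, z, bound, k=2):
    """fx[t] = f_t(x), z[t] = private value; returns the decrypted weighted sum."""
    while True:
        alpha = [secrets.randbelow(P) for _ in range(k)]
        s = [secrets.randbelow(P) for _ in range(k)]
        if inner(alpha, s) != 0:    # alpha.s = 0 happens w.p. 1/p; visible only for toy p
            break
    betas = sample_zero_sum_masks(len(fx), k)
    mu_T = enc_T(inner(alpha, s))
    return decrypt(mu_T, eval_outputs(alpha, betas, s, fx, z), bound)


if __name__ == "__main__":
    # Constructed data: predicate outputs f_t(x) and private values z[t].
    print(demo([1, 0, 1, 1], [52, 61, 47, 58], bound=500))
    print(demo([1, 0, 1, 1], [400, 0, 300, 0], bound=500))
```

Each individual per-t group element is shifted by the fresh mask \({\varvec{\beta }_t} \cdot {{\varvec{s}}}\); only the product over all t removes the masks, and a sum outside the searched set yields no output.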

Remark 1

(Multi-Ciphertext Scheme) The one-slot FE scheme \({\varPi }_{{\textsf {one}}}\) described above is secure against adversaries that are restricted to query a single ciphertext. However, we can easily modify the FE scheme to another FE that is secure for any a-priori bounded number of ciphertext queries from the adversary’s end. For the extension, we introduce additional \((2n^{\prime } + 2)q_{{\textsf {CT}}}\) private slots on both the ciphertext and the decryption key sides, where \(q_{{\textsf {CT}}}\) denotes the number of ciphertext queries. More specifically, we add \(2n^{\prime } q_{{\textsf {CT}}}\) and \(2q_{{\textsf {CT}}}\) dimensional hidden slots to \({\mathcal {S}}_{{\textsf {priv}}}\) and \(\widehat{{\mathcal {S}}}_{{\textsf {priv}}}\) respectively to handle the \(q_{{\textsf {CT}}}\) ciphertext queries during the security reduction. Consequently, the sizes of the system parameters, secret-keys and ciphertexts would grow linearly with \(q_{{\textsf {CT}}}\). A similar strategy can be followed to convert our extended one-slot FE scheme (of Sect. 1) that only supports a single ciphertext query to one that is secure for any a-priori bounded number of ciphertext queries.

4.2.1 Security analysis

Theorem 3

The one slot FE scheme \({\varPi }_{{\textsf {one}}}\) for attribute-weighted sum is adaptively simulation-secure assuming the AKGS is piecewise secure as per Definition 7, the \({\textsf{MDDH}}_k\) assumption holds in group \({\mathbb {G}}_2\) as per Assumption 1, and the slotted IPFE is function hiding as per Definition 5.

4.2.2 The simulator

We describe the simulator for the one slot FE scheme \({\varPi }_{{\textsf {one}}}\).

To generate the master public/secret keys, it executes as follows:

1. Define the following index sets

$$\begin{aligned} S_{{\textsf {pub}}}&= \left\{ \{{\textsf {const}}^{(\iota )}\}_{\iota \in [k]}, \{{\textsf {coef}}_{i}^{(\iota )}\}_{\iota \in [k], i\in [n]}\right\} ,\\ {{\widehat{S}}}_{{\textsf {pub}}}&= \big \{\widehat{{\textsf {const}}}^{(\iota )}, \widehat{{\textsf {coef}}}^{(\iota )}\big \}_{\iota \in [k]}\\ S_{{\textsf {priv}}}&= \left\{ {\textsf {const}}, \{{\textsf {coef}}_i\}_{i\in [n]}, \{{\textsf {sim}}_{\tau }, {\textsf {sim}}_{\tau }^*\}_{\tau \in [n^{\prime }]}\right\} ,\\ {{\widehat{S}}}_{{\textsf {priv}}}&= \{ \widehat{{\textsf {const}}}_1, \widehat{{\textsf {coef}}}_1, \widehat{{\textsf {const}}}_2, \widehat{{\textsf {coef}}}_2, \widehat{{\textsf {const}}}, \widehat{{\textsf {coef}}}, \widehat{{\textsf {sim}}}^*\}. \end{aligned}$$
2. It generates \(({\textsf{IPFE}}.{\textsf{MSK}}, {\textsf{IPFE}}.{\textsf{MPK}}) \leftarrow {\textsf {IPFE.Setup}}(S_{{\textsf {pub}}}, S_{{\textsf {priv}}})\) and \((\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, \widehat{{\textsf{IPFE}}.{\textsf{MPK}}}) \leftarrow {\textsf {IPFE.Setup}}({{\widehat{S}}}_{{\textsf {pub}}}, {{\widehat{S}}}_{{\textsf {priv}}})\).

3. It outputs \({\textsf{MSK}}^* = ({\textsf{IPFE}}.{\textsf{MSK}}, \widehat{{\textsf{IPFE}}.{\textsf{MSK}}})\) and \({\textsf{MPK}}^* = ({\textsf{IPFE}}.{\textsf{MPK}}, \widehat{{\textsf{IPFE}}.{\textsf{MPK}}})\).

On input \({\textsf{MSK}}^*\), a function \(f_q = (f_{q, 1}, \ldots f_{q, n^{\prime }})\) for \(q \in [Q_{{\textsf {pre}}}]\) the simulator proceeds as follows:

Setting Public Positions: The public positions are set as in the original scheme.

1. It first samples \(\varvec{\beta }_{q, t} = (\varvec{\beta }_{q, t}[1], \ldots , \varvec{\beta }_{q, t}[k]) \leftarrow {\mathbb {Z}}_p^k\) and \({\varvec{r}}^{(\iota )}_{q, t} = ({\varvec{r}}^{(\iota )}_{q, t}[1], \ldots , {\varvec{r}}^{(\iota )}_{q, t}[m_q]) \leftarrow {\mathbb {Z}}_p^{m_q}\) where it holds that

$$\begin{aligned} \sum _{t \in [n^{\prime }]} \varvec{\beta }_{q, t}[\iota ] = 0 \mod p\text { for all }\iota \in [k]. \end{aligned}$$
2. Next, it computes the coefficient vectors for the label functions as

$$\begin{aligned} (\varvec{\ell }_{q, 1, t}^{(\iota )}, \ldots , \varvec{\ell }_{q, m_q, t}^{(\iota )},\varvec{\ell }_{q, m_q+1, t}^{(\iota )}) \leftarrow {\textsf {Garble}}(\varvec{\alpha }_q[\iota ] {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + \varvec{\beta }_{q, t}[\iota ]; {\varvec{r}}^{(\iota )}_{q, t}) \end{aligned}$$

for all \(\iota \in [k], t \in [n^{\prime }]\). From the description of AKGS, we note that the \((m_q+1)\)-th label function \(\varvec{\ell }_{q, m_q+1, t}^{(\iota )}\) would be of the form \(\varvec{\ell }_{q, m_q+1,t}^{(\iota )}=\varvec{\alpha }_q[\iota ] {\varvec{z}}^*[t]-{\varvec{r}}_{q,t}^{(\iota )}[m_q]\).

3. It picks \(\varvec{\alpha }_q \leftarrow {\mathbb {Z}}_p^k\) and sets the public positions at the indexes in \(S_{{\textsf {pub}}}, {{\widehat{S}}}_{{\textsf {pub}}}\) of the following vectors

$$\begin{array}{c|c|c} \text {vector} & {\textsf {const}}^{(\iota )} & {\textsf {coef}}_i^{(\iota )} \\ \hline {\varvec{v}}_q & \varvec{\alpha }_q[\iota ] & 0 \\ {\varvec{v}}_{q, j, t} & \varvec{\ell }_{q, j, t}^{(\iota )}[{\textsf {const}}] & \varvec{\ell }_{q, j, t}^{(\iota )}[{\textsf {coef}}_i] \end{array}$$

for all \(j \in [m_q]\) and \(t \in [n^{\prime }]\). It also sets the following vectors

$$\begin{array}{c|c|c} \text {vector} & \widehat{{\textsf {const}}}^{(\iota )} & \widehat{{\textsf {coef}}}^{(\iota )} \\ \hline {\varvec{v}}_{q, m_q+1, t} & {\varvec{r}}^{(\iota )}_{q, t}[m_q] & \varvec{\alpha }_q[\iota ] \end{array}$$

for all \(t \in [n^{\prime }]\).

Setting Private Positions:

4. It samples \({\widetilde{\alpha }}_q, {\widetilde{\beta }}_{q, t} \leftarrow {\mathbb {Z}}_p\) for \(t \in [n^{\prime }]\) satisfying \(\sum _{t \in [n^{\prime }]} {\widetilde{\beta }}_{q, t} = 0\).

5. Next, it picks \(\widetilde{{\varvec{r}}}_{q, t} \leftarrow {\mathbb {Z}}_p^{m_q}\) and computes the coefficient vectors for the label functions as

$$\begin{aligned} (\widetilde{\varvec{\ell }}_{q, 1, t}, \ldots , \widetilde{\varvec{\ell }}_{q, m_q, t}, \widetilde{\varvec{\ell }}_{q, m_q+1, t}) \leftarrow {\textsf {Garble}}(\widetilde{\alpha }_q {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + {\widetilde{\beta }}_{q, t}; \widetilde{{\varvec{r}}}_{q, t}). \end{aligned}$$

for all \(t \in [n^{\prime }]\). From the description of AKGS, we note that the \((m_q+1)\)-th label function \(\widetilde{\varvec{\ell }}_{q,m_q+1,t}\) would be of the form \(\widetilde{\varvec{\ell }}_{q,m_q+1,t} = {\widetilde{\alpha }}_q{\varvec{z}}^*[t] - \widetilde{{\varvec{r}}}_{q,t}[m_q]\).

6. Now, it fills the private positions at the indexes in \(S_{{\textsf {priv}}}, {{\widehat{S}}}_{{\textsf {priv}}}\) as follows

$$\begin{array}{c|c|c|c|c} \text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\ \hline {\varvec{v}}_q & {\widetilde{\alpha }}_q & 0 & 0 & 0 \\ {\varvec{v}}_{q, j, t} & \widetilde{\varvec{\ell }}_{q, j, t}[{\textsf {const}}] & \widetilde{\varvec{\ell }}_{q, j, t}[{\textsf {coef}}_i] & 0 & 0 \end{array}$$

for all \(j \in [m_q]\) and \(t \in [n^{\prime }]\); and

$$\begin{array}{c|c|c|c|c|c|c|c} \text {vector} & \widehat{{\textsf {const}}}_1 & \widehat{{\textsf {coef}}}_1 & \widehat{{\textsf {const}}}_2 & \widehat{{\textsf {coef}}}_2 & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}}^* \\ \hline {\varvec{v}}_{q, m_q+1, t} & 0 & 0 & \widetilde{{\varvec{r}}}_{q, t}[m_q] & {\widetilde{\alpha }}_q & 0 & 0 & 0 \end{array}$$

for all \(t \in [n^{\prime }]\).

7. It generates the IPFE secret-keys as

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{SK}}_q \leftarrow {\textsf {IPFE.KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_q]\!]_2)&\\ {\textsf{IPFE}}.{\textsf{SK}}_{q, j, t} \leftarrow {\textsf {IPFE.KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_{q, j, t}]\!]_2)&\text { for } j \in [m_q], t \in [n^{\prime }]\\ \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{q, m_q+1, t} \leftarrow {\textsf {IPFE.KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{v}}_{q, m_q+1, t}]\!]_2)&\text { for } t \in [n^{\prime }] \end{aligned}$$
8. Finally, it returns

$$\begin{aligned} {\textsf{SK}}_{f_q} = ({\textsf{IPFE}}.{\textsf{SK}}_q, \{{\textsf{IPFE}}.{\textsf{SK}}_{q, j, t}\}_{j \in [m_q], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{q, m_q+1, t}\}_{t \in [n^{\prime }]}). \end{aligned}$$

On input \({\textsf{MSK}}^*\), a vector \({\varvec{x}}^* \in {\mathbb {Z}}_p^n\) and a set \({\mathcal {V}} = \{(f_q, f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^*) : q \in [Q_{{\textsf {pre}}}]\}\) the simulator executes the following steps:

1. It samples a dummy vector \({\varvec{d}}\) from the set

$$\begin{aligned} D = \{{\varvec{d}} \in {\mathbb {Z}}_p^{n^{\prime }}: f_q({\varvec{x}}^*)^{\top }{\varvec{d}} = f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* \text { for all } q \in [Q_{{\textsf {pre}}}]\}. \end{aligned}$$

The simulator does this by finding a random vector \({\varvec{d}}\in {\mathbb {Z}}_p^{n^{\prime }}\) such that \(\sum _{t \in [n^{\prime }]} f_{q, t}({\varvec{x}}^*) {\varvec{d}}[t] = \sum _{t \in [n^{\prime }]} f_{q, t}({\varvec{x}}^*) {\varvec{z}}^*[t]\) for all \(q \in [Q_{{\textsf {pre}}}]\). Hence, D is identical to the set \(D_{{\textsf{IP}}} = \{{\varvec{d}} \in {\mathbb {Z}}_p^{n^{\prime }}: {(f_{q, 1}({\varvec{x}}^*), \ldots , f_{q, n^{\prime }}({\varvec{x}}^*))} \cdot {({\varvec{d}}[1], \ldots , {\varvec{d}}[n^{\prime }])} = f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* \text { for all } q \in [Q_{{\textsf {pre}}}]\}.\) A vector \({\varvec{d}}\) from a set of the form \(D_{{\textsf{IP}}}\) can be efficiently sampled via a polynomial time algorithm given by O’Neill [59] as noted earlier. Therefore, given \({\varvec{x}}^*\) and \({\mathcal {V}}\), the simulator can find a dummy vector \({\varvec{d}}\) such that \(f_q({\varvec{x}}^*)^{\top }{\varvec{d}} = f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^*\) holds for every \(q \in [Q_{{\textsf {pre}}}]\).

2. Next, it sets the following vectors

$$\begin{array}{c|c|c|c|c|c|c} \text {vector} & {\textsf {const}}^{(\iota )} & {\textsf {coef}}_i^{(\iota )} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\ \hline {\varvec{u}} & 0 & 0 & 1 & {\varvec{x}}^*[i] & 0 & 0 \end{array}$$

and

$$\begin{array}{c|c|c} \text {vector} & \widehat{{\textsf {const}}}^{(\iota )} & \widehat{{\textsf {coef}}}^{(\iota )} \\ \hline {\varvec{h}}_{t} & 0 & 0 \end{array}$$

$$\begin{array}{c|c|c|c|c|c|c|c} \text {vector} & \widehat{{\textsf {const}}}_1 & \widehat{{\textsf {coef}}}_1 & \widehat{{\textsf {const}}}_2 & \widehat{{\textsf {coef}}}_2 & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}}^* \\ \hline {\varvec{h}}_{t} & 1 & 0 & -1 & {\varvec{d}}[t] & 0 & 0 & 0 \end{array}$$

for all \(t \in [n^{\prime }]\).

3. It encrypts the vectors as

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{CT}}\leftarrow {\textsf {IPFE.Enc}}({\textsf{IPFE}}.{\textsf{MPK}}, [\![{\varvec{u}}]\!]_1)&\\ \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t \leftarrow {\textsf {IPFE.Enc}}(\widehat{{\textsf{IPFE}}.{\textsf{MPK}}}, [\![{\varvec{h}}_t]\!]_1)&\text { for } t \in [n^{\prime }] \end{aligned}$$
4. It returns the ciphertext as \({\textsf{CT}}^* = ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\).
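Step 1 of this simulated encryption asks for a random \({\varvec{d}}\) with \(f_q({\varvec{x}}^*)^{\top }{\varvec{d}} = f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^*\) for every pre-challenge query. The sketch below is an added example, not the paper's code and not the algorithm of [59]: it samples uniformly from that solution set by plain Gaussian elimination over \({\mathbb {Z}}_p\); the toy modulus, function name and sample values are assumptions.

```python
"""Sampling the simulator's dummy vector d (constructed example)."""
import secrets

P = 1019  # toy prime modulus (assumption)


def sample_dummy_vector(F, c, n_prime, p=P):
    """Return uniform d in Z_p^{n'} with F d = c (mod p), or None if unsolvable.

    F[q] = (f_{q,1}(x*), ..., f_{q,n'}(x*)) and c[q] = f_q(x*)^T z*, i.e. exactly
    what the simulator learns from x* and the set V; z* itself is never used.
    """
    # Augmented matrix [F | c], reduced to reduced row echelon form mod p.
    rows = [[v % p for v in row] + [cq % p] for row, cq in zip(F, c)]
    pivots = []                      # pivot column of reduced row i
    r = 0
    for col in range(n_prime):
        piv = next((i for i in range(r, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue                 # no pivot here: d[col] is a free coordinate
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][col], -1, p)
        rows[r] = [v * inv % p for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][col]:
                factor = rows[i][col]
                rows[i] = [(a - factor * b) % p for a, b in zip(rows[i], rows[r])]
        pivots.append(col)
        r += 1
    # A zero row with a non-zero right-hand side means no d exists. This cannot
    # happen for honest inputs, because z* is always a solution.
    if any(row[n_prime] for row in rows[r:]):
        return None
    # Free coordinates are uniform; pivot coordinates are then determined, which
    # makes d uniform over the whole affine solution set D.
    d = [secrets.randbelow(p) for _ in range(n_prime)]
    for i, col in enumerate(pivots):
        rest = sum(rows[i][j] * d[j] for j in range(n_prime) if j != col)
        d[col] = (rows[i][n_prime] - rest) % p
    return d


def weighted_sums(F, vec, p=P):
    """f_q(x*)^T vec for every query q."""
    return [sum(a * b for a, b in zip(row, vec)) % p for row in F]


if __name__ == "__main__":
    # Constructed data: two pre-challenge queries over n' = 4 private values.
    F = [[1, 0, 1, 1], [2, 3, 0, 1]]
    z_star = [52, 61, 47, 58]
    c = weighted_sums(F, z_star)
    d = sample_dummy_vector(F, c, 4)
    print(d, weighted_sums(F, d) == c)
```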

On input \({\textsf{MSK}}^*\), \({\varvec{x}}^* \in {\mathbb {Z}}_p^n\), a function \(f_q = (f_{q, 1}, \ldots f_{q, n^{\prime }}) \in {\mathcal {F}}_{{\textsf{ABP}}}^{(n, n^{\prime })}\) for \(q \in [Q_{{\textsf {pre}}}+1, Q]\) and \(f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* \in {\mathbb {Z}}_p\) the simulator proceeds as follows:

Fig. 2 Structure of the hybrid reduction proving Theorem 3

Setting Public Positions:

1. The simulator sets the public positions at the indexes in \(S_{{\textsf {pub}}}, {{\widehat{S}}}_{{\textsf {pub}}}\) of the vectors \({\varvec{v}}_q\) and \({\varvec{v}}_{q, j, t}\) analogous to \({\textsf {KeyGen}}^*_0({\textsf{MSK}}^*, f_q)\).

Setting Private Positions:

2. First, it samples random elements \({\widetilde{\alpha }}_q, \widetilde{\beta }_{q, t} \leftarrow {\mathbb {Z}}_p\), for \(t \in [n^{\prime }]\), satisfying \(\sum _{t \in [n^{\prime }]} \widetilde{\beta }_{q, t} = 0\) and then runs the simulator of the AKGS to obtain

$$\begin{aligned} ({\widehat{\ell }}_{q, 1, 1}, \ldots , {\widehat{\ell }}_{q, m_q, 1}, {\widehat{\ell }}_{q, m_q+1, 1})&\leftarrow {\textsf {SimGarble}}(f_{q, 1}, {\varvec{x}}^*, {\widetilde{\alpha }}_q \cdot f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* + \widetilde{\beta }_{q, 1})\\ ({\widehat{\ell }}_{q, 1, t}, \ldots , {\widehat{\ell }}_{q, m_q, t}, {\widehat{\ell }}_{q, m_q+1, t})&\leftarrow {\textsf {SimGarble}}(f_{q, t}, {\varvec{x}}^*, \widetilde{\beta }_{q, t})~~ \text { for } 1< t \le n^{\prime }. \end{aligned}$$
3. Next, it fills the private positions at the indices in \(S_{{\textsf {priv}}}, {{\widehat{S}}}_{{\textsf {priv}}}\) as follows

$$\begin{array}{c|c|c|c|c} \text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\ \hline {\varvec{v}}_q & {\widetilde{\alpha }}_q & 0 & 0 & 0 \\ {\varvec{v}}_{q, j, t} & {\widehat{\ell }}_{q, j, t} & 0 & 0 & 0 \end{array}$$

for all \(j \in [m_q]\) and \(t \in [n^{\prime }]\); and

$$\begin{array}{c|c|c|c|c|c|c|c} \text {vector} & \widehat{{\textsf {const}}}_1 & \widehat{{\textsf {coef}}}_1 & \widehat{{\textsf {const}}}_2 & \widehat{{\textsf {coef}}}_2 & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}}^* \\ \hline {\varvec{v}}_{q, m_q+1, t} & {\widehat{\ell }}_{q, m_q+1, t} & 0 & 0 & 0 & 0 & 0 & 0 \end{array}$$

for all \(t \in [n^{\prime }]\).

4. It generates the IPFE secret-keys as

5. It outputs

$$\begin{aligned} {\textsf{SK}}_{f_q} = ({\textsf{IPFE}}.{\textsf{SK}}_q, \{{\textsf{IPFE}}.{\textsf{SK}}_{q, j, t}\}_{j \in [m_q], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{q, m_q+1, t}\}_{t \in [n^{\prime }]}). \end{aligned}$$

4.2.3 Hybrids and reductions

Proof

We employ a sequence of hybrid experiments to demonstrate the indistinguishability between the real experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Real, FE}}}(1^{\lambda })\) and the ideal experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{\textsf {Ideal, FE}}(1^{\lambda })\) with the simulator described above, where \({\mathcal {A}}\) is any PPT adversary. The overall hybrid reduction is shown in Fig. 2. In each experiment, \({\mathcal {A}}\) can make a polynomial number of secret-key queries for functions \(f_q \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })}\), both before and after submitting the challenge message \(({\varvec{x}}^*, {\varvec{z}}^*) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }}\). Let Q be the total number of secret-key queries and \(Q_{{\textsf {pre}}}\) \((< Q)\) be the number of secret-keys queried before submitting the challenge message. We denote the q-th secret-key by \({\textsf{SK}}_{f_q}\) corresponding to a function \(f_q\). For ease of presentation, we write the vector elements sitting in the public slots in blue color and the vector elements sitting in the private slots in red color. More precisely, we do this so that while describing the hybrid games, we sometimes omit the public parts of the vectors and write down only the private parts when the changes occur only in the private parts. Now, we describe the hybrids as follows:

Hybrid \({\textsf {H}}_0\): This is the real experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{\textsf {Real, FE}}(1^{\lambda })\) defined in Definition 4 (with single slot, i.e., \(N = 1\)). For any \(q \in [Q]\), the q-th secret-key \({\textsf{SK}}_{f_q} = ({\textsf{IPFE}}.{\textsf{SK}}_q, \{{\textsf{IPFE}}.{\textsf{SK}}_{q, j, t}\}_{j \in [m_q], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{q, m_q+1, t}\}_{t \in [n^{\prime }]})\) is associated with the vectors \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}\) given by

for \(j \in [m_q]\) and \(t \in [n^{\prime }]\). Note that \(\varvec{\alpha }_q\) and \({\varvec{r}}^{(\iota )}_{q, t}\) are random vectors sampled from \({\mathbb {Z}}_p^k\) and \({\mathbb {Z}}_p^{m_q}\) respectively. For all \(t \in [n^{\prime }]\), the garblings are computed as

$$\begin{aligned} (\varvec{\ell }_{q, 1, t}, \ldots , \varvec{\ell }_{q, m_q, t}, \varvec{\ell }_{q, m_q+1, t}) \leftarrow {\textsf {Garble}}(\varvec{\alpha }_q[\iota ] {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + \varvec{\beta }_{q, t}[\iota ]; {\varvec{r}}^{(\iota )}_{q, t}) \end{aligned}$$

where \(f_q = (f_{q, 1}, \ldots , f_{q, n^{\prime }})\) and \(\varvec{\beta }_{q, t} \leftarrow {\mathbb {Z}}_p^k\) with \(\sum _{t \in [n^{\prime }]} \varvec{\beta }_{q, t}[\iota ] = 0 \mod p ~ \forall \iota \in [k]\). The challenge ciphertext \({\textsf{CT}}^* = ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\) corresponding to \(({\varvec{x}}^*, {\varvec{z}}^*) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }}\) is associated with the vectors \({\varvec{u}}\) and \({\varvec{h}}_t\) given by

for \(t\in [n^{\prime }]\) and \({\varvec{s}} \leftarrow {\mathbb {Z}}_p^k\). Note that, in the real experiment, \({\textsf{CT}}^*\) is computed using IPFE.SlotEnc and therefore the elements sitting at the indexes in \(S_{{\textsf{priv}}}\) are set as \(\bot \) for the vectors \({\varvec{u}}\) and \({\varvec{h}}_t\).

Hybrid \({\textsf {H}}_1\) It is exactly the same as hybrid \({\textsf {H}}_0\) except that here the challenge ciphertext \({\textsf{CT}}^*\) is generated by IPFE.Enc with \({\textsf{MSK}}= ({\textsf{IPFE}}.{\textsf{MSK}}, \widehat{{\textsf{IPFE}}.{\textsf{MSK}}})\). As a result, the private positions of \({\varvec{u}}\) and \({\varvec{h}}_t\) (in \({\textsf{CT}}^*\)) are changed from \(\bot \) to 0. Thus the vectors \({\varvec{u}}\) and \({\varvec{h}}_t\) become

The slot-mode correctness of IPFE guarantees that the two hybrids \({\textsf {H}}_0\) and \({\textsf {H}}_1\) are identically distributed.

Hybrid \({\textsf {H}}_2\) This hybrid is similar to \({\textsf {H}}_1\) except that, in the private slots of the vectors used to compute \({\textsf{SK}}_{f_q}\), we put a single garbling that linearly combines k garblings with weight vector \({\varvec{s}} \in {\mathbb {Z}}_p^k\), instead of using k independent garblings associated to each index \(j \in [m_q]\) of the vectors \({\varvec{v}}_{q, j, t}\), and, in \({\varvec{v}}_q\), a single random element combining the weight vector \({\varvec{s}}\), instead of using a random vector \(\varvec{\alpha }_q\). Accordingly, we modify the challenge ciphertext \({\textsf{CT}}^*\) by omitting the weight vector \({\varvec{s}}\) and setting the public slots of the vectors \({\varvec{u}}, {\varvec{h}}_t\) to zero, to ensure that the inner products computed at the time of decryption remain the same in both hybrids.

In \({\textsf {H}}_1\), the public slots of the vectors \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}\) are occupied by a vector \(\varvec{\alpha }_q \in {\mathbb {Z}}_p^k\) and the garblings \(\varvec{\ell }^{(\iota )}_{q, j, t}\) computed using randomness \({\varvec{r}}_{q, t}^{(\iota )} \in {\mathbb {Z}}_p^{m_q}\). In the public slots of the vectors \({\varvec{u}}, {\varvec{h}}_t\), we use \(({\varvec{s}}[\iota ], {\varvec{s}}[\iota ]{\varvec{x}}^*[i]), (-{\varvec{s}}[\iota ], {\varvec{s}}[\iota ]{\varvec{z}}^*[t])\) respectively. Therefore, the IPFE decryption lets us recover \([\![\mu _q]\!]_T, [\![\ell _{q, j, t}]\!]_T\) such that

$$\begin{aligned} \mu _q&= {\varvec{\alpha }_q} \cdot {{\varvec{s}}} = {\overline{\alpha }}_q \text { (say), } \\ \ell _{q, j, t}&= {(\varvec{\ell }^{(1)}_{q, j, t}, \ldots , \varvec{\ell }^{(k)}_{q, j, t})} \cdot {({\varvec{s}}[1](1, {\varvec{x}}^*), \ldots , {\varvec{s}}[k](1, {\varvec{x}}^*))} \\&= {({\varvec{s}}[1]\varvec{\ell }^{(1)}_{q, j, t}, \ldots , {\varvec{s}}[k]\varvec{\ell }^{(k)}_{q, j, t})} \cdot {((1, {\varvec{x}}^*), \ldots , (1, {\varvec{x}}^*))}\\&= {\overline{\varvec{\ell }}_{q, j, t}} \cdot {(1, {\varvec{x}}^*)} \end{aligned}$$

where \(\overline{\varvec{\ell }}_{q, j, t} = \sum _{\iota \in [k]} {\varvec{s}}[\iota ] \varvec{\ell }^{(\iota )}_{q, j, t}\) for all \(j \in [m_q]\) and \(t \in [n^{\prime }]\). Similarly, the \((m_q+1)\)-th garbling returns

$$\begin{aligned} \ell _{q, m_q+1, t}&= {(({\varvec{r}}^{(1)}_{q, t}[m_q], \varvec{\alpha }_q[1]), \ldots , ({\varvec{r}}^{(k)}_{q, t}[m_q], \varvec{\alpha }_q[k]))} \cdot {({\varvec{s}}[1](-1, {\varvec{z}}^*[t]), \ldots , {\varvec{s}}[k](-1, {\varvec{z}}^*[t]))}\\&= {({\varvec{s}}[1]({\varvec{r}}^{(1)}_{q, t}[m_q], \varvec{\alpha }_q[1]), \ldots , {\varvec{s}}[k]({\varvec{r}}^{(k)}_{q, t}[m_q], \varvec{\alpha }_q[k]))} \cdot {((-1, {\varvec{z}}^*[t]), \ldots , (-1, {\varvec{z}}^*[t]))}\\&= {(\overline{{\varvec{r}}}_{q, t}[m_q], {\overline{\alpha }}_q)} \cdot {(-1, {\varvec{z}}^*[t])} \end{aligned}$$

where \(\overline{{\varvec{r}}}_{q, t}[m_q] = \sum _{\iota \in [k]} {\varvec{s}}[\iota ] {\varvec{r}}^{(\iota )}_{q, t}[m_q]\). In \({\textsf {H}}_2\), we use \({\overline{\alpha }}_q, \overline{\varvec{\ell }}_{q, j, t}\) and \(\overline{{\varvec{r}}}_{q, t}[m_q]\) in the private slots of the vectors associated to \({\textsf{SK}}_{f_q}\) as described below

Since the weight vector \({\varvec{s}}\) is not required to generate the challenge ciphertext \({\textsf{CT}}^*\), we omit it in the vectors \({\varvec{u}}\) and \({\varvec{h}}_t\). Moreover, the public slots of \({\varvec{u}}\) and \({\varvec{h}}_t\) are set to zero as the inner product is computed through the private slots only. We describe the changes below.

Finally, we observe that the inner products \({{\varvec{v}}_q} \cdot {{\varvec{u}}}, {{\varvec{v}}_{q, j, t}} \cdot {{\varvec{u}}}\) and \({{\varvec{v}}_{q, m_q+1, t}} \cdot {{\varvec{h}}_t}\) for all \(j \in [m_q], t \in [n^{\prime }]\) remain the same as in \({\textsf {H}}_1\). Thus, the function hiding property of IPFE preserves the indistinguishability between the hybrids \({\textsf {H}}_1\) and \({\textsf {H}}_2\).

Note that, in this hybrid we pick \(\varvec{\alpha }_q, \varvec{\beta }_{q, t}, {\varvec{s}} \leftarrow {\mathbb {Z}}_p^k\) and \({\varvec{r}}_{q, t}^{(\iota )} \leftarrow {\mathbb {Z}}_p^{m_q}\) for all \(t \in [n^{\prime }], \iota \in [k]\) satisfying \(\sum _{t \in [n^{\prime }]}\varvec{\beta }_{q, t}[\iota ] = 0 \mod p\) for each \(\iota \in [k]\). Then, the linearity of the Garble algorithm allows us to write

$$\begin{aligned} (\overline{\varvec{\ell }}_{q, 1, t}, \ldots , \overline{\varvec{\ell }}_{q, m_q, t}, \overline{\varvec{\ell }}_{q, m_q+1, t}) \leftarrow {\textsf {Garble}}({\overline{\alpha }}_q {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + {\overline{\beta }}_{q, t}; \overline{{\varvec{r}}}_{q, t}) \end{aligned}$$

where \(\overline{\varvec{\ell }}_{q, j, t} = \sum _{\iota \in [k]} {\varvec{s}}[\iota ] \varvec{\ell }^{(\iota )}_{q, j, t}, \overline{{\varvec{r}}}_{q, t} = \sum _{\iota \in [k]} {\varvec{s}}[\iota ] {\varvec{r}}^{(\iota )}_{q, t}\) and \({\overline{\beta }}_{q, t} = {\varvec{\beta }_{q, t}} \cdot {{\varvec{s}}}\).

Hybrid \({\textsf {H}}_3\) It is analogous to \({\textsf {H}}_2\) except that the linear combinations \({\overline{\alpha }}_q, \overline{\varvec{\ell }}_{q, j, t}, \overline{{\varvec{r}}}_{q, t}\) in the private slots of the vectors \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}, {\varvec{v}}_{q, m_q+1, t}\) are replaced with freshly and independently generated random values and garblings \({\widetilde{\alpha }}_q, \widetilde{\varvec{\ell }}_{q, j, t}, \widetilde{{\varvec{r}}}_{q, t}\). More specifically, we sample random elements \({\widetilde{\alpha }}_q, {\widetilde{\beta }}_{q, t} \leftarrow {\mathbb {Z}}_p\) for all \(t \in [n^{\prime }]\) such that \(\sum _{t \in [n^{\prime }]} {\widetilde{\beta }}_{q, t} = 0 \mod p\) and a vector \(\widetilde{{\varvec{r}}}_{q, t} \leftarrow {\mathbb {Z}}_p^{m_q}\). Then, the garblings are computed as

$$\begin{aligned} (\widetilde{\varvec{\ell }}_{q, 1, t}, \ldots , \widetilde{\varvec{\ell }}_{q, m_q, t}, \widetilde{\varvec{\ell }}_{q, m_q+1, t}) \leftarrow {\textsf {Garble}}(\widetilde{\alpha }_q {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + {\widetilde{\beta }}_{q, t}; \widetilde{{\varvec{r}}}_{q, t}) \end{aligned}$$

for all \(t \in [n^{\prime }]\). The vectors involved in \({\textsf{SK}}_{f_q}\) are modified as follows:

Recall that \({\textsf {H}}_2\) uses the following linear combinations

$$\begin{aligned} {\overline{\alpha }}_q = {\varvec{\alpha }_q} \cdot {{\varvec{s}}},~~ {\overline{\beta }}_{q, t} = {\varvec{\beta }_{q, t}} \cdot {{\varvec{s}}},~~ \overline{{\varvec{r}}}_{q, t} = \sum _{\iota \in [k]} {\varvec{s}}[\iota ] {\varvec{r}}^{(\iota )}_{q, t} \end{aligned}$$

where a common weight vector \({\varvec{s}}\) has been used to set \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}\). On the other hand, in \({\textsf {H}}_3\), fresh and independent random elements \({\widetilde{\alpha }}_q, {\widetilde{\beta }}_{q, t}, \widetilde{{\varvec{r}}}_{q, t}\) are used to compute \({\textsf{SK}}_{f_q}\). Note that the elements of the vectors \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}\) are only used in the exponent of the source group \({\mathbb {G}}_2\) while generating the IPFE secret-keys. Let us consider the matrix \({\textbf{A}}_{q, t} = (\varvec{\alpha }_q ~ \Vert ~\varvec{\beta }_{q, t} ~ \Vert ~({\textbf{R}}_{q, t})^{\top }) \in {\mathbb {Z}}_p^{k \times (m_q+2)}\) where \({\textbf{R}}_{q, t} = ({\varvec{r}}^{(1)}_{q, t} ~ \Vert ~\ldots ~ \Vert ~{\varvec{r}}^{(k)}_{q, t}) \in {\mathbb {Z}}_p^{m_q \times k}\). Since the matrix \({\textbf{A}}_{q, t}\) is uniformly chosen from \({\mathbb {Z}}_p^{k \times (m_q+2)}\) and \({\varvec{s}}\) is uniform over \({\mathbb {Z}}_p^k\), by the \({\textsf{MDDH}}_{k}\) assumption in group \({\mathbb {G}}_2\) we have

$$\begin{aligned} (\underbrace{[\![{\textbf{A}}_{q, t}]\!]_2, [\![{\varvec{s}}^\top {\textbf{A}}_{q, t}]\!]_2}_{\text { in } {\textsf {H}}_2}) {\mathop {\approx }\limits ^{c}} (\underbrace{[\![{\textbf{A}}_{q, t}]\!]_2, [\![({\widetilde{\alpha }}_q, {\widetilde{\beta }}_{q, t}, \widetilde{{\varvec{r}}}_{q, t})]\!]_2}_{\text { in } {\textsf {H}}_3}) \end{aligned}$$

holds for all \(q \in [Q]\) and \(t \in [n^{\prime }]\). Hence, the two hybrids \({\textsf {H}}_2\) and \({\textsf {H}}_3\) are indistinguishable under the \({\textsf{MDDH}}_{k}\) assumption with \(k < m_q+2\).

Hybrid \({\textsf {H}}_4\) It is exactly the same as hybrid \({\textsf {H}}_3\) except we change the way the vectors \({\varvec{h}}_t\) for all \(t \in [n^{\prime }]\) are computed while producing the challenge ciphertext. After all the pre-challenge secret-key queries made by \({\mathcal {A}}\), a dummy vector \({\varvec{d}}\) is picked from the set

$$\begin{aligned} D = \{{\varvec{d}} \in {\mathbb {Z}}_p^{n^{\prime }}: f_q({\varvec{x}}^*)^{\top }{\varvec{d}} = f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* \text { for all } q \in [Q_{{\textsf {pre}}}]\} \end{aligned}$$

via an efficient algorithm proposed in [59], and then the vectors \({\varvec{u}}, {\varvec{h}}_t\) associated with the ciphertext are defined as below.

Note that these changes in \({\varvec{h}}_t\) have no effect on the final inner product between \({\varvec{v}}_{q, m_q+1, t}\) and \({\varvec{h}}_t\), since the slots (\(\widehat{{\textsf {const}}}_2, \widehat{{\textsf {coef}}}_2, \widehat{{\textsf {const}}}, \widehat{{\textsf {coef}}}\)) where the changes take place in \({\varvec{h}}_t\) correspond to zero entries in \({\varvec{v}}_{q, m_q+1, t}\). Therefore, by the function hiding property of IPFE, the hybrids \({\textsf {H}}_3\) and \({\textsf {H}}_4\) remain indistinguishable to the adversary.
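One way to draw \({\varvec{d}}\) from \(D\), as an added example rather than code from the paper or the algorithm of [59]: plain Gaussian elimination over \({\mathbb {Z}}_p\), which needs only the values \(f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^*\) and not \({\varvec{z}}^*\) itself. The names `sample_dummy` and `matvec`, the modulus `P` and the sample rows are assumptions made for the illustration.

```python
import secrets

P = 2**61 - 1  # constructed prime standing in for the group order p


def matvec(F, d, p=P):
    """Row-by-row inner products F d mod p."""
    return [sum(a * b for a, b in zip(row, d)) % p for row in F]


def sample_dummy(F, c, p=P):
    """Uniform d in Z_p^{n'} with F d = c (mod p); None if no such d exists.

    Row q of F is f_q(x*) and c[q] is f_q(x*)^T z* for the pre-challenge queries.
    """
    rows, n = len(F), len(F[0])
    M = [[v % p for v in row] + [cq % p] for row, cq in zip(F, c)]  # augmented matrix
    pivots, r = [], 0  # pivots[i] is the pivot column of row i
    for col in range(n):
        if r == rows:
            break
        pr = next((i for i in range(r, rows) if M[i][col]), None)
        if pr is None:
            continue  # no pivot here: column stays a free coordinate
        M[r], M[pr] = M[pr], M[r]
        inv = pow(M[r][col], -1, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(rows):
            if i != r and M[i][col]:
                fac = M[i][col]
                M[i] = [(a - fac * b) % p for a, b in zip(M[i], M[r])]
        pivots.append(col)
        r += 1
    # A remaining all-zero row with a non-zero right-hand side means D is empty.
    if any(M[i][n] for i in range(r, rows)):
        return None
    d = [secrets.randbelow(p) for _ in range(n)]  # free coordinates are uniform
    for i, col in enumerate(pivots):
        # In reduced form the other pivot columns of row i are zero, so only
        # the free coordinates contribute to this sum.
        rest = sum(M[i][j] * d[j] for j in range(n) if j != col)
        d[col] = (M[i][n] - rest) % p
    return d


# Constructed sample: Q_pre = 2 queries, n' = 3.
F_PRE = [[48, 18, 49], [1, 2, 3]]   # rows f_q(x*)
Z_STAR = [3, 1, 4]                  # used only to produce the revealed values
REVEALED = matvec(F_PRE, Z_STAR)    # f_q(x*)^T z* for each q
```

Fixing the free coordinates uniformly and solving for the pivot coordinates gives a uniform element of the affine solution set, so every pre-challenge key decrypts to the same value under \({\varvec{d}}\) as under \({\varvec{z}}^*\).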

From the next hybrid we will modify the pre-challenge secret-key queries and the challenge ciphertext so that the decryption results become \(f_q({\varvec{x}}^*)^{\top }{\varvec{d}}\) for all \(q \in [Q_{{\textsf{pre}}}]\) for some vector \({\varvec{d}} \in {\mathbb {Z}}_p^{n^{\prime }}\). Note that, \({\varvec{d}}\) is a dummy vector which is sampled from \({\mathbb {Z}}_p^{n^{\prime }}\) such that \(f_q({\varvec{x}}^*)^{\top }{\varvec{d}} = f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^*\) for all \(q \in [Q_{{\textsf {pre}}}]\). This is done through a loop of hybrids described below.

Hybrid \({\textsf {H}}_{5, q}\) (\(q \in [Q_{{\textsf {pre}}}]\)) It proceeds similarly to \({\textsf {H}}_4\) except that for each \(1 \le q^{\prime } \le q\), we modify the vector \({\varvec{v}}_{q, m_q+1, t}\) as described below.

Note that, the post-challenge secret-key queries are still answered according to \({\textsf {H}}_4\). Observe that \({{\textsf{H}}}_{5,0}\) coincides with \({{\textsf{H}}}_4\). We will prove that \({{\textsf{H}}}_{5, (q-1)}\) and \({{\textsf{H}}}_{5,q}\) are indistinguishable via the following sequence of sub-hybrids, namely \(\{{{\textsf{H}}}_{5,q,1}, {{\textsf{H}}}_{5,q,2}, {{\textsf{H}}}_{5,q,3}\}\).

Hybrid \({\textsf {H}}_{5, q, 1}\) (\(q \in [Q_{{\textsf {pre}}}]\)) It is analogous to \({\textsf {H}}_{5, (q-1)}\) except that in the q-th secret-key query the vector \({\varvec{v}}_{q, m_q+1, t}\) is modified as follows.

We observe that this change in \({\varvec{v}}_{q, m_q+1, t}\) has no effect on the inner product \({{\varvec{v}}_{q, m_q+1, t}} \cdot {{\varvec{h}}_t}\) for all \(t \in [n^{\prime }]\). Therefore, the function hiding security of IPFE ensures that the hybrids \({\textsf {H}}_{5, (q-1)}\) and \({\textsf {H}}_{5, q, 1}\) are indistinguishable.

In this hybrid, the positions of \({\varvec{v}}_{q, j, t}|_{S_{{\textsf {priv}}}}\) and \({\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {const}}}], {\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {coef}}}], {\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {sim}}}], {\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {sim}}}^*]\) are exactly the same as in the secret-key of our 1-FE scheme. Similarly, in the case of the challenge ciphertext, the positions of \({\varvec{u}}|_{S_{{\textsf {priv}}}}\) and \({\varvec{h}}_{ t}[\widehat{{\textsf {const}}}], {\varvec{h}}_{t}[\widehat{{\textsf {coef}}}], {\varvec{h}}_{ t}[\widehat{{\textsf {sim}}}], {\varvec{h}}_{t}[\widehat{{\textsf {sim}}}^*]\) are also identical to the ciphertext of our 1-FE scheme.

Hybrid \({\textsf {H}}_{5, q, 2}\) (\(q \in [Q_{{\textsf {pre}}}]\)) It is exactly the same as \({\textsf {H}}_{5, q, 1}\) except that the position \({\varvec{h}}_t[\widehat{{\textsf {coef}}}]\) is changed from \({\varvec{z}}^*[t]\) to \({\varvec{d}}[t]\) as shown below.

All the secret-keys are answered as in the previous hybrid. The indistinguishability follows from the security of our 1-FE scheme. We note that the security of our 1-FE relies on the function hiding security of IPFE and the security of AKGS. In particular, we use the security of IPFE and AKGS to reversely sample the first label and make all the other labels random as shown below

$$\begin{aligned} \widetilde{\ell }_{q, 1, 1}&\leftarrow {\textsf {RevSamp}}(f_{q, 1}, {\varvec{x}}^*, \widetilde{\alpha }_q f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* + \widetilde{\beta }_{q, 1}, \ell _{2, 1}, \ldots , \ell _{m_q+1, 1})\\ \widetilde{\ell }_{q, 1, \tau }&\leftarrow {\textsf {RevSamp}}(f_{q, \tau }, {\varvec{x}}^*, \widetilde{\beta }_{q, \tau }, \ell _{2, \tau }, \ldots , \ell _{m_q+1, \tau }) ~~~\text { for } 1 < \tau \le n^{\prime }, \end{aligned}$$

where \(\sum _{\tau \in [n^{\prime }]} \widetilde{\beta }_{q, \tau } = 0 \). Then, the dummy vector \({\varvec{d}}\) replaces \({\varvec{z}}^*\) while computing \(\widetilde{\ell }_{q, 1, 1}\) and \({\varvec{d}}[t]\) is placed at \({\varvec{h}}_t[\widehat{{\textsf {coef}}}]\). Finally, we move in the reverse direction so that the vectors \({\varvec{v}}_{q, j, t}\) for all \(j \in [m_q]\) and \(t \in [n^{\prime }]\) are back in the form they had in \({\textsf {H}}_{5, q, 1}\). Note that the hybrids involved in our 1-FE scheme use the positions \({\textsf {sim}}_{\tau }, {\textsf {sim}}_{\tau }^*, \widehat{{\textsf {sim}}}, \widehat{{\textsf {sim}}}^*\) of the vectors \({\varvec{v}}_{q, j, t}, {\varvec{u}}\) and \({\varvec{h}}_t\), which does not affect the decryption using any post-challenge secret-key.

Hybrid \({\textsf {H}}_{5, q, 3}\) (\(q \in [Q_{{\textsf {pre}}}]\)) It proceeds analogously to \({\textsf {H}}_{5, q, 2}\) except that we change \({\varvec{v}}_{q, m_q+1, t}\) and \({\varvec{h}}_t\) as below.

Note that the inner product \({{\varvec{v}}_{q, m_q+1, t}} \cdot {{\varvec{h}}_{t}}\) remains the same as in \({\textsf {H}}_{5, q, 2}\). Therefore, the hybrids \({\textsf {H}}_{5, q, 2}\) and \({\textsf {H}}_{5, q, 3}\) are indistinguishable due to the function hiding security of IPFE. We observe that \({\textsf {H}}_{5, q, 3}\) is identical to \({\textsf {H}}_{5, q}\) for all \(q \in [Q_{{\textsf {pre}}}]\).

Hybrid \({\textsf {H}}_6\) It is exactly the same as \({\textsf {H}}_{5, Q_{{\textsf {pre}}}}\) except that the positions \({\varvec{h}}_t[\widehat{{\textsf {const}}}]\) and \({\varvec{h}}_t[\widehat{{\textsf {coef}}}]\) are set to zero. We describe the vectors associated with the pre-ciphertext secret-key queries and the challenge ciphertext below. Note that the post-challenge secret-key queries are answered in the same way as in \({\textsf {H}}_4\) (or in \({\textsf {H}}_{5, Q_{{\textsf {pre}}}}\)).

Since the inner product \({{\varvec{v}}_{q, m_q+1, t}} \cdot {{\varvec{h}}_{t}}\) for all \(q \in [Q], t \in [n^{\prime }]\) is unaltered with this change, the function hiding security of IPFE ensures indistinguishability between the hybrids \({\textsf {H}}_{5, Q_{{\textsf {pre}}}}\) and \({\textsf {H}}_6\).

Hybrid \({\textsf {H}}_7\) This hybrid proceeds exactly as \({\textsf {H}}_{6}\) except that we use the honest labels \({\widetilde{\ell }}_{q, j, t} = \widetilde{\varvec{\ell }}_{q, j, t}({\varvec{x}}^*)\) for \(j \in [m_q]\) and \({\widetilde{\ell }}_{q, m_q+1, t} = {\widetilde{\alpha }}_q {\varvec{z}}^*[t] -\widetilde{{\varvec{r}}}_{q, t}[m_q]\) at the index \({\textsf {const}}\) of the vectors \({\varvec{v}}_{q, j, t}\) in all the post-challenge secret-key queries. Moreover, all the other private positions of \({\varvec{v}}_{q, j, t}\) are set to zero for all \(j \in [m_q]\). We also modify \({\varvec{h}}_t\) of the challenge ciphertext as shown below.

Since the inner products \({{\varvec{v}}_{q, j, t}} \cdot {{\varvec{u}}}, {{\varvec{v}}_{q, m_q+1, t}} \cdot {{\varvec{h}}_t}\) give the same result as in the previous hybrid, the function hiding property of IPFE ensures that the hybrids \({\textsf {H}}_6\) and \({\textsf {H}}_7\) are indistinguishable.

Hybrid \({\textsf {H}}_8\) This hybrid proceeds analogously to \({\textsf {H}}_{7}\) except that in the post-challenge secret-key queries we use the simulated garblings instead of the honest garblings. More specifically, we sample \({\widetilde{\alpha }}_q, \widetilde{\beta }_{q, t} \leftarrow {\mathbb {Z}}_p\) satisfying \(\sum _{t\in [n^{\prime }]} \widetilde{\beta }_{q, t} = 0\) and compute the simulated garblings

$$\begin{aligned} ({\widehat{\ell }}_{q, 1, t}, \ldots , {\widehat{\ell }}_{q, m_q, t}, {\widehat{\ell }}_{q, m_q+1, t})&\leftarrow {\textsf {SimGarble}}(f_{q, t}, {\varvec{x}}^*, \widetilde{\alpha }_q \cdot {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + \widetilde{\beta }_{q, t}) \end{aligned}$$

for all \(q \in [Q_{{\textsf {pre}}}+1, Q]\) and \(t \in [n^{\prime }]\). Then, the post-challenge secret-keys are generated using the vectors given below.

The simulated labels of AKGS are used in place of actual garblings. The simulation security of AKGS implies that the hybrids \({\textsf {H}}_{7}\) and \({\textsf {H}}_8\) are indistinguishable.

Hybrid \({\textsf {H}}_9\) This is exactly the same as \({\textsf {H}}_8\) except that the distribution of \(\{\widetilde{\beta }_{q, t}\}_{t \in [n^{\prime }]}\) is changed. We replace \(\widetilde{\beta }_{q, t}\) by \(\widetilde{\beta }_{q, t}^{\prime } = \widetilde{\beta }_{q, t} - \widetilde{\alpha }_q \cdot {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*)\) for all \(1 < t \le n^{\prime }\) and replace the element \(\widetilde{\beta }_{q, 1}\) by \(\widetilde{\beta }_{q, 1}^{\prime } = \widetilde{\beta }_{q, 1} - \widetilde{\alpha }_q \cdot {\varvec{z}}^*[t] f_{q, 1}({\varvec{x}}^*) + \widetilde{\alpha }_q \cdot f_q({\varvec{x}}^*)^{\top } {\varvec{z}}^*\). Note that, the distributions

$$\begin{aligned} \{\widetilde{\beta }_{ q, t} \leftarrow {\mathbb {Z}}_p : \sum _{t \in [n^{\prime }]} \widetilde{\beta }_{q, t} = 0\} \text { and } \{\widetilde{\beta }^{\prime }_{q, t}: \sum _{t \in [n^{\prime }]} \widetilde{\beta }_{q, t} = 0 \} \end{aligned}$$

are statistically close since \(\{\widetilde{\beta }^{\prime }_{q, t}\}_{t \in [n^{\prime }]}\) are also uniform over \({\mathbb {Z}}_p\) and \(\sum _{t \in [n^{\prime }]} \widetilde{\beta }^{\prime }_{q, t} = 0\). Finally, the vectors associated to the post-challenge secret-keys are given by

where the simulated garblings take the form

Observe that \({\textsf {H}}_9\) is the same as the ideal experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {FE, Ideal}}}(1^{\lambda })\). This completes the security analysis. \(\square \)

5 One-slot extended FE for attribute-weighted sums designed for achieving unbounded-slot FE for attribute-weighted sums

5.1 Secret key 1-key 1-ciphertext secure one-slot extended FE

In this section, we present a private-key one-slot FE scheme for an extended attribute-weighted sum functionality that is proven simulation secure against a single ciphertext query and a single secret key query either before or after the ciphertext query. This scheme will be embedded into the hidden subspaces of the public-key multi-key FE scheme for the same functionality presented in the next section in its security proof. We describe the construction for any fixed value of the security parameter \(\lambda \) and suppress the appearance of \(\lambda \) for simplicity of notations. Let \(({\textsf{Garble}}, {\textsf{Eval}})\) be a special piecewise secure AKGS for a function class \({\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })}\), \({{\textsf{G}}}=({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e)\) a tuple of pairing groups of prime order p, and \(({\textsf{IPFE}}.{\textsf{Setup}}, {\textsf{IPFE}}.{\textsf{KeyGen}}, {\textsf{IPFE}}.{\textsf{Enc}}, {\textsf{IPFE}}.{\textsf{Dec}})\) a secret-key function-hiding \({\textsf{SK}}\text {-}{\textsf{IPFE}}\) based on \({{\textsf{G}}}\).

Setup(\({\varvec{1}}^{{\varvec{\lambda }}}, {\varvec{1}}^{{\varvec{n}}}, {\varvec{1}}^{{\varvec{n}}^{{\varvec{\prime }}}}\)) It defines the following index sets

$$\begin{aligned} S_{{\textsf {1-extFE}}} = \left\{ {\textsf {const}}, \{{\textsf {coef}}_{i}\}_{i \in [n]}, \{{\textsf {extnd}}_{\kappa }\}_{\kappa \in [k]}, {\textsf {query}}, \{{\textsf {sim}}_{\tau }, {\textsf {sim}}_{\tau }^* \}_{\tau \in [n^{\prime }]}\right\} ,\\ {{\widehat{S}}}_{{\textsf {1-extFE}}} = \{\widehat{{\textsf {const}}}, \widehat{{\textsf {coef}}}, \widehat{{\textsf {sim}}^*}\} \end{aligned}$$

It generates two IPFE master secret-keys \({\textsf{IPFE}}.{\textsf{MSK}}\leftarrow {\textsf {SK-IPFE.Setup}}(S_{{\textsf {1-extFE}}})\) and \(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}} \leftarrow {\textsf {SK-IPFE.Setup}}({{\widehat{S}}}_{{\textsf {1-extFE}}})\). Finally, it returns \({\textsf{MSK}}= ({\textsf{IPFE}}.{\textsf{MSK}}, \widehat{{\textsf{IPFE}}.{\textsf{MSK}}})\).

KeyGen(\({\textsf{MSK}}, (f, {\varvec{y}})\)) Let \(f = (f_1, \ldots , f_{n^{\prime }}) \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })}\) and \({\varvec{y}} \in {\mathbb {Z}}_p^k\). It samples integers \(\nu _t,\beta _t \leftarrow {\mathbb {Z}}_p\) for \(t \in [n^{\prime }]\) such that

$$\begin{aligned} \sum _{t \in [n^{\prime }]}\nu _t = 1 \text { and } \sum _{t \in [n^{\prime }]} \beta _t = 0 ~~ \text { modulo }p. \end{aligned}$$

Next, it samples independent random vectors \({\varvec{r}}_t \leftarrow {\mathbb {Z}}_p^{m}\) for garbling and computes the coefficient vectors

$$\begin{aligned} ({\varvec{\ell }}_{1, t}, \ldots , {\varvec{\ell }}_{m, t}, {\varvec{\ell }}_{m+1,t}) \leftarrow {\textsf {Garble}}({\varvec{z}}[t] f_t({\varvec{x}}) + \beta _t; {\varvec{r}}_t) \end{aligned}$$

for each \(t \in [n^{\prime }]\). Here we make use of the instantiation of the AKGS described in Sect. 3.6. From the description of that AKGS instantiation, we note that the \((m+1)\)-th label function \({\varvec{\ell }}_{m+1, t}\) would be of the form \({\varvec{\ell }}_{m+1,t}={\varvec{z}}[t]-{\varvec{r}}_t[m]\). Also all the label functions \({\varvec{\ell }}_{1,t},\ldots ,{\varvec{\ell }}_{m,t} \) involve only the variables \({\varvec{x}}\) and not the variable \({\varvec{z}}[t]\). Next, for all \(j \in [m]\) and \(t \in [n^{\prime }]\), it defines the vectors \({\varvec{v}}_{j, t}\) corresponding to the label functions \({\varvec{\ell }}_{j,t}\) obtained from the partial garbling above and the vector \({\varvec{y}}\) as

$$\begin{array}{|c|c|c|c|c|c|c|} \hline \text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {extnd}}_{\kappa } & {\textsf {query}} & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\ \hline {\varvec{v}}_{1, t} & {\varvec{\ell }}_{1, t}[{\textsf {const}}] & {\varvec{\ell }}_{1, t}[{\textsf {coef}}_i] & {\varvec{y}}[\kappa ]\nu _t & 0 & 0 & 0 \\ \hline {\varvec{v}}_{j, t} & {\varvec{\ell }}_{j, t}[{\textsf {const}}] & {\varvec{\ell }}_{j, t}[{\textsf {coef}}_i] & 0 & 0 & 0 & 0 \\ \hline \end{array}$$

It also sets the vectors \({\varvec{v}}_{m+1, t}\) for \(t \in [n^{\prime }]\) corresponding to the \((m+1)\)-th label function \({\varvec{\ell }}_{m+1,t}\) as

$$\begin{array}{|c|c|c|c|} \hline \text {vector} & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}^*} \\ \hline {\varvec{v}}_{m+1, t} & {\varvec{r}}_{t}[m] & 1 & 0 \\ \hline \end{array}$$

Now, it uses the key generation algorithm of IPFE to generate the secret-keys

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{SK}}_{j, t}&\leftarrow {\textsf {SK-IPFE.KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_{j, t}]\!]_2){} & {} \text { for } j \in [m], t \in [n^{\prime }]\\ \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}&\leftarrow {\textsf {SK-IPFE.KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{v}}_{m+1, t}]\!]_2){} & {} \text { for } t \in [n^{\prime }] \end{aligned}$$

It returns the secret-key \({\textsf{SK}}_{f, {\varvec{y}}} = (\{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]})\).

Remark

We note that the key-generation process can be performed if the vector \({\varvec{y}}\) is not given in the clear, but \([\![{\varvec{y}}]\!]_2 \in {\mathbb {G}}_2^{k}\) is known. This is because while running the \({\mathsf {IPFE.KeyGen}}\) algorithm above, the vectors \({\varvec{v}}_{j,t}\) are not inputted in the clear but in the exponent of the group \({\mathbb {G}}_2\). This fact will be used in the security analysis of our unbounded FE scheme.

It sets the following vectors:

$$\begin{array}{|c|c|c|c|c|c|c|} \hline \text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {extnd}}_{\kappa } & {\textsf {query}} & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\ \hline {\varvec{u}} & 1 & {\varvec{x}}[i] & {\varvec{w}}[\kappa ] & 0 & 0 & 0 \\ \hline \end{array}$$

$$\begin{array}{|c|c|c|c|} \hline \text {vector} & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}^*} \\ \hline {\varvec{h}}_{t} & -1 & {\varvec{z}}[t] & 0 \\ \hline \end{array}$$

for all \(t \in [n^{\prime }]\). Then, it encrypts the vectors using IPFE and obtains the ciphertexts

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{CT}}&\leftarrow {\textsf {SK-IPFE.Enc}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{u}}]\!]_1) \\ \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t&\leftarrow {\textsf {SK-IPFE.Enc}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{h}}_t]\!]_1)~~~~ \text { for } t \in [n^{\prime }] \end{aligned}$$

Finally, it returns the ciphertext as \({\textsf{CT}}_{{\varvec{x}}, {\varvec{z}}||{\varvec{w}}} = ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\).

Dec() It parses \({\textsf{SK}}_{f, {\varvec{y}}} = (\{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]})\) and \({\textsf{CT}}_{{\varvec{x}}, {\varvec{z}}||{\varvec{w}}} = ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\). It uses the decryption algorithm of SK-IPFE to compute

$$\begin{aligned}{}[\![\ell _{1, t}+\psi _t]\!]_T&\leftarrow {\textsf {SK-IPFE.Dec}}({\textsf{IPFE}}.{\textsf{SK}}_{1, t}, {\textsf{IPFE}}.{\textsf{CT}}){} & {} \text { for } t \in [n^{\prime }]\\ [\![\ell _{j, t}]\!]_T&\leftarrow {\textsf {SK-IPFE.Dec}}({\textsf{IPFE}}.{\textsf{SK}}_{j, t}, {\textsf{IPFE}}.{\textsf{CT}}){} & {} \text { for } j \in [2, m], t \in [n^{\prime }]\\ [\![\ell _{m+1, t}]\!]_T&\leftarrow {\textsf {SK-IPFE.Dec}}(\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}, \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t){} & {} \text { for } t \in [n^{\prime }] \end{aligned}$$

where \(\psi _t = \nu _t \cdot {\varvec{y}}^\top {\varvec{w}}\). Next, it utilizes the evaluation procedure of AKGS and returns the combined value

$$\begin{aligned}{}[\![\rho ]\!]_T = \prod _{t \in [n^{\prime }]} {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t} + \psi _t]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T). \end{aligned}$$

Correctness From the correctness of IPFE, we have SK-IPFE.Dec(\({\textsf{IPFE}}.{\textsf{SK}}_{1, t}, {\textsf{IPFE}}.{\textsf{CT}}\)) = \([\![\ell _{1, t} + \psi _t]\!]_T\) where \(\psi _t = \nu _t\cdot {\varvec{y}}^{\top }{\varvec{w}}\). Next, using the correctness of IPFE and AKGS evaluation, we get

$$\begin{aligned}&{\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t} + \psi _t]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T) \\&\quad = {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t}]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T) + {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\psi _t]\!]_T, [\![0]\!]_T, \ldots , [\![0]\!]_T) \\&\quad = [\![{\varvec{z}}[t]f_t({\varvec{x}}) + \beta _t + \nu _t\cdot {\varvec{y}}^{\top }{\varvec{w}}]\!]_T \end{aligned}$$

The first equality follows from the linearity of the Eval function. Now, multiplying all the evaluated values we have

$$\begin{aligned}{}[\![\rho ]\!]_T&= \prod _{t \in [n^{\prime }]} {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t} + \psi _t]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T)\\&= [\![\sum _{t = 1}^{n^{\prime }} ({\varvec{z}}[t]f_t({\varvec{x}}) + \nu _t \cdot {\varvec{y}}^{\top }{\varvec{w}} + \beta _t)]\!]_T \\&= [\![f({\varvec{x}})^{\top }{\varvec{z}} + {\varvec{y}}^{\top }{\varvec{w}}]\!]_T \end{aligned}$$

The last equality is obtained from the fact that \( \sum _{t\in [n^{\prime }]} \nu _t = 1\) and \(\sum _{t \in [n^{\prime }]} \beta _t= 0\).

5.1.1 Security analysis

Theorem 4

The 1-extFE scheme for attribute-weighted sum is 1-key, 1-ciphertext simulation-secure as per Definition 4 assuming the AKGS is piecewise secure as per Definition 7 and the IPFE is function hiding as per Definition 5.

As in the case of our 1-key 1-ciphertext secure one-slot FE, here also we assume that the adversary queries the single secret key before the challenge ciphertext is sent. This is because we will use the security of the 1-key 1-ciphertext secure one-slot extFE in a particular hybrid of the security reduction of our one-slot extFE scheme (presented in Sect. 1) where we deal with a single pre-ciphertext secret key of the one-slot extFE. However, we emphasize that if we consider the single secret key query after the challenge phase then the security can also be proved using the security reduction of our one-slot extFE.

5.1.2 The simulator

We describe the simulator for the 1-extFE scheme. Let us assume that \((f, {\varvec{y}}) \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })} \times {\mathbb {Z}}_p^k\) is the only secret-key query made by the adversary before it sends the challenge vectors \(({\varvec{x}}^*, {\varvec{z}}^*||{\varvec{w}}^*) \in {\mathbb {Z}}_p^{n} \times {\mathbb {Z}}_p^{n^{\prime }+k}\). The algorithm \({\textsf {Setup}}^*(1^{\lambda }, 1^n, 1^{n^{\prime }})\) is exactly the same as \({\textsf {Setup}}(1^{\lambda }, 1^n, 1^{n^{\prime }})\), which outputs a master secret-key \({\textsf{MSK}}^* = ({\textsf{IPFE}}.{\textsf{MSK}}, \widehat{{\textsf{IPFE}}.{\textsf{MSK}}})\). The key generation procedure \({\textsf {KeyGen}}_0^*({\textsf{MSK}}^*, (f, {\varvec{y}}))\) of the simulator is similar to the original algorithm \({\textsf {KeyGen}}({\textsf{MSK}}^*, (f, {\varvec{y}}))\) except that \({\varvec{v}}_{1, t}[{\textsf {query}}] = \nu _t\). We describe the encryption process of the simulator, which uses the information \(\mu = f({\varvec{x}}^*)^{\top }{\varvec{z}}^* + {\varvec{y}}^{\top }{\varvec{w}}^*\).

On input \({\textsf{MSK}}^*\), a vector \({\varvec{x}}^* \in {\mathbb {Z}}_p^n\), the tuple \((f, {\varvec{y}}) \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })} \times {\mathbb {Z}}_p^k\) and an integer \(\mu \in {\mathbb {Z}}_p\) the simulator executes the following steps:

1. First, it picks two random vectors \({\varvec{d}}_1 \leftarrow {\mathbb {Z}}_p^{n^{\prime }}, {\varvec{d}}_2 \leftarrow {\mathbb {Z}}_p^k\) and sets \(\sigma = \mu - f({\varvec{x}}^*)^{\top }{\varvec{d}}_1 - {\varvec{y}}^{\top }{\varvec{d}}_2\).

2. Next, it sets the following vectors

$$\begin{array}{|c|c|c|c|c|c|c|} \hline \text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {extnd}}_{\kappa } & {\textsf {query}} & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\ \hline {\varvec{u}} & 1 & {\varvec{x}}^*[i] & {\varvec{d}}_2[\kappa ] & \sigma & 0 & 0 \\ \hline \end{array}$$

and

$$\begin{array}{|c|c|c|c|} \hline \text {vector} & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}^*} \\ \hline {\varvec{h}}_{t} & -1 & {\varvec{d}}_1[t] & 0 \\ \hline \end{array}$$

for all \(t \in [n^{\prime }]\).

3. Finally, it encrypts the vectors as

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{CT}}&\leftarrow {\textsf {SK-IPFE.Enc}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{u}}]\!]_1) \\ \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t&\leftarrow {\textsf {SK-IPFE.Enc}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{h}}_t]\!]_1)~~~~ \text { for } t \in [n^{\prime }] \end{aligned}$$

4. It returns the simulated ciphertext as \({\textsf{CT}}^* = ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\).

Fig. 3 Structure of the hybrid reduction proving Theorem 4

Remark

Observe that \({\textsf {Enc}}^*\) is designed in such a way that the simulator is also able to generate the ciphertext \({\textsf{CT}}^*\) even when it gets \([\![{\varvec{y}}]\!]_1, [\![\mu ]\!]_1\) instead of \({\varvec{y}}, \mu \) in the clear. In such a scenario, the simulator will obtain \([\![\sigma ]\!]_1 = [\![\mu ]\!]_1\cdot [\![{\varvec{y}}^{\top }{\varvec{d}}_2]\!]_1^{-1} \cdot [\![f({\varvec{x}}^*)^{\top }{\varvec{d}}_1 ]\!]^{-1}\) by sampling \({\varvec{d}}_1 \leftarrow {\mathbb {Z}}_p^{n^{\prime }}, {\varvec{d}}_2 \leftarrow {\mathbb {Z}}_p^k\). Hence, it can define \([\![{\varvec{u}}]\!]_1\) and \([\![{\varvec{h}}_t]\!]_1\) as above before applying the encryption process of IPFE. This procedure is indeed required for the security analysis of our unbounded FE construction.

5.1.3 Hybrids and reductions

Proof

We employ a sequence of hybrid experiments to demonstrate the indistinguishability between the real experiment \({\textsf {Expt}}_{ {\mathcal {A}}}^{{\textsf {Real}}, {\textsf {1-extFE}}}(1^{\lambda })\) and the ideal experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Ideal}}, {\textsf {1-extFE}}}(1^{\lambda })\) where \({\mathcal {A}}\) is any PPT adversary. We assume that in each experiment, \({\mathcal {A}}\) queries the single secret-key query for a pair \((f, {\varvec{y}}) \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })} \times {\mathbb {Z}}_p^k\) before submitting the challenge message \(({\varvec{x}}^*, {\varvec{z}}^*||{\varvec{w}}^*) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }+k}\). The overall hybrid reduction is shown in Fig. 3.

Hybrid This is the real experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Real}}, {\textsf {1-extFE}}}(1^{\lambda })\) where the secret-key \({\textsf{SK}}_{f, {\varvec{y}}} = (\{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]})\) such that \({\textsf{IPFE}}.{\textsf{SK}}_{j, t} \leftarrow {\textsf {SK-IPFE.KeyGen}}({\textsf{IPFE}}.\)\({\textsf{MSK}}, [\![{\varvec{v}}_{j, t}]\!]_2)\) for \(j \in [m], t \in [n^{\prime }]\) and \(\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t} \leftarrow {\textsf {SK-IPFE.KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}},\) \([\![{\varvec{v}}_{m+1, t}]\!]_2)\) for \(t \in [n^{\prime }]\) where the vectors \({\varvec{v}}_{j, t}, {\varvec{v}}_{m+1,t}\) are given as follows:

for \(j \in [m]\), \(t \in [n^{\prime }]\) and \({\varvec{r}}_t \leftarrow {\mathbb {Z}}_p^{m}\). Note that \(\{\nu _t\}_{t\in [n^{\prime }]} \leftarrow {\mathbb {Z}}_p\) is such that \(\sum _{t \in [n^{\prime }]}\nu _t = 1\) modulo p. Then, the garblings are computed as

$$\begin{aligned} ({\varvec{\ell }}_{1, t}, \ldots , {\varvec{\ell }}_{m, t},{\varvec{\ell }}_{m+1,t}) \leftarrow {\textsf {Garble}}({\varvec{z}}^*[t] f_{t}({\varvec{x}}^*)+\beta _{t}; {\varvec{r}}_{t}) \end{aligned}$$

where \(\beta _{ t} \leftarrow {\mathbb {Z}}_p\) for all \(t \in [n^{\prime }]\) with \(\sum _{t \in [n^{\prime }]} \beta _{t} = 0 \) modulo p. The challenge ciphertext \({\textsf{CT}}^* = ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\) corresponding to the challenge message \(({\varvec{x}}^*, {\varvec{z}}^*||{\varvec{w}}^*) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }+k}\) is given by \({\textsf{IPFE}}.{\textsf{CT}}\leftarrow {\textsf {SK-IPFE.Enc}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{u}}]\!]_1)\) and \(\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t \leftarrow {\textsf {SK-IPFE.Enc}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{h}}_t]\!]_1)\) for \(t \in [n^{\prime }]\) where

for \(t\in [n^{\prime }]\). Note that the components of the vectors \({\varvec{u}}\) and \({\varvec{v}}_{j, t}\) are associated with the indices in \(S_{{\textsf {1-extFE}}}\), and the components of the vectors \({\varvec{h}}_t\) and \({\varvec{v}}_{m+1,t}\) are associated with the indices in \(\widehat{S}_{{\textsf {1-extFE}}}\).

Hybrid This hybrid is exactly the same as \({\textsf {H}}_0\) except that we directly hardwire the value \(\ell _{1, \tau } + \psi _\tau = {\varvec{\ell }}_{1, \tau }({\varvec{x}}^*) + \nu _\tau \cdot {\varvec{y}}^{\top }{\varvec{w}}\) into \({\varvec{u}}[{\textsf {sim}}_{\tau }]\) for all \(\tau \in [n^{\prime }]\) and remove the coefficient vector \({\varvec{\ell }}_{1, t}\) from \({\varvec{v}}_{1, t}\) for all \(t \in [n^{\prime }]\). We change the vectors \({\varvec{v}}_{1, t}\) in the secret-key and \({\varvec{u}}\) in the challenge ciphertext as follows:

We denote by \(\delta _{t\tau }\) the usual Kronecker delta function such that \(\delta _{t\tau }= 1\) if \(t = \tau \), and 0 otherwise. Note that the inner product \({{\varvec{v}}_{1, t}} \cdot {{\varvec{u}}} = \ell _{1, t} + \psi _t\), for all \(t \in [n^{\prime }]\), remains the same as in \({\textsf {H}}_0\). Therefore, the function hiding security of IPFE ensures the indistinguishability between the hybrids \({\textsf {H}}_0\) and \({\textsf {H}}_1\).

Hybrid This is analogous to \({\textsf {H}}_1\) except that instead of using the actual garbling value \(\ell _{1, \tau }\) at \({\varvec{u}}[{\textsf {sim}}_{\tau }]\), we now use \({\widetilde{\ell }}_{1, \tau }\) which is computed via reverse sampling algorithm of AKGS:

$$\begin{aligned} {\widetilde{\ell }}_{1, \tau } \leftarrow {\textsf {RevSamp}}(f_{\tau }, {\varvec{x}}^*, f_{\tau }({\varvec{x}}^*){\varvec{z}}^*[\tau ]+ \nu _\tau \cdot {\varvec{y}}^{\top }{\varvec{w}} + \beta _{\tau }, \ell _{2, \tau }, \ldots , \ell _{m+1, \tau }) \end{aligned}$$

where \(\ell _{j, \tau } = {\varvec{\ell }}_{j, \tau }({\varvec{x}}^*)\) for all \(j \in [2, m]\) and \(\ell _{m+1, \tau } = -{\varvec{r}}_\tau [m] + {\varvec{z}}^*[\tau ]\) for all \(\tau \in [n^{\prime }]\). Therefore, the vectors in the challenge ciphertext become

For each \(\tau \in [n^{\prime }]\), the piecewise security of AKGS guarantees that given the label functions \(({\varvec{\ell }}_{2, \tau }, \ldots , {\varvec{\ell }}_{m, \tau }, {\varvec{\ell }}_{m+1, \tau })\), the actual garbled label \(\ell _{1, \tau }\) and the reversely sampled value \({\widetilde{\ell }}_{1, \tau }\) are identically distributed. Hence, the hybrids \({\textsf {H}}_1\) and \({\textsf {H}}_2\) are indistinguishable by the reverse sampleability of AKGS.

Remark

Suppose in this hybrid instead of the vector \({\varvec{y}}\), the challenger only receives \([\![{\varvec{y}}]\!]_1\) from the adversary as part of its secret-key query. Then, it can also simulate the game by computing the vector \([\![{\varvec{u}}]\!]_1\) using the fact

$$\begin{aligned}&{\textsf {RevSamp}}(f_{\tau }, {\varvec{x}}^*, [\![\gamma _\tau ]\!]_1, [\![\ell _{2, \tau }]\!]_1, \ldots , [\![\ell _{m+1, \tau }]\!]_1) \\&\quad = [\![\gamma _\tau ]\!]_1 \cdot ([\![{{Eval}}(f_{\tau }, {\varvec{x}}^*, 0, \ell _{2, \tau }, \ldots , \ell _{m+1, \tau })]\!]_1)^{-1} \end{aligned}$$

with \(\gamma _\tau = f_{\tau }({\varvec{x}}^*){\varvec{z}}^*[\tau ]+ \nu _\tau \cdot {\varvec{y}}^{\top }{\varvec{w}} + \beta _{\tau }\). Although it is not necessary for this proof, we will need this formulation of RevSamp during the security analysis of our unbounded FE scheme.

Hybrid \(({\varvec{j}} \in [{\varvec{2,m}}])\) The hybrid proceeds similar to \({\textsf {H}}_2\) except that we change the secret-key as follows. For all \(j^{\prime }\) such that \(1< j^{\prime } < j\), the coefficient vector \({\varvec{\ell }}_{j, t}\) is taken away from \({\varvec{v}}_{j^{\prime }, t}\) and a random value \(\ell _{j^{\prime }, t}^{\prime } \leftarrow {\mathbb {Z}}_p\) is put into \({\varvec{v}}_{j^{\prime }, t}[{\textsf {const}}]\). We describe the vectors associated with the secret-key and the ciphertext below.

Note that, in this hybrid \(\widetilde{\ell }_{1, \tau }\) is reversely sampled using the random values \(\ell _{2, \tau }, \ldots , \ell _{j-1, \tau }\) (which are randomly chosen from \({\mathbb {Z}}_p\)) and the actual values \(\ell _{j, \tau }, \ldots , \ell _{m+1 ,\tau }\) for each \(\tau \in [n^{\prime }]\). Observe that \({{\textsf{H}}}_{3,1}\) coincides with \({{\textsf{H}}}_2\). We will show that for all \(j\in [2,m]\), the hybrids \({{\textsf{H}}}_{3, (j-1)}\) and \({{\textsf{H}}}_{3,j}\) are indistinguishable via the following sequence of sub-hybrids, namely, \(\{{{\textsf{H}}}_{3,j,1}, {{\textsf{H}}}_{3,j,2}, {{\textsf{H}}}_{3,j,3}\}_{j\in [2,m]}\).

Hybrid \(({\varvec{j}} \in [{\varvec{2,m}}])\) This is exactly the same as \({\textsf {H}}_{3, (j-1)}\) except that the coefficient vector \({\varvec{\ell }}_{j, t}\) is removed from \({\varvec{v}}_{j, t}\) and \({\varvec{v}}_{j, t}[{\textsf {sim}}_{\tau }^*]\) is set to \(\delta _{t\tau }\). The actual garbling value \(\ell _{j, \tau } = {\varvec{\ell }}_{j, \tau }({\varvec{x}}^*)\) is hardwired into \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\) to ensure the inner product \({{\varvec{v}}_{j, \tau }} \cdot {{\varvec{u}}}\) remains the same as in \({\textsf {H}}_{3, (j-1)}\). The changes in the vectors involved while computing the secret-key and the challenge ciphertext are given below.

The hybrids \({\textsf {H}}_{3, (j-1)}\) and \({\textsf {H}}_{3, j, 1}\) are indistinguishable by the function hiding security of IPFE since the inner product \({{\varvec{v}}_{j, \tau }} \cdot {{\varvec{u}}}\) for all \(\tau \in [n^{\prime }]\) remains the same as in \({\textsf {H}}_{3,(j-1)}\).

Hybrid \(({\varvec{j \in [2,m]}})\) It proceeds exactly the same as \({\textsf {H}}_{3, j, 1}\) except that the actual label \(\ell _{j, \tau }\) (sitting at \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\)) is replaced with a random value \(\ell _{j, \tau }^{\prime } \leftarrow {\mathbb {Z}}_p\). The vectors associated to the challenge ciphertext are given by

where \(\ell _{j, \tau }^{\prime }\) is randomly sampled from \({\mathbb {Z}}_p\). Now, the first label \(\widetilde{\ell }_{1, \tau }\) is reversely sampled using the random values \(\ell _{2, \tau }^{\prime }, \ldots , \ell _{j, \tau }^{\prime }\) and the actual labels \(\ell _{j+1, \tau } = {\varvec{\ell }}_{j+1,\tau }({\varvec{x}}^*), \ldots , \ell _{m,\tau }={\varvec{\ell }}_{m,\tau }({\varvec{x}}^*), \ell _{m+1, \tau } = -{\varvec{r}}_\tau [m] + {\varvec{z}}^*[\tau ]\). The marginal randomness property of AKGS implies that the hybrids \({\textsf {H}}_{3, j, 1}\) and \({\textsf {H}}_{3, j, 2}\) are identically distributed.

Hybrid \(({\varvec{j}} \in [{\varvec{2,m}}])\) The hybrid is analogous to \({\textsf {H}}_{3, j, 2}\) except that the random value \(\ell _{j, \tau }^{\prime }\) is shifted from the ciphertext component \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\) to the secret-key component \({\varvec{v}}_{j, t}[{\textsf {const}}]\). Also, the positions \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\) and \({\varvec{v}}_{j, t}[{\textsf {sim}}_{\tau }^*]\) are set to zero. Thus, the vectors in the secret-key and the challenge ciphertext become

Since the inner products \({{\varvec{v}}_{j, t}} \cdot {{\varvec{u}}}\) for all \(j, t\) remain the same as in \({\textsf {H}}_{3, j, 2}\), the indistinguishability between the hybrids \({\textsf {H}}_{3, j, 2}\) and \({\textsf {H}}_{3, j, 3}\) follows from the function hiding security of IPFE. We observe that the hybrid \({\textsf {H}}_{3, j, 3}\) is identical to \({\textsf {H}}_{3, j}\) for all \(j \in [2,m]\).

Hybrid It proceeds exactly the same as hybrid \({\textsf {H}}_{3, m}\) except that the actual garbling value \(\ell _{m+1, t} = -{\varvec{r}}_t[m] + {\varvec{z}}^*[t]\) is used in \({\varvec{h}}_t[\widehat{{\textsf {sim}}^*}]\). Also, \({\varvec{h}}_t[\widehat{{\textsf {coef}}}], {\varvec{v}}_{m+1,t}[\widehat{{\textsf {const}}}], {\varvec{v}}_{m+1,t}[\widehat{{\textsf {coef}}}]\) are set to zero. The changes are indicated below.

Since the inner products \({{\varvec{v}}_{m+1,t}} \cdot {{\varvec{h}}_t}\) for all \(t \in [n^{\prime }]\) are unaltered as in \({\textsf {H}}_4\), the indistinguishability between the hybrids \({\textsf {H}}_{3, m}\) and \({\textsf {H}}_4\) follows from the function hiding security of IPFE.

Hybrid It is analogous to \({\textsf {H}}_4\) except that the actual label \(\ell _{m+1, t}\) is now replaced with a random value \(\ell _{m+1, t}^{\prime } \leftarrow {\mathbb {Z}}_p\). The vectors associated with the challenge ciphertext are modified as follows.

Note that, in this hybrid the labels \(\widetilde{\ell }_{1, t}\) for \(t \in [n^{\prime }]\) are now reversely sampled using all random values \(\ell _{2, t}^{\prime }, \ldots , \ell _{m+1, t}^{\prime }\) which are randomly picked from \({\mathbb {Z}}_p\). By the marginal randomness property of AKGS, the hybrids \({\textsf {H}}_4\) and \({\textsf {H}}_5\) are identically distributed.

Hybrid This hybrid proceeds exactly the same as \({\textsf {H}}_5\) except that the simulated labels \(\ell _{m+1, t}^{\prime }\) are shifted from \({\varvec{h}}_t[\widehat{{\textsf {sim}}^*}]\) to \({\varvec{v}}_{m+1,t}[\widehat{{\textsf {rand}}}]\). The positions \({\varvec{v}}_{m+1,t}[\widehat{{\textsf {sim}}}^*]\) and \({\varvec{h}}_t[\widehat{{\textsf {sim}}}^*]\) are set to zero. The changes are indicated as follows.

Observe that the inner products \({{\varvec{v}}_{m+1,t}} \cdot {{\varvec{h}}_t}\) for all \(t \in [n^{\prime }]\) are unchanged as in \({\textsf {H}}_5\). Hence, the function-hiding security of IPFE ensures the indistinguishability between the hybrids \({\textsf {H}}_5\) and \({\textsf {H}}_6\).

Hybrid It is analogous to \({\textsf {H}}_6\) except that the value \(f_{\tau }({\varvec{x}}^*) {\varvec{z}}^*[\tau ]\) is removed from \(\widetilde{\ell }_{1, \tau }\) for all \(1 < \tau \le n^{\prime }\) and the value \(f({\varvec{x}}^*)^{\top }{\varvec{z}}^* + {\varvec{y}}^{\top }{\varvec{w}}^*\) is directly encoded into the label \(\widetilde{\ell }_{1, 1}\). To make this change, we replace the random elements \(\beta _{\tau }\) by \(\beta ^{\prime }_{\tau } = \beta _{\tau } - f_{\tau }({\varvec{x}}^*) {\varvec{z}}^*[\tau ] - \nu _\tau \cdot {\varvec{y}}^{\top }{\varvec{w}}^*\) for all \(1 < \tau \le n^{\prime }\) and change the element \(\beta _1\) with \(\beta ^{\prime }_1 = \beta _1 - (f_1({\varvec{x}}^*) {\varvec{z}}^*[1] + \nu _1\cdot {\varvec{y}}^{\top }{\varvec{w}}^*) + f({\varvec{x}}^*)^{\top }{\varvec{z}}^* + {\varvec{y}}^{\top }{\varvec{w}}^*\). Note that, the distributions

$$\begin{aligned} \{\beta _{\tau } \leftarrow {\mathbb {Z}}_p : \sum _{\tau \in [n^{\prime }]} \beta _{\tau } = 0 \mod p\} \text { and } \{\beta ^{\prime }_{\tau } : \sum _{\tau \in [n^{\prime }]} \beta _{\tau } = 0 \mod p\} \end{aligned}$$

are statistically close since \(\beta ^{\prime }_{\tau }\) is also uniform over \({\mathbb {Z}}_p\) and \(\sum _{\tau \in [n^{\prime }]} \beta ^{\prime }_{\tau } = 0 \mod p\). Thus the vectors associated to the challenge ciphertext become

where the labels \(\widetilde{\ell }_{1, \tau }\) are given by

$$\begin{aligned} \widetilde{\ell }_{1, 1}&\leftarrow {\textsf {RevSamp}}(f_1, {\varvec{x}}^*, f_1({\varvec{x}}^*){\varvec{z}}^*[1] + \nu _1 \cdot {\varvec{y}}^{\top }{\varvec{w}}^* + \beta _1^{\prime }, \ell _{2, 1}^{\prime }, \ldots , \ell _{m+1, 1}^{\prime })\\&= {\textsf {RevSamp}}(f_1, {\varvec{x}}^*, f({\varvec{x}}^*)^{\top }{\varvec{z}}^* + {\varvec{y}}^{\top }{\varvec{w}}^* + \beta _1, \ell _{2, 1}^{\prime }, \ldots , \ell _{m+1, 1}^{\prime })\\ \widetilde{\ell }_{1, \tau }&\leftarrow {\textsf {RevSamp}}(f_{\tau }, {\varvec{x}}^*, f_\tau ({\varvec{x}}^*){\varvec{z}}^*[\tau ] + \nu _\tau \cdot {\varvec{y}}^\top {\varvec{w}}^*+ \beta _{\tau }^{\prime }, \ell _{2, \tau }^{\prime }, \ldots , \ell _{m+1, \tau }^{\prime }) \\&= {\textsf {RevSamp}}(f_{\tau }, {\varvec{x}}^*, \beta _{\tau }, \ell _{2, \tau }^{\prime }, \ldots , \ell _{m+1, \tau }^{\prime }) ~~~~ \text { for } 1 < \tau \le n^{\prime } \end{aligned}$$

Thus, \({\textsf {H}}_6\) and \({\textsf {H}}_7\) are indistinguishable from the adversary’s view as they are statistically close. As discussed in the remark of \({\textsf {H}}_2\), the challenger can also simulate this hybrid when \([\![{\varvec{y}}]\!]_1\) is known instead of \({\varvec{y}}\).

Hybrid This hybrid is exactly the same as \({\textsf {H}}_7\) except that we use a dummy vector \(({\varvec{d}}_1 ~ \Vert ~{\varvec{d}}_2) \in {\mathbb {Z}}_p^{n^{\prime }+k}\) in place of \(({\varvec{z}}^* ~ \Vert ~{\varvec{w}}^*)\) while computing \(\widetilde{\ell }_{1, 1}\) where it holds that \(\mu = f({\varvec{x}}^*)^{\top } {\varvec{z}}^* + {\varvec{y}}^{\top }{\varvec{w}}^* = f({\varvec{x}}^*)^{\top } {\varvec{d}}_1 + {\varvec{y}}^{\top }{\varvec{d}}_2 + \sigma \). In particular, we choose \({\varvec{d}}_1\leftarrow {\mathbb {Z}}_p^{n^{\prime }}, {\varvec{d}}_2 \leftarrow {\mathbb {Z}}_p^k\) and set \(\sigma = \mu - f({\varvec{x}}^*)^{\top } {\varvec{d}}_1 - {\varvec{y}}^{\top } {\varvec{d}}_2 \in {\mathbb {Z}}_p\). It can be seen that \( f({\varvec{x}}^*)^{\top } {\varvec{d}}_1 + {\varvec{y}}^{\top }{\varvec{d}}_2 + \sigma = \mu \) as required. The vector \({\varvec{u}}\) is now defined as

where the labels are computed as

$$\begin{aligned} \widetilde{\ell }_{1, 1}&\leftarrow {\textsf {RevSamp}}(f_1, {\varvec{x}}^*, f({\varvec{x}}^*)^{\top }{\varvec{d}}_1+ {\varvec{y}}^{\top }{\varvec{d}}_2 + \sigma + \beta _1, \ell _{2, 1}^{\prime }, \ldots , \ell _{m+1, 1}^{\prime })\\ \widetilde{\ell }_{1, \tau }&\leftarrow {\textsf {RevSamp}}(f_{\tau }, {\varvec{x}}^*, \beta _{\tau }, \ell _{2, \tau }^{\prime }, \ldots , \ell _{m+1, \tau }^{\prime }) ~~~~ \text { for } 1 < \tau \le n^{\prime } \end{aligned}$$

Above, we write the full expression of the vector \({\varvec{u}}\) as opposed to its compressed expression used so far in order to highlight the change. Since \(\beta _1\) is uniformly distributed and \(f({\varvec{x}}^*)^{\top } {\varvec{z}}^* + {\varvec{y}}^{\top }{\varvec{w}}^* = f({\varvec{x}}^*)^{\top } {\varvec{d}}_1 + {\varvec{y}}^{\top }{\varvec{d}}_2 + \sigma \), hybrids \({{\textsf{H}}}_7\) and \({{\textsf{H}}}_8\) are statistically close.

Remark

Suppose the vector \([\![{\varvec{y}}]\!]_1\) is known to the challenger instead of \({\varvec{y}}\). Then it can directly compute \([\![\sigma ]\!]_1 = [\![\mu ]\!]_1 \cdot [\![f({\varvec{x}}^*)^{\top }{\varvec{d}}_1]\!]_1^{-1} \cdot [\![{\varvec{y}}^{\top } {\varvec{d}}_2]\!]_1^{-1}\). To simulate this hybrid, the challenger uses \([\![f({\varvec{x}}^*)^{\top }{\varvec{d}}_1+ {\varvec{y}}^{\top }{\varvec{d}}_2 + \sigma + \beta _1]\!]_1\) to obtain \([\![\widetilde{\ell }_{1, 1}]\!]_1\) as it has \({\varvec{d}}_1 \in {\mathbb {Z}}_p^{n^{\prime }}, {\varvec{d}}_2 \in {\mathbb {Z}}_p^k, [\![\sigma ]\!]_1 \in {\mathbb {G}}_1\) and \(\beta _1 \in {\mathbb {Z}}_p\).
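The following Python sketch is an added example, not code from the paper. It models only the \({\mathbb {Z}}_p\) arithmetic behind step 1 of the simulator's encryption, the \(\beta \) substitution of \({\textsf {H}}_7\), the dummy-vector switch of \({\textsf {H}}_8\), and the "in the exponent" computation of \([\![\sigma ]\!]_1\) from the remarks. It assumes that \(f({\varvec{x}}^*)\) is supplied as a vector of field elements, leaves out AKGS and IPFE entirely, and uses a constructed toy group (p = 1019, q = 2039, g = 4) in place of \({\mathbb {G}}_1\); all function names are hypothetical.

```python
"""Value-level model of Enc* and hybrids H_7/H_8 (added example; no AKGS, no IPFE)."""
import secrets

# Constructed toy parameters (not secure): Q = 2P + 1, G generates the order-P subgroup.
P, Q, G = 1019, 2039, 4

def rand_vec(n):
    return [secrets.randbelow(P) for _ in range(n)]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % P

def shares(n, total):
    """n elements of Z_p, uniform subject to summing to `total` (nu_t -> 1, beta_t -> 0)."""
    head = rand_vec(n - 1)
    return head + [(total - sum(head)) % P]

def enc(x):
    """[[x]]_1, modelled as G^x mod Q."""
    return pow(G, x % P, Q)

def real_payloads(fx, z, w, y, nu, beta):
    """gamma_tau = f_tau(x*) z*[tau] + nu_tau * y^T w* + beta_tau (the RevSamp input)."""
    yw = dot(y, w)
    return [(f * zt + n * yw + b) % P for f, zt, n, b in zip(fx, z, nu, beta)]

def h7_rerandomise(fx, z, w, y, nu, beta):
    """Apply beta -> beta' as in H_7; return (beta', payloads computed with beta')."""
    yw = dot(y, w)
    mu = (dot(fx, z) + yw) % P
    bp = [(b - f * zt - n * yw) % P for f, zt, n, b in zip(fx, z, nu, beta)]
    bp[0] = (bp[0] + mu) % P          # slot 1 additionally absorbs mu
    return bp, real_payloads(fx, z, w, y, nu, bp)

def simulate(fx, y, mu):
    """Step 1 of Enc*: needs f(x*), y and mu only, never z* or w*."""
    d1, d2 = rand_vec(len(fx)), rand_vec(len(y))
    sigma = (mu - dot(fx, d1) - dot(y, d2)) % P
    return d1, d2, sigma

def h8_payloads(fx, y, beta, d1, d2, sigma):
    """H_8: slot 1 carries f(x*)^T d1 + y^T d2 + sigma + beta_1, the rest carry beta_tau."""
    first = (dot(fx, d1) + dot(y, d2) + sigma + beta[0]) % P
    return [first] + [b % P for b in beta[1:]]

def ideal_payloads(fx, y, nu, beta, d1, d2, sigma):
    """Per-slot values once (d1 || d2) and sigma stand in for (z* || w*), as from H_9 on."""
    psi = (dot(y, d2) + sigma) % P
    return [(f * d + n * psi + b) % P for f, d, n, b in zip(fx, d1, nu, beta)]

def simulate_in_exponent(fx, y_enc, mu_enc, d1, d2):
    """Remark: derive [[sigma]]_1 from [[y]]_1 and [[mu]]_1 without y or mu in the clear."""
    yd2 = 1
    for ye, d in zip(y_enc, d2):
        yd2 = yd2 * pow(ye, d, Q) % Q          # [[y^T d2]]_1
    fd1 = enc(dot(fx, d1))                     # [[f(x*)^T d1]]_1
    return mu_enc * pow(yd2, -1, Q) * pow(fd1, -1, Q) % Q

def demo(n_prime=4, k=3):
    """Run every step on constructed random inputs and report which identities hold."""
    fx, z = rand_vec(n_prime), rand_vec(n_prime)
    w, y = rand_vec(k), rand_vec(k)
    nu, beta = shares(n_prime, 1), shares(n_prime, 0)
    mu = (dot(fx, z) + dot(y, w)) % P
    bp, p7 = h7_rerandomise(fx, z, w, y, nu, beta)
    d1, d2, sigma = simulate(fx, y, mu)
    return {
        "real slots sum to mu": sum(real_payloads(fx, z, w, y, nu, beta)) % P == mu,
        "beta' sums to 0": sum(bp) % P == 0,
        "H_7 equals H_8 slot by slot": p7 == h8_payloads(fx, y, beta, d1, d2, sigma),
        "ideal slots sum to mu": sum(ideal_payloads(fx, y, nu, beta, d1, d2, sigma)) % P == mu,
        "sigma in exponent matches": simulate_in_exponent(
            fx, [enc(v) for v in y], enc(mu), d1, d2) == enc(sigma),
    }

if __name__ == "__main__":
    for claim, holds in demo().items():
        print(f"{claim}: {holds}")
```

The per-slot values sum to \(\mu \) in both the real and the simulated setting because \(\sum _t \nu _t = 1\) and \(\sum _t \beta _t = 0\), which is why the simulator needs nothing beyond \(\mu \).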

Hybrid The following sequence of hybrids is basically the reverse of the previous hybrids with \(({\varvec{z}}^* ~ \Vert ~{\varvec{w}}^*)\) replaced with \(({\varvec{d}}_1 ~ \Vert ~{\varvec{d}}_2)\). In this hybrid, we change the distribution of \(\beta _\tau \) similar to what we did in \({\textsf {H}}_7\). In particular, \(\beta _{\tau }\) is replaced with \(\beta ^{\prime }_{\tau } = \beta _{\tau } + f_{\tau }({\varvec{x}}^*) {\varvec{d}}_1[\tau ] + \nu _\tau \cdot ({\varvec{y}}^{\top }{\varvec{d}}_2 + \sigma )\) and \(\beta _1\) is replaced with \(\beta ^{\prime }_1 = \beta _1 + f_1({\varvec{x}}^*) {\varvec{d}}_1[1] + \nu _1\cdot ({\varvec{y}}^{\top }{\varvec{d}}_2 + \sigma ) - (f({\varvec{x}}^*)^{\top }{\varvec{d}}_1 + {\varvec{y}}^{\top }{\varvec{d}}_2 + \sigma )\). So, the vectors associated with challenge ciphertext are distributed as

where \(\widetilde{\ell }_{1, \tau } \leftarrow {\textsf {RevSamp}}(f_{\tau }, {\varvec{x}}^*, f_{\tau }({\varvec{x}}^*){\varvec{d}}_1[\tau ] + \nu _\tau \cdot ({\varvec{y}}^{\top }{\varvec{d}}_2 + \sigma ) + \beta _{\tau }, \ell _{2, \tau }^{\prime }, \ldots , \ell _{m+1, \tau }^{\prime })\). Note that \({\textsf {H}}_8\) and \({\textsf {H}}_{9}\) are statistically close as \(\{\beta _{\tau } : \tau \in [n^{\prime }]\}\) and \(\{\beta _{\tau }^{\prime }: \tau \in [n^{\prime }]\}\) are both uniform over \({\mathbb {Z}}_p\) with \(\sum _{\tau \in [n^{\prime }]} \beta _{\tau } = \sum _{\tau \in [n^{\prime }]} \beta _{\tau }^{\prime } = 0 \mod p\). Hence, hybrids \({{\textsf{H}}}_8\) and \({{\textsf{H}}}_9\) are indistinguishable.

Hybrid In this hybrid we change the vectors \({\varvec{v}}_{m+1,t}\) and \({\varvec{h}}_t\) as follows

where \(\ell _{m+1,t}^{\prime } \leftarrow {\mathbb {Z}}_p\). The indistinguishability between the hybrids \({\textsf {H}}_{9}\) and \({\textsf {H}}_{10}\) follows from the function-hiding security of IPFE.

Hybrid It is exactly the same as \({\textsf {H}}_{10}\) except that the random values \(\ell _{m+1, t}^{\prime } \leftarrow {\mathbb {Z}}_p\) are changed to the actual label \(\ell _{m+1, t} = {\varvec{d}}_1[t] -{\varvec{r}}_t[m]\). Then the vectors associated with the challenge ciphertext become

The hybrids \({\textsf {H}}_{10}\) and \({\textsf {H}}_{11}\) are identical due to the marginal randomness property of AKGS.

Hybrid In this hybrid we change the vectors \({\varvec{v}}_{m+1,t}\) and \({\varvec{h}}_t\) as follows

The indistinguishability between the hybrids \({\textsf {H}}_{11}\) and \({\textsf {H}}_{12}\) follows from the function-hiding security of IPFE.

Hybrid \(({\varvec{j}} \in [{\varvec{m-1}}])\) It is analogous to \({\textsf {H}}_{12}\) except the secret-key is modified as follows. For all \(j^{\prime }\) such that \(m+1-j \le j^{\prime } < m+1\), the random value \(\ell _{j^{\prime }, t}^{\prime } \leftarrow {\mathbb {Z}}_p\) is discarded from \({\varvec{v}}_{j^{\prime }, t}[{\textsf {const}}]\) and the coefficient vector \(\varvec{\ell }_{j^{\prime }, t}\) is used in \({\varvec{v}}_{j^{\prime }, t}\).

In this hybrid, the label \(\widetilde{\ell }_{1, t}\) is reversely sampled using the random values \(\ell _{2, t}^{\prime }, \ldots , \ell _{m+1-j, t}^{\prime }\) and the actual values \(\ell _{m-j+2, t}, \ldots , \ell _{m+1 ,t}\) for each \(t \in [n^{\prime }]\). The hybrids \({{\textsf{H}}}_{13, m+1-(j-1)}\) and \({{\textsf{H}}}_{13, m+1-j}\) can be shown to be indistinguishable via the following sequence of sub-hybrids, namely, \(\{{{\textsf{H}}}_{13, m+1-j,1}, {{\textsf{H}}}_{13, m+1-j,2}, {{\textsf{H}}}_{13, m+1-j, 3}\}_{j\in [m-1]}\).

Hybrid \(({\varvec{j}} \in [{\varvec{m-1}}])\) It proceeds exactly the same as \({\textsf {H}}_{13, m+1-(j-1)}\) except that the random labels \(\ell _{m+1-j, t}^{\prime }\) are shifted from \({\varvec{v}}_{m+1-j, t}[{\textsf {const}}]\) to \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\). We modify the vectors associated with the secret-key and the challenge ciphertext as follows

The indistinguishability between the hybrids \({\textsf {H}}_{13, m+1-(j-1)}\) and \({\textsf {H}}_{13, m+1-j, 1}\) follows from the function-hiding security of IPFE.

Hybrid \(({\varvec{j \in [m-1}}])\) It is exactly the same as \({\textsf {H}}_{13, m+1-j, 1}\) except that the random labels \(\ell _{m+1-j, \tau }^{\prime } \leftarrow {\mathbb {Z}}_p\) at \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\) are now replaced with the actual labels \(\ell _{m+1-j, \tau } = \varvec{\ell }_{m+1-j, \tau }({\varvec{x}}^*)\). The change in the vector \({\varvec{u}}\) associated to the challenge ciphertext is indicated below.

The indistinguishability between the hybrids \({\textsf {H}}_{13, m+1-j, 1}\) and \({\textsf {H}}_{13, m+1-j, 2}\) follows from the marginal randomness property of AKGS.

Hybrid \(({\varvec{j \in [m-1])}}\) It proceeds analogous to \({\textsf {H}}_{13, m+1-j, 2}\) except that the actual label \(\ell _{m+1-j, \tau } = \varvec{\ell }_{m+1-j, \tau }({\varvec{x}}^*)\) is removed from \({\varvec{u}}[{\textsf {sim}}_{\tau }^*]\) and the coefficient vector \(\varvec{\ell }_{m+1-j, t}\) is used to set \({\varvec{v}}_{m+1-j, t}\). The inner product \({{\varvec{v}}_{m+1-j, t}} \cdot {{\varvec{u}}}\) is unaltered as in \({\textsf {H}}_{13, m+1-j, 2}\). The changes in the vectors associated to the secret-key and the challenge ciphertext are shown below.

The indistinguishability between the hybrids \({\textsf {H}}_{13, m+1-j, 2}\) and \({\textsf {H}}_{13, m+1-j, 3}\) follows from the function-hiding security of IPFE. We observe that \({\textsf {H}}_{13, m+1-j, 3}\) is identical to \({\textsf {H}}_{13, m+1-j}\) for all \(j \in [m-1]\).

Hybrid It proceeds exactly the same as \({\textsf {H}}_{13, 2}\) except that the reversely sampled labels \(\widetilde{\ell }_{1, \tau }\) are replaced with the actual labels \(\ell _{1, \tau } + \psi _\tau = \varvec{\ell }_{1, \tau }({\varvec{x}}^*) + \nu _\tau \cdot ({\varvec{y}}^{\top }{\varvec{d}}_2 + \sigma )\) when setting \({\varvec{u}}[{\textsf {sim}}_{\tau }]\). The vectors associated with the challenge ciphertext are now written as

The indistinguishability between the hybrids \({\textsf {H}}_{13,2}\) and \({\textsf {H}}_{14}\) follows from the piecewise security of AKGS.

Hybrid It is analogous to \({\textsf {H}}_{14}\) except that the actual label \(\ell _{1, \tau } = \varvec{\ell }_{1, \tau }({\varvec{x}}^*) + \nu _\tau \cdot ({\varvec{y}}^{\top }{\varvec{d}}_2 + \sigma )\) is removed from \({\varvec{u}}[{\textsf {sim}}_{\tau }]\) and the coefficient vectors \(\varvec{\ell }_{1, t}\) are utilized while setting the vectors \({\varvec{v}}_{1, t}\) for all \(t \in [n^{\prime }]\). Also, the positions \({\varvec{v}}_{1, t}[{\textsf {extnd}}_{\kappa }], {\varvec{v}}_{1, t}[{\textsf {query}}]\) and \({\varvec{u}}[{\textsf {extnd}}_{\kappa }], {\varvec{u}}[{\textsf {query}}]\) are set as \({\varvec{y}}[\kappa ]\nu _t, \nu _t\) and \({\varvec{d}}_2[\kappa ], \sigma \) respectively. The vectors associated with the secret-key and the challenge ciphertext are shown below.

Since the inner products \({{\varvec{v}}_{1, t}} \cdot {{\varvec{u}}} = \ell _{1, t}+\psi _t\), for all \(t \in [n^{\prime }]\), remain the same as in \({\textsf {H}}_{14}\), the function-hiding security of IPFE ensures the indistinguishability between the hybrids \({\textsf {H}}_{14}\) and \({\textsf {H}}_{15}\). This completes the security analysis as \({\textsf {H}}_{15}\) is the ideal experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Ideal}}, 1-{\textsf {extFE}}}(1^{\lambda })\). \(\square \)

5.2 Public key one-slot extended FE for attribute-weighted sums

In this section, we present a public-key one-slot FE scheme \({\varPi }_{{\textsf {extOne}}}^{{\textsf {bdd}}}\) for an extended attribute-weighted sum functionality. This scheme is proven adaptively simulation secure against one ciphertext query, an a priori bounded number of pre-ciphertext secret key queries, and an arbitrary polynomial number of post-ciphertext secret key queries. We will apply the bootstrapping compiler from [3] onto this FE scheme to obtain our unbounded-slot FE scheme for attribute-weighted sums in the next section. We describe the construction for any fixed value of the security parameter \(\lambda \) and suppress the appearance of \(\lambda \) for simplicity of notation. Let \(({\textsf{Garble}}, {\textsf{Eval}})\) be a special piecewise secure AKGS for a function class \({\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })}\), \({{\textsf{G}}}=({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, g_1, g_2, e)\) a tuple of pairing groups of prime order p such that \({\textsf{MDDH}}_k\) holds in \({\mathbb {G}}_2\), and \(({\textsf{IPFE}}.{\textsf{Setup}}, {\textsf{IPFE}}.{\textsf{KeyGen}},{\textsf{IPFE}}.{\textsf{Enc}}, {\textsf{IPFE}}.{\textsf{Dec}})\) a slotted \({\textsf{IPFE}}\) based on \({{\textsf{G}}}\). We construct an \({\textsf{FE}}\) scheme for attribute-weighted sums with the message space \({\mathbb {M}}={\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }+k}\).

The setup algorithm defines the following index sets

$$\begin{aligned} S_{{\textsf {pub}}} = \left\{ \{{\textsf {const}}^{(\iota )}\}_{\iota \in [k]}, \{{\textsf {coef}}_{i}^{(\iota )}\}_{\iota \in [k], i \in [n]}, \{{\textsf {extnd}}^{(\iota )}_{\kappa }\}_{\iota , \kappa \in [k]} \right\} , {{\widehat{S}}}_{{\textsf {pub}}} = \{\widehat{{\textsf {const}}}^{(\iota )}, \widehat{{\textsf {coef}}}^{(\iota )}\}_{\iota \in [k]} \end{aligned}$$

\(S_{{\textsf {priv}}} = \{ {\textsf {const}}, \{{\textsf {coef}}_i\}_{i \in [n]}, \{{\textsf {extnd}}_{\kappa , 1}, {\textsf {extnd}}_{\kappa , 2}, {\textsf {extnd}}_{\kappa }\}_{\kappa \in [k]},\) \(\{{\textsf {query}}_{\eta }\}_{\eta \in [B]}, \{{\textsf {sim}}_{\tau }, {\textsf {sim}}_{\tau }^*\}_{\tau \in [n^{\prime }]} \}\),

$$\begin{aligned} {{\widehat{S}}}_{{\textsf {priv}}} = \{ \widehat{{\textsf {const}}}_1, \widehat{{\textsf {coef}}}_1, \widehat{{\textsf {const}}}_2, \widehat{{\textsf {coef}}}_2, \widehat{{\textsf {const}}}, \widehat{{\textsf {coef}}}, \widehat{{\textsf {sim}}}^*\} \end{aligned}$$

where \(B\) denotes a bound on the number of pre-challenge queries. It generates two pairs of IPFE keys \(({\textsf{IPFE}}.{\textsf{MSK}}, {\textsf{IPFE}}.{\textsf{MPK}}) \leftarrow {\textsf {IPFE.Setup}}(S_{{\textsf {pub}}}, S_{{\textsf {priv}}})\) and \((\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, \widehat{{\textsf{IPFE}}.{\textsf{MPK}}}) \leftarrow {\textsf {IPFE.Setup}}({{\widehat{S}}}_{{\textsf {pub}}}, {{\widehat{S}}}_{{\textsf {priv}}})\). Finally, it returns the master secret-key of the system as \({\textsf{MSK}}= ({\textsf{IPFE}}.{\textsf{MSK}}, \widehat{{\textsf{IPFE}}.{\textsf{MSK}}})\) and the master public-key as \({\textsf{MPK}}= ({\textsf{IPFE}}.{\textsf{MPK}}, \widehat{{\textsf{IPFE}}.{\textsf{MPK}}})\).

Let \(f = (f_1, \ldots , f_{n^{\prime }}) \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n,n')} \) and \({\varvec{y}} \in {\mathbb {Z}}_p^k\). It samples integers \(\nu _t \leftarrow {\mathbb {Z}}_p\) and vectors \(\varvec{\alpha }, \varvec{\beta }_t \leftarrow {\mathbb {Z}}_p^k\) for \(t \in [n^{\prime }]\) such that

$$\begin{aligned} \sum _{t \in [n^{\prime }]}\nu _t = 1 \text { and } \sum _{t \in [n^{\prime }]} \varvec{\beta }_t[\iota ] = 0 \text { mod }p \text { for all }\iota \in [k] \end{aligned}$$

Next, it samples independent random vectors \({\varvec{r}}^{(\iota )}_t \leftarrow {\mathbb {Z}}_p^{m}\) and computes

$$\begin{aligned} ({\varvec{\ell }}_{1, t}^{(\iota )}, \ldots , {\varvec{\ell }}_{m, t}^{(\iota )}, {\varvec{\ell }}_{m+1,t}^{(\iota )}) \leftarrow {\textsf {Garble}}(\varvec{\alpha }[\iota ] {\varvec{z}}[t] f_t({\varvec{x}}) +\varvec{\beta }_t[\iota ]; {\varvec{r}}^{(\iota )}_t) \end{aligned}$$

for all \(\iota \in [k], t \in [n^{\prime }]\). Here, we make use of the instantiation of the AKGS described in Sect. 3.6. From the description of that AKGS instantiation, we note that the \((m+1)\)-th label function \({\varvec{\ell }}_{m+1,t}^{(\iota )}\) would be of the form \({\varvec{\ell }}_{m+1,t}^{(\iota )} = \varvec{\alpha }[\iota ]{\varvec{z}}[t] - {\varvec{r}}_t^{(\iota )}[m]\) where \(\varvec{\alpha }[\iota ]\) is a constant. Also all the label functions \({\varvec{\ell }}_{1,t}^{(\iota )}, \ldots , {\varvec{\ell }}_{m,t}^{(\iota )}\) involve only the variables \({\varvec{x}}\) and not the variable \( {\varvec{z}}[t]\). Next, for all \(j \in [2, m]\) and \(t \in [n^{\prime }]\), it defines the vectors \({\varvec{v}}_{j,t}\) corresponding to the label functions \({\varvec{\ell }}_{j,t}\) obtained from the partial garbling above and the vector \({\varvec{y}}\) as

$$\begin{array}{|c|c|c|c|c|}
\hline
\text {vector} & {\textsf {const}}^{(\iota )} & {\textsf {coef}}_i^{(\iota )} & {\textsf {extnd}}^{(\iota )}_{\kappa } & S_{{\textsf {priv}}} \\
\hline
{\varvec{v}} & \varvec{\alpha }[\iota ] & 0 & 0 & 0 \\
{\varvec{v}}_{1, t} & {\varvec{\ell }}_{1, t}^{(\iota )}[{\textsf {const}}] & {\varvec{\ell }}_{1, t}^{(\iota )}[{\textsf {coef}}_i] & \varvec{\alpha }[\iota ]{\varvec{y}}[\kappa ]\nu _t & 0 \\
{\varvec{v}}_{j, t} & {\varvec{\ell }}_{j, t}^{(\iota )}[{\textsf {const}}] & {\varvec{\ell }}_{j, t}^{(\iota )}[{\textsf {coef}}_i] & 0 & 0 \\
\hline
\end{array}$$

$$\begin{array}{|c|c|c|c|}
\hline
\text {vector} & \widehat{{\textsf {const}}}^{(\iota )} & \widehat{{\textsf {coef}}}^{(\iota )} & {{\widehat{S}}}_{{\textsf {priv}}} \\
\hline
{\varvec{v}}_{m+1, t} & {\varvec{r}}^{(\iota )}_{t}[m] & \varvec{\alpha }[\iota ] & 0 \\
\hline
\end{array}$$

It generates the secret-keys as

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{SK}}\leftarrow {\textsf {IPFE.KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}]\!]_2)&\\ {\textsf{IPFE}}.{\textsf{SK}}_{j, t} \leftarrow {\textsf {IPFE.KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_{j, t}]\!]_2)&\text { for } j \in [m], t \in [n^{\prime }]\\ \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t} \leftarrow {\textsf {IPFE.KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{v}}_{m+1, t}]\!]_2)&\text { for } t \in [n^{\prime }] \end{aligned}$$

Finally, it returns the secret-key as \({\textsf{SK}}_{f, {\varvec{y}}} = ({\textsf{IPFE}}.{\textsf{SK}}, \{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]})\) and \((f, {\varvec{y}})\).

Remark 2

We note that the vector \({\varvec{y}}\) is only used to set \({\varvec{v}}_{1, t}[{\textsf {extnd}}^{(\iota )}_{\kappa }]\) and the IPFE.KeyGen only requires \([\![{\varvec{v}}_{1, t}]\!]_2 \in {\mathbb {G}}_2^k\) to compute the secret-key \({\textsf{IPFE}}.{\textsf{SK}}_{1, t}\). Therefore, the key generation process can compute the same secret-key \({\textsf{SK}}_{f, {\varvec{y}}}\) if \((f, [\![{\varvec{y}}]\!]_2)\) is supplied as input instead of \((f, {\varvec{y}})\) and we express this by writing KeyGen\(({\textsf{MSK}}, (f, [\![{\varvec{y}}]\!]_2))\) = KeyGen\(({\textsf{MSK}}, (f, {\varvec{y}}))\). This fact will be crucial while describing the unbounded slot FE.

It samples a random vector \({\varvec{s}} \leftarrow {\mathbb {Z}}_p^k\) and sets the vectors

$$\begin{array}{|c|c|c|c|}
\hline
\text {vector} & {\textsf {const}}^{(\iota )} & {\textsf {coef}}_i^{(\iota )} & {\textsf {extnd}}^{(\iota )}_{\kappa } \\
\hline
{\varvec{u}} & {\varvec{s}}[\iota ] & {\varvec{s}}[\iota ] {\varvec{x}}[i] & {\varvec{s}}[\iota ]{\varvec{w}}[\kappa ] \\
\hline
\end{array}$$

$$\begin{array}{|c|c|c|}
\hline
\text {vector} & \widehat{{\textsf {const}}}^{(\iota )} & \widehat{{\textsf {coef}}}^{(\iota )} \\
\hline
{\varvec{h}}_{t} & -{\varvec{s}}[\iota ] & {\varvec{s}}[\iota ]{\varvec{z}}[t] \\
\hline
\end{array}$$

for all \(t \in [n^{\prime }]\). It encrypts the vectors as

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{CT}}\leftarrow {\textsf {IPFE.SlotEnc}}({\textsf{IPFE}}.{\textsf{MPK}}, [\![{\varvec{u}}]\!]_1)&\\ \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t \leftarrow {\textsf {IPFE.SlotEnc}}(\widehat{{\textsf{IPFE}}.{\textsf{MPK}}}, [\![{\varvec{h}}_t]\!]_1)&\text { for } t \in [n^{\prime }] \end{aligned}$$

and returns the ciphertext as \({\textsf{CT}}= ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\) and \({\varvec{x}}\).

It parses the secret-key and ciphertext as \({\textsf{SK}}_{f, {\varvec{y}}} = ({\textsf{IPFE}}.{\textsf{SK}}, \{{\textsf{IPFE}}.{\textsf{SK}}_{j, t}\}_{j \in [m], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}\}_{t \in [n^{\prime }]})\) and \({\textsf{CT}}_{{\varvec{x}}, {\varvec{z}}} {=} ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\). It uses the decryption algorithm of IPFE to compute

$$\begin{aligned}{}[\![\rho ]\!]_T \leftarrow {\textsf {IPFE.Dec}}({\textsf{IPFE}}.{\textsf{SK}}, {\textsf{IPFE}}.{\textsf{CT}})&\\ [\![\ell _{1, t} + \psi _t]\!]_T \leftarrow {\textsf {IPFE.Dec}}({\textsf{IPFE}}.{\textsf{SK}}_{1, t}, {\textsf{IPFE}}.{\textsf{CT}})&\\ [\![\ell _{j, t}]\!]_T \leftarrow {\textsf {IPFE.Dec}}({\textsf{IPFE}}.{\textsf{SK}}_{j, t}, {\textsf{IPFE}}.{\textsf{CT}})&\text { for } j \in [2, m], t \in [n^{\prime }]\\ [\![\ell _{m+1, t}]\!]_T \leftarrow {\textsf {IPFE.Dec}}(\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{m+1, t}, \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t)&\text { for } t \in [n^{\prime }] \end{aligned}$$

where \(\psi _t = \sum _{\iota =1}^k \varvec{\alpha }[\iota ] {\varvec{s}}[\iota ] \cdot \nu _t \cdot {\varvec{y}}^\top {\varvec{w}} = {\varvec{\alpha }} \cdot {{\varvec{s}}} \cdot \nu _t \cdot {\varvec{y}}^\top {\varvec{w}}\). Next, it utilizes the evaluation procedure of AKGS and obtains a combined value

$$\begin{aligned}{}[\![\zeta ]\!]_T = \prod _{t \in [n^{\prime }]} {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t} + \psi _t]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T). \end{aligned}$$

Finally, it returns a value \([\![\mu ]\!]_T = [\![\zeta ]\!]_T \cdot [\![\rho ]\!]_T^{-1} \in {\mathbb {G}}_T\).

Correctness. First, the IPFE correctness implies IPFE.Dec(\({\textsf{IPFE}}.{\textsf{SK}}_{1, t}, {\textsf{IPFE}}.{\textsf{CT}}\)) = \([\![\ell _{1, t} + \psi _t]\!]\) where \(\psi _t = \sum _{\iota = 1}^k \varvec{\alpha }[\iota ]{\varvec{s}}[\iota ]\cdot \nu _t \cdot {\varvec{y}}^{\top }{\varvec{w}} = {\varvec{\alpha }} \cdot {{\varvec{s}}}\cdot \nu _t \cdot {\varvec{y}}^{\top }{\varvec{w}}\). Next, by the correctness of IPFE and AKGS, we have

$$\begin{aligned}&{\textsf {Eval}}(f_t, {\varvec{x}}, \ell _{1, t} + \psi _t, \ldots , \ell _{m+1, t}) \\&\quad = {\textsf {Eval}}(f_t, {\varvec{x}}, \ell _{1, t}, \ldots , \ell _{m+1, t}) + {\textsf {Eval}}(f_t, {\varvec{x}}, \psi _t, 0, \ldots , 0) \\&\quad = {\textsf {Eval}}(f_t, {\varvec{x}}, \ell _{1, t}, \ldots , \ell _{m+1, t}) + \psi _t \\&\quad = \sum _{\iota = 1}^k (\varvec{\alpha }[\iota ]{\varvec{s}}[\iota ] \cdot {\varvec{z}}[t]f_t({\varvec{x}}) + \varvec{\beta }_t[\iota ]{\varvec{s}}[\iota ]) +{\varvec{\alpha }} \cdot {{\varvec{s}}}\cdot \nu _t \cdot {\varvec{y}}^{\top }{\varvec{w}}\\&\quad = {\varvec{\alpha }} \cdot {{\varvec{s}}}\cdot ({\varvec{z}}[t]f_t({\varvec{x}}) + \nu _t \cdot {\varvec{y}}^{\top }{\varvec{w}}) + {\varvec{\beta }_t} \cdot {{\varvec{s}}} \end{aligned}$$

The first equality follows from the linearity of the Eval algorithm. Therefore, multiplying all the evaluated values we have

$$\begin{aligned}{}[\![\zeta ]\!]_T&= \prod _{t \in [n^{\prime }]} {\textsf {Eval}}(f_t, {\varvec{x}}, [\![\ell _{1, t} + \psi _t]\!]_T, \ldots , [\![\ell _{m+1, t}]\!]_T)\\&= [\![\sum _{t = 1}^{n^{\prime }} {\varvec{\alpha }} \cdot {{\varvec{s}}}\cdot ({\varvec{z}}[t]f_t({\varvec{x}}) + \nu _t \cdot {\varvec{y}}^{\top }{\varvec{w}}) + {\varvec{\beta }_t} \cdot {{\varvec{s}}}]\!]_T = [\![{\varvec{\alpha }} \cdot {{\varvec{s}}} \cdot (f({\varvec{x}})^{\top }{\varvec{z}} + {\varvec{y}}^{\top }{\varvec{w}})]\!]_T \end{aligned}$$

where the last equality follows from the fact that \( \sum _{t \in [n^{\prime }]} \nu _t = 1 \text { mod }p\) and \(\sum _{t \in [n^{\prime }]} \varvec{\beta }_t[\iota ] = 0 \text { mod }p\) for all \(\iota \in [k]\). Also, by the correctness of IPFE we see that \([\![\rho ]\!]_T = [\![{\varvec{\alpha }} \cdot {{\varvec{s}}}]\!]_T\) and hence \([\![\mu ]\!]_T = [\![f({\varvec{x}})^{\top }{\varvec{z}} + {\varvec{y}}^{\top }{\varvec{w}}]\!]_T\).

5.2.1 Security analysis

5.2.2 The simulator

Theorem 5

The extended one slot FE scheme \({\varPi }_{{\textsf {extOne}}}^{{\textsf {bdd}}}\) for attribute-weighted sum is adaptively simulation-secure against an adversary making at most B pre-ciphertext secret key queries and an arbitrary polynomial number of post-ciphertext secret key queries assuming the AKGS is piecewise-secure as per Definition 7, the \({\textsf{MDDH}}_k\) assumption holds in group \({\mathbb {G}}_2\), and the slotted IPFE is function hiding as per Definition 5.

We describe the simulator for the extended one-slot FE scheme \({\varPi }_{{\textsf {extOne}}}^{{\textsf {bdd}}}\). The simulated setup algorithm is the same as the setup of the original scheme. Let \(({\textsf{MSK}}, {\textsf{MPK}}) \leftarrow {\textsf {Setup}}^*(1^{\lambda }, 1^n, 1^{n^{\prime }}, 1^{B}) = {\textsf {Setup}}(1^{\lambda }, 1^n, 1^{n^{\prime }}, 1^{B})\) where \({\textsf{MSK}}= ({\textsf{IPFE}}.{\textsf{MSK}}, \widehat{{\textsf{IPFE}}.{\textsf{MSK}}})\) and \({\textsf{MPK}}= ({\textsf{IPFE}}.{\textsf{MPK}}, \widehat{{\textsf{IPFE}}.{\textsf{MPK}}})\).

On input \({\textsf{MSK}}\), a function \(f_q = (f_{q, 1}, \ldots , f_{q, n^{\prime }}) \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })}\) and a vector \({\varvec{y}}_q \in {\mathbb {Z}}_p^k\), the simulator proceeds as follows:

Setting Public Positions: The public positions are set as in the original scheme.

1. It first samples \(\varvec{\beta }_{q, t} = (\varvec{\beta }_{q, t}[1], \ldots , \varvec{\beta }_{q, t}[k]) \leftarrow {\mathbb {Z}}_p^k, \nu _{q,t} \leftarrow {\mathbb {Z}}_p\) for \(t \in [n^{\prime }]\), and \({\varvec{r}}^{(\iota )}_{q, t} = ({\varvec{r}}^{(\iota )}_{q, t}[1], \ldots , {\varvec{r}}^{(\iota )}_{q, t}[m_q]) \leftarrow {\mathbb {Z}}_p^{m_q}\) where it holds that

$$\begin{aligned} \sum _{t \in [n^{\prime }]} \varvec{\beta }_{q, t}[\iota ] = 0 \text { mod }p \text { for all }\iota \in [k] \text { and } \sum _{t \in [n^{\prime }]} \nu _{q,t} = 1 \text { mod }p \end{aligned}$$
2. Next, it computes the coefficient vectors for the label functions as

$$\begin{aligned} ({\varvec{\ell }}_{q, 1, t}^{(\iota )}, \ldots , {\varvec{\ell }}_{q, m_q, t}^{(\iota )}, {\varvec{\ell }}_{q, m_q+1, t}^{(\iota )}) \leftarrow {\textsf {Garble}}(\varvec{\alpha }_q[\iota ] {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + \varvec{\beta }_{q, t}[\iota ]; {\varvec{r}}^{(\iota )}_{q, t}) \end{aligned}$$

for all \(\iota \in [k], t \in [n^{\prime }]\). From the description of AKGS, we note that the \((m_q+1)\)-th label function \(\varvec{\ell }_{q, m_q+1, t}^{(\iota )}\) would be of the form \(\varvec{\ell }_{q, m_q+1,t}^{(\iota )}=\varvec{\alpha }_q[\iota ] {\varvec{z}}^*[t]-{\varvec{r}}_{q,t}^{(\iota )}[m_q]\).

3. It picks \(\varvec{\alpha }_q \leftarrow {\mathbb {Z}}_p^k\) and sets the public positions at the indexes in \(S_{{\textsf {pub}}}, {{\widehat{S}}}_{{\textsf {pub}}}\) of the following vectors

$$\begin{array}{|c|c|c|c|}
\hline
\text {vector} & {\textsf {const}}^{(\iota )} & {\textsf {coef}}_i^{(\iota )} & {\textsf {extnd}}^{(\iota )}_{\kappa } \\
\hline
{\varvec{v}}_q & \varvec{\alpha }_q[\iota ] & 0 & 0 \\
{\varvec{v}}_{q, 1, t} & {\varvec{\ell }}_{q, 1, t}^{(\iota )}[{\textsf {const}}] & {\varvec{\ell }}_{q, 1, t}^{(\iota )}[{\textsf {coef}}_i] & \varvec{\alpha }_q[\iota ]{\varvec{y}}_q[\kappa ]\nu _{q, t} \\
{\varvec{v}}_{q, j, t} & {\varvec{\ell }}_{q, j, t}^{(\iota )}[{\textsf {const}}] & {\varvec{\ell }}_{q, j, t}^{(\iota )}[{\textsf {coef}}_i] & 0 \\
\hline
\end{array}$$

for all \(j \in [2, m_q]\) and \(t \in [n^{\prime }]\). It also sets the following vectors for all \(t \in [n^{\prime }]\).

$$\begin{array}{|c|c|c|}
\hline
\text {vector} & \widehat{{\textsf {const}}}^{(\iota )} & \widehat{{\textsf {coef}}}^{(\iota )} \\
\hline
{\varvec{v}}_{q, m_q+1, t} & {\varvec{r}}^{(\iota )}_{q, t}[m_q] & \varvec{\alpha }_q[\iota ] \\
\hline
\end{array}$$

Setting Private Positions: It now fills the private indices as follows.

4. It samples \({\widetilde{\alpha }}_q, {\widetilde{\beta }}_{q, t} \leftarrow {\mathbb {Z}}_p\) for \(t \in [n^{\prime }]\) satisfying \(\sum _{t \in [n^{\prime }]} {\widetilde{\beta }}_{q, t} = 0\).

5. Next, it picks \(\widetilde{{\varvec{r}}}_{q, t} \leftarrow {\mathbb {Z}}_p^{m_q}\) and computes the coefficient vectors for the label functions as

$$\begin{aligned} (\widetilde{{\varvec{\ell }}}_{q, 1, t}, \ldots , \widetilde{{\varvec{\ell }}}_{q, m_q, t}, \widetilde{{\varvec{\ell }}}_{q, m_q+1, t}) \leftarrow {\textsf {Garble}}({\widetilde{\alpha }}_q{\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + {\widetilde{\beta }}_{q, t}; \widetilde{{\varvec{r}}}_{q, t}). \end{aligned}$$

for all \(t \in [n^{\prime }]\). From the description of AKGS, we note that the \((m_q+1)\)-th label function \(\widetilde{\varvec{\ell }}_{q,m_q+1,t}\) would be of the form \(\widetilde{\varvec{\ell }}_{q,m_q+1,t} = {\widetilde{\alpha }}_q{\varvec{z}}^*[t] - \widetilde{{\varvec{r}}}_{q,t}[m_q]\).

6. Now, it fills the private positions at the indexes in \(S_{{\textsf {priv}}}, {{\widehat{S}}}_{{\textsf {priv}}}\) as follows

$$\begin{array}{|c|c|c|c|c|c|c|c|c|}
\hline
\text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {extnd}}_{\kappa , 1} & {\textsf {extnd}}_{\kappa , 2} & {\textsf {extnd}}_{\kappa } & {\textsf {query}}_{\eta } & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\
\hline
{\varvec{v}}_q & {\widetilde{\alpha }}_q & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
{\varvec{v}}_{q, 1, t} & \widetilde{{\varvec{\ell }}}_{q, 1, t}[{\textsf {const}}] & \widetilde{{\varvec{\ell }}}_{q, 1, t}[{\textsf {coef}}_i] & 0 & {\widetilde{\alpha }}_q {\varvec{y}}_q[\kappa ] \nu _{q,t} & 0 & {\widetilde{\alpha }}_q {\varvec{e}}_q[\eta ] \nu _{q,t} & 0 & 0 \\
{\varvec{v}}_{q, j, t} & \widetilde{{\varvec{\ell }}}_{q, j, t}[{\textsf {const}}] & \widetilde{{\varvec{\ell }}}_{q, j, t}[{\textsf {coef}}_i] & 0 & 0 & 0 & 0 & 0 & 0 \\
\hline
\end{array}$$

for all \(j \in [2, m_q]\) and \(t \in [n^{\prime }]\); and for all \(t \in [n^{\prime }]\)

$$\begin{array}{|c|c|c|c|c|c|c|c|}
\hline
\text {vector} & \widehat{{\textsf {const}}}_1 & \widehat{{\textsf {coef}}}_1 & \widehat{{\textsf {const}}}_2 & \widehat{{\textsf {coef}}}_2 & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}}^* \\
\hline
{\varvec{v}}_{q, m_q+1, t} & 0 & 0 & \widetilde{{\varvec{r}}}_{q, t}[m_q] & \widetilde{\varvec{\alpha }}_q & 0 & 0 & 0 \\
\hline
\end{array}$$

where \({\varvec{e}}_q \in \{0, 1\}^{B}\) such that \({\varvec{e}}_q[\eta ] = 1\) if \(\eta = q\); 0 otherwise.

7. It generates the IPFE secret-keys

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{SK}}_q&\leftarrow {\textsf {IPFE.KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_q]\!]_2) \\ {\textsf{IPFE}}.{\textsf{SK}}_{q, j, t}&\leftarrow {\textsf {IPFE.KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_{q, j, t}]\!]_2) \text { for } j \in [m_q], t \in [n^{\prime }]\\ \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{q, m_q+1, t}&\leftarrow {\textsf {IPFE.KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{v}}_{q, m_q+1, t}]\!]_2) \text { for } t \in [n^{\prime }] \end{aligned}$$
8. Finally, it returns the secret-key

$$\begin{aligned} {\textsf{SK}}_{f_q, {\varvec{y}}_q} = ({\textsf{IPFE}}.{\textsf{SK}}_q, \{{\textsf{IPFE}}.{\textsf{SK}}_{q, j, t}\}_{j \in [m_q], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{q, m_q+1, t}\}_{t \in [n^{\prime }]}). \end{aligned}$$

Let \(Q_{{\textsf {pre}}}\) be the total number of secret-key queries made before the challenge query and hence without loss of generality we take \(B= Q_{{\textsf {pre}}}\).

Remark

Suppose the simulator only gets \([\![{\varvec{y}}_q]\!]_2\) instead of \({\varvec{y}}_q\). We observe that the components of \({\varvec{y}}_q\) are used to set \({\varvec{v}}_{q, 1, t}[{\textsf {extnd}}_{\kappa }^{(\iota )}]\) and \({\varvec{v}}_{q, 1, t}[{\textsf {extnd}}_{\kappa , 2}]\). Since the elements \(\varvec{\alpha }_q[\iota ], \widetilde{\alpha }_q\) and \(\nu _{q, t}\) are sampled by the simulator, it can compute \([\![{\varvec{v}}_{q, 1, t}[{\textsf {extnd}}_{\kappa }^{(\iota )}]]\!]_2 = \varvec{\alpha }_q[\iota ] \nu _{q, t} \cdot [\![{\varvec{y}}_q[\kappa ]]\!]_2\) and \([\![{\varvec{v}}_{q, 1, t}[{\textsf {extnd}}_{\kappa , 2}]]\!]_2 = \widetilde{\alpha }_q \nu _{q, t} \cdot [\![{\varvec{y}}_q[\kappa ]]\!]_2\). The simulator only needs to know \([\![{\varvec{v}}_{q, 1, t}]\!]_2\) in order to generate \({\textsf{IPFE}}.{\textsf{SK}}_{q, 1, t}\). In this context, we write \({\textsf{KeyGen}}^*_0({\textsf{MSK}}, (f_q, [\![{\varvec{y}}_q]\!]_2)) = {\textsf{KeyGen}}^*_0({\textsf{MSK}}, (f_q, {\varvec{y}}_q))\) for all \(q \in [Q_{{\textsf {pre}}}]\). We emphasize that this fact is crucial for the security analysis of the unbounded slot scheme.

On input \({\textsf{MPK}}, {\textsf{MSK}}\), a vector \({\varvec{x}}^* \in {\mathbb {Z}}_p^n\) and a set \({\mathcal {V}} = \{(f_q, f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^*+{\varvec{y}}_q^{\top }{\varvec{w}}^*) : q \in [Q_{{\textsf {pre}}}]\}\) the simulator executes the following steps:

1. It samples a dummy vector \(({\varvec{d}}_1 || {\varvec{d}}_2||{\varvec{d}}_3) \in {\mathbb {Z}}_p^{n^{\prime }+k+Q_{{\textsf {pre}}}}\) from the set

$$\begin{aligned} {\mathcal {D}} = \left\{ ({\varvec{d}}_1 || {\varvec{d}}_2 || {\varvec{d}}_3) \in {\mathbb {Z}}_p^{n^{\prime }+k+Q_{{\textsf {pre}}}}: \begin{array}{r} f_q({\varvec{x}}^*)^{\top }{\varvec{d}}_1 + {\varvec{y}}_q^{\top }{\varvec{d}}_2 + {\varvec{e}}_q^{\top } {\varvec{d}}_3 = \mu _q \\ \text { for all } q \in [Q_{{\textsf {pre}}}] \end{array}\right\} \end{aligned}$$

where \(\mu _q = f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* + {\varvec{y}}_q^{\top }{\varvec{w}}^*\). The sampling procedure works as follows. First, the simulator selects two random vectors \({\varvec{d}}_1 \in {\mathbb {Z}}_p^{n^{\prime }}, {\varvec{d}}_2 \leftarrow {\mathbb {Z}}_p^k\) and sets \(\sigma _q = \mu _q - f_q({\varvec{x}}^*)^{\top }{\varvec{d}}_1 - {\varvec{y}}_q^{\top } {\varvec{d}}_2 \in {\mathbb {Z}}_p\). Then, it sets \({\varvec{d}}_3[\eta ] = \sigma _{\eta }\) (see Footnote 2) for all \(\eta \in [Q_{{\textsf {pre}}}]\). Therefore, one may observe that \(f_q({\varvec{x}}^*)^{\top } {\varvec{d}}_1 + {\varvec{y}}_q^{\top } {\varvec{d}}_2 + {\varvec{e}}_q^{\top } {\varvec{d}}_3 = \mu _q\) for all \(q \in [Q_{{\textsf {pre}}}]\).

2. Next, it sets the following vectors:

$$\begin{array}{|c|c|c|c|}
\hline
\text {vector} & {\textsf {const}}^{(\iota )} & {\textsf {coef}}^{(\iota )}_i & {\textsf {extnd}}^{(\iota )}_{\kappa } \\
\hline
{\varvec{u}} & 0 & 0 & 0 \\
\hline
\end{array}$$

$$\begin{array}{|c|c|c|c|c|c|c|c|c|}
\hline
\text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {extnd}}_{\kappa , 1} & {\textsf {extnd}}_{\kappa , 2} & {\textsf {extnd}}_{\kappa } & {\textsf {query}}_{\eta } & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\
\hline
{\varvec{u}} & 1 & {\varvec{x}}^*[i] & 0 & {\varvec{d}}_2[\kappa ] & 0 & {\varvec{d}}_3[\eta ] & 0 & 0 \\
\hline
\end{array}$$

and for all \(t \in [n^{\prime }]\)

$$\begin{array}{|c|c|c|c|c|c|c|c|c|c|}
\hline
\text {vector} & \widehat{{\textsf {const}}}^{(\iota )} & \widehat{{\textsf {coef}}}^{(\iota )} & \widehat{{\textsf {const}}}_1 & \widehat{{\textsf {coef}}}_1 & \widehat{{\textsf {const}}}_2 & \widehat{{\textsf {coef}}}_2 & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}}^* \\
\hline
{\varvec{h}}_{ t} & 0 & 0 & 1 & 0 & -1 & {\varvec{d}}_1[t] & 0 & 0 & 0 \\
\hline
\end{array}$$

3. It encrypts the vectors as

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{CT}}\leftarrow {\textsf {IPFE.Enc}}({\textsf{IPFE}}.{\textsf{MPK}}, [\![{\varvec{u}}]\!]_1)&\\ \widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t \leftarrow {\textsf {IPFE.Enc}}(\widehat{{\textsf{IPFE}}.{\textsf{MPK}}}, [\![{\varvec{h}}_t]\!]_1)&\text { for } t \in [n^{\prime }] \end{aligned}$$
4. It returns the ciphertext as \({\textsf{CT}}^* = ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\).
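The following added example (not taken from the paper) checks the interplay between the pre-challenge key simulator and the dummy vector sampled in step 1: each simulated pre-challenge key, decrypted against the simulated ciphertext, yields exponents with \(\zeta = \rho \cdot \mu _q\), although the sampler only sees \(\mu _q\) and never \({\varvec{z}}^*, {\varvec{w}}^*\). The toy prime, all helper names, the modelling of \(f_q({\varvec{x}}^*)\) as a given vector, and the use of AKGS correctness as a black box (Eval on the labels of a garbled value returns that value) are assumptions of the example; all arithmetic is done on exponents in \({\mathbb {Z}}_p\).

```python
import secrets

P = 2**61 - 1  # toy prime standing in for the group order p (assumption)


def rand_vec(n):
    return [secrets.randbelow(P) for _ in range(n)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % P


def shares(n, total):
    """n uniform elements of Z_p constrained to sum to `total` mod p."""
    head = rand_vec(n - 1)
    return head + [(total - sum(head)) % P]


def make_query(z_star, w_star):
    """Constructed key query (f_q(x*), y_q, mu_q).

    f_q(x*) is modelled as a random vector in Z_p^{n'}; only the challenger
    knows z*, w* and hands out mu_q = f_q(x*)^T z* + y_q^T w*.
    """
    fx, y = rand_vec(len(z_star)), rand_vec(len(w_star))
    return fx, y, (dot(fx, z_star) + dot(y, w_star)) % P


def sample_dummy(queries, n_prime, k):
    """Step 1 of the ciphertext simulator: (d1 || d2 || d3) from the set D.

    `queries` lists the pre-challenge triples (f_q(x*), y_q, mu_q);
    z* and w* are not inputs.
    """
    d1, d2 = rand_vec(n_prime), rand_vec(k)
    # sigma_q = mu_q - f_q(x*)^T d1 - y_q^T d2 goes into slot query_q
    d3 = [(mu - dot(fx, d1) - dot(y, d2)) % P for fx, y, mu in queries]
    return d1, d2, d3


def simulated_decrypt(q, query, dummy):
    """Exponents (rho, zeta) when the q-th simulated pre-challenge key
    is decrypted against the simulated ciphertext."""
    fx, y, _ = query
    d1, d2, d3 = dummy
    n_prime = len(fx)
    alpha = secrets.randbelow(P)   # \tilde{alpha}_q
    beta = shares(n_prime, 0)      # \tilde{beta}_{q,t}, summing to 0
    nu = shares(n_prime, 1)        # nu_{q,t}, summing to 1
    rho = alpha                    # v_q[const] * u[const] = alpha * 1
    zeta = 0
    for t in range(n_prime):
        # Eval on the labels: the ciphertext supplies d1[t] in place of z*[t]
        garbled = (alpha * d1[t] * fx[t] + beta[t]) % P
        # extnd_{kappa,2} slots meet d2, query_eta slots meet d3 (e_q picks d3[q])
        psi = alpha * nu[t] * (dot(y, d2) + d3[q]) % P
        zeta = (zeta + garbled + psi) % P
    return rho, zeta


def uncovered_residue(query, dummy):
    """sigma for a query that has no query_eta slot in d3.

    Nonzero except with probability 1/p: the dummy vector only answers the
    Q_pre queries it was sampled for. Post-challenge keys do not rely on it
    and take mu_q through SimGarble instead.
    """
    fx, y, mu = query
    d1, d2, _ = dummy
    return (mu - dot(fx, d1) - dot(y, d2)) % P


if __name__ == "__main__":
    n_prime, k, q_pre = 3, 2, 4
    z_star, w_star = rand_vec(n_prime), rand_vec(k)   # hidden challenge
    pre = [make_query(z_star, w_star) for _ in range(q_pre)]
    dummy = sample_dummy(pre, n_prime, k)
    for q, query in enumerate(pre):
        rho, zeta = simulated_decrypt(q, query, dummy)
        print(q, zeta == rho * query[2] % P)
    print("late query residue:", uncovered_residue(make_query(z_star, w_star), dummy))
```
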

On input \({\textsf{MSK}}^*\), \({\varvec{x}}^* \in {\mathbb {Z}}_p^n\), a function \(f_q = (f_{q, 1}, \ldots , f_{q, n^{\prime }}) \in {\mathcal {F}}_{{\textsf{ABP}}}^{(n, n^{\prime })}\), a vector \({\varvec{y}}_q \in {\mathbb {Z}}_p^k\) for \(q \in [Q_{{\textsf {pre}}}+1, Q]\) and \((f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* + {\varvec{y}}_q^{\top }{\varvec{w}}^*) \in {\mathbb {Z}}_p\) the simulator proceeds as follows:

Setting Public Positions:

1. The simulator sets the public positions at the indexes in \(S_{{\textsf {pub}}}, {{\widehat{S}}}_{{\textsf {pub}}}\) of the vectors \({\varvec{v}}_q\) and \({\varvec{v}}_{q, j, t}\) analogous to \({\textsf {KeyGen}}^*_0({\textsf{MSK}}^*, (f_q, {\varvec{y}}_q))\).

Setting Private Positions:

2. First, it samples random elements \({\widetilde{\alpha }}_q , \widetilde{\beta }_{q, t} \leftarrow {\mathbb {Z}}_p\), for \(t \in [n^{\prime }]\), satisfying \(\sum _{t \in [n^{\prime }]} \widetilde{\beta }_{q, t} = 0\) and then runs the simulator of the AKGS to obtain

figure k
3. Next, it fills the private positions at the indices in \(S_{{\textsf {priv}}}, {{\widehat{S}}}_{{\textsf {priv}}}\) as follows

$$\begin{array}{|c|c|c|c|c|c|c|c|c|}
\hline
\text {vector} & {\textsf {const}} & {\textsf {coef}}_i & {\textsf {extnd}}_{\kappa , 1} & {\textsf {extnd}}_{\kappa , 2} & {\textsf {extnd}}_{\kappa } & {\textsf {query}}_{\eta } & {\textsf {sim}}_{\tau } & {\textsf {sim}}_{\tau }^* \\
\hline
{\varvec{v}}_q & {\widetilde{\alpha }}_q & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
{\varvec{v}}_{q, j, t} & \widehat{\ell }_{q, j, t} & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
\hline
\end{array}$$

for all \(j \in [m_q]\) and \(t \in [n^{\prime }]\); and

$$\begin{array}{|c|c|c|c|c|c|c|c|}
\hline
\text {vector} & \widehat{{\textsf {const}}}_1 & \widehat{{\textsf {coef}}}_1 & \widehat{{\textsf {const}}}_2 & \widehat{{\textsf {coef}}}_2 & \widehat{{\textsf {const}}} & \widehat{{\textsf {coef}}} & \widehat{{\textsf {sim}}}^* \\
\hline
{\varvec{v}}_{q, m_q+1, t} & \widehat{\ell }_{q, m_q+1, t} & 0 & 0 & 0 & 0 & 0 & 0 \\
\hline
\end{array}$$

for all \(t \in [n^{\prime }]\).

4. It generates the IPFE secret-keys

$$\begin{aligned} {\textsf{IPFE}}.{\textsf{SK}}_q \leftarrow {\textsf {IPFE.KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_q]\!]_2)&\\ {\textsf{IPFE}}.{\textsf{SK}}_{q, j, t} \leftarrow {\textsf {IPFE.KeyGen}}({\textsf{IPFE}}.{\textsf{MSK}}, [\![{\varvec{v}}_{q, j, t}]\!]_2)&\text { for } j \in [m_q], t \in [n^{\prime }]\\ \widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{q, m_q+1, t} \leftarrow {\textsf {IPFE.KeyGen}}(\widehat{{\textsf{IPFE}}.{\textsf{MSK}}}, [\![{\varvec{v}}_{q, m_q+1, t}]\!]_2)&\text { for } t \in [n^{\prime }] \end{aligned}$$
5. It outputs the secret-key \({\textsf{SK}}_{f_q, {\varvec{y}}_q} = ({\textsf{IPFE}}.{\textsf{SK}}_q, \{{\textsf{IPFE}}.{\textsf{SK}}_{q, j, t}\}_{j \in [m_q], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{q, m_q+1, t}\}_{t \in [n^{\prime }]})\).

Remark

Suppose the simulator is provided with \((f_q, [\![{\varvec{y}}_q]\!]_2)\) as secret-key query and it only knows \([\![f_q({\varvec{x}}^*)^{\top } {\varvec{z}}^* + {\varvec{y}}_q^{\top }{\varvec{w}}^*]\!]_2 = [\![\mu _q]\!]_2\). Then, it can simulate the public positions using \( [\![{\varvec{y}}_q]\!]_2\) as described at the end of the description of \({\textsf{KeyGen}}_0^*(\cdot )\). Now, for private positions, the simulator samples \(\widetilde{\alpha }_q , \widetilde{\beta }_{q, t} \leftarrow {\mathbb {Z}}_p\) (as above) and computes \(\widetilde{\alpha }_q \cdot [\![\mu _q]\!]_2 = [\![\widetilde{\alpha }_q \mu _q]\!]_2\). Next, it employs the simulator of AKGS as follows:

$$\begin{aligned} ({\widehat{\ell }}_{q, 1, 1}, \ldots , {\widehat{\ell }}_{q, m_q, 1}, {\widehat{\ell }}_{q, m_q+1, 1})&\leftarrow {\textsf {SimGarble}}(f_{q, 1}, {\varvec{x}}^*, [\![\widetilde{\alpha }_q \mu _q + \widetilde{\beta }_{q, 1}]\!]_2)\\ ({\widehat{\ell }}_{q, 1, t}, \ldots , {\widehat{\ell }}_{q, m_q, t}, {\widehat{\ell }}_{q, m_q+1, t})&\leftarrow {\textsf {SimGarble}}(f_{q, t}, {\varvec{x}}^*, [\![\widetilde{\beta }_{q, t}]\!]_2)~~ \text { for } 1< t \le n^{\prime }. \end{aligned}$$

Thus, the vectors \({\varvec{v}}_{q, j, t}\) for all \(j \in [m_q]\) are available in the exponent of source group \({\mathbb {G}}_2\) and hence the simulator successfully executes key generation of IPFE with \([\![{\varvec{v}}_{q, j, t}]\!]_2\). We express it by writing \({\textsf{KeyGen}}^*_1({\textsf{MSK}}^*, {\varvec{x}}^*, (f_q, [\![{\varvec{y}}_q]\!]_2), [\![\mu _q]\!]_2) = {\textsf{KeyGen}}^*_1({\textsf{MSK}}^*, {\varvec{x}}^*, (f_q, {\varvec{y}}_q), \mu _q)\) and note that this fact is, in particular, useful for the security analysis of our unbounded slot scheme.

5.3 Hybrids and reductions

Fig. 4 Structure of the hybrid reduction proving Theorem 5

Proof

We use a sequence of hybrid experiments to establish the indistinguishability between the real experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Real}},{\textsf {extFE}}}(1^{\lambda })\) and the ideal experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Ideal}},{\textsf {extFE}}}(1^{\lambda })\) where \({\mathcal {A}}\) is any PPT adversary. The overall hybrid reduction is shown in Fig. 4. In each experiment, \({\mathcal {A}}\) can make a polynomial number of secret-key queries for pairs \((f, {\varvec{y}}) \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n,n^{\prime })} \times {\mathbb {Z}}_p^k\), both before and after submitting the challenge message \(({\varvec{x}}^*, {\varvec{z}}^*||{\varvec{w}}^*) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }+k}\). Let Q be the total number of secret-key queries and \(B= Q_{{\textsf {pre}}}\) \((\le Q)\) be the number of secret-keys queried before submitting the challenge message. We denote the q-th secret-key by \({\textsf{SK}}_{f_q, {\varvec{y}}_q}\) corresponding to a function \(f_q\) and a vector \({\varvec{y}}_q\). For ease of presentation, we write the vector elements sitting in the public slots in blue color and the vector elements sitting in the private slots in red color. More precisely, we do this so that while describing the hybrid games, we sometimes omit the public parts of the vectors and write down only the private parts when the changes occur only in the private parts. Now, we describe the hybrids as follows:

Hybrid \({\textsf {H}}_0\): This is the real experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Real}},{\textsf {extFE}}}(1^{\lambda })\) defined in Definition 4 (with single slot, i.e., \(N = 1\)). The q-th secret-key \({\textsf{SK}}_{f_q, {\varvec{y}}_q} = ({\textsf{IPFE}}.{\textsf{SK}}_q, \{{\textsf{IPFE}}.{\textsf{SK}}_{q, j, t}\}_{j \in [m_q], t \in [n^{\prime }]}, \{\widehat{{\textsf{IPFE}}.{\textsf{SK}}}_{q, m_q+1, t}\}_{t \in [n^{\prime }]})\) is computed using the vectors \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}\) given by

for \(j \in [2, m_q]\) and \(t \in [n^{\prime }]\). Note that \(\varvec{\alpha }_q\) and \({\varvec{r}}^{(\iota )}_{q, t}\) are random vectors sampled from \({\mathbb {Z}}_p^k\) and \({\mathbb {Z}}_p^{m_q}\) respectively. The integers \(\nu _{q,t}\) for \(t \in [n^{\prime }]\) are picked randomly from \({\mathbb {Z}}_p\) such that \(\sum _{t \in [n^{\prime }]} \nu _{q, t} = 1\). For all \(t \in [n^{\prime }]\), the garblings are computed as

$$\begin{aligned} ({\varvec{\ell }}_{q, 1, t}^{(\iota )}, \ldots , {\varvec{\ell }}_{q, m_q, t}^{(\iota )}, {\varvec{\ell }}_{q, m_q+1, t}^{(\iota )}) \leftarrow {\textsf {Garble}}(\varvec{\alpha }_q[\iota ] \varvec{z^*}[t] f_{q, t}({\varvec{x}}^*) + \varvec{\beta }_{q, t}[\iota ]; {\varvec{r}}^{(\iota )}_{q, t}) \end{aligned}$$

where \(f_q = (f_{q, 1}, \ldots , f_{q, n^{\prime }})\) and \(\varvec{\beta }_{q, t} \leftarrow {\mathbb {Z}}_p^k\) with \(\sum _{t \in [n^{\prime }]} \varvec{\beta }_{q, t}[\iota ] = 0 ~ \forall \iota \in [k]\). The challenge ciphertext \({\textsf{CT}}^* = ({\textsf{IPFE}}.{\textsf{CT}}, \{\widehat{{\textsf{IPFE}}.{\textsf{CT}}}_t\}_{t \in [n^{\prime }]})\) corresponding to the challenge vectors \(({\varvec{x}}^*, {\varvec{z}}^*||{\varvec{w}}^*) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }+k}\) is computed using the vectors \({\varvec{u}}\) and \({\varvec{h}}_t\) given by

for \(t\in [n^{\prime }]\) and \({\varvec{s}} \leftarrow {\mathbb {Z}}_p^k\). Note that, in the real experiment, \({\textsf{CT}}^*\) is computed using IPFE.SlotEnc and therefore the elements sitting at the indices in \(S_{{\textsf {priv}}}\) are set as \(\perp \) for the vectors \({\varvec{u}}\) and \({\varvec{h}}_t\).

Hybrid \({\textsf {H}}_1\): It is exactly the same as hybrid \({\textsf {H}}_0\) except that, instead of using IPFE.SlotEnc, the challenge ciphertext \({\textsf{CT}}^*\) is generated by applying IPFE.Enc, which uses \({\textsf{MSK}}= ({\textsf{IPFE}}.{\textsf{MSK}}, \widehat{{\textsf{IPFE}}.{\textsf{MSK}}})\) to encrypt the vectors. We indicate this change by changing the private positions of \({\varvec{u}}\) and \({\varvec{h}}_t\) from \(\perp \) to 0. Thus the vectors \({\varvec{u}}\) and \({\varvec{h}}_t\) become

The slot-mode correctness of IPFE guarantees that the two hybrids \({\textsf {H}}_0\) and \({\textsf {H}}_1\) are identically distributed.

Hybrid \({\textsf {H}}_2\): This hybrid is similar to \({\textsf {H}}_1\) except that in the private slots of the vectors \({\varvec{v}}_{q, j, t}\) we put a garbling that linearly combines k garblings (of the public slots) with weight vector \({\varvec{s}} \in {\mathbb {Z}}_p^k\) and in the private slots of the vector \({\varvec{v}}_q\) we use a single random element combining the weight vector \({\varvec{s}}\). Accordingly, we modify the challenge ciphertext \({\textsf{CT}}^*\) by omitting the weight vector \({\varvec{s}}\) and setting the public slots of the vectors \({\varvec{u}}, {\varvec{h}}_t\) to zero so that the inner products computed at the time of decryption remain the same as in the previous hybrid.

In \({\textsf {H}}_1\), the public slots of the vectors \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}\) are occupied by vectors \(\varvec{\alpha }_q \in {\mathbb {Z}}_p^k, \nu _{q,t} \in {\mathbb {Z}}_p\) for \(t \in [n^{\prime }]\) and the garblings \({\varvec{\ell }}^{(\iota )}_{q, j, t}\) computed using randomness \({\varvec{r}}_{q, t}^{(\iota )} \in {\mathbb {Z}}_p^{m_q}\). In the public slots of the vectors \({\varvec{u}}, {\varvec{h}}_t\), we use \(({\varvec{s}}[\iota ], {\varvec{s}}[\iota ]{\varvec{x}}^*[i]), (-{\varvec{s}}[\iota ], {\varvec{s}}[\iota ]{\varvec{z}}^*[t])\) respectively. Therefore, at the time of decryption we recover \([\![\rho _q]\!]_T, [\![\ell _{q, j, t}]\!]_T\) such that

$$\begin{aligned} \rho _q&= {\varvec{\alpha }_q} \cdot {{\varvec{s}}} = {\overline{\alpha }}_q \text { (say), } \\ \ell _{q, 1, t}&= {({\varvec{\ell }}^{(1)}_{q, 1, t}, \ldots , {\varvec{\ell }}^{(k)}_{q, 1, t})} \cdot {({\varvec{s}}[1](1, {\varvec{x}}^*), \ldots , {\varvec{s}}[k](1, {\varvec{x}}^*))} + {\varvec{\alpha }} \cdot {{\varvec{s}}} \cdot {\varvec{y}}^{\top }{\varvec{w}}\cdot \nu _{q, t}\\&= {({\varvec{s}}[1]{\varvec{\ell }}^{(1)}_{q, 1, t}, \ldots , {\varvec{s}}[k]{\varvec{\ell }}^{(k)}_{q, 1, t})} \cdot {((1, {\varvec{x}}^*), \ldots , (1, {\varvec{x}}^*))} + {\overline{\alpha }}_q \cdot {\varvec{y}}^{\top }{\varvec{w}}\cdot \nu _{q, t}\\&= {\overline{{\varvec{\ell }}}_{q, 1, t}} \cdot {(1, {\varvec{x}}^*)} + {\overline{\alpha }}_q \cdot {\varvec{y}}^{\top }{\varvec{w}}\cdot \nu _{q, t}\\ \ell _{q, j, t}&= {({\varvec{\ell }}^{(1)}_{q, j, t}, \ldots , {\varvec{\ell }}^{(k)}_{q, j, t})} \cdot {({\varvec{s}}[1](1, {\varvec{x}}^*), \ldots , {\varvec{s}}[k](1, {\varvec{x}}^*))} \\&= {\overline{{\varvec{\ell }}}_{q, j, t}} \cdot {(1, {\varvec{x}}^*)} \end{aligned}$$

where \(\overline{{\varvec{\ell }}}_{q, j, t} = \sum _{\iota \in [k]} {\varvec{s}}[\iota ] {\varvec{\ell }}^{(\iota )}_{q, j, t}\) for all \(j \in [2, m_q]\) and \(t \in [n^{\prime }]\). Similarly, the \((m_q+1)\)-th garbling returns

$$\begin{aligned} \ell _{q, m_q+1, t}&= {(({\varvec{r}}^{(1)}_{q, t}[m_q], \varvec{\alpha }_q[1]), \ldots , ({\varvec{r}}^{(k)}_{q, t}[m_q], \varvec{\alpha }_q[k]))} \cdot {({\varvec{s}}[1](-1, {\varvec{z}}^*[t]), \ldots , {\varvec{s}}[k](-1, {\varvec{z}}^*[t]))}\\&= {({\varvec{s}}[1]({\varvec{r}}^{(1)}_{q, t}[m_q], \varvec{\alpha }_q[1]), \ldots , {\varvec{s}}[k]({\varvec{r}}^{(k)}_{q, t}[m_q], \varvec{\alpha }_q[k]))} \cdot {((-1, {\varvec{z}}^*[t]), \ldots , (-1, {\varvec{z}}^*[t]))}\\&= {(\overline{{\varvec{r}}}_{q, t}[m_q], {\overline{\alpha }}_q)} \cdot {(-1, {\varvec{z}}^*[t])} \end{aligned}$$

where \(\overline{{\varvec{r}}}_{q, t}[m_q] = \sum _{\iota \in [k]} {\varvec{s}}[\iota ] {\varvec{r}}^{(\iota )}_{q, t}[m_q]\). In \({\textsf {H}}_2\), we use \({\overline{\alpha }}_q, \overline{{\varvec{\ell }}}_{q, j, t}\) and \(\overline{{\varvec{r}}}_{q, t}[m_q]\) in the private slots of the vectors \({\varvec{v}}_q\) and \({\varvec{v}}_{q, j, t}\) as described below

Since the weight vector \({\varvec{s}}\) is not required to generate the challenge ciphertext \({\textsf{CT}}^*\), we omit using it in the vectors \({\varvec{u}}\) and \({\varvec{h}}_t\). Moreover, the public slots of \({\varvec{u}}\) and \({\varvec{h}}_t\) are set to zero as the inner product is computed through the private slots only. We describe the changes below.

Finally, we observe that the inner products \({{\varvec{v}}_q} \cdot {{\varvec{u}}}, {{\varvec{v}}_{q, j, t}} \cdot {{\varvec{u}}}\) and \({{\varvec{v}}_{q, m_q+1, t}} \cdot {{\varvec{h}}_t}\) remain the same as in \({\textsf {H}}_1\). Thus, the function hiding property of IPFE preserves the indistinguishability between the hybrids \({\textsf {H}}_1\) and \({\textsf {H}}_2\).

Note that, in this hybrid we pick \(\varvec{\alpha }_q, \varvec{\beta }_{q, t}, {\varvec{s}} \leftarrow {\mathbb {Z}}_p^k, \nu _{q,t} \leftarrow {\mathbb {Z}}_p\) and \({\varvec{r}}_{q, t}^{(\iota )} \leftarrow {\mathbb {Z}}_p^{m_q}\) for all \(t \in [n^{\prime }], \iota \in [k]\) satisfying \(\sum _{t \in [n^{\prime }]}\varvec{\beta }_{q, t}[\iota ] = 0\) for each \(\iota \in [k]\) and \(\sum _{t \in [n^{\prime }]} \nu _{q, t} = 1\). Then, the linearity of the Garble algorithm allows us to write

$$\begin{aligned} (\overline{{\varvec{\ell }}}_{q, 1, t}, \ldots , \overline{{\varvec{\ell }}}_{q, m_q, t}, \overline{{\varvec{\ell }}}_{q, m_q+1, t}) \leftarrow {\textsf {Garble}}({\overline{\alpha }}_q {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + {\overline{\beta }}_{q, t}; \overline{{\varvec{r}}}_{q, t}) \end{aligned}$$

where \(\overline{{\varvec{\ell }}}_{q, j, t} = \sum _{\iota \in [k]} {\varvec{s}}[\iota ] {\varvec{\ell }}^{(\iota )}_{q, j, t}, \overline{{\varvec{r}}}_{q, t} = \sum _{\iota \in [k]} {\varvec{s}}[\iota ] {\varvec{r}}^{(\iota )}_{q, t}\) and \({\overline{\beta }}_{q, t} = {\varvec{\beta }_{q, t}} \cdot {{\varvec{s}}}\).

From the next hybrid onward the public slots of the vectors \({\varvec{v}}_q\) and \({\varvec{v}}_{q, j, t}\) are unaltered for all \(q \in [Q], j \in [k]\) and \(t \in [n^{\prime }]\). Therefore, we only write the components sitting in the private slots of the vectors \({\varvec{v}}_q\) and \({\varvec{v}}_{q, j, t}\) assuming that the components of public slots are the same as in the real experiment. We denote the private slots of the vectors by \({\varvec{v}}_q|_{S_{{\textsf {priv}}}}, {\varvec{v}}_{q, j, t}|_{S_{{\textsf {priv}}}}\) and \({\varvec{v}}_{q, m_q+1, t}|_{\widehat{S}_{{\textsf {priv}}}}\).

Hybrid \({\textsf {H}}_3\) It is analogous to \({\textsf {H}}_2\) except the linear combinations \({\overline{\alpha }}_q, \overline{{\varvec{\ell }}}_{q, j, t}, \overline{{\varvec{r}}}_{q, t}\) in the private slots of the vectors \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}, {\varvec{v}}_{q, m_q+1, t}\) are replaced with freshly and independently generated random values and garblings \({\widetilde{\alpha }}_q, \widetilde{{\varvec{\ell }}}_{q, j, t}, \widetilde{{\varvec{r}}}_{q, t}\). More specifically, we sample random elements \({\widetilde{\alpha }}_q, {\widetilde{\beta }}_{q, t} \leftarrow {\mathbb {Z}}_p\) for all \(t \in [n^{\prime }]\) such that \(\sum _{t \in [n^{\prime }]} {\widetilde{\beta }}_{q, t} = 0\) and a vector \(\overline{{\varvec{r}}}_{q, t} \leftarrow {\mathbb {Z}}_p^{m_q}\). Then, the garblings are computed as

$$\begin{aligned} (\widetilde{{\varvec{\ell }}}_{q, 1, t}, \ldots , \widetilde{{\varvec{\ell }}}_{q, m_q, t}, \widetilde{{\varvec{\ell }}}_{q, m_q+1, t}) \leftarrow {\textsf {Garble}}({\widetilde{\alpha }}_q {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + {\widetilde{\beta }}_{q, t}; \widetilde{{\varvec{r}}}_{q, t}) \end{aligned}$$

for all \(t \in [n^{\prime }]\). The vectors involved in the computation of \({\textsf{SK}}_{f_q, {\varvec{y}}_q}\) are as follows:

Recall that in \({\textsf {H}}_2\), the following linear combinations

$$\begin{aligned} {\overline{\alpha }}_q = {\varvec{\alpha }_q} \cdot {{\varvec{s}}},~~ {\overline{\beta }}_{q, t} = {\varvec{\beta }_{q, t}} \cdot {{\varvec{s}}},~~ \overline{{\varvec{r}}}_{q, t} = \sum _{\iota \in [k]} {\varvec{s}}[\iota ] {\varvec{r}}^{(\iota )}_{q, t} \end{aligned}$$

with a common weight vector \({\varvec{s}}\) have been used to set \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}\). On the other hand, in \({\textsf {H}}_3\) fresh and independent random elements \({\widetilde{\alpha }}_q, {\widetilde{\beta }}_{q, t}, \widetilde{{\varvec{r}}}_{q, t}\) are used to compute \({\textsf{SK}}_{f_q, {\varvec{y}}_q}\). Note that the elements of the vectors \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}\) are only used in the exponent of the source group \({\mathbb {G}}_2\) while generating the IPFE secret-keys. Let us consider the matrix \({\textbf{A}}_{q, t} = (\varvec{\alpha }_q | \varvec{\beta }_{q, t} | ({\textbf{R}}_{q, t})^{\top }) \in {\mathbb {Z}}_p^{k \times (m_q+1)}\) where \({\textbf{R}}_{q, t} = ({\varvec{r}}^{(1)}_{q, t} | \ldots | {\varvec{r}}^{(k)}_{q, t}) \in {\mathbb {Z}}_p^{m \times k}\). Since the matrix \({\textbf{A}}_{q, t}\) is uniformly chosen from \({\mathbb {Z}}_p^{k \times (m_q+1)}\) and \({\varvec{s}}\) is uniform over \({\mathbb {Z}}_p^k\), by the \({\textsf {MDDH}}_{k}\) assumption in group \({\mathbb {G}}_2\) we have

$$\begin{aligned} (\underbrace{[\![{\textbf{A}}_{q, t}]\!]_2, [\![{\textbf{A}}_{q, t}^{\top }{\varvec{s}}]\!]}_{\text { in } {\textsf {H}}_2}) \approx (\underbrace{[\![{\textbf{A}}_{q, t}]\!]_2, [\![({\widetilde{\alpha }}_q, {\widetilde{\beta }}_{q, t}, \widetilde{{\varvec{r}}}_{q, t})]\!]_2}_{\text { in } {\textsf {H}}_3}) \end{aligned}$$

holds for all \(q \in [Q]\) and \(t \in [n^{\prime }]\). Hence, the two hybrids \({\textsf {H}}_2\) and \({\textsf {H}}_3\) are indistinguishable under the \({\textsf {MDDH}}_{k}\) assumption.

We have completed the first phase of our security analysis, as the private slots of the vectors associated to secret-keys and the challenge ciphertext are now computed as in our extended 1-FE scheme. From the next hybrid, we modify the vectors in such a way that all the pre-challenge secret-key queries decrypt the challenge ciphertext without using the slots of \({\varvec{u}}\) and \({\varvec{h}}_t\) where the challenge message \(({\varvec{x}}^*, {\varvec{z}}^*||{\varvec{w}}^*)\) is used.

Hybrid \({\textsf {H}}_4\) It proceeds similarly to hybrid \({\textsf {H}}_3\) except we change the vectors \({\varvec{u}}\) and \({\varvec{h}}_t\) for all \(t \in [n^{\prime }]\) which are used in the computation of the challenge ciphertext. After all the pre-challenge secret-key queries made by \({\mathcal {A}}\), a dummy vector \(({\varvec{d}}_1 || {\varvec{d}}_2 || {\varvec{d}}_3) \in {\mathbb {Z}}_p^{n^{\prime }+k+Q_{{\textsf {pre}}}}\) is picked from the set

$$\begin{aligned} {\mathcal {D}} = \{({\varvec{d}}_1 || {\varvec{d}}_2 || {\varvec{d}}_3) \in {\mathbb {Z}}_p^{n^{\prime }+k+Q_{{\textsf {pre}}}}: f_q({\varvec{x}}^*)^{\top }{\varvec{d}}_1 + {\varvec{y}}_q^{\top }{\varvec{d}}_2 + {\varvec{e}}_q^{\top } {\varvec{d}}_3 = \mu _q \text { for all } q \in [Q_{{\textsf {pre}}}]\} \end{aligned}$$

where \(\mu _q = f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* + {\varvec{y}}_q^{\top }{\varvec{w}}^*\). The sampling procedure is as described in the algorithm \({\textsf {Enc}}^*(\cdot )\). Then the vectors \({\varvec{u}}, {\varvec{h}}_t\) are defined as below.

Note that, these changes in \({\varvec{u}}\) and \({\varvec{h}}_t\) have no effect in the final inner product values of \({{\varvec{v}}_q} \cdot {{\varvec{u}}}, {{\varvec{v}}_{q, j, t}} \cdot {{\varvec{u}}}\) and \({{\varvec{v}}_{q, m_q+1, t}} \cdot {{\varvec{h}}_t}\). This is because the elements at the slots \(({\textsf {extnd}}_{\kappa , 2}, {\textsf {extnd}}_{\kappa })\) of the vectors \({\varvec{v}}_q, {\varvec{v}}_{q, j, t}\) \({\varvec{h}}_t\) and the elements at the slots (\(\widehat{{\textsf {const}}}_2, \widehat{{\textsf {coef}}}_2, \widehat{{\textsf {const}}}, \widehat{{\textsf {coef}}}\)) of the vector \({\varvec{v}}_{q, m_q+1, t}\) (where the changes take place in \({\varvec{u}}, {\varvec{h}}_t\)) are all zero. Therefore, by the function hiding property of IPFE the hybrids \({\textsf {H}}_3\) and \({\textsf {H}}_4\) remain indistinguishable to the adversary.

Hybrid \({\textsf {H}}_{5, q}\) It proceeds similarly to \({\textsf {H}}_4\) except that for each \(1 \le q^{\prime } \le q\), we modify the vectors \({\varvec{v}}_{q, 1, t}\) and \({\varvec{v}}_{q, m_q+1, t}\) as described below.

figure l

Note that, the post-challenge secret-key queries are still answered according to \({\textsf {H}}_4\). Observe that \({{\textsf{H}}}_{5,0}\) coincides with \({{\textsf{H}}}_4\). We will prove that \({{\textsf{H}}}_{5, (q-1)}\) and \({{\textsf{H}}}_{5,q}\) are indistinguishable via the following sequence of sub-hybrids, namely \(\{{{\textsf{H}}}_{5,q,1}, {{\textsf{H}}}_{5,q,2}, {{\textsf{H}}}_{5,q,3}\}\).

Hybrid \({\textsf {H}}_{5, q, 1}\) It is analogous to \({\textsf {H}}_{5, (q-1)}\) except that in the qth secret-key query the vectors \({\varvec{v}}_{q, 1, t}\) and \({\varvec{v}}_{q, m_q+1, t}\) are modified as follows. The element \(\widetilde{\alpha }_{q}{\varvec{y}}_{q}[\kappa ]\nu _{q, t}\) is shifted from \({\varvec{v}}_{q, 1, t}[{\textsf {extnd}}_{\kappa , 1}]\) to \({\varvec{v}}_{q, 1, t}[{\textsf {extnd}}_{\kappa }]\) and the elements \(\widetilde{{\varvec{r}}}_{q, t}[m_q], {\widetilde{\alpha }}_{q}\) are shifted from \({\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {const}}}_1], {\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {coef}}}_1]\) to \({\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {const}}}], {\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {coef}}}]\) respectively.

figure m

We observe that the inner products \({{\varvec{v}}_{q, 1, t}} \cdot {{\varvec{u}}}\) and \({{\varvec{v}}_{q, m_q+1, t}} \cdot {{\varvec{h}}_t}\) are unchanged by the modifications made to \({\varvec{v}}_{q, 1, t}\) and \({\varvec{v}}_{q, m_q+1, t}\). Therefore, the function hiding security of IPFE ensures that the hybrids \({\textsf {H}}_{5, (q-1)}\) and \({\textsf {H}}_{5, q, 1}\) are indistinguishable.

In this hybrid, the components of \({\varvec{v}}_{q, j, t}\) corresponding to the slots \(\{{\textsf {const}}, {\textsf {coef}}_i, {\textsf {extnd}}_{\kappa }, {\textsf {query}}_q, {\textsf {sim}}_{\tau }, {\textsf {sim}}_{\tau }^*\}\) and the components of \({\varvec{v}}_{q, m_q+1, t}\) corresponding to the slots \(\{\widehat{{\textsf {const}}}, \widehat{{\textsf {coef}}}, \widehat{{\textsf {sim}}}^*\}\) are exactly the same as in the secret-key of our extended 1-FE scheme. Similarly, in case of the challenge ciphertext, the components of \({\varvec{u}}\) at the positions \(\{{\textsf {const}}, {\textsf {coef}}_i, {\textsf {extnd}}_{\kappa }, {\textsf {query}}_q, {\textsf {sim}}_{\tau }, {\textsf {sim}}_{\tau }^*\}\) and the components of \({\varvec{h}}_{ t}\) at the positions \(\{\widehat{{\textsf {const}}}, \widehat{{\textsf {coef}}}, \widehat{{\textsf {sim}}}^*\}\) are also identical to the ciphertext of our extended 1-FE scheme.

Hybrid \({\textsf {H}}_{5, q, 2}\) It is exactly the same as \({\textsf {H}}_{5, q, 1}\) except that the components \({\varvec{u}}[{\textsf {extnd}}_{\kappa }], {\varvec{u}}[{\textsf {query}}_q]\) and \({\varvec{h}}_t[\widehat{{\textsf {coef}}}]\) are changed from \({\varvec{z}}^*[t], 0, {\varvec{w}}^*[\kappa ]\) to \({\varvec{d}}_1[t], \sigma _q, {\varvec{d}}_2[\kappa ]\) respectively. Thus, the secret key vectors and the vectors \({\varvec{u}}, {\varvec{h}}_t\) become

figure n

where \({\varvec{d}}_3^{\le q}[\eta ] = \sigma _q\) if \(\eta \le q\); 0 otherwise. The indistinguishability follows from the security of the 1-extFE scheme. We note that the security of our 1-extFE scheme relies on the function hiding security of IPFE and the security of AKGS. In particular, we use the security of IPFE and AKGS to reversely sample the first label and make all the other labels random as shown below

$$\begin{aligned} \widetilde{\ell }_{q, 1, 1}&\leftarrow {\textsf {RevSamp}}(f_{q, 1}, {\varvec{x}}^*, \widetilde{\alpha }_q f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* + {\varvec{y}}_q^{\top }{\varvec{w}}^* + \widetilde{\beta }_{q, 1}, \ell _{q, 2, 1}, \ldots , \ell _{q, m_q, 1})\\ \widetilde{\ell }_{q, 1, \tau }&\leftarrow {\textsf {RevSamp}}(f_{q, \tau }, {\varvec{x}}^*, \widetilde{\beta }_{q, \tau }, \ell _{q, 2, \tau }, \ldots , \ell _{q, m_q, \tau }) ~~~\text { for } 1< \tau < n^{\prime }, \end{aligned}$$

where \(\sum _{\tau \in [n^{\prime }]} \widetilde{\beta }_{q, \tau } = 0\) and \(\ell _{q, j, \tau }\) is picked randomly for all \(j \in [2, m_q]\). Then, the dummy vector \(({\varvec{d}}_1||{\varvec{d}}_2)\) replaces the challenge message \(({\varvec{z}}^*||{\varvec{w}}^*)\) and \({\varvec{d}}_3[q] = \sigma _q\) is added to the term \(\widetilde{\alpha }_q f_q({\varvec{x}}^*)^{\top }{\varvec{d}}_1 + {\varvec{y}}_q^{\top }{\varvec{d}}_2\) while computing \(\widetilde{\ell }_{q, 1, 1}\). Finally, we move in the reverse direction so that the vectors \({\varvec{v}}_{q, j, t}\) for all \(j \in [m_q]\) and \(t \in [n^{\prime }]\) are back in form as they were in \({\textsf {H}}_{5, q, 1}\) and \({\varvec{d}}_1[t], {\varvec{d}}_2[\kappa ]\) are placed at \({\varvec{h}}_t[\widehat{{\textsf {coef}}}], {\varvec{u}}[{\textsf {extnd}}_{\kappa }]\) respectively. Note that, the hybrids involved in our 1-extFE scheme uses the positions \({\textsf {sim}}_{\tau }, {\textsf {sim}}_{\tau }^*, \widehat{{\textsf {sim}}}, \widehat{{\textsf {sim}}}^*\) of the vectors \({\varvec{v}}_{q, j, t}, {\varvec{u}}\) and \({\varvec{h}}_t\), which does not affect the decryption using any post-challenge secret-key.

Hybrid \({\textsf {H}}_{5, q, 3}\) It proceeds analogously to \({\textsf {H}}_{5, q, 2}\) except that we change \({\varvec{v}}_{q, m_q+1, t}\) and \({\varvec{h}}_t\) as below. The element \(\widetilde{\alpha }_{q}{\varvec{y}}_{q}[\kappa ]\nu _{q, t}\) is shifted from \({\varvec{v}}_{q, 1, t}[{\textsf {extnd}}_{\kappa }]\) to \({\varvec{v}}_{q, 1, t}[{\textsf {extnd}}_{\kappa , 2}]\) and the elements \(\widetilde{{\varvec{r}}}_{q, t}[m_q], {\widetilde{\alpha }}_{q}\) are shifted from \({\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {const}}}], {\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {coef}}}]\) to \({\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {const}}}_2], {\varvec{v}}_{q, m_q+1, t}[\widehat{{\textsf {coef}}}_2]\) respectively.

figure o

Note that the inner products \({{\varvec{v}}_{q, 1, t}} \cdot {{\varvec{u}}}\) and \({{\varvec{v}}_{q, m_q+1, t}} \cdot {{\varvec{h}}_{t}}\) remain the same as in \({\textsf {H}}_{5, q, 2}\). Therefore, the hybrids \({\textsf {H}}_{5, q, 2}\) and \({\textsf {H}}_{5, q, 3}\) are indistinguishable due to the function hiding security of IPFE. We observe that \({\textsf {H}}_{5, q, 3}\) is identical to \({\textsf {H}}_{5, q}\) for all \(q \in [Q_{{\textsf {pre}}}]\).

Hybrid \({\textsf {H}}_6\) It is exactly the same as \({\textsf {H}}_{5, Q_{{\textsf {pre}}}}\) except that the elements \({\varvec{u}}[{\textsf {extnd}}_{\kappa }]\), \({\varvec{h}}_t[\widehat{{\textsf {const}}}]\) and \({\varvec{h}}_t[\widehat{{\textsf {coef}}}]\) are set to zero. We describe the vectors associated to secret-key queries and the challenge ciphertext below. Note that the post-challenge secret-key queries are released in the same way as in \({\textsf {H}}_4\) (or in \({\textsf {H}}_{5, Q_{{\textsf {pre}}}}\)).

figure p

Since the inner products \({{\varvec{v}}_{q, 1, t}} \cdot {{\varvec{u}}}\) and \({{\varvec{v}}_{q, m_q+1, t}} \cdot {{\varvec{h}}_{t}}\) are unaltered by the modification in this hybrid, the function hiding security of IPFE ensures indistinguishability between the hybrids \({\textsf {H}}_{5, Q_{{\textsf {pre}}}}\) and \({\textsf {H}}_6\).

The second part of the proof is completed as all the pre-challenge secret-keys are now able to decrypt the challenge ciphertext without the components of \({\varvec{u}}, {\varvec{h}}_t\) that make use of \({\varvec{z}}^*\) and \({\varvec{w}}^*\). Note that, \({\varvec{u}}[{\textsf {extnd}}_{\kappa , 1}] = {\varvec{w}}^*[\kappa ]\) and \({\varvec{h}}_t[\widehat{{\textsf {coef}}}_1] = {\varvec{z}}^*[t]\) are only needed for the successful decryption of the challenge ciphertext by post-challenge secret-keys. From the next hybrid we change the computation of post-challenge secret-keys so that the challenge ciphertext can be simulated without using \(({\varvec{z}}^*||{\varvec{w}}^*)\).

Hybrid \({\textsf {H}}_7\) This hybrid proceeds exactly as \({\textsf {H}}_{6}\) except that we use the honest labels \({\widetilde{\ell }}_{q, 1, t} = \widetilde{{\varvec{\ell }}}_{q, 1, t}({\varvec{x}}^*)\), \({\widetilde{\ell }}_{q, j, t} = \widetilde{{\varvec{\ell }}}_{q, j, t}({\varvec{x}}^*)\) for \(j \in [2, m_q]\) and \({\widetilde{\ell }}_{q, m_q+1, t} = -\widetilde{{\varvec{r}}}_{q, t}[m_q] + {\widetilde{\alpha }}_q {\varvec{z}}^*[t]\) while defining the vectors \({\varvec{v}}_{q, j, t}\) in all the post-challenge secret-key queries. Moreover, all the other private components \({\varvec{v}}_{q, j, t}[{\textsf {coef}}_i]\) and \({\varvec{v}}_{q, j, t}[{\textsf {extnd}}_{\kappa , 1}]\) are zero for all \(j \in [m_q]\). We also modify \({\varvec{u}}\) and \({\varvec{h}}_t\) of the challenge ciphertext as shown below.

figure q

Since the inner products \({{\varvec{v}}_{q, j, t}} \cdot {{\varvec{u}}}, {{\varvec{v}}_{q, m_q+1, t}} \cdot {{\varvec{h}}_t}\) for all \(q \in [Q_{{\textsf {pre}}}+1, Q]\) are the same as in the previous hybrid, the function hiding property of IPFE ensures that the hybrids \({\textsf {H}}_{6}\) and \({\textsf {H}}_7\) are indistinguishable.

Hybrid \({\textsf {H}}_8\): This hybrid proceeds analogously to \({\textsf {H}}_{7}\) except that the post-challenge secret-key queries use the simulated garblings instead of the honest garblings. More specifically, we sample \({\widetilde{\alpha }}_q, \widetilde{\beta }_{q, t}, \widetilde{\nu }_{q, t} \leftarrow {\mathbb {Z}}_p\) satisfying \(\sum _{t\in [n^{\prime }]} \widetilde{\beta }_{q, t} = 0, \sum _{t \in [n^{\prime }]} \widetilde{\nu }_{q, t} = 1\) and compute the simulated garblings

figure r

for all \(q \in [Q_{{\textsf {pre}}}+1, Q]\) and \(t \in [n^{\prime }]\). Then, the post-challenge secret-keys are generated using the vectors described below.

figure s

The simulated labels of AKGS are used in place of the actual garblings. The simulation security of AKGS implies that the hybrids \({\textsf {H}}_{7}\) and \({\textsf {H}}_8\) are indistinguishable.

Hybrid \({\textsf {H}}_9\): This proceeds exactly the same as \({\textsf {H}}_8\) except that the distribution of \(\{\widetilde{\beta }_{q, t}\}_{t \in [n^{\prime }]}\) is changed. We replace \(\widetilde{\beta }_{q, t}\) by \(\widetilde{\beta }_{q, t}^{\prime } = \widetilde{\beta }_{q, t} - \widetilde{\alpha }_q \cdot ({\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + \widetilde{\nu }_{q, t} \cdot {\varvec{y}}_q^{\top }{\varvec{w}}^*)\) for all \(1 < t \le n^{\prime }\) and replace the element \(\widetilde{\beta }_{q, 1}\) by \(\widetilde{\beta }_{q, 1}^{\prime } = \widetilde{\beta }_{q, 1} - \widetilde{\alpha }_q \cdot ({\varvec{z}}^*[1] f_{q, 1}({\varvec{x}}^*) + \widetilde{\nu }_{q, 1} \cdot {\varvec{y}}_q^{\top }{\varvec{w}}^*) + \widetilde{\alpha }_q \cdot (f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^*+ {\varvec{y}}_q^{\top }{\varvec{w}}^*)\). Note that, the distributions

$$\begin{aligned} \{\widetilde{\beta }_{t, q} \leftarrow {\mathbb {Z}}_p : \sum _{t \in [n^{\prime }]} \widetilde{\beta }_{t, q} = 0\} \text { and } \{\widetilde{\beta }^{\prime }_{t, q}: \sum _{t \in [n^{\prime }]} \widetilde{\beta }_{t, q} = 0 \} \end{aligned}$$

are statistically close since \(\{\widetilde{\beta }^{\prime }_{q, t}\}_{t \in [n^{\prime }]}\) are also uniform over \({\mathbb {Z}}_p\) and \(\sum _{t \in [n^{\prime }]} \widetilde{\beta }^{\prime }_{q, t} = 0\). Finally, the vectors associated to the post-challenge secret-keys are given by

figure t

where the simulated garblings take the form

figure u
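
The zero-sum property of the shifted values \(\widetilde{\beta }^{\prime }_{q, t}\) claimed in this hybrid can be checked directly (an added derivation, not part of the original proof). It uses \(\sum _{t \in [n^{\prime }]} \widetilde{\beta }_{q, t} = 0\), \(\sum _{t \in [n^{\prime }]} \widetilde{\nu }_{q, t} = 1\) and the componentwise expansion \(f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* = \sum _{t \in [n^{\prime }]} {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*)\):

$$\begin{aligned} \sum _{t \in [n^{\prime }]} \widetilde{\beta }^{\prime }_{q, t}&= \sum _{t \in [n^{\prime }]} \widetilde{\beta }_{q, t} - \widetilde{\alpha }_q \Big (\sum _{t \in [n^{\prime }]} {\varvec{z}}^*[t] f_{q, t}({\varvec{x}}^*) + \Big (\sum _{t \in [n^{\prime }]} \widetilde{\nu }_{q, t}\Big ) {\varvec{y}}_q^{\top }{\varvec{w}}^*\Big ) + \widetilde{\alpha }_q \cdot (f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* + {\varvec{y}}_q^{\top }{\varvec{w}}^*)\\&= 0 - \widetilde{\alpha }_q \cdot (f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* + {\varvec{y}}_q^{\top }{\varvec{w}}^*) + \widetilde{\alpha }_q \cdot (f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^* + {\varvec{y}}_q^{\top }{\varvec{w}}^*) = 0 \end{aligned}$$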

Observe that \({\textsf {H}}_9\) is the same as the ideal experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Ideal}}, {\textsf {extFE}}}(1^{\lambda })\). This completes the security proof.

Note: Recall that the simulation goes through even if the challenger gets \([\![{\varvec{y}}_q]\!]_2\) (and hence \([\![{\widetilde{\alpha }}_q f_q({\varvec{x}}^*)^{\top }{\varvec{z}}^*+ {\varvec{y}}_q^{\top }{\varvec{w}}^*]\!]_2\)) as we have already mentioned it while describing \({\textsf {KeyGen}}_1^*(\cdot )\). \(\square \)

6 Unbounded-slot FE for attribute-weighted sum

In this section, we describe the transformation from extended one-slot FE to unbounded-slot FE. The conversion is proposed in [3] with semi-adaptive simulation security relying on the \({\textsf {MDDH}}_k\) assumption. We show that the same transformation achieves adaptive simulation security against an a priori bounded number of pre-ciphertext secret key queries and an arbitrary polynomial number of post-ciphertext secret key queries under the \({\textsf {bMDDH}}_k\) assumption.

Let \({\varPi }_{\textsf {extOne}} = ({\textsf {Setup}}_{{\textsf {extFE}}}, {\textsf {KeyGen}}_{{\textsf {extFE}}}, {\textsf {Enc}}_{{\textsf {extFE}}}, {\textsf {Dec}}_{{\textsf {extFE}}})\) be the extended one-slot FE scheme described in Sect. 5.2. The unbounded-slot FE scheme \({\varPi }_{{\textsf {ubd}}} = ({\textsf {Setup}}, {\textsf {KeyGen}}, {\textsf {Enc}}, {\textsf {Dec}})\) works as follows:

Setup(\({\varvec{1}}^{{\varvec{\lambda }}}, {\varvec{1}}^{{\varvec{n}}}, {\varvec{1}}^{{\varvec{n}}^{{\varvec{\prime }}}}, {\varvec{1}}^{{\varvec{B}}}\)) On input integers \(\lambda , n, n^{\prime }\) as unary, the setup algorithm runs

$$\begin{aligned}&({\textsf{MSK}}_1, {\textsf{MPK}}_1) \leftarrow {\textsf {Setup}}_{{\textsf {extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}), \\&({\textsf{MSK}}_2, {\textsf{MPK}}_2) \leftarrow {\textsf {Setup}}_{{\textsf {extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}) \end{aligned}$$

and outputs the master secret-key \({\textsf{MSK}}= ({\textsf{MSK}}_1, {\textsf{MSK}}_2)\) and the master public-key \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\).

The key generation algorithm takes input \({\textsf{MSK}}= ({\textsf{MSK}}_1, {\textsf{MSK}}_2)\) and a function \(f \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })}\). It samples \({\varvec{y}} \leftarrow {\mathbb {Z}}_p^k\) and computes

$$\begin{aligned} {\textsf{SK}}_{f, 1} \leftarrow {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_1, (f, [\![{\varvec{y}}]\!]_2)), ~~~ {\textsf{SK}}_{f, 2} \leftarrow {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_2, (f, [\![{\varvec{y}}]\!]_2)) \end{aligned}$$

Then, it returns the secret-key as \({\textsf{SK}}_f = ({\textsf{SK}}_{f, 1}, {\textsf{SK}}_{f, 2})\) and f. Here, we use the property of extFE that \({\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_j, (f, {\varvec{y}})) = {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_j, (f, [\![{\varvec{y}}]\!]_2))\) for \(j \in [2]\).

The encryption algorithm takes input \({\textsf{MPK}}\) and message \(({\varvec{x}}_i, {\varvec{z}}_i) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }}\) for \(i \in [N]\). It samples random vectors \({\varvec{w}}_2, \ldots , {\varvec{w}}_N \leftarrow {\mathbb {Z}}_p^k\) and computes

$$\begin{aligned} {\textsf{CT}}_1&\leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_1, ({\varvec{x}}_1, {\varvec{z}}_1 || - \sum _{i \in [2, N]} {\varvec{w}}_i)) \\ {\textsf{CT}}_i&\leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_i, {\varvec{z}}_i || {\varvec{w}}_i )), \text { for } i \in [2, N] \end{aligned}$$

It returns the ciphertext \({\textsf{CT}}_{({\varvec{x}}_i||{\varvec{z}}_i)} = ({\textsf{CT}}_1, \ldots , {\textsf{CT}}_N)\).

Dec() The decryption algorithm parses the secret-key \({\textsf{SK}}_f = ({\textsf{SK}}_{f, 1}, {\textsf{SK}}_{f, 2})\) and the ciphertext \({\textsf{CT}}_{({\varvec{x}}_i||{\varvec{z}}_i)} = ({\textsf{CT}}_1, \ldots , {\textsf{CT}}_N)\). Then it computes

$$\begin{aligned}{}[\![D_1]\!]_T&\leftarrow {\textsf {Dec}}_{{\textsf {extFE}}}(({\textsf{SK}}_{f, 1}, f), ({\textsf{CT}}_1, {\varvec{x}}_1)) \\ [\![D_i]\!]_T&\leftarrow {\textsf {Dec}}_{{\textsf {extFE}}}(({\textsf{SK}}_{f, 2}, f), ({\textsf{CT}}_i, {\varvec{x}}_i)) ~~~\text { for } i \in [2, N] \end{aligned}$$

and multiplies those values to get \([\![D]\!]_T = [\![D_1]\!]_T \cdots [\![D_N]\!]_T\). Finally, it returns D by solving the discrete log via brute-force.

Correctness. By the correctness of underlying extFE scheme, we get

$$\begin{aligned}{}[\![D_1]\!]_T&= [\![f({\varvec{x}}_1)^{\top }{\varvec{z}}_1 - \sum _{i \in [2, N]} {\varvec{y}}^{\top } {\varvec{w}}_i]\!]_T\\ [\![D_i]\!]_T&= [\![f({\varvec{x}}_i)^{\top } {\varvec{z}}_i + {\varvec{y}}^{\top } {\varvec{w}}_i]\!]_T ~~~\text { for } i \in [2, N] \end{aligned}$$

Therefore, multiplying all \([\![D_i]\!]_T\) for \(i \in [N]\), we have \([\![D]\!]_T = [\![\sum _{i \in [N]} f({\varvec{x}}_i)^{\top } {\varvec{z}}_i]\!]_T\).
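
The construction and its correctness relation can be exercised end to end in the following added Python example, which is not code from the paper. The extended one-slot scheme is replaced by a hypothetical `IdealExtFE` stand-in that only reproduces the decryption relation \([\![f({\varvec{x}})^{\top }{\varvec{z}} + {\varvec{y}}^{\top }{\varvec{w}}]\!]_T\) and hides nothing; the group parameters, the `weight` function and the database are constructed toy values.

```python
import secrets

P = 1019      # toy prime group order p (constructed; far too small for real use)
MOD = 2039    # safe prime 2p + 1; the squares mod MOD form a subgroup of order P
G = 4         # generator of that subgroup, standing in for [[1]]_T
K = 2         # length k of the masking vectors y and w_i


def inner(a, b):
    """Inner product over Z_p."""
    return sum(u * v for u, v in zip(a, b)) % P


class IdealExtFE:
    """Hypothetical stand-in for one instance of the extended one-slot scheme.

    Assumption of this example: it models only the correctness relation
    Dec -> [[f(x)^T z + y^T w]]_T and provides no confidentiality at all.
    """

    def __init__(self):
        self.tag = secrets.token_hex(8)  # tells independent instances apart

    def keygen(self, f, y):
        return {"tag": self.tag, "f": f, "y": list(y)}

    def enc(self, x, z, w):
        return {"tag": self.tag, "x": list(x), "z": list(z), "w": list(w)}

    @staticmethod
    def dec(sk, ct):
        if sk["tag"] != ct["tag"]:
            raise ValueError("key and ciphertext belong to different instances")
        e = (inner(sk["f"](ct["x"]), ct["z"]) + inner(sk["y"], ct["w"])) % P
        return pow(G, e, MOD)


def setup():
    """Two independent one-slot instances (the same pair serves as MSK and MPK here)."""
    return IdealExtFE(), IdealExtFE()


def keygen(msk, f):
    """One fresh y per key, shared by both component keys SK_{f,1}, SK_{f,2}."""
    y = [secrets.randbelow(P) for _ in range(K)]
    return msk[0].keygen(f, y), msk[1].keygen(f, y)


def enc(mpk, database):
    """Slot 1 carries -sum(w_i); slots 2..N carry w_i, so the masks cancel."""
    ws = [[secrets.randbelow(P) for _ in range(K)] for _ in database[1:]]
    w1 = [(-sum(w[c] for w in ws)) % P for c in range(K)]
    x1, z1 = database[0]
    cts = [mpk[0].enc(x1, z1, w1)]
    cts += [mpk[1].enc(x, z, w) for (x, z), w in zip(database[1:], ws)]
    return cts


def slot_values(sk, cts):
    """Per-slot outputs [[D_i]]_T; each one is still masked by y^T w_i."""
    return [IdealExtFE.dec(sk[0] if i == 0 else sk[1], ct)
            for i, ct in enumerate(cts)]


def dlog(target, bound):
    """Brute-force discrete log of target to base G, searching 0..bound."""
    acc = 1
    for d in range(bound + 1):
        if acc == target:
            return d
        acc = acc * G % MOD
    raise ValueError("result lies outside the brute-force bound")


def dec(sk, cts, bound):
    """Multiply the slot outputs, then recover D from [[D]]_T."""
    prod = 1
    for d in slot_values(sk, cts):
        prod = prod * d % MOD
    return dlog(prod, bound)


def weight(x):
    """Constructed weight function f: Z_p^2 -> Z_p^2."""
    return [x[0] % P, (x[0] * x[1] + 1) % P]


# Constructed database of (x_i, z_i) pairs with n = n' = 2.
DATABASE = [([2, 1], [3, 4]), ([0, 5], [7, 1]), ([1, 1], [2, 2])]


def demo():
    keys = setup()
    sk = keygen(keys, weight)
    return dec(sk, enc(keys, DATABASE), bound=200)


if __name__ == "__main__":
    print("attribute-weighted sum:", demo())
```

Decryption fails with `ValueError` when the sum exceeds the brute-force bound, which is why the output range must be polynomially small.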

6.1 Security analysis

Theorem 6

The unbounded-slot FE scheme \({\varPi }_{{\textsf {ubd}}}\) for attribute weighted sum is adaptively simulation-secure under the bilateral \({\textsf {MDDH}}_k\) assumption if the underlying extended one-slot FE scheme \({\varPi }_{{\textsf {extOne}}}\) is adaptively simulation secure.

6.1.1 The simulator

In this section, we describe the simulator of our unbounded slot FE scheme \({\varPi }_{{\textsf {ubd}}}\). First, we recall the syntax of the simulator of our extended one-slot FE scheme presented in Sect. 5.2.

Simulator of \({\varPi }_{{\textsf {extOne}}}\). Let Q be the total number of secret-key queries by the adversary and \(B= Q_{{\textsf {pre}}}\) be the number of secret-keys asked before the challenge phase. We consider \(({\varvec{x}}^*, {\varvec{z}}^*||{\varvec{w}}^*)\) as the challenge message.

  • \({\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^n, 1^{n^{\prime }}, 1^{B}) \rightarrow ({\textsf{MSK}}^*_1, {\textsf{MPK}}_1)\)

  • \({\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}^*_1, (f_q, [\![{\varvec{y}}_q]\!]_2)) \rightarrow {\textsf{SK}}_{f_q, {\varvec{y}}}\)

  • \({\textsf{Enc}}^*_{{\textsf{extFE}}}({\textsf{MPK}}_1, {\textsf{MSK}}_1^*, {\varvec{x}}^*, {\mathcal {V}}_1) \rightarrow {\textsf{CT}}^*\) where \({\mathcal {V}}_1 = \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![f_q({\varvec{x}}^*)^{\top } {\varvec{z}}^* + {\varvec{y}}_q^{\top } {\varvec{w}}^*]\!]_1): q \in [Q_{{\textsf {pre}}}] \}\)

  • \({\textsf{KeyGen}}^*_{{\textsf{extFE}}, 1}({\textsf{MSK}}_1^*, {\varvec{x}}^*, (f_q, [\![{\varvec{y}}_q]\!]_2), [\![f_q({\varvec{x}}^*)^{\top } + {\varvec{y}}_q^{\top } {\varvec{w}}^*]\!]_2) \rightarrow {\textsf{SK}}_{f_q, {\varvec{y}}}\)

Remark 3

Note that, the simulator is given \({\varvec{y}}_q\) and \(f_q({\varvec{x}}^*)^{\top } + {\varvec{y}}_q^{\top } {\varvec{w}}^*\) in the power of the source groups. The simulator still runs efficiently as we are utilizing the following facts from our \({\varPi }_{{\textsf {extOne}}}\):

1. \({\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}^*_1, (f_q, [\![{\varvec{y}}_q]\!]_2)) = {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}^*_1, (f_q, {\varvec{y}}_q))\) in case of our \({\varPi }_{{\textsf {extOne}}}\) for all \(q \in [Q_{{\textsf {pre}}}]\)

2. \({\textsf{Enc}}^*_{{\textsf{extFE}}}({\textsf{MPK}}_1, {\textsf{MSK}}_1^*, {\varvec{x}}^*, {\mathcal {V}}_1) = {\textsf{Enc}}^*_{{\textsf{extFE}}}({\textsf{MPK}}_1, {\textsf{MSK}}_1^*, {\varvec{x}}^*, {\mathcal {V}}_1^{\prime })\) where \({\mathcal {V}}_1^{\prime } = \{((f_q, [\![{\varvec{y}}_q]\!]_1), f_q({\varvec{x}}^*)^{\top } {\varvec{z}}^* + {\varvec{y}}_q^{\top } {\varvec{w}}^*): q \in [Q_{{\textsf {pre}}}] \}\)

3. \({\textsf{KeyGen}}^*_{{\textsf{extFE}}, 1}({\textsf{MSK}}_1^*, {\varvec{x}}^*, (f_q, [\![{\varvec{y}}_q]\!]_2), [\![f_q({\varvec{x}}^*)^{\top } + {\varvec{y}}_q^{\top } {\varvec{w}}^*]\!]_2) =\) \({\textsf{KeyGen}}^*_{{\textsf{extFE}}, 1}({\textsf{MSK}}_1^*, {\varvec{x}}^*, (f_q, {\varvec{y}}_q), f_q({\varvec{x}}^*)^{\top } + {\varvec{y}}_q^{\top } {\varvec{w}}^*)\) for all \(q \in [Q_{{\textsf {pre}}}+1, Q]\)

Now, we present the simulator of \({\varPi }_{{\textsf {ubd}}}\) as follows:

On input integers \(\lambda , n, n^{\prime }, N\) and a bound on the pre-challenge query \(B\) as unary, the simulated setup algorithm samples \({\varvec{w}}_2, \ldots , {\varvec{w}}_N \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

$$\begin{aligned} ({\textsf{MSK}}_1^*, {\textsf{MPK}}_1) \leftarrow {\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^n, 1^{n^{\prime }}, 1^{B}), \\ ({\textsf{MSK}}_2, {\textsf{MPK}}_2) \leftarrow {\textsf {Setup}}_{{\textsf {extFE}}}(1^{\lambda }, 1^n, 1^{n^{\prime }}, 1^{B}) \end{aligned}$$

It returns \({\textsf{MSK}}^* = ({\textsf{MSK}}^*_1, {\textsf{MSK}}_2, {\varvec{w}}_2, \ldots , {\varvec{w}}_N)\) and \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\).

This is the pre-challenge key generation algorithm. On input \({\textsf{MSK}}^*\) and a function \(f_q \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })}\), the algorithm samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and computes

$$\begin{aligned} {\textsf{SK}}_{f_q, 1}^* \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}^*_1, (f, [\![{\varvec{y}}_q]\!]_2)),\\ {\textsf{SK}}_{f_q, 2} \leftarrow {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_2, (f, [\![{\varvec{y}}_q]\!]_2)) \end{aligned}$$

It outputs the simulated key \({\textsf{SK}}_{f_q} = ({\textsf{SK}}_{f_q, 1}^*, {\textsf{SK}}_{f_q, 2})\).

Let \(B= Q_{{\textsf {pre}}}\) be the total number of pre-challenge keys queried by the adversary and \(({\varvec{x}}_i^*, {\varvec{z}}_i^*)_{i \in [N]}\) be the challenge message.

On input \({\textsf{MPK}}, {\textsf{MSK}}^*\), a set of vectors \(({\varvec{x}}^*_i)_{i \in [N]}\) and a set \({\mathcal {V}} = \{((f_q, [\![{\varvec{y}}_q]\!]_1), \mu _q = \sum _{i \in [N]} f_q({\varvec{x}}^*_i)^{\top } {\varvec{z}}_i^*) : q \in [Q_{{\textsf {pre}}}]\}\), the simulated encryption algorithm defines the set \({\mathcal {V}}_1 = \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![\mu _q - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i]\!]_1) : q \in [Q_{{\textsf {pre}}}] \}\) and computes

$$\begin{aligned} {\textsf{CT}}_1^*&\leftarrow {\textsf{Enc}}^*_{{\textsf{extFE}}}({\textsf{MPK}}_1, {\textsf{MSK}}_1^*, {\varvec{x}}_1^*, {\mathcal {V}}_1)\\ {\textsf{CT}}_i^*&\leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_i^*, {\varvec{0}}||{\varvec{w}}_i)) ~~~ \text { for } i \in [2, N] \end{aligned}$$

It returns the simulated ciphertext \({\textsf{CT}}^* = ({\textsf{CT}}_1^*, {\textsf{CT}}_2, \ldots , {\textsf{CT}}_N)\).

This is the post-challenge key generation algorithm. On input \({\textsf{MSK}}^*\), a set of vectors \(({\varvec{x}}_i^*)_{i \in [2, N]}\), a function \(f_q \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })}\) and an integer \(\mu _q = \sum _{i \in [N]} f_q({\varvec{x}}^*_i)^{\top } {\varvec{z}}_i^*\), the algorithm samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and computes

$$\begin{aligned} {\textsf{SK}}_{f_q, 1}^*&\leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 1}({\textsf{MSK}}_1^*, {\varvec{x}}_1^*, (f_q, [\![{\varvec{y}}_q]\!]_2), [\![\mu _q - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i]\!]_2)\\ {\textsf{SK}}_{f_q, 2}&\leftarrow {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_2, (f_q, [\![{\varvec{y}}_q]\!]_2)) \end{aligned}$$

It outputs the simulated secret-key \({\textsf{SK}}_{f_q}^* = ({\textsf{SK}}_{f_q, 1}^* , {\textsf{SK}}_{f_q, 2})\).

6.1.2 Hybrids and reductions

Proof

We prove the theorem by showing the indistinguishability between the real experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Real}},{\textsf {ubdFE}}}(1^{\lambda })\) and the ideal experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Ideal}},{\textsf {ubdFE}}}(1^{\lambda })\) via a sequence of hybrid games. In each experiment, the adversary \({\mathcal {A}}\) can make a polynomial number of secret-key queries corresponding to functions \(f \in {\mathcal {F}}_{{\textsf {ABP}}}^{(n, n^{\prime })}\), both before and after submitting the challenge message \(({\varvec{x}}_i, {\varvec{z}}_i)_{i \in [N]} \in ({\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^{n^{\prime }})^N\). Let Q be the total number of key queries and, without loss of generality, let \(B= Q_{{\textsf {pre}}}\) be the number of keys queried before the challenge phase. We denote the q-th secret-key by \({\textsf{SK}}_{f_q}\) for a function \(f_q\). The sequence of hybrids is described as follows:

Hybrid \({\textsf {H}}_0\): This is the real experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Real}},{\textsf {ubdFE}}}(1^{\lambda })\).

  • The master keys are sampled as follows:

    $$\begin{aligned} ({\textsf{MSK}}_1, {\textsf{MPK}}_1)&\leftarrow {\textsf {Setup}}_{{\textsf {extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}), \\ ({\textsf{MSK}}_2, {\textsf{MPK}}_2)&\leftarrow {\textsf {Setup}}_{{\textsf {extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}) \end{aligned}$$

    The challenger sets \({\textsf{MSK}}= ({\textsf{MSK}}_1, {\textsf{MSK}}_2)\) and \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\).

  • The q-th secret-key \({\textsf{SK}}_{f_q}\), for all \(q \in [Q]\), is computed as follows: The challenger samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

    $$\begin{aligned} {\textsf{SK}}_{f_q, 1}&\leftarrow {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_1, (f_q, [\![{\varvec{y}}_q]\!]_2)), \\ {\textsf{SK}}_{f_q, 2}&\leftarrow {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_2, (f_q, [\![{\varvec{y}}_q]\!]_2)) \end{aligned}$$

    The challenger sends \({\textsf{SK}}_{f_q} = ({\textsf{SK}}_{f_q, 1}, {\textsf{SK}}_{f_q, 2})\).

  • The challenge ciphertext is computed as follows: The challenger samples \({\varvec{w}}_2, \ldots , {\varvec{w}}_N \leftarrow {\mathbb {Z}}_p^k\) and computes the ciphertexts

    $$\begin{aligned}&{\textsf{CT}}_1 \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_1, ({\varvec{x}}_1^*, {\varvec{z}}_1^* || - \sum _{i \in [2, N]} {\varvec{w}}_i))\\&{\textsf{CT}}_i \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_i^*, {\varvec{z}}_i^* || {\varvec{w}}_i )), \text { for } i \in [2, N] \end{aligned}$$

    The challenger returns \({\textsf{CT}}= ({\textsf{CT}}_1, \ldots , {\textsf{CT}}_N)\).

Hybrid \({\textsf {H}}_1\): This is exactly the same as \({\textsf {H}}_0\) except that all the algorithms of the first instance of \({\varPi }_{{\textsf {extOne}}}\) are now replaced with their simulated counterparts. The changes are indicated as follows:

  • The master keys are sampled as follows:

    The challenger samples \({\varvec{w}}_2, \ldots , {\varvec{w}}_N \leftarrow {\mathbb {Z}}_p^k\) and sets the master keys as and \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\).

  • The q-th secret-key \({\textsf{SK}}_{f_q}\), for all \(q \in [Q_{{\textsf {pre}}}]\), is computed as follows: The challenger samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

    The challenger sends .

  • The challenge ciphertext is computed as follows: After all the pre-challenge secret-key queries, the challenger defines a set

    $$\begin{aligned} {\mathcal {V}}_1 = \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![f_q({\varvec{x}}_1^*)^{\top } {\varvec{z}}_1^* - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i]\!]_1) : q \in [Q_{{\textsf {pre}}}]\} \end{aligned}$$

    and computes the ciphertexts

    The challenger returns .

  • The post-challenge secret-key \({\textsf{SK}}_{f_q}\) for \(q \in [Q_{{\textsf {pre}}}+1, Q]\) is computed as follows: The challenger samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

    and returns

In Lemma 7, we show that the hybrids \({\textsf {H}}_0\) and \({\textsf {H}}_1\) are indistinguishable by the adaptive simulation-security of the \({\varPi }_{{\textsf {extOne}}}\) scheme.

Hybrid \({\textsf {H}}_{2, \eta }\) (\({\varvec{\eta \in [2, N]}}\)): It is exactly the same as hybrid \({\textsf {H}}_1\) except for the changes indicated below.

  • The master keys are sampled as follows:

    $$\begin{aligned} ({\textsf{MSK}}_1^*, {\textsf{MPK}}_1) \leftarrow {\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}), \\ ({\textsf{MSK}}_2, {\textsf{MPK}}_2) \leftarrow {\textsf {Setup}}_{{\textsf {extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}) \end{aligned}$$

    The challenger samples \({\varvec{w}}_2, \ldots , {\varvec{w}}_N \leftarrow {\mathbb {Z}}_p^k\) and sets \({\textsf{MSK}}= ({\textsf{MSK}}_1^*, {\textsf{MSK}}_2, {\varvec{w}}_2, \ldots , {\varvec{w}}_N)\) and \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\).

  • The q-th secret-key \({\textsf{SK}}_{f_q}\), for all \(q \in [Q_{{\textsf {pre}}}]\), is computed as follows: The challenger samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

    $$\begin{aligned}&{\textsf{SK}}_{f_q, 1}^* \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}_1^*, (f_q, [\![{\varvec{y}}_q]\!]_2)),\\&{\textsf{SK}}_{f_q, 2} \leftarrow {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_2, (f_q, [\![{\varvec{y}}_q]\!]_2)) \end{aligned}$$

    The challenger sends \({\textsf{SK}}_{f_q} = ({\textsf{SK}}_{f_q, 1}^*, {\textsf{SK}}_{f_q, 2})\).

  • The challenge ciphertext is computed as follows: After all the pre-challenge secret-key queries, the challenger defines a set

    $$\begin{aligned} {\mathcal {V}}_1 = \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![\sum _{i \in [\eta - 1]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i]\!]_1) : q \in [Q_{{\textsf {pre}}}]\} \end{aligned}$$

    and computes the ciphertexts

    The challenger returns \({\textsf{CT}}= ({\textsf{CT}}_1^*, {\textsf{CT}}_2, \ldots , {\textsf{CT}}_{\eta -1}, {\textsf{CT}}_{\eta },\ldots , {\textsf{CT}}_N)\).

  • The post-challenge secret-key \({\textsf{SK}}_{f_q}\) for \(q \in [Q_{{\textsf {pre}}}+1, Q]\) is computed as follows: The challenger samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

    figure v

    and returns \({\textsf{SK}}_{f_q} = ({\textsf{SK}}_{f_q, 1}^*, {\textsf{SK}}_{f_q, 2})\)

Observe that \({{\textsf{H}}}_{2,1}\) coincides with \({{\textsf{H}}}_1\). We will show that for all \(\eta \in [2,N]\), the hybrids \({{\textsf{H}}}_{2, (\eta -1)}\) and \({{\textsf{H}}}_{2,\eta }\) are indistinguishable via the following sequence of sub-hybrids, namely, \(\{{{\textsf{H}}}_{2,\eta ,1}, {{\textsf{H}}}_{2,\eta ,2}, {{\textsf{H}}}_{2,\eta ,3}\}_{\eta \in [2, N]}\).

Hybrid \({\textsf {H}}_{2, \eta , 1}\) (\({\varvec{\eta \in [2, N]}}\)): It is exactly the same as hybrid \({\textsf {H}}_{2, (\eta -1)}\) except for the changes indicated below.

  • The master keys are sampled as follows:

    The challenger samples \({\varvec{w}}_2, \ldots , {\varvec{w}}_N \leftarrow {\mathbb {Z}}_p^k\) and sets and \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\).

  • The q-th secret-key \({\textsf{SK}}_{f_q}\), for all \(q \in [Q_{{\textsf {pre}}}]\), is computed as follows: The challenger samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

    The challenger sends .

  • The challenge ciphertext is computed as follows: After all the pre-challenge secret-key queries, the challenger defines the sets

    $$\begin{aligned} {\mathcal {V}}_1&= \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![\sum _{i \in [\eta - 1]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i]\!]_1) : q \in [Q_{{\textsf {pre}}}]\} \\ {\mathcal {V}}_2&= \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![f_q({\varvec{x}}_{\eta }^*)^{\top }{\varvec{z}}_{\eta }^* + {\varvec{y}}_q^{\top } {\varvec{w}}_{\eta }]\!]_1) : q \in [Q_{{\textsf {pre}}}] \} \end{aligned}$$

    and computes the ciphertexts

    The challenger returns .

  • The post-challenge secret-key \({\textsf{SK}}_{f_q}\) for \(q \in [Q_{{\textsf {pre}}}+1, Q]\) is computed as follows: The challenger samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

    figure w

    and returns

We demonstrate in Lemma 8 that \({\textsf {H}}_{2, (\eta -1)}\) and \({\textsf {H}}_{2, \eta , 1}\) are indistinguishable by the adaptive simulation-security of \({\varPi }_{{\textsf {extOne}}}\).

Hybrid \({\textsf {H}}_{2, \eta , 2}\) (\({\varvec{\eta \in [2, N]}}\)): It is exactly the same as hybrid \({\textsf {H}}_{2, \eta , 1}\) except for the changes indicated below.

  • The master keys are sampled as follows:

    $$\begin{aligned}&({\textsf{MSK}}_1^*, {\textsf{MPK}}_1) \leftarrow {\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}), \\&({\textsf{MSK}}_2^*, {\textsf{MPK}}_2) \leftarrow {\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}) \end{aligned}$$

    The challenger samples \({\varvec{w}}_2, \ldots , {\varvec{w}}_N \leftarrow {\mathbb {Z}}_p^k\) and sets \({\textsf{MSK}}= ({\textsf{MSK}}_1^*, {\textsf{MSK}}_2^*, {\varvec{w}}_2, \ldots , {\varvec{w}}_N)\) and \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\).

  • The q-th secret-key \({\textsf{SK}}_{f_q}\), for all \(q \in [Q_{{\textsf {pre}}}]\), is computed as follows: The challenger samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

    $$\begin{aligned}&{\textsf{SK}}_{f_q, 1}^* \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}_1^*, (f_q, [\![{\varvec{y}}_q]\!]_2)), \\&{\textsf{SK}}_{f_q, 2}^* \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}_2^*, (f_q, [\![{\varvec{y}}_q]\!]_2)) \end{aligned}$$

    The challenger sends \({\textsf{SK}}_{f_q} = ({\textsf{SK}}_{f_q, 1}^*, {\textsf{SK}}_{f_q, 2}^*)\).

  • The challenge ciphertext is computed as follows: After all the pre-challenge secret-key queries, the challenger defines the sets

    and computes the ciphertexts

    The challenger returns .

  • The post-challenge secret-key \({\textsf{SK}}_{f_q}\) for \(q \in [Q_{{\textsf {pre}}}+1, Q]\) is computed as follows: The challenger samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

    figure x

    and returns

Lemma 9 ensures that the hybrids \({\textsf {H}}_{2, \eta , 1}\) and \({\textsf {H}}_{2, \eta , 2}\) are indistinguishable due to the bilateral \({\textsf {MDDH}}_k\) assumption.

Hybrid \({\textsf {H}}_{2, \eta , 3}\) (\({\varvec{\eta \in [2, N]}}\)): It is exactly the same as hybrid \({\textsf {H}}_{2, \eta , 2}\) except for the changes indicated below.

  • The master keys are sampled as follows:

    The challenger samples \({\varvec{w}}_2, \ldots , {\varvec{w}}_N \leftarrow {\mathbb {Z}}_p^k\) and sets and \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\).

  • The q-th secret-key \({\textsf{SK}}_{f_q}\), for all \(q \in [Q_{{\textsf {pre}}}]\), is computed as follows: The challenger samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

    The challenger sends .

  • The challenge ciphertext is computed as follows: After all the pre-challenge secret-key queries, the challenger defines the sets

    $$\begin{aligned} {\mathcal {V}}_1&= \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![\sum _{i \in [\eta ]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i]\!]_1) : q \in [Q_{{\textsf {pre}}}]\} \end{aligned}$$

    and computes the ciphertexts

    The challenger returns .

  • The post-challenge secret-key \({\textsf{SK}}_{f_q}\) for \(q \in [Q_{{\textsf {pre}}}+1, Q]\) is computed as follows: The challenger samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates the keys

    figure y

    and returns

We show in Lemma 10 that the hybrids \({\textsf {H}}_{2, \eta , 2}\) and \({\textsf {H}}_{2, \eta , 3}\) are indistinguishable by the adaptive simulation security of \({\varPi }_{{\textsf {extOne}}}\).

Now, we observe that the hybrid \({\textsf {H}}_{2, 1}\) is identical to \({\textsf {H}}_1\) and \({\textsf {H}}_{2, \eta , 3}\) is identical to \({\textsf {H}}_{2, \eta }\) for all \(\eta \in [2, N]\). Finally, we note that \({\textsf {H}}_{2, N}\) is the ideal experiment \({\textsf {Expt}}_{{\mathcal {A}}}^{{\textsf {Ideal}},{\textsf {ubdFE}}}(1^{\lambda })\). \(\square \)
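The bookkeeping behind this hybrid sequence can be checked numerically. The following Python sketch is an added example, not part of the paper: it tracks only the exponent \(f_q({\varvec{x}})^{\top }{\varvec{z}} + {\varvec{y}}_q^{\top }{\varvec{w}}\) that each ciphertext slot yields for a key \((f_q, {\varvec{y}}_q)\) (no groups, no encryption), models \(f_q\) as a linear map, uses a constructed prime for p, and takes the slot-1 value of \({\textsf {H}}_{2, \eta }\) from \({\mathcal {V}}_1\) of \({\textsf {H}}_{2, \eta , 3}\) (sum over \([\eta ]\)).

```python
import random

P = 2**61 - 1  # constructed prime standing in for the group order p (assumption)


def dot(a, b):
    return sum(u * v for u, v in zip(a, b)) % P


def apply_weight(f, x):
    # Assumption: f is modelled as a linear map Z_p^n -> Z_p^{n'} (list of rows).
    # The paper's ABPs are more general; only the vector f(x) matters here.
    return [dot(row, x) for row in f]


def terms(f, y, xs, zs, ws):
    """f(x_i)^T z_i for i in [N] and y^T w_i for i in [2, N], as 1-based dicts."""
    n_slots = len(xs)
    fz = {i: dot(apply_weight(f, xs[i]), zs[i]) for i in range(1, n_slots + 1)}
    yw = {i: dot(y, ws[i]) for i in range(2, n_slots + 1)}
    return fz, yw


def real_slots(f, y, xs, zs, ws):
    """H_0: slot 1 hides z_1 || -sum_i w_i, slot i >= 2 hides z_i || w_i."""
    fz, yw = terms(f, y, xs, zs, ws)
    out = {1: (fz[1] - sum(yw.values())) % P}
    for i in yw:
        out[i] = (fz[i] + yw[i]) % P
    return out


def hybrid_slots(eta, f, y, xs, zs, ws):
    """H_{2,eta}: slot 1 carries sum_{i<=eta} f(x_i)^T z_i - sum_i y^T w_i,
    slots 2..eta hide 0 || w_i, slots eta+1..N still hide z_i || w_i."""
    fz, yw = terms(f, y, xs, zs, ws)
    head = sum(fz[i] for i in range(1, eta + 1)) - sum(yw.values())
    out = {1: head % P}
    for i in yw:
        out[i] = yw[i] if i <= eta else (fz[i] + yw[i]) % P
    return out


def ideal_slots(mu, y, ws):
    """What the simulator can compute from mu_q, y_q and the masks w_i alone."""
    yw = {i: dot(y, w) for i, w in ws.items()}
    out = {1: (mu - sum(yw.values())) % P}
    out.update(yw)
    return out


def sample_instance(seed, n_slots=4, n=3, n_prime=2, k=2):
    """Constructed random instance: challenge (x_i, z_i), masks w_i, one key (f, y)."""
    rng = random.Random(seed)
    vec = lambda m: [rng.randrange(P) for _ in range(m)]
    xs = {i: vec(n) for i in range(1, n_slots + 1)}
    zs = {i: vec(n_prime) for i in range(1, n_slots + 1)}
    ws = {i: vec(k) for i in range(2, n_slots + 1)}
    f = [vec(n) for _ in range(n_prime)]
    return f, vec(k), xs, zs, ws


def check_hybrids(seed=1):
    """Return True if every hybrid decrypts to mu_q and the endpoints match."""
    f, y, xs, zs, ws = sample_instance(seed)
    n_slots = len(xs)
    fz, _ = terms(f, y, xs, zs, ws)
    mu = sum(fz.values()) % P
    ok = real_slots(f, y, xs, zs, ws) == hybrid_slots(1, f, y, xs, zs, ws)
    for eta in range(1, n_slots + 1):
        ok &= sum(hybrid_slots(eta, f, y, xs, zs, ws).values()) % P == mu
    ok &= hybrid_slots(n_slots, f, y, xs, zs, ws) == ideal_slots(mu, y, ws)
    return ok


if __name__ == "__main__":
    print(check_hybrids())
```

Each step from \(\eta - 1\) to \(\eta \) moves the single term \(f_q({\varvec{x}}_{\eta }^*)^{\top }{\varvec{z}}_{\eta }^*\) from slot \(\eta \) into slot 1, so the total stays \(\mu _q\), and at \(\eta = N\) the slot values depend on the challenge only through \(\mu _q\).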

Lemma 7

The hybrids \({\textsf {H}}_0\) and \({\textsf {H}}_1\) are computationally indistinguishable by the adaptive simulation-security of \({\varPi }_{{\textsf {extOne}}}\). More specifically, for any PPT adversary \({\mathcal {A}}\), there exists another PPT adversary \({\mathcal {B}}_1\) such that

$$\begin{aligned} |{\textsf {Adv}}_{{\mathcal {A}}}^{{\textsf {H}}_0}(\lambda ) - {\textsf {Adv}}_{{\mathcal {A}}}^{{\textsf {H}}_1}(\lambda )| \le {\textsf {Adv}}_{{\mathcal {B}}_1}^{{\textsf {extFE}}}(\lambda ) \end{aligned}$$

Proof

We establish the indistinguishability by constructing an adversary \({\mathcal {B}}_1\) against the adaptive simulation-security of \({\varPi }_{{\textsf {extOne}}}\). Let \({\mathcal {C}}_1\) be the challenger of the security experiment of \({\varPi }_{{\textsf {extOne}}}\). The adversary \({\mathcal {B}}_1\) works as follows:

  • Setup: \({\mathcal {B}}_1\) gets \({\textsf{MPK}}_1\) from \({\mathcal {C}}_1\) and computes

    $$\begin{aligned} ({\textsf{MSK}}_2, {\textsf{MPK}}_2) \leftarrow {\textsf {Setup}}_{{\textsf {extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}) \end{aligned}$$

    It returns \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\) to \({\mathcal {A}}\).

  • Key Queries: \({\mathcal {A}}\) asks for a secret-key corresponding to the function \(f_q\) at the q-th key query for \(q \in [Q]\). First, \({\mathcal {B}}_1\) samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and generates

    $$\begin{aligned} {\textsf{SK}}_{f_q, 2} \leftarrow {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_2, (f_q, [\![{\varvec{y}}_q]\!]_2)) \end{aligned}$$

    Next, \({\mathcal {B}}_1\) forwards \((f_q, {\varvec{y}}_q)\) to \({\mathcal {C}}_1\) and gets a secret-key \(\widetilde{{\textsf{SK}}}_{f_q, 1}\). Finally, \({\mathcal {B}}_1\) returns \({\textsf{SK}}_{f_q} = (\widetilde{{\textsf{SK}}}_{f_q, 1}, {\textsf{SK}}_{f_q, 2})\) to \({\mathcal {A}}\).

  • Ciphertext Query: \({\mathcal {A}}\) sends the challenge ciphertext \(({\varvec{x}}_i^*, {\varvec{z}}_i^*)_{i \in [N]}\). Now, \({\mathcal {B}}_1\) samples \({\varvec{w}}_2, \ldots , {\varvec{w}}_N \leftarrow {\mathbb {Z}}_p^k\) and computes

    $$\begin{aligned} {\textsf{CT}}_i \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_i^*, {\varvec{z}}_i^* || {\varvec{w}}_i )), \text { for } i \in [2, N] \end{aligned}$$

    Next, \({\mathcal {B}}_1\) sends \(({\varvec{x}}_1^*, {\varvec{z}}_1^*|| -\sum _{i \in [2, N]} {\varvec{w}}_i)\) as its challenge ciphertext to \({\mathcal {C}}_1\) and receives a ciphertext \(\widetilde{{\textsf{CT}}}_1\). Finally, \({\mathcal {B}}_1\) sends the challenge ciphertext \({\textsf{CT}}= (\widetilde{{\textsf{CT}}}_1, {\textsf{CT}}_2, \ldots , {\textsf{CT}}_N)\) to \({\mathcal {A}}\).

Observe that, if \({\mathcal {C}}_1\) chooses the real algorithms of \({\varPi }_{{\textsf {extOne}}}\) then

$$\begin{aligned}&({\textsf{MSK}}_1, {\textsf{MPK}}_1) \leftarrow {\textsf {Setup}}_{{\textsf {extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B})\\&\widetilde{{\textsf{SK}}}_{f_q, 1} \leftarrow {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_1, (f_q, [\![{\varvec{y}}_q]\!]_2)) ~~\forall q \in [Q]\\&\widetilde{{\textsf{CT}}}_1 \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_1, ({\varvec{x}}_1^*, {\varvec{z}}_1^*|| -\sum _{i \in [2, N]} {\varvec{w}}_i)) \end{aligned}$$

and hence \({\mathcal {B}}_1\) simulates \({\textsf {H}}_0\). If \({\mathcal {C}}_1\) chooses the simulator of \({\varPi }_{{\textsf {extOne}}}\) then

$$\begin{aligned}&({\textsf{MSK}}_1^*, {\textsf{MPK}}_1) \leftarrow {\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B})\\&\widetilde{{\textsf{SK}}}_{f_q, 1} \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}_1^*, (f_q, [\![{\varvec{y}}_q]\!]_2)) ~~\forall q \in [Q_{{\textsf {pre}}}]\\&\widetilde{{\textsf{CT}}}_1 \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_1, ({\varvec{x}}_1^*, {\varvec{z}}_1^*|| -\sum _{i \in [2, N]} {\varvec{w}}_i)) \\&\widetilde{{\textsf{SK}}}_{f_q, 1} \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 1}({\textsf{MSK}}_1^*, {\varvec{x}}_1^*, (f_q, [\![{\varvec{y}}_q]\!]_2), [\![f_q({\varvec{x}}_1^*)^{\top } {\varvec{z}}_1^* - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i]\!]_2) \\&\forall q \in [Q_{{\textsf {pre}}}+1, Q] \end{aligned}$$

and hence \({\mathcal {B}}_1\) simulates \({\textsf {H}}_1\). \(\square \)

Lemma 8

The hybrids \({\textsf {H}}_{2, (\eta -1)}\) and \({\textsf {H}}_{2, \eta , 1}\) are computationally indistinguishable by the adaptive simulation-security of \({\varPi }_{{\textsf {extOne}}}\). More specifically, for any PPT adversary \({\mathcal {A}}\), there exists another PPT adversary \({\mathcal {B}}_2\) such that

$$\begin{aligned} |{\textsf {Adv}}_{{\mathcal {A}}}^{{\textsf {H}}_{2, (\eta -1)}}(\lambda ) - {\textsf {Adv}}_{{\mathcal {A}}}^{{\textsf {H}}_{2, \eta , 1}}(\lambda )| \le {\textsf {Adv}}_{{\mathcal {B}}_2}^{{\textsf {extFE}}}(\lambda ) \end{aligned}$$

Proof

We prove the lemma by constructing an adversary \({\mathcal {B}}_2\) against the adaptive simulation-security of \({\varPi }_{{\textsf {extOne}}}\). Let \({\mathcal {C}}_2\) be the challenger of the security experiment of \({\varPi }_{{\textsf {extOne}}}\). The adversary \({\mathcal {B}}_2\) works as follows:

  • Setup: \({\mathcal {B}}_2\) gets \({\textsf{MPK}}_2\) from \({\mathcal {C}}_2\) and computes

    $$\begin{aligned} ({\textsf{MSK}}_1^*, {\textsf{MPK}}_1) \leftarrow {\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}) \end{aligned}$$

    It returns \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\) to \({\mathcal {A}}\).

  • Pre-challenge Key Queries: \({\mathcal {A}}\) asks for a secret-key corresponding to the function \(f_q\) at the q-th key query for \(q \in [Q_{{\textsf {pre}}}]\). First, \({\mathcal {B}}_2\) samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and computes

    $$\begin{aligned} {\textsf{SK}}_{f_q, 1}^* \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}_1^*, (f_q, [\![{\varvec{y}}_q]\!]_2)) \end{aligned}$$

    Next, \({\mathcal {B}}_2\) forwards \((f_q, {\varvec{y}}_q)\) to \({\mathcal {C}}_2\) and gets a secret-key \(\widetilde{{\textsf{SK}}}_{f_q, 2}\). Finally, \({\mathcal {B}}_2\) returns \({\textsf{SK}}_{f_q} = ({\textsf{SK}}_{f_q, 1}^*, \widetilde{{\textsf{SK}}}_{f_q, 2})\) to \({\mathcal {A}}\).

  • Ciphertext Query: \({\mathcal {A}}\) sends the challenge ciphertext \(({\varvec{x}}_i^*, {\varvec{z}}_i^*)_{i \in [N]}\). Now, \({\mathcal {B}}_2\) samples \({\varvec{w}}_2, \ldots , {\varvec{w}}_N \leftarrow {\mathbb {Z}}_p^k\) and defines the set

    $$\begin{aligned} {\mathcal {V}}_1 = \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![\sum _{i \in [\eta - 1]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i]\!]_1) : q \in [Q_{{\textsf {pre}}}]\} \end{aligned}$$

    Now, \({\mathcal {B}}_2\) computes the ciphertexts

    $$\begin{aligned}&{\textsf{CT}}_1^* \leftarrow {\textsf{Enc}}^*_{{\textsf{extFE}}}({\textsf{MPK}}_1, {\textsf{MSK}}_1^*, {\mathcal {V}}_1)\\&{\textsf{CT}}_i \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_i^*, {\varvec{0}} || {\varvec{w}}_i )) \text { for } i \in [2, \eta -1],\\&{\textsf{CT}}_i \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_i^*, {\varvec{z}}_i^* || {\varvec{w}}_i )) \text { for } i \in [ \eta +1, N] \end{aligned}$$

    Next, \({\mathcal {B}}_2\) sends \(({\varvec{x}}_{\eta }^*, {\varvec{z}}_{\eta }^*|| {\varvec{w}}_{\eta })\) as its challenge ciphertext to \({\mathcal {C}}_2\) and receives a ciphertext \(\widetilde{{\textsf{CT}}}_{\eta }\). Finally, \({\mathcal {B}}_2\) sends the challenge ciphertext \({\textsf{CT}}= ({\textsf{CT}}_1^*, {\textsf{CT}}_2, \ldots , {\textsf{CT}}_{\eta -1}, \widetilde{{\textsf{CT}}}_{\eta }, {\textsf{CT}}_{\eta +1},\ldots , {\textsf{CT}}_N)\) to \({\mathcal {A}}\).

  • Post-challenge Key Queries: \({\mathcal {A}}\) asks for a secret-key corresponding to the function \(f_q\) at the q-th key query for \(q \in [Q_{{\textsf {pre}}}+1, Q]\). First, \({\mathcal {B}}_2\) samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and computes

    figure z

    Next, \({\mathcal {B}}_2\) forwards \((f_q, {\varvec{y}}_q)\) to \({\mathcal {C}}_2\) and gets a secret-key \(\widetilde{{\textsf{SK}}}_{f_q, 2}\). Finally, \({\mathcal {B}}_2\) returns \({\textsf{SK}}_{f_q} = ({\textsf{SK}}_{f_q, 1}^*, \widetilde{{\textsf{SK}}}_{f_q, 2})\) to \({\mathcal {A}}\).

Observe that, if \({\mathcal {C}}_2\) chooses the real algorithms of \({\varPi }_{{\textsf {extOne}}}\) then

$$\begin{aligned}&({\textsf{MSK}}_2, {\textsf{MPK}}_2) \leftarrow {\textsf {Setup}}_{{\textsf {extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B})\\&\widetilde{{\textsf{SK}}}_{f_q, 2} \leftarrow {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_2, (f_q, [\![{\varvec{y}}_q]\!]_2)) ~~\forall q \in [Q]\\&\widetilde{{\textsf{CT}}}_{\eta } \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_{\eta }^*, {\varvec{z}}_{\eta }^*|| {\varvec{w}}_{\eta })) \end{aligned}$$

and hence \({\mathcal {B}}_2\) simulates \({\textsf {H}}_{2, (\eta -1)}\). If \({\mathcal {C}}_2\) chooses the simulator of \({\varPi }_{{\textsf {extOne}}}\) then

$$\begin{aligned}&({\textsf{MSK}}_2^*, {\textsf{MPK}}_2) \leftarrow {\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B})\\&\widetilde{{\textsf{SK}}}_{f_q, 2} \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}_2^*, (f_q, [\![{\varvec{y}}_q]\!]_2)) ~~\forall q \in [Q_{{\textsf {pre}}}]\\&\widetilde{{\textsf{CT}}}_{\eta } \leftarrow {\textsf{Enc}}^*_{{\textsf{extFE}}}({\textsf{MPK}}_2, {\textsf{MSK}}_2^*, {\mathcal {V}}_2) \\&\widetilde{{\textsf{SK}}}_{f_q, 2} \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 1}({\textsf{MSK}}_2^*, {\varvec{x}}_{\eta }^*, (f_q, [\![{\varvec{y}}_q]\!]_2), [\![f_q({\varvec{x}}_{\eta }^*)^{\top }{\varvec{z}}_{\eta }^* + {\varvec{y}}_q^{\top } {\varvec{w}}_{\eta }]\!]_2)\\&\forall q \in [Q_{{\textsf {pre}}}+1, Q] \end{aligned}$$

where \({\mathcal {V}}_2 = \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![f_q({\varvec{x}}_{\eta }^*)^{\top }{\varvec{z}}_{\eta }^* + {\varvec{y}}_q^{\top } {\varvec{w}}_{\eta }]\!]_1) : q \in [Q_{{\textsf {pre}}}] \}\) and hence \({\mathcal {B}}_2\) simulates \({\textsf {H}}_{2, \eta , 1}\). \(\square \)

Lemma 9

The hybrids \({\textsf {H}}_{2, \eta , 1}\) and \({\textsf {H}}_{2, \eta , 2}\) are computationally indistinguishable by the bilateral \({\textsf{MDDH}}_{k, Q}^1\) assumption. More specifically, for any PPT adversary \({\mathcal {A}}\), there exists another PPT adversary \({\mathcal {B}}_3\) such that

$$\begin{aligned} |{\textsf {Adv}}_{{\mathcal {A}}}^{{\textsf {H}}_{2, \eta , 1}}(\lambda ) - {\textsf {Adv}}_{{\mathcal {A}}}^{{\textsf {H}}_{2, \eta , 2}}(\lambda )| \le {\textsf {Adv}}^{{\mathcal {B}}_3}_{{\textsf{bMDDH}}_{k, Q}^1}(\lambda ) \end{aligned}$$

Proof

We prove the indistinguishability using Lemma 1 with \({\varvec{w}} = {\varvec{w}}_{\eta }\) and \(\mu _q = f_q({\varvec{x}}_{\eta }^*)^{\top } {\varvec{z}}_{\eta }^*\). Let \({\mathcal {B}}_3\) be an adversary of Lemma 1, who gets a challenge instance

$$\begin{aligned} \{[\![\rho _{q, 1}]\!]_1, [\![\rho _{q, 1}]\!]_2, ~~~ [\![\rho _{q, 2}]\!]_1, [\![\rho _{q, 2}]\!]_2, ~~~ [\![{\varvec{y}}_q]\!]_1, [\![{\varvec{y}}_q]\!]_2\}_{q \in [Q]} \end{aligned}$$

from its challenger. Now, \({\mathcal {B}}_3\) simulates the game as follows:

  • Setup: \({\mathcal {B}}_3\) generates the master keys as follows:

    $$\begin{aligned}&({\textsf{MSK}}_1^*, {\textsf{MPK}}_1)&\leftarrow {\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}), \\&({\textsf{MSK}}_2^*, {\textsf{MPK}}_2)&\leftarrow {\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}) \end{aligned}$$

    and sends \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\) to \({\mathcal {A}}\).

  • Pre-challenge Key Queries: \({\mathcal {A}}\) asks for a secret-key corresponding to the function \(f_q\) at the q-th key query for \(q \in [Q_{{\textsf {pre}}}]\). First, \({\mathcal {B}}_3\) generates the keys

    $$\begin{aligned} {\textsf{SK}}_{f_q, 1}^*&\leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}_1^*, (f_q, [\![{\varvec{y}}_q]\!]_2)), \\ {\textsf{SK}}_{f_q, 2}^*&\leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}_2^*, (f_q, [\![{\varvec{y}}_q]\!]_2)) \end{aligned}$$

    Then it sends \({\textsf{SK}}_{f_q} = ({\textsf{SK}}_{f_q, 1}^*, {\textsf{SK}}_{f_q, 2}^*)\) to \({\mathcal {A}}\).

  • Ciphertext Query: \({\mathcal {A}}\) sends the challenge ciphertext \(({\varvec{x}}_i^*, {\varvec{z}}_i^*)_{i \in [N]}\). Now, \({\mathcal {B}}_3\) samples \({\varvec{w}}_i \leftarrow {\mathbb {Z}}_p^k\) for all \(i \in [2, N] \setminus \{\eta \}\) and defines the set

    $$\begin{aligned} {\mathcal {V}}_1&= \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![\sum _{i \in [\eta -1]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]\setminus \{\eta \}} {\varvec{y}}_q^{\top } {\varvec{w}}_i + \rho _{q, 1}]\!]_1 ) : q \in [Q_{{\textsf {pre}}}]\} \\ {\mathcal {V}}_2&= \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![\rho _{q, 2}]\!]_1) : q \in [Q_{{\textsf {pre}}}] \} \end{aligned}$$

    Next, it computes the ciphertexts

    $$\begin{aligned}&{\textsf{CT}}_1^* \leftarrow {\textsf{Enc}}^*_{{\textsf{extFE}}}({\textsf{MPK}}_1, {\textsf{MSK}}_1^*, {\mathcal {V}}_1)\\&{\textsf{CT}}_i \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_i^*, {\varvec{0}} || {\varvec{w}}_i )) \text { for } i \in [2, \eta -1],\\&{\textsf{CT}}_{\eta }^* \leftarrow {\textsf{Enc}}^*_{{\textsf{extFE}}}({\textsf{MPK}}_2, {\textsf{MSK}}_2^*, {\mathcal {V}}_2), \\&{\textsf{CT}}_i \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_i^*, {\varvec{z}}_i^* || {\varvec{w}}_i )) \text { for } i \in [ \eta +1, N] \end{aligned}$$

    and sends the challenge ciphertext as \({\textsf{CT}}= ({\textsf{CT}}_1^*, {\textsf{CT}}_2, \ldots , {\textsf{CT}}_{\eta -1}, {\textsf{CT}}_{\eta }^*, {\textsf{CT}}_{\eta +1},\ldots , {\textsf{CT}}_N)\).

  • Post-challenge Key Queries: \({\mathcal {A}}\) asks for a secret-key corresponding to the function \(f_q\) at the q-th key query for \(q \in [Q_{{\textsf {pre}}}+1, Q]\). First, \({\mathcal {B}}_3\) samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and computes

    $$\begin{aligned}&{\textsf{SK}}_{f_q, 1}^* \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 1}({\textsf{MSK}}_1^*, {\varvec{x}}_1^*, (f_q, [\![{\varvec{y}}_q]\!]_2), \\&\quad [\![\sum _{i \in [\eta -1]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]\setminus \{\eta \}} {\varvec{y}}_q^{\top } {\varvec{w}}_i + \rho _{q, 1}]\!]_2),\\&{\textsf{SK}}_{f_q, 2}^* \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 1}({\textsf{MSK}}_2^*, {\varvec{x}}_{\eta }^*, (f_q, [\![{\varvec{y}}_q]\!]_2), [\![ \rho _{q, 2}]\!]_2) \end{aligned}$$

    and sends \({\textsf{SK}}_{f_q} = ({\textsf{SK}}_{f_q, 1}^*, {\textsf{SK}}_{f_q, 2}^*)\) to \({\mathcal {A}}\).

Observe that, if \({\mathcal {B}}_3\) gets the challenge instance such that \(\rho _{q, 1} = {\varvec{y}}_q^{\top }{\varvec{w}}_{\eta }\) and \(\rho _{q, 2} = f_q({\varvec{x}}_{\eta }^*)^{\top } {\varvec{z}}_{\eta }^* + {\varvec{y}}_q^{\top }{\varvec{w}}_{\eta } \) which corresponds to the first distribution in Lemma 1, then we have

$$\begin{aligned} \sum _{i \in [\eta -1]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]\setminus \{\eta \}} {\varvec{y}}_q^{\top } {\varvec{w}}_i + \rho _{q, 1} = \sum _{i \in [\eta -1]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i \end{aligned}$$

and hence \({\mathcal {B}}_3\) simulates \({\textsf {H}}_{2, \eta , 1}\). If \({\mathcal {B}}_3\) gets the challenge instance such that \(\rho _{q, 1} = f_q({\varvec{x}}_{\eta }^*)^{\top } {\varvec{z}}_{\eta }^* - {\varvec{y}}_q^{\top }{\varvec{w}}_{\eta } \) and \(\rho _{q, 2} = {\varvec{y}}_q^{\top }{\varvec{w}}_{\eta }\) which corresponds to the second distribution in Lemma 1, then we have

$$\begin{aligned} \sum _{i \in [\eta -1]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]\setminus \{\eta \}} {\varvec{y}}_q^{\top } {\varvec{w}}_i + \rho _{q, 1} = \sum _{i \in [\eta ]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i \end{aligned}$$

and hence \({\mathcal {B}}_3\) simulates \({\textsf {H}}_{2, \eta , 2}\). \(\square \)

Lemma 10

The hybrids \({\textsf {H}}_{2, \eta , 2}\) and \({\textsf {H}}_{2, \eta , 3}\) are computationally indistinguishable by the adaptive simulation-security of \({\varPi }_{{\textsf {extOne}}}\). More specifically, for any PPT adversary \({\mathcal {A}}\), there exists another PPT adversary \({\mathcal {B}}_4\) such that

$$\begin{aligned} |{\textsf {Adv}}_{{\mathcal {A}}}^{{\textsf {H}}_{2, \eta , 2}}(\lambda ) - {\textsf {Adv}}_{{\mathcal {A}}}^{{\textsf {H}}_{2, \eta , 3}}(\lambda )| \le {\textsf {Adv}}_{{\mathcal {B}}_4}^{{\textsf {extFE}}}(\lambda ) \end{aligned}$$

Proof

The proof is similar to that of Lemma 8 with a few changes. We construct an adversary \({\mathcal {B}}_4\) against the adaptive simulation-security of \({\varPi }_{{\textsf {extOne}}}\) depending on the adversary \({\mathcal {A}}\). Let \({\mathcal {C}}_4\) be the challenger of the security experiment of \({\varPi }_{{\textsf {extOne}}}\). The adversary \({\mathcal {B}}_4\) works as follows:

  • Setup: \({\mathcal {B}}_4\) gets \({\textsf{MPK}}_2\) from \({\mathcal {C}}_4\) and computes

    $$\begin{aligned} ({\textsf{MSK}}_1^*, {\textsf{MPK}}_1) \leftarrow {\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B}) \end{aligned}$$

    It returns \({\textsf{MPK}}= ({\textsf{MPK}}_1, {\textsf{MPK}}_2)\) to \({\mathcal {A}}\).

  • Pre-challenge Key Queries: \({\mathcal {A}}\) asks for a secret-key corresponding to the function \(f_q\) at the q-th key query for \(q \in [Q_{{\textsf {pre}}}]\). First, \({\mathcal {B}}_4\) samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and computes

    $$\begin{aligned} {\textsf{SK}}_{f_q, 1}^* \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}_1^*, (f_q, [\![{\varvec{y}}_q]\!]_2)) \end{aligned}$$

    Next, \({\mathcal {B}}_4\) forwards \((f_q, {\varvec{y}}_q)\) to \({\mathcal {C}}_4\) and gets a secret-key \(\widetilde{{\textsf{SK}}}_{f_q, 2}\). Finally, \({\mathcal {B}}_4\) returns \({\textsf{SK}}_{f_q} = ({\textsf{SK}}_{f_q, 1}^*, \widetilde{{\textsf{SK}}}_{f_q, 2})\) to \({\mathcal {A}}\).

  • Ciphertext Query: \({\mathcal {A}}\) sends the challenge ciphertext \(({\varvec{x}}_i^*, {\varvec{z}}_i^*)_{i \in [N]}\). Now, \({\mathcal {B}}_4\) samples \({\varvec{w}}_2, \ldots , {\varvec{w}}_N \leftarrow {\mathbb {Z}}_p^k\) and defines the set

    $$\begin{aligned} {\mathcal {V}}_1 = \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![\sum _{i \in [\eta ]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i]\!]_1) : q \in [Q_{{\textsf {pre}}}]\} \end{aligned}$$

    Now, \({\mathcal {B}}_4\) computes the ciphertexts

    $$\begin{aligned}&{\textsf{CT}}_1^* \leftarrow {\textsf{Enc}}^*_{{\textsf{extFE}}}({\textsf{MPK}}_1, {\textsf{MSK}}_1^*, {\mathcal {V}}_1)\\&{\textsf{CT}}_i \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_i^*, {\varvec{0}} || {\varvec{w}}_i )) \text { for } i \in [2, \eta -1],\\&{\textsf{CT}}_i \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_i^*, {\varvec{z}}_i^* || {\varvec{w}}_i )) \text { for } i \in [ \eta +1, N] \end{aligned}$$

    Next, \({\mathcal {B}}_4\) sends \(({\varvec{x}}_{\eta }^*, {\varvec{0}}|| {\varvec{w}}_{\eta })\) as its challenge ciphertext to \({\mathcal {C}}_4\) and receives a ciphertext \(\widetilde{{\textsf{CT}}}_{\eta }\). Finally, \({\mathcal {B}}_4\) sends the challenge ciphertext \({\textsf{CT}}= ({\textsf{CT}}_1^*, {\textsf{CT}}_2, \ldots , {\textsf{CT}}_{\eta -1}, \widetilde{{\textsf{CT}}}_{\eta }, {\textsf{CT}}_{\eta +1},\ldots , {\textsf{CT}}_N)\) to \({\mathcal {A}}\).

  • Post-challenge Key Queries: \({\mathcal {A}}\) asks for a secret-key corresponding to the function \(f_q\) at the q-th key query for \(q \in [Q_{{\textsf {pre}}}+1, Q]\). First, \({\mathcal {B}}_4\) samples \({\varvec{y}}_q \leftarrow {\mathbb {Z}}_p^k\) and computes

    $$\begin{aligned} {\textsf{SK}}_{f_q, 1}^* \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 1}({\textsf{MSK}}_1^*, {\varvec{x}}_1^*, (f_q, [\![{\varvec{y}}_q]\!]_2), [\![\sum _{i \in [\eta ]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i]\!]_2) \end{aligned}$$

    Next, \({\mathcal {B}}_4\) forwards \((f_q, {\varvec{y}}_q)\) to \({\mathcal {C}}_4\) and gets a secret-key \(\widetilde{{\textsf{SK}}}_{f_q, 2}\). Finally, \({\mathcal {B}}_4\) returns \({\textsf{SK}}_{f_q} = ({\textsf{SK}}_{f_q, 1}^*, \widetilde{{\textsf{SK}}}_{f_q, 2})\) to \({\mathcal {A}}\).

Observe that, if \({\mathcal {C}}_4\) chooses the simulator of \({\varPi }_{{\textsf {extOne}}}\) then

$$\begin{aligned}&({\textsf{MSK}}_2^*, {\textsf{MPK}}_2) \leftarrow {\textsf{Setup}}^*_{{\textsf{extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B})\\&\widetilde{{\textsf{SK}}}_{f_q, 2} \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 0}({\textsf{MSK}}_2^*, (f_q, [\![{\varvec{y}}_q]\!]_2)) ~~\forall q \in [Q_{{\textsf {pre}}}]\\&\widetilde{{\textsf{CT}}}_{\eta } \leftarrow {\textsf{Enc}}^*_{{\textsf{extFE}}}({\textsf{MPK}}_2, {\textsf{MSK}}_2^*, {\mathcal {V}}_2) \\&\widetilde{{\textsf{SK}}}_{f_q, 2} \leftarrow {\textsf{KeyGen}}^*_{{\textsf{extFE}}, 1}({\textsf{MSK}}_2^*, {\varvec{x}}_{\eta }^*, (f_q, [\![{\varvec{y}}_q]\!]_2), [\![ {\varvec{y}}_q^{\top } {\varvec{w}}_{\eta }]\!]_2) ~~\forall q \in [Q_{{\textsf {pre}}}+1, Q] \end{aligned}$$

where \({\mathcal {V}}_2 = \{((f_q, [\![{\varvec{y}}_q]\!]_1), [\![ {\varvec{y}}_q^{\top } {\varvec{w}}_{\eta }]\!]_1) : q \in [Q_{{\textsf {pre}}}] \}\) and hence \({\mathcal {B}}_4\) simulates \({\textsf {H}}_{2, \eta , 2}\). If \({\mathcal {C}}_4\) chooses the real algorithms of \({\varPi }_{{\textsf {extOne}}}\) then

$$\begin{aligned}&({\textsf{MSK}}_2, {\textsf{MPK}}_2) \leftarrow {\textsf {Setup}}_{{\textsf {extFE}}}(1^{\lambda }, 1^{n}, 1^{n^{\prime }}, 1^{B})\\&\widetilde{{\textsf{SK}}}_{f_q, 2} \leftarrow {\textsf {KeyGen}}_{{\textsf {extFE}}}({\textsf{MSK}}_2, (f_q, [\![{\varvec{y}}_q]\!]_2)) ~~\forall q \in [Q]\\&\widetilde{{\textsf{CT}}}_{\eta } \leftarrow {\textsf {Enc}}_{{\textsf {extFE}}}({\textsf{MPK}}_2, ({\varvec{x}}_{\eta }^*, {\varvec{0}}|| {\varvec{w}}_{\eta })) \end{aligned}$$

and hence \({\mathcal {B}}_4\) simulates \({\textsf {H}}_{2, \eta , 3}\). \(\square \)
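
The following consistency check is added here and is not part of the original proof. It assumes, as the simulated values \([\![ {\varvec{y}}_q^{\top } {\varvec{w}}_{\eta }]\!]\) for the slot \(({\varvec{x}}_{\eta }^*, {\varvec{0}}|| {\varvec{w}}_{\eta })\) indicate, that decrypting an encryption of \(({\varvec{x}}, {\varvec{z}} || {\varvec{w}})\) with a key for \((f, {\varvec{y}})\) yields \(f({\varvec{x}})^{\top } {\varvec{z}} + {\varvec{y}}^{\top } {\varvec{w}}\). Summing the per-slot values that the key \({\textsf{SK}}_{f_q}\) recovers from the challenge ciphertext built by \({\mathcal {B}}_4\) (slot 1 simulated, slots \(2, \ldots , \eta \) carrying \({\varvec{0}} || {\varvec{w}}_i\), slots \(\eta + 1, \ldots , N\) carrying \({\varvec{z}}_i^* || {\varvec{w}}_i\)) gives

$$\begin{aligned}&\underbrace{\sum _{i \in [\eta ]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i}_{\text {slot } 1} + \underbrace{\sum _{i \in [2, \eta ]} {\varvec{y}}_q^{\top } {\varvec{w}}_i}_{\text {slots } 2, \ldots , \eta } + \underbrace{\sum _{i \in [\eta + 1, N]} \left( f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* + {\varvec{y}}_q^{\top } {\varvec{w}}_i \right) }_{\text {slots } \eta + 1, \ldots , N}\\&\quad = \sum _{i \in [N]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* + \left( \sum _{i \in [2, \eta ]} {\varvec{y}}_q^{\top } {\varvec{w}}_i + \sum _{i \in [\eta + 1, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i - \sum _{i \in [2, N]} {\varvec{y}}_q^{\top } {\varvec{w}}_i \right) \\&\quad = \sum _{i \in [N]} f_q({\varvec{x}}_i^*)^{\top } {\varvec{z}}_i^* \end{aligned}$$

The masks \({\varvec{y}}_q^{\top } {\varvec{w}}_i\) cancel, so every key \({\textsf{SK}}_{f_q}\) still recovers the correct attribute-weighted sum. Slot \(\eta \) contributes \({\varvec{y}}_q^{\top } {\varvec{w}}_{\eta }\) whether \({\mathcal {C}}_4\) answers with the simulator or with the real algorithms, so the identity holds in both \({\textsf {H}}_{2, \eta , 2}\) and \({\textsf {H}}_{2, \eta , 3}\).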