Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products

Transcription

1 Predicate Encrytion Suorting Disjunctions, Polynomial Equations, and Inner Products Jonathan Katz Amit Sahai Brent Waters Abstract Predicate encrytion is a new aradigm for ublic-key encrytion that generalizes identitybased encrytion and more. In redicate encrytion, secret keys corresond to redicates and cihertexts are associated with attributes; the secret key SK f corresonding to a redicate f can be used to decryt a cihertext associated with attribute I if and only if fi = 1. Constructions of such schemes are currently known only for certain classes of redicates. We construct a scheme for redicates corresonding to the evaluation of inner roducts over Z N for some large integer N. This, in turn, enables constructions in which redicates corresond to the evaluation of disjunctions, olynomials, CNF/DNF formulae, thresholds, and more. Besides serving as a significant ste forward in the theory of redicate encrytion, our results lead to a number of alications that are interesting in their own right. 1 Introduction Traditional ublic-key encrytion is coarse grained: a sender encryts a message M with resect to a ublic key P K, and only the owner of the unique secret key associated with P K can decryt the resulting cihertext and recover the message. These straightforward semantics suffice for oint-tooint communication, where encryted data is intended for one articular reciient who is known in advance to the sender. In other settings, however, the sender may instead want to define a olicy determining who is allowed to recover the encryted data. For examle, classified data might be associated with certain keywords; this data should be accessible both to users who are allowed to read all classified information, as well as to users allowed to read information associated with the articular keywords in question. Or, erhas a atient s records should be accessible only to hysicians who have treated that atient in the ast. In other alications, it may be sufficient to detect only whether a certain redicate is satisfied; for examle, an firewall should otentially be able to evaluate whether an encryted satisfies certain attributes so that it can be forwarded aroriately, without learning anything else about the encryted message. Det. of Comuter Science, University of Maryland. jkatz@cs.umd.edu. Research suorted in art by NSF CAREER award # and the US Army Research Laboratory and the UK Ministry of Defence under agreement number W911NF Comuter Science Deartment, UCLA. sahai@cs.ucla.edu. Research suorted in art by NSF grants # , # , # , and # , a subgrant from SRI as art of the Army Cyber-TA rogram, an equiment grant from Intel, an Okawa Research Award, and an Alfred P. Sloan Foundation Research Fellowshi. Det. of Comuter Science, University of Texas at Austin. bwaters@cs.utexas.edu. Portions of this work were done while the author was at SRI International. 1

2 Alications such as those sketched above require new crytograhic mechanisms that rovide more fine-grained control over access to encryted data. Predicate encrytion offers one such tool. At a high level formal definitions are given in Section 2, secret keys in a redicate encrytion scheme corresond to redicates i.e., boolean functions in some class F, and a sender associates a cihertext with an attribute from a set Σ; a cihertext associated with the attribute I Σ can be decryted by a secret key SK f corresonding to the redicate f F if and only if fi = 1. The basic level of security achieved by such schemes guarantees, informally, that a cihertext associated with attribute I hides all information about the underlying message unless one is in ossession of a secret key giving the exlicit ability to decryt. That is, if an adversary A holds keys SK f1,..., SK fl, then A learns nothing about the message if f 1 I = = f l I = 0. We refer to this security notion as ayload hiding. A stronger notion of security that we call attribute hiding requires that the cihertext hides the message as above, and additionally requires that the cihertext hides all information about the associated attribute I excet that which is exlicitly leaked by the keys in one s ossession. That is, an adversary holding secret keys as above learns only f 1 I,..., f l I and the message, in case one of these evaluates to 1, but learns nothing else about I. See Section 2 for formal definitions. Much rior work can be cast in the framework of redicate encrytion. Identity-based encrytion IBE [32, 11, 19, 18, 5, 6, 36] can be viewed as redicate encrytion for the class of equality tests; the standard notion of security for IBE [11, 18] corresonds to ayload hiding, while anonymous IBE [10, 1, 16, 22] corresonds to the stronger notion of attribute hiding. Forward-secure ublic-key encrytion [18] can be viewed as redicate encrytion for the class of greater-than redicates. Attribute-based encrytion schemes [31, 23, 4, 30] and schemes suorting range queries [34] can also be cast in the framework of redicate encrytion. In this case all the listed constructions achieve ayload hiding only. Boneh and Waters [14] construct a redicate encrytion scheme that handles range queries as well as conjunctions of, e.g., equality tests; their scheme satisfies the stronger notion of attribute hiding. Other work introducing concets related to the idea of redicate encrytion includes [3, 2]. In contrast to the resent work, however, the threat model in those works does not consider collusion among users holding different secret keys. 1.1 Our Results An imortant research direction is to construct redicate encrytion schemes for redicate classes F that are as exressive as ossible, with the ultimate goal being to handle all olynomial-time redicates. In addition, it is of indeendent interest to exlore constructions of attribute-hiding in contrast to ayload-hiding schemes. In this work, we make rogress in both these directions. The aim of our work is to construct attribute-hiding schemes handling disjunctions. Most rior work as surveyed above yields only ayload-hiding schemes, and existing techniques for obtaining attribute hiding are limited to handling conjunctions. Indeed, handling disjunctions was left as an oen question in [14]. On a technical level, this is because the underlying crytograhic mechanism used in the schemes handling conjunctions is to air comonents of the secret key with corresonding comonents of the cihertext and then multily the intermediate results together; a cancelation in the exonent occurs if everything matches, but a random grou element results if there is any mismatch. Thus, the holder of a non-matching secret key learns only that there was a mismatch in at least one osition, but does not learn the number of mismatches or their locations as required for attribute hiding. On the other hand, very different techniques seem 2

3 needed to suort disjunctions since now a mismatch in a single osition should not give a random grou element but must instead somehow result in a cancelation if there is a match in any other osition. We stress that what makes this difficult when attribute hiding is desired is that we must hide the osition of a match, and only reveal the existence of a match in at least one osition. As a steing stone toward an attribute-hiding scheme handling disjunctions, we first focus on redicates corresonding to the comutation of inner roducts over Z N for some large integer N. Formally, we take Σ = Z l N as our set of attributes, and take our class of redicates to be F = {f x x Z l N } where f x y = 1 iff x, y = 0. Here, x, y denotes the standard inner roduct l x i y i mod N of two vectors x and y. We construct a redicate encrytion scheme for this F without random oracles, based on two new assumtions in comosite-order grous equied with a bilinear ma. Our assumtions are non-interactive and of constant size, and can be shown to hold in an extension of the generic-grou model where a bilinear ma is rovided and comosite-order grous are allowed. A essimistic interretation of our results would be that we rove security in the generic-grou model, but we believe it is notable that we are able to distill our necessary assumtions to ones that are comact and falsifiable. Our construction uses new techniques, most rominently the fact that we work in a bilinear grou whose order is a roduct of three rimes. In follow-u work, Freeman [20] shows how to modify our construction so that it works using grous of rime order. Okamoto and Takashima [29] show a different construction that only achieves ayload hiding. We view our main construction as a significant ste toward increasing the exressiveness of redicate encrytion. Moreover, we show that any redicate encrytion scheme suorting innerroduct redicates as described above can be used as a building block to construct redicates of more general tyes: As an easy warm-u, we show that it imlies anonymous identity-based encrytion as well as hidden-vector encrytion [14]. As a consequence, our work imlies all the results of [14]. We can also construct redicate encrytion schemes suorting olynomial evaluation. Here, we take Z N as our set of attributes, and redicates corresond to olynomials over Z N of some bounded degree; a redicate evaluates to 1 iff the corresonding olynomial evaluates to 0 on the attribute in question. We can also extend this to include multi-variate olynomials in a bounded number of variables. A dual of this construction allows the attributes to be olynomials, and the redicates to corresond to evaluation at a fixed oint. Given the above, we can fairly easily suort redicates that are disjunctions of other redicates e.g., equality, thus achieving our main goal. In the context of identity-based encrytion, this gives the ability to issue a secret key corresonding to a set S of identities that enables decrytion whenever a cihertext is encryted to any one of the identities in S without leaking which identity was actually used when encryting. We show how to handle redicates corresonding to bounded-size DNF and CNF formulae. Working directly with our inner-roduct construction, we can derive a scheme suorting threshold queries of the following form: Attributes are subsets of A = {1,..., l}, and redicates take the form {f S,t S A} where f S,t S = 1 iff S S = t. This is useful in the fuzzy IBE setting of Sahai and Waters [31], and imroves on their work in that we achieve attribute hiding rather than only ayload hiding and handle exact thresholds. We defer further discussion regarding the above until Section 5. 3

4 1.2 Subsequent Work Our inner-roduct scheme is roven secure in the selective security model [18] where the adversary is required to outut the challenge attributes in advance, before the ublic key is generated. An imortant question left oen by our work is to construct an inner-roduct scheme secure under an adative definition where the adversary may decide on the challenge attributes after observing the ublic key and obtaining some set of secret keys. Recent work of Lewko et al. [26] makes artial rogress on this question by giving a construction that is secure given an additional restriction on the keys the adversary is allowed to obtain: secifically, the adversary is only allowed to obtain keys whose inner roduct is nonzero with resect to both challenge attributes. Unfortunately, this restriction recludes our main motivating alication of handling disjunctions. Since our work, various extensions and generalizations of inner-roduct redicate encrytion have been considered. Shi, Shen, and Waters [33] exlored a symmetric-key variant of innerroduct encrytion in relation to a new definition of security that cannot be achieved in the ublic-key setting where secret keys should not leak information about the redicates to which they corresond. Okamoto and Takashima have investigated hierarchical inner-roduct encrytion [28] as well as a combination of inner-roduct encrytion and attribute-based encrytion [29]. Boneh, Sahai, and Waters have also roosed a generalization of redicate encrytion called functional encrytion [13]. 2 Definitions We rovide formal definitions, following [14], for the syntax of redicate encrytion and the security roerties discussed informally in the introduction. Throughout this section, we consider the general case where Σ denotes an arbitrary set of attributes and F denotes an arbitrary set of redicates over Σ. Formally, both Σ and F may deend on the security arameter and/or the master ublic arameters and, indeed, this will be the case in our main constructions; for simlicity, we leave this deendence imlicit. We let t stand for robabilistic olynomial time. Definition 2.1. A redicate encrytion scheme for the class of redicates F over the set of attributes Σ consists of four randomized t algorithms Setu, Enc, GenKey, Dec such that: Setu takes as inut the security arameter 1 n and oututs a master ublic key P K and a master secret key SK. Enc takes as inut the ublic key P K, an attribute I Σ, and a message M in some associated message sace. It returns a cihertext C. We write this as C Enc P K I, M. GenKey takes as inut the master secret key SK and a descrition of a redicate f F. It oututs a key SK f. Dec takes as inut a secret key SK f and a cihertext C. It oututs either a message M or the distinguished symbol. For correctness, we require that for all n, all P K, SK generated by Setu1 n, all f F, any key SK f GenKey SK f, and all I Σ: If fi = 1 then Dec SKf Enc P K I, M = M. If fi = 0 then Dec SKf Enc P K I, M = with all but negligible robability. 4

5 A useful variant of the above is a redicate-only scheme. Here, Enc takes only an attribute I and no message, and the correctness requirement is that Dec SKf Enc P K I = fi excet ossibly with negligible robability. One can further relax the correctness requirement in either case so that correctness is required to hold only in a comutational sense; namely, that it is hard to find f and I for which Dec SKf Enc P K I fi. Our schemes satisfy this notion of correctness. Our definition of attribute-hiding security corresonds to the notion described informally earlier. An adversary may request keys corresonding to the redicates f 1,..., f l, and is given either Enc P K I 0, M 0 or Enc P K I 1, M 1 for attributes I 0, I 1 such that f i I 0 = f i I 1 for all i. Furthermore, if M 0 M 1 then it is required that f i I 0 = f i I 1 = 0 for all i. The goal of the adversary is to determine which attribute/message air was encryted, and the stated conditions ensure that this is not trivial. We use the selective notion of security introduced in [18], where I 0, I 1 must be chosen by the adversary in advance. Observe that when secialized to the case when F consists of equality tests on strings, the definition corresonds to anonymous IBE with selective-id security. Our definition corresonds to security against chosen-laintext attacks, and we do not consider chosen-cihertext attacks in this work. Definition 2.2. A redicate encrytion scheme with resect to F and Σ is attribute hiding if for all t adversaries A, the advantage of A in the following exeriment is negligible in the security arameter n: 1. A1 n oututs I 0, I 1 Σ. 2. Setu1 n is run to generate P K and SK, and the adversary is given P K. 3. A may adatively request keys for any redicates f 1,..., f l F subject to the restriction that f i I 0 = f i I 1 for all i. In resonse, A is given the corresonding keys SK fi GenKey SK f i. 4. A oututs two equal-length messages M 0, M 1. If there is an i for which f i I 0 = f i I 1 = 1, then it is required that M 0 = M 1. A random bit b is chosen, and A is given the cihertext C Enc P K I b, M b. 5. The adversary may continue to request keys for additional redicates, subject to the same restrictions as before. 6. A oututs a bit b, and succeeds if b = b. The advantage of A is the absolute value of the difference between its success robability and 1/2. For redicate-only encrytion schemes, attribute hiding is defined by simly omitting the messages in the above exeriment. Payload hiding, a strictly weaker notion of security, is defined by forcing I 0 = I 1 = I in the above exeriment in which case A has advantage 0 if f i I = 1 for any i. 3 Background on Pairings and Comlexity Assumtions We assume some familiarity with bilinear mas as used, e.g., in [24, 25, 11], though our treatment will be self-contained. We focus secifically on bilinear grous of comosite order, first used in crytograhic alications by [12]. In contrast to all rior work using comosite-order bilinear grous, however, we use grous whose order N is a roduct of three distinct rimes. All grous are written multilicatively with identity element 1. Let G be an algorithm that takes as inut a security arameter 1 n and oututs a tule, q, r, G, G T, ê where, q, r are distinct rimes, G and G T are two cyclic grous of order N = qr, and ê : G G G T is a non-degenerate 5

6 bilinear ma: i.e., for all u, v G and all a, b Z we have êu a, v b = êu, v ab, and if g generates G then êg, g generates G T. We assume multilication in G and G T, as well as the bilinear ma ê, are all comutable in time olynomial in n. Furthermore, we assume that the descritions of G and G T include generators of G and G T, resectively. An algorithm G with the required roerties can be based on suersingular ellitic curves with the modified Weil or Tate airing used for ê; we refer to [11, 12, 21] for details. We use the notation G, G q, G r to denote the subgrous of G having order, q, and r, resectively. In addition, let G q denote the subgrou of order q, let G r denote the subgrou of order r, and let G qr denote the subgrou of order qr. Note also that if g is a generator of G then the element g q is a generator of G r, the element g r is a generator of G q, and the element g qr is a generator of G. Furthermore, if h G and h q G q then êh, h q = ê g qr α 1, g r α 2 = ê g α 1, g rα 2 qr = 1, where α 1 = log g qr h and α 2 = log g r h q. A similar rule holds whenever ê is alied to elements in any two subgrous whose only intersection is the identity element. 3.1 Crytograhic Assumtions We now state the assumtions we use to rove security of our construction. These assumtions are new, but we rove in Aendix A that they hold in the generic-grou model as long as finding a non-trivial factor of N the grou order is hard. We state our assumtions exlicitly and highlight that they are non-interactive in contrast to, e.g., the LRSW assumtion [17] and of fixed size in contrast to, e.g., the q-sdh assumtion [7]. Only Assumtion 1 is needed for our main redicateonly construction; Assumtion 2 in addition to Assumtion 1 is used to construct a scheme with better efficiency. Assumtion 1. Let G be as above. We say that G satisfies Assumtion 1 if the advantage of any t algorithm A in the following exeriment is negligible in the security arameter n: 1. G1 n is run to obtain, q, r, G, G T, ê. Set N = qr, and let g, g q, g r be generators of G, G q, and G r, resectively. 2. Choose random Q 1, Q 2, Q 3 G q, random R 1, R 2, R 3 G r, random a, b, s Z, and a random bit c. Give to A the values N, G, G T, ê as well as g, g r, g q R 1, g b, g b2, g a g q, g ab Q 1, g s, g bs Q 2 R 2. If c = 0 give A the value T = g b2 s R 3, while if c = 1 give A the value T = g b2 s Q 3 R A oututs a bit c, and succeeds if c = c. The advantage of A is the absolute value of the difference between its success robability and 1/2. Assumtion 2. Let G be as above. We say that G satisfies Assumtion 2 if the advantage of any t algorithm A in the following exeriment is negligible in the security arameter n: 1. G1 n is run to obtain, q, r, G, G T, ê. Set N = qr, and let g, g q, g r be generators of G, G q, and G r, resectively. 6

7 2. Choose random h G and Q 1, Q 2 G q, random s, γ Z, and a random bit c. Give to A the values N, G, G T, ê as well as g, g q, g r, h, g s, h s Q 1, g γ Q 2, êg, h γ. If c = 0 then give A the value êg, h γs, while if c = 1 then give A a random element of G T. 3. A oututs a bit c, and succeeds if c = c. The advantage of A is the absolute value of the difference between its success robability and 1/2. Assumtion 1 can be viewed as variant of a subgrou-decision assumtion cf. [12], insofar as T is either an element of G r with random G r comonent or an element of G with random G q and G r comonents and we require that it be hard to distinguish between the two ossibilities. Assumtion 2 is similar in sirit to the decisional bilinear Diffie-Hellman decisional-bdh assumtion [11] which in our context would be the assumtion that, given g γ, g, s and h, it is hard to distinguish êg, h γs from a random element of G T. The decisional-bdh roblem becomes easy given the additional information h s ; in Assumtion 2, however, g γ and h s are each masked by indeendent random elements in G q. Both the above assumtions imly the hardness of finding any non-trivial factor of N. For Assumtion 2 this is immediate: êg, h γs has order, whereas a random element of G T has order N with all but negligible robability. For Assumtion 1, êg b2 s R 3, gg a q has order whereas êg b2 s Q 3 R 3, gg a q has order q with all but negligible robability; thus, knowledge of or q and hence r immediately gives a distinguisher. A similar argument alied to êg b2 s R 3, g q R 1 and êg b2 s Q 3 R 3, g q R 1 imlies a distinguisher if r is known. 4 A Predicate-Only Encrytion Scheme Our main construction is a redicate encrytion scheme where the set of attributes is Σ = Z l N, and the class of redicates is F = {f v v Z l N } with f v x = 1 iff v, x = 0 mod N. Here, we resent a redicate-only version of the scheme based on Assumtion 1. Note that any attribute-hiding, redicate-only scheme can be used to encryt arbitrary length messages in a bit-by-bit fashion: To encryt a message M using attribute x, first choose another vector x uniformly at random. Then, for i = 1,..., M, if M i = 1 encryt using attribute x, and if M i = 0 encryt using attribute x. Since v, x has only a negligible robability of being zero for any v, this will achieve the desired functionality and security. Note that here we rely on attribute hiding, so that the adversary does not learn x uon seeing the cihertext. We show in Aendix B how the scheme below can be generalized to give a more efficient redicate encrytion scheme that natively handles long messages, using both Assumtions 1 and Intuition for the Construction In our construction, each cihertext has associated with it a secret vector x, and each secret key corresonds to a vector v. The decrytion rocedure must check whether x v = 0 mod N, and reveal nothing about x but whether this is true. To do this, we will make use of a bilinear grou G whose order N is the roduct of three rimes, q, and r. Let G, G q, and G r denote the subgrous of G having order, q, and r, resectively. We will informally assume, as in [12], that a random 7

8 element in any of these subgrous is indistinguishable from a random element of G. 1 Thus, we can use random elements from one subgrou to mask elements from another subgrou. At a high level, we will use these subgrous as follows: G q will be used to encode the vectors x and v in the cihertext and secret keys, resectively. This will be done, e.g., in the case of cihertexts by utting each element of the vector x = x 1,..., x l in the exonent of its own comonent of the cihertext. Comutation of the inner roduct v, x will be done in G q, in the exonent, using the bilinear ma. The subgrou G will be used to encode an equation again in the exonent that evaluates to zero when decrytion is done roerly. This subgrou is used to revent an adversary from imroerly maniulating the comutation by, e.g., changing the order of comonents of the cihertext or secret key, raising these comonents to some ower, etc.. On an intuitive level, if the adversary tries to maniulate the comutation in any way, then the comutation occurring in the G subgrou will no longer yield the identity i.e., will no longer yield 0 in the exonent, but will instead have the effect of masking the correct answer with a random element of G which will invalidate the entire comutation. Elements in G r are used for general masking of terms in other subgrous; i.e., random elements of G r are multilied with various comonents of the cihertext and secret key in order to hide information that might be resent in the G or G q subgrous. 4.2 A Predicate-Only Encrytion Scheme We now describe our scheme in detail. Below, we assume the length l of vectors is fixed for simlicity, but it could also be taken as any olynomial function of the security arameter n. Setu1 n. The setu algorithm first runs G1 n to obtain, q, r, G, G T, ê. Next, it comutes g, g q, and g r as generators of G, G q, and G r, resectively. It then chooses R 1,i, R G r and h 1,i, h G uniformly at random for i = 1 to l, and R 0 G r uniformly at random. The ublic arameters include N = qr, G, G T, ê along with: P K = The master secret key SK is g, g r, Q = g q R 0, {H 1,i = h 1,i R 1,i, H = h R } l, q, r, g q, {h 1,i, h } l. Enc P K x. Let x = x 1,..., x l with x i Z N. This algorithm chooses random s, α, β Z N and R 3,i, R 4,i G r for i = 1 to l. Note that a random element R G r can be samled, without the factorization of N, by choosing random δ Z N and setting R = gr. δ It oututs the cihertext C = C 0 = g s, { C 1,i = H s 1,i Q α xi R 3,i, C = H s Q β xi R 4,i } l GenKey SK v. Let v = v 1,..., v l, and recall SK =, q, r, g q, {h 1,i, h } l. This algorithm chooses random r 1,i, r Z for i = 1 to l, random R 5 G r, random f 1, f 2 Z q, and random Q 6 G q. It then oututs SK v = K = R 5 Q 6 h r 1,i 1,i h r, { K 1,i = g r 1,i g f 1 v i q, K = g r 1 This is only for intuition. Our actual comutational assumtions are given in Section 3... } l g f 2 v i q. 8

9 Dec SK v C. Let C = C 0, { C 1,i, C } l and SK v = decrytion algorithm oututs 1 iff K, {K 1,i, K } l be as above. The and oututs 0 otherwise. êc 0, K êc 1,i, K 1,i êc, K = 1, Correctness. To see that correctness holds, let C and SK v be as above. Then êc 0, K = ê = ê = êc 1,i, K 1,i êc, K g s, R 5 Q 6 g s, h r 1,i 1,i h r h r 1,i 1,i h r ê ê h s 1,i g α x i H s 1,iQ α x i R 3,i, g r 1,i q, g r 1,i êg q, g q αf 1+βf 2 x i v i = êg q, g q αf 1+βf 2 mod q x, v, g f 1 v i q ê g f 1 v i q ê h s g β x i H s Q β x i R 4,i, g r q, g r g f 2 v i q g f 2 v i q where α, β are random in Z N and f 1, f 2 are random in Z q. If x, v = 0 mod N, then the above evaluates to 1. If x, v 0 mod N there are two cases: if x, v 0 mod q then with all but negligible robability over choice of α, β, f 1, f 2 the above evaluates to an element other than the identity. The other ossibility is that x, v = 0 mod q, in which case the above would always evaluate to 1; however, comuting gcd x, v, N would then give a non-trivial factor of N and so this occurs with only negligible robability recall, our assumtions imly hardness of finding a non-trivial factor of N. There may aear to be some redundancy in our construction; for instance, the C 1,i and C comonents lay identical roles. In fact we can view the encrytion scheme as consisting of two arallel sub-systems linked via the C 0 comonent and the K comonent of the secret key. A natural question is whether this redundancy can be eliminated to achieve better erformance. While such a construction aears to be secure, our current roof relies in an essential way on having these two arallel sub-systems. 4.3 Proof Intuition The most challenging asect to roviding a roof of our scheme arises from the disjunctive caabilities of our system. In the revious attribute-hiding conjunctive scheme [14], security was roved via a sequence of hybrid games in which the challenge cihertext associated with a vector x was changed comonent-by-comonent to a challenge cihertext associated with a vector y. The adversary in that case was only allowed to request secret keys that did not match either of x or y, and so in every hybrid game it was the case that the adversary s secret keys would not match the challenge cihertext. Thus, the hybrids could be handled in a relatively straightforward manner. In our roof the adversary will again try to determine which of two vectors x or y is associated with the challenge cihertext. However, in our case the adversary may legally request a secret key 9

10 SK v that matches both x and y, i.e., the adversary may request a secret key SK v for which both x, v = 0 and y, v = 0. This means that we cannot use a sequence of hybrid games as outlined above. To see why, note that if we change one comonent at a time in the challenge cihertext, then the hybrid vector used in an intermediate ste will likely not match SK v i.e., will not be orthogonal to v, and the adversary can detect this just by running the legal decrytion rocedure. Therefore, we need to use a sequence of hybrid games in which an entire vector used in the challenge cihertext is changed in one ste, instead of using a sequence of hybrid games where the vector is changed comonent-by-comonent. To do this we take advantage of the fact that our encrytion scheme contains two arallel sub-systems corresonding to the {C 1,i } and {C } comonents of the cihertext, resectively. In our roof we will use hybrid games where a challenge cihertext is encryted with resect to one vector in the first sub-system and a different vector in the second sub-system. Note that such a cihertext is ill-formed, since any honestly generated cihertext will always use the same vector in each sub-system. Let a, b denote the exeriment where the challenge cihertext is encryted using vector a in the first sub-system and b in the second sub-system. To rove indistinguishability between the case when the challenge cihertext is associated with x which corresonds to x, x and the case when the challenge cihertext is associated with y which corresonds to y, y, we use a sequence of intermediate hybrid games x, 0, x, y, 0, y, showing indistinguishability in each case. That is, we show x, x x, 0 x, y 0, y y, y, roving our desired result. We use the 0-vector since it is orthogonal to everything. Using this structure in our roof allows us to use a simulator that will essentially work in one subsystem without knowing what is haening in the other one. The simulator embeds a subgrou decision-like challenge into the challenge cihertext for each exeriment. The structure of the challenge will determine whether a sub-system encryts the given vector or the zero vector. Details of our roof and further discussion are given in the following section. 4.4 Proof of Security This section is devoted to a roof of the following theorem: Theorem 4.1. If G satisfies Assumtion 1 then the scheme described in Section 4 is an attributehiding, redicate-only encrytion scheme. For convenience, we re-state Definition 2.2 in the articular setting of our main construction, which is a redicate-only scheme where the set of attributes is Σ = Z l N and the class of redicates corresonds to inner roducts, namely, F = {f x x Z l N } with f x y = 1 iff x, y = 0 mod N. The articular redicate we use requires a slight change in the definition, since the set of attributes deends on the master ublic key but in Definition 2.2 the adversary is suosed to outut I 0, I 1 before receiving the ublic key. We adat the definition in the natural way by giving A the modulus N first, then requiring it to outut I 0, I 1 before being given the rest of the ublic key. Definition 4.2. A redicate-only encrytion scheme for Σ, F as above is attribute hiding if for all t adversaries A, the advantage of A in the following exeriment is negligible in the security arameter n: 1. Setu1 n is run to generate keys P K, SK. This defines a value N which is given to A. 10

11 2. A oututs x, y Z l N, and is then given P K. 3. A may adatively request keys corresonding to the vectors v 1,... Z n N, subject to the restriction that, for all i, v i, x = 0 mod N if and only if v i, y = 0 mod N. In resonse, A is given the corresonding keys SK vi GenKey SK f vi. 4. A random bit b is chosen. If b = 0 then A is given C Enc P K x, and if b = 1 then A is given C Enc P K y. 5. The adversary may continue to request keys for additional vectors, subject to the same restriction as before. 6. A oututs a bit b, and succeeds if b = b. The advantage of A is the absolute value of the difference between its success robability and 1/2. We establish the theorem using a sequence of games, defined as follows: Game 1 : The challenge cihertext is generated as a roer encrytion using x. Recall from Definition 4.2 that we let x, y denote the two vectors outut by the adversary. That is, we choose random s, α, β Z N and random {R 3,i, R 4,i } G r and comute the cihertext as C = C 0 = g s, { } l C 1,i = H1,iQ s αx i R 3,i, C = HQ s βx i R 4,i. Game 2 : We now generate the {C } comonents as if encrytion were done using 0. That is, we choose random s, α, β Z N and random {R 3,i, R 4,i } G r and comute the cihertext as C = C 0 = g s, { C1,i = H s 1,iQ αx i R 3,i, C = H s R 4,i } l. Game 3 : We now generate the {C } comonents using vector y. That is, we choose random s, α, β Z N and random {R 3,i, R 4,i } G r and comute the cihertext as C = C 0 = g s, { } l C 1,i = H1,iQ s αx i R 3,i, C = HQ s βy i R 4,i. Game 4 : This game is defined analogously to Game 2, though here it is the {C i,1 } comonents that are generated using 0. That is, we choose random s, α, β Z N and random {R 3,i, R 4,i } G r and comute the cihertext as C = C 0 = g s, { } l C 1,i = H1,i s R 3,i, C = HQ s βy i R 4,i. Game 5 : This game is analogous to Game 1, though now the challenge cihertext is a roer encrytion using y. I.e., we choose random s, α, β Z N and random {R 3,i, R 4,i } G r and comute the cihertext as C = C 0 = g s, { } l C 1,i = H1,iQ s αy i R 3,i, C = HQ s βy i R 4,i. 11

12 The roof of the theorem is concluded once we show that the adversary cannot distinguish between Game i and Game i+1 for each i. As discussed in Section 4.3, we do not know how to roceed directly from a game in which the challenge cihertext is generated as a roer encrytion using x, to a game in which the challenge cihertext is generated as a roer encrytion using y. Indeed, this is the reason our construction uses two sub-systems. That is why our roof roceeds via the intermediate Game 3 where half the challenge cihertext corresonds to an encrytion using x and the other half corresonds to an encrytion using y. Intermediate games Game 2 and Game 4 are used to simlify the roof; it hels when art of the cihertext corresonds to an encrytion using 0 since this is orthogonal to everything. The main difficulty in our roofs will be to answer queries for decrytion keys. In considering the indistinguishability of Game 1 and Game 2 and, symmetrically, Game 4 and Game 5, we will actually be able to construct all decrytion keys i.e., even keys that would allow the adversary to distinguish an encrytion relative to x from an encrytion relative to y. In essence, we will be showing that even such keys cannot be used to distinguish a well-formed encrytion of x or y from a badly-formed one. On the other hand, in considering the indistinguishability of Game 2 and Game 3 and, symmetrically, Game 3 and Game 4 we will not be able to construct all decrytion keys. Instead, we will deal searately with the roblems of 1 roviding keys for vectors v with v, x = 0 = v, y and 2 roviding keys for vectors v with v, x 0 v, y Indistinguishability of Game 1 and Game 2 Fix an adversary A taking art in the security game of Definition 4.2. We describe a simulator who is given N = qr, G, G T, ê along with g, g r, g q R 1, h = g, b k = g b2, gg a q, g ab Q 1, g, s g bs Q 2 R 2, and an element T = g b2 s gqr ξ 3 where ξ is either 0 or uniform in Z q cf. Assumtion 1. Before describing the simulation in detail, we observe that the simulator can samle a random element R G r by choosing random δ Z N and setting R = gr. δ Although there is no direct way for the simulator to samle a random element of G q since g q is not rovided to the simulator, it def is ossible for the simulator to choose an indeendent random element QR G qr = G q G r by choosing random δ 1, δ 2 Z N and setting QR = g q R 1 δ1 g δ 2 r. Henceforth, we simly describe the simulator as samling uniformly from G r and G qr with the understanding that such samling is done in this way. Public arameters. The simulator begins by giving N to A, who oututs vectors x, y. The simulator chooses random {w 1,i, w } Z N and random {R 1,i, R } G r, includes N, G, G T, ê in the ublic arameters, and sets the remaining values as follows: P K = g, g r, g q R 1, { H 1,i = h x i g w 1,i R 1,i, H = k x i g w } l R. In doing so, the simulator is imlicitly setting h 1,i = h x i g w 1,i has the correct distribution. and h = k x i g w. Note that P K Key derivation. We now describe how the simulator reares the secret key corresonding to the vector v = v 1,..., v l. We stress that although Definition 4.2 restricts the vectors v for which the adversary is allowed to request secret keys, we do not rely on this restriction here. This is because the urose of this hybrid roof is to show that the adversary cannot distinguish between 12

13 roerly formed encrytions of x and imroerly formed encrytions that are a combination of an encrytion of x and an encrytion of 0. We begin with some intuition. We must construct the K 1,i and K comonents of the key. We do not have access to g q, but we do have g q g a and we will use this element here. This will give rise to terms containing a in the exonent of g. Note, however, that we will later have to construct the K comonent of the key, whose urose is to cancel out terms in the G subgrou. If v, x = 0, then additional terms involving ab and ab 2 aear in K. But we do not have access to g ab2 ; indeed, if we did we could easily distinguish between Game 1 and Game 2. We deal with this roblem by adding a term to the K 1,i comonents using the g ab Q 1 term given as art of the challenge that will allow us to cancel out the ab 2 terms that aear in K due to the K comonents. The simulator begins by choosing random f 1, f 2, {r 1,i }, {r } Z N. In constructing the key, imlicitly the simulator will be setting r 1,i = r 1,i + v i af 1 abf 2 1 r = r + a f 2 v i, 2 as well as f 1 = f 1 d f 2 and f 2 = f 2, where we let d = log g q Q 1. These values are each indeendently and uniformly distributed in Z N, just as they would be in actual secret-key comonents. Next, for all i the simulator comutes: and K 1,i = gg a f 1 vi f q g ab 2 v i r Q 1 g 1,i = g af 1 abf 2 v i+r 1,i K = g a g q f 2 vi g r = g af 2 v i+r g f 1 df 2 v i q g f 2 v i q. The simulator next constructs the K element of the secret key. Recall that h 1,i = g bx i g w 1,i. Therefore, the exonents in K will contain a term of the form i r 1,ibx i. But because of how we chose r 1,i, we have i r 1,ibx i = kabf 1 ab2 f 2 + i r 1,i x i where k = v, x. A similar equation holds for the terms arising from the h arts of K, and allows the simulator to cancel out all the ab 2 terms that arise in K. The simulator comutes K as follows: Let k = v, x. The simulator chooses random QR G qr and comutes k f K = QR g ab 1 Q 1 g a f g 1 v i w 1,i f 2 v f iw q g ab 2 v i w 1,i w 1,i r Q 1 g 1,i w r h x i r 1,i k x i r. i The simulator then gives the adversary SK v = K, {K 1,i, K } l as the key. To see formally that the K comonent has the correct distribution, let K, K q, and K r denote the rojections of K in G, G q, and G r, resectively. It is easy to see that K q and K r are indeendently 13

14 and uniformly distributed, as required. Furthermore, K = g abkf 1 = h akf 1 = i i i h ax iv i f 1 k x ir g af 1 v iw 1,i af 2 v iw g abf 2 v iw 1,i g w 1,ir 1,i w r h x ir 1,i k x ir h x ir 1,i g w 1,ir 1,i g w 1,iv i af 1 abf 2 g w r k x ir g w r g w af 2 v i h x ir 1,i g w 1,ir 1,i g w 1,iv i af 1 abf 2 h abx iv i f 2 h abx iv i f 2 g w af 2 v i using the fact that k = x, v = i x i, v i. Using simle but tedious algebra, we obtain, K = i = i h x ir 1,i g w 1,ir 1,i h x iv i af 1 abf 2 g w 1,iv i af 1 abf 2 k x ir h x i g w 1,i r1,i k x i g w r = i h r 1,i 1,i h r g w r k x iaf 2 v i g w af 2 v i using Eqs. 1 and 2, and thus K and hence K has the correct distribution. The challenge cihertext. The challenge cihertext is generated in a straightforward way as follows. The simulator chooses {R 7,i, R 8,i } G r at random, sets C 0 equal to g, s and comutes C 1,i = g bs xi Q 2 R 2 g s w 1,i R 7,i = h x is g w 1,is Q x i 2 R 7,i = h 1,i s Q x i 2 R 7,i C = T xi g s w R 8,i = h s g ξ q xi R 8,i, where {R 7,i, R 8,i } are random elements of G r whose exact values are unimortant. Analysis. By examining the rojections of the comonents of the challenge cihertext in the grous G, G q, and G r, it can be verified that when ξ is random the challenge cihertext is distributed exactly as in Game 1, whereas if ξ = 0 the challenge cihertext is distributed exactly as in Game 2. It follows that if A succeeds in distinguishing these two games then our simulator can use A to break Assumtion 1. Thus if Assumtion 1 holds, these two games are indistinguishable Indistinguishability of Game 2 and Game 3 Fix again some adversary A taking art in the security game of Definition 4.2. We describe a simulator who is given N = qr, G, G T, ê along with the elements g, g r, g q R 1, h = g, b k = g b2, gg a q, g ab Q 1, g, s g bs Q 2 R 2, and an element T = g b2 s gqr ξ 3 where ξ is either 0 or uniform in Z q. Recall that samling uniform elements from G r and G qr can be done efficiently. The simulator interacts with A as we now describe. 14

15 Public arameters. The simulator begins by giving N to A, who oututs vectors x, y. The simulator chooses random {w 1,i, w } Z N and random {R 1,i, R } G r, includes N, G, G T, ê in the ublic arameters, and sets the rest of the master ublic key as follows: P K = g, g r, g q R 1, { H 1,i = h x i g w 1,i R 1,i H = k y i g w } l R. In doing so, the simulator is imlicitly setting h 1,i = h x i g w 1,i has the aroriate distribution. and h = k y i g w. Note that P K Key derivation. The adversary A may request secret keys corresonding to different vectors, and we now describe how the simulator reares the secret key corresonding to the vector v = v 1,..., v l. Here, the simulator will only be able to roduce the aroriate secret key when the vector v satisfies the restriction imosed by Definition 4.2. We distinguish two cases, deending on whether v, x and v, y are both zero or whether they are both nonzero. Case 1. We first consider the case where v, x = 0 = v, y. The simulator begins by choosing random f 1, f 2, {r 1,1 }, {r 2,1 } Z N. Then for all i it comutes K 1,i = g a g q f1 vi g r 1,i = g af 1v i +r 1,i g f 1v i q K = g a g q f2 vi g r = g af 2v i +r g f 2v i q. Finally, the simulator chooses random QR G qr and comutes K = QR i g a g q f1 v i w 1,i f 2 v i w g w 1,i r 1,i w r h x i r 1,i k y i r. The simulator then hands the adversary SK v = K, {K 1,i, K } as the key. To see that this key has the correct distribution, note that by construction of the {K 1,i, K } the values f 1, f 2 are random; furthermore, the simulator imlicity sets r 1,i = r 1,i + af 1 v i r = r + af 2 v i, which are uniformly distributed as well. Looking at K, the rojection of K in G as in the roof in the revious section, we see that K = i = i g af 1v i w 1,i af 2 v i w g w 1,i r 1,i w r h x i r 1,i k y i r h af 1x i v i k af 2y i v i g af 1v i w 1,i af 2 v i w g w 1,i r 1,i w r h x i r 1,i k y i r, using the fact that i h af 1x i v i = h af 1 i x iv i = 1 = i k af 2y i v i because v, x = 0 = v, y. Algebraic maniulation as in the revious section shows that K has the correct distribution. 15

16 Case 2. Here, we consider the case where v, x = c x 0 and v, y = c y 0. The simulator begins by choosing random f 1, f 2, {r 1,1 }, {r 2,1 } Z N. Next, for all i it comutes K 1,i = g a g q f 1 v i g ab Q 1 cy f 2 v i g r 1,i = g af 1 abc yf 2 v i+r 1,i K = g a g q cx f 2 vi g r = g ac xf 2 v i+r g c x f 2 v i q, g f 1 c ydf 2 v i q where we set d = log gq Q 1. Finally, the simulator chooses random QR G qr and comutes K = QR g ab Q 1 c xf 1 g a f g 1 v i w 1,i f 2 c xv i w q g ab Q 1 f 2 c yv i w 1,i g w 1,i r 1,i w r h x i r 1,i k y i r. i The simulator then hands the key SK v = K, {K 1,i, K } to the adversary. To see that this key has the correct distribution, note that by construction of the {K 1,i, K } the simulator imlicity sets r 1,i = r 1,i + af 1 c y abf 2 v i r = r + ac x f 2v i, as well as f 1 = f 1 c y df 2 and f 2 = c x f 2. It is clear that f 1 and the {r 1,i, r } are indeendently and uniformly distributed in Z N. The value f 2 is also uniformly distributed in Z N as long as gcdc x, N = 1. If gcdc x, N 1, then the adversary has found a non-trivial factor of N. This occurs with negligible robability under Assumtion 1. As for element K of the secret key, it is once again easy to see that the rojection of K in G qr is uniformly distributed. Looking at K, the rojection of K in G, we see that K = g abcxf 1 = i i g af 1 v iw 1,i af 2 cxv iw g abf 2 cyv iw 1,i g w 1,i r 1,i w r h x i r 1,i k y i r h ax iv i f 1 g af 1 v iw 1,i af 2 cxv iw g abf 2 cyv iw 1,i h 1,i r 1,i h r = h cxcyabf 2 h cxcyabf 2 = i i g af 2 cxv iw g abf 2 cyv iw 1,i h 1,i r 1,i av if 1 h r h x iv i c yabf 2 k cxy iv i af 2 g af 2 cxv iw g abf 2 cyv iw 1,i h 1,i r 1,i av if 1 h r = i h 1,i r 1,i av if 1 +abf 2 cyvi h r acxv if 2 = i h 1,i r 1,i h r, and so K has the right distribution. We conclude that K has the correct distribution. The challenge cihertext. The challenge cihertext is generated in a straightforward way. The 16

17 simulator chooses {R 7,i, R 8,i } G r at random, sets C 0 = g s, and comutes: C 1,i = g bs Q 2 R 2 xi g s w 1,i R 7,i = h 1,i s Q x i 2 R 7,i C = T y i g s w R 8,i = h s g ξ q yi R 8,i, where {R 7,i, R 8,i } again refer to random elements of G r whose exact values are unimortant. Analysis. By examining the rojections of the comonents of the challenge cihertext in the grous G, G q, and G r, it can be verified that when ξ is random the challenge cihertext is distributed exactly as in Game 3, whereas if ξ = 0 the challenge cihertext is distributed exactly as in Game 2. It follows that if A succeeds at distinguishing these two games then our simulator can use A to break Assumtion 1. Thus if Assumtion 1 holds, these two games are indistinguishable Comleting the Proof Our scheme is symmetric with resect to the roles of h 1,i and h. Thus, the roof that Game 3 and Game 4 are indistinguishable exactly arallels the roof given in Section that Game 2 and Game 3 are indistinguishable, while the roof that Game 4 and Game 5 are indistinguishable exactly arallels the roof given in Section that Game 1 and Game 2 are indistinguishable. This concludes the roof of Theorem Alications of Our Main Construction In this section we discuss some alications of inner-roduct redicate encrytion schemes as constructed in this aer. Our treatment here is general, and we do not rely on any secific details of our construction. Given a vector x Z l N, we denote by f x : Z l N {0, 1} the function such that f x y = 1 def iff x, y = 0 mod N. We define F l = {f x x Z l N }. An inner roduct encrytion scheme of dimension l is an attribute-hiding redicate encrytion scheme for the class of redicates F l. 5.1 Anonymous Identity-Based Encrytion As a warm-u, we show how anonymous identity-based encrytion IBE can be recovered from any inner-roduct encrytion scheme with l = 2. To generate the master ublic and secret keys for the IBE scheme, simly run the setu algorithm of the underlying inner-roduct encrytion scheme. To generate secret keys for the identity I Z N, set I := 1, I and outut the secret key for the redicate f I. To encryt a message M for the identity J Z N, set J := J, 1 and encryt the message using the encrytion algorithm of the underlying inner-roduct encrytion scheme and the attribute J. Since I, J = 0 iff I = J, correctness and security follow. 17

18 5.2 Hidden-Vector Encrytion Given a set Σ, let Σ = Σ { }. Hidden-vector encrytion HVE [14] corresonds to a redicate encrytion scheme for the class of redicates Φ hve l = {φ hve a 1,...,a l a 1,..., a l Σ }, where { φ hve 1 if, for all i, either a 1,...,a l x ai = x 1,..., x l = i or a i =. 0 otherwise A generalization of the ideas from the revious section can be used to realize hidden-vector encrytion with Σ = Z N from any inner-roduct encrytion scheme Setu, Enc, GenKey, Dec of dimension 2l: The setu algorithm is unchanged. To generate a secret key corresonding to the redicate φ hve a 1,...,a l, first construct a vector A = A 1,..., A 2l as follows: if a i : A 2i 1 := 1, A 2i := a i if a i = : A 2i 1 := 0, A 2i := 0. Then outut the key obtained by running GenKey SK f A. To encryt a message M for the attribute x = x 1,..., x l, choose random r 1,..., r l Z N and construct a vector X r = X 1,..., X 2l as follows: X 2i 1 := r i x i, X 2i := r i multilication is done modulo N. Then outut the cihertext C Enc P K X r, M. To see that correctness holds, let a 1,..., a l, A, x 1,..., x l, r, and X r be as above. Then: φ hve a 1,...,a l x 1,..., x l = 1 r : A, X r = 0 r : f A X r = 1. Furthermore, assuming gcda i x i, N = 1 for all i: [ ] [ φ hve a 1,...,a l x 1,..., x l = 0 Pr r A, X r = 0 = 1/N Pr r f A X ] r = 1 = 1/N, which is negligible. Using this fact, one can rove security of the construction as well. A straightforward modification of the above gives a scheme that is the dual of HVE, where the set of attributes is Σ l and the class of redicates is Φ hve l = { φ hve a 1,...,a l a 1,..., a l Σ} with { φ hve 1 if, for all i, either a 1,...,a l x ai = x 1,..., x l = i or x i =. 0 otherwise 5.3 Predicate Encrytion Schemes Suorting Polynomial Evaluation We can also construct redicate encrytion schemes for classes of redicates corresonding to olynomial evaluation. Let Φ oly d = {f Z N [x], deg d}, where { 1 if x = 0 mod N f x = 0 otherwise for x Z N. Given an inner-roduct encrytion scheme Setu, Enc, GenKey, Dec of dimension d+1, we can construct a redicate encrytion scheme for Φ oly d as follows: 18

19 The setu algorithm is unchanged. To generate a secret key corresonding to the olynomial = a d x d + + a 0 x 0, set := a d,..., a 0 and outut the key obtained by running GenKey SK f. To encryt a message M for the attribute w Z N, set w := w d mod N,..., w 0 mod N and outut the cihertext C Enc P K w, M. Since w = 0 iff, w = 0, correctness and security follow. The above shows that we can construct redicate encrytion schemes where redicates corresond to univariate olynomials whose degree d is olynomial in the security arameter. This can be generalized to the case of olynomials in t variables, and degree at most d in each variable, as long as d t is olynomial in the security arameter. We can also construct schemes that are the dual of the above, in which attributes corresond to olynomials and redicates involve the evaluation of the inut olynomial at some fixed oint. 5.4 Disjunctions, Conjunctions, and Evaluating CNF and DNF Formulas Given the olynomial-based constructions of the revious section, we can fairly easily build redicate encrytion schemes for disjunctions of equality tests. For examle, the redicate OR I1,I 2, where OR I1,I 2 x = 1 iff either x = I 1 or x = I 2, can be encoded as the univariate olynomial x = x I 1 x I 2, which evaluates to 0 iff the relevant redicate evaluates to 1. Similarly, the redicate OR I1,I 2, where OR I1,I 2 x 1, x 2 = 1 iff either x 1 = I 1 or x 2 = I 2, can be encoded as the bivariate olynomial x 1, x 2 = x 1 I 1 x 2 I 2. Conjunctions can be handled in a similar fashion. Consider, for examle, the redicate AND I1,I 2 where AND I1,I 2 x 1, x 2 = 1 if both x 1 = I 1 and x 2 = I 2. Here, we determine the relevant secret key by choosing a random r Z N and letting the secret key corresond to the olynomial x 1, x 2 = r x 1 I 1 + x 2 I 2. Note that if AND I1,I 2 x 1, x 2 = 1 then x 1, x 2 = 0, whereas if AND I1,I 2 x 1, x 2 = 0 then, with all but negligible robability over choice of r, it will hold 2 that x 1, x 2 0. The above ideas extend to more comlex combinations of disjunctions and conjunctions, and for boolean variables this means we can handle arbitrary CNF or DNF formulas. For non-boolean variables we do not know how to directly handle negation. As ointed out in the revious section, the comlexity of the resulting scheme deends olynomially on d t, where t is the number of variables and d is the maximum degree of the resulting olynomial in each variable. 2 In general the secret key may leak the value of r, in which case the adversary will be able to find I 1, I 2 such that AND I1,I 2 I 1, I 2 1 yet I 1, I 2 = 0. However, this is not a roblem when considering the selective notion of security where the adversary must commit to I 1, I 2 at the outset of the exeriment. 19

20 5.5 Exact Thresholds We conclude with an alication that relies directly on inner-roduct encrytion. Here, we consider fuzzy IBE [31], which can be maed to the redicate encrytion framework as follows: fix a set A = {1,..., l} and let the set of attributes be all subsets of A. Predicates take the form Φ = {φ S S A} where φ S S = 1 iff S S t, i.e., S and S overla in at least t ositions. We can construct a scheme where the attribute sace is the same as before, but the class of redicates corresonds to overla in exactly t ositions. Namely, set Φ = {φ S S A} with φ S S = 1 iff S S = t. Then, given any inner-roduct encrytion scheme of dimension l + 1, we construct a scheme as follows: The setu algorithm is unchanged. To generate a secret key for the redicate φ S, first define a vector v Zl+1 N as follows: for 1 i l : v i = 1 if i S, and v i = 0 otherwise v l+1 = 1. Then outut the key obtained by running GenKey SK f v. To encryt a message M for the attribute S A, define a vector x as follows: for 1 i l: x i = 1 if i S, and x i = 0 otherwise x l+1 = t mod N. Then outut the cihertext C Enc P K x, M. Since S S = t exactly when v, x = 0, correctness and security follow. An interesting oen direction is to create the functionality that can test if S S t without revealing anything more about the size of the overla. Acknowledgments We thank Omkant Pandey and Yannis Rouselakis for ointing out a mistake in an earlier version of Theorem A.2, and the referees for their many helful comments on earlier drafts of this aer. References [1] M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi. Searchable encrytion revisited: Consistency roerties, relation to anonymous IBE, and extensions. Journal of Crytology, 213: , [2] S. Al-Riyami, J. Malone-Lee, and N. Smart. Escrow-free encrytion suorting crytograhic workflow. Intl. J. Information Security, 54: , [3] W. Bagga and R. Molva. Policy-based crytograhy and alications. In Financial Crytograhy and Data Security 2005, volume 3570 of LNCS, ages Sringer, [4] J. Bethencourt, A. Sahai, and B. Waters. Cihertext-olicy attribute-based encrytion. In IEEE Symosium on Security & Privacy, ages IEEE,