1 Introduction

Predicate encryption (PE) is an advanced form of public-key encryption that allows much flexibility. Instead of encrypting data to a target recipient, a sender specifies in a more general way who should be able to view the message. In predicate encryption for a predicate R, a sender can associate a ciphertext with a ciphertext attribute X while a private key is associated with a key attribute Y. Such a ciphertext can then be decrypted by such a key if the predicate evaluation R(X, Y) holds true.

There exist many classes of PE, each defined by specifying a corresponding class of predicates. One notable class is attribute-based encryption (ABE) [24, 38] for span programs (or equivalently, linear secret sharing schemes), whose predicate is defined over key attributes being a span program and ciphertext attributes being a set of attributes, and whose evaluation holds true if the span program accepts the set. This is called key-policy ABE (KP-ABE). There is also ciphertext-policy ABE (CP-ABE), where the roles of key and ciphertext attributes are exchanged. Another important class is doubly spatial encryption (DSE) [25], whose predicate is defined over both key and ciphertext attributes being affine subspaces, and whose evaluation holds true if both subspaces intersect. Very recently, a new important class of PE, called attribute encryption for arithmetic span programs, was defined in [28]. The authors showed that such a PE scheme is useful by demonstrating that it can be efficiently converted into ABE for arithmetic branching programs for both zero-type and non-zero-type predicates. If the scheme satisfies a certain requirement for efficiency (namely, encryption cost is at most linear in ciphertext predicate size), it is also possible to obtain a publicly verifiable delegation scheme for arithmetic branching programs, by exploiting a conversion shown in [36]. Furthermore, they gave a concrete construction of such a scheme.

Compared to specific constructions of predicate encryption [19, 21, 30–32, 40] (to name just a few) that focus on achieving more expressive predicates and/or stronger security guarantee, relations among predicate encryption schemes are much less investigated. The purpose of this paper is to improve our understanding of relations among them.

1.1 Our Results

Relations among PE. Towards the goal above, we study relations among PE and show that some of them are in fact equivalent by giving generic conversion among them. We first investigate the relation among ABE with some bounds on parameters (the size of attribute sets and the size of span programs) and DSE. We have the following results:

  • First, we show a conversion from KP-ABE (or CP-ABE) with the bounds on parameters into DSE (without key delegation, in Sect. 3). Such an implication is not straightforward in the first place. Intuitively, one reason stems from the different nature between both predicates: while DSE can be considered as an algebraic object that involves affine spaces, ABE can be seen as a somewhat more combinatorial object that involves sets (of attributes). Our approach involves some new technique for “programming” a set associated to a ciphertext and a span program associated to a private key in the KP-ABE scheme so that they can emulate the relation for doubly spatial encryption.

  • We then extend the result of [25], which showed that DSE implies CP/KP-ABE with large universes. We provide a new conversion from DSE (without delegation) to non-monotonic CP/KP-ABE with large universes (in Sect. 4). We note that the resulting schemes obtained by the above conversions have some bounds on parameters. In the conversion, we extensively use a special form of polynomial introduced in [29] and carefully design a matrix so that DSE can capture a relation for ABE.

Somewhat surprisingly, by combining the above results, we obtain generic conversions that can boost the functionality of (bounded) ABE: from monotonic to non-monotonic, and from small-universe to large-universe; moreover, we also obtain conversions which transform ABE to its dual (key-policy to ciphertext-policy, and vice versa). This implies that they are essentially equivalent in some sense. See Fig. 1 for the details.

Fig. 1. Relations among predicate encryption primitives. In this figure, arrows indicate conversions that transform the primitive of the starting point to that of the end point. The red arrows indicate our results in this paper. For ABE, ‘mono’ and ‘non-mono’ indicate whether it is monotonic or non-monotonic, while ‘small’ and ‘large’ indicate whether the attribute universes are large (i.e., exponentially large) or small (i.e., polynomially bounded). \((\bar{k},\bar{\ell },\bar{m},\varphi )\) specify bounds on size of sets of attributes and span programs. See Sect. 2.1 for details. As a result, primitives inside each dashed box are all equivalent in the sense there is a conversion between each pair (Color figure online).

So far, we have considered ABE schemes with bounds on parameters, especially on the size of span programs. We then proceed to investigate relation among ABE schemes without bounds on the size of span programs (but with a bound on the size of attribute sets) and ABE for arithmetic span programs recently introduced and studied by Ishai and Wee [28]. We call the latter key-policy ABE for arithmetic span programs (KASP), since in the latter, a ciphertext is associated with a vector while a private key is associated with an arithmetic span program which specifies a policy. By exchanging key and ciphertext attribute, we can also define ciphertext-policy version of ABE for arithmetic span program (CASP). We have the following results:

  • We show that monotonic KP-ABE with small universe (without bound on the size of span programs) can be converted into KASP (in Sect. 5). The idea for the conversion is similar to that in Sect. 3.

  • In the full version of the paper [4], we also investigate the converse direction. In fact, we show somewhat stronger result. That is, KASP can be converted into non-monotonic KP-ABE with large universe, which trivially implies monotonic KP-ABE with small universe. The idea for the conversion is similar to that in Sect. 4.

Given the above results, we have all of the following are equivalent: monotonic KP-ABE with small universe, non-monotonic KP-ABE with large universe, and KASP. Similar implications hold for the case of CP-ABE and CASP. However, we do not have a conversion from KP-ABE to CP-ABE in this case. Again, see Fig. 1 for the details.

Direct Applications: New Instantiations. By applying our conversions to existing schemes, we obtain many new instantiations. Most of them have new properties that were not achieved before. These include

  • the first DSE with constant-size public key,

  • the first DSE with constant-size ciphertexts,

  • the first DSE with constant-size private keys,

  • the first non-monotonic, large-universe CP-ABE with constant-size ciphertexts,

  • the first non-monotonic, large-universe KP-ABE with constant-size keys,

  • the first KASP, CASP with constant-size public key,

  • the first KASP, CASP with adaptive security and unbounded multi-use,

  • the first KASP with constant-size ciphertexts,

  • the first CASP with constant-size keys,

which together offer various compactness tradeoffs. Previously, all DSE schemes require linear (or more) sizes in all parameters [14, 17, 25]. Previous CP-ABE with constant-size ciphertexts [12, 13, 18, 20] can only deal with threshold or even more limited expressiveness. As for KP-ABE, to the best of our knowledge, there were no constructions with constant-size keys. Previous KASP and CASP [16, 28] require linear sizes in all parameters. Moreover, the adaptively secure schemes [16] support only attribute one-use. See Sect. 6 and tables therein for our instantiations and comparisons.

Application to Attribute-Based Signatures. Our technique is also useful in the settings of attribute-based signatures (ABS) [33, 34]. We first define a notion that we call predicate signature (PS) which is a signature analogue of PE. Then, we construct a specific PS scheme with constant-size signatures such that a signature is associated with a set of attributes while a private key is associated with a policy (or monotone span programs). This is in some sense a dual notion of ordinary ABS in which a signature is associated with a policy and a private key with a set. By using the technique developed in the above, we can convert the PS scheme into an ABS scheme. As a result, we obtain the first ABS scheme with constant-size signatures. Previous ABS schemes with constant-size signatures [12, 26] only support threshold or more limited policies.

Finally, we remark that although our conversions are feasible, they often introduce polynomial-size overheads to some parameters. Thus, in most cases, above schemes obtained by the conversions should be seen as feasibility results in the sense that they might not be totally efficient. As a future direction, it would be interesting to construct more efficient schemes directly.

1.2 Related Works

There are several previous works investigating relations among PE primitives. In [23], a black box separation between threshold predicate encryption (fuzzy IBE) and IBE was shown. They also rule out certain natural constructions of PE for \(\mathbf {NC}^1\) from PE for \(\mathbf {AC}^0\). In [15], it was shown that hierarchical inner product encryption is equivalent to spatial encryption, which is a special case of doubly spatial encryption.

[22] showed a generic conversion from KP-ABE supporting threshold formulae to CP-ABE supporting threshold formulae. Their result and ours are incomparable. Our KP-ABE to CP-ABE conversion requires the original KP-ABE to support monotone span programs, which is a stronger requirement than [22]. On the other hand, the resulting scheme obtained by our conversion supports non-monotone span programs, which is a wider class than threshold formulae. Thus, by applying our conversion, we can obtain new schemes (such as CP-ABE supporting non-monotone span programs with constant-size ciphertext) that are not possible to obtain by the conversion of [22].

In recent works [2, 6], it is shown that PE satisfying certain specific template can be converted into PE for its dual predicate. In particular, it yields KP-ABE-to-CP-ABE conversion. Again, their result and ours are incomparable. On the one hand, schemes obtained from their conversion are typically more efficient than ours. On the other hand, their conversion only works for schemes with the template while our conversion is completely generic. Furthermore, since they essentially exchange key and ciphertext components in the conversion, the size of keys and ciphertexts are also exchanged. For example, if we start from KP-ABE with constant-size ciphertexts, they obtain CP-ABE with constant-size private keys while we obtain CP-ABE with constant-size ciphertexts.

We also remark that in the settings where PE for general circuit is available, we can easily convert any KP-ABE into CP-ABE by using universal circuits as discussed in [19, 21]. However, in the settings where only PE for span programs is available, this technique is not known to be applicable. We note that all existing PE schemes for general circuits [9, 19, 21] are quite inefficient and based on strong assumptions (e.g., existence of secure multi-linear map or hardness of certain lattice problems for an exponential approximation factor). In [7], in the context of quantum computation, Belovs studies a span program that decides whether two spaces intersect or not. The problem and its solution considered there is very similar to that in Sect. 3 of our paper. However, he does not consider application to cryptography and the result is not applicable to our setting immediately since the syntax of span programs is slightly different.

Concurrent and Independent Work. Concurrently and independently of our work, Agrawal and Chase [1] show a specific construction of a CP-ABE scheme with constant-size ciphertexts. Compared to our CP-ABE scheme with constant-size ciphertexts, which is obtained by our conversion, their scheme only supports monotone access structures over a large universe, whereas our scheme supports non-monotonic access structures over a large universe. Furthermore, we can obtain an adaptively secure scheme whereas their scheme is only selectively secure. On the other hand, their scheme has shorter keys.

2 Preliminaries

Notation. Throughout the paper, p denotes a prime number. We will treat a vector as a column vector, unless stated otherwise. For a vector \(\mathbf {a}\in \mathbb {Z}_p^n\), \(\mathbf {a}[i] \in \mathbb {Z}_p\) represents the i-th element of the vector. Namely, \(\mathbf {a}= (\mathbf {a}[1],\ldots , \mathbf {a}[n])^\top \). For \(\mathbf {a}, \mathbf {b}\in \mathbb {Z}_p^n\), we denote their inner product as \(\langle \mathbf {a}, \mathbf {b}\rangle = \mathbf {a}^{\top } \mathbf {b}= \sum ^{n}_{i=1} \mathbf {a}[i]\cdot \mathbf {b}[i]\). We denote by \(\mathrm {e}_i\) the i-th unit vector: its i-th component is one, all others are zero. \(\mathbf {I}_n\) and \(\mathbf {0}_{n\times m}\) represent an identity matrix in \(\mathbb {Z}_p^{n\times n}\) and zero matrix in \(\mathbb {Z}_p^{n\times m}\) respectively. We also define \(\mathbf {1}_{n} = (1,1,\ldots , 1)^\top \in \mathbb {Z}_p^n\) and \(\mathbf {0}_n = \mathbf {0}_{n\times 1}\). We often omit the subscript if it is clear from the context. We denote by [a, b] the set \(\{a,a+1,\ldots , b\}\) for \(a,b \in \mathbb {Z}\) such that \(a\le b\) and [b] denotes [1, b]. For a matrix \(\mathbf {X}\in \mathbb {Z}_p^{n\times d}\), \(\mathrm {span}(\mathbf {X})\) denotes a linear space \(\{\mathbf {X}\cdot \mathbf {u}| \mathbf {u}\in \mathbb {Z}_p^d \}\) spanned by columns of \(\mathbf {X}\). For matrices \(\mathbf {A}\in \mathbb {Z}_p^{n_1\times m}\) and \(\mathbf {B}\in \mathbb {Z}_p^{n_2 \times m}\), \([\mathbf {A};\mathbf {B}]\in \mathbb {Z}_p^{(n_1 + n_2)\times m}\) denotes \([\mathbf {A}^{\top },\mathbf {B}^{\top }]^{\top }\) i.e., the vertical concatenation of them.

2.1 Definition of Predicate Encryption

Here, we define the syntax of predicate encryption. We emphasize that we do not consider attribute hiding in this paper.

Syntax. Let \(R= \{R_N: A_N \times B_N \rightarrow \{0,1\} \ |\ N\in \mathbb {N}^c\}\) be a relation family where \(A_N\) and \(B_N\) denote “ciphertext attribute” and “key attribute” spaces and c is some fixed constant. The index \(N=(n_1,n_2,\ldots ,n_c)\) of \(R_N\) denotes the numbers of bounds for corresponding parameters. A predicate encryption (PE) scheme for R is defined by the following algorithms:

  • \(\mathsf{Setup}(\lambda , N)\rightarrow (\mathsf {mpk}, \mathsf {msk})\): The setup algorithm takes as input a security parameter \(\lambda \) and an index N of the relation \(R_N\) and outputs a master public key \(\mathsf {mpk}\) and a master secret key \(\mathsf {msk}\).

  • \(\mathsf{Encrypt} (\mathsf {mpk}, \mathsf {M},X)\rightarrow C\): The encryption algorithm takes as input a master public key \(\mathsf {mpk}\), the message \(\mathsf {M}\), and a ciphertext attribute \(X \in A_N\). It will output a ciphertext C.

  • \(\mathsf{KeyGen}(\mathsf {msk}, \mathsf {mpk}, Y)\rightarrow \mathsf {sk}_Y\): The key generation algorithm takes as input the master secret key \(\mathsf {msk}\), the master public key \(\mathsf {mpk}\), and a key attribute \(Y \in B_N\). It outputs a private key \(\mathsf {sk}_Y\).

  • \(\mathsf{Decrypt}(\mathsf {mpk},C, X, \mathsf {sk}_Y, Y)\rightarrow \mathsf {M}\ or \bot \): We assume that the decryption algorithm is deterministic. The decryption algorithm takes as input the master public key \(\mathsf {mpk}\), a ciphertext C, ciphertext attribute \(X\in A_N\), a private key \(\mathsf {sk}_Y\), and private key attribute Y. It outputs the message \(\mathsf {M}\) or \(\bot \) which represents that the ciphertext is not in a valid form.

We refer to [2, 4] for the (standard) definitions of correctness and security of PE.

2.2 (Arithmetic) Span Program, ABE, and Doubly Spatial Encryption

Definition of Span Program. Let \(\mathcal {U}=\{u_1,\ldots , u_t \}\) be a set of variables. For each \(u_i\), denote \(\lnot u_i\) as a new variable. Intuitively, \(u_i\) and \(\lnot u_i\) correspond to positive and negative attributes, respectively. Also let \(\mathcal {U}'=\{\lnot u_1,\ldots , \lnot u_t \}\). A span program over \(\mathbb {Z}_p\) is specified by a pair \((\mathbf {L}, \rho )\) of a matrix and a labelling function where

$$\begin{aligned} \mathbf {L}\in \mathbb {Z}_p^{\ell \times m} \qquad \qquad \qquad \qquad \rho : [\ell ] \rightarrow \mathcal {U} \cup \mathcal {U}' \end{aligned}$$

for some integer \(\ell ,m\). Intuitively, the map \(\rho \) labels row i with attribute \(\rho (i)\).

A span program accepts or rejects an input by the following criterion. For an input \(\delta \in \{0,1\}^t\), we define the sub-matrix \(\mathbf {L}_{\delta }\) of \(\mathbf {L}\) to consist of the rows whose labels are set to 1 by the input \(\delta \). That is, it consists of either rows labelled by some \(u_i\) such that \(\delta _i=1\) or rows labelled by some \(\lnot u_i\) such that \(\delta _i = 0\). We say that

$$\begin{aligned} ( \mathbf {L},\rho )\text { accepts }\delta \ \text {iff}\ (1,0,\ldots ,0)\text { is in the row span of }\mathbf {L}_{\delta }\text {. } \end{aligned}$$

We can write this also as \(\mathrm {e}_1 \in \mathrm {span}(\mathbf {L}_{\delta }^{\top })\). A span program is called monotone if the labels of the rows consist of only the positive literals, in \(\mathcal {U}\).

Key-Policy and Ciphertext-Policy Attribute-Based Encryption. Let \(\mathcal {U}\) be the universe of attributes. We define a relation \(R^{\mathsf {KP}}\) on any span programs \((\mathbf {L},\rho )\) over \(\mathbb {Z}_p\) and any sets of attributes \(S \subseteq \mathcal {U}\) as follows. For \(S \subseteq \mathcal {U}\), we define \(\delta \in \{ 0,1 \}^t\) as an indicator vector corresponding to S. Namely, \(\delta _i= 1\) if \(u_i\in S\) and \(\delta _i =0\) if \(u_i \not \in S\). We define

$$\begin{aligned} R^{\mathsf {KP}}(S,(\mathbf {L},\rho ))=1&\ \text {iff} \ (\mathbf {L},\rho ) \text { accepts } \delta . \end{aligned}$$

Similarly, \(R^{\mathsf {CP}}\) is defined as \(R^{\mathsf {CP}}((\mathbf {L},\rho ),S)=1\) iff \((\mathbf {L},\rho )\) accepts \(\delta \).

A KP-ABE scheme may require some bounds on parameters: we denote

$$\begin{aligned} \bar{k}&= \text { the maximum size of }k\text { (the size of attribute set }S\text {)}, \\ \bar{\ell }&= \text { the maximum size of }\ell \text { (the number of rows of }\mathbf {L}\text {)}, \\ \bar{m}&= \text { the maximum size of }m\text { (the number of columns of }\mathbf {L}\text {)}, \\ \varphi&= \text { the maximum size of allowed repetition in } \{\rho (1),\ldots , \rho (\ell )\}. \end{aligned}$$

These bounds define the index \(N=(\bar{k},\bar{\ell },\bar{m},\varphi )\) for the predicate family. When there is no restriction on corresponding parameter, we represent it by “\(-\)” such as \((\bar{k},-,-,-)\). We define \(A_N\) and \(B_N\) as the set of all attribute sets and the set of all span programs whose sizes are restricted by N, respectively. KP-ABE is a predicate encryption for \(R^{\mathsf {KP}}_N: A_N\times B_N \rightarrow \{0,1\}\), where \(R^{\mathsf {KP}}_N\) is restricted on N in a natural manner. CP-ABE is defined dually with \(A_N\) and \(B_N\) swapped.

Let \(t:=|\mathcal {U}|\). We say the scheme supports small universe if t is polynomially bounded and large universe if t is exponentially large. The scheme is monotonic if span programs are restricted to be monotone, and non-monotonic otherwise.

Attribute-Based Encryption for Arithmetic Span Programs [28]. In this predicate, the index N for the family is specified by an integer n. We call it the dimension of the scheme. We define \(A_N=\mathbb {Z}_p^n\). An arithmetic span program of dimension n is specified by a tuple \((\mathbf {Y},\mathbf {Z},\rho )\) of two matrices \(\mathbf {Y}, \mathbf {Z}\in \mathbb {Z}_p^{m \times \ell }\) and a map \(\rho : [\ell ] \rightarrow [n]\), for some integers \(\ell , m\). There is no restriction on \(\ell \) and m. If \(\rho \) is restricted to injective, we say that the scheme supports only attribute one-use. Otherwise, if there is no restriction on \(\rho \), we say that it is unbounded multi-use. We let \(B_N\) be the set of all arithmetic span programs of dimension n. We then define

$$\begin{aligned} R^{\mathsf {KASP}}_N(\mathrm {x}, (\mathbf {Y},\mathbf {Z},\rho ))=1 \text { iff }\mathrm {e}_1 \in \text {span}\{ \mathrm {x}[\rho (j)]\cdot \mathrm {y}_j +\mathbf {z}_j \}_{j\in [\ell ]} , \end{aligned}$$

where here \(\mathrm {e}_1 = (1,0,\ldots ,0)^\top \in \mathbb {Z}_p^m\) and \(\mathrm {x}[\rho (j)]\) is the \(\rho (j)\)-th term of \(\mathrm {x}\), while \( \mathrm {y}_j\) and \(\mathbf {z}_j\) are the j-th column of \(\mathbf {Y}\) and \(\mathbf {Z}\) respectively. We call predicate encryption for \(R^{\mathsf {KASP}}\) key-policy attribute-based encryption for arithmetic span program (KASP). Ciphertext-policy ASP (CASP) can be defined dually with \(A_N\) and \(B_N\) swapped.

Doubly Spatial Encryption. In this predicate, the index N for the family is specified by an integer n (the dimension of the scheme). We define the domains as \(A_N = B_N= \mathbb {Z}_p^n \times (\cup _{0 \le d\le n} \mathbb {Z}_p^{n\times d})\). We define

$$\begin{aligned} R^{\mathsf {DSE}}_N\bigl ( (\mathrm {x}_0,\mathbf {X}),(\mathrm {y}_0, \mathbf {Y}) \bigr )=1\text { iff }\bigl ( \mathrm {x}_0+ \mathrm {span}(\mathbf {X})\bigr ) \cap \bigl ( \mathrm {y}_0 + \mathrm {span}(\mathbf {Y}) \bigr ) \ne \emptyset . \end{aligned}$$

Doubly spatial encryption is PE for relation \(R^{\mathsf {DSE}}_N\) equipped with additional key delegation algorithm. The key delegation algorithm takes a private key for some affine space as an input and outputs a private key for another affine space, which is a subset of the first one. We require that the distribution of a key obtained by the delegation is the same as that of a key directly obtained by the key generation algorithm. We refer to [4, 17] for the formal definition.
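The three relations defined in this section (span-program acceptance for \(R^{\mathsf {KP}}\), \(R^{\mathsf {KASP}}\), and \(R^{\mathsf {DSE}}\)) all reduce to a span-membership test over \(\mathbb {Z}_p\). The following Python sketch is an added example, not code from the paper; the prime, the sample policies and all function names are assumptions made for illustration.

```python
"""R^KP (span-program acceptance), R^KASP and R^DSE evaluated over Z_p.

Vectors are Python lists. Matrices whose columns matter (X, Y, Z) are passed
as lists of columns. P and every sample input below are constructed.
"""
P = 101  # small demo prime (assumption; real schemes use a cryptographic p)


def rank_mod_p(rows, p=P):
    """Rank over Z_p of the matrix whose rows are `rows` (Gauss-Jordan)."""
    m = [[x % p for x in r] for r in rows]
    ncols = len(m[0]) if m else 0
    rank = 0
    for c in range(ncols):
        piv = next((r for r in range(rank, len(m)) if m[r][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][c], -1, p)          # modular inverse (Python 3.8+)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][c]:
                f = m[r][c]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def in_span(vectors, target, p=P):
    """True iff `target` is a Z_p-linear combination of `vectors`."""
    return rank_mod_p(vectors + [target], p) == rank_mod_p(vectors, p)


def e1(m):
    return [1] + [0] * (m - 1)


def span_program_accepts(L, rho, S, p=P):
    """R^KP: (L, rho) accepts the indicator vector of the attribute set S.

    rho[i] = (u, True) labels row i with u, (u, False) labels it with "not u".
    L_delta keeps rows labelled u with u in S and rows labelled not-u with
    u outside S; acceptance means e_1 lies in the row span of L_delta.
    """
    selected = [row for row, (u, positive) in zip(L, rho)
                if (u in S) == positive]
    return in_span(selected, e1(len(L[0])), p)


def kasp_relation(x, Y_cols, Z_cols, rho, p=P):
    """R^KASP: e_1 in span{ x[rho(j)] * y_j + z_j }; rho is 1-indexed."""
    vecs = [[(x[rho[j] - 1] * y + z) % p
             for y, z in zip(Y_cols[j], Z_cols[j])]
            for j in range(len(rho))]
    return in_span(vecs, e1(len(Y_cols[0])), p)


def dse_relation(x0, X_cols, y0, Y_cols, p=P):
    """R^DSE: (x0 + span X) and (y0 + span Y) intersect.

    x0 + X a = y0 + Y b has a solution iff y0 - x0 lies in span([X | Y]).
    """
    diff = [(b - a) % p for a, b in zip(x0, y0)]
    return in_span(list(X_cols) + list(Y_cols), diff, p)


# Constructed monotone policy (A AND B) OR C.
MONO_L = [[1, 1], [0, -1], [1, 0]]
MONO_RHO = [("A", True), ("B", True), ("C", True)]
# Constructed non-monotone policy A AND (NOT B).
NONMONO_L = [[1, 1], [0, -1]]
NONMONO_RHO = [("A", True), ("B", False)]

if __name__ == "__main__":
    print(span_program_accepts(MONO_L, MONO_RHO, {"A", "B"}))
    print(span_program_accepts(NONMONO_L, NONMONO_RHO, {"A", "B"}))
    # Arithmetic span program with the single vector (1, x[1]): zero test.
    print(kasp_relation([0], [[0, 1]], [[1, 0]], [1]))
    # Two lines in Z_p^3 that meet at (5, 2, 3).
    print(dse_relation([1, 2, 3], [[1, 0, 0]], [5, 2, 7], [[0, 0, 1]]))
```
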

2.3 Embedding Lemma for PE

The following useful lemma from [10] describes a sufficient criterion for implication from PE for a given predicate to PE for another predicate. The lemma is applicable to any relation family.

We consider two relation families:

$$\begin{aligned} R^{\mathsf {F}}_N :A_N \times B_N \rightarrow \{ 0,1 \}, \qquad \qquad R^{\mathsf {F}'}_{N'}: A'_{N'} \times B'_{N'} \rightarrow \{ 0,1 \}, \end{aligned}$$

which are parametrized by \(N\in \mathbb {N}^c\) and \(N'\in \mathbb {N}^{c'}\) respectively. Suppose that there exist three efficient mappings

$$\begin{aligned} f_{\mathsf {p}}: \mathbb {Z}^{c'} \rightarrow \mathbb {Z}^{c} \qquad \qquad f_{\mathsf {e}}: A'_{N'} \rightarrow A_{f_{\mathsf {p}}(N')} \qquad \quad f_{\mathsf {k}}: B'_{N'} \rightarrow B_{f_{\mathsf {p}}(N')} \end{aligned}$$

which map parameters, ciphertext attributes, and key attributes, respectively, such that for all \(X'\in A'_{N'},Y'\in B'_{N'}\),

$$\begin{aligned} R^{\mathsf {F}'}_{N'}(X',Y')=1 \Leftrightarrow R^{\mathsf {F}}_{f_{\mathsf {p}}(N')}(f_{\mathsf {e}}(X'),f_{\mathsf {k}}(Y') )=1. \end{aligned} \tag{1}$$

We can then construct a PE scheme \(\varPi '=\{\mathsf{Setup}',\mathsf{Encrypt}', \mathsf{KeyGen}', \mathsf{Decrypt}' \}\) for predicate \(R^{\mathsf {F}'}_{N'}\) from a PE scheme \(\varPi =\{\mathsf{Setup}, \mathsf{Encrypt}, \mathsf{KeyGen}, \mathsf{Decrypt} \}\) for predicate \(R^{\mathsf {F}}_N\) as follows. Let \(\mathsf{Setup}'(\lambda ,N')=\mathsf{Setup}(\lambda , f_{\mathsf {p}}(N'))\) and

$$\begin{aligned} \mathsf{Encrypt}' (\mathsf {mpk},\mathsf {M},X')&= \mathsf{Encrypt}(\mathsf {mpk}, \mathsf {M}, f_{\mathsf {e}}(X')), \\ \mathsf{KeyGen}'(\mathsf {msk}, \mathsf {mpk}, Y')&= \mathsf{KeyGen}( \mathsf {msk}, \mathsf {mpk}, f_{\mathsf {k}}(Y')), \end{aligned}$$

and \(\mathsf{Decrypt}'(\mathsf {mpk}, C, X', \mathsf {sk}_{Y'}, Y') = \mathsf{Decrypt}(\mathsf {mpk}, C, f_{\mathsf {e}}(X'), \mathsf {sk}_{Y'}, f_{\mathsf {k}}(Y'))\).

Lemma 1

(Embedding lemma [10]). If \(\varPi \) is correct and secure, then so is \(\varPi '\). This holds for selective security and adaptive security.

Intuitively, the forward and backward directions of Relation (1) ensure that correctness and security are preserved, respectively.

3 Conversion from ABE to DSE

In this section, we show how to construct DSE for dimension n from monotonic KP-ABE (with bounds on the size of attribute sets and span programs). We note that by simply swapping key and ciphertext attributes, we can also obtain a CP-ABE-to-DSE conversion. We first describe the conversion, then explain the intuition behind it.

3.1 The Conversion

Mapping Parameters. We map \(f^{\mathsf {DSE}\rightarrow \mathsf {KP}}_{\mathsf {p}}: n \mapsto (\bar{k},\bar{\ell },\bar{m},\psi )\) where

$$\begin{aligned} \bar{k}&= n(n+1)\kappa + 1,&\bar{\ell }&= 2(n\kappa + 1)(n+1), \\ \bar{m}&= (n\kappa + 1)(n+1)+1,&\psi&= 2(n+1), \end{aligned}$$

where we define \(\kappa := \lceil \log _2 p \rceil \). Moreover, we set the universe \(\mathcal {U}\) as follows.

$$\begin{aligned} \mathcal {U}=\Big \{\ \mathsf {Att}[i][j][k][b]\ \Big |\ (i,j,k,b)\in [0,n]\times [1,n] \times [1,\kappa ] \times \{0,1\} \Big \} \cup \{ \mathsf {D}\}, \end{aligned}$$

where \(\mathsf {D}\) is a dummy attribute which will be assigned for all ciphertext. Hence, the universe size is \(|\mathcal {U}|=2n(n+1)\kappa + 1\). Intuitively, \(\mathsf {Att}[i][j][k][b]\) represents an indicator for the condition “the k-th least significant bit of the binary representation of the j-th element of the vector \(\mathrm {x}_i\) is \(b \in \{0,1\}\)”.

Mapping Ciphertext Attributes. For \(\mathrm {x}_0 \in \mathbb {Z}_p^n\) and \(\mathbf {X}=[\mathrm {x}_1,\ldots , \mathrm {x}_{d_1}] \in \mathbb {Z}_p^{n\times d_1}\) such that \(d_1\le n\), we map \(f^{\mathsf {DSE}\rightarrow \mathsf {KP}}_{\mathsf {e}}: (\mathrm {x}_0, \mathbf {X}) \mapsto S\) where

$$\begin{aligned} S=\Bigl \{\ \mathsf {Att}[i][j][k][b] \ \Big |\ (i,j,k)\in [0,d_1]\times [1,n] \times [1,\kappa ],\ b = \mathrm {x}_i[j][k]\ \Big \} \cup \{ \mathsf {D}\}. \end{aligned}$$

Here, we define \(\mathrm {x}_i[j][k] \in \{ 0,1 \}\) so that they satisfy

$$\begin{aligned} \mathrm {x}_i[j] = \sum ^{\kappa }_{k=1}2^{k -1}\cdot \mathrm {x}_i[j][k]. \end{aligned}$$

Namely, \(\mathrm {x}_i[j][k]\) is the k-th least significant bit of the binary representation of \(\mathrm {x}_i[j]\).

Mapping Key Attributes. For \(\mathrm {y}_0 \in \mathbb {Z}_p^n\) and \(\mathbf {Y}= [\mathrm {y}_1,\ldots , \mathrm {y}_{d_2}] \in \mathbb {Z}_p^{n\times d_2}\) such that \(d_2 \le n\), we map \(f^{\mathsf {DSE}\rightarrow \mathsf {KP}}_{\mathsf {k}}:(\mathrm {y}_0,\mathbf {Y}) \mapsto (\mathbf {L},\rho )\) as follows. Let the numbers of rows and columns of \(\mathbf {L}\) be

$$\begin{aligned} \ell&=(2n\kappa +1)(n+1) +d_2 +1,&m&= (n\kappa + 1)(n+1)+ 1, \end{aligned}$$

respectively. We then define

$$\begin{aligned} \mathbf {L}= \begin{pmatrix} \mathrm {e}_1 &{} \mathrm {e}_{1} + \mathrm {e}_{d_2 + 2} &{} \mathrm {y}_0^\top \\ &{} &{} \mathbf {Y}^{\top } &{} &{} &{} &{} \\ &{} &{} \mathbf {E}&{}\mathbf {J}&{} &{} &{} \\ &{} &{} \mathbf {E}&{} &{}\mathbf {J}&{} &{}\\ &{} &{}\vdots &{} &{} &{} \ddots &{} \\ &{} &{} \mathbf {E}&{} &{} &{} &{} \mathbf {J}\end{pmatrix} \in \mathbb {Z}_p^{ \ell \times m}, \end{aligned} \tag{2}$$

in which each of the sub-matrices \(\mathbf {E}\) and \(\mathbf {J}\) appears \(n+1\) times, where we define

(3)

where \(\mathrm {g}= (0,1,0,2,\ldots ,0,2^{i},\ldots ,0,2^{\kappa -1})^{\top }\in \mathbb {Z}_p^{2\kappa }\).

Next, we define the map \(\rho : [1, \ell ]\rightarrow \mathcal {U}\) as follows.

  • If \(i\le d_2 + 1\), we set \(\rho (i):= \mathsf {D}\).

  • Else, we have \(i\in [d_2+2, \ell ]\). We then write

    $$\begin{aligned} i = (d_2+1) + (2n\kappa +1) i'+i'' \end{aligned}$$

    with a unique \(i'\in [0,n+1]\) and a unique \(i'' \in [0,2n\kappa ]\).

    • If \(i''=0\), we again set \(\rho (i)= \mathsf {D}\).

    • Else, we have \(i'' \in [1,2n\kappa ]\). We then write

      $$\begin{aligned} i'' = 2\kappa j'+ 2k' + b' +1 \end{aligned}$$

      with unique \(j'\in [0,n-1]\), \(k' \in [0,\kappa -1]\), and \(b'\in \{0,1\}\). We finally set

      $$\begin{aligned} \rho (i)=\mathsf {Att}[i'][j'+1][k'+1][b']. \end{aligned}$$

Intuition. We explain the intuition behind the conversion. S can be seen as a binary representation of the information of \((\mathrm {x}_0, \mathbf {X})\). In the span program \((\mathbf {L},\rho )\), \(\mathbf {E}\) is used to reproduce the information of \((\mathrm {x}_0,\mathbf {X})\) in the matrix while \(\mathbf {J}\) is used to constrain the form of linear combination among rows to a certain form. In some sense, the role of the lower part of the matrix \(\mathbf {L}\) (the last \((2n\kappa +1)(n+1)\) rows) is similar to a universal circuit while the upper part of the matrix contains the information of \((\mathrm {y}_0, \mathbf {Y})\).
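The combinatorial part of the conversion (the parameter map, the bit-decomposition map from \((\mathrm {x}_0, \mathbf {X})\) to S, and the labelling \(\rho \)) can be exercised directly. The Python sketch below is an added example, not code from the paper; function names and sample values are assumptions. It builds only S, \(\rho \) and the selected row set \(I=\{i \mid \rho (i)\in S\}\) used in the proof of Theorem 1, not the matrix \(\mathbf {L}\) itself.

```python
"""Parameter, ciphertext-attribute and labelling maps of the DSE -> KP-ABE
conversion. Attributes are tuples ("Att", i, j, k, b) plus the dummy "D".
All sample inputs used with these functions are constructed."""

D = "D"  # dummy attribute assigned to every ciphertext


def kappa(p):
    """kappa = ceil(log2 p), computed exactly with integers."""
    return (p - 1).bit_length()


def f_p(n, p):
    """Parameter map n -> (k_bar, l_bar, m_bar, psi)."""
    k = kappa(p)
    return {
        "k_bar": n * (n + 1) * k + 1,
        "l_bar": 2 * (n * k + 1) * (n + 1),
        "m_bar": (n * k + 1) * (n + 1) + 1,
        "psi": 2 * (n + 1),
    }


def f_e(x0, X_cols, p):
    """Ciphertext-attribute map (x0, X) -> S.

    X_cols is the list of columns x_1..x_{d1}. For each vector x_i, entry j
    and bit position k, S holds the one attribute whose b equals the k-th
    least significant bit of x_i[j].
    """
    S = {D}
    for i, xi in enumerate([x0] + list(X_cols)):
        for j, val in enumerate(xi, start=1):
            for k in range(1, kappa(p) + 1):
                S.add(("Att", i, j, k, ((val % p) >> (k - 1)) & 1))
    return S


def decode_entry(S, i, j, p):
    """Recover x_i[j] = sum_k 2^(k-1) * x_i[j][k] from the attribute set."""
    return sum(1 << (k - 1) for k in range(1, kappa(p) + 1)
               if ("Att", i, j, k, 1) in S)


def num_rows(n, d2, p):
    """Number of rows ell of L for a key subspace of dimension d2."""
    return (2 * n * kappa(p) + 1) * (n + 1) + d2 + 1


def rho(i, n, d2, p):
    """Row label rho(i) for 1 <= i <= ell, following the case split above."""
    k = kappa(p)
    if not 1 <= i <= num_rows(n, d2, p):
        raise ValueError("row index out of range")
    if i <= d2 + 1:
        return D
    i1, i2 = divmod(i - (d2 + 1), 2 * n * k + 1)   # i', i''
    if i2 == 0:
        return D
    j1, rest = divmod(i2 - 1, 2 * k)               # j'
    k1, b1 = divmod(rest, 2)                       # k', b'
    return ("Att", i1, j1 + 1, k1 + 1, b1)


def selected_rows(S, n, d2, p):
    """I = { i : rho(i) in S }, the rows that survive in L_I."""
    return [i for i in range(1, num_rows(n, d2, p) + 1)
            if rho(i, n, d2, p) in S]


def label_counts(n, d2, p):
    """How often each label occurs among rho(1..ell)."""
    counts = {}
    for i in range(1, num_rows(n, d2, p) + 1):
        lab = rho(i, n, d2, p)
        counts[lab] = counts.get(lab, 0) + 1
    return counts
```

With n = 2, p = 5, \(d_1 = d_2 = 1\), the selected set I has 17 rows, matching \(\ell _I=(n\kappa +1)(d_1 +1) + n - d_1 +d_2 + 1\) in the proof of Theorem 1, and the dummy attribute labels 5 rows, within the repetition bound \(\psi = 6\).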

3.2 Correctness of the Conversion

We show the following theorem. The implication from KP-ABE to DSE would then follow from the embedding lemma (Lemma 1).

Theorem 1

For \(n\in \mathbb {N}\), for any \(\mathrm {x}_0 \in \mathbb {Z}_p^n\), \(\mathbf {X}\in \mathbb {Z}_p^{n\times d_1}\), \(\mathrm {y}_0 \in \mathbb {Z}_p^n\) and \(\mathbf {Y}\in \mathbb {Z}_p^{n\times d_2}\), it holds that

$$\begin{aligned} R^{\mathsf {KP}}_N(S,(\mathbf {L},\rho ))=1 \Leftrightarrow R^{\mathsf {DSE}}_n\bigl ((\mathrm {x}_0,\mathbf {X}),(\mathrm {y}_0, \mathbf {Y}) \bigr )=1 \end{aligned}$$

with \(N=f^{\mathsf {DSE}\rightarrow \mathsf {KP}}_{\mathsf {p}}(n)\), \(S=f^{\mathsf {DSE}\rightarrow \mathsf {KP}}_{\mathsf {e}}(\mathrm {x}_0,\mathbf {X})\), and \((\mathbf {L},\rho )=f^{\mathsf {DSE}\rightarrow \mathsf {KP}}_{\mathsf {k}}(\mathrm {y}_0, \mathbf {Y})\).

Proof

Define \(I\subset [\ell ]\) as \(I:=\{i | \rho (i)\in S\}\) and define \(\mathbf {L}_I\) as the sub-matrix of \(\mathbf {L}\) formed by all the rows of which index is in I. From the definition of \(f^{\mathsf {DSE}\rightarrow \mathsf {KP}}_{\mathsf {e}}\), we have that \(\mathbf {L}_I\) is in the form of

$$\begin{aligned} \mathbf {L}_I=\left( \begin{array}{cccccccccc} \mathrm {e}_1 &{} \mathrm {e}_1 + \mathrm {e}_{d_2 + 2} &{} \mathrm {y}_0^\top \\ &{} &{} \mathbf {Y}^{\top } \\ &{} &{} \mathbf {E}_0 &{}\mathbf {J}' &{} &{} &{} &{} &{} &{}\\ &{} &{} \mathbf {E}_1 &{} &{}\mathbf {J}' &{} &{} &{} &{} &{}\\ &{} &{}\vdots &{} &{} &{} \ddots &{} &{} &{} &{}\\ &{} &{} \mathbf {E}_{d_1} &{} &{} &{} &{} \mathbf {J}' &{} &{} &{}\\ &{} &{} &{} &{} &{} &{} &{}\mathbf {1}_{n\kappa }^{\top } &{} &{} \\ &{} &{} &{} &{} &{} &{} &{} &{}\ddots &{} \\ &{} &{} &{} &{} &{} &{} &{} &{} &{}\mathbf {1}_{n\kappa }^{\top } \end{array} \right) \in \mathbb {Z}_p^{\ell _I \times m_I} \end{aligned}$$

where \(\ell _I:=(n\kappa +1)(d_1 +1) + n - d_1 +d_2 + 1\) and \(m_I:=(n\kappa + 1)(n + 1)+1\) and

for \(i\in [0,d_1]\), where

$$\begin{aligned} \mathrm {g}_{i,j}=\Big ( \mathrm {x}_i[j][1],\ 2\mathrm {x}_i[j][2],\ \ldots , 2^{\kappa -1}\mathrm {x}_i[j][\kappa ] \Big )^{\top } \in \mathbb {Z}_p^{\kappa }. \end{aligned}$$

We remark that it holds that \(\langle \mathbf {1}_{\kappa }, \mathrm {g}_{i,j} \rangle =\mathrm {x}_i[j]\) by the definition of \(\mathrm {x}_i[j][k]\) and thus \(\mathbf {E}_{i}^{\top } \cdot \mathbf {1}_{n\kappa +1}=\mathrm {x}_i\) holds. We also remark that if \(\mathrm {v}^{\top } \mathbf {J}' = \mathbf {0}\) holds for some \(\mathrm {v}\in \mathbb {Z}_p^{n\kappa + 1}\), then there exists \(v \in \mathbb {Z}_p\) such that \(\mathrm {v}= v \mathbf {1}_{n\kappa + 1}\). These properties will be used later.

Proving the theorem statement is now equivalent to proving that

$$\begin{aligned} \mathrm {e}_1\in \mathrm {span}(\mathbf {L}_I^{\top })\quad \Leftrightarrow \quad \bigl ( \mathrm {x}_0+\mathrm {span}(\mathbf {X})\bigr ) \cap \bigl ( \mathrm {y}_0+ \mathrm {span}(\mathbf {Y}) \bigr ) \ne \emptyset . \end{aligned}$$

Forward Direction ( \(\Rightarrow \) ). Suppose \(\mathrm {e}_1\in \mathrm {span}(\mathbf {L}_I^{\top })\). Then, there exists \(\mathbf {u}\in \mathbb {Z}_p^{\ell _I}\) such that \(\mathbf {u}^{\top } \mathbf {L}_I = \mathrm {e}_1^{\top }\). We write \(\mathbf {u}\) as

$$\begin{aligned} \mathbf {u}^{\top }= \bigl (\underbrace{ v }_1, \underbrace{\mathrm {v}^{\top }}_{ d_2}, \underbrace{\mathbf {u}_0^{\top }}_{ n\kappa + 1}, \underbrace{\mathbf {u}_1^{\top }}_{ n\kappa + 1}, \ldots , \underbrace{\mathbf {u}_{d_1}^{\top }}_{ n\kappa + 1}, \underbrace{u_{d_1 + 1}}_{1}, \ldots , \underbrace{u_{n}}_{1} \bigr ). \end{aligned}$$

We then write

$$\begin{aligned} \mathbf {u}^{\top } \mathbf {L}_I = \bigg ( v,\ \Big (v+ \langle \mathbf {u}_0, \mathrm {e}_{1} \rangle \Big ),\ \Big (v \mathrm {y}_0^\top + \mathrm {v}^{\top }\mathbf {Y}^{\top } + \sum ^{d_1}_{i=0}\mathbf {u}_i^{\top }\mathbf {E}_i \Big ) ,\ \Big ( \mathbf {u}_0^{\top }\cdot \mathbf {J}' \Big ),\ \ldots , \\ \Big ( \mathbf {u}_{d_1}^{\top }\cdot \mathbf {J}' \Big ), \Big (u_{d_1 + 1}\mathbf {1}^{\top }_{n\kappa + 1} \Big ), \ldots , \Big (u_{n}\mathbf {1}^{\top }_{n\kappa + 1} \Big ) \bigg ) \end{aligned}$$

Since \(\mathbf {u}^{\top } \mathbf {L}_I = \mathrm {e}_1^{\top }\), we have \(u_{d_1+1}=\cdots = u_n = 0\), by comparing each element of the vector. Furthermore, since \(\mathbf {u}_i^{\top }\cdot \mathbf {J}'=\mathbf {0}\) for \(i\in [0,d_1]\), there exist \(\{ u_i\in \mathbb {Z}_p \}_{i\in [0,d_1]}\) such that \(\mathbf {u}_i = u_i \mathbf {1}_{n\kappa + 1}\). By comparing the first and the second element of the vector, we obtain \(v=1\) and \(v + \langle \mathbf {u}_0, \mathrm {e}_{1} \rangle = 1 + u_0 \langle \mathbf {1}^{\top }_{n\kappa + 1}, \mathrm {e}_{ 1 } \rangle =1+ u_0=0\). Hence, \(u_0 = -1\). Finally, we have that \(\sum ^{d_1}_{i=0}\mathbf {u}_i^{\top }\mathbf {E}_i + v\mathrm {y}_0^\top + \mathrm {v}^{\top }\mathbf {Y}^{\top } = \mathbf {0}\) and thus

$$\begin{aligned} -\sum ^{d_1}_{i=0} \mathbf {E}_i^{\top }\mathbf {u}_i = \mathrm {y}_0 + \mathbf {Y}\cdot \mathrm {v}. \end{aligned}$$

The left hand side of the equation is

$$\begin{aligned} - \sum ^{d_1}_{i=0} \mathbf {E}_i^{\top }\mathbf {u}_i&= - u_0 \mathbf {E}_0^{\top } \cdot \mathbf {1}_{n\kappa + 1} - \sum ^{d_1}_{i=1} u_i \mathbf {E}_i^{\top } \cdot \mathbf {1}_{n\kappa + 1}\\&= \mathrm {x}_0 - \sum ^{d_1}_{i=1} u_i \cdot \mathrm {x}_i \in \bigl ( \mathrm {x}_0 + \mathrm {span}(\mathbf {X})\bigr ), \end{aligned}$$

while the right hand side is \(\mathrm {y}_0 + \mathbf {Y}\cdot \mathrm {v}\in ( \mathrm {y}_0 + \mathrm {span}(\mathbf {Y}) )\). This implies that \(\bigl ( \mathrm {x}_0+\mathrm {span}(\mathbf {X})\bigr ) \cap \bigl ( \mathrm {y}_0 + \mathrm {span}(\mathbf {Y}) \bigr ) \ne \emptyset \).

Converse Direction ( \(\Leftarrow \) ). Suppose \(\bigl ( \mathrm {x}_0+\mathrm {span}(\mathbf {X})\bigr ) \cap \bigl ( \mathrm {y}_0 + \mathrm {span}(\mathbf {Y}) \bigr ) \ne \emptyset \). Hence, there exist sets \(\{ u_i\in \mathbb {Z}_p \}_{i\in [1,d_1]}\) and \(\{v_i \in \mathbb {Z}_p \}_{i\in [1,d_2]}\) such that \(\mathrm {x}_0 + \sum ^{d_1}_{i=1}u_i \mathrm {x}_i = \mathrm {y}_0 + \sum ^{d_2}_{i=1}v_i \mathrm {y}_i.\) We set a vector \(\mathbf {u}\) as

$$\begin{aligned} \mathbf {u}^{\top }= \bigl ( 1, \underbrace{v_{1},\ldots , v_{d_2}}_{d_2}, \underbrace{-\mathbf {1}^{\top }_{n\kappa + 1}, -u_1\mathbf {1}^{\top }_{n\kappa + 1}, \ldots , -u_{d_1}\mathbf {1}^{\top }_{n\kappa + 1}}_{(n\kappa +1)(d_1+1)}, \underbrace{ 0,\ldots , 0}_{n-d_1} \bigr ). \end{aligned}$$

Therefore, we have

$$\begin{aligned} \mathbf {u}^{\top } \mathbf {L}_{I}= & {} \bigg (1,\ 1-1,\ \Big (\mathrm {y}_0^\top + \sum _{i=1}^{d_2} v_i \mathrm {y}_i^{\top } - \mathbf {1}^{\top }_{n\kappa + 1}(\mathbf {E}_0 + \sum ^{d_1}_{i=1}u_i \mathbf {E}_i)\Big ),\\&\qquad \qquad \Big (-\mathbf {1}^{\top }_{n\kappa + 1}\mathbf {J}'\Big ), \Big (-u_1 \mathbf {1}^{\top }_{n\kappa + 1}\mathbf {J}'\Big ), \ldots , \Big (-u_{d_1} \mathbf {1}^{\top }_{n\kappa + 1}\mathbf {J}'\Big ),0\ldots ,0 \bigg )\\= & {} \bigg (1, 0, \Big ( \mathrm {y}_0^\top + \sum ^{d_2}_{i=1}v_i \mathrm {y}_i^{\top } \Big ) - \Big ( \mathrm {x}_0^{\top } +\sum ^{d_1}_{i=1} u_i \mathrm {x}_i^{\top } \Big ) , 0\ldots ,0 \bigg ) = \mathrm {e}_1^{\top } \end{aligned}$$

as desired. This concludes the proof of the theorem.

4 From DSE to Non-Monotonic ABE

In [25], it is shown that DSE can be converted into monotonic CP-ABE with large universe (and bounds on the size of attribute sets and span programs). In this section, we extend their result to show that non-monotonic CP-ABE with large universe and the same bounds can be constructed from DSE. We note that our transformation is very different from that of [25], even if we only consider monotonic CP-ABE, for expositional reasons. We also note that by simply swapping key and ciphertext attributes, we immediately obtain a DSE-to-non-monotonic-KP-ABE conversion. Again, we first describe the conversion and provide some intuition afterwards.

4.1 The Conversion

Mapping Parameters. We map \(f^{\mathsf {CP}\rightarrow \mathsf {DSE}}_{\mathsf {p}}:(\bar{k},\bar{\ell },\bar{m},\bar{\ell }) \mapsto n=4\bar{\ell }+\bar{m}+2\bar{k}\bar{\ell }\). We assume that the universe of attributes is \(\mathbb {Z}_p\). This restriction can be easily removed by using a collision-resistant hash function.

Mapping Ciphertext Attributes. For a span program \((\mathbf {L},\rho )\), we map \(f^{\mathsf {CP}\rightarrow \mathsf {DSE}}_{\mathsf {e}}: (\mathbf {L},\rho ) \mapsto (\mathrm {x}_0,\mathbf {X})\) as follows. Let \(\ell \times \bar{m}\) be the dimension of \(\mathbf {L}\), where \(\ell \le \bar{\ell }\). (If the number of columns is smaller, we can adjust the size by padding zeroes.) Let \(\ell _0,\ell _1\) be such that \(\ell =\ell _0+\ell _1\), and without loss of generality, we assume that the first \(\ell _0\) rows of \(\mathbf {L}\) are associated with positive attributes and the last \(\ell _1\) rows with negative attributes by the map \(\rho \). We denote \(\mathbf {L}\) as \(\mathbf {L}= [\mathbf {L}_0;\mathbf {L}_1]\) using matrices \(\mathbf {L}_0\in \mathbb {Z}_p^{\ell _0 \times \bar{m}}\) and \(\mathbf {L}_1\in \mathbb {Z}_p^{\ell _1 \times \bar{m}}\). We then define \(f^{\mathsf {CP}\rightarrow \mathsf {DSE}}_{\mathsf {e}}( \mathbf {L},\rho )=(\mathrm {x}_0,\mathbf {X})\) with

$$\begin{aligned} \mathrm {x}_0&=-\mathrm {e}_1 \in \mathbb {Z}_p^{n},&\mathbf {X}^{\top }&=\left( \begin{array}{cccccc} \mathbf {L}_0 &{} \overbrace{}^{\bar{\ell }} &{}\mathbf {G}_0 &{}&{}&{}\\ \mathbf {L}_1 &{} &{}&{}\mathbf {I}_{\ell _1}&{} \overbrace{}^{\bar{\ell } -\ell _1}&{}\\ &{}&{}&{}&{}&{} \mathbf {G}_1 \end{array} \right) \in \mathbb {Z}_p^{(\ell _0 + 2\ell _1) \times n}, \end{aligned}$$

where \(\mathbf {G}_b\in \mathbb {Z}_p^{\ell _b \times \bar{\ell }(\bar{k}+1) }\) for each \(b\in \{ 0,1 \}\) is defined as

$$\begin{aligned} \mathbf {G}_b = \left( \begin{array}{cccccc} \mathbf {p}\bigl (\rho (b \ell _0 +1)\bigr )^{\top } &{}&{}&{}&{} \overbrace{}^{(\bar{\ell }-\ell _b)(\bar{k}+1) }\\ &{} \mathbf {p}\bigl (\rho (b \ell _0 +2)\bigr )^{\top }&{}&{}\\ &{} &{} \ddots &{} \\ &{} &{} &{} \mathbf {p}\bigl (\rho (b \ell _0 +\ell _b)\bigr )^{\top } \\ \end{array} \right) \end{aligned}$$

where \(\mathbf {p}()\) is a function that takes an element of \(\mathbb {Z}_p\) or its negation (\(\{\lnot x| x\in \mathbb {Z}_p \}\)) as an input and outputs a vector \(\mathbf {p}(x)=(1,x,x^2,\ldots ,x^{\bar{k}})^{\top } \in \mathbb {Z}_p^{\bar{k}+1}\).

Mapping Key Attributes. For a set \(S=(S_1,\ldots ,S_{k})\) such that \(k\le \bar{k}\), we map \(f^{\mathsf {CP}\rightarrow \mathsf {DSE}}_{\mathsf {k}}: S \mapsto (\mathrm {y}_0, \mathbf {Y})\) where

$$\begin{aligned} \mathrm {y}_0&=\mathbf {0}_n \in \mathbb {Z}_p^n,&\mathbf {Y}^{\top }&=\left( \begin{array}{ccccc} \overbrace{}^{\bar{m}} &{} \mathbf {H} &{} \mathbf {I}_{(\bar{k}+1)\bar{\ell }} &{} &{} \\ &{} &{} &{} \mathbf {H} &{} \mathbf {I}_{(\bar{k}+1)\bar{\ell }} \end{array} \right) \in \mathbb {Z}_p^{2(\bar{k}+1)\bar{\ell } \times n }, \end{aligned}$$

where \(\mathbf {H}\) is defined as

$$\begin{aligned} \mathbf {H}= \mathbf {I}_{\bar{\ell }} \otimes \mathbf {q}_S = \begin{pmatrix} \mathbf {q}_S &{}&{}&{}\\ &{} \mathbf {q}_S &{}&{}\\ &{} &{} \ddots &{} \\ &{} &{} &{} \mathbf {q}_S \\ \end{pmatrix} \in \mathbb {Z}_p^{\bigl ( (\bar{k}+1)\bar{\ell } \bigr ) \times \bar{\ell }}, \end{aligned}$$

where \(\mathbf {q}_S=(\mathbf {q}_S[1],\ldots , \mathbf {q}_S[\bar{k}+1])^{\top }\in \mathbb {Z}_p^{\bar{k}+1}\) is defined as a coefficient vector from

$$\begin{aligned} Q_{S}[Z]= \sum ^{k+1}_{i=1}\mathbf {q}_S[i]\cdot Z^{i-1} = \prod _{i=1}^{k}(Z-S_i). \end{aligned}$$

If \(k<\bar{k}\), the coordinates \(\mathbf {q}_S[k+2],\ldots ,\mathbf {q}_S[\bar{k}+1]\) are all set to 0.

Intuition. The matrices \(\mathbf {X}\) and \(\mathbf {Y}\) constructed above can be divided into two parts. The first \(\ell _0\) rows of \(\mathbf {X}^\top \) and the first \((\bar{k}+1)\bar{\ell }\) rows of \(\mathbf {Y}^\top \) deal with positive attributes. The lower parts of \(\mathbf {X}^\top \) and \(\mathbf {Y}^\top \) deal with negation of attributes. Here, we explain how we handle negated attributes; positive attributes are handled by a similar mechanism. \(\mathbf {I}_{(\bar{k}+1)\bar{\ell }}\) in \(\mathbf {Y}^\top \) and \(\mathbf {G}_1\) in \(\mathbf {X}^\top \) restrict the linear combinations of the rows of \(\mathbf {X}^\top \) and \(\mathbf {Y}^\top \) to a certain form in order for the two affine spaces to have an intersection. As a result, we can argue that the coefficient of the i-th row of \(\mathbf {L}_1\) in the linear combination should be a multiple of \(Q_S(\rho (\ell _0+i))\). Since we have that \(Q_S(x)=0\) iff \(x\in S\) for any \(x\in \mathbb {Z}_p\), this means that the coefficient of the vector in the linear combination should be 0 if \(\rho (\ell _0+i)=\lnot \mathsf {Att}\) and \(\mathsf {Att}\in S\). This restriction is exactly what we need to emulate the predicate of non-monotonic CP-ABE.

4.2 Correctness of the Conversion

We show the following theorem. The implication from DSE to non-monotonic CP-ABE with large universe would then follow from the embedding lemma.

Theorem 2

For any span program \((\mathbf {L}\in \mathbb {Z}_p^{\ell \times m},\rho )\) such that \(\ell \le \bar{\ell }\) and \(m\le \bar{m}\) and S such that \(|S|\le \bar{k}\), let \(N=(\bar{k},\bar{\ell },\bar{m},\bar{\ell })\), we have that

$$\begin{aligned} R^{\mathsf {DSE}}_n((\mathrm {x}_0,\mathbf {X}),( \mathrm {y}_0, \mathbf {Y}))=1 \Leftrightarrow R^{\mathsf {CP}}_N(S,(\mathbf {L},\rho ))=1 \end{aligned}$$

where \(n=f^{\mathsf {CP}\rightarrow \mathsf {DSE}}_{\mathsf {p}}(N)\), \((\mathrm {x}_0,\mathbf {X}) = f^{\mathsf {CP}\rightarrow \mathsf {DSE}}_{\mathsf {e}}( \mathbf {L},\rho )\), and \(( \mathrm {y}_0, \mathbf {Y}) = f^{\mathsf {CP}\rightarrow \mathsf {DSE}}_{\mathsf {k}}( S )\).

Proof

Let \(I\subset [1,\ell ]\) be \(I = \{i |(\rho (i)=\mathsf {Att}\wedge \mathsf {Att}\in S)\vee (\rho (i)=\lnot \mathsf {Att}\wedge \mathsf {Att}\not \in S)\}\). We also let \(\mathbf {L}_I\) be the sub-matrix of \(\mathbf {L}\) formed by rows whose index is in I.

Proving the theorem statement is equivalent to proving that

$$\begin{aligned} \bigl ( \mathrm {x}_0+\mathrm {span}(\mathbf {X})\bigr ) \cap \bigl ( \mathrm {y}_0+\mathrm {span}(\mathbf {Y})\bigr ) \ne \emptyset \quad \Leftrightarrow \quad \mathrm {e}_1\in \mathrm {span}(\mathbf {L}_I^{\top }). \end{aligned}$$

Forward Direction ( \(\Rightarrow \) ). Suppose that there exist \(\mathbf {u}\in \mathbb {Z}_p^{\ell _0 + 2 \ell _1}\) and \(\mathrm {v}\in \mathbb {Z}_p^{2(\bar{k}+1)\bar{\ell }}\) such that \(\mathrm {x}^{\top }_0 + \mathbf {u}^{\top } \mathbf {X}^{\top } = \mathrm {y}_0^\top +\mathrm {v}^{\top } \mathbf {Y}^{\top }= \mathrm {v}^{\top } \mathbf {Y}^{\top }\). We denote these vectors as

$$\begin{aligned} \mathbf {u}^{\top }&=(\underbrace{\mathbf {u}^{\top }_0}_{ \ell _0},\underbrace{\mathbf {u}^{\top }_1}_{ \ell _1},\underbrace{\mathbf {u}^{\top }_2}_{ \ell _1}),&\mathrm {v}^{\top }&=( \underbrace{\mathrm {v}^{\top }_1}_{\bar{k}+1}, \ldots , \underbrace{\mathrm {v}^{\top }_{\bar{\ell }}}_{\bar{k}+1}, \underbrace{\mathbf {w}^{\top }_1}_{\bar{k}+1}, \ldots , \underbrace{\mathbf {w}^{\top }_{\bar{\ell }}}_{\bar{k}+1} ). \end{aligned}$$

Hence, \(\mathrm {x}_0^{\top }+\mathbf {u}^{\top }\mathbf {X}^{\top }\) and \(\mathrm {v}^{\top } \mathbf {Y}^{\top }\) can be written as

$$\begin{aligned} \mathrm {x}_0^{\top }+\mathbf {u}^{\top }\mathbf {X}^{\top }= & {} \Bigl ( \underbrace{-\mathrm {e}_1^{\top } +\mathbf {u}_0^{\top }\mathbf {L}_0 + \mathbf {u}_1^{\top }\mathbf {L}_1}_{\bar{m}}, \mathbf {0}_{\bar{\ell }}^\top , \underbrace{ \mathbf {u}_0[1]\cdot \mathbf {p}(\rho (1))^{\top }, \ldots , \mathbf {u}_0[\ell _0]\cdot \mathbf {p}(\rho (\ell _0))^{\top }}_{(\bar{k}+1)\ell _0}, \\&\mathbf {0}^{\top }_{(\bar{\ell }-\ell _0)(\bar{k}+1)}, \underbrace{ \mathbf {u}_1^{\top }}_{\ell _1}, \mathbf {0}^{\top }_{\bar{\ell } - \ell _1}, \\&\underbrace{\mathbf {u}_2[1]\cdot \mathbf {p}(\rho (\ell _0 +1))^{\top }, \ldots , \mathbf {u}_2[\ell _1]\cdot \mathbf {p}(\rho (\ell _0 + \ell _1))^{\top }}_{(\bar{k}+1)\ell _1}, \mathbf {0}^{\top }_{(\bar{\ell }-\ell _1)(\bar{k}+1)}\Bigr ) \end{aligned}$$
(4)

and

$$\begin{aligned} \mathrm {v}^{\top }\mathbf {Y}^{\top }= (\mathbf {0}^{\top }_{\bar{m}}, \underbrace{ \langle \mathrm {v}_1, \mathbf {q}_S \rangle , \ldots , \langle \mathrm {v}_{\bar{\ell }}, \mathbf {q}_S \rangle }_{\bar{\ell }}, \underbrace{ \mathrm {v}_1^{\top },\ldots , \mathrm {v}_{\bar{\ell }}^{\top } }_{(\bar{k}+1)\bar{\ell }}, \\ \underbrace{ \langle \mathbf {w}_{1}, \mathbf {q}_S \rangle , \ldots , \langle \mathbf {w}_{\bar{\ell }}, \mathbf {q}_S \rangle }_{\bar{\ell }}, \underbrace{ \mathbf {w}_{1}^{\top },\ldots , \mathbf {w}_{\bar{\ell }}^{\top } }_{(\bar{k}+1)\bar{\ell }}). \end{aligned}$$
(5)

First, by comparing the \(\bar{m}+\bar{\ell }+1\)-th to \(\bar{m}+ (\bar{k} +2) \bar{\ell }\)-th elements of the vector, we obtain that \(\mathrm {v}_{i} = \mathbf {u}_0[i] \cdot \mathbf {p}(\rho (i))\) for \(i\in [1,\ell _0]\) and \(\mathrm {v}_{ i}=\mathbf {0}_{\bar{k}+1}\) for \(i\in [\ell _0+1,\bar{\ell }]\). Furthermore, by comparing \(\bar{m}+1\)-th to \(\bar{m}+\bar{\ell }\)-th elements of the vector, we have

$$\begin{aligned} \langle \mathrm {v}_i, \mathbf {q}_S \rangle =\mathbf {u}_0[i] \cdot \langle \mathbf {p}(\rho (i)), \mathbf {q}_S \rangle =\mathbf {u}_0[i]\cdot Q_S\bigl ( \rho (i)\bigr )=0 \end{aligned}$$

for \(i\in [1,\ell _0]\). The second equation above follows from the definition of \(\mathbf {p}()\) and \(\mathbf {q}_S\). Since \(Q_S(\rho (i)) = \prod _{\omega \in S}(\rho (i) - \omega ) \ne 0\) if \(\rho (i) \not \in S\), we have that \(\mathbf {u}_0[i]=0\) if \(\rho (i)\not \in S\). That is, \(\mathbf {u}_0[i]=0\) for \(i\in [1,\ell _0]\backslash I \).

Next, by comparing the last \((\bar{k}+ 1)\bar{\ell }\) elements in the vector, we obtain that \(\mathbf {w}_{ i} = \mathbf {u}_2[i] \cdot \mathbf {p}(\rho (\ell _0 +i))\) for \(i\in [1,\ell _1]\) and \(\mathbf {w}_{ i}=\mathbf {0}_{\bar{k}+1}\) for \(i\in [\ell _1+1,\bar{\ell }]\). By comparing the \(\bar{m}+ (\bar{k} +2) \bar{\ell } + 1\)-th to \(\bar{m}+ (\bar{k} +3) \bar{\ell }\)-th elements in the vector, we have that \((\mathbf {u}_1^{\top }, \mathbf {0}^\top _{\bar{\ell }-\ell _1}) = (\langle \mathbf {w}_{1}, \mathbf {q}_S \rangle , \ldots , \langle \mathbf {w}_{\bar{\ell }}, \mathbf {q}_S \rangle )\) and thus

$$\begin{aligned} \mathbf {u}_1[i]=\langle \mathbf {w}_{ i}, \mathbf {q}_S \rangle = \mathbf {u}_2[i]\cdot \langle \mathbf {p}(\rho (\ell _0 +i)),\mathbf {q}_S \rangle =\mathbf {u}_2[i]\cdot Q_S(\rho (\ell _0 + i)) \end{aligned}$$

holds for \(i\in [1,\ell _1]\). From the above, we have that \(\mathbf {u}_1[i]= 0\) if \(\rho (\ell _0 +i)=\lnot \mathsf {Att}\) and \(\mathsf {Att}\in S\) for some \(\mathsf {Att}\). This implies that \(\mathbf {u}_1[i]=0\) if \((\ell _0 +i) \not \in I\) for \(i\in [1,\ell _1]\).

Finally, by comparing the first \(\bar{m}\) elements in the vector, we obtain that \(-\mathrm {e}_1^{\top } +\mathbf {u}_0^{\top }\mathbf {L}_0 + \mathbf {u}_1^{\top }\mathbf {L}_1=\mathbf {0}^\top \). Let \(\mathbf {u}_{0,I}\) be a subvector of \(\mathbf {u}_0\) which is obtained by deleting all elements \(\mathbf {u}_0[i]\) for \(i\not \in I\). Similarly, we define \(\mathbf {u}_{1,I}\) as a vector obtained by deleting all elements \(\mathbf {u}_1[i]\) for i such that \((\ell _0 +i)\not \in I\) from \(\mathbf {u}_1\). Since \(\mathbf {u}_0[i]=0\) for \(i\in [1,\ell _0 ]\backslash I \) and \(\mathbf {u}_1[i]=0\) for \(i\in [1,\ell _1]\) such that \((\ell _0 +i) \not \in I\), it follows that \((\mathbf {u}_{0,I}^{\top }, \mathbf {u}_{1,I}^{\top })\mathbf {L}_{I} = \mathbf {u}_0^{\top } \mathbf {L}_0 + \mathbf {u}_1^{\top } \mathbf {L}_1 = \mathrm {e}_1^{\top }\) and thus \(\mathrm {e}_1 \in \mathrm {span}(\mathbf {L}_I^{\top }) \) as desired.

Converse Direction ( \(\Leftarrow \) ). The converse direction can be shown by repeating the above discussion in reverse order. Assume that \(\mathrm {e}_1 \in \mathrm {span}(\mathbf {L}_I^{\top })\). Then there exists \(\mathbf {u}'\in \mathbb {Z}_p^{|I|}\) such that \(\mathbf {u}'^{\top } \mathbf {L}_I = \mathrm {e}_1^{\top }\). We extend \(\mathbf {u}'\) to define \(\mathbf {u}''\in \mathbb {Z}_p^{\ell _0 + \ell _1}\) so that \(\mathbf {u}''_I = \mathbf {u}'\) and \(\mathbf {u}''[i]=0\) for \(i\not \in I\) hold. Here, \(\mathbf {u}''_I \in \mathbb {Z}_p^{|I|}\) is a subvector of \(\mathbf {u}''\) which is obtained by deleting all elements \(\mathbf {u}''[i]\) for \(i\not \in I\). These conditions completely determine \(\mathbf {u}''\). We denote this \(\mathbf {u}''\) as \(\mathbf {u}''^{\top } = (\mathbf {u}_0^{\top },\mathbf {u}_1^{\top })\) using \(\mathbf {u}_0\in \mathbb {Z}_p^{\ell _0}\) and \(\mathbf {u}_1 \in \mathbb {Z}_p^{\ell _1}\). We note that \(\mathbf {u}_0^{\top } \mathbf {L}_0 + \mathbf {u}_1^{\top } \mathbf {L}_1 = \mathrm {e}_1^{\top }\) holds by the definition.

Next we define \(\mathrm {v}_{i}\) for \(i \in [\bar{\ell }]\) as \(\mathrm {v}_{i} = \mathbf {u}_0[i]\cdot \mathbf {p}(\rho (i))\) if \(i\in [\ell _0]\) and \(\mathrm {v}_{i} = \mathbf {0}_{\bar{k}+1}\) if \(i\in [\ell _0 +1, \bar{\ell }]\). We claim that \(\langle \mathrm {v}_i, \mathbf {q}_S \rangle = 0\) holds for \(i \in [ \bar{\ell } ]\). Here, we prove this. The case for \(i \in [ \ell _0 + 1, \bar{\ell } ]\) is trivial. For the case of \(i \in [ 1, \ell _0 ]\), we have

$$\begin{aligned} \langle \mathrm {v}_i, \mathbf {q}_S \rangle = \mathbf {u}_0[i]\cdot \langle \mathbf {p}(\rho (i)) , \mathbf {q}_S \rangle =\mathbf {u}_0[i] \cdot Q_S(\rho (i)) = 0. \end{aligned}$$

The last equation above holds because we have \(Q_S(\rho (i)) = 0\) if \(i \in I\) and \(\mathbf {u}_0[i]=0\) otherwise, by the definition of \(\mathbf {u}_0[i]\).

We define \(\mathbf {u}_2[i]\in \mathbb {Z}_p\) for \(i\in [1,\ell _1]\) as \(\mathbf {u}_2[i]= \mathbf {u}_1[i]/Q_{S}(\rho (\ell _0 +i))\) if \(\mathbf {u}_1[i]\ne 0\) and \(\mathbf {u}_2[i]=0\) if \(\mathbf {u}_1[i]=0\). We have to show that \(\mathbf {u}_2[i]\) are well defined by showing that \(Q_{S}(\rho (\ell _0 +i))\ne 0\) if \(\mathbf {u}_1[i]\ne 0\) (i.e., division by 0 does not occur). If \(\mathbf {u}_1[i]\ne 0\), then \((\ell _0 + i)\in I\) by the definition of \(\mathbf {u}_1\). It implies that \(( \rho (\ell _0 +i)=\lnot \mathsf {Att}) \wedge (\mathsf {Att}\not \in S)\) for some \(\mathsf {Att}\in \mathbb {Z}_p\) and thus \(Q_S(\rho (\ell _0 +i)) = \prod _{\omega \in S} (\mathsf {Att}- \omega ) \ne 0\) holds as desired.

We also define \(\mathbf {w}_{i}\) as \(\mathbf {w}_i = \mathbf {u}_2[i]\cdot \mathbf {p}(\rho (\ell _0 +i))\) for \(i\in [1,\ell _1]\) and \(\mathbf {w}_i = \mathbf {0}_{\bar{k}+1}\) for \(i\in [\ell _1 + 1, \bar{\ell }]\). Then, we have

$$\begin{aligned} \langle \mathbf {w}_i, \mathbf {q}_S \rangle = \mathbf {u}_2[i]\cdot \langle \mathbf {p}(\rho (\ell _0 +i)) , \mathbf {q}_S \rangle =\mathbf {u}_2[i] \cdot Q_S(\rho (\ell _0 +i)) = \mathbf {u}_1[i] \end{aligned}$$

for \(i\in [1,\ell _1]\) and \(\langle \mathbf {w}_i, \mathbf {q}_{S} \rangle = 0\) for \(i\in [\ell _1 + 1, \bar{\ell }]\).

Finally, we define \(\mathbf {u}\) and \(\mathrm {v}\) as \(\mathbf {u}^{\top }=(\mathbf {u}^{\top }_0,\mathbf {u}^{\top }_1,\mathbf {u}^{\top }_2)\) and \(\mathrm {v}^{\top }=(\mathrm {v}^{\top }_1, \ldots , \mathrm {v}^{\top }_{\bar{\ell }}, \mathbf {w}_1^\top ,\ldots , \mathbf {w}^{\top }_{\bar{\ell }})\). Then, Eqs. (4) and (5) hold. By the properties of \(\mathbf {u}\) and \(\mathrm {v}\) we investigated so far, it is straightforward to see that \( \mathrm {x}_0^{\top }+\mathbf {u}^{\top }\mathbf {X}^{\top } = \mathrm {y}_0^\top + \mathrm {v}^{\top }\mathbf {Y}^{\top }\) holds. This concludes the proof of the theorem.
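The conversion of Sect. 4.1 and the equivalence of Theorem 2 can be checked numerically on a small instance. The following Python sketch is an added example, not code from the paper; the prime \(p=101\), the bounds, the toy policy and all function names are assumptions made for illustration.

```python
P = 101                      # small prime modulus (constructed for this example)
KBAR, LBAR, MBAR = 2, 3, 2   # bounds: |S| <= KBAR, rows <= LBAR, columns <= MBAR
# Constructed policy "A AND (NOT B)" with A = 5, B = 7: (row of L, attribute, negated)
POLICY = [([1, 1], 5, False), ([0, -1], 7, True)]

def rank_mod_p(rows, p=P):
    """Rank of a matrix over Z_p (Gauss-Jordan elimination)."""
    m = [[v % p for v in r] for r in rows]
    rank = 0
    for c in range(len(m[0]) if m else 0):
        piv = next((r for r in range(rank, len(m)) if m[r][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][c], -1, p)
        m[rank] = [v * inv % p for v in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][c]:
                f = m[r][c]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank

def in_row_span(target, rows, p=P):
    """True iff target is a Z_p-linear combination of the given rows."""
    return rank_mod_p(rows, p) == rank_mod_p(rows + [list(target)], p)

def powers(x, p=P):
    """p(x) = (1, x, x^2, ..., x^KBAR), as used in G_b."""
    return [pow(x, e, p) for e in range(KBAR + 1)]

def q_coeffs(S, p=P):
    """Coefficients of Q_S[Z] = prod_{s in S} (Z - s), lowest degree first, zero-padded."""
    if len(S) > KBAR:
        raise ValueError("|S| exceeds the bound KBAR")
    q = [1]
    for s in S:
        nxt = [0] * (len(q) + 1)
        for i, c in enumerate(q):
            nxt[i] = (nxt[i] - s * c) % p
            nxt[i + 1] = (nxt[i + 1] + c) % p
        q = nxt
    return q + [0] * (KBAR + 1 - len(q))

W = (KBAR + 1) * LBAR        # width of one G_b / identity block
B, C, D, E = MBAR, MBAR + LBAR, MBAR + LBAR + W, MBAR + 2 * LBAR + W  # block offsets
N = E + W                    # DSE dimension n = 4*LBAR + MBAR + 2*KBAR*LBAR

def place(pieces):
    """Length-N row with each (offset, values) piece written in."""
    r = [0] * N
    for off, vals in pieces:
        r[off:off + len(vals)] = vals
    return r

def map_policy(policy):
    """f_e: span program -> (x0, rows of X^T); positive rows first, as the text assumes."""
    pos = [r for r in policy if not r[2]]
    neg = [r for r in policy if r[2]]
    k1 = KBAR + 1
    XT = [place([(0, v), (C + i * k1, powers(a))]) for i, (v, a, _) in enumerate(pos)]  # (L_0|0|G_0|0|0)
    XT += [place([(0, v), (D + i, [1])]) for i, (v, _, _) in enumerate(neg)]           # (L_1|0|0|I|0)
    XT += [place([(E + i * k1, powers(a))]) for i, (_, a, _) in enumerate(neg)]        # (0|0|0|0|G_1)
    return [P - 1] + [0] * (N - 1), XT   # x0 = -e_1

def map_key(S):
    """f_k: attribute set S -> (y0, rows of Y^T) with blocks (0|H|I|0|0) and (0|0|0|H|I)."""
    q, k1 = q_coeffs(S), KBAR + 1
    YT = [place([(h + blk, [q[j]]), (i0 + blk * k1 + j, [1])])
          for h, i0 in ((B, C), (D, E)) for blk in range(LBAR) for j in range(k1)]
    return [0] * N, YT

def dse_intersects(x0, XT, y0, YT, p=P):
    """(x0 + span X) meets (y0 + span Y) iff y0 - x0 lies in the span of X and Y."""
    return in_row_span([(b - a) % p for a, b in zip(x0, y0)], XT + YT, p)

def cp_abe_accepts(policy, S, p=P):
    """e_1 in span(L_I^T), with I as defined in the proof of Theorem 2."""
    rows = [list(v) + [0] * (MBAR - len(v)) for v, a, negated in policy if (a in S) != negated]
    return in_row_span([1] + [0] * (MBAR - 1), rows, p)

def check(S, policy=POLICY):
    """Return (R^DSE on the mapped attributes, R^CP on the original ones)."""
    x0, XT = map_policy(policy)
    y0, YT = map_key(S)
    return dse_intersects(x0, XT, y0, YT), cp_abe_accepts(policy, S)

if __name__ == "__main__":
    for S in ([5], [5, 7], [7], [], [5, 9]):
        print(S, check(S))   # both components agree for every S
```

The intersection test reduces to a rank comparison because \(\mathrm {y}_0-\mathrm {x}_0=\mathrm {e}_1\) must be a linear combination of the rows of \(\mathbf {X}^{\top }\) and \(\mathbf {Y}^{\top }\).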

5 From KP(CP)-ABE to KASP(CASP)

In this section, we show that monotonic KP-ABE with small universe (without bounds on the size of span programs) can be converted into KASP. We note that we can also obtain a CP-ABE-to-CASP conversion by simply swapping key and ciphertext attributes.

5.1 The Conversion

Mapping Parameters. We show how to construct KASP for dimension n from monotonic KP-ABE for parameter \(N=(n\kappa +1,-,-,-)\), where the size of the attribute universe is \(|\mathcal {U}|=2n\kappa + 1\). Here, \(\kappa = \lceil \log _2 p \rceil \). That is, we define \(f^{\mathsf {KASP}\rightarrow \mathsf {KP}}_{\mathsf {p}}(n) = N\). We set the universe of attributes as

$$\begin{aligned} \mathcal {U}=\Big \{\ \mathsf {Att}[i][j][b]\ \Big |\ (i,j,b)\in [1,n] \times [1,\kappa ] \times \{0,1\} \ \Big \} \cup \{ \mathsf {D}\}. \end{aligned}$$

Intuitively, \(\mathsf {Att}[i][j][b]\) represents an indicator for the condition “the j-th least significant bit of the binary representation of the i-th element of the vector \(\mathrm {x}\) is \(b \in \{0,1\}\)”. \(\mathsf {D}\) is a dummy attribute which will be assigned for all ciphertexts.

Mapping Ciphertext Attributes. For \(\mathrm {x}\in \mathbb {Z}_p^n\), we map \(f^{\mathsf {KASP}\rightarrow \mathsf {KP}}_{\mathsf {e}}:\mathrm {x}\mapsto S\) where

$$\begin{aligned} S=\Big \{\ \mathsf {Att}[i][j][b]\ \Big |\ (i,j)\in [1,n] \times [1,\kappa ],\ b = \mathrm {x}[i][j]\ \Big \} \cup \{ \mathsf {D}\}, \end{aligned}$$

where we define \(\mathrm {x}[i][j] \in \{ 0,1 \}\) in such a way that \(\mathrm {x}[i] = \sum ^{\kappa }_{j=1}2^{j -1}\cdot \mathrm {x}[i][j]\). In other words, \(\mathrm {x}[i][j]\) is the j-th least significant bit of the binary representation of \(\mathrm {x}[i]\in \mathbb {Z}_p\).

Mapping Key Attributes. For an arithmetic span program \((\mathbf {Y}=(\mathrm {y}_1,\ldots , \mathrm {y}_\ell )\in \mathbb {Z}_p^{m\times \ell }, \mathbf {Z}=(\mathbf {z}_1,\ldots , \mathbf {z}_\ell )\in \mathbb {Z}_p^{m\times \ell }, \rho )\) such that \(\mathbf {Y},\mathbf {Z}\in \mathbb {Z}_p^{m \times \ell }\), we define the map \(f^{\mathsf {KASP}\rightarrow \mathsf {KP}}_{\mathsf {k}}:(\mathbf {Y}, \mathbf {Z}, \rho )\mapsto (\mathbf {L},\rho ')\) as follows. First, we define

$$\begin{aligned} \mathbf {L}=\left( \begin{array}{cccccc} \mathbf {G}_1 &{}\mathbf {J}&{} &{} &{} \\ \mathbf {G}_2 &{} &{}\mathbf {J}&{} &{}\\ \vdots &{} &{} &{} \ddots &{} \\ \mathbf {G}_{\ell } &{} &{} &{} &{} \mathbf {J}\end{array} \right) \in \mathbb {Z}_p^{\bigl ( (2\kappa +1)\ell \bigr ) \times \bigl ( \kappa \ell + m \bigr )}, \end{aligned}$$
(6)

where the matrix \(\mathbf {J}\in \mathbb {Z}_p^{(2\kappa +1)\times \kappa }\) is defined as in Equation (3) (by setting \(n=1\)) while \(\mathbf {G}_i\) is defined as

$$\begin{aligned} \mathbf {G}_i = [\mathrm {g}\cdot \mathrm {y}_{i}^\top ; \mathbf {z}_{i}^\top ] = (\mathbf {0}_m,\mathrm {y}_{i}, \mathbf {0}_m, 2\mathrm {y}_{i}, \cdots , \mathbf {0}_m, 2^{\kappa -1}\mathrm {y}_{i}, \mathbf {z}_{i})^\top \in \mathbb {Z}_p^{(2\kappa + 1)\times m} \end{aligned}$$

where \(\mathrm {g}= (0,1,0,2,\ldots ,0,2^{i},\ldots ,0,2^{\kappa -1})^{\top }\in \mathbb {Z}_p^{2\kappa }\).

Next, we define the map \(\rho ': [(2\kappa +1)\ell ] \rightarrow \mathcal {U}\) as follows.

  • If \(i \equiv 0 \pmod {2\kappa +1}\), we set \(\rho '(i):= \mathsf {D}\).

  • Else, we write

    $$\begin{aligned} i=(2\kappa + 1)i' + 2j' + b'+1 \end{aligned}$$

    with unique \(i'\in [0,\ell -1]\), \(j'\in [0,\kappa -1]\), and \(b'\in \{ 0,1 \}\). We finally set \(\rho '(i)=\mathsf {Att}[\rho (i'+1)][j'+1][b'].\)

Intuition. S can be seen as a binary representation of the information of \(\mathrm {x}\). In the span program \((\mathbf {L},\rho ')\), \(\mathbf {J}\) is used to constrain the linear combinations among rows to a certain form. \(\mathbf {G}_i\) as well as \(\rho '\), along with the above restriction, are designed so that a linear combination of rows of \(\mathbf {G}_i\) can only be a scalar multiple of the vector \((\mathrm {x}[\rho (i)]\mathrm {y}_i + \mathbf {z}_i)^\top \). Therefore, \((\mathbf {L},\rho ')\) essentially works as an arithmetic span program.
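The row-selection mechanism of Sect. 5.1 can be traced on a small instance: the attributes in \(S=f^{\mathsf {KASP}\rightarrow \mathsf {KP}}_{\mathsf {e}}(\mathrm {x})\) pick, through \(\rho '\), exactly those rows of each \(\mathbf {G}_i\) whose sum is \(\mathrm {x}[\rho (i)]\mathrm {y}_i+\mathbf {z}_i\). The Python sketch below is an added example, not code from the paper; the prime \(p=101\), the sample vectors and the function names are assumptions. It covers only the \(\mathbf {G}_i\) columns and does not build \(\mathbf {J}\), which is defined in Equation (3).

```python
P = 101                         # small prime (constructed for this example)
KAPPA = (P - 1).bit_length()    # kappa = ceil(log2 p) = 7

def bits(v):
    """x[i][1..kappa]: binary digits of v, least significant first."""
    return [(v >> j) & 1 for j in range(KAPPA)]

def map_ciphertext(x):
    """f_e: x -> S = { Att[i][j][x[i][j]] } together with the dummy attribute D."""
    S = {("Att", i + 1, j + 1, b) for i, xi in enumerate(x) for j, b in enumerate(bits(xi))}
    return S | {"D"}

def rho_prime(i, rho):
    """rho'(i) for a 1-based row index i of L; rho[t] holds rho(t+1) in [1, n]."""
    blk, t = divmod(i, 2 * KAPPA + 1)
    if t == 0:
        return "D"                         # last row of each block
    j, b = divmod(t - 1, 2)                # i = (2*kappa+1) i' + 2 j' + b' + 1
    return ("Att", rho[blk], j + 1, b)

def g_block(y, z, p=P):
    """Rows of G_i = (0, y, 0, 2y, ..., 0, 2^(kappa-1) y, z)^T."""
    rows = []
    for j in range(KAPPA):
        rows.append([0] * len(y))
        rows.append([pow(2, j, p) * c % p for c in y])
    rows.append([c % p for c in z])
    return rows

def selected_blocks(x, ys, zs, rho):
    """G'_i for each i: the rows of G_i whose label rho'(.) lies in S = f_e(x)."""
    S = map_ciphertext(x)
    out = []
    for blk, (y, z) in enumerate(zip(ys, zs)):
        base = (2 * KAPPA + 1) * blk
        G = g_block(y, z)
        out.append([G[t - 1] for t in range(1, 2 * KAPPA + 2) if rho_prime(base + t, rho) in S])
    return out

def column_sums(rows, p=P):
    """1^T * rows, i.e. the all-ones linear combination of the rows."""
    return [sum(col) % p for col in zip(*rows)]

def arithmetic_rows(x, ys, zs, rho, p=P):
    """The vectors x[rho(i)] * y_i + z_i used by the arithmetic span program."""
    return [[(x[rho[i] - 1] * a + b) % p for a, b in zip(ys[i], zs[i])] for i in range(len(ys))]

# Constructed instance: n = 2, m = 3, ell = 2, rho(1) = 2, rho(2) = 1.
X = [37, 90]
YS = [[1, 2, 3], [4, 0, 5]]
ZS = [[7, 8, 9], [1, 1, 1]]
RHO = [2, 1]

if __name__ == "__main__":
    for g in selected_blocks(X, YS, ZS, RHO):
        print(len(g), column_sums(g))
    print(arithmetic_rows(X, YS, ZS, RHO))
```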

5.2 Correctness of the Conversion

We show the following theorem. The implication from KP-ABE with parameter \(N=(n\kappa +1, -,-,- )\) to KASP with dimension n would then follow from the embedding lemma.

Theorem 3

For any \(\mathrm {x}\in \mathbb {Z}_p^n\), \(\mathbf {Y}\in \mathbb {Z}_p^{m\times \ell }\), \( \mathbf {Z}\in \mathbb {Z}_p^{m\times \ell }\), and \(\rho :[\ell ] \rightarrow [n]\), it holds that

$$\begin{aligned} R^{\mathsf {KP}}_N(S,(\mathbf {L},\rho '))=1 \Leftrightarrow R^{\mathsf {KASP}}_n(\mathrm {x},(\mathbf {Y},\mathbf {Z},\rho ))=1 \end{aligned}$$

where \(N=f^{\mathsf {KASP}\rightarrow \mathsf {KP}}_{\mathsf {p}}(n)\), \(S=f^{\mathsf {KASP}\rightarrow \mathsf {KP}}_{\mathsf {e}}(\mathrm {x})\), and \((\mathbf {L},\rho ')=f^{\mathsf {KASP}\rightarrow \mathsf {KP}}_{\mathsf {k}}(\mathbf {Y},\mathbf {Z},\rho )\).

Proof

Define \(I\subset [1,(2\kappa +1)\ell ]\) as \(I=\{i | \rho '(i)\in S\}\). We define \(\mathbf {L}_I\) as the sub-matrix of \(\mathbf {L}\) formed by rows whose index is in I. From the definition of \(f^{\mathsf {KASP}\rightarrow \mathsf {KP}}_{\mathsf {e}}\), we have that \(\mathbf {L}_I\) is in the form of

$$\begin{aligned} \mathbf {L}_I=\left( \begin{array}{ccccccccc} \mathbf {G}'_1 &{}\mathbf {J}' &{} &{} &{}\\ \mathbf {G}'_2 &{} &{}\mathbf {J}' &{} &{}\\ \vdots &{} &{} &{} \ddots &{} \\ \mathbf {G}'_{\ell } &{} &{} &{} &{} \mathbf {J}' \end{array} \right) \in \mathbb {Z}_p^{\bigl ( (\kappa +1)\ell \bigr ) \times \bigl ( \kappa \ell + m\bigr ) }, \end{aligned}$$

where

and where \(\mathrm {g}_{i}=(\mathrm {x}[\rho (i)][1], 2\mathrm {x}[\rho (i)][2],\ldots , 2^{\kappa -1}\mathrm {x}[\rho (i)][\kappa ])^{\top } \in \mathbb {Z}_p^{\kappa }.\) We note that we have \(\langle \mathbf {1}_{\kappa }, \mathrm {g}_{i} \rangle =\mathrm {x}[\rho (i)]\) by the definition of \(\mathrm {x}[\rho (i)][j]\) and thus \({\mathbf {G}'}_{i}^{\top } \cdot \mathbf {1}_{\kappa +1}=\mathrm {x}[\rho (i)]\mathrm {y}_i + \mathbf {z}_i\) holds. We also remark that if \(\mathrm {v}^{\top } \mathbf {J}' = \mathbf {0}\) holds for some \(\mathrm {v}\in \mathbb {Z}_p^{\kappa + 1}\), then there exists \(v \in \mathbb {Z}_p\) such that \(\mathrm {v}= v \mathbf {1}_{\kappa + 1}\). These properties will be used later below.

Proving the theorem statement is equivalent to proving that

$$\begin{aligned} \mathrm {e}_1\in \mathrm {span}(\mathbf {L}_I^{\top }) \quad \Leftrightarrow \quad \mathrm {e}_1 \in \mathrm {span}(\{ \mathrm {x}[\rho (i)]\mathrm {y}_i +\mathbf {z}_i \}_{i\in [\ell ]}). \end{aligned}$$

Forward Direction ( \(\Rightarrow \) ). We assume that \(\mathrm {e}_1\in \mathrm {span}(\mathbf {L}_I^{\top })\). From this, there exists \(\mathbf {u}\in \mathbb {Z}_p^{(\kappa +1)\ell }\) such that \(\mathbf {u}^{\top } \mathbf {L}_I = \mathrm {e}_1^{\top }\). We write this \(\mathbf {u}\) as

$$\begin{aligned} \mathbf {u}^{\top }= \bigl ( \underbrace{\mathbf {u}_1^{\top }}_{ \kappa + 1}, \underbrace{\mathbf {u}_2^{\top }}_{\kappa + 1}, \ldots , \underbrace{\mathbf {u}_{\ell }^{\top }}_{ \kappa + 1} \bigr ). \end{aligned}$$

Therefore, we have that

$$\begin{aligned} \mathrm {e}_1^\top = \mathbf {u}^{\top } \cdot \mathbf {L}_I = \left( \sum _{i\in [\ell ]}\mathbf {u}_i^\top \mathbf {G}'_i , \mathbf {u}_1^\top \mathbf {J}', \ldots , \mathbf {u}_\ell ^\top \mathbf {J}' \right) . \end{aligned}$$

Since \(\mathbf {u}_i^{\top }\cdot \mathbf {J}'=\mathbf {0}\) for \(i\in [\ell ]\), there exist \(\{ u_i\in \mathbb {Z}_p \}_{i\in [\ell ]}\) such that \(\mathbf {u}_i = u_i \mathbf {1}_{\kappa + 1}\). Then, we have

$$\begin{aligned} \mathrm {e}_1^\top = \sum _{i\in [\ell ]}\mathbf {u}_i^\top \mathbf {G}'_i= \sum _{i\in [\ell ]}u_i \mathbf {1}^\top _{\kappa + 1} \mathbf {G}'_i =\sum _{i\in [\ell ]} u_i (\mathrm {x}[\rho (i)]\cdot \mathrm {y}_i + \mathbf {z}_i)^\top . \end{aligned}$$

This implies \( \mathrm {e}_1 \in \mathrm {span}(\{ \mathrm {x}[\rho (i)] \mathrm {y}_i +\mathbf {z}_i \}_{i\in [\ell ]})\), as desired.

Converse Direction ( \(\Leftarrow \) ). We assume that \(\mathrm {e}_1 \in \mathrm {span}(\{ \mathrm {x}[\rho (i)]\mathrm {y}_i +\mathbf {z}_i \}_{i\in [\ell ]})\). Then, there exist \(\{ u_i\in \mathbb {Z}_p \}_{i\in [\ell ]}\) such that \(\sum _{i\in [\ell ]}u_i(\mathrm {x}[\rho (i)]\cdot \mathrm {y}_i + \mathbf {z}_i) = \mathrm {e}_1\). We set a vector \(\mathbf {u}\in \mathbb {Z}_p^{(\kappa + 1 )\ell }\) as \(\mathbf {u}^{\top }= \bigl (u_1\mathbf {1}^{\top }_{\kappa + 1}, \ldots , u_\ell \mathbf {1}^{\top }_{\kappa + 1} \bigr ).\) Then, we have that

$$\begin{aligned} \mathbf {u}^{\top } \cdot \mathbf {L}_I= & {} \left( \sum _{i\in [\ell ]}u_i \mathbf {1}_{\kappa +1}^\top \mathbf {G}'_i , u_1 \mathbf {1}_{\kappa +1}^\top \mathbf {J}', \ldots , u_\ell \mathbf {1}_{\kappa +1}^\top \mathbf {J}' \right) \\= & {} \left( \sum _{i\in [\ell ]}u_i (\mathrm {x}[\rho (i)]\mathrm {y}_i + \mathbf {z}_i)^\top , \mathbf {0}_\kappa ^\top , \ldots , \mathbf {0}_\kappa ^\top \right) =\mathrm {e}_1^\top . \end{aligned}$$

This implies \(\mathrm {e}_1 \in \mathrm {span}(\mathbf {L}_I^\top )\), as desired. This concludes the proof of the theorem.

6 Implications of Our Result

In this section, we discuss consequences of our results.

Equivalence between (bounded) ABE and DSE. We have shown that monotonic KP/CP-ABE for \((\bar{k},\bar{\ell },\bar{m},\varphi )\) implies DSE (without delegation) in Sect. 3 and DSE implies non-monotonic KP/CP-ABE with large universe for \((\bar{k},\bar{\ell },\bar{m},\varphi )\) in Sect. 4. Since non-monotonic KP/CP-ABE with large universe for \((\bar{k},\bar{\ell },\bar{m},\varphi )\) trivially implies monotonic KP/CP-ABE with small universe for \((\bar{k},\bar{\ell },\bar{m},\varphi )\), our results indicate that these PE schemes are essentially equivalent in the sense that they imply each other.

Equivalence between K(C)ASP and KP(CP)-ABE. Next, we consider the case where there is no restriction on the size of span programs. In Sect. 5, we showed that monotonic KP-ABE for \(((\bar{k}+1)\kappa ,-,-,-)\) implies KASP for \((\bar{k},-,-,-)\). In the full version [4], we also show the converse direction. That is, we show that KASP for \((\bar{k}+1,-,-,-)\) implies non-monotonic KP-ABE for \((\bar{k},-,-,-)\) with large universe. Since non-monotonic KP-ABE for \((\bar{k},-,-,-)\) trivially implies monotonic KP-ABE for \((\bar{k},-,-,-)\), our results indicate that these PE schemes are essentially equivalent similarly to the above case. Similar implications hold for CP-ABE. See Fig. 1 for the overview.

Table 1. Comparison among DSE Schemes

By applying the conversions to existing schemes, we obtain various new schemes. Overviews of the properties of the resulting schemes and comparisons with existing schemes are provided in Tables 1, 2, 3 and 4. All schemes in the tables are constructed in pairing groups. In the tables, we count the number of group elements to measure the size of master public keys (\(|\mathsf {mpk}|\)), ciphertexts (\(|C|\)), and private keys (\(|\mathsf {sk}|\)). Note that our conversions can only be applied to ABE schemes supporting span programs over \(\mathbb {Z}_p\). Therefore, for ABE schemes constructed on composite order groups [2, 30], our conversions are not applicable since they support span programs over \(\mathbb {Z}_{N}\) where N is a product of several large primes. Similar restrictions apply to DSE and K(C)ASP. Though it is quite plausible that our conversions work even in such cases assuming the hardness of factoring N, we do not prove this in this paper.

New DSE Schemes. By applying our KP(CP)-ABE-to-DSE conversion to existing KP(CP)-ABE schemes, we obtain many new DSE schemes. Table 1 shows an overview of the obtained schemes. Specifically,

  • From the unbounded KP-ABE schemes [3, 35, 37], we obtain the first DSE scheme with constant-size master public key (without delegation). Note that all previous schemes [14, 17, 25] require at least O(n) group elements in the master public key, where n is the dimension of the scheme.

  • From KP-ABE schemes with constant-size ciphertexts [3, 5, 27, 39], we obtain the first DSE scheme with constant-size ciphertexts. All previous schemes [14, 17, 25] require at least \(O(d_1)\) group elements in ciphertexts, where \(d_1\) is the dimension of the affine space associated with a ciphertext.

  • From the CP-ABE scheme with constant-size keys [6], we obtain the first DSE scheme with constant-size private keys. All previous schemes require at least \(O(d_2)\) group elements in private keys, where \(d_2\) is the dimension of the affine space associated with a private key.

The schemes obtained from [3, 35] achieve adaptive security. Furthermore, for schemes obtained from [5, 27, 37], we can define a key delegation algorithm. The details of the key delegation algorithm will be given in the full version [4].

Table 2. Comparison among CP-ABE Schemes

CP-ABE with Constant-Size Ciphertexts. By applying our DSE-to-non-monotonic-CP-ABE conversion in Sect. 4 to the DSE scheme with constant-size ciphertexts obtained above, we obtain the first non-monotonic CP-ABE with constant-size ciphertexts. Previous CP-ABE schemes with constant-size ciphertexts [12, 13, 18] only support threshold or more limited predicates. See Table 2 for comparison (we list only relevant schemes).

KP-ABE with Constant-Size Keys. By applying our DSE-to-non-monotonic-KP-ABE conversion in Sect. 4 to the DSE scheme with constant-size keys obtained above, we obtain the first non-monotonic KP-ABE with constant-size keys. See Table 3 for comparison (we list only relevant schemes).

Table 3. Comparison among KP-ABE Schemes

New KASP and CASP Schemes. By applying the KP(CP)-ABE-to-K(C)ASP conversion in Sect. 5, we obtain many new K(C)ASP schemes. See Table 4 for the overview. Specifically,

  • From the unbounded KP-ABE, CP-ABE schemes of [3, 37], we obtain the first KASP, CASP schemes with constant-size master public key.

  • From adaptively secure KP-ABE, CP-ABE schemes of [3, 32], we obtain the first adaptively secure KASP, CASP schemes with unbounded attribute multi-use.

  • From KP-ABE schemes with constant-size ciphertexts [3, 5, 27, 39], we obtain the first KASP schemes with constant-size ciphertexts.

  • From CP-ABE schemes with constant-size keys [3], we obtain the first CASP schemes with constant-size keys.

Until recently, the only (K)ASP scheme in the literature was the one proposed in [28], which is selectively secure and whose master public key and ciphertext sizes are linear in the dimension of the scheme. Very recently, adaptively secure KASP and CASP were given in [16], albeit with the restriction of one-time use (of the same attribute in one policy).

Table 4. Comparison among KASP and CASP Schemes

We remark that the conversion is not applicable for schemes in [34, 35] since these schemes are KP-ABE for \((*,*,*,\varphi )\) where \(\varphi \) is polynomially bounded, whereas our conversion requires the last parameter to be unbounded.

7 Application to Attribute-Based Signature

Here, we show that the techniques developed in the previous sections are also applicable to constructing attribute-based signatures (ABS) [33, 34]. ABS is an advanced form of signature and can be considered a signature analogue of ABE. In particular, it resembles CP-ABE in the sense that a private key is associated with a set of attributes while a signature is associated with a policy and a message. A user can sign a message with a policy if and only if she has a private key associated with a set satisfying the policy. Roughly speaking, this property corresponds to correctness and unforgeability. For ABS, we also require privacy. That is, we require that one cannot obtain any information about the attributes of the signer from a signature.

The construction of an expressive ABS scheme with constant-size signatures has been open. All previous ABS schemes with constant-size signatures [12, 26] only support threshold predicates. The difficulty of constructing ABS with constant-size signatures seems to be related to the difficulty of constructing CP-ABE with constant-size ciphertexts. That is, it is hard to set a constant number of group elements so that they encode very complex information such as span programs.

To solve the problem, we first define the notion of predicate signature (PS), which is a signature analogue of PE. Then we construct a PS scheme that is the dual of ABS: a private key is associated with a policy and a signature with a set. The scheme achieves constant-size signatures. This is not difficult to achieve because the signature is associated with a set, which is a simpler object than a policy. The scheme is based on the PS scheme for threshold predicates with constant-size signatures by [26]. We change the scheme mainly in two ways. First, instead of using Shamir’s secret sharing scheme, we use a linear secret sharing scheme so that the scheme supports more general predicates. We also add some modifications so that the signature size becomes even shorter. The signatures of the resulting scheme consist of only two group elements.
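The following added example (not code from the paper) illustrates the move from Shamir's scheme to a linear secret sharing scheme: a span program \((\mathbf {L},\rho )\) accepts a set exactly when \(\mathrm {e}_1\) lies in the span of the rows of \(\mathbf {L}\) labelled by that set, and Shamir's t-of-n scheme is the special case where \(\mathbf {L}\) is a Vandermonde matrix. The prime `P`, the function names, the attribute names and the policy matrix are assumptions made for the illustration.

```python
# Added illustration: P, the matrices and the attribute names are constructed.
P = 2**61 - 1  # a prime standing in for the group order p

def solve_e1(rows, p=P):
    """Return u with sum_i u[i]*rows[i] = e_1 (mod p), or None if e_1 is outside the span."""
    if not rows:
        return None
    n, m = len(rows), len(rows[0])
    # Augmented system [rows^T | e_1], one equation per column of the matrix.
    aug = [[rows[i][j] % p for i in range(n)] + [int(j == 0)] for j in range(m)]
    pivots, r = [], 0
    for c in range(n):                      # Gauss-Jordan elimination over Z_p
        piv = next((k for k in range(r, m) if aug[k][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [v * inv % p for v in aug[r]]
        for k in range(m):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(a - f * b) % p for a, b in zip(aug[k], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[n] for row in aug[r:]):      # a row reads 0 = nonzero: no solution
        return None
    u = [0] * n
    for i, c in enumerate(pivots):
        u[c] = aug[i][n]
    return u

def share(L, secret, rand, p=P):
    """Share i is <L[i], (secret, rand...)>; rand must have len(L[0]) - 1 entries."""
    v = [secret] + list(rand)
    return [sum(a * b for a, b in zip(row, v)) % p for row in L]

def reconstruct(L, rho, attrs, shares, p=P):
    """Recover the secret from the shares whose labels are in attrs, or None if rejected."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    u = solve_e1([L[i] for i in idx], p)
    return None if u is None else sum(c * shares[i] for c, i in zip(u, idx)) % p

def shamir_matrix(t, n, p=P):
    """t-of-n Shamir as a span program: row i is (1, i, i^2, ..., i^(t-1))."""
    return [[pow(i, j, p) for j in range(t)] for i in range(1, n + 1)]

# (A AND B) OR C: not a threshold function, yet a 3x2 span program expresses it.
POLICY_L, POLICY_RHO = [[1, 1], [0, -1], [1, 0]], ["A", "B", "C"]
```

The vector `u` returned by `solve_e1` plays the role of the reconstruction coefficients; for the Shamir matrix it coincides with the Lagrange coefficients at zero whenever exactly t rows are selected.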

Since a signature analogue of Lemma 1 holds, we can apply the KP-ABE-to-non-monotonic-CP-ABE conversion (a combination of the results in Sects. 3 and 4) to obtain the first ABS scheme with constant-size signatures supporting non-monotone span programs. We refer to the full version [4] for the details.