Hidden Vector Encryption Fully Secure Against Unrestricted Queries

Predicate encryption is an important cryptographic primitive (see [3, 6, 11, 14]) that enables fine-grained control on the decryption keys. Roughly speaking, in a predicate encryption scheme the owner of the master secret key Msk can derive secret key SkP , for any predicate P from a specified class of predicates P. In encrypting a message M , the sender can specify an attribute vector ~x and the resulting ciphertext X̃ can be decrypted only by using keys SkP such that P (~x) = 1. Our main contribution is the first construction of a predicate encryption scheme that can be proved fully secure against unrestricted queries by probabilistic polynomial-time adversaries under non-interactive constant sized (that is, independent of the length ` of the attribute vectors) hardness assumptions on bilinear groups of composite order. Specifically, we consider hidden vector encryption (HVE in short), a notable case of predicate encryption introduced by Boneh and Waters [6] and further developed in [24, 13, 22]. In a HVE scheme, the ciphertext attributes are vectors ~x = 〈x1, . . . , x`〉 of length ` over alphabet Σ, keys are associated with vectors ~y = 〈y1, . . . , y`〉 of length ` over alphabet Σ ∪ {?} and we consider the Match(~x, ~y) predicate which is true if and only if, for all i, yi 6= ? implies xi = yi. Previous constructions restricted the proof of security to adversaries that could ask only non-matching queries; that is, for challenge attribute vectors ~x0 and ~x1, the adversary could ask only for keys of vectors ~y for which Match(~x0, ~y) = Match(~x1, ~y) = false. Our proof employs the dual system methodology of Waters [26], that gave one of the first fully secure construction in this area, blended with a careful design of intermediate security games that keep into account the relationship between challenge ciphertexts and key queries.