Security and cryptography for networks 10th international conference, SCN 2016

LNCS 9841

Vassilis Zikas
Roberto De Prisco (Eds.)

Security and Cryptography
for Networks
10th International Conference, SCN 2016
Amalfi, Italy, August 31 – September 2, 2016
Proceedings



Lecture Notes in Computer Science
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zürich, Switzerland
John C. Mitchell


Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany




Editors
Vassilis Zikas
Rensselaer Polytechnic Institute
Troy, NY
USA

Roberto De Prisco
University of Salerno
Fisciano
Italy

ISSN 0302-9743
ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-44617-2
ISBN 978-3-319-44618-9 (eBook)
DOI 10.1007/978-3-319-44618-9
Library of Congress Control Number: 2016947481
LNCS Sublibrary: SL4 – Security and Cryptology
© Springer International Publishing Switzerland 2016
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made.
Printed on acid-free paper
This Springer imprint is published by Springer Nature
The registered company is Springer International Publishing AG Switzerland


Preface

The 10th Conference on Security and Cryptography for Networks (SCN 2016) was
held in Amalfi, Italy, from August 31 to September 2, 2016. The conference has
traditionally been held in Amalfi, with the exception of the fifth edition that was held in
the nearby Maiori. The first three editions of the conference were held in 1996, 1999,
and 2002. Since 2002, the conference has been held biannually.
Modern communication is achieved mostly through the use of computer networks. Computer networks bring many advantages, such as easy access to information and fast communication. However, guaranteeing the security of distributed transactions is a challenging task. The SCN conference is an international meeting whose goal is to bring together researchers, practitioners, and developers interested in the security of communication networks, in order to foster cooperation, facilitate the exchange of ideas, and disseminate research results.
The conference received 67 submissions in a broad range of cryptography and
security areas. The Program Committee has selected, among the many high-quality
submissions, 30 technical papers for publication in these proceedings. The selection
took into account quality, originality, and relevance to the conference’s scope. In
addition, this year we received a crypto-lyrics paper titled “Zero-Knowledge Made
Easy So It Won’t Make You Dizzy” that the Program Committee found to be of great
quality and therefore decided to grant it a special slot in the proceedings. It is our hope
that this can motivate more of these high-quality creative and entertaining types of
submissions in the future.
The international Program Committee (PC) consisted of 32 members who are top experts in the conference fields. At least three PC members reviewed each submitted
paper, while submissions co-authored by a PC member were subjected to the more
stringent evaluation of four PC members. In addition to the PC members, many external
reviewers joined the review process in their particular areas of expertise. We were
fortunate to have this knowledgeable and energetic team of experts, and are deeply
grateful to all of them for their hard and thorough work, which included a very active
discussion phase. Special thanks to Jeremiah Blocki, Alessandra Scafuro, Susumu
Kiyoshima, Dimitris Papadopoulos, Juan Garay, and Sanjam Garg, for their extra work
as shepherds.
The program was further enriched by the invited talks of Aggelos Kiayias
(University of Edinburgh, UK) and Rafael Pass (Cornell University and Cornell NYC
Tech, USA).
SCN 2016 was organized in cooperation with the International Association for Cryptologic Research (IACR). The paper submission, review, and discussion processes were effectively and efficiently made possible by the IACR Web-Submission-and-Review software, written by Shai Halevi. Many thanks to Shai for his assistance with the system’s various features and constant availability.



We thank all the authors who submitted papers to this conference, the Organizing
Committee members, colleagues, and student helpers for their valuable time and effort,
and all the conference attendees who made this event truly intellectually stimulating
through their active participation.
We finally thank the Dipartimento di Informatica of the Università degli Studi di
Salerno, InfoCert, and the Università degli Studi di Salerno for their financial support.
September 2016


Vassilis Zikas
Roberto De Prisco


SCN 2016
The 10th Conference on
Security and Cryptography for Networks
Amalfi, Italy
August 31 to September 2, 2016
Organized by
Dipartimento di Informatica
Università di Salerno
In Cooperation with
The International Association for Cryptologic Research (IACR)

Program Chair
Vassilis Zikas

Rensselaer Polytechnic Institute (RPI), USA

General Chair
Roberto De Prisco

Università di Salerno, Italy

Organizing Committee
Carlo Blundo (Università di Salerno, Italy)
Aniello Castiglione (Università di Salerno, Italy)
Luigi Catuogno (Università di Salerno, Italy)
Paolo D’Arco (Università di Salerno, Italy)

Steering Committee
Alfredo De Santis (Università di Salerno, Italy)
Ueli Maurer (ETH Zürich, Switzerland)
Rafail Ostrovsky (University of California - Los Angeles, USA)
Giuseppe Persiano (Università di Salerno, Italy)
Jacques Stern (ENS, France)
Douglas Stinson (University of Waterloo, Canada)
Gene Tsudik (University of California - Irvine, USA)
Moti Yung (Snapchat and Columbia University, USA)

Program Committee
Divesh Aggarwal (EPFL, Switzerland)
Shweta Agrawal (Indian Institute of Technology, India)
Joël Alwen (IST, Austria)
Gilad Asharov (The Hebrew University of Jerusalem, Israel)
Foteini Baldimtsi (Boston University, USA and University of Athens, Greece)
Jeremiah Blocki (Microsoft Research, USA)
David Cash (Rutgers University, USA)
Nishanth Chandran (Microsoft Research, India)
Karim El Defrawy (HRL Labs, USA)
Sebastian Faust (Ruhr-Universität Bochum, Germany)
Juan Garay (Yahoo Labs, USA)
Sanjam Garg (UC Berkeley, USA)
Shafi Goldwasser (MIT, USA)
Stanislaw Jarecki (UC Irvine, USA)
Iordanis Kerenidis (University of Paris Diderot 7, France)
Ranjit Kumaresan (MIT, USA)
Steve Lu (Stealth Software Technologies Inc., USA)
Ueli Maurer (ETH Zurich, Switzerland)
Charalampos Papamanthou (University of Maryland, USA)
Anat Paskin-Cherniavsky (Ariel University, Israel)
Rafael Pass (Cornell University and Cornell NYC Tech., USA)
Kenny Paterson (Royal Holloway, University of London, UK)
Christian Rechberger (DTU, Denmark)
Raphael Reischuk (ETH Zurich, Switzerland)
Alessandra Scafuro (Boston University and Northeastern University, USA)
Peter Schwabe (Radboud University, The Netherlands)
Damien Stehlé (ENS de Lyon, France)
Marc Stevens (CWI, The Netherlands)
Vanessa Teague (University of Melbourne, Australia)
Stefano Tessaro (UC Santa Barbara, USA)
Hong-Sheng Zhou (Virginia Commonwealth University, USA)
Vassilis Zikas (RPI, USA)

External Reviewers
Shashank Agrawal
Daniel Apon
Christian Badertscher
Saikrishna Badrinarayan
Iddo Bentov
Alexandra Berkoff
Florian Bourse
Christina Brzuska
Jie Chen
Alain Couvreur
Chris Culnane
Joan Daemen
Wei Dai
Angelo De Caro
Akshay Degwekar
David Derler
Julien Devigne
Léo Ducas
Lisa Eckey
Xiong Fan
Carmit Hazay
Brett Hemenway
Aayush Jain
Charanjit Jutla
Chethan Kamath
Handan Kilinc
Susumu Kiyoshima
Karen Klein
Ahmed Kosba
Luke Kowalczyk
Eyal Kushilevitz
Kim Laine
Joshua Lampkins
Adeline Langlois
Enrique Larraia
Tancrède Lepoint
Satyanarayana Lokam
Bernardo Machado David
Rusydi Makarim
Antonio Marcedone
Nico Marcel Döttling
Alexander May
Sebastian Meiser
Peihan Miao
Sonia Mihaela Bogos
Katerina Mitrokotsa
Pratyay Mukherjee
Kartik Nayak
Dimitris Papadopoulos
Kostas Papagiannopoulos
Alain Passelègue
Antigoni Polychroniadou
Ishaan Preet Singh
Srinivasan Raghuraman
Somindu Ramanna
Kim Ramchen
Vanishree Rao
Tom Ristenpart
Abhi shelat
Katerina Samari
Daniel Slamanig
Nigel Smart
Pratik Soni
Akshayaram Srinivasan
Douglas Stebila
Bjoern Tackmann
Qiang Tang
Alin Tomescu
Roberto Trifiletti
Daniel Tschudi
Daniele Venturi
Frederik Vercauteren
Ivan Visconti
Michael Walter
Xiao Wang
Udi Weinsberg
Sophia Yakoubov
Yupeng Zhang
Joe Zimmerman

Sponsoring Institutions

Dipartimento di Informatica, Università di Salerno, Italy

InfoCert, Rome, Italy


Università di Salerno, Italy



Abstracts of Invited Talks


Foundations of Blockchain Protocols

Aggelos Kiayias
School of Informatics, University of Edinburgh, 10 Crichton St.,
Edinburgh EH8 6AB, UK

Abstract. The bitcoin system is a remarkable solution. But to what problem? The rise of bitcoin and other cryptocurrencies puts forth a wealth of interesting questions in distributed systems and cryptography that relate to building decentralized systems. We initiate a formal investigation of this class of protocols and of their basic properties.
The core of the bitcoin protocol can be abstracted in a simple algorithmic form that has been termed the bitcoin backbone in [1]. This work also provided a synchronous model for the analysis of the protocol. This algorithmic abstraction and modeling enabled the expression of simple provable properties about the blockchain data structure maintained by the protocol, called chain quality, common prefix and chain growth. In this model, the concept of a robust transaction ledger can also be defined and analyzed, as captured by its two basic properties, persistence and liveness. Given the above, we show how a robust transaction ledger can be reduced to a blockchain protocol that satisfies these simple properties, cf. [2]. Alternative proof strategies are possible and will also be examined.
Given our formal definition of the robust transaction ledger problem, one can ask next whether the bitcoin backbone is the optimal solution. One important aspect of efficiency is the overhead to confirm transactions in the presence of an adversary, cf. [3], which is intimately related to the liveness of the ledger. Alternative designs such as GHOST, used in the Ethereum system, are possible and will be analyzed and compared within the model with respect to their security and efficiency characteristics.
Finally, the relation of a robust transaction ledger to the consensus problem will also be examined, and we will consider a number of model extensions that include rational players and dynamically changing user sets.

References
1. Garay, J.A., Kiayias, A., Leonardos, N.: The Bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Berlin
2. Kiayias, A., Panagiotakos, G.: Speed-security tradeoffs in blockchain protocols. IACR Cryptology ePrint Archive 2015/1019 (2015)
3. Kiayias, A., Panagiotakos, G.: On trees, chains and fast transactions in the blockchain. IACR Cryptology ePrint Archive 2016/545 (2016)

A. Kiayias—Most of the work reported was performed while at the National and Kapodistrian University of Athens. Research was supported by ERC project CODAMODA # 259152.


Cryptography and Game Theory


Rafael Pass
Cornell Tech, New York, USA

Abstract. Cryptographic notions of knowledge consider the knowledge
obtained, or possessed, by computationally-bounded agents under adversarial
conditions. In this talk, we will survey some recent cryptographically-inspired
approaches for reasoning about agents in the context of game-theory and
mechanism design (where agents typically are modelled as computationally
unbounded).

R. Pass—Supported in part by NSF Award CNS-1217821, NSF Award TWC-1561209, AFOSR
Award FA9550-15-1-0262, a Microsoft Faculty Fellowship, and a Google Faculty Research Award.


Contents

Encryption

A Tag Based Encoding: An Efficient Encoding for Predicate Encryption in Prime Order Groups . . . . . 3
Jongkil Kim, Willy Susilo, Fuchun Guo, and Man Ho Au

Non-zero Inner Product Encryption with Short Ciphertexts and Private Keys . . . . . 23
Jie Chen, Benoît Libert, and Somindu C. Ramanna

Attribute-Based Encryption for Range Attributes . . . . . 42
Nuttapong Attrapadung, Goichiro Hanaoka, Kazuto Ogawa, Go Ohtake, Hajime Watanabe, and Shota Yamada

Naor-Yung Paradigm with Shared Randomness and Applications . . . . . 62
Silvio Biagioni, Daniel Masny, and Daniele Venturi

Memory Protection

Provably-Secure Remote Memory Attestation for Heap Overflow Protection . . . . . 83
Alexandra Boldyreva, Taesoo Kim, Richard Lipton, and Bogdan Warinschi

Memory Erasability Amplification . . . . . 104
Jan Camenisch, Robert R. Enderlein, and Ueli Maurer

Multi-party Computation

On Adaptively Secure Multiparty Computation with a Short CRS . . . . . 129
Ran Cohen and Chris Peikert

Linear Overhead Optimally-Resilient Robust MPC Using Preprocessing . . . . . 147
Ashish Choudhury, Emmanuela Orsini, Arpita Patra, and Nigel P. Smart

High-Precision Secure Computation of Satellite Collision Probabilities . . . . . 169
Brett Hemenway, Steve Lu, Rafail Ostrovsky, and William Welser IV

Zero-Knowledge Proofs

Zero-Knowledge Made Easy so It Won’t Make You Dizzy (A Tale of Transaction Put in Verse About an Illicit Kind of Commerce) . . . . . 191
Trotta Gnam

Fiat–Shamir for Highly Sound Protocols Is Instantiable . . . . . 198
Arno Mittelbach and Daniele Venturi

Verifiable Zero-Knowledge Order Queries and Updates for Fully Dynamic Lists and Trees . . . . . 216
Esha Ghosh, Michael T. Goodrich, Olga Ohrimenko, and Roberto Tamassia

On the Implausibility of Constant-Round Public-Coin Zero-Knowledge Proofs . . . . . 237
Yi Deng, Juan Garay, San Ling, Huaxiong Wang, and Moti Yung

Efficient Protocols

Improving Practical UC-Secure Commitments Based on the DDH Assumption . . . . . 257
Eiichiro Fujisaki

The Whole is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based AKEs . . . . . 273
Rafael del Pino, Vadim Lyubashevsky, and David Pointcheval

Efficient Asynchronous Accumulators for Distributed PKI . . . . . 292
Leonid Reyzin and Sophia Yakoubov

Outsourcing Computation

The Feasibility of Outsourced Database Search in the Plain Model . . . . . 313
Carmit Hazay and Hila Zarosim

Verifiable Pattern Matching on Outsourced Texts . . . . . 333
Dario Catalano, Mario Di Raimondo, and Simone Faro

Digital Signatures

Virtual Smart Cards: How to Sign with a Password and a Server . . . . . 353
Jan Camenisch, Anja Lehmann, Gregory Neven, and Kai Samelin

Signatures Resilient to Uninvertible Leakage . . . . . 372
Yuyu Wang, Takahiro Matsuda, Goichiro Hanaoka, and Keisuke Tanaka

Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions . . . . . 391
Georg Fuchsbauer, Christian Hanser, Chethan Kamath, and Daniel Slamanig

Cryptanalysis

How (Not) to Instantiate Ring-LWE . . . . . 411
Chris Peikert

Pen and Paper Arguments for SIMON and SIMON-like Designs . . . . . 431
Christof Beierle

Two-party Computation

Bounded Size-Hiding Private Set Intersection . . . . . 449
Tatiana Bradley, Sky Faber, and Gene Tsudik

On Garbling Schemes with and Without Privacy . . . . . 468
Carsten Baum

What Security Can We Achieve Within 4 Rounds? . . . . . 486
Carmit Hazay and Muthuramakrishnan Venkitasubramaniam

Secret Sharing

Secret Sharing Schemes for Dense Forbidden Graphs . . . . . 509
Amos Beimel, Oriol Farràs, and Naty Peter

Proactive Secret Sharing with a Dishonest Majority . . . . . 529
Shlomi Dolev, Karim ElDefrawy, Joshua Lampkins, Rafail Ostrovsky, and Moti Yung

Obfuscation

Shorter Circuit Obfuscation in Challenging Security Models . . . . . 551
Zvika Brakerski and Or Dagmi

Bounded KDM Security from iO and OWF . . . . . 571
Antonio Marcedone, Rafael Pass, and Abhi Shelat

A Unified Approach to Idealized Model Separations via Indistinguishability Obfuscation . . . . . 587
Matthew D. Green, Jonathan Katz, Alex J. Malozemoff, and Hong-Sheng Zhou

Author Index . . . . . 605


Encryption



A Tag Based Encoding:
An Efficient Encoding for Predicate Encryption
in Prime Order Groups
Jongkil Kim¹(B), Willy Susilo¹, Fuchun Guo¹, and Man Ho Au²

¹ Centre of Computer and Information Security Research, School of Computing and Information Technology, University of Wollongong, Wollongong, Australia
{jk057,wsusilo,fuchun}@uow.edu.au
² The Hong Kong Polytechnic University, Hung Hom, Hong Kong


Abstract. We introduce a tag based encoding, a new generic framework for the modular design of Predicate Encryption (PE) schemes in prime order groups. Our framework is equipped with a compiler which is adaptively secure in prime order groups under the standard Decisional Linear Assumption (DLIN). Compared with prior encoding frameworks in prime order groups, which require multiple group elements to interpret a tuple of an encoding in a real scheme, our framework has the distinctive feature that each element of an encoding can be represented with only one group element and one integer. This difference allows us to construct a more efficient encryption scheme. In the current literature, the most efficient compiler was proposed by Chen, Gay and Wee (CGW) at Eurocrypt’15. It maps one tuple of an encoding into two group elements under the Symmetric External Diffie-Hellman assumption (SXDH). Compared with their compiler, our encoding construction reduces the size of either private keys or ciphertexts by up to 25% and reduces decryption time and the size of the public key by up to 50% at the 128-bit security level. Several new schemes, such as inner product encryption with short keys, dual spatial encryption with short keys and hierarchical identity based encryption with short ciphertexts, are also introduced as instances of our encoding.

Keywords: Encodings · Prime order groups · Inner product encryption · Spatial encryption · Predicate encryption

1 Introduction

Predicate Encryption (PE) is a public key cryptographic system supporting fine-grained access control. PE schemes have been proposed to support various types of predicates, but many of them share similar features in their constructions and security proofs. Two independent works [2,30] were presented after observing the common structure shared by PE schemes. They formalized common features of PE schemes in composite order groups by encoding the predicate parts of the schemes. Those encoding frameworks provide a new direction for proving security, since one can show the security of a PE scheme by proving only that an encoding satisfies the syntax required by the framework. Therefore, the encoding frameworks provide new insight into the properties that lead to adaptive security.

© Springer International Publishing Switzerland 2016
V. Zikas and R. De Prisco (Eds.): SCN 2016, LNCS 9841, pp. 3–22, 2016.
DOI: 10.1007/978-3-319-44618-9_1
Despite this advantage, the use of the encoding frameworks [2,30] was limited, since they were introduced only in composite order groups. It is well known that composite order groups significantly harm the efficiency of encryption systems [13,14,21]. According to Guillevic [14], to achieve a 128-bit security level, the minimum group orders for prime order and composite order bilinear groups are 256 and 2,644 bits, respectively. Moreover, a pairing computation in composite order groups is about 254 times slower than in prime order bilinear groups. Hence, constructing adaptively secure PE schemes in prime order groups is desirable to ensure that they are adoptable in practice.
Recently, Chen, Gay and Wee (CGW) presented a dual system attribute based encryption [8] which can be considered a new compiler in prime order groups for the predicate encoding [30]. They introduced compilers in prime order groups by adopting Dual System Groups (DSG) [9]. In the most efficient of their compilers, one composite order group element [30] is represented by two prime order group elements. Independently, Attrapadung [3] and Agrawal and Chase [1] also proposed other compilers in prime order groups, but they showed similar results from an efficiency perspective¹. All existing compilers show a similar behavior from an efficiency perspective. Specifically, the number of parameters and the computation of the resulting scheme in the prime order group are always bounded below by a multiplicative factor, say n, of their counterparts in the composite order groups. The best compiler achieves a factor of n = 2 under the SXDH assumption in [1,8]. Moreover, in [1,3,8] n = 3 is achieved under the DLIN assumption, which is weaker than the SXDH assumption. This appears to be the lower bound of the techniques of dual system groups with orthogonal vectors, since the size of the vectors must be at least 2 to “simulate” the properties of a composite order group. Therefore, it remains an interesting research problem to achieve PE schemes in prime order groups without using vector properties, since it may imply more efficient schemes.
1.1 Our Contribution

We introduce a tag based encoding, a new generic framework for PE schemes in prime order groups. Compared with prior encoding frameworks in prime order groups, our framework improves on the efficiency of prior encodings when the size of an encoding scheme is large. Our encoding framework does not use DPVS, DSG or composite order groups. Instead, we utilize tags to construct adaptively secure PE schemes. We observe common properties of PE schemes as other encoding frameworks do, but generalize them as a new encoding framework using tags. The generic construction of our encoding is adaptively secure under the Decisional Linear assumption.

¹ Attrapadung’s compiler [3] needs three group elements for a tuple of an encoding under the DLIN assumption. Agrawal and Chase’s compiler [1] requires two group elements under the SXDH assumption and three group elements under the DLIN assumption.

Fig. 1. Encoding frameworks for PE. (Diagram: predicates and functions, (x, y) ∈ X × Y with R : X × Y → {0, 1}, are mapped to the encodings kE(x, ·) and cE(y, ·); the compiler turns these into the Setup, KeyGen, Encryption and Decryption algorithms of a PE scheme such as IBE, HIBE or IPE.)

Table 1. An efficiency comparison between our and CGW’s compilers [8].

In group elements:
CGW [8], SXDH: PK (2ℓ+3)|G1| + |GT|; SK 2(mk+1)|G2|; CT 2(mc+1)|G1| + |GT|
CGW [8], DLIN: PK (6ℓ+8)|G1| + 2|GT|; SK 3(mk+1)|G2|; CT 3(mc+1)|G1| + |GT|
Ours, DLIN: PK (ℓ+11)|G1| + |GT|; SK (mk+7)|G2| + mk|Zp|; CT (mc+8)|G1| + mc|Zp| + |GT|

In bits, with decryption cost:
CGW [8], SXDH: PK 3840 + 512ℓ; SK 1024 + 1024mk; CT 3584 + 512mc; Decryption 4P + 2ℓE
CGW [8], DLIN: PK 8192 + 1536ℓ; SK 1536 + 1536mk; CT 3840 + 768mc; Decryption 6P + 3ℓE
Ours, DLIN: PK 5888 + 256ℓ; SK 3584 + 768mk; CT 5120 + 512mc; Decryption 8P + ℓE

ℓ: the predicate size (the size of the common values in an encoding); mk and mc: the sizes of the encoding schemes used for keys and ciphertexts. For the 128-bit security level [14], we use |G1| = |Zp| = 256 bits, |G2| = 512 bits, |GT| = 3072 bits.
Tag Based Encoding. We introduce a tag based encoding. For a predicate R with input domains X and Y, R : X × Y → {0, 1}, a tag based encoding for R comprises two algorithms, namely kE and cE, together with a field Zp, where p is a prime number, and a value ℓ allocated for each function R, such as the size of the predicate vectors for Inner Product Encryption. We let kE(x, h) and cE(y, h) denote the outputs of kE taking as inputs x ∈ X and h ∈ Zp^ℓ, and of cE taking as inputs y ∈ Y and h ∈ Zp^ℓ, respectively. The tag based encoding must satisfy three essential properties, namely Reconstruction, Linearity and h-hiding. Instances of our encoding are interpreted as PE schemes via our constructions. These constructions are often called compilers, since they compile encodings to form PE schemes (Fig. 1).
An Improved Efficiency. Prior to our work, the most efficient compiler in prime order groups was proposed by Chen et al. [8], which is subsequently referred to as CGW in this work. The compiler was proposed for the predicate encoding [30]. Multiple compilers under the generalized k-linear assumption [12] were also included in the CGW framework. The number of group elements that a compiler in the CGW framework uses to represent a tuple of an encoding (e.g. kE and cE) depends on the computational assumption on which the compiler is based. More concretely, each tuple of an encoding scheme is represented by k + 1 group elements in private keys and ciphertexts. Also, k(k + 1) elements are required for each coordinate of h in public keys, where h is the shared input of kE and cE. The most efficient compiler is under the SXDH assumption (i.e. when k is equal to 1). Two group elements are used for a tuple of an encoding in this compiler. Other encoding frameworks [1,3] were also proposed independently, but they are similar to the CGW framework from the efficiency perspective. Hence, without loss of generality, we compare our compiler with the CGW compiler to highlight our contribution.
In our compiler, only one group element is required for each entry of h in public keys. Hence, if the size of h is large, our compiler reduces the size of the public key by 50% compared with the CGW compiler. Also, it reduces decryption time by 50% under the same condition. For the other parameters, namely private keys and ciphertexts, our compiler needs one group element and one integer for one tuple of an encoding scheme. The size of the integer in our compiler is the same as the group order of the underlying bilinear group. In other words, it is as small as the size of a group element of G1, but much less than that of G2, due to the embedding degree of asymmetric bilinear maps. Thus, our compiler reduces the size of either private keys or ciphertexts, depending on which of them uses G2. For example, at the 128-bit security level, G2 requires at least 512 bits, which is twice the size of Zp [14]. This means that only 768 bits are required to represent a tuple in our compiler. This outperforms CGW’s approach, which requires 1024 bits for a tuple. Therefore, our compiler saves 25% in the size of private keys or ciphertexts compared to their compiler under the SXDH assumption when the size of an encoding is large.
Moreover, the CGW framework is also realized under the weaker assumption, namely the DLIN assumption, which allows a comparison with ours². It should be noted that in this setting, 6 group elements per entry of h are required in public keys for their compiler. This implies that our compiler outperforms their compiler in this setting as well. More concretely, under the same assumption at the 128-bit security level, our compiler saves 83% in a public key, 50% in private keys, 33% in ciphertexts and 66% in decryption time if the size of the encodings and their shared input is large. We provide Table 1 for the details. To compare the efficiency in practice, we compare our inner product encryption with short keys and our public attribute inner product encryption to those of other encodings. The instance of Public Attribute Inner Product Encryption (PAIPE), which is taken from [4], is introduced in the full version of this paper. It should be noted that the encodings for our IPE schemes are slightly different from those of CGW [8] and Wee [30]. Our instances require one or two fewer elements.

² The DLIN assumption with asymmetric bilinear maps can be stated in various forms, since it was extended from the DLIN assumption originally formulated for symmetric pairings. The DLIN assumption of the CGW compiler is slightly different from our assumption. In particular, it has two fewer group elements in G2.
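The percentages above follow from the element counts in Table 1. As an added example (not code from the paper), the following Python model encodes those counts at the paper's 128-bit parameters and checks both the asymptotic savings and the crossover parameter sizes at which the tag based compiler actually becomes smaller; the function and field names are this example's own.

```python
"""Parameter-size model for the compiler comparison in Table 1 of Kim et al.

Added example, not the paper's code. It encodes the group-element counts of
the three compilers at the paper's 128-bit parameters and computes the sizes,
savings and crossover points that Sect. 1.1 states in words.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Element sizes in bits at the 128-bit security level, as used in Table 1 [14].
G1_BITS, G2_BITS, GT_BITS, ZP_BITS = 256, 512, 3072, 256


@dataclass(frozen=True)
class Cost:
    pk: int        # public key, bits
    sk: int        # private key, bits
    ct: int        # ciphertext, bits
    pairings: int  # pairings per decryption (P in Table 1)
    exps: int      # exponentiations per decryption (E in Table 1)


Compiler = Callable[[int, int, int], Cost]


def cgw_sxdh(ell: int, mk: int, mc: int) -> Cost:
    """CGW compiler under SXDH: a tuple of an encoding costs 2 group elements."""
    return Cost(pk=(2 * ell + 3) * G1_BITS + GT_BITS,
                sk=2 * (mk + 1) * G2_BITS,
                ct=2 * (mc + 1) * G1_BITS + GT_BITS,
                pairings=4, exps=2 * ell)


def cgw_dlin(ell: int, mk: int, mc: int) -> Cost:
    """CGW compiler under DLIN: a tuple costs 3 group elements."""
    return Cost(pk=(6 * ell + 8) * G1_BITS + 2 * GT_BITS,
                sk=3 * (mk + 1) * G2_BITS,
                ct=3 * (mc + 1) * G1_BITS + GT_BITS,
                pairings=6, exps=3 * ell)


def tag_based_dlin(ell: int, mk: int, mc: int) -> Cost:
    """Tag based compiler under DLIN: a tuple costs 1 group element + 1 tag in Zp."""
    return Cost(pk=(ell + 11) * G1_BITS + GT_BITS,
                sk=(mk + 7) * G2_BITS + mk * ZP_BITS,
                ct=(mc + 8) * G1_BITS + mc * ZP_BITS + GT_BITS,
                pairings=8, exps=ell)


def saving(ours: int, theirs: int) -> float:
    """Fraction of 'theirs' that 'ours' saves; negative when ours is larger."""
    return 1.0 - ours / theirs


def asymptotic_savings(ours: Compiler, theirs: Compiler, n: int = 10**6) -> Dict[str, float]:
    """Savings when ell = mk = mc = n is large, rounded to two decimals.

    The constant terms (|GT| and the fixed elements) become negligible, which
    is the regime in which the paper states its percentages.
    """
    o, t = ours(n, n, n), theirs(n, n, n)
    return {
        "pk": round(saving(o.pk, t.pk), 2),
        "sk": round(saving(o.sk, t.sk), 2),
        "ct": round(saving(o.ct, t.ct), 2),
        "dec_exps": round(saving(o.exps, t.exps), 2),
    }


def crossover(field: str, ours: Compiler, theirs: Compiler, limit: int = 10_000) -> Optional[int]:
    """Smallest n = ell = mk = mc at which 'ours' is strictly smaller in `field`.

    Makes the paper's caveat concrete: the savings hold once the encoding is
    large, because for small parameters the tag based compiler's fixed
    overhead (the +11 and +7/+8 constant elements) dominates.
    """
    for n in range(1, limit + 1):
        if getattr(ours(n, n, n), field) < getattr(theirs(n, n, n), field):
            return n
    return None


if __name__ == "__main__":
    print("vs CGW/SXDH:", asymptotic_savings(tag_based_dlin, cgw_sxdh))
    print("vs CGW/DLIN:", asymptotic_savings(tag_based_dlin, cgw_dlin))
    print("PK crossover vs CGW/SXDH at ell =", crossover("pk", tag_based_dlin, cgw_sxdh))
    print("SK crossover vs CGW/SXDH at mk =", crossover("sk", tag_based_dlin, cgw_sxdh))
```

Against CGW/SXDH the ciphertext term comes out slightly larger rather than smaller, which is why the paper claims a saving in private keys or ciphertexts, not both.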



Table 2. Efficiency comparison of inner product encryption (IPE) between encodings.

Wee [30], SDs: PK ℓ|GN| + |GN,T|; SK 2|GN|; CT (ℓ+1)|GN| + |GN,T|; Decryption 2P + ℓE
CGW [8], SXDH: PK (2ℓ+4)|G1| + |GT|; SK 4|G2|; CT 2(ℓ+1)|G1| + |GT|; Decryption 4P + 2ℓE
CGW [8], DLIN: PK (6ℓ+8)|G1| + 2|GT|; SK 6|G2|; CT 3(ℓ+1)|G1| + |GT|; Decryption 6P + 3ℓE
Ours, DLIN: PK (11+ℓ)|G1| + |GT|; SK 8|G2| + |Zp|; CT (7+ℓ)|G1| + (ℓ−1)|Zp| + |GT|; Decryption 8P + ℓE

ℓ: the size of a predicate vector (the length of the common parameter in the encoding); P: pairing computation; E: exponentiation over a group element; GN and GN,T: group elements of composite order N; G1, G2 and GT: group elements of order p of e : G1 × G2 → GT.

Table 3. Efficiency comparison of public attribute IPE between encodings.

CGW [8], SXDH: PK (2ℓ+4)|G1| + |GT|; SK (2ℓ+4)|G2|; CT 4|G1| + |GT|; Decryption 4P + 2ℓE
CGW [8], DLIN: PK (6ℓ+8)|G1| + 2|GT|; SK (3ℓ+6)|G2|; CT 6|G1| + |GT|; Decryption 6P + 3ℓE
Ours, AL [4], DLIN: PK (11+ℓ)|G1| + |GT|; SK (6+ℓ)|G2| + (ℓ−1)|Zp|; CT 9|G1| + |Zp| + |GT|; Decryption 8P + ℓE

ℓ: the size of a predicate vector (the length of the common parameter in the encoding); P: pairing computation; E: exponentiation over a group element; G1, G2 and GT: group elements of order p of e : G1 × G2 → GT.

A Compiler with Symmetric Bilinear Maps. We also provide a new compiler with symmetric bilinear maps in the full version of this paper. Prior to our work, with symmetric bilinear maps, all encodings [2,8,30] were secure only in composite order groups. This is because all prior encodings [1,3,8] in prime order groups are based on dual system groups [9], which require asymmetric pairings in order to give the left-hand and right-hand groups of the pairing different properties. To the best of our knowledge, our construction is the only compiler that provides adaptive security for encodings with symmetric pairings in prime order groups. This gives our framework additional flexibility when the encryption scheme must be implemented under a specific requirement on the pairing type (Tables 2 and 3).
New Schemes. We introduce a number of new schemes as instances, namely Inner Product Encryption with short keys, Dual Spatial Encryption with short keys and Hierarchical Identity Based Encryption with short ciphertexts. In particular, dual spatial encryption is a new primitive: it is the symmetric conversion of spatial encryption [15], in which an affine space and an affine vector are used to generate ciphertexts and keys, respectively. Moreover, in the full version of this paper, we describe a number of existing schemes as encodings, such as IBE [29], (Public Attribute) Inner Product Encryption [4], Spatial Encryption and Doubly Spatial Encryption [7], to show the versatility of our framework.
1.2 Our Technique

Our encoding framework generalizes Waters' dual system encryption methodology [29], which is widely used to analyze PE schemes.

8

J. Kim et al.

In Waters' dual system encryption, private keys and ciphertexts are changed into auxiliary types, namely semi-functional keys and semi-functional ciphertexts, in the security analysis. After converting all keys and the challenge ciphertext to the semi-functional type, proving security becomes much easier, since semi-functional keys cannot decrypt semi-functional ciphertexts. Prior encodings [2,30] in composite order groups and their compilers [1,3,8] in prime order groups also generalized and utilized the dual system encryption methodology. The most distinctive feature of our encoding compared to theirs is our compiler. Our compiler is a tag based compiler, constructed by utilizing and extending Waters' IBE [29]. Therefore, our compiler is adaptively secure in prime order groups under the standard DLIN assumption (the same assumption as Waters' IBE).
The critical part of dual system encryption is proving semi-functional key invariance. In this proof, it is shown that a normal key and a semi-functional key are indistinguishable when the challenge ciphertext is already fixed as semi-functional. In this step the key changes from a valid key into an invalid key against the challenge ciphertext, since the semi-functional challenge ciphertext can be decrypted only by a normal key. In Waters' IBE, tags are used to hide the type of the challenge key not only from the adversary but also from the simulator. The simulator could try to distinguish the type of the challenge key by generating a valid semi-functional ciphertext that decrypts only if the key is normal. This trial must be prevented in the analysis, and the tags play the key role in restricting it. In Waters' IBE, the tags in the challenge key and the challenge ciphertext are forced to share the same values: they become h1 · ID_key + h2 and h1 · ID_ct + h2, where h1 and h2 are values that are initially information-theoretically hidden from the adversary. Therefore, if the simulator generates a ciphertext to test the challenge key, it can only simulate the challenge key with the same tag as the ciphertext, so self-decryption cannot be used to distinguish the challenge key, because decryption requires two distinct tags. At the same time, since the values of h1 and h2 are hidden from the adversary, the correlation between the tags in the challenge ciphertext and the challenge key is also hidden, since the two tags are pairwise independent. In other words, the tags appear uniformly random to the adversary.
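The tag argument above, as an added worked illustration that is not part of the paper: Waters' IBE tags tag_k = h1 · ID_key + h2 and tag_c = h1 · ID_ct + h2 are affine in the identity with a shared secret slope h1 and offset h2. Over a toy prime p = 101 (a constructed parameter; real pairing groups have roughly 256-bit order) the script enumerates every (h1, h2) and checks the two facts the proof relies on: for ID_key ≠ ID_ct the pair (tag_k, tag_c) is exactly uniform on Z_p × Z_p (pairwise independence), so the adversary learns nothing about the correlation; and for ID_key = ID_ct the tags always collide, so the 1/(tag_c − tag_k) factor that decryption needs does not exist, which is what defeats the simulator's self-test. The function and variable names are the example's own.

```python
"""Pairwise independence of Waters-style tags over a small prime field.

Added illustration, not code from the paper. tag_k = h1*ID_k + h2 and
tag_c = h1*ID_c + h2 (mod p) share the hidden randomness (h1, h2).
"""
from collections import Counter

P = 101  # constructed toy prime; a real pairing group order is ~2^255


def tag(h1: int, h2: int, identity: int, p: int = P) -> int:
    """Waters-style tag: affine in the identity, with secret slope h1 and offset h2."""
    return (h1 * identity + h2) % p


def tag_pair_distribution(id_key: int, id_ct: int, p: int = P) -> Counter:
    """Distribution of (tag_k, tag_c) as (h1, h2) ranges over all of Z_p x Z_p."""
    return Counter(
        (tag(h1, h2, id_key, p), tag(h1, h2, id_ct, p))
        for h1 in range(p)
        for h2 in range(p)
    )


def is_pairwise_independent(id_key: int, id_ct: int, p: int = P) -> bool:
    """True iff every pair in Z_p x Z_p occurs exactly once, i.e. (tag_k, tag_c) is uniform.

    The map (h1, h2) -> (tag_k, tag_c) is linear with determinant id_key - id_ct,
    so it is a bijection exactly when the identities differ.
    """
    dist = tag_pair_distribution(id_key, id_ct, p)
    return len(dist) == p * p and set(dist.values()) == {1}


def tags_always_equal(id_key: int, id_ct: int, p: int = P) -> bool:
    """True iff tag_k == tag_c for every choice of (h1, h2): the simulator's self-test case."""
    return all(tk == tc for (tk, tc) in tag_pair_distribution(id_key, id_ct, p))


def decryption_exponent(tag_k: int, tag_c: int, p: int = P):
    """The 1/(tag_c - tag_k) mod p factor Waters' decryption needs; None when the tags collide."""
    d = (tag_c - tag_k) % p
    return None if d == 0 else pow(d, -1, p)


if __name__ == "__main__":
    print("distinct identities, tags uniform:", is_pairwise_independent(3, 7))
    print("same identity, tags always collide:", tags_always_equal(5, 5))
    print("exponent for colliding tags:", decryption_exponent(4, 4))
```

The same structure is what the compiler described next generalizes: the identity-specific affine map is replaced by the encodings kE and cE evaluated on shared hidden randomness, and the independence argument is what keeps that sharing invisible.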
In our framework, tags have structure. We reveal the structure of the tags, but they take random values as inputs (e.g. h1 and h2 in Waters' IBE). In more detail, in our compiler the tags are constructed by the encodings kE and cE, but with random inputs instead of public parameters. Formally, the tags in our compiler are generated as kE(x, h) and cE(y, h′), where x and y are predicates and h and h′ are random values. Therefore, our tags are not random, but they retain structure. This approach is beneficial for our encoding since it lets us describe the tags more formally, and it still works with the dual system encryption methodology. In particular, in the key invariance proof, those tags must share the same random values (i.e. h = h′). This forces the simulator's trial to fail during decryption, as in Waters' IBE system. Also, the fact that the encodings share inputs can be hidden by an independence argument such as the pairwise independence used for IBE. Requiring independence between tags may be somewhat stricter than the similar property of the previous encodings. For example, we do not know how a linear secret sharing scheme [6] can be used in our encoding, but our encoding still provides efficiency benefits for PE and is flexible enough to capture a number of PE schemes.
Duality. Another distinct feature of our encodings is that the required properties for kE and cE are identical. This is useful since, without any conversion technique or efficiency loss, one encoding scheme realizes two encryption schemes: one scheme uses kE for a key and cE for a ciphertext, and the other uses cE for a key and kE for a ciphertext. The previous encodings require a new variable, incurring an efficiency loss, for symmetric conversion [5]. We introduce several new schemes as instances of our encoding. Some of them are generated as the symmetric conversions of existing schemes (e.g. dual spatial encryption as the symmetric conversion of spatial encryption [7]).

2 Related Works

Dual system encryption [29] provides a breakthrough technique for proving the security of PE. It introduces auxiliary types of keys and ciphertexts, namely semi-functional keys and semi-functional ciphertexts, which appear only in the security proof. It then shows that a security game consisting of semi-functional keys and semi-functional ciphertexts is indistinguishable from the original security game. Since semi-functional keys cannot decrypt semi-functional ciphertexts, the security proof for the transformed game becomes much easier than that of the original game. Waters showed that dual system encryption is a powerful tool for public key encryption and signatures by introducing a number of adaptively secure encryption schemes.
Several encryption systems [4,7,11] have been introduced in prime order groups under standard assumptions. In particular, all of them share similar constructions and security proofs. Interestingly, their techniques are quite different from those of dual system groups. They are more similar to Waters' IBE [29], but provide different predicates for their own purposes. Compared with similar constructions in composite order groups [4,17,30], they are considered more efficient and secure since they are constructed in prime order groups and their security depends only on standard assumptions.
Encoding frameworks [2,30] formalize well the core properties that dual system encryption requires. The frameworks consist of a syntax and a compiler for encodings. PE schemes are written simply as encoding instances in the frameworks; the compiler is then applied to the encoding instances to produce encryption schemes. The resulting schemes are adaptively secure since the adaptive security of the compiler has already been proved using the properties defined in the syntax. Initially, these frameworks [2,30] were proposed only in composite order groups. Several techniques [13,16,18,21,28] for converting encryption systems in composite order groups to prime order groups have also been proposed. Nevertheless, the techniques in [13,16,28] are not applicable to dual system encryption since they do not hide parameters, which means that they are not applicable to encoding frameworks.

