Ciphertext-Policy ABE for $\mathsf{NC}^1$ Circuits with Constant-Size Ciphertexts from Succinct LWE
We construct a lattice-based ciphertext-policy attribute-based encryption (CP-ABE) scheme for $\mathsf{NC}^1$ access policies with constant-size ciphertexts. Let $λ$ be the security parameter. For an $\mathsf{NC}^1$ circuit of depth $d$ and size $s$ …
Authors: Jiaqi Liu, Yuanyi Zhang, Fang-Wei Fu
Abstract

We construct a lattice-based ciphertext-policy attribute-based encryption (CP-ABE) scheme for $\mathsf{NC}^1$ access policies with constant-size ciphertexts. Let $\lambda$ be the security parameter. For an $\mathsf{NC}^1$ circuit of depth $d$ and size $s$ on $\ell$-bit inputs, our scheme has public-key and ciphertext sizes $O(1)$ (independent of $d$) and secret-key size $O(\ell)$, where $O(\cdot)$ hides $\mathrm{poly}(\lambda)$ factors. As an application, we obtain a broadcast encryption scheme for $N$ users with ciphertext size $\mathrm{poly}(\lambda)$, independent of $\log N$, and key sizes $\mathrm{poly}(\lambda,\log N)$. Our construction is selectively secure in the standard model under the $\mathrm{poly}(\lambda)$-succinct LWE assumption introduced by Wee (CRYPTO 2024).

I. INTRODUCTION

In a traditional public-key encryption scheme, only a user who possesses the secret key corresponding to the public key used for encryption can decrypt the ciphertext. Attribute-based encryption (ABE) generalizes public-key encryption and realizes fine-grained access control over encrypted data. There are two types of ABE schemes: ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In a CP-ABE scheme, each secret key $\mathsf{sk}_x$ is associated with an attribute $x\in\{0,1\}^\ell$, and each ciphertext $\mathsf{ct}_f$ is associated with an access policy $f$ that specifies which attribute vectors are authorized to decrypt it. In contrast, in a KP-ABE scheme, each secret key $\mathsf{sk}_f$ is associated with an access policy $f$, and each ciphertext $\mathsf{ct}_x$ is associated with an attribute $x$. In both cases, decryption succeeds only if the attribute satisfies the access policy, i.e., $f(x)=0$; otherwise, the decryptor learns no information about the underlying plaintext. The concept of ABE was first proposed independently by Sahai and Waters [SW05] and by Goyal et al. [GPSW06].
Since then, ABE has become a fundamental cryptographic primitive, and many concrete schemes have been proposed. A large fraction of existing ABE constructions rely on assumptions over bilinear groups. However, because of known quantum attacks on bilinear-group-based assumptions, there has been substantial interest in constructing schemes from alternative assumptions. In particular, many subsequent ABE schemes base their security on the LWE assumption or its variants, which are believed to resist quantum attacks. In [AFV11, Boy13, GGH+13, BGG+14, GV15, BV16, Tsa19, AWY20, CW23], a series of KP-ABE schemes were proposed, all based on the LWE assumption. A generic transformation converts a KP-ABE scheme into a CP-ABE scheme via a universal circuit, but this transformation typically leads to significantly worse parameters. To optimize the parameters of CP-ABE schemes, Agrawal and Yamada [AY20] proposed a CP-ABE scheme for all $\mathsf{NC}^1$ circuits with ciphertext size independent of the circuit size $s$, relying on LWE and generic bilinear groups. Datta et al. [DKW21] proposed a CP-ABE scheme for all $\mathsf{NC}^1$ circuits via linear secret sharing schemes, relying on the hardness of the LWE assumption. Subsequently, many CP-ABE schemes were built on nonstandard LWE-related assumptions. Wee [Wee22] proposed a CP-ABE scheme based on the evasive LWE and tensor LWE assumptions. Hsieh et al. [HLL24] presented a CP-ABE scheme based on the (structured) evasive LWE assumption. Agrawal et al. [AKY24] proposed a CP-ABE scheme for all Turing machines based on circular evasive LWE and tensor LWE. Wee [Wee24, Wee25] presents CP-ABE schemes for all circuits based on the weaker $\mathrm{poly}(\lambda,d)$-succinct LWE assumption, with ciphertext size independent of the attribute length $\ell$.

A. Our results

(Jiaqi Liu, Yuanyi Zhang and Fang-Wei Fu are with the Chern Institute of Mathematics and LPMC, Nankai University, Tianjin 300071, P. R. China. Emails: ljqi@mail.nankai.edu.cn, yuanyiz@mail.nankai.edu.cn, fwfu@nankai.edu.cn.)

We list our results below:

1. In this work, we present a CP-ABE scheme for access policies represented by $\mathsf{NC}^1$ circuits. For circuits on $\ell$-bit inputs with depth $d$ and size $s$ (hence $s=\mathrm{poly}(\ell)$ and $d=\log(\ell)$), where $s,d,\ell$ are fixed at setup, we construct a CP-ABE scheme with parameters
$$|\mathsf{pk}|=O(s),\qquad |\mathsf{sk}|=O(\ell),\qquad |\mathsf{ct}|=O(1),$$
where $O(\cdot)$ hides $\mathrm{poly}(\lambda)$ factors. The scheme is selectively secure against unbounded collusions. Security relies on the $\mathrm{poly}(\lambda)$-succinct LWE assumption with sub-exponential modulus-to-noise ratio.
• The scheme we construct is a succinct CP-ABE: the ciphertext size depends only on the security parameter $\lambda$ and is independent of the size $s$, the input length $\ell$, and the depth $d$, which is asymptotically optimal up to $\mathrm{poly}(\lambda)$ factors.
• The size of the public parameters scales with the circuit size $s$. Although this is not competitive with previous schemes (many have public-key size $O(\ell)$, e.g., [BV22, Wee22, HLL24]), we observe that all elements of the public parameters are sampled uniformly except for the public parameters of the succinct LWE instance (i.e., $\mathsf{pp}=(\mathbf{B},\mathbf{W},\mathbf{T})$), which have size $\mathrm{poly}(\lambda)$. We can therefore generate the purely uniform part with a pseudorandom generator instead, compressing the public parameters to size $O(1)$.
• The bound on the size of $\mathsf{sk}$ is not tight: it depends on the number of attributes associated with the secret key rather than strictly on $\ell$. In scenarios where a user possesses only $O(1)$ attributes, the secret-key size can be reduced to $O(1)$.

2. CP-ABE for $\mathsf{NC}^1$ circuits gives broadcast encryption for $N=\ell$ users as a special case. In broadcast encryption, we can use a circuit of size $O(N\log N)$ and depth $O(\log N)$ to check the membership of the users. We obtain a broadcast encryption scheme for $N$ users with parameters
$$|\mathsf{pk}|=N\cdot\mathrm{poly}(\lambda,\log N),\qquad |\mathsf{sk}|=\mathrm{poly}(\lambda,\log N),\qquad |\mathsf{ct}|=\mathrm{poly}(\lambda).$$
By using a pseudorandom generator to compress the public parameters, we can reduce $|\mathsf{pk}|$ to $\mathrm{poly}(\lambda)$. Since $|\mathsf{pk}|+|\mathsf{ct}|+|\mathsf{sk}|=\mathrm{poly}(\lambda,\log N)$, we obtain an optimal broadcast encryption scheme (under the $\mathrm{poly}(\lambda)$-succinct LWE assumption).

3. In the proof of selective security of our construction, we use the trapdoor $\mathbf{T}$ for $[\mathbf{I}_\ell\otimes\mathbf{B}\mid\mathbf{W}]$ from the $\ell$-succinct LWE assumption to generate trapdoors for matrices of the form $[\mathbf{I}_{\ell'}\otimes\mathbf{B}\mid\mathbf{W}']$, where $\mathbf{W}'$ is statistically close to uniform.

B. Related Works

Comparison with [Wee25]. We use the $\{0,1\}$-LSSS technique from [DKW21] and the matrix commitment scheme from [Wee25] to construct our CP-ABE scheme for $\mathsf{NC}^1$ and obtain an optimal broadcast encryption scheme. Compared with [Wee25], our scheme supports a narrower class of access policies and incurs a larger secret-key size. Nevertheless, we improve the parameters in the following respects: (1) $|\mathsf{pk}|$, $|\mathsf{sk}|$, and $|\mathsf{ct}|$ are independent of the circuit depth $d$; (2) the resulting broadcast encryption has ciphertext size $|\mathsf{ct}|$ independent of $\log N$, where $N$ is the number of users in the system; (3) during encryption, we execute only a single matrix commitment on $O(\ell)$-width inputs, rather than running a circuit commitment scheme on an $\ell$-input circuit that composes a sequence of matrix commitments.

C. Paper Organization

The paper is organized as follows. Section II provides a technical overview of our main construction and ideas.
Section III introduces the necessary notation, basic concepts of lattices, the LWE assumption, and its variants. In Section IV, we formalize the linear secret sharing scheme (LSSS) and ciphertext-policy attribute-based encryption (CP-ABE) for access structures realized by LSSS. Section V presents our construction of a CP-ABE scheme and its security analysis.

II. TECHNICAL OVERVIEW

In this section, we give a high-level overview of our construction. Throughout this section, we mark a term with a wavy underline (rendered here as a tilde) to indicate that it is perturbed by some noise. For example, $\widetilde{\mathbf{s}^\top\mathbf{A}}$ denotes the term $\mathbf{s}^\top\mathbf{A}+\mathbf{e}$ for an unspecified noise vector $\mathbf{e}$. For a discrete set $S$, we write $x\xleftarrow{\$}S$ to denote that $x$ is sampled uniformly from $S$. The notation $\mathbf{A}^{-1}(\mathbf{y})$ means sampling a short preimage $\mathbf{x}$ from a discrete Gaussian distribution such that $\mathbf{A}\mathbf{x}=\mathbf{y}$. For a positive integer $n\in\mathbb{N}$, $[n]$ denotes the set $\{k\in\mathbb{N}:1\le k\le n\}$. We use $\approx_c$ to denote computational indistinguishability. We defer the formal definitions of all notation to Section III and use it informally here for simplicity.

$\ell$-succinct LWE. The security of our construction relies on the $\ell$-succinct LWE assumption introduced by [Wee24]. More formally, let $n,q$ and $m=O(n\log q)$ be lattice parameters. First, sample $\mathbf{B}\xleftarrow{\$}\mathbb{Z}_q^{n\times m}$, $\mathbf{W}\xleftarrow{\$}\mathbb{Z}_q^{\ell n\times m}$, and a Gaussian $\mathbf{T}\in\mathbb{Z}^{(\ell+1)m\times\ell m}$ such that
$$[\mathbf{I}_\ell\otimes\mathbf{B}\mid\mathbf{W}]\cdot\mathbf{T}=\mathbf{I}_\ell\otimes\mathbf{G}.$$
The $\ell$-succinct LWE assumption asserts that
$$(\mathbf{B},\ \widetilde{\mathbf{s}^\top\mathbf{B}},\ \mathbf{W},\ \mathbf{T})\ \approx_c\ (\mathbf{B},\ \mathbf{c},\ \mathbf{W},\ \mathbf{T}),$$
where $\mathbf{s}\xleftarrow{\$}\mathbb{Z}_q^n$ and $\mathbf{c}\xleftarrow{\$}\mathbb{Z}_q^m$. Throughout the paper, we denote $\mathsf{pp}:=(\mathbf{B},\mathbf{W},\mathbf{T})$. The $\ell$-succinct LWE assumption is a falsifiable assumption implied by the evasive LWE assumption introduced in [Wee22]. As the parameter $\ell$ increases, the assumption becomes stronger. We note that the $1$-succinct LWE assumption is equivalent to the standard LWE assumption.

A. Our schemes

We begin by describing the CP-ABE scheme in [DKW21], which supports access structures realized by a linear secret sharing scheme (LSSS).

DKW21 scheme. Let $\mathcal{U}$ denote the attribute universe, let $N:=|\mathcal{U}|$, and identify $\mathcal{U}$ with the set $[N]$.
• The public key is $(\{\mathbf{A}_u\}_{u\in\mathcal{U}},\{\mathbf{Q}_u\}_{u\in\mathcal{U}},\mathbf{y})$, where $\mathbf{A}_u,\mathbf{Q}_u\xleftarrow{\$}\mathbb{Z}_q^{n\times m}$ and $\mathbf{y}\xleftarrow{\$}\mathbb{Z}_q^n$.
• The master secret key is $\{\mathrm{td}_{\mathbf{A}_u}\}_{u\in\mathcal{U}}$, where $\mathrm{td}_{\mathbf{A}_u}$ is the trapdoor for the matrix $\mathbf{A}_u$ associated with attribute $u$. This trapdoor allows efficient sampling of short preimages for $\mathbf{A}_u$.
• Given an attribute set $U\subseteq\mathcal{U}$, the secret key associated with $U$ is sampled as follows. Sample $\hat{\mathbf{t}}\leftarrow\chi^{m-1}$, where $\chi$ is some error distribution, set $\mathbf{t}=(1,\hat{\mathbf{t}}^\top)^\top$, and sample $\mathbf{k}_u\leftarrow\mathbf{A}_u^{-1}(-\mathbf{Q}_u\mathbf{t})$. The secret key is $(\{\mathbf{k}_u\}_{u\in U},\mathbf{t})$.
• To encrypt a message $\mathsf{msg}\in\{0,1\}$ under the access structure determined by the matrix $\mathbf{M}\in\{-1,0,1\}^{\ell\times s_{\max}}$, assume that $\rho$ is an injective function mapping the row indices of $\mathbf{M}$ to attributes. First sample $\mathbf{s}\xleftarrow{\$}\mathbb{Z}_q^n$ and $\mathbf{v}_2,\dots,\mathbf{v}_{s_{\max}}\in\mathbb{Z}_q^m$. The ciphertext components are
$$\mathbf{c}_{1,i}^\top=\widetilde{\mathbf{s}^\top\mathbf{A}_{\rho(i)}},\qquad
\mathbf{c}_{2,i}^\top=M_{i,1}(\mathbf{s}^\top\mathbf{y},\underbrace{0,\dots,0}_{m-1})+\sum_{j\in\{2,\dots,s_{\max}\}}M_{i,j}\mathbf{v}_j^\top+\widetilde{\mathbf{s}^\top\mathbf{Q}_{\rho(i)}},\qquad
c_3=\widetilde{\mathbf{s}^\top\mathbf{y}}+\mathsf{msg}\cdot\lceil q/2\rfloor.$$
The ciphertext is $(\{\mathbf{c}_{1,i}\}_{i\in[\ell]},\{\mathbf{c}_{2,i}\}_{i\in[\ell]},c_3)$.
• Suppose that the secret key is associated with an authorized attribute set. Let $I$ be the set of row indices of $\mathbf{M}$ corresponding to the attributes associated with the secret key, and let $\{w_i\}_{i\in I}\in\{0,1\}$ be the reconstruction coefficients of the LSSS with respect to $\mathbf{M}$. The decryption algorithm computes
$$\begin{aligned}
\sum_{i\in I}w_i\big(\mathbf{c}_{1,i}^\top\mathbf{k}_{\rho(i)}+\mathbf{c}_{2,i}^\top\mathbf{t}\big)
&\approx\sum_{i\in I}w_i\,\mathbf{s}^\top\mathbf{A}_{\rho(i)}\mathbf{k}_{\rho(i)}+\sum_{i\in I}w_iM_{i,1}(\mathbf{s}^\top\mathbf{y},0,\dots,0)\,\mathbf{t}+\sum_{i\in I,\,j\in\{2,\dots,s_{\max}\}}w_iM_{i,j}\mathbf{v}_j^\top\mathbf{t}+\sum_{i\in I}w_i\,\mathbf{s}^\top\mathbf{Q}_{\rho(i)}\mathbf{t}\\
&=\sum_{i\in I}w_iM_{i,1}\,\mathbf{s}^\top\mathbf{y}+\sum_{i\in I,\,j\in\{2,\dots,s_{\max}\}}w_iM_{i,j}\mathbf{v}_j^\top\mathbf{t},
\end{aligned}$$
where the first and last sums cancel because $\mathbf{A}_{\rho(i)}\mathbf{k}_{\rho(i)}=-\mathbf{Q}_{\rho(i)}\mathbf{t}$, and the first entry of $\mathbf{t}$ is $1$. Since the reconstruction coefficients satisfy $\sum_{i\in I}w_iM_{i,1}=1$ and $\sum_{i\in I}w_iM_{i,j}=0$ for $j\in\{2,\dots,s_{\max}\}$, we get $\sum_{i\in I}w_i(\mathbf{c}_{1,i}^\top\mathbf{k}_{\rho(i)}+\mathbf{c}_{2,i}^\top\mathbf{t})\approx\mathbf{s}^\top\mathbf{y}$, and we recover $\mathsf{msg}$ by subtracting it from $c_3$ and decoding.

From the description above, the ciphertext size scales with $\ell$, the number of rows of $\mathbf{M}$. We want the ciphertext size to be independent of $\ell$, and we use the matrix commitment technique of [Wee25] to compress the ciphertext. Precisely, we replace the matrices $\{\mathbf{A}_u\}_{u\in\mathcal{U}}\xleftarrow{\$}\mathbb{Z}_q^{n\times m}$ with a single matrix $\mathbf{B}\xleftarrow{\$}\mathbb{Z}_q^{n\times m}$ of the same size. Instead of generating $\mathbf{v}_2,\dots,\mathbf{v}_{s_{\max}}\xleftarrow{\$}\mathbb{Z}_q^m$, we select uniformly random matrices $\mathbf{B}_2,\dots,\mathbf{B}_{s_{\max}}\xleftarrow{\$}\mathbb{Z}_q^{n\times m}$. We modify the second ciphertext component to
$$\mathbf{c}'_{2,i}=M_{i,1}(\mathbf{s}^\top\mathbf{y},0,\dots,0)+\sum_{j\in\{2,\dots,s_{\max}\}}M_{i,j}\,\mathbf{s}^\top\mathbf{B}_j+\widetilde{\mathbf{s}^\top\mathbf{Q}_{\rho(i)}}$$
for our commitment purposes (with this modification, the scheme remains selectively secure in the same model). To compress $\{\mathbf{c}'_{2,i}\}_{i\in[\ell]}$, let
$$\mathbf{U}_{\rho(i)}\leftarrow M_{i,1}(\mathbf{y}\mid\mathbf{0}\mid\cdots\mid\mathbf{0})+\sum_{j\in\{2,\dots,s_{\max}\}}M_{i,j}\mathbf{B}_j+\mathbf{Q}_{\rho(i)}$$
for $i\in[\ell]$, and for $u\in[N]\setminus\rho([\ell])$ sample $\mathbf{U}_u\xleftarrow{\$}\mathbb{Z}_q^{n\times m}$. For $i\in[\ell]$, we have $\mathbf{c}'_{2,i}\approx\mathbf{s}^\top\mathbf{U}_{\rho(i)}$. We then commit to $[\mathbf{U}_1\mid\cdots\mid\mathbf{U}_N]\in\mathbb{Z}_q^{n\times mN}$ and denote the commitment matrix by $\mathbf{C}\in\mathbb{Z}_q^{n\times m}$. Roughly, the matrix $\mathbf{C}$ contains partial information about all $\mathbf{U}_u$.

Modification. With the idea above, we modify the DKW21 CP-ABE scheme as follows:
• The public key is $(\mathsf{pp},\mathbf{A},\{\mathbf{B}_i\}_{i\in[s_{\max}]},\{\mathbf{Q}_u\}_{u\in\mathcal{U}},\mathbf{y})$, where $\mathsf{pp}$ is the public parameter of the $2m^2$-succinct LWE problem, $\mathbf{A},\mathbf{B}_i,\mathbf{Q}_u\xleftarrow{\$}\mathbb{Z}_q^{n\times m}$ and $\mathbf{y}\xleftarrow{\$}\mathbb{Z}_q^n$.
• The master secret key is $\mathrm{td}_{\mathbf{B}}$.
• Given an attribute set $U\subseteq\mathcal{U}$, the secret key associated with $U$ is sampled as follows. Sample $\hat{\mathbf{t}}\leftarrow\chi^{m-1}$, where $\chi$ is some error distribution, set $\mathbf{t}=(1,\hat{\mathbf{t}}^\top)^\top$, and sample $\mathbf{k}_u\leftarrow\mathbf{B}^{-1}((\mathbf{A}\mathbf{V}_u+\mathbf{Q}_u)\mathbf{t})$, where $\mathbf{V}:=[\mathbf{V}_1\mid\cdots\mid\mathbf{V}_N]$ is the verification matrix of a commitment to a matrix of width $Nm$ (which can be computed without knowledge of the committed matrix). The secret key is $(\{\mathbf{k}_u\}_{u\in U},\mathbf{t})$.
• To encrypt a message $\mathsf{msg}\in\{0,1\}$ under the access structure determined by the matrix $\mathbf{M}\in\{-1,0,1\}^{\ell\times s_{\max}}$, assume that $\rho$ is an injective function mapping the row indices of $\mathbf{M}$ to attributes. First sample $\mathbf{s}\xleftarrow{\$}\mathbb{Z}_q^n$. The ciphertext components are
$$\mathbf{c}_1^\top=\widetilde{\mathbf{s}^\top\mathbf{B}},\qquad \mathbf{c}_2^\top=\widetilde{\mathbf{s}^\top(\mathbf{A}+\mathbf{C})},\qquad c_3=\widetilde{\mathbf{s}^\top\mathbf{y}}+\mathsf{msg}\cdot\lceil q/2\rfloor.$$
The ciphertext is $(\mathbf{c}_1,\mathbf{c}_2,c_3)$. In the second component $\mathbf{c}_2$, the commitment matrix $\mathbf{C}$ satisfies $\mathbf{C}\mathbf{V}=[\mathbf{U}_1\mid\cdots\mid\mathbf{U}_N]-\mathbf{B}\mathbf{Z}$, where for each $i\in[\ell]$,
$$\mathbf{U}_{\rho(i)}\leftarrow M_{i,1}(\mathbf{y}\mid\underbrace{\mathbf{0}\mid\cdots\mid\mathbf{0}}_{m-1})+\sum_{j\in\{2,\dots,s_{\max}\}}M_{i,j}\mathbf{B}_j+\mathbf{Q}_{\rho(i)},$$
and for $u\in[N]\setminus\rho([\ell])$, $\mathbf{U}_u\xleftarrow{\$}\mathbb{Z}_q^{n\times m}$.
• When decrypting, one first computes $\mathbf{U}_{\rho(i)}$ for all $i\in I$, where $I$ is the set of row indices related to the attributes associated with the secret key. Writing $\mathbf{V}=[\mathbf{V}_1\mid\cdots\mid\mathbf{V}_N]$ and $\mathbf{Z}=[\mathbf{Z}_1\mid\cdots\mid\mathbf{Z}_N]$, we have $\mathbf{C}\mathbf{V}_i=\mathbf{U}_i-\mathbf{B}\mathbf{Z}_i$ for all $i\in[N]$. Therefore, we can recover $\mathbf{c}'_{2,i}$ of the DKW21 scheme via
$$\mathbf{c}_2^\top\mathbf{V}_{\rho(i)}\approx\mathbf{s}^\top(\mathbf{A}+\mathbf{C})\mathbf{V}_{\rho(i)}=\mathbf{s}^\top\mathbf{A}\mathbf{V}_{\rho(i)}+\underbrace{\mathbf{s}^\top\mathbf{U}_{\rho(i)}}_{\approx\,\mathbf{c}'_{2,i}}-\underbrace{\mathbf{s}^\top\mathbf{B}\mathbf{Z}_{\rho(i)}}_{\approx\,\mathbf{c}_1^\top\mathbf{Z}_{\rho(i)}}.$$
Combining this with the reconstruction coefficients $\{w_i\}_{i\in I}$, we obtain
$$\begin{aligned}
\sum_{i\in I}w_i\big(\mathbf{c}_2^\top\mathbf{V}_{\rho(i)}+\mathbf{c}_1^\top\mathbf{Z}_{\rho(i)}\big)
&\approx\sum_{i\in I}w_i\,\mathbf{s}^\top\mathbf{A}\mathbf{V}_{\rho(i)}+\sum_{i\in I}w_i\,\mathbf{s}^\top\mathbf{U}_{\rho(i)}\\
&=\sum_{i\in I}w_i\,\mathbf{s}^\top(\mathbf{A}\mathbf{V}_{\rho(i)}+\mathbf{Q}_{\rho(i)})+\sum_{i\in I}w_iM_{i,1}\,\mathbf{s}^\top[\mathbf{y}\mid\mathbf{0}\mid\cdots\mid\mathbf{0}]+\sum_{i\in I,\,j\in\{2,\dots,s_{\max}\}}w_iM_{i,j}\,\mathbf{s}^\top\mathbf{B}_j\\
&=\sum_{i\in I}w_i\,\mathbf{s}^\top(\mathbf{A}\mathbf{V}_{\rho(i)}+\mathbf{Q}_{\rho(i)})+\mathbf{s}^\top[\mathbf{y}\mid\mathbf{0}\mid\cdots\mid\mathbf{0}].
\end{aligned}$$
Then, using the secret-key equation $\mathbf{B}\mathbf{k}_{\rho(i)}=(\mathbf{A}\mathbf{V}_{\rho(i)}+\mathbf{Q}_{\rho(i)})\mathbf{t}$, we recover the message by computing
$$c_3-\sum_{i\in I}w_i\big(\mathbf{c}_2^\top\mathbf{V}_{\rho(i)}\mathbf{t}+\mathbf{c}_1^\top\mathbf{Z}_{\rho(i)}\mathbf{t}-\mathbf{c}_1^\top\mathbf{k}_{\rho(i)}\big).$$

B. Static Security

We prove that our scheme is selectively secure under the $2m^2$-succinct LWE assumption in Section V-B. We achieve this by defining a sequence of hybrid games. The first hybrid corresponds to the real game as defined in 16, while the last hybrid is independent of the messages, so the adversary's advantage there is exactly $0$. By arguing that each adjacent pair of hybrids is indistinguishable, we conclude that the adversary wins the real game with only negligible advantage. More precisely, in the reduction we prove that the ciphertext components $\mathbf{c}_1,\mathbf{c}_2,c_3$ are pseudorandom, since they intuitively resemble LWE samples. However, in the key-query phase the challenger uses the trapdoor $\mathrm{td}_{\mathbf{B}}$ for $\mathbf{B}$ to generate the secret keys, which may leak additional information about the LWE samples. To overcome this problem, we observe that, using the matrix $\mathbf{T}$ in the public parameters of the $2m^2$-succinct LWE instance, we can construct trapdoors for matrices of the form $[\mathbf{I}_s\otimes\mathbf{B}\mid\mathbf{W}']$, where $\mathbf{W}'$ is statistically close to uniform. With this technique, the challenger can answer secret-key queries for unauthorized attribute sets with the newly generated trapdoor.
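The decryption arguments above (both the DKW21 scheme and the modified scheme) rest on the same linear-algebra fact: the rows of $\mathbf{M}$ owned by an authorized attribute set admit $\{0,1\}$ coefficients $w_i$ with $\sum_i w_i\mathbf{M}_i=(1,0,\dots,0)$, so a secret placed in the first column of the sharing vector is recovered exactly while the random columns cancel. The following Python is an added illustration written for this page, not code from the paper or from [DKW21]; it goes slightly beyond the text by building $\mathbf{M}\in\{-1,0,1\}^{\ell\times s_{\max}}$ from a monotone Boolean formula with the standard Lewko-Waters labelling, then brute-forces the $\{0,1\}$ reconstruction coefficients and checks the reconstruction over a toy modulus. The policy, the modulus `Q`, and all function names are my own choices.

```python
from itertools import product
import random

# Toy modulus for the shares; constructed for this example and far smaller than the paper's q.
Q = 2**16 + 1


def formula_to_lsss(formula):
    """Convert a monotone Boolean formula into an LSSS matrix M over {-1, 0, 1}.

    `formula` is a nested tuple ('AND', left, right) / ('OR', left, right) with
    attribute names (str) at the leaves.  Returns (rows, rho): rows[i] is row i of M
    and rho[i] is the attribute labelling that row (rho is injective here because
    each leaf gets its own row).  Lewko-Waters labelling: the root gets (1); an OR
    node passes its vector to both children; an AND node, with current counter c,
    gives one child (v | 0..0 | 1) padded to length c+1 and the other (0..0 | -1),
    then increments c.  Rows are zero-padded to the final counter value s_max.
    """
    rows, rho, counter = [], [], [1]

    def visit(node, vec):
        if isinstance(node, str):
            rows.append(list(vec))
            rho.append(node)
            return
        op, left, right = node
        if op == 'OR':
            visit(left, vec)
            visit(right, vec)
        elif op == 'AND':
            c = counter[0]
            counter[0] = c + 1
            visit(left, list(vec) + [0] * (c - len(vec)) + [1])
            visit(right, [0] * c + [-1])
        else:
            raise ValueError(f"unknown gate {op!r}")

    visit(formula, [1])
    width = counter[0]
    return [r + [0] * (width - len(r)) for r in rows], rho


def reconstruction_coefficients(rows, rho, attrs):
    """Brute-force {0,1} coefficients w_i over the rows owned by `attrs` such that
    sum_i w_i * M_i = (1, 0, ..., 0).  Returns {row_index: w_i}, or None when the
    attribute set is unauthorized.  Exponential in the number of owned rows, which
    is fine for a toy policy."""
    owned = [i for i, a in enumerate(rho) if a in attrs]
    width = len(rows[0])
    target = [1] + [0] * (width - 1)
    for w in product((0, 1), repeat=len(owned)):
        combo = [sum(w[k] * rows[i][j] for k, i in enumerate(owned)) for j in range(width)]
        if combo == target:
            return {i: w[k] for k, i in enumerate(owned)}
    return None


def share(rows, secret, rng=random):
    """share_i = M_i . (secret, r_2, ..., r_smax) mod Q.  This mirrors the
    M_{i,1} s^T y + sum_j M_{i,j} v_j part of c_{2,i}: column 1 carries the secret,
    the remaining columns carry fresh randomness that must cancel on reconstruction."""
    width = len(rows[0])
    vec = [secret % Q] + [rng.randrange(Q) for _ in range(width - 1)]
    return [sum(m * x for m, x in zip(row, vec)) % Q for row in rows]


def reconstruct(shares, coeffs):
    """sum_i w_i * share_i mod Q, which equals the secret when coeffs came from
    reconstruction_coefficients()."""
    return sum(w * shares[i] for i, w in coeffs.items()) % Q


def demo():
    """Policy A OR (B AND C): returns the value each attribute set reconstructs
    (None for unauthorized sets)."""
    policy = ('OR', 'A', ('AND', 'B', 'C'))
    rows, rho = formula_to_lsss(policy)
    secret = 4242
    shares = share(rows, secret)
    results = {}
    for attrs in ({'A'}, {'B', 'C'}, {'B'}, {'C'}):
        coeffs = reconstruction_coefficients(rows, rho, attrs)
        results[frozenset(attrs)] = None if coeffs is None else reconstruct(shares, coeffs)
    return results


if __name__ == "__main__":
    print(formula_to_lsss(('OR', 'A', ('AND', 'B', 'C'))))
    print(demo())
```

The unauthorized sets return `None` because no $\{0,1\}$ combination of their rows hits $(1,0,\dots,0)$; in the scheme this is exactly why the random $\mathbf{v}_j$ (or $\mathbf{s}^\top\mathbf{B}_j$) terms fail to cancel and the decryptor is left with a uniform-looking value instead of $\mathbf{s}^\top\mathbf{y}$.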
Since the new trapdoor is constructed efficiently from the public parameters without using $\mathrm{td}_{\mathbf{B}}$, this avoids giving the adversary additional information correlated with the LWE samples in the hybrids where the ciphertext components are replaced by uniform values. During the reduction, suppose that the adversary submits a secret-key query for the attribute set $U$. The challenger needs to sample a preimage of $(\mathbf{A}\mathbf{V}_u+\mathbf{Q}_u)\mathbf{t}$ under $\mathbf{B}$ for each $u\in U$. We first simulate the uniform matrices as
$$\mathbf{A}=\mathbf{B}\mathbf{R}-\mathbf{C},\qquad \mathbf{Q}_u=\mathbf{B}\mathbf{R}_u+M_{\rho^{-1}(u),1}(\mathbf{y}\mid\mathbf{0}\mid\cdots\mid\mathbf{0})$$
with $\mathbf{R},\mathbf{R}_u\xleftarrow{\$}\{-1,1\}^{m\times m}$ for all $u\in U$, which is justified by the leftover hash lemma under appropriate parameters. Parsing $\mathbf{B}_i$ as $[\mathbf{b}'_i\mid\mathbf{B}'_i]$ with $\mathbf{b}'_i\in\mathbb{Z}_q^n$, we have
$$\begin{aligned}
(\mathbf{A}\mathbf{V}_u+\mathbf{Q}_u)\mathbf{t}&=((\mathbf{B}\mathbf{R}-\mathbf{C})\mathbf{V}_u+\mathbf{Q}_u)\mathbf{t}=(\mathbf{B}\mathbf{R}\mathbf{V}_u-\mathbf{U}_u+\mathbf{B}\mathbf{Z}_u+\mathbf{Q}_u)\mathbf{t}\\
&=\mathbf{B}\mathbf{R}\mathbf{V}_u\mathbf{t}+\mathbf{B}\mathbf{Z}_u\mathbf{t}+\mathbf{Q}_u\mathbf{t}-M_{\rho^{-1}(u),1}(\mathbf{y}\mid\underbrace{\mathbf{0}\mid\cdots\mid\mathbf{0}}_{m-1})\mathbf{t}-\sum_{j\in\{2,\dots,s_{\max}\}}M_{\rho^{-1}(u),j}\mathbf{B}_j\mathbf{t}\\
&=\mathbf{B}(\mathbf{R}\mathbf{V}_u\mathbf{t}+\mathbf{Z}_u\mathbf{t}+\mathbf{R}_u\mathbf{t})-\sum_{j\in\{2,\dots,s_{\max}\}}M_{\rho^{-1}(u),j}\mathbf{b}'_j-\sum_{j\in\{2,\dots,s_{\max}\}}M_{\rho^{-1}(u),j}\mathbf{B}'_j\hat{\mathbf{t}}.
\end{aligned}$$
The challenger can therefore instead first sample short $\hat{\mathbf{t}}$ and $\tilde{\mathbf{k}}_u$ satisfying
$$\Big[\mathbf{B}\ \Big|\ \sum_{j\in\{2,\dots,s_{\max}\}}M_{\rho^{-1}(u),j}\mathbf{B}'_j\Big]\begin{pmatrix}\tilde{\mathbf{k}}_u\\ \hat{\mathbf{t}}\end{pmatrix}=-\sum_{j\in\{2,\dots,s_{\max}\}}M_{\rho^{-1}(u),j}\mathbf{b}'_j\qquad(1)$$
for each $u\in\rho([\ell])\cap U$. It then sets $\mathbf{k}_u\leftarrow\tilde{\mathbf{k}}_u+\mathbf{R}\mathbf{V}_u\mathbf{t}+\mathbf{Z}_u\mathbf{t}+\mathbf{R}_u\mathbf{t}$ with $\mathbf{t}=(1,\hat{\mathbf{t}}^\top)^\top$, and hence $\{\mathbf{k}_u\}$ are distributed as in the real game up to negligible statistical distance by the noise-smudging technique. By simulating $\mathbf{B}_i:=\mathbf{B}\mathbf{R}_i+\mathbf{C}_i$ with $\mathbf{R}_i\xleftarrow{\$}\{-1,1\}^{m\times m}$ and $\mathbf{C}_i$ the commitment matrix of some matrix of a specific form, we can use $\mathbf{T}$ to generate a trapdoor $\mathrm{td}'$ for the matrix
$$\left[\mathbf{I}_{s_{\max}-1}\otimes\mathbf{B}\ \middle|\ \begin{matrix}\mathbf{B}'_2\\ \vdots\\ \mathbf{B}'_{s_{\max}}\end{matrix}\right].\qquad(2)$$
Moreover, we can prove that as long as $U$ is unauthorized to decrypt the ciphertext, $\mathrm{td}'$ can be used to generate a trapdoor for the linear combination of the row blocks of (2), i.e.,
$$(\mathbf{M}_U\otimes\mathbf{I}_n)\left[\mathbf{I}_{s_{\max}-1}\otimes\mathbf{B}\ \middle|\ \begin{matrix}\mathbf{B}'_2\\ \vdots\\ \mathbf{B}'_{s_{\max}}\end{matrix}\right],$$
where $\mathbf{M}_U$ consists of the row vectors of $\mathbf{M}$ corresponding to the attributes in $U$. Therefore, the challenger can sample $\{\tilde{\mathbf{k}}_u\}_{u\in U}$ in (1) without using $\mathrm{td}_{\mathbf{B}}$. For details, see Section V-B.

III. PRELIMINARIES

Notation. Let $\lambda\in\mathbb{N}$ denote the security parameter used throughout this paper. For a positive integer $n\in\mathbb{N}$, $[n]$ denotes the set $\{k\in\mathbb{N}:1\le k\le n\}$. For a positive integer $q\in\mathbb{N}$, $\mathbb{Z}_q$ denotes the ring of integers modulo $q$. Throughout this paper, vectors are column vectors by default. We use bold lower-case letters (e.g., $\mathbf{u},\mathbf{v}$) for vectors and bold upper-case letters (e.g., $\mathbf{A},\mathbf{B}$) for matrices. Let $\mathbf{v}[i]$ denote the $i$-th entry of the vector $\mathbf{v}$, and $\mathbf{U}[i,j]$ the $(i,j)$-entry of the matrix $\mathbf{U}$. We write $\mathbf{0}_n$ for the all-zero vector of length $n$ and $\mathbf{0}_{n\times m}$ for the all-zero matrix of dimension $n\times m$. The infinity norm of a vector $\mathbf{v}$ and the corresponding norm of a matrix $\mathbf{U}$ are
$$\|\mathbf{v}\|=\max_i|\mathbf{v}[i]|,\qquad \|\mathbf{U}\|=\max_{i,j}|\mathbf{U}[i,j]|.$$
For two matrices $\mathbf{A},\mathbf{B}$ of dimensions $n_1\times m_1$ and $n_2\times m_2$, respectively, their Kronecker product is the $n_1n_2\times m_1m_2$ matrix
$$\mathbf{A}\otimes\mathbf{B}=\begin{bmatrix}\mathbf{A}[1,1]\mathbf{B}&\cdots&\mathbf{A}[1,m_1]\mathbf{B}\\ \vdots&\ddots&\vdots\\ \mathbf{A}[n_1,1]\mathbf{B}&\cdots&\mathbf{A}[n_1,m_1]\mathbf{B}\end{bmatrix}.$$
We have $(\mathbf{A}\otimes\mathbf{B})(\mathbf{C}\otimes\mathbf{D})=(\mathbf{A}\mathbf{C})\otimes(\mathbf{B}\mathbf{D})$ whenever the products are defined.

Discrete Gaussians. Let $D_{\mathbb{Z},\sigma}$ denote the centered discrete Gaussian distribution over $\mathbb{Z}$ with standard deviation $\sigma\in\mathbb{R}^+$ (e.g., [Ban93]). For a matrix $\mathbf{A}\in\mathbb{Z}_q^{n\times m}$ and a vector $\mathbf{v}\in\mathbb{Z}_q^n$, let $\mathbf{A}^{-1}_\sigma(\mathbf{v})$ denote the distribution of a random variable $\mathbf{u}\leftarrow D^m_{\mathbb{Z},\sigma}$ conditioned on $\mathbf{A}\mathbf{u}=\mathbf{v}\bmod q$.
When $\mathbf{A}^{-1}_\sigma$ is applied to a matrix, it is understood as being applied independently to each column. The following lemma (e.g., [MR07]) shows that for a given Gaussian width parameter $\sigma=\sigma(\lambda)$, a vector drawn from the discrete Gaussian distribution has norm greater than $\sqrt{n}\sigma$ with only negligible probability.

Lemma 1. Let $\lambda$ be a security parameter and $\sigma=\sigma(\lambda)$ a Gaussian width parameter. Then for all polynomials $n=n(\lambda)$, there exists a negligible function $\mathrm{negl}(\lambda)$ such that for all $\lambda\in\mathbb{N}$,
$$\Pr\big[\|\mathbf{v}\|>\sqrt{n}\sigma:\ \mathbf{v}\leftarrow D^n_{\mathbb{Z},\sigma}\big]=\mathrm{negl}(\lambda).$$

Smudging Lemma. We recall the standard smudging lemma, which formalizes the intuition that a sufficiently large standard deviation can "smudge out" small perturbations, making the resulting distributions statistically indistinguishable.

Lemma 2 ([BDE+18]). Let $\lambda$ be a security parameter, and let $e\in\mathbb{Z}$ satisfy $|e|\le B$. Suppose that $\sigma\ge B\cdot\lambda^{\omega(1)}$. Then the following two distributions are statistically indistinguishable:
$$\{z:\ z\leftarrow D_{\mathbb{Z},\sigma}\}\quad\text{and}\quad\{z+e:\ z\leftarrow D_{\mathbb{Z},\sigma}\}.$$

The Gadget Matrix. We recall the gadget matrix introduced in [MP12]. For positive integers $n,q\in\mathbb{N}$, let $\mathbf{g}^\top=(1,2,\dots,2^{\lceil\log q\rceil-1})$ denote the gadget vector. Define the gadget matrix $\mathbf{G}_n=\mathbf{I}_n\otimes\mathbf{g}^\top\in\mathbb{Z}_q^{n\times m}$, where $m=n\lceil\log q\rceil$.

Trapdoors for lattices. In this work, we adopt the trapdoor frameworks of [Ajt96, GPV08, MP12], following the formalization in [BTVW17].

Lemma 3 ([GPV08, MP12]). Let $n,m,q$ be lattice parameters. Then there exist two efficient algorithms $(\mathsf{TrapGen},\mathsf{SamplePre})$ with the following syntax:
• $\mathsf{TrapGen}(1^n,1^m,q)\to(\mathbf{A},\mathbf{T})$: On input the lattice dimension $n$, the number of samples $m$ and the modulus $q$, this randomized algorithm outputs a matrix $\mathbf{A}\in\mathbb{Z}_q^{n\times m}$ together with a trapdoor $\mathbf{T}\in\mathbb{Z}_q^{m\times m}$.
• $\mathsf{SamplePre}(\mathbf{A},\mathbf{T},\mathbf{y},\sigma)\to\mathbf{x}$: On input $(\mathbf{A},\mathbf{T})$ from $\mathsf{TrapGen}$, a target vector $\mathbf{y}\in\mathbb{Z}_q^n$ and a Gaussian width parameter $\sigma$, this randomized algorithm outputs a vector $\mathbf{x}\in\mathbb{Z}^m$.
Moreover, there exists a polynomial $m_0(n,q)=O(n\log q)$ such that for all $m\ge m_0$, the above algorithms satisfy the following properties:
• Trapdoor distribution: The matrix $\mathbf{A}$ output by $\mathsf{TrapGen}(1^n,1^m,q)$ is statistically close to a uniformly random matrix. Specifically, if $(\mathbf{A},\mathrm{td}_{\mathbf{A}})\leftarrow\mathsf{TrapGen}(1^n,1^m,q)$ and $\mathbf{A}'\xleftarrow{\$}\mathbb{Z}_q^{n\times m}$, then the statistical distance between the distributions of $\mathbf{A}$ and $\mathbf{A}'$ is at most $2^{-n}$. The trapdoor $\mathrm{td}_{\mathbf{A}}$ serves as a $\tau$-trapdoor, where $\tau=O(\sqrt{n\log q})$. Denote $\chi_0=\tau\cdot\omega(\sqrt{\log n})$.
• Preimage sampling: Suppose $\mathrm{td}_{\mathbf{A}}$ is a $\tau$-trapdoor for $\mathbf{A}$. For all $\sigma\ge\chi_0$ and all target vectors $\mathbf{y}\in\mathbb{Z}_q^n$, the statistical distance between the following two distributions is at most $2^{-n}$:
$$\{\mathbf{x}\leftarrow\mathsf{SamplePre}(\mathbf{A},\mathbf{T},\mathbf{y},\sigma)\}\quad\text{and}\quad\{\mathbf{x}\leftarrow\mathbf{A}^{-1}_\sigma(\mathbf{y})\}.$$

Corollary 1 ([WWW22], adapted). Let $\mathbf{H}\in\mathbb{Z}_q^{k\times t}$ be a full row rank matrix ($k\le t$). Let $\mathbf{A}\in\mathbb{Z}_q^{kn\times m'}$ and $\mathbf{R}\in\mathbb{Z}^{m'\times mt}$. Suppose $\mathbf{A}\mathbf{R}=\mathbf{H}\otimes\mathbf{G}$. Then $(\mathbf{R},\mathbf{H})$ can be used as a $\tau$-trapdoor for $\mathbf{A}$, where $\tau\le\sqrt{kmm'\cdot mt}\,\|\mathbf{R}\|$.

Succinct LWE assumption. Our proposed CP-ABE scheme relies on the succinct LWE assumption [Wee24].

Assumption 1 ($\ell$-succinct LWE [Wee24]). Let $\lambda$ be a security parameter. Let $n,m$ be such that $m\ge 2n\log q$. The $(\ell,\sigma)$-succinct LWE assumption says
$$(\mathbf{B},\ \mathbf{s}^\top\mathbf{B}+\mathbf{e}^\top,\ \mathbf{W},\ \mathbf{T})\ \approx_c\ (\mathbf{B},\ \mathbf{c},\ \mathbf{W},\ \mathbf{T}),$$
where $\mathbf{B}\xleftarrow{\$}\mathbb{Z}_q^{n\times m}$, $\mathbf{s}\xleftarrow{\$}\mathbb{Z}_q^n$, $\mathbf{e}\leftarrow D^m_{\mathbb{Z},\chi}$, $\mathbf{c}\xleftarrow{\$}\mathbb{Z}_q^m$, $\mathbf{W}\xleftarrow{\$}\mathbb{Z}_q^{\ell n\times m}$, and $\mathbf{T}\leftarrow[\mathbf{I}_\ell\otimes\mathbf{B}\mid\mathbf{W}]^{-1}_\sigma(\mathbf{I}_\ell\otimes\mathbf{G})$.

Lemma 4 (Leftover hash lemma, [ABB10]). Let $\lambda$ be a security parameter. Let $n=n(\lambda)$, $q=q(\lambda)$ be some lattice parameters. Let $m>(n+1)\log q+\omega(\log n)$, and let $k=k(n)$ be some polynomial.
Then the following two distributions are statistically indistinguishable:
$$\{(\mathbf{A},\mathbf{A}\mathbf{R}):\ \mathbf{A}\xleftarrow{\$}\mathbb{Z}_q^{n\times m},\ \mathbf{R}\xleftarrow{\$}\{-1,1\}^{m\times k}\}\quad\text{and}\quad\{(\mathbf{A},\mathbf{S}):\ \mathbf{A}\xleftarrow{\$}\mathbb{Z}_q^{n\times m},\ \mathbf{S}\xleftarrow{\$}\mathbb{Z}_q^{n\times k}\}.$$

Lemma 5 (Leftover hash lemma with trapdoor). Let $\lambda$ be a security parameter. Let $n=n(\lambda)$, $q=q(\lambda)$ be some lattice parameters. Let $m>2(n+1)\log q+\omega(\log n)$, and let $k=k(n)$ be some polynomial. Let $m>m_0$ and $\chi,\sigma>\chi_0$, where $m_0,\chi_0$ are the polynomials given in Lemma 3. Then for any adversary $\mathcal{A}$, there exists a negligible function $\mathrm{negl}(\lambda)$ such that for all $n\in\mathbb{N}$,
$$\Big|\Pr\big[\mathrm{Exp}^{\mathrm{LHL\text{-}Trap},q,\sigma,\chi}_{\mathcal{A}}(\lambda)=1\big]-1/2\Big|\le\mathrm{negl}(\lambda),$$
where the experiment is defined below.

Setup phase: The adversary $\mathcal{A}$ sends $1^n,1^m$ to the challenger. The challenger flips a random bit $b\xleftarrow{\$}\{0,1\}$ and proceeds as follows:
1. It samples $(\mathbf{B},\mathrm{td}_{\mathbf{B}})\leftarrow\mathsf{TrapGen}(1^n,1^m,q)$, $\mathbf{W}\xleftarrow{\$}\mathbb{Z}_q^{2m^2n\times m}$, and
$$\mathbf{T}\leftarrow\mathsf{SamplePre}\Big([\mathbf{I}_{2m^2}\otimes\mathbf{B}\mid\mathbf{W}],\ \begin{pmatrix}\mathbf{I}_{2m^2}\otimes\mathrm{td}_{\mathbf{B}}\\ \mathbf{0}\end{pmatrix},\ \mathbf{I}_{2m^2}\otimes\mathbf{G},\ \sigma\Big),$$
and sets $\mathsf{pp}:=(\mathbf{B},\mathbf{W},\mathbf{T})$. It then samples $\mathbf{R}\xleftarrow{\$}\{-1,1\}^{m\times k}$ and sets $\mathbf{S}_0\leftarrow\mathbf{B}\mathbf{R}$. It also samples $\mathbf{S}_1\xleftarrow{\$}\mathbb{Z}_q^{n\times k}$.
2. It sends $(\mathsf{pp},\mathbf{S}_b)$ to the adversary $\mathcal{A}$.
Query Phase: The adversary $\mathcal{A}$ makes polynomially many preimage queries of the form $\mathbf{z}\in\mathbb{Z}_q^n$. The challenger responds to each query by sampling $\mathbf{s}\leftarrow\mathsf{SamplePre}(\mathbf{B},\mathrm{td}_{\mathbf{B}},\mathbf{z},\chi)$ and sending $\mathbf{s}$ to $\mathcal{A}$.
Response Phase: The adversary outputs its guess $b'\in\{0,1\}$ for $b$. The experiment outputs $1$ if and only if $b=b'$.

Experiment $\mathrm{Exp}^{\mathrm{LHL\text{-}Trap},q,\sigma,\chi}_{\mathcal{A}}$

Proof. The proof proceeds via a sequence of hybrid experiments. We define games $\mathsf{H}_0,\dots,\mathsf{H}_6$ and show that each consecutive pair of hybrids is statistically indistinguishable. The detailed arguments are given in Lemmas 7–11 below.

Game $\mathsf{H}_0$. This corresponds to the original game with $b=0$.
1) Setup Phase: The challenger receives $1^n$ and $1^m$.
a) It samples $(\mathbf{B},\mathrm{td}_{\mathbf{B}})\leftarrow\mathsf{TrapGen}(1^n,1^m,q)$.
b) It samples $\mathbf{W}\xleftarrow{\$}\mathbb{Z}_q^{2m^2n\times m}$.
c) It samples $\mathbf{T}\leftarrow\mathsf{SamplePre}\Big([\mathbf{I}_{2m^2}\otimes\mathbf{B}\mid\mathbf{W}],\ \begin{pmatrix}\mathbf{I}_{2m^2}\otimes\mathrm{td}_{\mathbf{B}}\\ \mathbf{0}\end{pmatrix},\ \mathbf{I}_{2m^2}\otimes\mathbf{G},\ \sigma\Big)$ and sets $\mathsf{pp}:=(\mathbf{B},\mathbf{W},\mathbf{T})$.
d) It then samples $\mathbf{R}\xleftarrow{\$}\{-1,1\}^{m\times k}$ and sets $\mathbf{S}\leftarrow\mathbf{B}\mathbf{R}$.
e) It sends $(\mathsf{pp},\mathbf{S})$ to the adversary $\mathcal{A}$.
2) Query Phase: The adversary makes polynomially many queries $\mathbf{z}\in\mathbb{Z}_q^n$. The challenger responds to each query as follows:
a) It samples $\mathbf{s}\leftarrow\mathsf{SamplePre}(\mathbf{B},\mathrm{td}_{\mathbf{B}},\mathbf{z},\chi)$ and sends $\mathbf{s}$ to $\mathcal{A}$.
3) The adversary outputs a bit $b'$.

Game $\mathsf{H}_1$. This game is defined identically to Game $\mathsf{H}_0$ except for the way the matrices $\mathbf{B},\mathbf{T}$ are generated and the way preimage queries are answered.
1) Setup Phase: The challenger receives $1^n$ and $1^m$.
a) It samples $(\mathbf{B}_1,\mathrm{td}_{\mathbf{B}_1})\leftarrow\mathsf{TrapGen}(1^n,1^{m/2},q)$, $(\mathbf{B}_2,\mathrm{td}_{\mathbf{B}_2})\leftarrow\mathsf{TrapGen}(1^n,1^{m/2},q)$ and sets $\mathbf{B}=[\mathbf{B}_1\mid\mathbf{B}_2]$.
b) It samples $\mathbf{W}=\begin{bmatrix}\mathbf{W}_1\\ \vdots\\ \mathbf{W}_{2m^2}\end{bmatrix}\xleftarrow{\$}\mathbb{Z}_q^{2m^2n\times m}$, where $\mathbf{W}_i\in\mathbb{Z}_q^{n\times m}$ for each $i\in[2m^2]$.
c) It samples $\mathbf{T}_{2m^2+1}\leftarrow D^{m\times 2m^3}_{\mathbb{Z},\sigma}$. For each $i\in[2m^2]$, it samples $\mathbf{T}^{\mathrm{up}}_i\leftarrow D^{m/2\times 2m^3}_{\mathbb{Z},\sigma}$ and
$$\mathbf{T}^{\mathrm{down}}_i\leftarrow\mathsf{SamplePre}\big(\mathbf{B}_2,\ \mathrm{td}_{\mathbf{B}_2},\ \mathbf{e}_i^\top\otimes\mathbf{G}-\mathbf{W}_i\mathbf{T}_{2m^2+1}-\mathbf{B}_1\mathbf{T}^{\mathrm{up}}_i,\ \sigma\big),$$
where $\mathbf{e}_i\in\{0,1\}^{2m^2}$ is the vector with $i$-th entry $1$ and all other entries $0$. It sets $\mathbf{T}_i=\begin{bmatrix}\mathbf{T}^{\mathrm{up}}_i\\ \mathbf{T}^{\mathrm{down}}_i\end{bmatrix}$ and $\mathbf{T}=\begin{bmatrix}\mathbf{T}_1\\ \vdots\\ \mathbf{T}_{2m^2}\\ \mathbf{T}_{2m^2+1}\end{bmatrix}$, and sets $\mathsf{pp}:=(\mathbf{B},\mathbf{W},\mathbf{T})$.
d) It then samples $\mathbf{R}_1,\mathbf{R}_2\xleftarrow{\$}\{-1,1\}^{m/2\times k}$ and sets $\mathbf{S}\leftarrow\mathbf{B}_1\mathbf{R}_1+\mathbf{B}_2\mathbf{R}_2$.
e) It sends $(\mathsf{pp},\mathbf{S})$ to the adversary.
2) Query Phase: The adversary makes polynomially many queries $\mathbf{z}\in\mathbb{Z}_q^n$. The challenger responds to each query as follows:
a) It samples $\mathbf{s}_1\leftarrow\chi^{m/2}$, samples $\mathbf{s}_2\leftarrow\mathsf{SamplePre}(\mathbf{B}_2,\mathrm{td}_{\mathbf{B}_2},\mathbf{z}-\mathbf{B}_1\mathbf{s}_1,\chi)$, and sends $\mathbf{s}=\begin{bmatrix}\mathbf{s}_1\\ \mathbf{s}_2\end{bmatrix}$ to $\mathcal{A}$.
3) The adversary outputs a bit $b'$.

Game $\mathsf{H}_2$. This game is defined identically to Game $\mathsf{H}_1$ except that the challenger samples the matrix $\mathbf{B}_1$ uniformly at random instead of using $\mathsf{TrapGen}$.
1) Setup Phase: The challenger receives $1^n$ and $1^m$.
a) It samples $\mathbf{B}_1\xleftarrow{\$}\mathbb{Z}_q^{n\times m/2}$, $(\mathbf{B}_2,\math bf{td}_{\mathbf{B}_2})\leftarrow\mathsf{TrapGen}(1^n,1^{m/2},q)$ and sets $\mathbf{B}=[\mathbf{B}_1\mid\mathbf{B}_2]$.

Game $\mathsf{H}_3$. This game is defined identically to Game $\mathsf{H}_2$ except that we replace the term $\mathbf{B}_1\mathbf{R}_1$ with a uniformly random matrix $\mathbf{S}'$.
1) Setup Phase: The challenger receives $1^n$ and $1^m$.
d) It then samples $\mathbf{S}'\xleftarrow{\$}\mathbb{Z}_q^{n\times k}$ and $\mathbf{R}_2\xleftarrow{\$}\{-1,1\}^{m/2\times k}$, and sets $\mathbf{S}\leftarrow\mathbf{S}'+\mathbf{B}_2\mathbf{R}_2$.

Game $\mathsf{H}_4$. This game is defined identically to Game $\mathsf{H}_3$ except that we do not add the term $\mathbf{B}_2\mathbf{R}_2$ to $\mathbf{S}$, but instead sample $\mathbf{S}$ uniformly at random.
1) Setup Phase: The challenger receives $1^n$ and $1^m$.
d) It then samples $\mathbf{S}\xleftarrow{\$}\mathbb{Z}_q^{n\times k}$.

Game $\mathsf{H}_5$. This game is defined identically to Game $\mathsf{H}_4$ except that the challenger samples $\mathbf{B}_1$ using $\mathsf{TrapGen}$ instead of sampling it uniformly at random.
1) Setup Phase: The challenger receives $1^n$ and $1^m$.
a) It samples $(\mathbf{B}_1,\mathrm{td}_{\mathbf{B}_1})\leftarrow\mathsf{TrapGen}(1^n,1^{m/2},q)$, $(\mathbf{B}_2,\mathrm{td}_{\mathbf{B}_2})\leftarrow\mathsf{TrapGen}(1^n,1^{m/2},q)$ and sets $\mathbf{B}=[\mathbf{B}_1\mid\mathbf{B}_2]$.

Game $\mathsf{H}_6$. This game is defined identically to Game $\mathsf{H}_5$ except that we sample $(\mathbf{B},\mathrm{td}_{\mathbf{B}})$ and $\mathbf{T}$ as in Game $\mathsf{H}_0$, and answer preimage queries directly using $\mathrm{td}_{\mathbf{B}}$. This game corresponds to the original game with $b=1$.
1) Setup Phase: The challenger receives $1^n$ and $1^m$.
a) It samples $(\mathbf{B},\mathrm{td}_{\mathbf{B}})\leftarrow\mathsf{TrapGen}(1^n,1^m,q)$.
c) It samples $\mathbf{T}\leftarrow\mathsf{SamplePre}\Big([\mathbf{I}_{2m^2}\otimes\mathbf{B}\mid\mathbf{W}],\ \begin{pmatrix}\mathbf{I}_{2m^2}\otimes\mathrm{td}_{\mathbf{B}}\\ \mathbf{0}\end{pmatrix},\ \mathbf{I}_{2m^2}\otimes\mathbf{G},\ \sigma\Big)$ and sets $\mathsf{pp}:=(\mathbf{B},\mathbf{W},\mathbf{T})$.
2) Query Phase: The adversary makes polynomially many queries $\mathbf{z}\in\mathbb{Z}_q^n$. The challenger responds to each query as follows:
a) It samples $\mathbf{s}\leftarrow\mathsf{SamplePre}(\mathbf{B},\mathrm{td}_{\mathbf{B}},\mathbf{z},\chi)$ and sends $\mathbf{s}$ to $\mathcal{A}$.

Lemma 6. Suppose that $\chi,\sigma\ge\chi_0$, where $\chi_0$ is the polynomial given in Lemma 3. We have $\mathsf{H}_0\approx_s\mathsf{H}_1$.

Proof. First we consider the matrix $\mathbf{B}$ in the two games. In Game $\mathsf{H}_0$, the challenger samples $(\mathbf{B},\mathrm{td}_{\mathbf{B}})\leftarrow\mathsf{TrapGen}(1^n,1^m,q)$.
In Game $\mathsf{H}_1$, it samples $(\mathbf{B}_1,\mathrm{td}_{\mathbf{B}_1}),(\mathbf{B}_2,\mathrm{td}_{\mathbf{B}_2})\leftarrow\mathsf{TrapGen}(1^n,1^{m/2},q)$ and sets $\mathbf{B}=[\mathbf{B}_1\mid\mathbf{B}_2]$ instead. Since $\mathsf{TrapGen}$ outputs a matrix that is statistically close to uniform together with a trapdoor, the matrix $\mathbf{B}$ in the two games is statistically indistinguishable.

Next we consider the matrix $\mathbf{T}$. It suffices to consider each block $\mathbf{T}_i$. In Game $\mathsf{H}_0$, the block $\mathbf{T}_i$ is distributed as a discrete Gaussian with parameter $\sigma$ conditioned on
$$\mathbf{B}\mathbf{T}_i+\mathbf{W}_i\mathbf{T}_{2m^2+1}=\mathbf{e}_i^\top\otimes\mathbf{G}.\qquad(3)$$
In Game $\mathsf{H}_1$, the matrices $\mathbf{T}^{\mathrm{up}}_i$ and $\mathbf{T}^{\mathrm{down}}_i$ are sampled from discrete Gaussians with parameter $\sigma$ satisfying $\mathbf{B}_2\mathbf{T}^{\mathrm{down}}_i=\mathbf{e}_i^\top\otimes\mathbf{G}-\mathbf{W}_i\mathbf{T}_{2m^2+1}-\mathbf{B}_1\mathbf{T}^{\mathrm{up}}_i$, which agrees with (3) when we write $\mathbf{B}=[\mathbf{B}_1\mid\mathbf{B}_2]$ and $\mathbf{T}_i=\begin{bmatrix}\mathbf{T}^{\mathrm{up}}_i\\ \mathbf{T}^{\mathrm{down}}_i\end{bmatrix}$.

We now consider the matrix $\mathbf{S}$ in the two games. In Game $\mathsf{H}_0$, the challenger samples $\mathbf{R}\leftarrow\{-1,1\}^{m\times k}$ and sets $\mathbf{S}=\mathbf{B}\mathbf{R}$. In Game $\mathsf{H}_1$, it samples $\mathbf{R}_1,\mathbf{R}_2\leftarrow\{-1,1\}^{m/2\times k}$ independently and sets $\mathbf{S}=\mathbf{B}_1\mathbf{R}_1+\mathbf{B}_2\mathbf{R}_2$. If we write $\mathbf{R}=\begin{bmatrix}\mathbf{R}_1\\ \mathbf{R}_2\end{bmatrix}\in\{-1,1\}^{m\times k}$, then the distribution of $\mathbf{S}=\mathbf{B}\mathbf{R}$ in Game $\mathsf{H}_1$ is identical to that in Game $\mathsf{H}_0$.

Finally, it remains to consider the answers to preimage queries. In Game $\mathsf{H}_0$, on input $\mathbf{z}\in\mathbb{Z}_q^n$ the challenger returns $\mathbf{s}\leftarrow\mathsf{SamplePre}(\mathbf{B},\mathrm{td}_{\mathbf{B}},\mathbf{z},\chi)$, a discrete Gaussian preimage of $\mathbf{z}$ under $\mathbf{B}$. In Game $\mathsf{H}_1$, on the same input it samples $\mathbf{s}_1\leftarrow\chi^{m/2}$, then $\mathbf{s}_2\leftarrow\mathsf{SamplePre}(\mathbf{B}_2,\mathrm{td}_{\mathbf{B}_2},\mathbf{z}-\mathbf{B}_1\mathbf{s}_1,\chi)$, and outputs $\mathbf{s}=\begin{bmatrix}\mathbf{s}_1\\ \mathbf{s}_2\end{bmatrix}$. By the preimage-sampling process and the well-sampleness of $\mathsf{SamplePre}$, this procedure yields exactly the same discrete Gaussian distribution over all solutions $\mathbf{s}\in\mathbb{Z}_q^m$ of $\mathbf{B}\mathbf{s}=\mathbf{z}\bmod q$, which is identical to that in $\mathsf{H}_0$. Putting everything together, the joint distribution of $(\mathsf{pp},\mathbf{S})$ and all oracle answers in Game $\mathsf{H}_1$ is statistically indistinguishable from that in Game $\mathsf{H}_0$.

Lemma 7. Suppose that $m\ge m_0$, where $m_0$ is the polynomial given in Lemma 3. We have $\mathsf{H}_1\approx_s\mathsf{H}_2$.

Proof. This follows directly from the well-sampleness of $\mathsf{TrapGen}$: in Game $\mathsf{H}_1$ the matrix $\mathbf{B}_1$ output by $\mathsf{TrapGen}$ is statistically indistinguishable from a uniform matrix in $\mathbb{Z}_q^{n\times m/2}$, and its trapdoor $\mathrm{td}_{\mathbf{B}_1}$ is neither used nor revealed. All other values are generated identically in the two games. Moreover, all subsequent steps depend on $\mathbf{B}_1$ itself or on $(\mathbf{B}_2,\mathrm{td}_{\mathbf{B}_2})$ in the same way in both games. Hence the lemma holds.

Lemma 8. Suppose that $m\ge 2n\log q+\omega(\log n)$. Let $k=k(n)$ be some polynomial. We have $\mathsf{H}_2\approx_s\mathsf{H}_3$.

Proof. Suppose there exists an adversary $\mathcal{A}$ that distinguishes between Hybrids $\mathsf{H}_2$ and $\mathsf{H}_3$ with non-negligible probability. We construct an adversary $\mathcal{B}$ that violates the leftover hash lemma (Lemma 4). The algorithm $\mathcal{B}$ proceeds as follows:
• $\mathcal{B}$ receives a challenge $(\mathbf{B}_1,\mathbf{S}')$, where $\mathbf{B}_1\xleftarrow{\$}\mathbb{Z}_q^{n\times m/2}$ and $\mathbf{S}'$ is either $\mathbf{S}'=\mathbf{B}_1\mathbf{R}_1$ with $\mathbf{R}_1\xleftarrow{\$}\{-1,1\}^{m/2\times k}$ or $\mathbf{S}'\xleftarrow{\$}\mathbb{Z}_q^{n\times k}$.
• It samples $(\mathbf{B}_2,\mathrm{td}_{\mathbf{B}_2})\leftarrow\mathsf{TrapGen}(1^n,1^{m/2},q)$ and sets $\mathbf{B}=[\mathbf{B}_1\mid\mathbf{B}_2]$.
• It samples $\mathbf{W}=\begin{bmatrix}\mathbf{W}_1\\ \vdots\\ \mathbf{W}_{2m^2}\end{bmatrix}\xleftarrow{\$}\mathbb{Z}_q^{2m^2n\times m}$, where $\mathbf{W}_i\in\mathbb{Z}_q^{n\times m}$ for each $i\in[2m^2]$.
• It samples $\mathbf{T}_{2m^2+1}\leftarrow D^{m\times 2m^3}_{\mathbb{Z},\sigma}$. For each $i\in[2m^2]$, it samples $\mathbf{T}^{\mathrm{up}}_i\leftarrow D^{m/2\times 2m^3}_{\mathbb{Z},\sigma}$ and $\mathbf{T}^{\mathrm{down}}_i\leftarrow\mathsf{SamplePre}(\mathbf{B}_2,\mathrm{td}_{\mathbf{B}_2},\mathbf{e}_i^\top\otimes\mathbf{G}-\mathbf{W}_i\mathbf{T}_{2m^2+1}-\mathbf{B}_1\mathbf{T}^{\mathrm{up}}_i,\sigma)$, where $\mathbf{e}_i\in\{0,1\}^{2m^2}$ is the vector with $i$-th entry $1$ and all other entries $0$. It sets $\mathbf{T}_i=\begin{bmatrix}\mathbf{T}^{\mathrm{up}}_i\\ \mathbf{T}^{\mathrm{down}}_i\end{bmatrix}$ and $\mathbf{T}=\begin{bmatrix}\mathbf{T}_1\\ \vdots\\ \mathbf{T}_{2m^2}\\ \mathbf{T}_{2m^2+1}\end{bmatrix}$, and sets $\mathsf{pp}:=(\mathbf{B},\mathbf{W},\mathbf{T})$.
• It then samples $\mathbf{R}_2\xleftarrow{\$}\{-1,1\}^{m/2\times k}$ and sets $\mathbf{S}\leftarrow\mathbf{S}'+\mathbf{B}_2\mathbf{R}_2$.
• It sends $(\mathsf{pp},\mathbf{B},\mathbf{S})$ to the adversary $\mathcal{A}$.
• It responds to each query $\mathbf{z}\in\mathbb{Z}_q^n$ from $\mathcal{A}$ as follows: it samples $\mathbf{s}_1\leftarrow\chi^{m/2}$, samples $\mathbf{s}_2\leftarrow\mathsf{SamplePre}(\mathbf{B}_2,\mathrm{td}_{\mathbf{B}_2},\mathbf{z}-\mathbf{B}_1\mathbf{s}_1,\chi)$, and answers with $\mathbf{s}=\begin{bmatrix}\mathbf{s}_1\\ \mathbf{s}_2\end{bmatrix}$.
• It outputs whate ver the adversary A outputs. From the definition of the algorithm B , we notice that when S ′ = B 1 R 1 with R 1 $ ← − {− 1 , 1 } m/ 2 × k , the adversary B simulates the challenger in Game H 2 perfectly , when S ′ $ ← − Z n × k q , the adversary B simulates the challenger in Game H 3 perfectly . Hence the adversary B in the leftov er hash lemma game has the same advantage as that of the adversary A of distinguish between Game H 2 and H 3 . By the leftover hash lemma (Lemma 4) and the assumption m/ 2 ≥ 2 n log q + ω (log n ) , this advantage must be ne gligible, contradicting our assumption on A . Hence H 2 s ≈ H 3 . Lemma 9. W e have H 3 ≡ H 4 . 12 Pr oof. The difference between Hybrid H 3 and Hybrid H 4 is merely syntactic. In Game H 3 , S ′ $ ← − Z n × k q is uniform and B 2 R 2 is independent of S ′ , so S = S ′ + B 2 R 2 is also uniform over Z n × k q . In Game H 4 , S is sampled directly and uniformly from Z n × k q . Thus S has exactly the same distribution in both games, and all other v ariables are generated identically . Hence H 3 ≡ H 4 . Lemma 10. Suppose that m ≥ m 0 , wher e m 0 is the polynomials given in Lemma 3. W e have H 4 s ≈ H 5 . Pr oof. The lemma follo ws the same reason as Lemma 7. Lemma 11. Suppose that χ, σ ≥ χ 0 , wher e χ 0 is the polynomial given in Lemma 3. W e have H 5 s ≈ H 6 . Pr oof. The lemma follo ws the same reason as Lemma 6. By combining Lemmas 6 – 11, we can conclude that H 0 s ≈ H 6 , which completes the proof of the theorem. A. Matrix commitment Our scheme relies on the matrix commitment presented by [W ee25]. W e refer to the formal description of the algorithm to [W ee25]. Roughly , the matrix commitment scheme first gi ves the public parameters pp := ( B , W , T ) which are sampled according to the same procedure as in the succinct L WE assumption. It then commits to a matrix M ∈ Z n × L q and the commitment is a matrix C ∈ Z n × m q . 
The verification matrix $\mathbf{V}_L \in \mathbb{Z}_q^{m \times L}$ depends only on the width $L$ of the matrix $\mathbf{M}$. The opening matrix $\mathbf{Z} \in \mathbb{Z}_q^{m \times L}$ is such that $\mathbf{C} \cdot \mathbf{V}_L = \mathbf{M} - \mathbf{B} \cdot \mathbf{Z}$.

Lemma 12 (Matrix Commitment [Wee25]). Let $n, m, q$ be lattice parameters with $m \geq 2n \log q$. There exists a tuple of deterministic efficient algorithms $(\mathsf{Com}_{\mathsf{mx}}, \mathsf{Ver}_{\mathsf{mx}}, \mathsf{Open}_{\mathsf{mx}})$ with the following syntax:
• $\mathsf{Com}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{M}) \to \mathbf{C}$: On input the public parameters $\mathsf{pp}$ and a matrix $\mathbf{M} \in \mathbb{Z}_q^{n \times L}$, the algorithm outputs a matrix $\mathbf{C} \in \mathbb{Z}_q^{n \times m}$.
• $\mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp}, 1^L) \to \mathbf{V}_L$: On input the public parameters $\mathsf{pp}$ and the length parameter $L$, the algorithm outputs a matrix $\mathbf{V}_L \in \mathbb{Z}_q^{m \times L}$.
• $\mathsf{Open}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{M}) \to \mathbf{Z}$: On input the public parameters $\mathsf{pp}$ and a matrix $\mathbf{M} \in \mathbb{Z}_q^{n \times L}$, the algorithm outputs a matrix $\mathbf{Z} \in \mathbb{Z}_q^{m \times L}$.
For all $\mathsf{pp} = (\mathbf{B}, \mathbf{W}, \mathbf{T})$, where $\mathbf{B} \in \mathbb{Z}_q^{n \times m}$, $\mathbf{W} \in \mathbb{Z}_q^{2m^2 n \times m}$, $\mathbf{T} \in \mathbb{Z}_q^{(2m^2+1)m \times 2m^3}$ are such that $[\mathbf{I}_{2m^2} \otimes \mathbf{B} \mid \mathbf{W}] \cdot \mathbf{T} = \mathbf{I}_{2m^2} \otimes \mathbf{G}$, all $L \in \mathbb{N}$, and all matrices $\mathbf{M} \in \mathbb{Z}_q^{n \times L}$, the matrices $\mathbf{C} \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{M})$, $\mathbf{V}_L \leftarrow \mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp}, 1^L)$, $\mathbf{Z} \leftarrow \mathsf{Open}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{M})$ satisfy
$$\mathbf{C} \cdot \mathbf{V}_L = \mathbf{M} - \mathbf{B} \cdot \mathbf{Z}, \qquad \|\mathbf{V}_L\| \leq O(\|\mathbf{T}\|^4 \cdot m^4 \log q), \qquad \|\mathbf{Z}\| \leq O(\|\mathbf{T}\| \cdot m^7 \log q \log L).$$

IV. LSSS AND CP-ABE FOR LSSS-REALIZABLE ACCESS STRUCTURES

In this section, we first introduce the notion of a linear secret sharing scheme (LSSS), which we use to describe the access structures in our construction, and then ciphertext-policy attribute-based encryption (CP-ABE).

Definition 13 (Access Structure, [Bei96]). Let $S$ be a set and $2^S$ be the power set of $S$, i.e., the collection of all subsets of $S$. An access structure on $S$ is a set $\mathbb{A} \subseteq 2^S \setminus \{\emptyset\}$, consisting of some non-empty subsets of $S$. A subset $A \in 2^S$ is called authorized if $A \in \mathbb{A}$, and unauthorized otherwise. An access structure is called monotone if it satisfies the following condition: for all subsets $B, C \in 2^S$, if $B \in \mathbb{A}$ and $B \subseteq C$, then $C \in \mathbb{A}$.
In other words, adding more elements to an authorized subset does not invalidate its authorization.

In the following, we present a result given by [DKW21], which shows that there exists a non-monotone $\{0,1\}$-LSSS for any access structure represented by a Boolean formula.

Lemma 14 ([DKW21]). For any access structure $\mathbb{A}$ described by a Boolean formula, there is a deterministic polynomial-time algorithm for generating $(\mathbf{M}, \rho)$, where $\mathbf{M} \in \{-1,0,1\}^{\ell \times d}$ and $\rho : [\ell] \to [2n]$, satisfying:
1) $(\mathbf{M}, \rho)$ yields a non-monotone $\{0,1\}$-LSSS for $\mathbb{A}$, namely
  • For $S \subseteq [n]$, let $\hat{S} = S \cup \{i \in \{n+1, \ldots, 2n\} \mid i - n \notin S\} \subseteq [2n]$. Let $\mathbf{M}_{\hat{S}}$ be the submatrix consisting of all rows of $\mathbf{M}$ with row indices in $\rho^{-1}(\hat{S})$. For any authorized set of parties $S \subseteq [n]$, there is a linear combination of the rows of $\mathbf{M}_{\hat{S}}$ that gives $(1, 0, \ldots, 0) \in \mathbb{Z}_q^d$. Moreover, the coefficients in this linear combination are from $\{0,1\}$.
  • For any unauthorized set of parties $S \subseteq [n]$, there is no linear combination of the rows of $\mathbf{M}_{\hat{S}}$ that gives $(1, 0, \ldots, 0) \in \mathbb{Z}_q^d$. Moreover, there exists a vector $\mathbf{d} \in \mathbb{Z}_q^d$ whose first component is $d_1 = 1$ and such that $\mathbf{M}_{\hat{S}}\mathbf{d} = \mathbf{0}$.
2) For any unauthorized set of parties $S \subseteq [n]$, all of the rows of $\mathbf{M}_{\hat{S}}$ are linearly independent.

Here we present the notion of ciphertext-policy attribute-based encryption (CP-ABE) for LSSS.

Definition 15 (CP-ABE for LSSS). Let $\lambda$ be the security parameter, and let $n = n(\lambda)$, $q = q(\lambda)$ be lattice parameters. A ciphertext-policy attribute-based encryption (CP-ABE) scheme for access structures captured by a linear secret sharing scheme (LSSS) over some finite field $\mathbb{Z}_q$ is defined as four efficient algorithms $\Pi_{\mathsf{CP\text{-}ABE}} = (\mathsf{Setup}, \mathsf{Keygen}, \mathsf{Enc}, \mathsf{Dec})$.
These algorithms proceed as follows:
• $\mathsf{Setup}(1^\lambda, \mathcal{U}) \to (\mathsf{pk}, \mathsf{msk})$: The setup algorithm takes as input the security parameter $\lambda$ and an attribute universe $\mathcal{U}$, and outputs the public parameters $\mathsf{pk}$ and a master secret key $\mathsf{msk}$. We assume that $\mathsf{pk}$ specifies the attribute universe $\mathcal{U}$.
• $\mathsf{Keygen}(\mathsf{msk}, U) \to \mathsf{sk}_U$: The key generation algorithm takes as input the master secret key $\mathsf{msk}$ and an attribute set $U \subseteq \mathcal{U}$. It outputs a secret key $\mathsf{sk}_U$ associated with the attribute set $U$. Without loss of generality, we assume that the secret key $\mathsf{sk}_U$ implicitly contains the attribute set $U$.
• $\mathsf{Enc}(\mathsf{pk}, \mathsf{msg}, (\mathbf{M}, \rho)) \to \mathsf{ct}$: The encryption algorithm takes as input the public parameters $\mathsf{pk}$, a message $\mathsf{msg}$, and an LSSS access policy $(\mathbf{M}, \rho)$ such that $\mathbf{M}$ is a matrix over $\mathbb{Z}_q$ and $\rho$ is a row-labeling function that assigns each row of $\mathbf{M}$ to an attribute in $\mathcal{U}$. It outputs a ciphertext $\mathsf{ct}$.
• $\mathsf{Dec}(\mathsf{pk}, \mathsf{sk}, (\mathbf{M}, \rho), \mathsf{ct}) \to \mathsf{msg}' / \bot$: The decryption algorithm takes as input the public parameters $\mathsf{pk}$, a secret key $\mathsf{sk}$, an access structure $(\mathbf{M}, \rho)$, and a ciphertext $\mathsf{ct}$. It outputs a value $\mathsf{msg}' \in \mathbb{Z}_q$ when the attributes in $U$ satisfy the LSSS structure $(\mathbf{M}, \rho)$, i.e., the vector $(1, 0, \ldots, 0)$ lies in the span of the rows of $\mathbf{M}$ whose labels are in $U$. Otherwise, the decryption outputs $\bot$, indicating failure.

Correctness. A CP-ABE scheme for LSSS-realizable access structures is said to be correct if for every $\lambda \in \mathbb{N}$, every attribute universe $\mathcal{U}$, every message $\mathsf{msg}$, every LSSS access policy $(\mathbf{M}, \rho)$, and every attribute set $U \subseteq \mathcal{U}$ that satisfies the access policy $(\mathbf{M}, \rho)$, it holds that
$$\Pr\left[\mathsf{msg}' = \mathsf{msg} \ :\ \begin{array}{l} (\mathsf{pk}, \mathsf{msk}) \leftarrow \mathsf{Setup}(1^\lambda, \mathcal{U});\ \mathsf{sk}_U \leftarrow \mathsf{Keygen}(\mathsf{msk}, U); \\ \mathsf{ct} \leftarrow \mathsf{Enc}(\mathsf{pk}, \mathsf{msg}, (\mathbf{M}, \rho));\ \mathsf{msg}' \leftarrow \mathsf{Dec}(\mathsf{pk}, \mathsf{sk}_U, (\mathbf{M}, \rho), \mathsf{ct}) \end{array}\right] \geq 1 - \mathrm{negl}(\lambda).$$

Selective Security. Here we define the selective security of a CP-ABE scheme for LSSS-realizable access structures by a game between a challenger and an adversary.
For a security parameter $\lambda \in \mathbb{N}$, the game proceeds as follows:
• Setup Phase: The adversary first sends an LSSS access policy $(\mathbf{M}, \rho)$. The challenger runs $(\mathsf{pk}, \mathsf{msk}) \leftarrow \mathsf{Setup}$ and sends the public parameters $\mathsf{pk}$ to the adversary.
• Key Query Phase 1: The adversary can make polynomially many secret-key queries to the challenger. Each secret-key query is of the form $U \subseteq \mathcal{U}$ such that $U$ does not satisfy the LSSS access policy $(\mathbf{M}, \rho)$. The challenger then runs $\mathsf{sk}_U \leftarrow \mathsf{Keygen}(\mathsf{msk}, U)$ and sends $\mathsf{sk}_U$ to the adversary.
• Challenge Phase: The challenger flips a coin $b \xleftarrow{\$} \{0,1\}$ and encrypts the message $b$ with respect to the LSSS access policy $(\mathbf{M}, \rho)$ as $\mathsf{ct} \leftarrow \mathsf{Enc}(\mathsf{pk}, b, (\mathbf{M}, \rho))$. Then the challenger sends the ciphertext $\mathsf{ct}$ to the adversary.
• Key Query Phase 2: This phase is the same as Key Query Phase 1.
• Guess Phase: The adversary outputs a guess $b' \in \{0,1\}$ for the value of $b$.
The advantage of the adversary $\mathcal{A}$ in this game is defined by $\mathrm{Adv}^{\mathsf{CP\text{-}ABE}}_{\mathcal{A}}(\lambda) := |\Pr[b = b'] - 1/2|$.

Definition 16 (Selective security for CP-ABE for LSSS). A CP-ABE scheme for LSSS-realizable access structures is selectively secure if for any PPT adversary $\mathcal{A}$, there exists a negligible function $\mathrm{negl}(\cdot)$ such that $\mathrm{Adv}^{\mathsf{CP\text{-}ABE}}_{\mathcal{A}}(\lambda) \leq \mathrm{negl}(\lambda)$ for all $\lambda \in \mathbb{N}$.

V. CP-ABE FOR LSSS FROM THE $\ell$-SUCCINCT LWE ASSUMPTION

In this section, we present our construction of a CP-ABE scheme supporting access structures represented by $\mathsf{NC}^1$ circuits. As discussed in [DKW21], we achieve this goal by presenting a CP-ABE scheme supporting access structures realized by an LSSS. More precisely, we construct a CP-ABE scheme for LSSS access policies $(\mathbf{M}, \rho)$, where every entry of $\mathbf{M}$ lies in $\{-1,0,1\}$ and the reconstruction coefficients are in $\{0,1\}$.
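As an added illustration (not code from the paper), the following Python script builds an LSSS $(\mathbf{M}, \rho)$ with entries in $\{-1,0,1\}$ from a small Boolean formula and performs the $\{0,1\}$-coefficient reconstruction check of Lemma 14 that $\mathsf{Dec}$ relies on, including the $\hat{S}$ convention that labels a negated literal $\neg x_i$ by the virtual attribute $n+i$. The formula-to-matrix conversion is the standard AND/OR vector-labeling construction and is assumed here as a stand-in for the [DKW21] generator; the policy and attribute universe are constructed for this example.

```python
from itertools import combinations

# Formula syntax, constructed for this example (attribute indices are 1..n):
#   ('VAR', i)      literal x_i
#   ('NOT', i)      literal NOT x_i, labeled by the virtual attribute n + i
#   ('AND', f, g), ('OR', f, g)
# This mirrors rho: [l] -> [2n] in Lemma 14, where index n + i stands for
# "x_i is absent from the attribute set".


def formula_to_lsss(formula, n):
    """Convert a Boolean formula into (rows, labels) with rows over {-1, 0, 1}.

    Standard AND/OR vector-labeling conversion (assumed stand-in for the
    [DKW21] generator): every AND gate adds one column; OR gates copy the
    parent vector to both children.  rows[i] is row i of M, labels[i] = rho(i).
    """
    rows, labels = [], []
    width = 1  # number of columns d so far (root vector is (1))

    def visit(node, vec):
        nonlocal width
        kind = node[0]
        if kind == 'VAR':
            rows.append(vec)
            labels.append(node[1])
        elif kind == 'NOT':
            rows.append(vec)
            labels.append(n + node[1])
        elif kind == 'OR':
            visit(node[1], vec)
            visit(node[2], vec)
        elif kind == 'AND':
            padded = vec + [0] * (width - len(vec))
            width += 1
            visit(node[1], padded + [1])               # left share:  (v | 1)
            visit(node[2], [0] * (width - 1) + [-1])   # right share: (0 | -1)
        else:
            raise ValueError("unknown node kind: %r" % (kind,))

    visit(formula, [1])
    rows = [r + [0] * (width - len(r)) for r in rows]  # pad every row to width d
    return rows, labels


def hat_set(S, n):
    """S-hat = S union {n + i : i not in S}: satisfied positive and negated literals."""
    return set(S) | {n + i for i in range(1, n + 1) if i not in S}


def reconstruct(rows, labels, S, n):
    """{0,1}-reconstruction over the rows of M_{S-hat}, as Dec needs it.

    Returns the sorted row indices i with w_i = 1 such that
    sum_i w_i * M_i = (1, 0, ..., 0), or None if no such subset exists.
    Exhaustive search over subsets; fine for small demonstration policies.
    """
    allowed = hat_set(S, n)
    candidates = [i for i, lab in enumerate(labels) if lab in allowed]
    d = len(rows[0])
    target = [1] + [0] * (d - 1)
    for size in range(1, len(candidates) + 1):
        for subset in combinations(candidates, size):
            total = [sum(rows[i][j] for i in subset) for j in range(d)]
            if total == target:
                return list(subset)
    return None


def evaluate(formula, S):
    """Ground truth: evaluate the formula directly on the attribute set S."""
    kind = formula[0]
    if kind == 'VAR':
        return formula[1] in S
    if kind == 'NOT':
        return formula[1] not in S
    if kind == 'AND':
        return evaluate(formula[1], S) and evaluate(formula[2], S)
    if kind == 'OR':
        return evaluate(formula[1], S) or evaluate(formula[2], S)
    raise ValueError("unknown node kind: %r" % (kind,))


def reconstruction_matches_policy(formula, n):
    """True iff reconstruction succeeds on exactly the authorized sets S in [n]."""
    rows, labels = formula_to_lsss(formula, n)
    for bits in range(2 ** n):
        S = {i for i in range(1, n + 1) if (bits >> (i - 1)) & 1}
        if (reconstruct(rows, labels, S, n) is not None) != evaluate(formula, S):
            return False
    return True


# Constructed example policy: (x1 AND x2) OR (x3 AND NOT x1) over n = 3 attributes.
POLICY = ('OR', ('AND', ('VAR', 1), ('VAR', 2)),
                ('AND', ('VAR', 3), ('NOT', 1)))
N_ATTRS = 3
M_ROWS, RHO = formula_to_lsss(POLICY, N_ATTRS)

if __name__ == "__main__":
    for i, (row, lab) in enumerate(zip(M_ROWS, RHO)):
        print("row %d -> label %d: %s" % (i, lab, row))
    for S in ({1, 2}, {3}, {1, 3}, set()):
        print("S =", sorted(S), "-> rows with w_i = 1:",
              reconstruct(M_ROWS, RHO, S, N_ATTRS))
    print("matches formula on all subsets:",
          reconstruction_matches_policy(POLICY, N_ATTRS))
```

Because every AND gate contributes a $(\mathbf{v} \mid 1)$ and a $(\mathbf{0} \mid -1)$ pair that sum back to $\mathbf{v}$, the found coefficients are always $0$ or $1$, which is exactly the restriction the construction places on the LSSS.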
We then prove that our construction achieves selective security as in Definition 16, which in turn yields a CP-ABE scheme for access structures represented by $\mathsf{NC}^1$ circuits. We assume that all LSSS access policies in the scheme correspond to matrices $\mathbf{M}$ with $s_{\max}$ columns and an injective row-labeling function $\rho$. The bound $s_{\max}$ can also be viewed as a bound on the circuit size of the corresponding $\mathsf{NC}^1$ circuits.

Construction 1. Let $\lambda$ be the security parameter, and let $n = n(\lambda)$, $q = q(\lambda)$, $m = m(\lambda)$ be lattice parameters. We describe the algorithms $\Pi_{\mathsf{CP\text{-}ABE}} = (\mathsf{Setup}, \mathsf{Keygen}, \mathsf{Enc}, \mathsf{Dec})$ as follows:
• $\mathsf{Setup}(1^\lambda, \mathcal{U}, s_{\max})$: The global setup algorithm takes as input the security parameter $\lambda$, an attribute universe $\mathcal{U}$, and the maximum width of the LSSS matrix $s_{\max} = s_{\max}(\lambda)$. Let $N := |\mathcal{U}|$. We fix an arbitrary ordering of $\mathcal{U}$ and henceforth identify it with the index set $[N] := \{1, 2, \ldots, N\}$. With a slight abuse of notation, we write $u \in [N]$ to denote the $u$-th attribute in this ordering. First, it chooses the distributions $\sigma, \chi, \chi_1, \chi_s$. Next, it samples $(\mathbf{B}, \mathsf{td}_{\mathbf{B}}) \leftarrow \mathsf{TrapGen}(1^n, 1^m, q)$, $\mathbf{W} \xleftarrow{\$} \mathbb{Z}_q^{2m^2 n \times m}$, and $\mathbf{T} \leftarrow \mathsf{SamplePre}\big([\mathbf{I}_{2m^2} \otimes \mathbf{B} \mid \mathbf{W}],\ \begin{bmatrix}\mathbf{I}_{2m^2} \otimes \mathsf{td}_{\mathbf{B}} \\ \mathbf{0}\end{bmatrix},\ \mathbf{I}_{2m^2} \otimes \mathbf{G},\ \sigma\big)$. It then samples $\mathbf{A} \xleftarrow{\$} \mathbb{Z}_q^{n \times m}$, $\mathbf{B}_i \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$ for each $i \in \{2, \ldots, s_{\max}\}$, $\mathbf{D}_u \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$ for each $u \in [N]$, $\mathbf{Q}_u \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$ for each $u \in [N]$, and a vector $\mathbf{y} \xleftarrow{\$} \mathbb{Z}_q^n$. It sets $\mathsf{pp} := (\mathbf{B}, \mathbf{W}, \mathbf{T})$. It outputs the public parameters
$$\mathsf{pk} = (\mathsf{pp}, n, m, q, \sigma, \chi, \chi_1, \chi_s, \mathbf{A}, \{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}}, \{\mathbf{D}_u\}_{u \in [N]}, \{\mathbf{Q}_u\}_{u \in [N]}, \mathbf{y})$$
and a master secret key $\mathsf{msk} = (\mathsf{pk}, \mathsf{td}_{\mathbf{B}})$.
• $\mathsf{Keygen}(\mathsf{msk}, U)$: The key generation algorithm takes as input the master secret key $\mathsf{msk}$ and an attribute set $U \subseteq \mathcal{U}$.
It first computes $\mathbf{V} \leftarrow \mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp}, 1^{(m+1)N}) \in \mathbb{Z}_q^{m \times (m+1)N}$ and parses it as $\mathbf{V} = [\mathbf{V}_1 \mid \cdots \mid \mathbf{V}_N]$ with $\mathbf{V}_u \in \mathbb{Z}_q^{m \times (m+1)}$ for all $u \in [N]$. Then it samples a vector $\hat{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi}$ and sets $\mathbf{t} = (1, \hat{\mathbf{t}}^\top)^\top \in \mathbb{Z}_q^{m+1}$. For each attribute $u \in U$, the algorithm samples $\hat{\mathbf{k}}_u \leftarrow D^m_{\mathbb{Z},\chi_s}$ and
$$\tilde{\mathbf{k}}_u \leftarrow \mathsf{SamplePre}\big(\mathbf{B}, \mathsf{td}_{\mathbf{B}}, (\mathbf{A}\mathbf{V}_u + \mathbf{Q}_u)\mathbf{t} - \mathbf{B}\hat{\mathbf{k}}_u, \chi_1\big),$$
and sets $\mathbf{k}_u = \hat{\mathbf{k}}_u + \tilde{\mathbf{k}}_u$. It outputs $\mathsf{sk} = (\{\mathbf{k}_u\}_{u \in U}, \mathbf{t})$.
• $\mathsf{Enc}(\mathsf{pk}, \mathsf{msg}, (\mathbf{M}, \rho))$: The encryption algorithm takes as input the public parameters $\mathsf{pk}$, a message $\mathsf{msg} \in \{0,1\}$, and an LSSS access policy $(\mathbf{M}, \rho)$, where $\mathbf{M} := (M_{i,j}) \in \{-1,0,1\}^{\ell \times s_{\max}}$ and $\rho : [\ell] \to [N]$. The function $\rho$ associates rows of $\mathbf{M}$ to attributes in $\mathcal{U}$. Assume that $\rho$ is injective (hence $\ell \leq N = |\mathcal{U}|$). The algorithm first computes
$$\mathbf{U}_{\rho(i)} \leftarrow M_{i,1}(\mathbf{y} \mid \mathbf{0} \mid \cdots \mid \mathbf{0}) + \sum_{2 \leq j \leq s_{\max}} M_{i,j}\mathbf{B}_j + \mathbf{Q}_{\rho(i)} \in \mathbb{Z}_q^{n \times (m+1)}, \quad \forall i \in [\ell],$$
$$\mathbf{U}_u \leftarrow \mathbf{Q}_u + \mathbf{D}_u \in \mathbb{Z}_q^{n \times (m+1)}, \quad \forall u \in [N] \setminus \rho([\ell]),$$
and sets $\mathbf{U} \leftarrow [\mathbf{U}_1 \mid \cdots \mid \mathbf{U}_N] \in \mathbb{Z}_q^{n \times (m+1)N}$. It then computes $\mathbf{C} \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{U}) \in \mathbb{Z}_q^{n \times m}$ and samples $\mathbf{s} \xleftarrow{\$} \mathbb{Z}_q^n$, $\mathbf{e}_1 \leftarrow D^m_{\mathbb{Z},\chi}$, $\mathbf{e}_2 \leftarrow D^m_{\mathbb{Z},\chi_s}$, $e_3 \leftarrow D_{\mathbb{Z},\chi_s}$. It then computes the ciphertext components $\mathbf{c}_1 \in \mathbb{Z}_q^m$, $\mathbf{c}_2 \in \mathbb{Z}_q^m$ and $c_3 \in \mathbb{Z}_q$ as follows:
$$\mathbf{c}_1^\top \leftarrow \mathbf{s}^\top\mathbf{B} + \mathbf{e}_1^\top, \qquad \mathbf{c}_2^\top \leftarrow \mathbf{s}^\top(\mathbf{A} + \mathbf{C}) + \mathbf{e}_2^\top, \qquad c_3 \leftarrow \mathbf{s}^\top\mathbf{y} + \mathsf{msg} \cdot \lceil q/2 \rfloor + e_3.$$
Then the algorithm outputs the ciphertext $\mathsf{ct} = (\mathbf{c}_1, \mathbf{c}_2, c_3)$.
• $\mathsf{Dec}(\mathsf{pk}, \mathsf{sk}, (\mathbf{M}, \rho), \mathsf{ct})$: The decryption algorithm takes as input the public parameters $\mathsf{pk}$ and a secret key $\mathsf{sk} = (\{\mathbf{k}_u\}_{u \in U}, \mathbf{t})$ for an attribute subset $U \subseteq \mathcal{U}$. If $(1, 0, \ldots, 0)$ is not in the span of the rows of $\mathbf{M}$ associated with $U$, then the decryption fails and outputs $\bot$. Otherwise, let $I \subseteq [\ell]$ be the set of row indices $I = \{i \in [\ell] \mid \rho(i) \in U\}$. First, the algorithm finds the reconstruction coefficients $\{w_i\}_{i \in I}$ such that $(1, 0, \ldots, 0) = \sum_{i \in I} w_i \mathbf{M}_i$, where $\mathbf{M}_i$ is the $i$-th row vector of $\mathbf{M}$. It then computes $\mathbf{V} \leftarrow \mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp}, 1^{(m+1)N})$ and parses it as $\mathbf{V} = [\mathbf{V}_1 \mid \mathbf{V}_2 \mid \cdots \mid \mathbf{V}_N]$, where $\mathbf{V}_i \in \mathbb{Z}_q^{m \times (m+1)}$. It then computes
$$\mathbf{U}_{\rho(i)} \leftarrow M_{i,1}(\mathbf{y} \mid \mathbf{0} \mid \cdots \mid \mathbf{0}) + \sum_{2 \leq j \leq s_{\max}} M_{i,j}\mathbf{B}_j + \mathbf{Q}_{\rho(i)} \in \mathbb{Z}_q^{n \times (m+1)}, \quad \forall i \in [\ell],$$
$$\mathbf{U}_u \leftarrow \mathbf{Q}_u + \mathbf{D}_u \in \mathbb{Z}_q^{n \times (m+1)}, \quad \forall u \in [N] \setminus \rho([\ell]),$$
and sets $\mathbf{U} \leftarrow [\mathbf{U}_1 \mid \cdots \mid \mathbf{U}_N] \in \mathbb{Z}_q^{n \times (m+1)N}$. It then computes $\mathbf{Z} \leftarrow \mathsf{Open}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{U}) \in \mathbb{Z}_q^{m \times (m+1)N}$ and parses $\mathbf{Z} := [\mathbf{Z}_1 \mid \cdots \mid \mathbf{Z}_N]$, where $\mathbf{Z}_i \in \mathbb{Z}_q^{m \times (m+1)}$. Finally, it computes
$$\mu \leftarrow c_3 - \sum_{i \in I} w_i\Big[\big(\mathbf{c}_2^\top\mathbf{V}_{\rho(i)} + \mathbf{c}_1^\top\mathbf{Z}_{\rho(i)}\big)\mathbf{t} - \mathbf{c}_1^\top\mathbf{k}_{\rho(i)}\Big] \bmod q,$$
and outputs $0$ if $-q/4 < \mu < q/4$ and $1$ otherwise.

Parameters. The parameters are selected as follows:
• $q/4 > N \cdot \mathrm{poly}(\lambda, \log N, m) \cdot \sigma \cdot (\chi + \chi_s)$ (for correctness);
• $m > 2n \log q + \omega(\log n)$ (for the leftover hash lemma);
• $\sigma = \mathrm{poly}(m, \lambda)$ (for succinct LWE);
• $\chi_1 > \mathrm{poly}(m, N, \sigma, \log q) \cdot \omega(\sqrt{\log n})$ (for preimage sampling);
• $\chi > \sqrt{m}\chi_1 \cdot \lambda^{\omega(1)}$ (for noise smudging/security);
• $\chi_s \geq \chi \cdot (\chi_1 + \sigma) \cdot \log q \cdot \log N \cdot \mathrm{poly}(m) \cdot \lambda^{\omega(1)}$ (for noise smudging/security).
For example, fix $0 < \varepsilon < 1$ such that $2m^2$-succinct LWE is hard for a $2^{n^\varepsilon}$ modulus-to-noise ratio. Specifically, we set $n = \mathrm{poly}(\lambda)$, $m = n \cdot \mathrm{poly}(\lambda)$, $\chi = \mathrm{poly}(n, N, \lambda) \cdot \lambda^{\omega(1)}$, $q = \mathrm{poly}(n, N, \lambda) \cdot \chi \cdot \lambda^{\omega(1)}$. This gives the following sizes for our CP-ABE scheme:
$$|\mathsf{pk}| = O(s_{\max}), \qquad |\mathsf{ct}| = O(1), \qquad |\mathsf{sk}| = O(N),$$
where $O(\cdot)$ hides a polynomial in $\lambda$. Note that $N$ scales with the input length of the $\mathsf{NC}^1$ circuit and $s_{\max}$ scales with the size of the circuit.

A. Correctness

Theorem 17 (Correctness). Suppose that $q > N \cdot \mathrm{poly}(\lambda, \log N, m) \cdot \sigma \cdot (\chi + \chi_s)$. Then Construction 1 is correct as a CP-ABE scheme.

Proof. We begin the proof by analyzing the term $\sum_{i \in I} w_i\big[(\mathbf{c}_2^\top\mathbf{V}_{\rho(i)} + \mathbf{c}_1^\top\mathbf{Z}_{\rho(i)})\mathbf{t} - \mathbf{c}_1^\top\mathbf{k}_{\rho(i)}\big]$.
First, by the commitment scheme, for all $u \in [N]$ we have $\mathbf{C}\mathbf{V}_u = \mathbf{U}_u - \mathbf{B}\mathbf{Z}_u$, and hence
$$\big(\mathbf{c}_2^\top\mathbf{V}_{\rho(i)} + \mathbf{c}_1^\top\mathbf{Z}_{\rho(i)}\big)\mathbf{t} \approx \mathbf{s}^\top\big(\mathbf{A}\mathbf{V}_{\rho(i)} + \mathbf{C}\mathbf{V}_{\rho(i)} + \mathbf{B}\mathbf{Z}_{\rho(i)}\big)\mathbf{t} = \mathbf{s}^\top\big(\mathbf{A}\mathbf{V}_{\rho(i)} + \mathbf{U}_{\rho(i)}\big)\mathbf{t} = \mathbf{s}^\top\Big(\mathbf{A}\mathbf{V}_{\rho(i)} + M_{i,1}(\mathbf{y} \mid \mathbf{0} \mid \cdots \mid \mathbf{0}) + \sum_{2 \leq j \leq s_{\max}} M_{i,j}\mathbf{B}_j + \mathbf{Q}_{\rho(i)}\Big)\mathbf{t}, \tag{4}$$
where "$\approx$" hides the error term. By the $\mathsf{Keygen}$ algorithm, for all $u \in U$ we have $\mathbf{k}_u = \hat{\mathbf{k}}_u + \tilde{\mathbf{k}}_u$ and $\mathbf{B}\tilde{\mathbf{k}}_u = (\mathbf{A}\mathbf{V}_u + \mathbf{Q}_u)\mathbf{t} - \mathbf{B}\hat{\mathbf{k}}_u$. Therefore, for all $i \in I$, we have
$$\mathbf{c}_1^\top\mathbf{k}_{\rho(i)} \approx \mathbf{s}^\top\mathbf{B}\mathbf{k}_{\rho(i)} = \mathbf{s}^\top\big(\mathbf{A}\mathbf{V}_{\rho(i)} + \mathbf{Q}_{\rho(i)}\big)\mathbf{t}. \tag{5}$$
Combining (4) and (5), we obtain
$$\sum_{i \in I} w_i\Big[\big(\mathbf{c}_2^\top\mathbf{V}_{\rho(i)} + \mathbf{c}_1^\top\mathbf{Z}_{\rho(i)}\big)\mathbf{t} - \mathbf{c}_1^\top\mathbf{k}_{\rho(i)}\Big] \approx \sum_{i \in I} \mathbf{s}^\top\Big(w_i M_{i,1}(\mathbf{y} \mid \mathbf{0} \mid \cdots \mid \mathbf{0}) + \sum_{2 \leq j \leq s_{\max}} w_i M_{i,j}\mathbf{B}_j\Big)\mathbf{t}. \tag{6}$$
From the LSSS access structure, if the rows with indices in $I$ satisfy the policy $(\mathbf{M}, \rho)$, we have $\sum_{i \in I} w_i M_{i,1} = 1$ and $\sum_{i \in I} w_i M_{i,j} = 0$ for all $j \in \{2, \ldots, s_{\max}\}$. Since $\mathbf{t} = (1 \mid \hat{\mathbf{t}}^\top)^\top$, we have
$$\sum_{i \in I} w_i\Big[\big(\mathbf{c}_2^\top\mathbf{V}_{\rho(i)} + \mathbf{c}_1^\top\mathbf{Z}_{\rho(i)}\big)\mathbf{t} - \mathbf{c}_1^\top\mathbf{k}_{\rho(i)}\Big] \approx \mathbf{s}^\top\mathbf{y}.$$
It follows that
$$c_3 - \sum_{i \in I} w_i\Big[\big(\mathbf{c}_2^\top\mathbf{V}_{\rho(i)} + \mathbf{c}_1^\top\mathbf{Z}_{\rho(i)}\big)\mathbf{t} - \mathbf{c}_1^\top\mathbf{k}_{\rho(i)}\Big] \approx \mathsf{msg} \cdot \lceil q/2 \rfloor,$$
where the error term is given by
$$e_3 - \sum_{i \in I} w_i\Big(\big(\mathbf{e}_2^\top\mathbf{V}_{\rho(i)} + \mathbf{e}_1^\top\mathbf{Z}_{\rho(i)}\big)\mathbf{t} - \mathbf{e}_1^\top\mathbf{k}_{\rho(i)}\Big).$$
The following bounds hold except with negligible probability:
• $\|\mathbf{k}_{\rho(i)}\| \leq \sqrt{m}\chi_s$ for all $i \in I$: Since $\tilde{\mathbf{k}}_u \leftarrow D^m_{\mathbb{Z},\chi_1}$ conditioned on $(\mathbf{A}\mathbf{V}_u + \mathbf{Q}_u)\mathbf{t} - \mathbf{B}\hat{\mathbf{k}}_u = \mathbf{B}\tilde{\mathbf{k}}_u$ and $\hat{\mathbf{k}}_u \leftarrow D^m_{\mathbb{Z},\chi_s}$, by the noise-smudging lemma (Lemma 2) we obtain $\hat{\mathbf{k}}_u + \tilde{\mathbf{k}}_u \approx_s \hat{\mathbf{k}}_u$, and hence $\|\mathbf{k}_u\| \leq \sqrt{m}\chi_s$ for all $u \in U$.
• $\|\mathbf{e}_1\| \leq \sqrt{m}\chi$, $\|\mathbf{e}_2\| \leq \sqrt{m}\chi_s$, $\|e_3\| \leq \chi_s$: This follows from $\mathbf{e}_1 \leftarrow D^m_{\mathbb{Z},\chi}$, $\mathbf{e}_2 \leftarrow D^m_{\mathbb{Z},\chi_s}$, $e_3 \leftarrow D_{\mathbb{Z},\chi_s}$ and Lemma 1.
• $\|\mathbf{V}_u\| \leq O(\sigma \cdot \mathrm{poly}(m) \cdot \log q)$, $\|\mathbf{Z}_u\| \leq O(\sigma \cdot \mathrm{poly}(m) \cdot \log q \cdot \log N)$: This follows from the matrix commitment (Lemma 12) and the fact that $\mathbf{T}$ is sampled as $\mathbf{T} \leftarrow \mathsf{SamplePre}\big([\mathbf{I}_{2m^2} \otimes \mathbf{B} \mid \mathbf{W}],\ \begin{bmatrix}\mathbf{I}_{2m^2} \otimes \mathsf{td}_{\mathbf{B}} \\ \mathbf{0}\end{bmatrix},\ \mathbf{I}_{2m^2} \otimes \mathbf{G},\ \sigma\big)$.
• $\|\mathbf{t}\| \leq \sqrt{m}\chi$: This follows from $\hat{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi}$ and $\mathbf{t} \leftarrow (1 \mid \hat{\mathbf{t}}^\top)^\top$.
By combining the results above with the fact that $w_i \in \{0,1\}$ by our restriction on the LSSS, the error term is bounded by $N \cdot \mathrm{poly}(\lambda, \log N, m) \cdot \sigma \cdot (\chi + \chi_s)$. Therefore, correctness holds under the condition stated in the theorem.

B. Selective Security

Theorem 18. Suppose the $2m^2$-succinct LWE assumption holds. Then Construction 1 is selectively secure.

Proof. We prove the selective security of Construction 1 by giving a sequence of hybrid games, and we claim that each adjacent pair of games is indistinguishable. Game $H_0$ corresponds to the real selective-security game (defined in Definition 16), while in the final game the challenge bit is information-theoretically hidden, so the adversary's advantage there is $0$. Therefore, the adversary's advantage in the real game is negligible.

Throughout the hybrid games, the adversary $\mathcal{A}$ first commits to an access policy $(\mathbf{M}, \rho)$, in which $\mathbf{M} = (M_{i,j}) \in \{-1,0,1\}^{\ell \times s_{\max}}$ and $\rho : [\ell] \to [N]$ is an injective row-labeling function for $\mathbf{M}$. Then the challenger sends the public parameters to $\mathcal{A}$. In the key query phase, the adversary can query secret keys for attribute sets $U$ such that the row indices in $\rho^{-1}(U)$ are not authorized with respect to the access policy $(\mathbf{M}, \rho)$. In the challenge phase, the challenger tosses a coin $b \xleftarrow{\$} \{0,1\}$ and provides the ciphertext of the bit $b$ under the committed policy $(\mathbf{M}, \rho)$. Finally, in the guess phase, the adversary outputs a guess bit $\hat{b}$ for $b$.

Game $H_0$. This game corresponds to the real selective security game for our CP-ABE scheme.
Setup phase:
1. $(\mathbf{B}, \mathsf{td}_{\mathbf{B}}) \leftarrow \mathsf{TrapGen}(1^n, 1^m, q)$.
2. $\mathbf{W} \xleftarrow{\$} \mathbb{Z}_q^{2m^2 n \times m}$.
3. $\mathbf{T} \leftarrow \mathsf{SamplePre}\big([\mathbf{I}_{2m^2} \otimes \mathbf{B} \mid \mathbf{W}],\ \begin{bmatrix}\mathbf{I}_{2m^2} \otimes \mathsf{td}_{\mathbf{B}} \\ \mathbf{0}\end{bmatrix},\ \mathbf{I}_{2m^2} \otimes \mathbf{G},\ \sigma\big)$.
4. $\mathsf{pp} := (\mathbf{B}, \mathbf{W}, \mathbf{T})$.
5. $\mathbf{A} \xleftarrow{\$} \mathbb{Z}_q^{n \times m}$.
6. $\mathbf{y} \xleftarrow{\$} \mathbb{Z}_q^n$.
7. $\{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
8. $\{\mathbf{D}_u\}_{u \in [N]} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
9. $\{\mathbf{Q}_u\}_{u \in [N]} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
10. $\mathsf{pk} = (\mathsf{pp}, n, m, q, \sigma, \chi, \chi_1, \chi_s, \mathbf{A}, \{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}}, \{\mathbf{D}_u\}_{u \in [N]}, \{\mathbf{Q}_u\}_{u \in [N]}, \mathbf{y})$.
Secret-key query for attribute set $U$:
1. $\mathbf{V} = [\mathbf{V}_1 \mid \cdots \mid \mathbf{V}_N] \leftarrow \mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp}, 1^{(m+1)N})$.
2. $\hat{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi}$.
3. $\mathbf{t} = (1, \hat{\mathbf{t}}^\top)^\top \in \mathbb{Z}_q^{m+1}$.
4. $\{\hat{\mathbf{k}}_u\}_{u \in U} \leftarrow D^m_{\mathbb{Z},\chi_s}$.
5. $\forall u \in U$: $\tilde{\mathbf{k}}_u \leftarrow \mathsf{SamplePre}\big(\mathbf{B}, \mathsf{td}_{\mathbf{B}}, (\mathbf{A}\mathbf{V}_u + \mathbf{Q}_u)\mathbf{t} - \mathbf{B}\hat{\mathbf{k}}_u, \chi_1\big)$.
6. $\forall u \in U$: $\mathbf{k}_u \leftarrow \hat{\mathbf{k}}_u + \tilde{\mathbf{k}}_u$.
7. $\mathsf{sk} \leftarrow (\{\mathbf{k}_u\}_{u \in U}, \mathbf{t})$.
Challenge phase:
1. $\mathsf{msg} \xleftarrow{\$} \{0,1\}$.
2. $\forall i \in [\ell]$: $\mathbf{U}_{\rho(i)} \leftarrow M_{i,1}(\mathbf{y} \mid \mathbf{0} \mid \cdots \mid \mathbf{0}) + \sum_{2 \leq j \leq s_{\max}} M_{i,j}\mathbf{B}_j + \mathbf{Q}_{\rho(i)}$.
3. $\forall u \in [N] \setminus \rho([\ell])$: $\mathbf{U}_u \leftarrow \mathbf{Q}_u + \mathbf{D}_u$.
4. $\mathbf{U} \leftarrow [\mathbf{U}_1 \mid \cdots \mid \mathbf{U}_N]$.
5. $\mathbf{C} \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{U})$.
6. $\mathbf{s} \xleftarrow{\$} \mathbb{Z}_q^n$.
7. $\mathbf{e}_1 \leftarrow D^m_{\mathbb{Z},\chi}$.
8. $\mathbf{e}_2 \leftarrow D^m_{\mathbb{Z},\chi_s}$.
9. $e_3 \leftarrow D_{\mathbb{Z},\chi_s}$.
10. $\mathbf{c}_1^\top \leftarrow \mathbf{s}^\top\mathbf{B} + \mathbf{e}_1^\top$.
11. $\mathbf{c}_2^\top \leftarrow \mathbf{s}^\top(\mathbf{A} + \mathbf{C}) + \mathbf{e}_2^\top$.
12. $c_3 \leftarrow \mathbf{s}^\top\mathbf{y} + \mathsf{msg} \cdot \lceil q/2 \rfloor + e_3$.
13. $\mathsf{ct} \leftarrow (\mathbf{c}_1, \mathbf{c}_2, c_3)$.

Game $H_1$. This game is defined identically to Game $H_0$, except for how the matrix $\mathbf{A}$ is sampled and how the matrices $\{\mathbf{U}_u\}_{u \in [N]}$ and $\{\mathbf{Q}_u\}_{u \in [N]}$ are generated during the setup phase. The indistinguishability between Game $H_0$ and Game $H_1$ (Lemma 19) follows from the fact that this change is merely syntactic.
Setup phase:
1. $(\mathbf{B}, \mathsf{td}_{\mathbf{B}}) \leftarrow \mathsf{TrapGen}(1^n, 1^m, q)$.
2. $\mathbf{W} \xleftarrow{\$} \mathbb{Z}_q^{2m^2 n \times m}$.
3. $\mathbf{T} \leftarrow \mathsf{SamplePre}\big([\mathbf{I}_{2m^2} \otimes \mathbf{B} \mid \mathbf{W}],\ \begin{bmatrix}\mathbf{I}_{2m^2} \otimes \mathsf{td}_{\mathbf{B}} \\ \mathbf{0}\end{bmatrix},\ \mathbf{I}_{2m^2} \otimes \mathbf{G},\ \sigma\big)$.
4. $\mathsf{pp} := (\mathbf{B}, \mathbf{W}, \mathbf{T})$.
5. $\mathbf{A}' \xleftarrow{\$} \mathbb{Z}_q^{n \times m}$.
6. $\mathbf{y} \xleftarrow{\$} \mathbb{Z}_q^n$.
7. $\{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
8. $\{\mathbf{U}_u\}_{u \in [N]} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
9. $\{\mathbf{D}_u\}_{u \in [N]} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
10. $\forall u \in \rho([\ell])$: $\mathbf{Q}_u \leftarrow \mathbf{U}_u - \Big(M_{\rho^{-1}(u),1}(\mathbf{y} \mid \mathbf{0} \mid \cdots \mid \mathbf{0}) + \sum_{2 \leq j \leq s_{\max}} M_{\rho^{-1}(u),j}\mathbf{B}_j\Big)$.
11. $\forall u \in [N] \setminus \rho([\ell])$: $\mathbf{Q}_u \leftarrow \mathbf{U}_u - \mathbf{D}_u$.
12. $\mathbf{U} \leftarrow [\mathbf{U}_1 \mid \cdots \mid \mathbf{U}_N]$.
13. $\mathbf{C} \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{U})$.
14. $\mathbf{A} \leftarrow \mathbf{A}' - \mathbf{C} \in \mathbb{Z}_q^{n \times m}$.
15. $\mathsf{pk} = (\mathsf{pp}, n, m, q, \sigma, \chi, \chi_1, \chi_s, \mathbf{A}, \{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}}, \{\mathbf{D}_u\}_{u \in [N]}, \{\mathbf{Q}_u\}_{u \in [N]}, \mathbf{y})$.
Secret-key query for attribute set $U$:
1. $\mathbf{V} = [\mathbf{V}_1 \mid \cdots \mid \mathbf{V}_N] \leftarrow \mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp}, 1^{(m+1)N})$.
2. $\hat{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi}$.
3. $\mathbf{t} = (1, \hat{\mathbf{t}}^\top)^\top \in \mathbb{Z}_q^{m+1}$.
4. $\{\hat{\mathbf{k}}_u\}_{u \in U} \leftarrow D^m_{\mathbb{Z},\chi_s}$.
5. $\forall u \in U$: $\tilde{\mathbf{k}}_u \leftarrow \mathsf{SamplePre}\big(\mathbf{B}, \mathsf{td}_{\mathbf{B}}, (\mathbf{A}\mathbf{V}_u + \mathbf{Q}_u)\mathbf{t} - \mathbf{B}\hat{\mathbf{k}}_u, \chi_1\big)$.
6. $\forall u \in U$: $\mathbf{k}_u \leftarrow \hat{\mathbf{k}}_u + \tilde{\mathbf{k}}_u$.
7. $\mathsf{sk} \leftarrow (\{\mathbf{k}_u\}_{u \in U}, \mathbf{t})$.
Challenge phase:
1. $\mathsf{msg} \xleftarrow{\$} \{0,1\}$.
2. $\mathbf{s} \xleftarrow{\$} \mathbb{Z}_q^n$.
3. $\mathbf{e}_1 \leftarrow D^m_{\mathbb{Z},\chi}$.
4. $\mathbf{e}_2 \leftarrow D^m_{\mathbb{Z},\chi_s}$.
5. $e_3 \leftarrow D_{\mathbb{Z},\chi_s}$.
6. $\mathbf{c}_1^\top \leftarrow \mathbf{s}^\top\mathbf{B} + \mathbf{e}_1^\top$.
7. $\mathbf{c}_2^\top \leftarrow \mathbf{s}^\top(\mathbf{A} + \mathbf{C}) + \mathbf{e}_2^\top$.
8. $c_3 \leftarrow \mathbf{s}^\top\mathbf{y} + \mathsf{msg} \cdot \lceil q/2 \rfloor + e_3$.
9. $\mathsf{ct} \leftarrow (\mathbf{c}_1, \mathbf{c}_2, c_3)$.

Game $H_2$. This game is defined identically to Game $H_1$, except for the way the challenger generates the matrices $\mathbf{A}'$, $\{\mathbf{U}_u\}_{u \in [N]}$ and the vector $\mathbf{y}$ during the setup phase. The indistinguishability between Games $H_1$ and $H_2$ (Lemma 20) follows from the leftover hash lemma with trapdoor (Lemma 5).
Setup phase:
1. $(\mathbf{B}, \mathsf{td}_{\mathbf{B}}) \leftarrow \mathsf{TrapGen}(1^n, 1^m, q)$.
2. $\mathbf{W} \xleftarrow{\$} \mathbb{Z}_q^{2m^2 n \times m}$.
3. $\mathbf{T} \leftarrow \mathsf{SamplePre}\big([\mathbf{I}_{2m^2} \otimes \mathbf{B} \mid \mathbf{W}],\ \begin{bmatrix}\mathbf{I}_{2m^2} \otimes \mathsf{td}_{\mathbf{B}} \\ \mathbf{0}\end{bmatrix},\ \mathbf{I}_{2m^2} \otimes \mathbf{G},\ \sigma\big)$.
4. $\mathsf{pp} := (\mathbf{B}, \mathbf{W}, \mathbf{T})$.
5. $\mathbf{R} \xleftarrow{\$} \{-1,1\}^{m \times m}$, $\{\mathbf{R}_u\}_{u \in [N]} \xleftarrow{\$} \{-1,1\}^{m \times (m+1)}$, $\mathbf{r} \xleftarrow{\$} \{-1,1\}^m$.
6. $\mathbf{A}' \leftarrow \mathbf{B}\mathbf{R}$.
7. $\mathbf{y} \leftarrow \mathbf{B}\mathbf{r}$.
8. $\{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
9. $\forall u \in [N]$: $\mathbf{U}_u \leftarrow \mathbf{B}\mathbf{R}_u$.
10. $\{\mathbf{D}_u\}_{u \in [N]} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
11. $\forall u \in \rho([\ell])$: $\mathbf{Q}_u \leftarrow \mathbf{U}_u - \Big(M_{\rho^{-1}(u),1}(\mathbf{y} \mid \mathbf{0} \mid \cdots \mid \mathbf{0}) + \sum_{2 \leq j \leq s_{\max}} M_{\rho^{-1}(u),j}\mathbf{B}_j\Big)$.
12. $\forall u \in [N] \setminus \rho([\ell])$: $\mathbf{Q}_u \leftarrow \mathbf{U}_u - \mathbf{D}_u$.
13. $\mathbf{U} \leftarrow [\mathbf{U}_1 \mid \cdots \mid \mathbf{U}_N]$.
14. $\mathbf{C} \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{U})$.
15. $\mathbf{A} \leftarrow \mathbf{A}' - \mathbf{C} \in \mathbb{Z}_q^{n \times m}$.
16. $\mathsf{pk} = (\mathsf{pp}, n, m, q, \sigma, \chi, \chi_1, \chi_s, \mathbf{A}, \{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}}, \{\mathbf{D}_u\}_{u \in [N]}, \{\mathbf{Q}_u\}_{u \in [N]}, \mathbf{y})$.
Secret-key query for attribute set $U$:
1. $\mathbf{V} = [\mathbf{V}_1 \mid \cdots \mid \mathbf{V}_N] \leftarrow \mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp}, 1^{(m+1)N})$.
2. $\hat{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi}$.
3. $\mathbf{t} = (1, \hat{\mathbf{t}}^\top)^\top \in \mathbb{Z}_q^{m+1}$.
4. $\{\hat{\mathbf{k}}_u\}_{u \in U} \leftarrow D^m_{\mathbb{Z},\chi_s}$.
5. $\forall u \in U$: $\tilde{\mathbf{k}}_u \leftarrow \mathsf{SamplePre}\big(\mathbf{B}, \mathsf{td}_{\mathbf{B}}, (\mathbf{A}\mathbf{V}_u + \mathbf{Q}_u)\mathbf{t} - \mathbf{B}\hat{\mathbf{k}}_u, \chi_1\big)$.
6. $\forall u \in U$: $\mathbf{k}_u \leftarrow \hat{\mathbf{k}}_u + \tilde{\mathbf{k}}_u$.
7. $\mathsf{sk} \leftarrow (\{\mathbf{k}_u\}_{u \in U}, \mathbf{t})$.
Challenge phase:
1. $\mathsf{msg} \xleftarrow{\$} \{0,1\}$.
2. $\mathbf{s} \xleftarrow{\$} \mathbb{Z}_q^n$.
3. $\mathbf{e}_1 \leftarrow D^m_{\mathbb{Z},\chi}$.
4. $\mathbf{e}_2 \leftarrow D^m_{\mathbb{Z},\chi_s}$.
5. $e_3 \leftarrow D_{\mathbb{Z},\chi_s}$.
6. $\mathbf{c}_1^\top \leftarrow \mathbf{s}^\top\mathbf{B} + \mathbf{e}_1^\top$.
7. $\mathbf{c}_2^\top \leftarrow \mathbf{s}^\top(\mathbf{A} + \mathbf{C}) + \mathbf{e}_2^\top$.
8. $c_3 \leftarrow \mathbf{s}^\top\mathbf{y} + \mathsf{msg} \cdot \lceil q/2 \rfloor + e_3$.
9. $\mathsf{ct} \leftarrow (\mathbf{c}_1, \mathbf{c}_2, c_3)$.

Game $H_3$. This game is identical to Game $H_2$, except for how the challenger generates the responses to secret-key queries. The indistinguishability between Games $H_2$ and $H_3$ (Lemma 21) follows from the noise-smudging lemma (Lemma 2).
Setup phase:
1. $(\mathbf{B}, \mathsf{td}_{\mathbf{B}}) \leftarrow \mathsf{TrapGen}(1^n, 1^m, q)$.
2. $\mathbf{W} \xleftarrow{\$} \mathbb{Z}_q^{2m^2 n \times m}$.
3. $\mathbf{T} \leftarrow \mathsf{SamplePre}\big([\mathbf{I}_{2m^2} \otimes \mathbf{B} \mid \mathbf{W}],\ \begin{bmatrix}\mathbf{I}_{2m^2} \otimes \mathsf{td}_{\mathbf{B}} \\ \mathbf{0}\end{bmatrix},\ \mathbf{I}_{2m^2} \otimes \mathbf{G},\ \sigma\big)$.
4. $\mathsf{pp} := (\mathbf{B}, \mathbf{W}, \mathbf{T})$.
5. $\mathbf{R} \xleftarrow{\$} \{-1,1\}^{m \times m}$, $\{\mathbf{R}_u\}_{u \in [N]} \xleftarrow{\$} \{-1,1\}^{m \times (m+1)}$, $\mathbf{r} \xleftarrow{\$} \{-1,1\}^m$.
6. $\mathbf{A}' \leftarrow \mathbf{B}\mathbf{R}$.
7. $\mathbf{y} \leftarrow \mathbf{B}\mathbf{r}$.
8. $\{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
9. $\forall i \in \{2, \ldots, s_{\max}\}$: $\mathbf{B}_i := [\mathbf{b}'_i \mid \mathbf{B}'_i]$, where $\mathbf{b}'_i \in \mathbb{Z}_q^n$ and $\mathbf{B}'_i \in \mathbb{Z}_q^{n \times m}$.
10. $\forall u \in \rho([\ell])$: $\mathbf{N}_u \leftarrow \sum_{2 \leq j \leq s_{\max}} M_{\rho^{-1}(u),j}\mathbf{B}'_j$.
11. $\forall u \in [N]$: $\mathbf{U}_u \leftarrow \mathbf{B}\mathbf{R}_u$.
12. $\{\mathbf{D}_u\}_{u \in [N]} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
13. $\forall u \in [N]$: $\mathbf{D}_u := [\mathbf{d}'_u \mid \mathbf{D}'_u]$, where $\mathbf{d}'_u \in \mathbb{Z}_q^n$ and $\mathbf{D}'_u \in \mathbb{Z}_q^{n \times m}$.
14. $\forall u \in \rho([\ell])$: $\mathbf{Q}_u \leftarrow \mathbf{U}_u - \Big(M_{\rho^{-1}(u),1}(\mathbf{y} \mid \mathbf{0} \mid \cdots \mid \mathbf{0}) + \sum_{2 \leq j \leq s_{\max}} M_{\rho^{-1}(u),j}\mathbf{B}_j\Big)$.
15. $\forall u \in [N] \setminus \rho([\ell])$: $\mathbf{Q}_u \leftarrow \mathbf{U}_u - \mathbf{D}_u$.
16. $\mathbf{U} \leftarrow [\mathbf{U}_1 \mid \cdots \mid \mathbf{U}_N]$.
17. $\mathbf{C} \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{U})$.
18. $\mathbf{A} \leftarrow \mathbf{A}' - \mathbf{C} \in \mathbb{Z}_q^{n \times m}$.
19. $\mathsf{pk} = (\mathsf{pp}, n, m, q, \sigma, \chi, \chi_1, \chi_s, \mathbf{A}, \{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}}, \{\mathbf{D}_u\}_{u \in [N]}, \{\mathbf{Q}_u\}_{u \in [N]}, \mathbf{y})$.
Secret-key query for attribute set $U$:
1. $\mathbf{V} = [\mathbf{V}_1 \mid \cdots \mid \mathbf{V}_N] \leftarrow \mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp}, 1^{(m+1)N})$.
2. $\mathbf{Z} = [\mathbf{Z}_1 \mid \cdots \mid \mathbf{Z}_N] \leftarrow \mathsf{Open}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{U})$.
3. $\hat{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi}$.
4. $\mathbf{t} = (1, \hat{\mathbf{t}}^\top)^\top \in \mathbb{Z}_q^{m+1}$.
5. $\{\hat{\mathbf{k}}_u\}_{u \in U} \leftarrow D^m_{\mathbb{Z},\chi_s}$.
6. $\forall u \in U \cap \rho([\ell])$: $\tilde{\mathbf{k}}_u \leftarrow \mathsf{SamplePre}\Big(\mathbf{B}, \mathsf{td}_{\mathbf{B}}, -M_{\rho^{-1}(u),1}\mathbf{y} - \sum_{2 \leq j \leq s_{\max}} M_{\rho^{-1}(u),j}\mathbf{b}'_j - \mathbf{N}_u\hat{\mathbf{t}} - \mathbf{B}\hat{\mathbf{k}}_u, \chi_1\Big)$.
7. $\forall u \in U \setminus \rho([\ell])$: $\tilde{\mathbf{k}}_u \leftarrow \mathsf{SamplePre}\big(\mathbf{B}, \mathsf{td}_{\mathbf{B}}, -\mathbf{d}'_u - \mathbf{D}'_u\hat{\mathbf{t}} - \mathbf{B}\hat{\mathbf{k}}_u, \chi_1\big)$.
8. $\forall u \in U$: $\mathbf{k}_u \leftarrow \hat{\mathbf{k}}_u + \tilde{\mathbf{k}}_u + \mathbf{R}\mathbf{V}_u\mathbf{t} + \mathbf{Z}_u\mathbf{t}$.
9. $\mathsf{sk} \leftarrow (\{\mathbf{k}_u\}_{u \in U}, \mathbf{t})$.
Challenge phase:
1. $\mathsf{msg} \xleftarrow{\$} \{0,1\}$.
2. $\mathbf{s} \xleftarrow{\$} \mathbb{Z}_q^n$.
3. $\mathbf{e}_1 \leftarrow D^m_{\mathbb{Z},\chi}$.
4. $\mathbf{e}_2 \leftarrow D^m_{\mathbb{Z},\chi_s}$.
5. $e_3 \leftarrow D_{\mathbb{Z},\chi_s}$.
6. $\mathbf{c}_1^\top \leftarrow \mathbf{s}^\top\mathbf{B} + \mathbf{e}_1^\top$.
7. $\mathbf{c}_2^\top \leftarrow \mathbf{s}^\top(\mathbf{A} + \mathbf{C}) + \mathbf{e}_2^\top$.
8. $c_3 \leftarrow \mathbf{s}^\top\mathbf{y} + \mathsf{msg} \cdot \lceil q/2 \rfloor + e_3$.
9. $\mathsf{ct} \leftarrow (\mathbf{c}_1, \mathbf{c}_2, c_3)$.

Game $H_4$. This game is identical to Game $H_3$, except for how the challenger generates the responses to secret-key queries. More precisely, for each secret-key query in this game, the challenger samples $\hat{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi}$ and $\tilde{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi_1}$, and sets the last $m$ entries of $\mathbf{t}$ to be $\hat{\mathbf{t}} + \tilde{\mathbf{t}}$. The indistinguishability between Game $H_3$ and Game $H_4$ (Lemma 22) follows from the noise-smudging lemma (Lemma 2).
Setup phase:
1. $(\mathbf{B}, \mathsf{td}_{\mathbf{B}}) \leftarrow \mathsf{TrapGen}(1^n, 1^m, q)$.
2. $\mathbf{W} \xleftarrow{\$} \mathbb{Z}_q^{2m^2 n \times m}$.
3. $\mathbf{T} \leftarrow \mathsf{SamplePre}\big([\mathbf{I}_{2m^2} \otimes \mathbf{B} \mid \mathbf{W}],\ \begin{bmatrix}\mathbf{I}_{2m^2} \otimes \mathsf{td}_{\mathbf{B}} \\ \mathbf{0}\end{bmatrix},\ \mathbf{I}_{2m^2} \otimes \mathbf{G},\ \sigma\big)$.
4. $\mathsf{pp} := (\mathbf{B}, \mathbf{W}, \mathbf{T})$.
5. $\mathbf{R} \xleftarrow{\$} \{-1,1\}^{m \times m}$, $\{\mathbf{R}_u\}_{u \in [N]} \xleftarrow{\$} \{-1,1\}^{m \times (m+1)}$, $\mathbf{r} \xleftarrow{\$} \{-1,1\}^m$.
6. $\mathbf{A}' \leftarrow \mathbf{B}\mathbf{R}$.
7. $\mathbf{y} \leftarrow \mathbf{B}\mathbf{r}$.
8. $\{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
9. $\forall i \in \{2, \ldots, s_{\max}\}$: $\mathbf{B}_i := [\mathbf{b}'_i \mid \mathbf{B}'_i]$, where $\mathbf{b}'_i \in \mathbb{Z}_q^n$ and $\mathbf{B}'_i \in \mathbb{Z}_q^{n \times m}$.
10. $\forall u \in \rho([\ell])$: $\mathbf{N}_u \leftarrow \sum_{2 \leq j \leq s_{\max}} M_{\rho^{-1}(u),j}\mathbf{B}'_j$.
11. $\forall u \in [N]$: $\mathbf{U}_u \leftarrow \mathbf{B}\mathbf{R}_u$.
12. $\{\mathbf{D}_u\}_{u \in [N]} \xleftarrow{\$} \mathbb{Z}_q^{n \times (m+1)}$.
13. $\forall u \in [N]$: $\mathbf{D}_u := [\mathbf{d}'_u \mid \mathbf{D}'_u]$, where $\mathbf{d}'_u \in \mathbb{Z}_q^n$ and $\mathbf{D}'_u \in \mathbb{Z}_q^{n \times m}$.
14. $\forall u \in \rho([\ell])$: $\mathbf{Q}_u \leftarrow \mathbf{U}_u - \Big(M_{\rho^{-1}(u),1}(\mathbf{y} \mid \mathbf{0} \mid \cdots \mid \mathbf{0}) + \sum_{2 \leq j \leq s_{\max}} M_{\rho^{-1}(u),j}\mathbf{B}_j\Big)$.
15. $\forall u \in [N] \setminus \rho([\ell])$: $\mathbf{Q}_u \leftarrow \mathbf{U}_u - \mathbf{D}_u$.
16. $\mathbf{U} \leftarrow [\mathbf{U}_1 \mid \cdots \mid \mathbf{U}_N]$.
17. $\mathbf{C} \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{U})$.
18. $\mathbf{A} \leftarrow \mathbf{A}' - \mathbf{C} \in \mathbb{Z}_q^{n \times m}$.
19. $\mathsf{pk} = (\mathsf{pp}, n, m, q, \sigma, \chi, \chi_1, \chi_s, \mathbf{A}, \{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}}, \{\mathbf{D}_u\}_{u \in [N]}, \{\mathbf{Q}_u\}_{u \in [N]}, \mathbf{y})$.
Secret-key query for attribute set $U$:
1. $\mathbf{V} = [\mathbf{V}_1 \mid \cdots \mid \mathbf{V}_N] \leftarrow \mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp}, 1^{(m+1)N})$.
2. $\mathbf{Z} = [\mathbf{Z}_1 \mid \cdots \mid \mathbf{Z}_N] \leftarrow \mathsf{Open}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{U})$.
3. $\hat{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi}$.
4. $\tilde{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi_1}$.
5. $\mathbf{t} = (1, \hat{\mathbf{t}}^\top + \tilde{\mathbf{t}}^\top)^\top \in \mathbb{Z}_q^{m+1}$.
6. $\{\hat{\mathbf{k}}_u\}_{u \in U} \leftarrow D^m_{\mathbb{Z},\chi_s}$.
7. $\forall u \in U \cap \rho([\ell])$: $\tilde{\mathbf{k}}_u \leftarrow \mathsf{SamplePre}\Big(\mathbf{B}, \mathsf{td}_{\mathbf{B}}, -M_{\rho^{-1}(u),1}\mathbf{y} - \sum_{2 \leq j \leq s_{\max}} M_{\rho^{-1}(u),j}\mathbf{b}'_j - \mathbf{N}_u\hat{\mathbf{t}} - \mathbf{N}_u\tilde{\mathbf{t}} - \mathbf{B}\hat{\mathbf{k}}_u, \chi_1\Big)$.
8. $\forall u \in U \setminus \rho([\ell])$: $\tilde{\mathbf{k}}_u \leftarrow \mathsf{SamplePre}\big(\mathbf{B}, \mathsf{td}_{\mathbf{B}}, -\mathbf{d}'_u - \mathbf{D}'_u\hat{\mathbf{t}} - \mathbf{D}'_u\tilde{\mathbf{t}} - \mathbf{B}\hat{\mathbf{k}}_u, \chi_1\big)$.
9. $\forall u \in U$: $\mathbf{k}_u \leftarrow \hat{\mathbf{k}}_u + \tilde{\mathbf{k}}_u + \mathbf{R}\mathbf{V}_u\mathbf{t} + \mathbf{Z}_u\mathbf{t}$.
10. $\mathsf{sk} \leftarrow (\{\mathbf{k}_u\}_{u \in U}, \mathbf{t})$.
Challenge phase:
1. $\mathsf{msg} \xleftarrow{\$} \{0,1\}$.
2. $\mathbf{s} \xleftarrow{\$} \mathbb{Z}_q^n$.
3. $\mathbf{e}_1 \leftarrow D^m_{\mathbb{Z},\chi}$.
4. $\mathbf{e}_2 \leftarrow D^m_{\mathbb{Z},\chi_s}$.
5. $e_3 \leftarrow D_{\mathbb{Z},\chi_s}$.
6. $\mathbf{c}_1^\top \leftarrow \mathbf{s}^\top\mathbf{B} + \mathbf{e}_1^\top$.
7. $\mathbf{c}_2^\top \leftarrow \mathbf{s}^\top(\mathbf{A} + \mathbf{C}) + \mathbf{e}_2^\top$.
8. $c_3 \leftarrow \mathbf{s}^\top\mathbf{y} + \mathsf{msg} \cdot \lceil q/2 \rfloor + e_3$.
9. $\mathsf{ct} \leftarrow (\mathbf{c}_1, \mathbf{c}_2, c_3)$.

Game $H_5$. This game is identical to Game $H_4$, except for how the challenger generates the matrices $\{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}}$ and $\{\mathbf{D}_u\}_{u \in [N]}$, which are no longer sampled uniformly at random. In this game, the vector $\mathbf{u}_i \in \{0,1\}^{N + s_{\max} - 1}$ denotes the unit vector whose $i$-th entry is $1$. The indistinguishability between Game $H_4$ and Game $H_5$ (Lemma 23) follows from the leftover hash lemma with trapdoor (Lemma 5).
Setup phase:
1. $(\mathbf{B}, \mathsf{td}_{\mathbf{B}}) \leftarrow \mathsf{TrapGen}(1^n, 1^m, q)$.
2. $\mathbf{W} \xleftarrow{\$} \mathbb{Z}_q^{2m^2 n \times m}$.
3. $\mathbf{T} \leftarrow \mathsf{SamplePre}\big([\mathbf{I}_{2m^2} \otimes \mathbf{B} \mid \mathbf{W}],\ \begin{bmatrix}\mathbf{I}_{2m^2} \otimes \mathsf{td}_{\mathbf{B}} \\ \mathbf{0}\end{bmatrix},\ \mathbf{I}_{2m^2} \otimes \mathbf{G},\ \sigma\big)$.
4. $\mathsf{pp} := (\mathbf{B}, \mathbf{W}, \mathbf{T})$.
5. $\mathbf{R} \xleftarrow{\$} \{-1,1\}^{m \times m}$, $\{\mathbf{R}_u\}_{u \in [N]} \xleftarrow{\$} \{-1,1\}^{m \times (m+1)}$, $\mathbf{r} \xleftarrow{\$} \{-1,1\}^m$, $\{\mathbf{R}'_i\}_{i \in \{2, \ldots, s_{\max}\}} \xleftarrow{\$} \{-1,1\}^{m \times m}$, $\{\mathbf{R}''_u\}_{u \in [N]} \xleftarrow{\$} \{-1,1\}^{m \times m}$.
6. $\mathbf{A}' \leftarrow \mathbf{B}\mathbf{R}$.
7. $\mathbf{y} \leftarrow \mathbf{B}\mathbf{r}$.
8. $\forall i \in \{2, \ldots, s_{\max}\}$: $\mathbf{C}_i \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{u}_{i-1} \otimes \mathbf{G})$.
9. $\forall u \in [N]$: $\mathbf{C}'_u \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{u}_{u + s_{\max} - 1} \otimes \mathbf{G})$.
10. $\{\mathbf{b}'_i\}_{i \in \{2, \ldots, s_{\max}\}} \xleftarrow{\$} \mathbb{Z}_q^n$.
11. $\forall i \in \{2, \ldots, s_{\max}\}$: $\mathbf{B}'_i \leftarrow \mathbf{B}\mathbf{R}'_i + \mathbf{C}_i$.
12. $\forall i \in \{2, \ldots, s_{\max}\}$: $\mathbf{B}_i := [\mathbf{b}'_i \mid \mathbf{B}'_i] \in \mathbb{Z}_q^{n \times (m+1)}$.
13. $\forall u \in \rho([\ell])$: $\mathbf{N}_u \leftarrow \sum_{2 \leq j \leq s_{\max}} M_{\rho^{-1}(u),j}\mathbf{B}'_j$.
14. $\forall u \in [N]$: $\mathbf{U}_u \leftarrow \mathbf{B}\mathbf{R}_u$.
15. $\{\mathbf{d}'_u\}_{u \in [N]} \xleftarrow{\$} \mathbb{Z}_q^n$.
16. $\forall u \in [N]$: $\mathbf{D}'_u \leftarrow \mathbf{B}\mathbf{R}''_u + \mathbf{C}'_u$.
17. $\forall u \in [N]$: $\mathbf{D}_u := [\mathbf{d}'_u \mid \mathbf{D}'_u] \in \mathbb{Z}_q^{n \times (m+1)}$.
18. $\forall u \in \rho([\ell])$: $\mathbf{Q}_u \leftarrow \mathbf{U}_u - \Big(M_{\rho^{-1}(u),1}(\mathbf{y} \mid \mathbf{0} \mid \cdots \mid \mathbf{0}) + \sum_{2 \leq j \leq s_{\max}} M_{\rho^{-1}(u),j}\mathbf{B}_j\Big)$.
19. $\forall u \in [N] \setminus \rho([\ell])$: $\mathbf{Q}_u \leftarrow \mathbf{U}_u - \mathbf{D}_u$.
20. $\mathbf{U} \leftarrow [\mathbf{U}_1 \mid \cdots \mid \mathbf{U}_N]$.
21. $\mathbf{C} \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{U})$.
22. $\mathbf{A} \leftarrow \mathbf{A}' - \mathbf{C} \in \mathbb{Z}_q^{n \times m}$.
23. $\mathsf{pk} = (\mathsf{pp}, n, m, q, \sigma, \chi, \chi_1, \chi_s, \mathbf{A}, \{\mathbf{B}_i\}_{i \in \{2, \ldots, s_{\max}\}}, \{\mathbf{D}_u\}_{u \in [N]}, \{\mathbf{Q}_u\}_{u \in [N]}, \mathbf{y})$.
Secret-key query for attribute set $U$:
1. $\mathbf{V} = [\mathbf{V}_1 \mid \cdots \mid \mathbf{V}_N] \leftarrow \mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp}, 1^{(m+1)N})$.
2. $\mathbf{Z} = [\mathbf{Z}_1 \mid \cdots \mid \mathbf{Z}_N] \leftarrow \mathsf{Open}_{\mathsf{mx}}(\mathsf{pp}, \mathbf{U})$.
3. $\hat{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi}$.
4. $\tilde{\mathbf{t}} \leftarrow D^m_{\mathbb{Z},\chi_1}$.
5. $\mathbf{t} = (1, \hat{\mathbf{t}}^\top + \tilde{\mathbf{t}}^\top)^\top \in \mathbb{Z}_q^{m+1}$.
6. $\{\hat{\mathbf{k}}_u\}_{u \in U} \leftarrow D^m_{\mathbb{Z},\chi_s}$.
7. $\forall u \in U \cap \rho([\ell])$: $\tilde{\mathbf{k}}_u \leftarrow \mathsf{SamplePre}\Big(\mathbf{B}, \mathsf{td}_{\mathbf{B}}, -M_{\rho^{-1}(u),1}\mathbf{y} - \sum_{2 \leq j \leq s_{\max}} M_{\rho^{-1}(u),j}\mathbf{b}'_j - \mathbf{N}_u\hat{\mathbf{t}} - \mathbf{N}_u\tilde{\mathbf{t}} - \mathbf{B}\hat{\mathbf{k}}_u, \chi_1\Big)$.
8. $\forall u \in U \setminus \rho([\ell])$: $\tilde{\mathbf{k}}_u \leftarrow \mathsf{SamplePre}\big(\mathbf{B}, \mathsf{td}_{\mathbf{B}}, -\mathbf{d}'_u - \mathbf{D}'_u\hat{\mathbf{t}} - \mathbf{D}'_u\tilde{\mathbf{t}} - \mathbf{B}\hat{\mathbf{k}}_u, \chi_1\big)$.
9. $\forall u \in U$: $\mathbf{k}_u \leftarrow \hat{\mathbf{k}}_u + \tilde{\mathbf{k}}_u + \mathbf{R}\mathbf{V}_u\mathbf{t} + \mathbf{Z}_u\mathbf{t}$.
10. $\mathsf{sk} \leftarrow (\{\mathbf{k}_u\}_{u \in U}, \mathbf{t})$.
Challenge phase:
1. $\mathsf{msg} \xleftarrow{\$} \{0,1\}$.
2. $\mathbf{s} \xleftarrow{\$} \mathbb{Z}_q^n$.
3. $\mathbf{e}_1 \leftarrow D^m_{\mathbb{Z},\chi}$.
4. $\mathbf{e}_2 \leftarrow D^m_{\mathbb{Z},\chi_s}$.
5. $e_3 \leftarrow D_{\mathbb{Z},\chi_s}$.
6. $\mathbf{c}_1^\top \leftarrow \mathbf{s}^\top\mathbf{B} + \mathbf{e}_1^\top$.
7. $\mathbf{c}_2^\top \leftarrow \mathbf{s}^\top(\mathbf{A} + \mathbf{C}) + \mathbf{e}_2^\top$.
c 3 ← s ⊤ y + msg · ⌈ q / 2 ⌋ + e 3 . 9. ct ← ( c 1 , c 2 , c 3 ) . 24 Game H 6 . This game is identical to Game H 5 , except for ho w the challenger generates the responses to secret-ke y queries. More precisely , the challenger answers secret-ke y queries without using the trapdoor td B . Instead, in this game we use a trapdoor td for the matrix [ I g + h ⊗ B | W ′ ] in order to in voke SamplePre in the key- generation algorithm. This trapdoor is obtained from ( B , W , T ) by the procedure described in the proof of Lemma 24, which is based on the W ee25 commitment scheme. The indistinguishability between Games H 5 and H 6 (Lemma 24) follo ws from the well-sampleness of the preimage distribution for SamplePre (Lemma 3) and the noise-smudging lemma (Lemma 2). Setup phase: 1. ( B , td B ) ← T rapGen (1 n , 1 m , q ) . 2. W $ ← − Z 2 m 2 n × m q . 3. T ← SamplePre ([ I 2 m 2 ⊗ B | W ] , I 2 m 2 ⊗ td B 0 , I 2 m 2 ⊗ G , σ ) . 4. pp := ( B , W , T ) . 5. R $ ← − {− 1 , 1 } m × m , { R u } u ∈ [ N ] $ ← − {− 1 , 1 } m × ( m +1) , r $ ← − {− 1 , 1 } m , { R ′ i } i ∈{ 2 ,...,s max } $ ← − {− 1 , 1 } m × m , { R ′′ u } u ∈ [ N ] $ ← − {− 1 , 1 } m × m . 6. A ′ ← BR . 7. y ← Br . 8. ∀ i ∈ { 2 , . . . , s max } , C i ← Com mx ( pp , u i − 1 ⊗ G ) . 9. ∀ u ∈ [ N ] , C ′ u ← Com mx ( pp , u u + s max − 1 ⊗ G ) . 10. { b ′ i } i ∈{ 2 ,...,s max } $ ← − Z n q . 11. ∀ i ∈ { 2 , . . . , s max } : B ′ i ← BR ′ i + C i . 12. ∀ i ∈ { 2 , . . . , s max } , B i := [ b ′ i | B ′ i ] ∈ Z n × ( m +1) q . 13. ∀ u ∈ ρ ([ ℓ ]) : N u ← P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j B ′ j . 14. ∀ u ∈ ρ ([ ℓ ]) : n u ← M ρ − 1 ( u ) , 1 y + P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j b ′ j . 15. ∀ u ∈ [ N ] : U u ← BR u . 16. { d ′ u } u ∈ [ N ] $ ← − Z n q . 17. ∀ u ∈ [ N ] : D ′ u ← BR ′′ u + C ′ u . 18. ∀ u ∈ [ N ] , D u := [ d ′ u | D ′ u ] ∈ Z n × ( m +1) q . 19. ∀ u ∈ ρ ([ ℓ ]) : Q u ← U u − ( M ρ − 1 ( u ) , 1 ( y | 0 | · · · | 0 ) + P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j B j ) . 20. 
∀ u ∈ [ N ] \ ρ ([ ℓ ]) : Q u ← U u − D u . 21. U ← [ U 1 | · · · | U N ] . 22. C ← Com mx ( pp , U ) . 23. A ← A ′ − C ∈ Z n × m q . 24. pk = ( pp , n, m, q , σ , χ, χ 1 , χ s , A , { B i } i ∈{ 2 ,...,s max } , { D u } u ∈ [ N ] , { Q u } u ∈ [ N ] , y ) . Secret-k ey query for attribute set U : 1. V = [ V 1 | · · · | V N ] ← Ver mx ( pp , 1 ( m +1) N ) . 2. Z = [ Z 1 | · · · | Z N ] ← Op en mx ( pp , U ) . 3. ˆ t ← D m Z ,χ . 4. Denote U ∩ ρ ([ ℓ ]) = { u 1 , . . . , u g } and U \ ρ ([ ℓ ]) = { u ′ 1 , . . . , u ′ h } . 5. W ′ ← [ N ⊤ u 1 | · · · | N ⊤ u g | D ′⊤ u ′ 1 | · · · | D ′⊤ u ′ h ] ⊤ . 6. { ˆ k u } u ∈ U ← D m Z ,χ s . 7. ˜ k u 1 . . . ˜ k u g ˜ k u ′ 1 . . . ˜ k u ′ h ˜ t ← SamplePre ( I g + h ⊗ B | W ′ , td , − n u 1 − N u 1 ˆ t − B ˆ k u 1 . . . − n u g − N u g ˆ t − B ˆ k u g − d ′ u ′ 1 − D ′ u ′ 1 ˆ t − B ˆ k u ′ 1 . . . − d ′ u ′ h − D ′ u ′ h ˆ t − B ˆ k u ′ h , χ 1 ) . 8. t = (1 , ˆ t ⊤ + ˜ t ⊤ ) ⊤ ∈ Z m +1 q . 9. ∀ u ∈ U : k u ← ˆ k u + ˜ k u + R V u t + Z u t . 10. sk ← ( { k u } u ∈ U , t ) . Challenge phase: 1. msg $ ← − { 0 , 1 } . 2. s $ ← − Z n q . 3. e 1 ← D m Z ,χ . 4. e 2 ← D m Z ,χ s . 5. e 3 ← D Z ,χ s . 6. c ⊤ 1 ← s ⊤ B + e ⊤ 1 . 7. c ⊤ 2 ← s ⊤ ( A + C ) + e ⊤ 2 . 8. c 3 ← s ⊤ y + msg · ⌈ q / 2 ⌋ + e 3 . 9. ct ← ( c 1 , c 2 , c 3 ) . 25 Game H 7 . This game is defined identically to Game H 6 except for the way the challenger generates the challenge ciphertext components c 2 and c 3 . The indistinguishability between Game H 6 and Game H 7 (Lemma 25) follo ws from the noise-smudging lemma (Lemma 2). Setup phase: 1. ( B , td B ) ← T rapGen (1 n , 1 m , q ) . 2. W $ ← − Z 2 m 2 n × m q . 3. T ← SamplePre ([ I 2 m 2 ⊗ B | W ] , I 2 m 2 ⊗ td B 0 , I 2 m 2 ⊗ G , σ ) . 4. pp := ( B , W , T ) . 5. R $ ← − {− 1 , 1 } m × m , { R u } u ∈ [ N ] $ ← − {− 1 , 1 } m × ( m +1) , r $ ← − {− 1 , 1 } m , { R ′ i } i ∈{ 2 ,...,s max } $ ← − {− 1 , 1 } m × m , { R ′′ u } u ∈ [ N ] $ ← − {− 1 , 1 } m × m . 6. A ′ ← BR . 7. y ← Br . 8. ∀ i ∈ { 2 , . . . 
, s max } , C i ← Com mx ( pp , u i − 1 ⊗ G ) . 9. ∀ u ∈ [ N ] , C ′ u ← Com mx ( pp , u u + s max − 1 ⊗ G ) . 10. { b ′ i } i ∈{ 2 ,...,s max } $ ← − Z n q . 11. ∀ i ∈ { 2 , . . . , s max } : B ′ i ← BR ′ i + C i . 12. ∀ i ∈ { 2 , . . . , s max } , B i := [ b ′ i | B ′ i ] ∈ Z n × ( m +1) q . 13. ∀ u ∈ ρ ([ ℓ ]) : N u ← P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j B ′ j . 14. ∀ u ∈ ρ ([ ℓ ]) : n u ← M ρ − 1 ( u ) , 1 y + P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j b ′ j . 15. ∀ u ∈ [ N ] : U u ← BR u . 16. { d ′ u } u ∈ [ N ] $ ← − Z n q . 17. ∀ u ∈ [ N ] : D ′ u ← BR ′′ u + C ′ u . 18. ∀ u ∈ [ N ] , D u := [ d ′ u | D ′ u ] ∈ Z n × ( m +1) q . 19. ∀ u ∈ ρ ([ ℓ ]) : Q u ← U u − ( M ρ − 1 ( u ) , 1 ( y | 0 | · · · | 0 ) + P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j B j ) . 20. ∀ u ∈ [ N ] \ ρ ([ ℓ ]) : Q u ← U u − D u . 21. U ← [ U 1 | · · · | U N ] . 22. C ← Com mx ( pp , U ) . 23. A ← A ′ − C ∈ Z n × m q . 24. pk = ( pp , n, m, q , σ , χ, χ 1 , χ s , A , { B i } i ∈{ 2 ,...,s max } , { D u } u ∈ [ N ] , { Q u } u ∈ [ N ] , y ) . Secret-k ey query for attribute set U : 1. V = [ V 1 | · · · | V N ] ← Ver mx ( pp , 1 ( m +1) N ) . 2. Z = [ Z 1 | · · · | Z N ] ← Op en mx ( pp , U ) . 3. ˆ t ← D m Z ,χ . 4. Denote U ∩ ρ ([ ℓ ]) = { u 1 , . . . , u g } and U \ ρ ([ ℓ ]) = { u ′ 1 , . . . , u ′ h } . 5. W ′ ← [ N ⊤ u 1 | · · · | N ⊤ u g | D ′⊤ u ′ 1 | · · · | D ′⊤ u ′ h ] ⊤ . 6. { ˆ k u } u ∈ U ← D m Z ,χ s . 7. ˜ k u 1 . . . ˜ k u g ˜ k u ′ 1 . . . ˜ k u ′ h ˜ t ← SamplePre ( I g + h ⊗ B | W ′ , td , − n u 1 − N u 1 ˆ t − B ˆ k u 1 . . . − n u g − N u g ˆ t − B ˆ k u g − d ′ u ′ 1 − D ′ u ′ 1 ˆ t − B ˆ k u ′ 1 . . . − d ′ u ′ h − D ′ u ′ h ˆ t − B ˆ k u ′ h , χ 1 ) . 8. t = (1 , ˆ t ⊤ + ˜ t ⊤ ) ⊤ ∈ Z m +1 q . 9. ∀ u ∈ U : k u ← ˆ k u + ˜ k u + R V u t + Z u t . 10. sk ← ( { k u } u ∈ U , t ) . Challenge phase: 1. msg $ ← − { 0 , 1 } . 2. s $ ← − Z n q . 3. e 1 ← D m Z ,χ . 4. e 2 ← D m Z ,χ s . 5. e 3 ← D Z ,χ s . 6. c ⊤ 1 ← s ⊤ B + e ⊤ 1 . 7. c ⊤ 2 ← c ⊤ 1 R + e ⊤ 2 . 8. 
c 3 ← c ⊤ 1 r + msg · ⌈ q / 2 ⌋ + e 3 . 26 Game H 8 . This game is defined identically to Game H 7 , except for the way the challenger generates the ciphertext component c 1 . In Game H 8 , c 1 is generated uniformly and independently at random. The indistinguishability between Games H 7 and H 8 (Lemma 26) follows from the (2 m 2 , σ ) -succinct L WE assumption. Setup phase: 1. ( B , td B ) ← T rapGen (1 n , 1 m , q ) . 2. W $ ← − Z 2 m 2 n × m q . 3. T ← SamplePre ([ I 2 m 2 ⊗ B | W ] , I 2 m 2 ⊗ td B 0 , I 2 m 2 ⊗ G , σ ) . 4. pp := ( B , W , T ) . 5. R $ ← − {− 1 , 1 } m × m , { R u } u ∈ [ N ] $ ← − {− 1 , 1 } m × ( m +1) , r $ ← − {− 1 , 1 } m , { R ′ i } i ∈{ 2 ,...,s max } $ ← − {− 1 , 1 } m × m , { R ′′ u } u ∈ [ N ] $ ← − {− 1 , 1 } m × m . 6. A ′ ← BR . 7. y ← Br . 8. ∀ i ∈ { 2 , . . . , s max } , C i ← Com mx ( pp , u i − 1 ⊗ G ) . 9. ∀ u ∈ [ N ] , C ′ u ← Com mx ( pp , u u + s max − 1 ⊗ G ) . 10. { b ′ i } i ∈{ 2 ,...,s max } $ ← − Z n q . 11. ∀ i ∈ { 2 , . . . , s max } : B ′ i ← BR ′ i + C i . 12. ∀ i ∈ { 2 , . . . , s max } , B i := [ b ′ i | B ′ i ] ∈ Z n × ( m +1) q . 13. ∀ u ∈ ρ ([ ℓ ]) : N u ← P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j B ′ j . 14. ∀ u ∈ ρ ([ ℓ ]) : n u ← M ρ − 1 ( u ) , 1 y + P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j b ′ j . 15. ∀ u ∈ [ N ] : U u ← BR u . 16. { d ′ u } u ∈ [ N ] $ ← − Z n q . 17. ∀ u ∈ [ N ] : D ′ u ← BR ′′ u + C ′ u . 18. ∀ u ∈ [ N ] , D u := [ d ′ u | D ′ u ] ∈ Z n × ( m +1) q . 19. ∀ u ∈ ρ ([ ℓ ]) : Q u ← U u − ( M ρ − 1 ( u ) , 1 ( y | 0 | · · · | 0 ) + P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j B j ) . 20. ∀ u ∈ [ N ] \ ρ ([ ℓ ]) : Q u ← U u − D u . 21. U ← [ U 1 | · · · | U N ] . 22. C ← Com mx ( pp , U ) . 23. A ← A ′ − C ∈ Z n × m q . 24. pk = ( pp , n, m, q , σ , χ, χ 1 , χ s , A , { B i } i ∈{ 2 ,...,s max } , { D u } u ∈ [ N ] , { Q u } u ∈ [ N ] , y ) . Secret-k ey query for attribute set U : 1. V = [ V 1 | · · · | V N ] ← Ver mx ( pp , 1 ( m +1) N ) . 2. Z = [ Z 1 | · · · | Z N ] ← Op en mx ( pp , U ) . 3. ˆ t ← D m Z ,χ . 4. 
Denote U ∩ ρ ([ ℓ ]) = { u 1 , . . . , u g } and U \ ρ ([ ℓ ]) = { u ′ 1 , . . . , u ′ h } . 5. W ′ ← [ N ⊤ u 1 | · · · | N ⊤ u g | D ′⊤ u ′ 1 | · · · | D ′⊤ u ′ h ] ⊤ . 6. { ˆ k u } u ∈ U ← D m Z ,χ s . 7. ˜ k u 1 . . . ˜ k u g ˜ k u ′ 1 . . . ˜ k u ′ h ˜ t ← SamplePre ( I g + h ⊗ B | W ′ , td , − n u 1 − N u 1 ˆ t − B ˆ k u 1 . . . − n u g − N u g ˆ t − B ˆ k u g − d ′ u ′ 1 − D ′ u ′ 1 ˆ t − B ˆ k u ′ 1 . . . − d ′ u ′ h − D ′ u ′ h ˆ t − B ˆ k u ′ h , χ 1 ) . 8. t = (1 , ˆ t ⊤ + ˜ t ⊤ ) ⊤ ∈ Z m +1 q . 9. ∀ u ∈ U : k u ← ˆ k u + ˜ k u + R V u t + Z u t . 10. sk ← ( { k u } u ∈ U , t ) . Challenge phase: 1. msg $ ← − { 0 , 1 } . 2. e 2 ← D m Z ,χ s . 3. e 3 ← D Z ,χ s . 4. c 1 $ ← − Z m q . 5. c ⊤ 2 ← c ⊤ 1 R + e ⊤ 2 . 6. c 3 ← c ⊤ 1 r + msg · ⌈ q / 2 ⌋ + e 3 . 27 Game H 9 . The game is defined identically to Game H 8 except for the process for generating the ciphertext component c 3 . In this game, the element c 3 is generated uniformly and independently at random instead. The advantage of the adversary A in this game is 0 , since the message msg is information-theoretically hidden. The indistinguishability between Game H 8 and H 9 (Lemma 27) follows from the leftover hash lemma (Lemma 4). Setup phase: 1. ( B , td B ) ← T rapGen (1 n , 1 m , q ) . 2. W $ ← − Z 2 m 2 n × m q . 3. T ← SamplePre ([ I 2 m 2 ⊗ B | W ] , I 2 m 2 ⊗ td B 0 , I 2 m 2 ⊗ G , σ ) . 4. pp := ( B , W , T ) . 5. R $ ← − {− 1 , 1 } m × m , { R u } u ∈ [ N ] $ ← − {− 1 , 1 } m × ( m +1) , r $ ← − {− 1 , 1 } m , { R ′ i } i ∈{ 2 ,...,s max } $ ← − {− 1 , 1 } m × m , { R ′′ u } u ∈ [ N ] $ ← − {− 1 , 1 } m × m . 6. A ′ ← BR . 7. y ← Br . 8. ∀ i ∈ { 2 , . . . , s max } , C i ← Com mx ( pp , u i − 1 ⊗ G ) . 9. ∀ u ∈ [ N ] , C ′ u ← Com mx ( pp , u u + s max − 1 ⊗ G ) . 10. { b ′ i } i ∈{ 2 ,...,s max } $ ← − Z n q . 11. ∀ i ∈ { 2 , . . . , s max } : B ′ i ← BR ′ i + C i . 12. ∀ i ∈ { 2 , . . . , s max } , B i := [ b ′ i | B ′ i ] ∈ Z n × ( m +1) q . 13. 
∀ u ∈ ρ ([ ℓ ]) : N u ← P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j B ′ j . 14. ∀ u ∈ ρ ([ ℓ ]) : n u ← M ρ − 1 ( u ) , 1 y + P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j b ′ j . 15. ∀ u ∈ [ N ] : U u ← BR u . 16. { d ′ u } u ∈ [ N ] $ ← − Z n q . 17. ∀ u ∈ [ N ] : D ′ u ← BR ′′ u + C ′ u . 18. ∀ u ∈ [ N ] , D u := [ d ′ u | D ′ u ] ∈ Z n × ( m +1) q . 19. ∀ u ∈ ρ ([ ℓ ]) : Q u ← U u − ( M ρ − 1 ( u ) , 1 ( y | 0 | · · · | 0 ) + P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j B j ) . 20. ∀ u ∈ [ N ] \ ρ ([ ℓ ]) : Q u ← U u − D u . 21. U ← [ U 1 | · · · | U N ] . 22. C ← Com mx ( pp , U ) . 23. A ← A ′ − C ∈ Z n × m q . 24. pk = ( pp , n, m, q , σ , χ, χ 1 , χ s , A , { B i } i ∈{ 2 ,...,s max } , { D u } u ∈ [ N ] , { Q u } u ∈ [ N ] , y ) . Secret-k ey query for attribute set U : 1. V = [ V 1 | · · · | V N ] ← Ver mx ( pp , 1 ( m +1) N ) . 2. Z = [ Z 1 | · · · | Z N ] ← Op en mx ( pp , U ) . 3. ˆ t ← D m Z ,χ . 4. Denote U ∩ ρ ([ ℓ ]) = { u 1 , . . . , u g } and U \ ρ ([ ℓ ]) = { u ′ 1 , . . . , u ′ h } . 5. W ′ ← [ N ⊤ u 1 | · · · | N ⊤ u g | D ′⊤ u ′ 1 | · · · | D ′⊤ u ′ h ] ⊤ . 6. { ˆ k u } u ∈ U ← D m Z ,χ s . 7. ˜ k u 1 . . . ˜ k u g ˜ k u ′ 1 . . . ˜ k u ′ h ˜ t ← SamplePre ( I g + h ⊗ B | W ′ , td , − n u 1 − N u 1 ˆ t − B ˆ k u 1 . . . − n u g − N u g ˆ t − B ˆ k u g − d ′ u ′ 1 − D ′ u ′ 1 ˆ t − B ˆ k u ′ 1 . . . − d ′ u ′ h − D ′ u ′ h ˆ t − B ˆ k u ′ h , χ 1 ) . 8. t = (1 , ˆ t ⊤ + ˜ t ⊤ ) ⊤ ∈ Z m +1 q . 9. ∀ u ∈ U : k u ← ˆ k u + ˜ k u + R V u t + Z u t . 10. sk ← ( { k u } u ∈ U , t ) . Challenge phase: 1. e 2 ← D m Z ,χ s . 2. c 1 $ ← − Z m q . 3. c ⊤ 2 ← c ⊤ 1 R + e ⊤ 2 . 4. c 3 $ ← − Z q . Lemma 19. W e have H 0 ≡ H 1 . Pr oof. The only difference between Games H 0 and H 1 is the way the matrices A , { U u } u ∈ [ N ] and { Q u } u ∈ [ N ] are generated. In Game H 0 , the matrices A , { Q u } u ∈ [ N ] are generated uniformly and independently at 28 random. 
Then, for all $i\in[\ell]$, it sets $U_{\rho(i)}\leftarrow M_{i,1}(y\,|\,0\,|\cdots|\,0)+\sum_{2\le j\le s_{\max}}M_{i,j}B_j+Q_{\rho(i)}$, and for all $u\in[N]\setminus\rho([\ell])$, it sets $U_u\leftarrow Q_u+D_u$. In Game $H_1$, the matrix $A$ is obtained by first sampling $A'\xleftarrow{\$}\mathbb{Z}_q^{n\times m}$ and then setting $A\leftarrow A'-C$, where $C$ is a matrix independent of $A'$ ($C$ is not sent to the adversary, and in both games it is computed as $\mathsf{Com}_{\mathsf{mx}}(\mathsf{pp},U)$ from the same distribution of $U$). Then the challenger instead samples $\{U_u\}_{u\in[N]}\xleftarrow{\$}\mathbb{Z}_q^{n\times(m+1)}$ and sets $Q_u\leftarrow U_u-\big(M_{\rho^{-1}(u),1}(y\,|\,0\,|\cdots|\,0)+\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}B_j\big)$ for all $u\in\rho([\ell])$ and $Q_u\leftarrow U_u-D_u$ for all $u\in[N]\setminus\rho([\ell])$.

In Game $H_1$ the matrix $A$ is obtained as a fixed shift of the uniform matrix $A'$, so $A$ itself is uniform and independent of $\{U_u\}$ and $\{Q_u\}$, exactly as in Game $H_0$. For each $u\in\rho([\ell])$, the pair $(Q_u,U_u)$ in Game $H_0$ is uniformly distributed over $\mathbb{Z}_q^{n\times(m+1)}\times\mathbb{Z}_q^{n\times(m+1)}$ subject to
$$U_u-Q_u=M_{\rho^{-1}(u),1}(y\,|\,0\,|\cdots|\,0)+\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}B_j,$$
and exactly the same relation holds in Game $H_1$. Similarly, for each $u\in[N]\setminus\rho([\ell])$, the triple $(Q_u,D_u,U_u)$ is uniformly distributed subject to $U_u=Q_u+D_u$ in both games. Hence the joint distribution of $(A,\{Q_u\},\{U_u\})$ is exactly the same in Games $H_0$ and $H_1$. Observe that all the changes between Games $H_0$ and $H_1$ are merely syntactic. Since all subsequent uses of these matrices in the query phase and challenge phase are identical in both games, we conclude that $H_0\equiv H_1$.

Lemma 20. Let $q$ be a prime, and let $n,m$ be such that $m>2n\log q+\omega(\log n)$. Let $m\ge m_0(n,q)$ and $\sigma,\chi_1\ge\chi_0(n,q)$, where $m_0$ and $\chi_0$ are the polynomials given in Lemma 3. We have $H_1\approx_s H_2$.

Proof. This lemma follows from the leftover hash lemma with trapdoor (Lemma 5). Suppose there exists an adversary $\mathcal{A}$ that can distinguish between Game $H_1$ and Game $H_2$ with non-negligible advantage. Then we can construct an adversary $\mathcal{B}$ that wins the game $\mathsf{Exp}^{\mathsf{LHL\text{-}Trap},q,\sigma,\chi_1}_{\mathcal{B}}$ with non-negligible probability, which leads to a contradiction. The algorithm $\mathcal{B}$ proceeds as follows:

Setup Phase. The algorithm $\mathcal{B}$ receives $1^\lambda,q,\sigma,\chi_1$ from its challenger. Then it invokes $\mathcal{A}$ and receives an access policy $(M,\rho)$, where $M\in\{-1,0,1\}^{\ell\times s_{\max}}$ and $\rho:[\ell]\to[N]$ is an injective function. Then it proceeds as follows:
1) It sends $1^n,1^m,1^{s_{\max}}$ to its challenger and receives a challenge $\{\mathsf{pp}=(B,W,T),S\}$. It then parses $S:=[S_1\,|\cdots|\,S_N\,|\,S_0\,|\,s']$ where $S_i\in\mathbb{Z}_q^{n\times(m+1)}$ for each $i\in[N]$, $S_0\in\mathbb{Z}_q^{n\times m}$, and $s'\in\mathbb{Z}_q^n$.
2) It sets $A'\leftarrow S_0$ and $y\leftarrow s'$.
3) It samples $\{B_i\}_{i\in\{2,\dots,s_{\max}\}}\xleftarrow{\$}\mathbb{Z}_q^{n\times(m+1)}$.
4) It sets $U_u\leftarrow S_u$ for all $u\in[N]$.
5) It samples $\{D_u\}_{u\in[N]}\xleftarrow{\$}\mathbb{Z}_q^{n\times(m+1)}$.
6) For all $u\in\rho([\ell])$, it sets $Q_u\leftarrow U_u-\big(M_{\rho^{-1}(u),1}(y\,|\,0\,|\cdots|\,0)+\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}B_j\big)$.
7) For all $u\in[N]\setminus\rho([\ell])$, it sets $Q_u\leftarrow U_u-D_u$.
8) It sets $U\leftarrow[U_1\,|\cdots|\,U_N]$ and computes $C\leftarrow\mathsf{Com}_{\mathsf{mx}}(\mathsf{pp},U)$.
9) It sets $A\leftarrow A'-C$.
10) It sends the public parameters $\mathsf{pk}=(\mathsf{pp},n,m,q,\sigma,\chi,\chi_1,\chi_s,A,\{B_i\}_{i\in\{2,\dots,s_{\max}\}},\{D_u\}_{u\in[N]},\{Q_u\}_{u\in[N]},y)$ to the adversary $\mathcal{A}$.

Query Phase. To respond to a secret-key query for an attribute set $U\subseteq\mathcal{U}$, the algorithm $\mathcal{B}$ proceeds as follows:
1) It first computes $V=[V_1\,|\cdots|\,V_N]\leftarrow\mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp},1^{(m+1)N})$.
2) It samples $\hat t\leftarrow D^m_{\mathbb{Z},\chi}$ and sets $t=(1,\hat t^\top)^\top\in\mathbb{Z}_q^{m+1}$.
3) It samples $\{\hat k_u\}_{u\in U}\leftarrow D^m_{\mathbb{Z},\chi_s}$.
4) For all $u\in U$, $\mathcal{B}$ sends $(AV_u+Q_u)t-B\hat k_u$ to its challenger in $\mathsf{Exp}^{\mathsf{LHL\text{-}Trap},q,\sigma,\chi_1}_{\mathcal{B}}$, and receives $\tilde k_u$.
5) For all $u\in U$, it sets $k_u\leftarrow\hat k_u+\tilde k_u$.
6) Then it provides $\mathsf{sk}\leftarrow(\{k_u\}_{u\in U},t)$ to the adversary $\mathcal{A}$.

Challenge Phase. In this phase, $\mathcal{B}$ proceeds exactly as the challenger in Games $H_1$ and $H_2$. Precisely,
1) It samples $\mathsf{msg}\xleftarrow{\$}\{0,1\}$.
2) It samples $s\xleftarrow{\$}\mathbb{Z}_q^n$, $e_1\leftarrow D^m_{\mathbb{Z},\chi}$, $e_2\leftarrow D^m_{\mathbb{Z},\chi_s}$, and $e_3\leftarrow D_{\mathbb{Z},\chi_s}$.
3) It computes $c_1^\top\leftarrow s^\top B+e_1^\top$, $c_2^\top\leftarrow s^\top(A+C)+e_2^\top$, and $c_3\leftarrow s^\top y+\mathsf{msg}\cdot\lceil q/2\rfloor+e_3$.
4) Finally, it provides the challenge ciphertext $\mathsf{ct}\leftarrow(c_1,c_2,c_3)$ to the adversary $\mathcal{A}$.

Guess Phase. The algorithm $\mathcal{B}$ outputs whatever the adversary $\mathcal{A}$ outputs.

It is straightforward that the algorithm $\mathcal{B}$ simulates either Game $H_1$ or Game $H_2$ perfectly, depending on whether $S\xleftarrow{\$}\mathbb{Z}_q^{n\times(m+1)(N+1)}$ or $S\leftarrow BR$ for some $R\xleftarrow{\$}\{-1,1\}^{m\times(m+1)(N+1)}$. Therefore, the advantage of $\mathcal{B}$ in $\mathsf{Exp}^{\mathsf{LHL\text{-}Trap},q,\sigma,\chi_1}_{\mathcal{B}}$ is at least the advantage of $\mathcal{A}$ in distinguishing between Games $H_1$ and $H_2$. This completes the proof.

Lemma 21. Suppose that $\chi_s\ge\chi\cdot(\chi_1+\sigma)\cdot\log q\cdot\log N\cdot\mathrm{poly}(m)\cdot\lambda^{\omega(1)}$. Then we have $H_2\approx_s H_3$.

Proof. The only difference between the two games lies in the responses to the secret-key queries. In Game $H_2$, the secret-key responses $\{k_u\}_{u\in U}$ are computed as follows: the challenger sets $k_u\leftarrow\hat k_u+\tilde k_u$, where $\hat k_u\leftarrow D^m_{\mathbb{Z},\chi_s}$, and samples $\tilde k_u\leftarrow\mathsf{SamplePre}\big(B,\mathsf{td}_B,(AV_u+Q_u)t-B\hat k_u,\chi_1\big)$, where $t=(1,\hat t^\top)^\top$ with $\hat t\leftarrow D^m_{\mathbb{Z},\chi}$. By the construction above, we have
$$Bk_u=B\hat k_u+B\tilde k_u=(AV_u+Q_u)t,\quad\forall u\in U.\tag{7}$$
Moreover, $\tilde k_u$ is sampled from a discrete Gaussian $D^m_{\mathbb{Z},\chi_1}$ conditioned on equation (7). Since $\chi_s\ge\sqrt m\cdot\chi_1\cdot\lambda^{\omega(1)}$ by our choice of parameters, the noise-smudging lemma (Lemma 2) implies that in Game $H_2$ each $k_u$ is statistically indistinguishable from a fresh sample from $D^m_{\mathbb{Z},\chi_s}$ conditioned on (7).

In Game $H_3$, the secret-key responses $\{k_u\}_{u\in U}$ are generated as follows. First the challenger samples $\hat t\leftarrow D^m_{\mathbb{Z},\chi}$ and sets $t\leftarrow(1,\hat t^\top)^\top$. For each $u\in U\cap\rho([\ell])$, the challenger sets $k_u\leftarrow\hat k_u+\tilde k_u+RV_ut+Z_ut$, where $\hat k_u\leftarrow D^m_{\mathbb{Z},\chi_s}$ and
$$\tilde k_u\leftarrow\mathsf{SamplePre}\Big(B,\mathsf{td}_B,\ -M_{\rho^{-1}(u),1}\,y-\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}\,b'_j-N_u\hat t-B\hat k_u,\ \chi_1\Big).$$
By bounding the norm of $\tilde k_u+RV_ut+Z_ut$, we obtain
$$\|\tilde k_u+RV_ut+Z_ut\|\le\chi\cdot(\chi_1+\sigma)\log q\cdot\log N\cdot\mathrm{poly}(m).$$
Hence, by the noise-smudging lemma (Lemma 2), the distribution of $k_u$ is again statistically indistinguishable from that of $\hat k_u$. Moreover, in Game $H_3$, we have
$$\begin{aligned}
Bk_u&=B(\hat k_u+\tilde k_u+RV_ut+Z_ut)\\
&=B\hat k_u-M_{\rho^{-1}(u),1}\,y-\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}\,b'_j-N_u\hat t-B\hat k_u+BRV_ut+BZ_ut\\
&=\Big(-M_{\rho^{-1}(u),1}(y\,|\,0\,|\cdots|\,0)-\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}B_j+A'V_u+BZ_u\Big)t\\
&=\Big(-M_{\rho^{-1}(u),1}(y\,|\,0\,|\cdots|\,0)-\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}B_j+AV_u+CV_u+BZ_u\Big)t\\
&=\Big(-M_{\rho^{-1}(u),1}(y\,|\,0\,|\cdots|\,0)-\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}B_j+AV_u+U_u\Big)t\\
&=(AV_u+Q_u)t,
\end{aligned}$$
which matches equation (7). For each $u\in U\setminus\rho([\ell])$, the challenger sets $k_u\leftarrow\hat k_u+\tilde k_u+RV_ut+Z_ut$, where $\hat k_u\leftarrow D^m_{\mathbb{Z},\chi_s}$ and $\tilde k_u\leftarrow\mathsf{SamplePre}\big(B,\mathsf{td}_B,-d'_u-D'_u\hat t-B\hat k_u,\chi_1\big)$. By bounding the norm of $RV_ut+Z_ut$ in the same way as above, we obtain that the distribution of $k_u$ is statistically indistinguishable from that of $\hat k_u$. Furthermore, we have
$$\begin{aligned}
Bk_u&=B(\hat k_u+\tilde k_u+RV_ut+Z_ut)\\
&=B\hat k_u-d'_u-D'_u\hat t-B\hat k_u+BRV_ut+BZ_ut\\
&=B\hat k_u-D_ut-B\hat k_u+AV_ut+U_ut\\
&=(AV_u+Q_u)t,
\end{aligned}$$
which matches the key equation (7) as well. In summary, for every attribute $u$ and every secret-key query, the distribution of $k_u$ in Game $H_3$ is statistically indistinguishable from a sample from $D^m_{\mathbb{Z},\chi_s}$ (and hence from that of $k_u$ in Game $H_2$), and the key equation $Bk_u=(AV_u+Q_u)t$ holds in both games. Since the adversary makes only polynomially many secret-key queries, a union bound shows that the joint distribution of all secret-key answers in $H_2$ and $H_3$ is statistically indistinguishable. All other parts of the two games are identical. Therefore, $H_2\approx_s H_3$.

Lemma 22. Suppose that $\chi>\sqrt m\,\chi_1\cdot\lambda^{\omega(1)}$. We have $H_3\approx_s H_4$.

Proof. This lemma follows directly from the noise-smudging lemma (Lemma 2). The only difference between Games $H_3$ and $H_4$ lies in the way the challenger generates the vector component $t$ of each secret-key query. In Game $H_3$, for each secret-key query, the challenger samples $\hat t\leftarrow D^m_{\mathbb{Z},\chi}$ and sets $t=(1,\hat t^\top)^\top$. In Game $H_4$, for each secret-key query, the challenger samples $\hat t\leftarrow D^m_{\mathbb{Z},\chi}$, $\tilde t\leftarrow D^m_{\mathbb{Z},\chi_1}$, and sets $t\leftarrow(1,\hat t^\top+\tilde t^\top)^\top$ instead. Since $\chi>\sqrt m\,\chi_1\cdot\lambda^{\omega(1)}$, the noise-smudging lemma (Lemma 2) implies that in Game $H_4$ we have $\hat t+\tilde t\approx_s\hat t$. Therefore, the distributions of the secret keys in Games $H_3$ and $H_4$ are statistically indistinguishable, and hence $H_3\approx_s H_4$.

Lemma 23. Let $q$ be a prime, and let $n,m$ be such that $m>2n\log q+\omega(\log n)$. Let $m\ge m_0(n,q)$ and $\sigma,\chi_1\ge\chi_0(n,q)$, where $m_0$ and $\chi_0$ are the polynomials given in Lemma 3. We have $H_4\approx_s H_5$.

Proof. This lemma follows from the leftover hash lemma with trapdoor (Lemma 5). Suppose there exists an adversary $\mathcal{A}$ that can distinguish between Game $H_4$ and Game $H_5$ with non-negligible advantage. Then we can construct an adversary $\mathcal{B}$ that wins the game $\mathsf{Exp}^{\mathsf{LHL\text{-}Trap},q,\sigma,\chi_1}_{\mathcal{B}}$ with non-negligible advantage, which leads to a contradiction. The algorithm $\mathcal{B}$ proceeds as follows:

Setup Phase. The algorithm $\mathcal{B}$ receives $1^\lambda,q,\sigma,\chi_1$ from its challenger. Then it invokes $\mathcal{A}$ and receives an access policy $(M,\rho)$, where $M\in\{-1,0,1\}^{\ell\times s_{\max}}$ and $\rho:[\ell]\to[N]$ is an injective function.
Then it proceeds as follows:
1) It sends $1^n,1^m,1^{s_{\max}}$ to its challenger and receives a challenge $\{\mathsf{pp}=(B,W,T),S\}$. It then parses $S:=[S'_2\,|\cdots|\,S'_{s_{\max}}\,|\,S''_1\,|\cdots|\,S''_N]$ where $S'_i\in\mathbb{Z}_q^{n\times m}$ for each $i\in\{2,\dots,s_{\max}\}$ and $S''_i\in\mathbb{Z}_q^{n\times m}$ for each $i\in[N]$.
2) It samples $R\xleftarrow{\$}\{-1,1\}^{m\times m}$, $\{R_u\}_{u\in[N]}\xleftarrow{\$}\{-1,1\}^{m\times(m+1)}$, and $r\xleftarrow{\$}\{-1,1\}^m$.
3) It sets $A'\leftarrow BR$ and $y\leftarrow Br$.
4) It computes $C_i\leftarrow\mathsf{Com}_{\mathsf{mx}}(\mathsf{pp},u_{i-1}\otimes G)$ for all $i\in\{2,\dots,s_{\max}\}$, and $C'_u\leftarrow\mathsf{Com}_{\mathsf{mx}}(\mathsf{pp},u_{u+s_{\max}-1}\otimes G)$ for all $u\in[N]$.
5) It samples $\{b'_i\}_{i\in\{2,\dots,s_{\max}\}}\xleftarrow{\$}\mathbb{Z}_q^n$.
6) For each $i\in\{2,\dots,s_{\max}\}$, it sets $B'_i\leftarrow S'_i+C_i$ and sets $B_i\leftarrow[b'_i\,|\,B'_i]$.
7) It computes $N_u\leftarrow\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}B'_j$ for each $u\in\rho([\ell])$.
8) It sets $U_u\leftarrow BR_u$ for all $u\in[N]$.
9) It samples $\{d'_u\}_{u\in[N]}\xleftarrow{\$}\mathbb{Z}_q^n$, computes $D'_u\leftarrow S''_u+C'_u$ and sets $D_u:=[d'_u\,|\,D'_u]$ for all $u\in[N]$.
10) For all $u\in\rho([\ell])$, it sets $Q_u\leftarrow U_u-\big(M_{\rho^{-1}(u),1}(y\,|\,0\,|\cdots|\,0)+\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}B_j\big)$.
11) For all $u\in[N]\setminus\rho([\ell])$, it sets $Q_u\leftarrow U_u-D_u$.
12) It sets $U\leftarrow[U_1\,|\cdots|\,U_N]$ and computes $C\leftarrow\mathsf{Com}_{\mathsf{mx}}(\mathsf{pp},U)$.
13) It sets $A\leftarrow A'-C$.
14) It sends the public parameters $\mathsf{pk}=(\mathsf{pp},n,m,q,\sigma,\chi,\chi_1,\chi_s,A,\{B_i\}_{i\in\{2,\dots,s_{\max}\}},\{D_u\}_{u\in[N]},\{Q_u\}_{u\in[N]},y)$ to the adversary $\mathcal{A}$.

Query Phase. To respond to a secret-key query for an attribute set $U\subseteq\mathcal{U}$, the algorithm $\mathcal{B}$ proceeds as follows:
1) It first computes $V=[V_1\,|\cdots|\,V_N]\leftarrow\mathsf{Ver}_{\mathsf{mx}}(\mathsf{pp},1^{(m+1)N})$ and $Z=[Z_1\,|\cdots|\,Z_N]\leftarrow\mathsf{Open}_{\mathsf{mx}}(\mathsf{pp},U)$.
2) It samples $\hat t\leftarrow D^m_{\mathbb{Z},\chi}$, $\tilde t\leftarrow D^m_{\mathbb{Z},\chi_1}$ and sets $t=(1,\hat t^\top+\tilde t^\top)^\top\in\mathbb{Z}_q^{m+1}$.
3) It samples $\{\hat k_u\}_{u\in U}\leftarrow D^m_{\mathbb{Z},\chi_s}$.
4) For all $u\in U\cap\rho([\ell])$, $\mathcal{B}$ sends $-M_{\rho^{-1}(u),1}\,y-\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}\,b'_j-N_u\hat t-N_u\tilde t-B\hat k_u$ to its challenger in $\mathsf{Exp}^{\mathsf{LHL\text{-}Trap},q,\sigma,\chi_1}_{\mathcal{B}}$, and receives $\tilde k_u$.
5) For all $u\in U\setminus\rho([\ell])$, $\mathcal{B}$ sends $-d'_u-D'_u\hat t-D'_u\tilde t-B\hat k_u$ to its challenger in $\mathsf{Exp}^{\mathsf{LHL\text{-}Trap},q,\sigma,\chi_1}_{\mathcal{B}}$, and receives $\tilde k_u$.
6) For all $u\in U$, it sets $k_u\leftarrow\hat k_u+\tilde k_u+RV_ut+Z_ut$.
7) Then it provides $\mathsf{sk}\leftarrow(\{k_u\}_{u\in U},t)$ to the adversary $\mathcal{A}$.

Challenge Phase. In this phase, $\mathcal{B}$ proceeds exactly as the challenger in Game $H_4$ and Game $H_5$ does. Precisely,
1) It samples $\mathsf{msg}\xleftarrow{\$}\{0,1\}$, $s\xleftarrow{\$}\mathbb{Z}_q^n$, $e_1\leftarrow D^m_{\mathbb{Z},\chi}$, $e_2\leftarrow D^m_{\mathbb{Z},\chi_s}$, and $e_3\leftarrow D_{\mathbb{Z},\chi_s}$.
2) It computes $c_1^\top\leftarrow s^\top B+e_1^\top$, $c_2^\top\leftarrow s^\top(A+C)+e_2^\top$, and $c_3\leftarrow s^\top y+\mathsf{msg}\cdot\lceil q/2\rfloor+e_3$.
3) Finally, it provides the challenge ciphertext $\mathsf{ct}\leftarrow(c_1,c_2,c_3)$ to the adversary $\mathcal{A}$.

Guess Phase. The algorithm $\mathcal{B}$ outputs whatever the adversary $\mathcal{A}$ outputs.

It is straightforward that the algorithm $\mathcal{B}$ simulates either Game $H_4$ or Game $H_5$ perfectly, depending on whether $S\xleftarrow{\$}\mathbb{Z}_q^{n\times m(N+s_{\max}-1)}$ or $S\leftarrow BR$ for some $R\xleftarrow{\$}\{-1,1\}^{m\times m(N+s_{\max}-1)}$. Therefore, the advantage of $\mathcal{B}$ in $\mathsf{Exp}^{\mathsf{LHL\text{-}Trap},q,\sigma,\chi_1}_{\mathcal{B}}$ is no less than the advantage of $\mathcal{A}$ in distinguishing Games $H_4$ and $H_5$. This completes the proof.

Lemma 24. Suppose that $\chi_s\ge\chi\cdot(\chi_1+\sigma)\log q\cdot\log N\cdot\mathrm{poly}(m)$ and $\chi_1>\mathrm{poly}(m,N,\sigma,\log q)\cdot\omega(\sqrt{\log n})$. We have $H_5\approx_s H_6$.

Proof. The only difference between Games $H_5$ and $H_6$ lies in the way the challenger responds to secret-key queries. In Game $H_5$, the challenger first samples $\hat t\leftarrow D^m_{\mathbb{Z},\chi}$ and $\tilde t\leftarrow D^m_{\mathbb{Z},\chi_1}$, and sets $t\leftarrow(1\,|\,\hat t^\top+\tilde t^\top)^\top$. For each $u\in U\cap\rho([\ell])$, it samples
$$\tilde k_u\leftarrow\mathsf{SamplePre}\Big(B,\mathsf{td}_B,\ -M_{\rho^{-1}(u),1}\,y-\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u),j}\,b'_j-N_u\hat t-N_u\tilde t-B\hat k_u,\ \chi_1\Big).$$
For each $u\in U\setminus\rho([\ell])$, it samples $\tilde k_u\leftarrow\mathsf{SamplePre}\big(B,\mathsf{td}_B,-d'_u-D'_u\hat t-D'_u\tilde t-B\hat k_u,\chi_1\big)$. For each $u\in U$, it sets $k_u\leftarrow\hat k_u+\tilde k_u+RV_ut+Z_ut$.

In Game $H_6$, the challenger first samples $\hat t\leftarrow D^m_{\mathbb{Z},\chi}$ and samples
$$\begin{pmatrix}\tilde k_{u_1}\\ \vdots\\ \tilde k_{u_g}\\ \tilde k_{u'_1}\\ \vdots\\ \tilde k_{u'_h}\\ \tilde t\end{pmatrix}=\mathsf{SamplePre}\left([I_{g+h}\otimes B\,|\,W'],\ \mathsf{td},\ \begin{pmatrix}-n_{u_1}-N_{u_1}\hat t-B\hat k_{u_1}\\ \vdots\\ -n_{u_g}-N_{u_g}\hat t-B\hat k_{u_g}\\ -d'_{u'_1}-D'_{u'_1}\hat t-B\hat k_{u'_1}\\ \vdots\\ -d'_{u'_h}-D'_{u'_h}\hat t-B\hat k_{u'_h}\end{pmatrix},\ \chi_1\right)$$
and sets $t\leftarrow(1,\hat t^\top+\tilde t^\top)^\top$. In Game $H_6$, for each $u_i\in U\cap\rho([\ell])$, the preimage sampling process gives
$$B\tilde k_{u_i}+N_{u_i}\tilde t=-n_{u_i}-N_{u_i}\hat t-B\hat k_{u_i},$$
which matches the secret-key equation in Game $H_5$. For each $u'_j\in U\setminus\rho([\ell])$, we have
$$B\tilde k_{u'_j}+D'_{u'_j}\tilde t=-d'_{u'_j}-D'_{u'_j}\hat t-B\hat k_{u'_j},$$
which also matches the corresponding secret-key equation in Game $H_5$. By the noise-smudging lemma, in either game, since $\chi>\sqrt m\,\chi_1\cdot\lambda^{\omega(1)}$, the distribution of $\hat t+\tilde t$ is statistically indistinguishable from a vector sampled from $D^m_{\mathbb{Z},\chi}$. By bounding the norm of $\tilde k_u+RV_ut+Z_ut$, we have
$$\|\tilde k_u+RV_ut+Z_ut\|\le\chi\cdot(\chi_1+\sigma)\log q\cdot\log N\cdot\mathrm{poly}(m).$$
By the choice of parameters, each $k_u$ in either game is statistically indistinguishable from a sample from $D^m_{\mathbb{Z},\chi_s}$ conditioned on $Bk_u=(AV_u+Q_u)t$.

It remains to show that the challenger can construct the trapdoor for the matrix $[I_{g+h}\otimes B\,|\,W']$ efficiently. Denote $s=N+s_{\max}-1$. From the correctness of the commitment scheme, we have
$$C_iV_{ns}=u_{i-1}\otimes G-BZ_i,\ \forall i\in\{2,\dots,s_{\max}\},\qquad C'_iV_{ns}=u_{i+s_{\max}-1}\otimes G-BZ'_i,\ \forall i\in[N].$$
If we write $C'=[C_2^\top\,|\cdots|\,C_{s_{\max}}^\top\,|\,C'^\top_1\,|\cdots|\,C'^\top_N]^\top$ and $Z'=[Z_2^\top\,|\cdots|\,Z_{s_{\max}}^\top\,|\,Z'^\top_1\,|\cdots|\,Z'^\top_N]^\top$, we have
$$[I_s\otimes B\,|\,C']\begin{pmatrix}Z'\\ V_{ns}\end{pmatrix}=I_s\otimes G.\tag{8}$$
Then, by the norm bounds on the matrices $Z'$ and $V_{ns}$, the matrix $\begin{pmatrix}Z'\\ V_{ns}\end{pmatrix}$ serves as a trapdoor for $[I_s\otimes B\,|\,C']$. Denote the set $I=\rho^{-1}(U)\cap[\ell]$, and let $M_I\in\{-1,0,1\}^{|I|\times(s_{\max}-1)}$ be the submatrix of $M$ containing all the rows with indices in $I$ and with the first column removed. Let $e_i\in\{0,1\}^N$ be the unit vector whose $i$-th entry is 1. Let
$$M_U=\begin{pmatrix}M_I\\ e_{u'_1}^\top\\ e_{u'_2}^\top\\ \vdots\\ e_{u'_h}^\top\end{pmatrix}\in\{-1,0,1\}^{(g+h)\times s},$$
where the rows of $M_I$ occupy the first $s_{\max}-1$ columns and the unit vectors occupy the last $N$ columns (the remaining entries are zero, so that the dimensions match). Now we prove that the matrix $M_U$ has full row rank. By the restriction on secret-key queries submitted by the adversary, the rows of the access matrix in $\rho^{-1}(U)$ are required to be linearly independent and unauthorized. This means that no non-zero linear combination over $\mathbb{Z}_q$ of the vectors obtained by removing the first entries of the rows of $M$ with indices in $\rho^{-1}(U)$ can give the zero vector in dimension $s_{\max}-1$, i.e., $M_I$ has full row rank. Since $u'_1,\dots,u'_h$ are distinct, it also follows that $e_{u'_1},\dots,e_{u'_h}$ are linearly independent. Therefore, we can conclude that $M_U$ has full row rank.

Let $R'=[R'^\top_2\,|\cdots|\,R'^\top_{s_{\max}}\,|\,R''^\top_1\,|\cdots|\,R''^\top_N]^\top$. We prove $W'=(M_U\otimes I_n)((I_s\otimes B)R'+C')$. It follows from
$$\begin{aligned}
(M_U\otimes I_n)((I_s\otimes B)R'+C')
&=(M_U\otimes I_n)\begin{pmatrix}BR'_2+C_2\\ \vdots\\ BR'_{s_{\max}}+C_{s_{\max}}\\ BR''_1+C'_1\\ \vdots\\ BR''_N+C'_N\end{pmatrix}
=(M_U\otimes I_n)\begin{pmatrix}B'_2\\ \vdots\\ B'_{s_{\max}}\\ D'_1\\ \vdots\\ D'_N\end{pmatrix}\\
&=\begin{pmatrix}\sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u_1),j}B'_j\\ \vdots\\ \sum_{2\le j\le s_{\max}}M_{\rho^{-1}(u_g),j}B'_j\\ D'_{u'_1}\\ \vdots\\ D'_{u'_h}\end{pmatrix}
=\begin{pmatrix}N_{u_1}\\ \vdots\\ N_{u_g}\\ D'_{u'_1}\\ \vdots\\ D'_{u'_h}\end{pmatrix}=W'.
\end{aligned}$$
We claim that
$$\mathsf{td}:=\begin{pmatrix}(M_U\otimes I_m)(Z'-R'V_{ns})\\ V_{ns}\end{pmatrix}$$
can serve as a trapdoor for the matrix $[I_{g+h}\otimes B\,|\,W']$.
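As an added numeric sanity check of this claim (a constructed toy instance, not code from the paper), the script below builds small matrices $B, C', Z', V_{ns}$ satisfying equation (8), draws $R'$ and a full-row-rank $M_U$, forms $W'$ and $\mathsf{td}$ exactly as defined above, and verifies $[I_{g+h}\otimes B\,|\,W']\,\mathsf{td}=M_U\otimes G$ over $\mathbb{Z}_q$. It assumes a structured $B=[I_n\,|\,B_2]$ so that a preimage $Z'$ for (8) can be written down without a lattice trapdoor, and it ignores the norm bounds that make $\mathsf{td}$ a usable trapdoor; the rank check on $M_U$ is the condition that Lemma 1 needs.

```python
# Constructed toy instance of the trapdoor identity in the proof of Lemma 24.
# Not the paper's code: B is chosen as [I_n | B_2] so that a preimage Z' for
# equation (8) can be written down directly, and all norm bounds are ignored.
import numpy as np

q = 257                       # toy prime modulus (real parameters are far larger)
n, m = 2, 6                   # B is n x m
k = int(np.ceil(np.log2(q)))  # gadget columns per row of B
mp = n * k                    # m' = total number of gadget columns
s = 4                         # s = N + s_max - 1 (toy: s_max = 3, N = 2)


def gadget(n, k, q):
    """Standard gadget G = I_n (x) (1, 2, 4, ..., 2^{k-1}) mod q."""
    g = np.array([pow(2, i, q) for i in range(k)], dtype=np.int64)
    return np.kron(np.eye(n, dtype=np.int64), g)


def rank_mod_q(M, q=q):
    """Row rank of an integer matrix over Z_q (q prime), by Gaussian elimination."""
    A = (M.astype(np.int64) % q).copy()
    rank = 0
    for c in range(A.shape[1]):
        piv = next((r for r in range(rank, A.shape[0]) if A[r, c] != 0), None)
        if piv is None:
            continue
        A[[rank, piv]] = A[[piv, rank]]
        A[rank] = (A[rank] * pow(int(A[rank, c]), -1, q)) % q
        for r in range(A.shape[0]):
            if r != rank and A[r, c] != 0:
                A[r] = (A[r] - A[r, c] * A[rank]) % q
        rank += 1
    return rank


def commitment_instance(seed=1):
    """Return (B, C', Z', V_ns, G) with [I_s (x) B | C'] [Z' ; V_ns] = I_s (x) G (eq. (8)).
    The real scheme obtains Z' and V_ns from Open_mx / Ver_mx of the Wee25 commitment;
    here Z' is solved for directly, which is possible because B = [I_n | B_2]."""
    rng = np.random.default_rng(seed)
    G = gadget(n, k, q)
    B = np.concatenate([np.eye(n, dtype=np.int64),
                        rng.integers(0, q, (n, m - n))], axis=1)
    V = rng.integers(-1, 2, (m, s * mp))            # short "verification" matrix V_ns
    Cp = rng.integers(0, q, (s * n, m))             # stacked C_2..C_smax, C'_1..C'_N
    Y = (np.kron(np.eye(s, dtype=np.int64), G) - Cp @ V) % q   # must equal (I_s(x)B) Z'
    Zp = np.zeros((s * m, s * mp), dtype=np.int64)
    for i in range(s):                              # B [Y_i ; 0] = Y_i since B = [I | B_2]
        Zp[i * m:i * m + n] = Y[i * n:(i + 1) * n]
    return B, Cp, Zp, V, G


def build_trapdoor(B, Cp, Zp, V, Rp, M_U):
    """W' := (M_U (x) I_n)((I_s (x) B) R' + C') and
    td := [ (M_U (x) I_m)(Z' - R' V_ns) ; V_ns ], as in the proof of Lemma 24."""
    Is_B = np.kron(np.eye(s, dtype=np.int64), B)
    Wp = (np.kron(M_U, np.eye(n, dtype=np.int64)) @ ((Is_B @ Rp + Cp) % q)) % q
    top = (np.kron(M_U, np.eye(m, dtype=np.int64)) @ ((Zp - Rp @ V) % q)) % q
    return Wp, np.concatenate([top, V % q], axis=0)


def identity_holds(M_U, seed=1, tamper=False):
    """Check [I_{g+h} (x) B | W'] td == M_U (x) G over Z_q.
    With tamper=True the td is built from an unrelated R', which should fail."""
    B, Cp, Zp, V, G = commitment_instance(seed)
    rng = np.random.default_rng(seed + 1)
    pm1 = np.array([-1, 1], dtype=np.int64)
    Rp = rng.choice(pm1, size=(s * m, m))           # stacked R'_i and R''_u, entries in {-1,1}
    Wp, td = build_trapdoor(B, Cp, Zp, V, Rp, M_U)
    if tamper:
        _, td = build_trapdoor(B, Cp, Zp, V, rng.choice(pm1, size=(s * m, m)), M_U)
    gh = M_U.shape[0]
    lhs = (np.concatenate([np.kron(np.eye(gh, dtype=np.int64), B), Wp], axis=1) @ td) % q
    rhs = np.kron(M_U, G) % q
    return bool(np.array_equal(lhs, rhs))


# g = 1 policy row (from M_I, zero-padded) and h = 1 unit row e_{u'}: full row rank.
M_GOOD = np.array([[1, -1, 0, 0], [0, 0, 1, 0]], dtype=np.int64)
# Two proportional rows: the identity still holds algebraically, but M_U (x) G is
#   rank deficient, so Lemma 1 no longer applies and td is not a trapdoor.
M_BAD = np.array([[1, -1, 0, 0], [-1, 1, 0, 0]], dtype=np.int64)

if __name__ == "__main__":
    for name, M_U in (("full-rank M_U", M_GOOD), ("rank-deficient M_U", M_BAD)):
        print(name, "identity:", identity_holds(M_U), "rank mod q:", rank_mod_q(M_U))
    print("tampered td:", identity_holds(M_GOOD, tamper=True))
```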
[ I g + h ⊗ B | W ′ ] ( M U ⊗ I m )( Z ′ − R ′ V ns ) V ns = ( I g + h ⊗ B )( M U ⊗ I m )( Z ′ − R ′ V ns ) + ( M U ⊗ I n )(( I s ⊗ B ) R ′ + C ′ ) V ns = ( M U ⊗ I n )( I s ⊗ B )( Z ′ − R ′ V ns ) + ( M U ⊗ I n )(( I s ⊗ B ) R ′ + C ′ ) V ns = ( M U ⊗ I n )[ I s ⊗ B | C ′ ] Z ′ V ns = ( M U ⊗ I n )( I s ⊗ G ) = M U ⊗ G . Since M U has full ro w rank, we know td serves as a trapdoor for [ I g + h ⊗ B | W ′ ] by Lemma 1. Lemma 25. Suppose that χ s > m 2 χ · λ ω (1) . W e have H 6 s ≈ H 7 . Pr oof. The only difference between Games H 6 and H 7 lies in the way the ciphertext components c 2 and c 3 are sampled. In Game H 6 , the challenger first samples s $ ← − Z n q , e 1 ← D m Z ,χ , e 2 ← D m Z ,χ s , e 3 ← D Z ,χ s , and computes c ⊤ 1 ← s ⊤ B + e ⊤ 1 , c ⊤ 2 ← s ⊤ ( A + C ) + e ⊤ 2 and c 3 ← s ⊤ y + msg · ⌈ q / 2 ⌋ + e 3 . In Game H 7 , the challenger generates c 1 exactly the same as in Game H 6 , samples e 2 ← D m Z ,χ s , e 3 ← D Z ,χ s , and computes c ⊤ 2 ← c ⊤ 1 R + e ⊤ 2 and c 3 ← c ⊤ 1 r + msg · ⌈ q / 2 ⌋ + e 3 . In Game H 7 , using the relations A ′ = BR and A = A ′ − C , we have that c ⊤ 2 ← c ⊤ 1 R + e ⊤ 2 = s ⊤ BR + e ⊤ 1 R + e ⊤ 2 = s ⊤ A ′ + e ⊤ 1 R + e ⊤ 2 = s ⊤ ( A + C ) + e ⊤ 1 R + e ⊤ 2 . By bounding the error term, we have ∥ e ⊤ 1 R ∥ ≤ m 3 / 2 · χ with ov erwhelming probabiliry . By the noise- smudging lemma, we obtain that e ⊤ 1 R + e ⊤ 2 is statistically indistinguishable from e ⊤ 2 . Therefore, the ciphertexts c 2 generated in two games are statistically indistinguishable. An analogous argument applies 34 to c 3 . Since ( c 2 , c 3 ) are the only ciphertext components that dif fer between the two games, the full ciphertext distributions in Games H 6 and H 7 are statistically indistinguishable. Therefore, H 6 s ≈ H 7 . Lemma 26. Suppose that (2 m 2 , σ ) -succinct L WE assumption holds. W e have H 7 c ≈ H 8 . Pr oof. Suppose that there exists an PPT adversary A that can distinguish between Game H 7 and H 8 with non-negligible adv antage. 
W e construct an PPT adversary B that can break the (2 m 2 , σ ) -succinct L WE assumption with non-negligible advantage. The adversary B proceeds as follows: Setup Phase. The algorithm B recei ves from its challenger a succinct L WE challenge ( B , W , T , c ) , where B ∈ Z n × m q , W ∈ Z 2 m 2 n × m q , T ∈ Z (2 m 2 +1) m × 2 m 3 q , and c is sampled as c ⊤ ← s ⊤ B + e ⊤ for some s ∈ Z n q , e ← D m Z ,χ or c $ ← − Z m q . It sets pp := ( B , W , T ) . 1) It samples r $ ← − {− 1 , 1 } m , { R u } u ∈ [ N ] $ ← − {− 1 , 1 } m × ( m +1) , and R , { R ′ i } i ∈{ 2 ,...,s max } , { R ′′ u } u ∈ [ N ] $ ← − {− 1 , 1 } m × m . 2) It sets A ′ ← BR and y ← Br . 3) For all i ∈ { 2 , . . . , s max } , it computes C i ← Com mx ( pp , u i − 1 ⊗ G ) . F or all u ∈ [ N ] , it computes C ′ u ← Com mx ( pp , u u + s max − 1 ⊗ G ) . 4) It samples { b ′ i } 2 ,...,s max $ ← − Z n q and { d ′ u } u ∈ [ N ] $ ← − Z n q . 5) For all i ∈ { 2 , . . . , s max } , it sets B ′ i ← BR ′ i + C i and B i ← [ b ′ i | B ′ i ] . 6) For all u ∈ [ N ] , it sets D ′ u ← BR ′′ u + C ′ u and D u ← [ d ′ u | D ′ u ] . 7) For all u ∈ ρ ([ ℓ ]) , it sets N u ← P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j B ′ j and n u ← M ρ − 1 ( u ) , 1 y + P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j b ′ j . 8) For all u ∈ [ N ] set U u ← BR u , and set U ← [ U 1 | · · · | U N ] . 9) For all u ∈ ρ ([ ℓ ]) , it sets Q u ← U u − ( M ρ − 1 ( u ) , 1 ( y | 0 | · · · | 0 ) + P 2 ≤ j ≤ s max M ρ − 1 ( u ) ,j B j ) . 10) For all u ∈ [ N ] \ ρ ([ ℓ ]) , it sets Q u ← U u − D u . 11) It computes C ← Com mx ( pp , U ) and sets A ← A ′ − C ∈ Z n × m q . 12) It sets the public ke y pk = ( pp , n, m, q , σ, χ, χ 1 , χ s , A , { B i } i ∈{ 2 ,...,s max } , { D u } u ∈ [ N ] , { Q u } u ∈ [ N ] , y ) and sends it to A . Query Phase. 
To respond to a secret-key query for an attribute set $U \subseteq \mathcal{U} = [N]$, the adversary $\mathcal{B}$ proceeds exactly as in Games $H_7$ and $H_8$:
1) It first computes $V = [V_1 \mid \cdots \mid V_N] \leftarrow \mathsf{Ver}_{\mathsf{mx}}(\mathrm{pp}, 1^{(m+1)N})$ and $Z = [Z_1 \mid \cdots \mid Z_N] \leftarrow \mathsf{Open}_{\mathsf{mx}}(\mathrm{pp}, U)$.
2) It samples $\hat{t} \leftarrow D^m_{\mathbb{Z},\chi}$.
3) Denote $U \cap \rho([\ell]) = \{u_1, \dots, u_g\}$ and $U \setminus \rho([\ell]) = \{u'_1, \dots, u'_h\}$, and set $W' \leftarrow [N_{u_1}^\top \mid \cdots \mid N_{u_g}^\top \mid D'^{\top}_{u'_1} \mid \cdots \mid D'^{\top}_{u'_h}]^\top$.
4) It samples $\{\hat{k}_u\}_{u \in U} \leftarrow D^m_{\mathbb{Z},\chi_s}$.
5) It computes
$$
\begin{pmatrix} \tilde{k}_{u_1} \\ \vdots \\ \tilde{k}_{u_g} \\ \tilde{k}_{u'_1} \\ \vdots \\ \tilde{k}_{u'_h} \\ \tilde{t} \end{pmatrix}
= \mathsf{SamplePre}\left( [I_{g+h} \otimes B \mid W'],\ \mathrm{td},\
\begin{pmatrix} -n_{u_1} - N_{u_1} \hat{t} - B \hat{k}_{u_1} \\ \vdots \\ -n_{u_g} - N_{u_g} \hat{t} - B \hat{k}_{u_g} \\ -d'_{u'_1} - D'_{u'_1} \hat{t} - B \hat{k}_{u'_1} \\ \vdots \\ -d'_{u'_h} - D'_{u'_h} \hat{t} - B \hat{k}_{u'_h} \end{pmatrix},\ \chi_1 \right)
$$
using the trapdoor $\mathrm{td}$ for $[I_{g+h} \otimes B \mid W']$. The construction of $\mathrm{td}$ is given in the proof of Lemma 24.
6) It sets $t = (1, \hat{t}^\top + \tilde{t}^\top)^\top \in \mathbb{Z}_q^{m+1}$.
7) For all $u \in U$, it computes $k_u \leftarrow \hat{k}_u + \tilde{k}_u + R V_u t + Z_u t$.
8) Then it provides the secret-key response $\mathrm{sk} \leftarrow (\{k_u\}_{u \in U}, t)$ to the adversary $\mathcal{A}$.

Challenge Phase.
1) It sets $c_1 \leftarrow c$.
2) It samples $\mathrm{msg} \xleftarrow{\$} \{0,1\}$, $e_2 \leftarrow D^m_{\mathbb{Z},\chi_s}$, and $e_3 \leftarrow D_{\mathbb{Z},\chi_s}$.
3) It computes $c_2^\top \leftarrow c_1^\top R + e_2^\top$ and $c_3 \leftarrow c_1^\top r + \mathrm{msg} \cdot \lceil q/2 \rfloor + e_3$.
4) Finally, it provides the challenge ciphertext $\mathrm{ct} \leftarrow (c_1, c_2, c_3)$ to the adversary $\mathcal{A}$.

Guess Phase. The algorithm $\mathcal{B}$ outputs whatever the adversary $\mathcal{A}$ outputs.

It is straightforward that the algorithm $\mathcal{B}$ simulates either Game $H_7$ or Game $H_8$ perfectly, depending on whether $c^\top = s^\top B + e_1^\top$ for some $s \in \mathbb{Z}_q^n$ and $e_1 \leftarrow D^m_{\mathbb{Z},\chi}$, or $c \xleftarrow{\$} \mathbb{Z}_q^m$. Therefore, the advantage of $\mathcal{B}$ in breaking the succinct LWE assumption is no less than the advantage of $\mathcal{A}$ in distinguishing Games $H_7$ and $H_8$, which leads to a contradiction. Hence, we complete the proof.

Lemma 27. Suppose that $m > 2n \log q + \omega(\log n)$. We have $H_8 \approx_s H_9$.

Proof.
This lemma follows from the leftover hash lemma (Lemma 4). Suppose there exists an adversary $\mathcal{A}$ that can distinguish between Games $H_8$ and $H_9$ with non-negligible advantage; we construct an adversary $\mathcal{B}$ that breaks the leftover hash lemma with non-negligible advantage, which leads to a contradiction. The algorithm $\mathcal{B}$ proceeds as follows:

Setup Phase. The algorithm $\mathcal{B}$ first invokes $\mathcal{A}$ and receives an access policy $(M, \rho)$, where $M \in \{-1,0,1\}^{\ell \times s_{\max}}$ and $\rho : [\ell] \to \mathcal{U}$ is an injective function. Then it proceeds as follows:
1) It receives a challenge $(b_0^\top, s_0)$, where $b_0 \in \mathbb{Z}_q^m$, $s_0 \in \mathbb{Z}_q$.
2) It samples $(B, \mathrm{td}_B) \leftarrow \mathsf{TrapGen}(1^n, 1^m, q)$ and $W \xleftarrow{\$} \mathbb{Z}_q^{2m^2 n \times m}$.
3) Then it samples $T \leftarrow \mathsf{SamplePre}\left([I_{2m^2} \otimes B \mid W],\ \begin{pmatrix} I_{2m^2} \otimes \mathrm{td}_B \\ 0 \end{pmatrix},\ I_{2m^2} \otimes G,\ \sigma\right)$.
4) It sets $\mathrm{pp} := (B, W, T)$.
5) It samples $r \xleftarrow{\$} \{-1,1\}^m$, $\{R_u\}_{u \in [N]} \xleftarrow{\$} \{-1,1\}^{m \times (m+1)}$, and $R, \{R'_i\}_{i \in \{2,\dots,s_{\max}\}}, \{R''_u\}_{u \in [N]} \xleftarrow{\$} \{-1,1\}^{m \times m}$.
6) It sets $A' \leftarrow BR$ and $y \leftarrow Br$.
7) For all $i \in \{2, \dots, s_{\max}\}$, it computes $C_i \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathrm{pp}, u_{i-1} \otimes G)$. For all $u \in [N]$, it computes $C'_u \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathrm{pp}, u_{u + s_{\max} - 1} \otimes G)$.
8) It samples $\{b'_i\}_{i=2}^{s_{\max}} \xleftarrow{\$} \mathbb{Z}_q^n$ and $\{d'_u\}_{u \in [N]} \xleftarrow{\$} \mathbb{Z}_q^n$.
9) For all $i \in \{2, \dots, s_{\max}\}$, it sets $B'_i \leftarrow BR'_i + C_i$ and $B_i \leftarrow [b'_i \mid B'_i]$.
10) For all $u \in [N]$, it sets $D'_u \leftarrow BR''_u + C'_u$ and $D_u \leftarrow [d'_u \mid D'_u]$.
11) For all $u \in \rho([\ell])$, it sets $N_u \leftarrow \sum_{2 \le j \le s_{\max}} M_{\rho^{-1}(u),j} B'_j$ and $n_u \leftarrow M_{\rho^{-1}(u),1}\, y + \sum_{2 \le j \le s_{\max}} M_{\rho^{-1}(u),j}\, b'_j$.
12) For all $u \in [N]$, it sets $U_u \leftarrow BR_u$ and sets $U \leftarrow [U_1 \mid \cdots \mid U_N]$.
13) For all $u \in \rho([\ell])$, it sets $Q_u \leftarrow U_u - \big(M_{\rho^{-1}(u),1}\,(y \mid 0 \mid \cdots \mid 0) + \sum_{2 \le j \le s_{\max}} M_{\rho^{-1}(u),j} B_j\big)$.
14) For all $u \in [N] \setminus \rho([\ell])$, it sets $Q_u \leftarrow U_u - D_u$.
15) It computes $C \leftarrow \mathsf{Com}_{\mathsf{mx}}(\mathrm{pp}, U)$ and sets $A \leftarrow A' - C \in \mathbb{Z}_q^{n \times m}$.
16) The challenger sets the public key $\mathrm{pk} = (\mathrm{pp}, n, m, q, \sigma, \chi, \chi_1, \chi_s, A, \{B_i\}_{i \in \{2,\dots,s_{\max}\}}, \{D_u\}_{u \in [N]}, \{Q_u\}_{u \in [N]}, y)$ and sends it to $\mathcal{A}$.

Query Phase. To respond to a secret-key query for an attribute set $U \subseteq \mathcal{U} = [N]$, the adversary $\mathcal{B}$ proceeds exactly as in Games $H_8$ and $H_9$.

Challenge Phase. Precisely,
1) It samples $\mathrm{msg} \xleftarrow{\$} \{0,1\}$, $e_2 \leftarrow D^m_{\mathbb{Z},\chi_s}$, $e_3 \leftarrow D_{\mathbb{Z},\chi_s}$.
2) It sets $c_1 \leftarrow b_0$ and computes $c_2^\top \leftarrow c_1^\top R + e_2^\top$ and $c_3 \leftarrow s_0 + \mathrm{msg} \cdot \lceil q/2 \rfloor + e_3$.
3) Finally, it provides the challenge ciphertext $\mathrm{ct} \leftarrow (c_1, c_2, c_3)$ to the adversary $\mathcal{A}$.

Guess Phase. The algorithm $\mathcal{B}$ outputs whatever the adversary $\mathcal{A}$ outputs.

It is straightforward that the algorithm $\mathcal{B}$ simulates either Game $H_8$ or Game $H_9$ depending on whether $s_0 = b_0^\top r$ for some $r \xleftarrow{\$} \{-1,1\}^m$ or $s_0 \xleftarrow{\$} \mathbb{Z}_q$. We know $\mathcal{B}$ simulates either Game $H_8$ or Game $H_9$ up to negligible statistical distance. Therefore, the advantage of the algorithm $\mathcal{B}$ in breaking the leftover hash lemma differs only negligibly from the advantage of the adversary $\mathcal{A}$ in distinguishing between Games $H_8$ and $H_9$. Hence $H_8 \approx_s H_9$.

C. Broadcast Encryption

As discussed in [BV22, Wee22, Wee24], CP-ABE for circuits gives a broadcast encryption scheme for $N = \ell$ users. In the broadcast encryption scheme, we can use a circuit of size $O(N \log N)$ and depth $O(\log N)$ to check the membership of the users. More precisely,

Corollary 2 (Broadcast encryption). Under the $\mathrm{poly}(\lambda)$-succinct LWE assumption, we have a broadcast encryption scheme for $N$ users with parameters $|\mathrm{pk}| = N \cdot \mathrm{poly}(\lambda, \log N)$, $|\mathrm{sk}| = \mathrm{poly}(\lambda, \log N)$, $|\mathrm{ct}| = \mathrm{poly}(\lambda)$.

REFERENCES

[ABB10] Shweta Agrawal, Dan Boneh, and Xavier Boyen. Efficient lattice (H)IBE in the standard model. In Advances in Cryptology – EUROCRYPT 2010, pages 553–572, 2010.
[AFV11] Shweta Agrawal, David Mandell Freeman, and Vinod Vaikuntanathan. Functional encryption for inner product predicates from learning with errors. In Advances in Cryptology – ASIACRYPT 2011, pages 21–40, 2011.
[Ajt96] Miklós Ajtai. Generating hard instances of lattice problems. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pages 99–108, 1996.
[AKY24] Shweta Agrawal, Simran Kumari, and Shota Yamada. Attribute based encryption for Turing machines from lattices. In Advances in Cryptology – CRYPTO 2024, pages 352–386, 2024.
[AWY20] Shweta Agrawal, Daniel Wichs, and Shota Yamada. Optimal broadcast encryption from LWE and pairings in the standard model. In Theory of Cryptography, pages 149–178, 2020.
[AY20] Shweta Agrawal and Shota Yamada. Optimal broadcast encryption from pairings and LWE. In Advances in Cryptology – EUROCRYPT 2020, pages 13–43, 2020.
[Ban93] Wojciech Banaszczyk. New bounds in some transference theorems in the geometry of numbers. Math. Annalen, 296(4):625–635, 1993.
[BDE+18] Jonathan Bootle, Claire Delaplace, Thomas Espitau, Pierre-Alain Fouque, and Mehdi Tibouchi. LWE without modular reduction and improved side-channel attacks against BLISS. In Advances in Cryptology – ASIACRYPT 2018, pages 494–524, 2018.
[Bei96] Amos Beimel. Secure schemes for secret sharing and key distribution. PhD thesis, Technion – Israel Institute of Technology, Israel, 1996.
[BGG+14] Dan Boneh, Craig Gentry, Sergey Gorbunov, Shai Halevi, Valeria Nikolaenko, Gil Segev, Vinod Vaikuntanathan, and Dhinakaran Vinayagamurthy. Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In Advances in Cryptology – EUROCRYPT 2014, pages 533–556, 2014.
[Boy13] Xavier Boyen. Attribute-based functional encryption on lattices. In Theory of Cryptography, pages 122–142, 2013.
[BTVW17] Zvika Brakerski, Rotem Tsabary, Vinod Vaikuntanathan, and Hoeteck Wee. Private constrained PRFs (and more) from LWE. In Theory of Cryptography – 15th International Conference, TCC 2017, pages 264–302, 2017.
[BV16] Zvika Brakerski and Vinod Vaikuntanathan. Circuit-ABE from LWE: Unbounded attributes and semi-adaptive security. In Advances in Cryptology – CRYPTO 2016, pages 363–384, 2016.
[BV22] Zvika Brakerski and Vinod Vaikuntanathan. Lattice-inspired broadcast encryption and succinct ciphertext-policy ABE. In 13th Innovations in Theoretical Computer Science Conference, ITCS 2022, volume 215, pages 28:1–28:20, 2022.
[CW23] Valerio Cini and Hoeteck Wee. ABE for circuits with $\mathrm{poly}(\lambda)$-sized keys from LWE. In 2023 IEEE 64th Annual Symposium on Foundations of Computer Science (FOCS), pages 435–446, 2023.
[DKW21] Pratish Datta, Ilan Komargodski, and Brent Waters. Decentralized multi-authority ABE for DNFs from LWE. In Advances in Cryptology – EUROCRYPT 2021, pages 177–209, 2021.
[GGH+13] Sanjam Garg, Craig Gentry, Shai Halevi, Amit Sahai, and Brent Waters. Attribute-based encryption for circuits from multilinear maps. In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology – CRYPTO 2013, pages 479–499, 2013.
[GPSW06] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pages 89–98, 2006.
[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Proc. 41st Annu. ACM Symp. Theory Comput., pages 197–206, 2008.
[GV15] Sergey Gorbunov and Dhinakaran Vinayagamurthy. Riding on asymmetry: Efficient ABE for branching programs. In Advances in Cryptology – ASIACRYPT 2015, pages 550–574, 2015.
[HLL24] Yao-Ching Hsieh, Huijia Lin, and Ji Luo. A general framework for lattice-based ABE using evasive inner-product functional encryption. In Advances in Cryptology – EUROCRYPT 2024, pages 433–464, 2024.
[MP12] Daniele Micciancio and Chris Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In Advances in Cryptology – EUROCRYPT 2012, pages 700–718, 2012.
[MR07] Daniele Micciancio and Oded Regev. Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput., 37(1):267–302, 2007.
[SW05] Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In Advances in Cryptology – EUROCRYPT 2005, pages 457–473, 2005.
[Tsa19] Rotem Tsabary. Fully secure attribute-based encryption for t-CNF from LWE. In Advances in Cryptology – CRYPTO 2019, pages 62–85, 2019.
[Wee22] Hoeteck Wee. Optimal broadcast encryption and CP-ABE from evasive lattice assumptions. In Advances in Cryptology – EUROCRYPT 2022, pages 217–241, 2022.
[Wee24] Hoeteck Wee. Circuit ABE with $\mathrm{poly}(\mathrm{depth}, \lambda)$-sized ciphertexts and keys from lattices. In Advances in Cryptology – CRYPTO 2024, pages 178–209, 2024.
[Wee25] Hoeteck Wee. Almost optimal KP and CP-ABE for circuits from succinct LWE. In Advances in Cryptology – EUROCRYPT 2025, pages 34–62, 2025.
[WWW22] Brent Waters, Hoeteck Wee, and David J. Wu. Multi-authority ABE from lattices without random oracles. In Theory of Cryptography – 20th International Conference, TCC 2022, pages 651–679, 2022.
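As an added illustration of the statistical hop in Lemma 27 (this code is not from the paper), the following Python computes, for a fixed $b_0 \in \mathbb{Z}_q^m$, the exact statistical distance between $b_0^\top r \bmod q$ with $r \xleftarrow{\$} \{-1,1\}^m$ (the value behind $c_3$ in Game $H_8$) and a uniform $s_0 \in \mathbb{Z}_q$ (Game $H_9$). The modulus $q = 97$, the dimensions $m$ and the seeded $b_0$ are toy values chosen here, not the paper's parameters.

```python
from fractions import Fraction
import random

def hash_distribution(b0, q):
    """Exact distribution of b0^T r mod q when r is uniform over {-1,1}^m.

    Each coordinate r_i contributes +b_i or -b_i with probability 1/2, so
    the result is the convolution of m two-point distributions on Z_q.
    This costs O(m*q) instead of enumerating all 2^m choices of r.
    """
    dist = [Fraction(0)] * q
    dist[0] = Fraction(1)
    for bi in b0:
        nxt = [Fraction(0)] * q
        for v, p in enumerate(dist):
            if p:
                nxt[(v + bi) % q] += p / 2   # r_i = +1
                nxt[(v - bi) % q] += p / 2   # r_i = -1
        dist = nxt
    return dist

def distance_from_uniform(b0, q):
    """Statistical distance between b0^T r mod q and uniform on Z_q for a
    fixed b0.  This is the H8-vs-H9 gap for c_3: the common shift
    msg*ceil(q/2) + e_3 applied in both games cannot increase it."""
    u = Fraction(1, q)
    return sum(abs(p - u) for p in hash_distribution(b0, q)) / 2

def sample_b0(m, q, seed):
    """Constructed sample for b0 <- Z_q^m (seeded for reproducibility)."""
    rng = random.Random(seed)
    return [rng.randrange(q) for _ in range(m)]

if __name__ == "__main__":
    q = 97  # toy modulus chosen for this example, not a paper parameter
    for m in (4, 16, 64):
        d = distance_from_uniform(sample_b0(m, q, seed=1), q)
        print(f"m={m:3d}: distance from uniform = {float(d):.3e}")
```

Averaging this per-$b_0$ distance over uniform $b_0$ gives exactly the leftover-hash-lemma distance; the run shows it collapsing as $m$ grows past $\log q$, while $m = 4$ confines $b_0^\top r$ to at most 16 residues and leaves the two games trivially distinguishable.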