See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/338680802

Matchmaking Encryption from Functional Encryption for Deterministic

Functionalities

Article · January 2020

CITATIONS READS

0 99

2 authors, including:

Xi-Jun Lin
Ocean University of China
21 PUBLICATIONS   62 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Public Key Encryption with Equality Test View project

All content following this page was uploaded by Xi-Jun Lin on 19 January 2020.

The user has requested enhancement of the downloaded file.

 Matchmaking Encryption from Functional Encryption for
Deterministic Functionalities
Xi-Jun Lin ∗and Lin Sun †

January 19, 2020

Abstract
Recently, an interesting form of encryption, called matchmaking encryption (ME),
was first proposed by Ateniese et al. (CRYPTO 2019). On the theoretical side, they
claimed that it is difficult to construct ME from functional encryption for determinis-
tic functionalities (FE) because it is hard to guarantee the privacy completely by using
FE. They proposed instead two constructions of ME from functional encryption for ran-
domized functionalities (rFE) and two-input functional encryption (2FE), respectively.
This motivates the question: Is it feasible to construct ME from FE to guarantee the
privacy completely? In this paper, we answer this question to the positive by proposing
new constructions of ME from FE, which establishes the feasibility of ME supporting
arbitrary policies by using FE (for deterministic functionalities) as the building block.

Keywords: matchmaking encryption; ME; functional encryption; deterministic func-

tionality; privacy

1 Introduction
In CRYPTO 2019, an interesting cryptographic primitive, called matchmaking encryp-
tion (ME), was first proposed by Ateniese et al. [2]. Using ME, which can be seen as a
non-interactive version of secret handshake protocol [3, 4, 7, 11–16], sender and receiv-
er (each with its own attributes) can both specify policies the other party must satisfy
in order for the message to be revealed. The main security guarantee is that of privacy-
preserving policy matching: Nothing is leaked during decryption beyond the fact that a
match occurred/did not occur.
In ME, roughly speaking, a trusted authority (TA) generates encryption key associated
to attributes σ of the sender. TA also generates two decryption keys associated, respectively,
to attributes ρ and an arbitrary policy S of the receiver. The sender encrypts a plaintext m
associated with an arbitrary policy R by using its encryption key. The receiver will retrieve
the plaintext m iff a match occurs, that is, the sender’s attributes σ match the receiver’s
policy S (i.e., S(σ) = 1) and at the same time the receiver’s attributes ρ match the sender’s
policy R (i.e., R(ρ) = 1). If no match occurs (i.e., S(σ) = 0 or R(ρ) = 0), the receiver learns
nothing about the plaintext m, sender’s attributes σ and policy R. On the other hand, TA
∗
X.-J. Lin is with the Department of Computer Science and Technology, Ocean University of China.
email: [email protected]
†
L. Sun is with the College of Liberal Arts, Qingdao University. P.R.China.

1
certifies the sender’s attributes σ to avoid a malicious sender embedding fake attributes into
a valid ciphertext.
As for the security, privacy and authenticity are considered. Roughly speaking, privacy
looks at the secrecy of the sender. That is, given a ciphertext generated on (m, σ, R),
a receiver who possesses decryption keys for attributes ρ and policy S can decrypt the
ciphertext iff both S(σ) = 1 and R(ρ) = 1 hold. Moreover, a malicious receiver cannot
decrypt the ciphertext if either S(σ) = 0 or R(ρ) = 0. Authenticity means that a malicious
sender who does not possess certified attributes σ cannot generate a valid ciphertext.
By presenting two unsuccessful attempts in [2], Ateniese et al. claimed that it is difficult
to build a secure ME supporting arbitrary policies from functional encryption for deter-
ministic functionalities (FE) [6, 8], because it is hard to guarantee the privacy completely
by using FE. They presented instead two black-box constructions of ME from functional
encryption schemes for randomized functionalities (rFE) [1, 10] and two-input functional
encryption (2FE) [9], respectively. This naturally motivates the question:

Is it feasible to construct ME from FE to guarantee the privacy completely?

1.1 Contribution and Technical Overview

In this paper, we formally address this issue. We can answer this question to the positive
by presenting two black-box constructions of ME from FE to provide the complete privacy.
Before describing the idea behind our constructions, we first review Ateniese et al.’s two
unsuccessful attempts [2].
Ateniese et al.’s first attempt. In their first construction, the idea is to apply
sequentially two FE schemes for functionalities fρ1 and fS2 respectively, where fρ1 checks
whether the sender’s policy R is satisfied by the receiver’s attributes ρ (i.e., whether R(ρ) =
1 holds), whereas fS2 checks whether the receiver’s policy S is satisfied by the sender’s
attributes σ (i.e., whether S(σ) = 1 holds).
A sender encrypts (σ, m) under the second FE scheme, and then encrypts (R, c) under
the first FE scheme, where m is a plaintext and c is the corresponding output of the second
FE scheme. The receiver first decrypts the ciphertext by using private key dkρ associated
with function fρ1 , where the output is c if R(ρ) = 1 and ⊥ (to indicate decryption failure)
otherwise. If the output of the decryption is not ⊥, the receiver decrypts the obtained value
by using private key dkS associated with function fS2 . Finally, m is retrieved if S(σ) = 1
and ⊥ otherwise.
A malicious receiver cannot reveal the plaintext m because the semantic security of
the second FE scheme computationally hides m. However, the privacy is not guaranteed
completely because the receiver infers that the sender’s attributes σ match (resp. do not
match) its policy S if the first encrypted layer decrypts correctly (resp. does not decrypt
correctly).
Ateniese et al.’s second attempt. In their second construction, the idea is also
to apply two FE schemes for functionalities fρ1 and fS2 , respectively. The functions are
fρ1 (R, r1 , k1 ) and fS2 (σ, r2 , k2 ). fρ1 (R, r1 , k1 ) (resp. fS2 (σ, r2 , k2 )) returns r1 (resp. r2 ) if
R(ρ) = 1 (resp. S(σ) = 1); otherwise, it returns Fk1 (ρ) (resp. Fk2 (S)), where k1 (resp.
k2 ) is a key for the pseudorandom function [5] (PRF) F. A ciphertext consists of three
values (c1 , c2 , c3 ), where c1 is an encryption of (R, r1 , k1 ) under the first FE scheme, c2 is

2
an encryption of (σ, r2 , k2 ) under the second FE scheme, and c3 = r1 ⊕ r2 ⊕ m. A receiver
decrypts c1 and c2 by using the decryption keys dkρ and dkS respectively, and finally xor
the outputs between them and with c3 .
However, the privacy is not guaranteed completely as well. A malicious receiver who
possesses decryption keys for distinct attributes ρ and ρ′ , such that both satisfy the sender’s
policy R, is able to figure out whether R is matched by simply decrypting c1 twice (using
attributes ρ and ρ′ ) and comparing whether the same value (i.e., r1 ) is outputted twice.
Our technical approaches. As mentioned in [2], the main technical challenge of
building ME is to ensure that the policies of sender and receiver are simultaneously checked
to avoid any leakage. That is, it is needed to check whether R(ρ) = 1 and S(σ) = 1 hold
simultaneously to avoid the above attacks. In our constructions, the idea is also to apply
sequentially two FE schemes for functionalities fρ1 and fS2 , respectively.
(1) In our first construction, the function fρ1 is fρ1 (m, R, σ, k1 , k2 , k), where k, k1 , k2 are
keys for the PRF F. It returns an encryption of (r1 , r2 , m, σ) under the second FE scheme
which is randomized by the value of Fk (ρ) to provide semantic security since fρ1 is deter-
ministic, where r1 = r2 = Fk1 (ρ) if R(ρ) = 1, and r1 = Fk1 (ρ), r2 = Fk2 (ρ) otherwise. The
function fS2 checks whether r1 = r2 and S(σ) = 1 hold simultaneously: If it is the case, it
returns the plaintext m; otherwise, it returns ⊥ to indicate decryption failure.
A sender first picks random numbers k, k1 , k2 and then encrypts (m, R, σ, k1 , k2 , k) under
the first FE scheme. The receiver first decrypts the ciphertext by using decryption key dkρ
to obtain the encryption of (r1 , r2 , m, σ) under the second FE scheme, and then decrypts
the obtained value by using decryption key dkS .
Note that, semantic security of the first FE scheme computationally hides the information
of (m, R, σ). Moreover, (Fk1 (ρ), Fk1 (ρ), m, σ) and (Fk1 (ρ), Fk2 (ρ), m, σ) is indistinguishable
due to the semantic security of the second FE scheme, which implies that a malicious
receiver cannot distinguish between R(ρ) = 1 and R(ρ) = 0 from the output of the first
decryption procedure. Therefore, the above attacks are avoided.
(2) Our second construction is simpler than the first. The function fρ1 (m, R, σ, k), where
k is a key for the PRF F, returns an encryption of (m, R, σ, ρ) under the second FE scheme,
which is randomized by the value of Fk (ρ) to provide semantic security since fρ1 is deter-
ministic. The function fS2 checks whether R(ρ) = 1 and S(σ) = 1 hold simultaneously: If it
is the case, it returns the plaintext m; otherwise, it returns ⊥ to indicate decryption failure.
A sender first picks a random number k and then encrypts (m, R, σ, k) under the first FE
scheme. The receiver first decrypts the ciphertext by using decryption key dkρ to obtain
the encryption of (m, R, σ, ρ) under the second FE scheme, and then decrypts the obtained
value by using decryption key dkS .
It is obvious that semantic security of the underlying FE schemes provides the privacy
completely, because the plaintext is returned iff the policies are satisfied simultaneously.
As for the authenticity, we follow the technique presented in [2]: The sender obtains a
signature s on its own attributes σ from TA (the pair (σ, s) is the sender’s encryption key),
and then proves in zero knowledge that it knows a valid signature for the attributes which
are hidden in the ciphertext.

3
1.2 Organization
In the following section, we review several definitions of the building blocks. We follow
it with a section to review the formal definition of ME, which is followed by a section to
present our black-box constructions. In the last section, we conclude our work.

2 Preliminaries
Notation. Throughout the paper, λ ∈ N denotes a security parameter, and we implicitly
assume that every algorithm takes as input the security parameter. For a positive integer
n, we denote by [n] the set {1, · · · , n}.
By y ← A(x), we denote the operation of running an algorithm A on input x and
outputting y; if A is randomized, y is a random variable and A(x; r) denotes a run of A on
input x and (uniform) randomness r. If algorithm A, which is modeled as Turing machine,
has oracle access to some oracle O, we implicitly denote QO as the set of queries asked by A
to the oracle O. We write negl(λ) to denote a negligible function in the security parameter.
By ≡, we denote the equality of statistical distributions, and for any c > 0, we denote
by ≈c the c-statistical difference of two distributions.

2.1 Pseudorandom Functions

Let K be a distribution over {0, 1}n and {Fk : {0, 1}λ → {0, 1}ℓ } be a family of functions
indexed by strings k in the support of K.

Definition 1 (Pseudorandom function) {Fk } is a (t, ϵ)-PRF family if for every Boolean-
valued oracle circuit D of size at most t,

|Pr[DFk accepts] − Pr[DR accepts]| ≤ ϵ,

k R

where k is distributed according to K, and R is a function sampled uniformly at random

from the set of all functions from {0, 1}λ to {0, 1}ℓ .

The string k is called the key, the circuit D is called the distinguisher, and the difference
in probabilities is its distinguishing advantage with respect to Fk . Since D is nonuniform, we
may assume that it is deterministic, as it can always hardwire the coin tosses that maximize
its distinguishing advantage.
The definition of PRFs can be restated by requiring that the following two games are
(t, ϵ)-computationally indistinguishable:
• Fk : Sample k ∈ {0, 1}n from K and give D adaptive oracle access to Fk .
• R: Sample R : {0, 1}λ → {0, 1}ℓ and give D adaptive oracle access to R.

2.2 Signature Schemes

A signature scheme consists of the following polynomial-time algorithms.
• KGen(1λ ): On input of the security parameter, this algorithm outputs a public/private
key pair (pk, sk).

4
 • Sign(sk, m): On input of the private key sk and a message m ∈ M, this algorithm
outputs a signature s w.r.t the message m.

• Ver(pk, s, m): On input of the public key pk, a signature s and a message m, this
algorithm returns a decision bit.

Correctness. A signature scheme Π = (KGen, Sign, Ver) with message space M is correct
if ∀λ ∈ N, ∀(pk, sk) ← KGen(1λ ), and ∀m ∈ M, the following holds:

Pr[Ver(pk, Sign(sk, m), m) = 1] = 1.

Definition 2 We say a signature scheme Π = (KGen, Sign, Ver) is existentially unforgeable

under chosen-message attacks (EUF-CMA) if for all probabilistic polynomial-time (PPT)
adversaries A, the following holds:

Pr[Geuf
Π,A (λ) = 1] ≤ negl(λ),

where Geuf
Π,A (λ) is the following experiment:

Geuf
Π,A (λ):
(pk, sk) ← KGen(1λ )
(m, s) ← ASign(sk,·) (1λ , pk)
If m ∈/ QSign and Ver(pk, s, m) = 1
output 1
Else output 0.

2.3 Functional Encryption for Deterministic Functionalities

An FE scheme for a deterministic functionality f : K × X → Y consists of the following
polynomial-time algorithms:

• Setup(1λ ): On input of the security parameter, this algorithm outputs a master pub-
lic/private key pair (mpk, msk).

• KGen(msk, k): On input of the master private key msk and an index k ∈ K, this
algorithm outputs a private key skk for fk .

• Enc(mpk, x): On input of the master public key mpk and an input x ∈ X , this
algorithm outputs a ciphertext cx .

• Dec(skk , cx ): On input of a private key skk and a ciphertext cx , this algorithm outputs
a value y ∈ Y.

Correctness. An FE scheme Π = (Setup, KGen, Enc, Dec) for a deterministic functional-

ity f : K × X → Y is correct if ∀x ∈ X and ∀k ∈ K, the following holds:

Pr[Dec(skk , Enc(mpk, x)) = fk (x)] = 1],

5
 where (mpk, msk) ← Setup(1λ ) and skk ← KGen(msk, k).

Definition 3 ((q1 , qc , q2 )-SIM-Security) An FE scheme Π = (Setup, KGen, Enc, Dec)

for a deterministic functionality f : K × X → Y is (q1 , qc , q2 )-SIM-secure if there exists
an efficient (stateful) simulator S = (S1 , S2 , S3 , S4 ) such that for all PPT adversaries A =
(A1 , A2 ), where A1 makes at most q1 oracle queries and A2 makes at most q2 oracle queries,
the outputs of the following two experiments are computationally indistinguishable:

REALΠ,A (λ): IDEALΠ,A (λ):

(mpk, msk) ← Setup(1λ ) (mpk, α′ ) ← S1 (1λ )
O′ (α′ ,·)
(x∗ , α) ← A1 1 (x∗ , α) ← A1 1
O (msk,·)
(1λ , mpk) (1λ , mpk)
∗
where x = (x0 , · · · , xqc ) ∗
where x = (x0 , · · · , xqc )
ci ← Enc(mpk, xi ) for i ∈ [qc ] Let {k1 , · · · , kq1 } ∈ QO1′
O (msk,·)
out ← A2 2 (1λ , {ci }, α) For i ∈ [qc ], j ∈ [q1 ]
return (x, {k}, out) yi,j = fkj (xi )
({ci }, α′ ) ← S3 (α′ , {yi,j })
O′ (α′ ,·)
out ← A2 2 (1λ , {ci }, α)
′
return (x, {k }, out)

Note that, the key generation oracles are defined as follows:

• O1 (msk, ·) and O2 (msk, ·) are implemented with the algorithm KGen(msk, ·). The
ordered set {k} consists of the queries made to oracles O1 and O2 .
• O1′ (α′ , ·) and O2′ (α′ , ·) are implemented with two simulators S2 (α′ , ·), S4 (α′ , ·). The
simulator S4 is given oracle access to KeyIdeal(x∗ , ·), which on input k, outputs fk (xi )
for every xi ∈ x∗ . The ordered set {k ′ } consists of the queries made to oracles O1′ and
the queries made by S4 to KeyIdeal.

2.4 Non-Interactive Zero Knowledge

Let R be a relation, corresponding to an NP language L. A non-interactive zero-
knowledge (NIZK) proof system for R consists of the following polynomial-time algorithms:
• I(1λ ): On input of the security parameter, this algorithm outputs a common reference
string (CRS) ω.
• P(ω, (y, x)): On input of the CRS ω and a pair (y, x) ∈ R, this algorithm outputs a
proof π.
• V(ω, (y, π)): On input of the CRS ω, an instance y and a proof π, this algorithm
outputs either 0 (for “reject”) or 1 (for “accept”).
Correctness. We say that a NIZK proof system Π = (I, P, V) for relation R is correct if
∀λ ∈ N, ∀ω ← I(1λ ), and any (y, x) ∈ R, we have that V(ω, (y, P (ω, (y, x)))) = 1.

Definition 4 (Adaptive multi-theorem zero-knowledge) A NIZK Π for a relation R

satisfies adaptive multi-theorem zero-knowledge if there exists a PPT simulator Z = (Z0 , Z1 )
such that the following holds:

6
 • Algorithm Z0 outputs ω and a simulation trapdoor ζ.

• For all PPT distinguishers D, we have that

|Pr[DP(ω,(·,·)) (ω) = 1 : ω ← I(1λ )] − Pr[DO(ζ,(·,·)) (ω) = 1 : (ω, ζ) ← Z0 (1λ )]|

≤ negl(λ),

where the oracle O(ζ, (·, ·)) takes as input a pair (y, x) and returns Z1 (ζ, y) if (y, x) ∈ R
(and otherwise ⊥).

We note that “adaptive multi-theorem zero knowledge” says that honest proofs do not
reveal anything beyond the fact that y ∈ L.

Definition 5 (Knowledge soundness) A NIZK Π for a relation R satisfies knowledge

soundness if there exists a PPT extractor K = (K0 , K1 ) such that the following holds:

• Algorithm K0 outputs ω and an extraction trapdoor ζ, such that the distribution of ω

is computationally indistinguishable to that of I(1λ ).

• For all PPT adversaries A, we have that

Pr[V(ω, (y, π)) = 1 ∧ (y, x) ∈

/ R : (ω, ζ) ← K0 (1λ ), (y, π) ← A(ω), x ← K1 (ζ, (y, π)]
≤ negl(λ).

We note that “knowledge soundness” says that every adversary creating a valid proof for
some statement, must know the corresponding witness.

3 Definition of Matchmaking Encryption

An ME consists of the following polynomial-time algorithms:

• Setup(1λ ): On input of the security parameter, this algorithm outputs the master
public key mpk, the master policy key kpol, and the master private key msk. We
implicitly assume that all other algorithms take mpk as input.

• SKGen(msk, σ): On input of the master private key msk and attributes σ ∈ {0, 1}∗ ,
this algorithm outputs an encryption key ekσ for attributes σ.

• RKGen(msk, ρ): On input of the master private key msk and attributes ρ ∈ {0, 1}∗ ,
this algorithm outputs a decryption key dkρ for attributes ρ.

• PolGen(kpol, S): On input of the master policy key kpol and a policy S : {0, 1}∗ →
{0, 1} represented as a circuit, this algorithm outputs a decryption key dkS for the
policy S.

• Enc(ekσ , R, m): On input of an encryption key ekσ for attributes σ ∈ {0, 1}∗ , a policy
(circuit) R : {0, 1}∗ → {0, 1} represented as a circuit, and a message m ∈ M, this
algorithm outputs a ciphertext c linked to both σ and R.

7
 • Dec(dkρ , dkS , c): On input of a decryption key dkρ for attributes ρ ∈ {0, 1}∗ , a de-
cryption key dkS for a policy (circuit) S : {0, 1}∗ → {0, 1}, and a ciphertext c, this
algorithm outputs either a message m or ⊥ (denoting an error).

Correctness. An ME with message space M is correct if ∀λ ∈ N, ∀m ∈ M, ∀σ, ρ ∈

{0, 1}∗ , ∀R, S : {0, 1}∗ → {0, 1} and (mpk, kpol, msk) ← Setup(1λ ), the following holds:

Pr[Dec(dkρ , dkS , Enc(ekσ , R, m)) = m] ≥ 1 − negl(λ),

whenever S(σ) = 1 and R(ρ) = 1, and otherwise

Pr[Dec(dkρ , dkS , Enc(ekσ , R, m)) = ⊥] ≥ 1 − negl(λ),

where ekσ ← SKGen(msk, σ), dkρ ← RKGen(msk, ρ) and dkS ← PolGen(kpol, S).

Definition 6 (Privacy of ME) We say that an ME Π satisfies privacy if for all valid
PPT adversaries A:
1
|Pr[Gpriv
Π,A (λ)] − | ≤ negl(λ),
2
where game GprivΠ,A is depicted in Tab. 1. Adversary A is called valid if ∀ρ ∈ QO2 , ∀S ∈ QO3
it satisfies the following invariant:

• (Mismatch condition). Either

(R0 (ρ) = R1 (ρ) = 0) ∨ (S(σ0 ) = S(σ1 ) = 0)∨

(R0 (ρ) = S(σ1 ) = 0) ∨ (R1 (ρ) = S(σ0 ) = 0); (1)

• (Match condition). Or (if ∃ρ̂ ∈ QO2 , Ŝ ∈ QO3 s.t. Eq. (1) does not hold)

(m0 = m1 ) ∧ (R0 (ρ) = R1 (ρ)) ∧ (S(σ0 ) = S(σ1 )). (2)

Definition 7 (Authenticity of ME) We say that an ME Π satisfies authenticity if for

all PPT adversaries A:
|Pr[Gauth
Π,A (λ)] = 1| ≤ negl(λ),

where game Gauth

Π,A is depicted in Tab. 1.

Definition 8 (Secure ME) We say that an ME Π is secure, if Π satisfies privacy and

authenticity.

4 Our Constructions
4.1 First Construction
Let FE1 = (Setup1 , KGen1 , Enc1 , Dec1 ), FE2 = (Setup2 , KGen2 , Enc2 , Dec2 ), SS =
(KGenSS , SignSS , VerSS ), Fk (·) and NIZK = (I, P, V) be respectively two FE schemes for
the deterministic functionalities f 1 and f 2 , a signature scheme, a PRF, and a NIZK proof
system for the NP relation R1 , where the functionalities f 1 , f 2 and the NP relation R1 are
defined as follows:

8
Table 1: Games defining privacy and authenticity of ME. Oracles O1 , O2 , O3 are implement-
ed by SKGen(msk, ·), RKGen(msk, ·), PolGen(kpol, ·).

Gpriv
Π,A (λ): Gauth
Π,A (λ):
(mpk, kpol, msk) ← Setup(1λ ) (mpk, kpol, msk) ← Setup(1λ )
(m0 , m1 , R0 , R1 , σ0 , σ1 , α) ← AO
1
1 ,O2 ,O3
(1λ , mpk) (c, ρ, S) ← AO1 ,O2 ,O3 (1λ , mpk)
b ∈ {0, 1} is picked randomly dkρ ← RKGen(msk, ρ)
ekσb ← SKGen(msk, σb ) dkS ← PolGen(kpol, S)
c ← Enc(ekσb , Rb , mb ) m = Dec(dkρ , dkS , c)
b′ ← AO 2
1 ,O2 ,O3
(1λ , c, α) If ∀σ ∈ QO1 : (S(σ) = 0) ∧ (m ̸= ⊥)
If b = b′ return 1 return 1
Else return 0 Else return 0

{
Enc2 (mpk2 , (r1 , r1 , m, σ); r), R(ρ) = 1
1
f(ρ,mpk 2)
(m, R, σ, k1 , k2 , k) =
Enc2 (mpk2 , (r1 , r2 , m, σ); r), otherwise,
where r = Fk (ρ), r1 = Fk1 (ρ) and r2 = Fk2 (ρ),
{
m, if r1 = r2 ∧ S(σ) = 1
fS2 (r1 , r2 , m, σ) =
⊥, otherwise,

and
 
 ∃m, R, k1 , k2 , k s.t. 
R1 = (pk, c, mpk1 ), (σ, s) : c = Enc1 (mpk1 , (m, R, σ, k1 , k2 , k))∧ .
 
VerSS (pk, s, σ) = 1
We construct an ME in the following way:

• Setup(1λ ): This algorithm computes ω ← I(1λ ), (mpk1 , msk1 ) ← Setup1 (1λ ), (mpk2 ,
msk2 ) ← Setup2 (1λ ) and (pk, sk) ← KGenSS (1λ ). Then, it outputs the master key
msk = (msk1 , sk), the master policy key kpol = msk2 and the master public key

mpk = (mpk1 , mpk2 , ω, pk).

• SKGen(msk, σ): Let msk = (msk1 , sk) and σ ∈ {0, 1}∗ . This algorithm returns the
encryption key ekσ = (σ, s), where s ← SignSS (sk, σ).

• RKGen(msk, ρ): Let msk = (msk1 , sk) and ρ ∈ {0, 1}∗ . This algorithm computes
the decryption key
sk(ρ,mpk2 ) ← KGen1 (msk1 , (ρ, mpk2 )).
Then, it outputs the decryption key dkρ = sk(ρ,mpk2 ) .

• PolGen(kpol, S): Let kpol = msk2 and S be a policy represented as a circuit. This

9
 algorithm computes the decryption key

skS ← KGen2 (msk2 , S).

Then, it outputs the decryption key dkS = skS .

• Enc(ekσ , R, m): Let ekσ = (σ, s), R be a policy represented as a circuit and m a
message. This algorithm first selects random numbers k1 , k2 , k ∈ {0, 1}λ , and then
outputs the ciphertext ĉ = (c, π) by computing

c ← Enc1 (mpk1 , (m, R, σ, k1 , k2 , k)),

π ← P(ω, (pk, c, mpk1 ), (σ, s)).

• Dec(dkρ , dkS , ĉ): Let dkρ = sk(ρ,mpk2 ) , dkS = skS , and ĉ = (c, π) be a ciphertext.
This algorithm first checks whether V(ω, (pk, c, mpk1 ), π) = 1. If it is not the case, it
returns ⊥; otherwise, it returns Dec2 (skS , Dec1 (sk(ρ,mpk2 ) , c)).

Correctness of the scheme follows directly by the correctness of the underlying primitives.

Theorem 1 Let FE1 , FE2 , F and NIZK be as above. If FE1 is (q1 , 1, q2 )-SIM-secure, FE2
is (q1′ , q1 , q2′ )-SIM-secure, F is a (t, ϵ)-PRF, and NIZK satisfies adaptive multi-theorem zero
knowledge, then our construction is (q1 , q1′ , q2 , q2′ )-privacy.

Proof. Similarly to the proof in [2], we also use a hybrid argument by considering the
following hybrid experiments:

• Hyb0 (λ): This is exactly the experiment Gpriv

Π,A (λ).

• Hyb1 (λ): Same as Hyb0 , except that the challenger uses the zero-knowledge simu-
lator Z = (Z0 , Z1 ) to generate the CRS ω and the proof π contained in the challenge
ciphertext. At the beginning of the experiment, the challenger computes (ω, ζ) ←
Z0 (1λ ). Upon receiving the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 ) from A1 , the chal-
lenger picks a random bit b ∈ {0, 1} and random numbers k1 , k2 , k ∈ {0, 1}λ , and
then computes c ← Enc1 (mpk1 , (mb , Rb , σb , k1 , k2 , k)) and π ← Z1 (ζ, (pk, c, mpk1 )).
Finally, it sets the challenge ciphertext to ĉ = (c, π).

• Hyb2 (λ): Same as Hyb1 , except that Fk (ρ), Fk1 (ρ) and Fk2 (ρ) used in f 1 are re-
placed with R(ρ), R′ (ρ) and R′′ (ρ) respectively, where R, R′ and R′′ are truly random
functions.

• Hyb3 (λ): Same as Hyb2 , except that the challenger uses the simulator S 1 = (S11 , S21 ,
S31 , S41 ) to generate mpk1 and answer the queries submitted to the oracle RKGen.
Formally, the challenger computes (mpk1 , α1 ) ← S11 (1λ ) to generate the master public
key of FE1 , and uses S21 (α1 , ·) and S41 (α1 , ·) to answer the queries submitted to RKGen
by A1 and A2 . Upon receiving the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 ) from A1 , the
challenger picks a random bit b ∈ {0, 1} and performs as follows: For ∀ρi ∈ Q1RKGen ,
the challenger computes:

– c′i ← Enc2 (mpk2 , (R′ (ρi ), R′ (ρi ), mb , σb ); R(ρi )) if Rb (ρi ) = 1.

– c′i ← Enc2 (mpk2 , (R′ (ρi ), R′′ (ρi ), mb , σb ); R(ρi )) if Rb (ρi ) = 0.

10
 Finally, it returns the challenge ciphertext ĉ = (c, π), where c ← S31 (α1 , {c′i }i∈[q1 ] ) and
π ← Z1 (ζ, (pk, c, mpk1 )).

• Hyb4 (λ): Same as Hyb3 , except that the challenger uses the simulator S 2 = (S12 , S22 ,
S32 , S42 ) to generate mpk2 and answer the queries submitted to the oracle PolGen.
Formally, the challenger computes (mpk2 , α2 ) ← S12 (1λ ) to generate the master public
key of FE2 , and uses S22 (α2 , ·) and S42 (α2 , ·) to answer the queries submitted to PolGen
by A1 and A2 . Upon receiving the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 ) from A1 , the
challenger picks a random bit b ∈ {0, 1} and performs as follows: For ∀ρi ∈ Q1RKGen ,
∀Sj ∈ Q1PolGen , the challenger computes:

– yi,j = ⊥ if Rb (ρi ) = 0 ∨ Sj (σb ) = 0,

– yi,j = mb if Rb (ρi ) = 1 ∧ Sj (σb ) = 1.

Then, the challenger returns ĉ = (c, π) as the challenge ciphertext, where c′i ←
S32 (α2 , {yi,j }j∈[q1′ ] ) (for ∀i ∈ [q1 ]), c ← S31 (α1 , {c′i }i∈[q1 ] ) and π ← Z1 (ζ, (pk, c, mpk1 )).

Lemma 1 {Hyb0 (λ)}λ∈N ≈c {Hyb1 (λ)}λ∈N .

Proof. The proof is down to the adaptive multi-theorem zero-knowledge property of

NIZK. We omit the reduction here since it is standard.

Lemma 2 {Hyb1 (λ)}λ∈N ≈c {Hyb2 (λ)}λ∈N .

Proof. The proof is down to the security property of PRF. We omit the reduction here
since it is standard as well.

Lemma 3 {Hyb2 (λ)}λ∈N ≈c {Hyb3 (λ)}λ∈N .

Proof. We suppose that there exists an adversary A which distinguishes between Hyb2 (λ)
and Hyb3 (λ) with non-negligible (in λ) probability. We create an algorithm B which
distinguishes between REALF E1 ,B (λ) and IDEALF E1 ,B (λ) with the same probability.

1. B first receives the challenge master public key mpk1∗ . Then, it computes (ω, ζ) ←
Z0 (1λ ), (mpk2 , msk2 ) ← Setup2 (1λ ) and (pk, sk) ← KGenSS (1λ ). Finally, B sends
mpk = (mpk1∗ , mpk2 , ω, pk) to A.

2. B answers oracle queries in the following way:

(a) Upon input σ for SKGen, compute s = SignSS (sk, σ) and return ekσ = (σ, s).
(b) Upon input ρ for RKGen, send (ρ, mpk2 ) to the key generation oracle O1F E1 and
return the corresponding output.
(c) Upon input S for PolGen, return KGen2 (msk2 , S).

3. Upon receiving the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 ) from A, B sends m∗b =

(mb , Rb , σb , k1 , k2 , k) to the challenger, where b ∈ {0, 1} and k1 , k2 , k ∈ {0, 1}λ are
picked randomly. Finally, it receives c from the challenger as the challenge ciphertext
of FE1 .

4. Return ĉ = (c, π) as the challenge ciphertext, where π ← Z1 (ζ, (pk, c, mpk1∗ )).

11
 5. Answer the incoming queries as in step 2.

6. Finally, B outputs whatever A outputs.

Note that, A submits q1 and q2 queries to RKGen (because, it is playing an hybrid version
of game (q1 , q1′ , q2 , q2′ )-privacy), which implies that B is a valid adversary for (q1 , 1, q2 )-SIM
security game. Moreover, if B is playing REALF E1 ,B (λ) and IDEALF E1 ,B (λ) respectively,
then the reduction perfectly simulates games Hyb2 (λ) and Hyb3 (λ). This is because, in
the experiment IDEALF E1 ,B (λ), B answers to the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 )
with ĉ = (c, π), where π is the NIZK proof simulated by Z1 (ζ, (pk, c, mpk1∗ )), c is the output
of S31 (α1 , {c′i }i∈[q1 ] ) and {c′i }i∈[q1 ] are distributed exactly as in Hyb3 (λ). Additionally, mpk1∗
is generated by S11 and the outputs of oracle RKGen are simulated using S21 and S41 , as it
happens in Hyb3 (λ). On the other hand, in the experiment REALF E1 ,B (λ), B answers
using the real FE1 algorithms. This concludes the proof.

Lemma 4 {Hyb3 (λ)}λ∈N ≈c {Hyb4 (λ)}λ∈N .

Proof. We suppose that there exists an adversary A which distinguishes between Hyb3 (λ)
and Hyb4 (λ) with non-negligible (in λ) probability. We create an algorithm B which
distinguishes between REALF E2 ,B (λ) and IDEALF E2 ,B (λ) with the same probability.

1. B first receives the challenge master public key mpk2∗ . Then, it computes (ω, ζ) ←
Z0 (1λ ), (mpk1 , α1 ) ← S11 (1λ ) and (pk, sk) ← KGenSS (1λ ). Finally, B sends mpk =
(mpk1 , mpk2∗ , ω, pk) to A.

2. B answers oracle queries in the following way:

(a) Upon input σ for SKGen, compute s = SignSS (sk, σ) and return ekσ = (σ, s).
(b) Upon input ρ for RKGen, answer with S21 (α1 , (ρ, mpk2∗ )).
(c) Upon input S for PolGen, send S to the key generation oracle O1F E2 and return
the corresponding output.

3. Upon receiving the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 ) from A, B picks a random

bit b ∈ {0, 1} and performs as follows: ∀ρi ∈ Q1RKGen , set m∗i = (R′ (ρi ), R′ (ρi ), mb , σb )
if R(ρi ) = 1; otherwise, set m∗i = (R′ (ρi ), R′′ (ρi ), mb , σb ).

4. B sends {m∗i }i∈[q1 ] to the challenger.

5. Upon receiving the corresponding ciphertexts {c∗i }i∈[q1 ] from the challenger, B returns
ĉ = (c, π) as the challenge ciphertext for A, where c ← S31 (α1 , {c∗i }i∈[q1 ] ) and π ←
Z1 (ζ, (pk, c, mpk1 )).

6. Answer the incoming queries as in step 2.

7. Finally, B outputs whatever A outputs.

Note that, A submits q1′ and q2′ queries to PolGen (q1′ before seeing the challenge ci-
phertext and q2′ afterwards), which implies that B is a valid adversary for (q1′ , q1 , q2′ )-SIM
security game. Thus, a similar analysis as in the proof of Lemma 3 allows us to conclude
that Hyb3 (λ) and Hyb4 (λ) are computationally indistinguishable.

12
 Now, we conclude that Hyb4 (λ, 0) ≡ Hyb4 (λ, 1), where Hyb4 (λ, 0) (resp. Hyb4 (λ, 1))
denotes the hybrid game Hyb4 (λ) conditioned on the challenge bit b = 0 (resp. b = 1).
Note that, A is valid because either for ∀ρi ∈ Q1RKGen , ∀Sj ∈ Q1PolGen , Eq. (1) is satisfied, or
there exists ρ̂i ∈ Q1RKGen , Ŝj ∈ Q1PolGen such that Eq. (1) is not satisfied. Note also that the
only dependency on the bit b in hybrid Hyb4 (λ, b) comes from the definitions of the values
yi,j . Moreover, we stress here that r1 = r2 implies that Rb (ρi ) = 1, and r1 ̸= r2 implies that
Rb (ρi ) = 0 in the functionality fS2 . We observe that:

• Both Hyb4 (λ, 0) and Hyb4 (λ, 1) set yi,j = m0 = m1 since it holds that R1−b (ρi ) =
1 ∧ Sj (σ1−b ) = 1 and m0 = m1 whenever Rb (ρi ) = 1 ∧ Sj (σb ) = 1.
• Both Hyb4 (λ, 0) and Hyb4 (λ, 1) set yi,j = ⊥ since it holds that R1−b (ρi ) = 0 ∨
Sj (σ1−b ) = 0 whenever Rb (ρi ) = 0 ∨ Sj (σb ) = 0;

We conclude that our construction satisfies (q1 , q1′ , q2 , q2′ )-privacy by combining the above
lemmas since Hyb4 (λ, 0) ≡ Hyb4 (λ, 1).

Theorem 2 Let SS and NIZK be as above. If SS is EUF-CMA and NIZK has knowledge
soundness, then our first construction satisfies authenticity.

Proof. Similarly to the proof in [2], we suppose that there exists an adversary A that has
Π,A (λ). We create an algorithm B to break unforgeability
a non-negligible advantage in Gauth
of SS by performing the following steps:
1. B receives the challenge public key pk ∗ from the challenger.
2. B computes (mpk1 , msk1 ) ← Setup1 (1λ ), (mpk2 , msk2 ) ← Setup2 (1λ ) and (ω, ζ) ←
K0 (1λ ), and then sends mpk = (mpk1 , mpk2 , ω, pk ∗ ) to A.
3. B answers oracle queries in the following way:
(a) Upon input σ for SKGen, forward the query to oracle Sign obtaining s as the
answer, and return (σ, s).
(b) Upon input ρ for RKGen, return the decryption key dkρ ← KGen1 (msk1 , (ρ, mpk2 )).
(c) Upon input S for PolGen, return the decryption key dkS ← KGen2 (msk2 , S).
4. Upon receiving the forgery (ĉ∗ , ρ∗ , S∗ ) from A, where ĉ∗ = (c∗ , π ∗ ), B computes dkρ∗ ←
KGen1 (msk1 , (ρ∗ , mpk2 )) and dkS∗ ← KGen2 (msk2 , S∗ ). If either V(ω, (pk ∗ , c∗ , mpk1 ),
π ∗ ) = 0 or Dec2 (dkS∗ , Dec1 (dkρ∗ , c∗ )) = ⊥, it aborts; otherwise, B returns (σ ∗ , s∗ ) ←
K1 (ζ, ((pk ∗ , c∗ , mpk1 ), π ∗ )) as forgery to the challenger.
Now, we show that the simulation is perfect, except with negligible probability. Note
that, conditioned on (pk ∗ , mpk1 , msk1 , mpk2 , msk2 , ω), A’s oracle queries are perfectly sim-
ulated by B for ∀σ, ρ ∈ {0, 1}∗ and ∀S : {0, 1}∗ → {0, 1}, and the only difference is that
ω is computed by K0 in the reduction, but this distribution is computationally close to
that of an honestly generated CRS. Therefore, the ciphertext ĉ∗ = (c∗ , π ∗ ) returned by A is
valid with non-negligible probability, which implies that the proof π ∗ verifies correctly, and
moreover Dec2 (dkS∗ , Dec1 (dkρ∗ , c∗ )) ̸= ⊥ (so c∗ is also a valid ciphertext).
By knowledge soundness of the NIZK proof, except with negligible probability, we have
((pk ∗ , c∗ , mpk1 ), (σ ∗ , s∗ )) ∈ R1 , which implies that s∗ is a valid signature on σ ∗ with respect
to the challenge public key pk ∗ . Finally, S∗ (σ) = 0 in Gauth Π,A (λ) for ∀σ ∈ QSKGen , which
implies that σ ∈ ∗ / QSign , and B wins with non-negligible probability.

13
4.2 Second Construction
Let FE1 = (Setup1 , KGen1 , Enc1 , Dec1 ), FE2 = (Setup2 , KGen2 , Enc2 , Dec2 ), SS =
(KGenSS , SignSS , VerSS ), Fk (·) and NIZK = (I, P, V) be respectively two FE schemes for
the deterministic functionalities f 1 and f 2 , a signature scheme, a PRF, and a NIZK proof
system for the NP relation R2 , where the functionalities f 1 , f 2 and the NP relation R2 are
defined as follows:

1
f(ρ,mpk 2)
(m, R, σ, k) = Enc2 (mpk2 , (m, R, σ, ρ); Fk (ρ)),

{
m, if R(ρ) = 1 ∧ S(σ) = 1,
fS2 (m, R, σ, ρ) =
⊥, otherwise.

and
 
 ∃m, R, k s.t. 
R2 = (pk, c, mpk1 ), (σ, s) : c = Enc1 (mpk1 , (m, R, σ, k))∧ .
 
VerSS (pk, s, σ) = 1
We construct an ME in the following way:

• Setup(1λ ): This algorithm computes ω ← I(1λ ), (mpk1 , msk1 ) ← Setup1 (1λ ), (mpk2 ,
msk2 ) ← Setup2 (1λ ) and (pk, sk) ← KGenSS (1λ ). Then, it outputs the master key
msk = (msk1 , sk), the master policy key kpol = msk2 and the master public key

mpk = (mpk1 , mpk2 , ω, pk).

• SKGen(msk, σ): Let msk = (msk1 , sk) and σ ∈ {0, 1}∗ . This algorithm returns the
encryption key ekσ = (σ, s), where s ← SignSS (sk, σ).

• RKGen(msk, ρ): Let msk = (msk1 , sk) and ρ ∈ {0, 1}∗ . This algorithm computes
the decryption key
sk(ρ,mpk2 ) ← KGen1 (msk1 , (ρ, mpk2 )).
Then, it outputs the decryption key dkρ = sk(ρ,mpk2 ) .

• PolGen(kpol, S): Let kpol = msk2 and S be a policy represented as a circuit. This
algorithm computes the decryption key

skS ← KGen2 (msk2 , S).

Then, it outputs the decryption key dkS = skS .

• Enc(ekσ , R, m): Let ekσ = (σ, s), R be a policy represented as a circuit and m a
message. This algorithm first selects a random number k ∈ {0, 1}λ , and then outputs
the ciphertext ĉ = (c, π) by computing

c ← Enc1 (mpk1 , (m, R, σ, k)),

π ← P(ω, (pk, c, mpk1 ), (σ, s)).

14
 • Dec(dkρ , dkS , ĉ): Let dkρ = sk(ρ,mpk2 ) , dkS = skS , and ĉ = (c, π) be a ciphertext.
This algorithm first checks whether V(ω, (pk, c, mpk1 ), π) = 1. If it is not the case, it
returns ⊥; otherwise, it returns Dec2 (skS , Dec1 (sk(ρ,mpk2 ) , c)).

Correctness of the scheme follows directly by the correctness of the underlying primitives.

Theorem 3 Let FE1 , FE2 , F and NIZK be as above. If FE1 is (q1 , 1, q2 )-SIM-secure, FE2
is (q1′ , q1 , q2′ )-SIM-secure, F is a (t, ϵ)-PRF, and NIZK satisfies adaptive multi-theorem zero
knowledge, then our construction is (q1 , q1′ , q2 , q2′ )-privacy.

Proof. Similarly to the proof in [2], we use a hybrid argument by considering the following
hybrid experiments:

• Hyb0 (λ): This is exactly the experiment Gpriv

Π,A (λ).

• Hyb1 (λ): Same as Hyb0 , except that the challenger uses the zero-knowledge simu-
lator Z = (Z0 , Z1 ) to generate the CRS ω and the proof π contained in the challenge
ciphertext. At the beginning of the experiment, the challenger computes (ω, ζ) ←
Z0 (1λ ). Upon receiving the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 ) from A1 , the chal-
lenger picks a random bit b ∈ {0, 1} and a random number k ∈ {0, 1}λ , and then
computes c ← Enc1 (mpk1 , (mb , Rb , σb , k)) and π ← Z1 (ζ, (pk, c, mpk1 )). Finally, it
sets the challenge ciphertext to ĉ = (c, π).

• Hyb2 (λ): Same as Hyb1 , except that Fk (ρ) used in f 1 is replaced with R(ρ), where
R is a truly random function.

• Hyb3 (λ): Same as Hyb2 , except that the challenger uses the simulator S 1 = (S11 , S21 ,
S31 , S41 ) to generate mpk1 and answer the queries submitted to the oracle RKGen.
Formally, the challenger computes (mpk1 , α1 ) ← S11 (1λ ) to generate the master public
key of FE1 , and uses S21 (α1 , ·) and S41 (α1 , ·) to answer the queries submitted to RKGen
by A1 and A2 . Upon receiving the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 ) from A1 , the
challenger picks a random bit b ∈ {0, 1} and performs as follows: For ∀ρi ∈ Q1RKGen ,
compute c′i ← Enc2 (mpk2 , (mb , Rb , σb , ρi ); ri ), where ri ← R(ρi ).
Finally, it returns the challenge ciphertext ĉ = (c, π), where c ← S31 (α1 , {c′i }i∈[q1 ] ) and
π ← Z1 (ζ, (pk, c, mpk1 )).

• Hyb4 (λ): Same as Hyb3 , except that the challenger uses the simulator S 2 = (S12 , S22 ,
S32 , S42 ) to generate mpk2 and answer the queries submitted to the oracle PolGen.
Formally, the challenger computes (mpk2 , α2 ) ← S12 (1λ ) to generate the master public
key of FE2 , and uses S22 (α2 , ·) and S42 (α2 , ·) to answer the queries submitted to PolGen
by A1 and A2 . Upon receiving the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 ) from A1 , the
challenger picks a random bit b ∈ {0, 1} and performs as follows: For ∀ρi ∈ Q1RKGen ,
∀Sj ∈ Q1PolGen , the challenger computes

– yi,j = ⊥ if Rb (ρi ) = 0 ∨ Sj (σb ) = 0,

– yi,j = mb if Rb (ρi ) = 1 ∧ Sj (σb ) = 1.

Then, the challenger returns ĉ = (c, π) as the challenge ciphertext, where c′i ←
S32 (α2 , {yi,j }j∈[q1′ ] ) (for ∀i ∈ [q1 ]), c ← S31 (α1 , {c′i }i∈[q1 ] ) and π ← Z1 (ζ, (pk, c, mpk1 )).

15
Lemma 5 {Hyb0 (λ)}λ∈N ≈c {Hyb1 (λ)}λ∈N .

Proof. The proof is down to the adaptive multi-theorem zero-knowledge property of

NIZK. We omit the reduction here since it is standard.

Lemma 6 {Hyb1 (λ)}λ∈N ≈c {Hyb2 (λ)}λ∈N .

Proof. The proof is down to the security property of PRF. We omit the reduction here
since it is standard as well.

Lemma 7 {Hyb2 (λ)}λ∈N ≈c {Hyb3 (λ)}λ∈N .

Proof. We suppose that there exists an adversary A which distinguishes between Hyb2 (λ)
and Hyb3 (λ) with non-negligible (in λ) probability. We create an algorithm B which
distinguishes between REALF E1 ,B (λ) and IDEALF E1 ,B (λ) with the same probability.

1. B first receives the challenge master public key mpk1∗ . Then, it computes (ω, ζ) ←
Z0 (1λ ), (mpk2 , msk2 ) ← Setup2 (1λ ) and (pk, sk) ← KGenSS (1λ ). Finally, B sends
mpk = (mpk1∗ , mpk2 , ω, pk) to A.

2. B answers oracle queries in the following way:

(a) Upon input σ for SKGen, compute s = SignSS (sk, σ) and return ekσ = (σ, s).
(b) Upon input ρ for RKGen, send (ρ, mpk2 ) to the key generation oracle O1F E1 and
return the corresponding output.
(c) Upon input S for PolGen, return KGen2 (msk2 , S).

3. Upon receiving the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 ) from A, B sends m∗b =

(mb , Rb , σb , k) to the challenger, where b ∈ {0, 1} and k ∈ {0, 1}λ are picked randomly.
Finally, it receives c from the challenger as the challenge ciphertext of FE1 .

4. Return ĉ = (c, π) as the challenge ciphertext, where π ← Z1 (ζ, (pk, c, mpk1∗ )).

5. Answer the incoming queries as in step 2.

6. Finally, B outputs whatever A outputs.

Note that, A submits q1 and q2 queries to RKGen (because, it is playing an hybrid version
of game (q1 , q1′ , q2 , q2′ )-privacy), which implies that B is a valid adversary for (q1 , 1, q2 )-SIM
security game. Moreover, if B is playing REALF E1 ,B (λ) and IDEALF E1 ,B (λ) respectively,
then the reduction perfectly simulates games Hyb2 (λ) and Hyb3 (λ). This is because, in
the experiment IDEALF E1 ,B (λ), B answers to the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 )
with ĉ = (c, π), where π is the NIZK proof simulated by Z1 (ζ, (pk, c, mpk1∗ )), c is the output
of S31 (α1 , {c′i }i∈[q1 ] ) and {c′i }i∈[q1 ] are distributed exactly as in Hyb3 (λ). Additionally, mpk1∗
is generated by S11 and the outputs of oracle RKGen are simulated using S21 and S41 , as it
happens in Hyb3 (λ). On the other hand, in the experiment REALF E1 ,B (λ), B answers
using the real FE1 algorithms. This concludes the proof.

Lemma 8 {Hyb3 (λ)}λ∈N ≈c {Hyb4 (λ)}λ∈N .

16
Proof. We suppose that there exists an adversary A that distinguishes between Hyb3 (λ)
and Hyb4 (λ) with non-negligible (in λ) probability. We create an algorithm B which
distinguishes between REALF E2 ,B (λ) and IDEALF E2 ,B (λ) with the same probability.

1. B first receives the challenge master public key mpk2∗ . Then, it computes (ω, ζ) ←
Z0 (1λ ), (mpk1 , α1 ) ← S11 (1λ ) and (pk, sk) ← KGenSS (1λ ). Finally, B sends mpk =
(mpk1 , mpk2∗ , ω, pk) to A.

2. B answers oracle queries in the following way:

(a) Upon input σ for SKGen, compute s = SignSS (sk, σ) and return ekσ = (σ, s).
(b) Upon input ρ for RKGen, answer with S21 (α1 , (ρ, mpk2∗ )).
(c) Upon input S for PolGen, send S to the key generation oracle O1F E2 and return
the corresponding output.

3. Upon receiving the challenge tuple (m0 , m1 , R0 , R1 , σ0 , σ1 ) from A, B picks a random

bit b ∈ {0, 1} and performs as follows: ∀ρi ∈ Q1RKGen , set m∗i = (mb , Rb , σb , ρi ).

4. B sends {m∗i }i∈[q1 ] to the challenger.

5. Upon receiving the corresponding ciphertexts {c∗i }i∈[q1 ] from the challenger, B re-
turns ĉ = (c, π) as the challenge ciphertext, where c ← S31 (α1 , {c∗i }i∈[q1 ] ) and π ←
Z1 (ζ, (pk, c, mpk1 )).

6. Answer the incoming queries as in step 2.

7. Finally, B outputs whatever A outputs.

Note that, A submits q1′ and q2′ queries to PolGen (q1′ before seeing the challenge ci-
phertext and q2′ afterwards), which implies that B is a valid adversary for (q1′ , q1 , q2′ )-SIM
security game. Thus, a similar analysis as in the proof of Lemma 7 allows us to conclude
that Hyb3 (λ) and Hyb4 (λ) are computationally indistinguishable. 2
Now, we conclude that Hyb4 (λ, 0) ≡ Hyb4 (λ, 1), where Hyb4 (λ, 0) (resp. Hyb4 (λ, 1))
denotes the hybrid game Hyb4 (λ) conditioned on the challenge bit b = 0 (resp. b = 1).
Note that, A is valid because either for ∀ρi ∈ Q1RKGen , ∀Sj ∈ Q1PolGen , Eq. (1) is satisfied,
or there exists ρ̂i ∈ Q1RKGen , Ŝj ∈ Q1PolGen such that Eq. (1) is not satisfied. Note also that
the only dependency on the bit b in hybrid Hyb4 (λ, b) comes from the definitions of the
values yi,j . We observe that:

• Both Hyb4 (λ, 0) and Hyb4 (λ, 1) set yi,j = m0 = m1 since it holds that R1−b (ρi ) =
1 ∧ Sj (σ1−b ) = 1 and m0 = m1 whenever Rb (ρi ) = 1 ∧ Sj (σb ) = 1.

• Both Hyb4 (λ, 0) and Hyb4 (λ, 1) set yi,j = ⊥ since it holds that R1−b (ρi ) = 0 ∨
Sj (σ1−b ) = 0 whenever Rb (ρi ) = 0 ∨ Sj (σb ) = 0;

We conclude that our construction satisfies (q1 , q1′ , q2 , q2′ )-privacy by combining the above
lemmas since Hyb4 (λ, 0) ≡ Hyb4 (λ, 1).

Theorem 4 Let SS and NIZK be as above. If SS is EUF-CMA and NIZK has knowledge
soundness, then our second construction satisfies authenticity.

17
Proof. Similarly to the proof in [2], we suppose that there exists an adversary A that has
Π,A (λ). We create an algorithm B to break unforgeability
a non-negligible advantage in Gauth
of SS by performing the following steps:

1. B receives the challenge public key pk ∗ from the challenger.

2. B computes (mpk1 , msk1 ) ← Setup1 (1λ ), (mpk2 , msk2 ) ← Setup2 (1λ ) and (ω, ζ) ←
K0 (1λ ), and then sends mpk = (mpk1 , mpk2 , ω, pk ∗ ) to A.

3. B answers oracle queries in the following way:

(a) Upon input σ for SKGen, forward the query to oracle Sign obtaining s as the
answer, and return (σ, s).
(b) Upon input ρ for RKGen, return the decryption key dkρ ← KGen1 (msk1 , (ρ, mpk2 )).
(c) Upon input S for PolGen, return the decryption key dkS ← KGen2 (msk2 , S).

4. Upon receiving the forgery (ĉ∗ , ρ∗ , S∗ ) from A, where ĉ∗ = (c∗ , π ∗ ), B computes dkρ∗ ←
KGen1 (msk1 , (ρ∗ , mpk2 )) and dkS∗ ← KGen2 (msk2 , S∗ ). If either V(ω, (pk ∗ , c∗ , mpk1 ),
π ∗ ) = 0 or Dec2 (dkS∗ , Dec1 (dkρ∗ , c∗ )) = ⊥, it aborts; otherwise, B returns (σ ∗ , s∗ ) ←
K1 (ζ, ((pk ∗ , c∗ , mpk1 ), π ∗ )) as forgery to the challenger.

Now, we show that the simulation is perfect, except with negligible probability. Note
that, conditioned on (pk ∗ , mpk1 , msk1 , mpk2 , msk2 , ω), A’s oracle queries are perfectly sim-
ulated by B for ∀σ, ρ ∈ {0, 1}∗ and ∀S : {0, 1}∗ → {0, 1}, and the only difference is that
ω is computed by K0 in the reduction, but this distribution is computationally close to
that of an honestly generated CRS. Therefore, the ciphertext ĉ∗ = (c∗ , π ∗ ) returned by A is
valid with non-negligible probability, which implies that the proof π ∗ verifies correctly, and
moreover Dec2 (dkS∗ , Dec1 (dkρ∗ , c∗ )) ̸= ⊥ (so c∗ is also a valid ciphertext).
By knowledge soundness of the NIZK proof, except with negligible probability, we have
((pk ∗ , c∗ , mpk1 ), (σ ∗ , s∗ )) ∈ R1 , which implies that s∗ is a valid signature on σ ∗ with respect
to the challenge public key pk ∗ . Finally, S∗ (σ) = 0 in Gauth Π,A (λ) for ∀σ ∈ QSKGen , which
implies that σ ∗ ∈ / QSign , and B wins with non-negligible probability.

5 Conclusion
On the theoretical side, we have proposed in this paper a new construction of ME from
FE, which establishes the feasibility of ME supporting arbitrary policies by using FE. That
is, our constructions imply that the privacy of ME can be guaranteed completely by using
FE.

References
[1] Agrawal, S., and Wu, D.J. Functional encryption: Deterministic to randomized functions
from simple assumptions. In EUROCRYPT, pp. 30-61, 2017.

[2] Ateniese, G., Francatiy, D., Nuñezz, D., and Venturix, D. Match Me if You Can: Match-
making Encryption and its Applications. In CRYPTO, pp.701-731, 2019.

18
 [3] Ateniese, G., Kirsch, J., and Blanton, M. Secret handshakes with dynamic and fuzzy
matching. In NDSS, volume 7, pp. 1-19, 2007.

[4] Balfanz, D., Durfee, G., Shankar, N., Smetters, D., Staddon, J., and Wong, H.C.: Secret
handshakes from pairing-based key agreements. In: IEEE S&P, pp. 180-196, 2003.

[5] Bogdanov, A. , and Rosen, A. Pseudorandom Functions: Three Decades Later. Tutorials
on the Foundations of Cryptography. Springer International Publishing. pp. 79-158,
2017.

[6] Boneh, D., Sahai, A., and Waters, B. Functional encryption: Definitions and challenges.
In TCC, pp. 253-273, 2011.

[7] Castelluccia, C., Jarecki, S. l., and Tsudik, G. Secret handshakes from CAoblivious
encryption. In ASIACRYPT, pp. 293-307, 2004.

[8] Fisch, B., Vinayagamurthy, D., Boneh, D., and Gorbunov. S. Iron: Functional encryp-
tion using intel SGX. In CCS, pp. 765-782, 2017.

[9] Goldwasser, S., Gordon, S.D., Goyal, V., Jain, A., Katz, J., Liu, F.-H., Sahai, A., Shi,
E., and Zhou, H.-S. Multi-input functional encryption. In EUROCRYPT, pages 578-602,
2014.

[10] Goyal, V., Jain, A., Koppula, V., and Sahai, A. Functional encryption for randomized
functionalities. In TCC, pp. 325-351, 2015.

[11] Hou, L., Lai, J., and Liu, L. Secret handshakes with dynamic expressive matching
policy. In ACISP, pages 461-476, 2016.

[12] Jarecki, S. l., Kim, J., and Tsudik, G. Authentication for paranoids: Multi-party secret
handshakes. In ACNS, pp. 325-339, 2006.

[13] Jarecki, S. l., and Liu, X. Unlinkable secret handshakes and key-private group key
management schemes. In ACNS, pp. 270-287, 2007.

[14] Sorniotti, A. and Molva, R. Secret handshakes with revocation support. In ICISC, pp.
274-299, 2009.

[15] Sorniotti, A. and Molva, R. A provably secure secret handshake with dynamic con-
trolled matching. Computers & Security, 29(5), pp.619-627, 2010.

[16] Xu, S. and Yung, M. K-anonymous secret handshakes with reusable credentials. In
CCS, pp. 158-167, 2004.

19

View publication stats