Efficient fully CCA-secure predicate encryptions from pair encodings

Attrapadung (Eurocrypt 2014) proposed a generic framework for fully (adaptively) CPA-secure predicate encryption (PE) based on a new primitive, called pair encodings. Following the CCA conversions of Yamada et al. (PKC 2011, 2012) and Nandi et al. (ePrint Archive: 2015/457, AAECC 2018), one can obtain CCA-secure PE from CPA-secure PE if the primitive PE has either verifiability or delegation. These traditional approaches degrade the performance of the resultant CCA-secure PE scheme as compared to the primitive CPA-secure PE. As an alternative, we provide a direct fully secure CCA-construction of PE from the pair encoding scheme. This costs an extra computation of a group element in encryption, three extra pairing computations and one re-randomization of the key in decryption as compared to the CPA-construction of Attrapadung. Recently, Blömer et al. (CT-RSA 2016) proposed a direct CCA-secure construction of predicate encryptions from pair encodings. Although they did not use the aforementioned traditional approaches, a sort of verifiability checking is still involved in the CCA-decryption. The number of pairing computations for this checking is nearly equal to the number of pairing computations in CPA-decryption. Therefore, the performance of our direct CCA-secure PE is far better than that of Blömer et al.


Introduction
Identity-based cryptosystems [43] were introduced to simplify the certificate management process of traditional public key cryptosystems [19,41]. In these cryptosystems, an identity of a user is considered to be the public key. Attribute-based encryption (ABE) [26,31,37] is a generalization of identity-based encryption (IBE) [8,18] and a smart way to provide access control over secrets. In the literature, the access control policies that ABE implements are boolean formulas (access structures), in the form of span programs or access trees. Similar to ABE, there are other classes of encryption available in the literature. Some of the notable classes are (doubly-)spatial encryption ((D-)SE) [10,27], (hierarchical) inner-product encryption ((H)IPE) [36,39], ABE [22,2] for circuits and functional encryption (FE) [47] for regular languages. All the aforementioned encryptions can be viewed as special cases of a unified class, called predicate encryption (PE). To design a predicate encryption scheme, first fix a tuple (∼, X, Y), called a predicate tuple, where X and Y are respectively the key space and the associated data space and ∼ is a predicate or binary relation over X × Y. In this encryption, a key is labeled with an index x ∈ X, called the key-index, and a ciphertext is associated with another index y ∈ Y, called the associated data-index or simply data-index. A user who owns a key for the key-index x can recover the message from a ciphertext encrypted under a data-index y if a relation holds between x and y, i.e., x ∼ y holds. A PE with public index hides only the message, whereas a PE with hidden index conceals both the message and the data-index. However, in this paper, we consider only predicate encryption with public index.
The dual system methodology of Waters [45] is a well-known tool for constructing adaptively secure predicate encryption schemes. But, for some predicates, e.g., regular languages, adaptively secure predicate encryption was not known, even though a selectively secure version was available. Therefore, for those classes of predicates, the dual system technique of Waters [45] was unreachable. Recently, Attrapadung [1] introduced a new primitive, called pair encoding schemes, which are implicitly contained in many predicate encryption schemes. Using the pair encodings, the author proposed a generic framework for adaptively secure predicate encryption, which captures the core technique of the dual system methodology [45]. The author [1] showed that by applying the generic approach on the pair encoding, adaptively CPA-secure PE is possible. The conversion assumes either the perfect security or the computational (doubly-selective) security of the underlying pair encoding scheme. Using this framework, the author constructed the first fully secure predicate encryption schemes for which only selectively secure schemes were known. They instantiated some surprising results, e.g., PE for regular languages, unbounded ABE for large universes, ABE with constant-size ciphertexts, etc.
Motivation: All the predicate encryption schemes of [1,5,48] were shown to be CPA-secure in the adaptive-predicate model. For many practical purposes, the stronger (IND-CCA) security is assumed to be mandatory for the encryption scheme being deployed. Using the techniques [49,50,33,34], the above CPA-secure schemes can be lifted to show the CCA-security. In all these CCA conversions, a sort of index-transformation for the predicate family is applied to the primitive CPA-secure PE scheme for the same family. In addition to the CPA-decryption, the CCA-decryption of the traditional approaches [49,50,33,34] has to perform either delegation or verifiability. But these techniques suffer from two problems: (1) increased lengths of key-indices and data-indices and (2) the extra cost of performing verifiability or delegation. In the literature, most of the predicate encryption schemes are constructed using bilinear pairing groups. If the verifiability-based approach (where delegation is not known) is applied to those schemes, then checking in verifiability requires a number of pairing computations which is nearly equal to the number of pairing computations in the CPA-decryption. Altogether the techniques degrade the performance of CCA-decryption. This leads us to ask the following question: Can a direct CCA-secure PE scheme be constructed from the pair encoding scheme whose performance is very close to that of the CPA-secure construction [1]?
Our Result. We answer the above question affirmatively. That is, we provide a generic construction (see Section 3) of adaptively CCA-secure predicate encryptions from pair encodings. The high level idea is as follows: The CCA-ciphertext of our construction consists of the CPA-ciphertext of [1] and a small tag (a single group element). For generating the tag, first the CPA-ciphertext is hashed using a collision resistant hash function and then the hash value is encoded by a randomness used in the CPA-ciphertext.
The style of tag generation is similar to Boyen et al. [12]. Some other changes are made in the decrypt algorithm to make sure that a malleable ciphertext can be detected and decrypt queries can be handled easily using the dual-system proof technique [45].
It has one extra group element in ciphertext, three extra pairing computations and one re-randomization of key in decryption as compared to the CPA-decryption of [1]. For this construction, we assume two natural restrictions (see Section 2.9) on the underlying pair encoding scheme. All the underlying pair encodings and their dual [1,5,48] satisfy those restrictions. Therefore, we are able to achieve CCA security of all the predicate encryptions found in [1,5,48] at almost the same cost of CPA-construction [1].
Recently, Blömer and Liske [6] proposed a direct CCA-secure construction of predicate encryptions from pair encodings without using the traditional approaches [49,50,33,34]. Their construction preserves the reduction cost of the CPA-construction of [1]. Although they did not use the traditional approaches, a sort of verifiability checking is still involved before the actual CPA-decryption. The number of pairing computations for this checking is nearly equal to the number of pairing computations in CPA-decryption. Therefore, our direct CCA-secure construction of PE has far better performance than [6].
In Table 1, we provide a comparison between the performance of the decrypt algorithm of our construction and that of the construction of Blömer et al. [6]. Before applying the CPA-decrypt of [1], some sort of checking is run in the decrypt algorithm of both constructions. As mentioned earlier, two pairing computations are required before applying CPA-decrypt in our construction. In the decrypt algorithm of Blömer et al., a verifiability check and another check (for the presence of a $G_{p_3}$ component) are required before applying the actual CPA-decrypt, which is very costly. The cost varies depending upon the form of the underlying pair encoding scheme as shown in Table 1. In particular, the pairing cost for the other checking is $\omega_1 + 3$, where $\omega_1$ is the size of the encoding (used in the encrypt algorithm) of the pair encoding scheme. In the table, the symbols "verf" and "other" denote the numbers of pairing computations in verifiability checking and other checking respectively. The notation stands for either the length of the string (for regular languages) or the number of rows of the span program. The symbols $m$ and $|S|$ stand for the number of transitions of a deterministic finite automaton (DFA) and the size of the attribute set $S$ respectively. The symbols $n$ and $d$ are related to the number of common variables in the pair encoding scheme and the number of independent columns in the affine matrix respectively. The notations KP, CP, PES and DSE stand for key-policy, ciphertext-policy, pair encoding scheme and doubly-spatial encryption respectively. Further, the abbreviations ER, RL, LU, SU, SC and UnLU stand for equality relation, regular languages, large universe, small universe, short ciphertexts, and unbounded & large universe respectively. We consider the different pair encoding schemes of [1] in the table to show how much better our construction performs (see the last two columns) than that of Blömer et al.
Related to Pair Encodings.
In addition to fully CPA-secure construction of PE, Attrapadung [1] showed a dual conversion for pair encodings. If the source pair encoding P is perfectly secure, then the dual of P, denoted by D(P) is also perfectly secure encoding. Using this conversion the full security of the dual of a PE, denoted by D(PE), is guaranteed if the underlying pair encoding P has the perfect security. However, there are many PE schemes for which the perfectly secure encodings were not known, so the fully secure realizations of their dual form were unsolved. Later, Attrapadung and Yamada [5] showed that the same dual conversion of [1] actually works for the computationally secure encodings. Concurrently and independently, Wee [48] proposed the notion of predicate encodings which is exactly identical to the perfectly secure pair encodings of [1]. Some of the instantiations in [48] are similar to [1], viz., the ABE for small universe with improved efficiency and doubly-spatial encryption.
A brief survey of predicate encryption is found in Appendix A.

Preliminaries
This section provides the basic notations, composite order bilinear groups, hardness assumptions, the predicate family, and the syntax and security definitions of predicate encryption and pair encodings.

2.1. Notations. For a set $X$, $x \xleftarrow{R} X$ denotes that $x$ is randomly picked from $X$ according to the distribution $R$. Likewise, $x \xleftarrow{U} X$ indicates that $x$ is uniformly selected from $X$. For an algorithm $A$ and variables $x, y$, the notation $x \leftarrow A(y)$ (resp. $A(y) \rightarrow x$) means that when $A$ is run on the input $y$, it outputs $x$. The abbreviation PPT stands for probabilistic polynomial-time. For $a, b \in \mathbb{N}$, define $[a, b] := \{i \in \mathbb{N} : a \le i \le b\}$ and $[b] := [1, b]$.
Throughout this paper, bold characters denote vector objects. For $\mathbf{h} \in \mathbb{Z}_N^n$ and $p \mid N$, we define $\mathbf{h} \bmod p := (h_1 \bmod p, \ldots, h_n \bmod p)$. For a vector $\mathbf{x}$ (resp. $\mathbf{x}_k$), the $i$-th component is denoted by $x_i$ (resp. $x_{ki}$). For $\mathbf{x}, \mathbf{y} \in \mathbb{Z}_N^n$, we define $\langle \mathbf{x}, \mathbf{y} \rangle := \sum_{i=1}^{n} x_i \cdot y_i$. For a matrix $M$, the notations $M^{\top}$ and $M_{ij}$ denote the transpose of $M$ and the entry of $M$ at the $(i, j)$-th position respectively. The notation $M_i$ denotes the $i$-th row of the matrix $M$. For a group $G$ and $n \in \mathbb{N}$, the entries from $G^n$ are assumed to be row vectors.
Let $G$ be a cyclic group of order $N$ with respect to the group operation '$\cdot$'. For $g \in G$ and $\mathbf{h} \in \mathbb{Z}_N^n$, we define $g^{\mathbf{h}} := (g^{h_1}, \ldots, g^{h_n})$. For $X, Y \in G^n$, the notation $X \cdot Y$ stands for the component-wise group operation, i.e., $X \cdot Y := (X_1 \cdot Y_1, \ldots, X_n \cdot Y_n) \in G^n$. For $W \in G^n$ and $E \in \mathbb{Z}_N^{n \times m}$, we define $W^E := z \in G^m$, where $z_i := W_1^{E_{1i}} \cdots W_n^{E_{ni}}$. If $W = g^{\mathbf{w}}$, for $g \in G$ and $\mathbf{w} \in \mathbb{Z}_N^n$, then we can write $W^E = g^{\mathbf{w}E}$. For a matrix A ∈ Z ×ϑ q , we define the linear space Ker(A) := {u ∈ Z q | u A = 0}. For (X, x) ∈ Z ×ϑ q × Z q , an affine space generated by (X, x) is defined by The nullity of a matrix A is defined by Null(A) := the dimension of Ker(A ).

2.2. Composite order bilinear groups. Composite order bilinear groups [9,29] are defined to be a tuple $J := (N := p_1 p_2 p_3, G, G_T, e)$, where $p_1, p_2, p_3$ are three distinct primes, $G$ and $G_T$ are cyclic groups of order $N$, and $e : G \times G \to G_T$ is a map with the following properties:
1. (Bilinear). For all $g, h \in G$ and $\forall s, t \in \mathbb{Z}_p$, $e(g^s, h^t) = e(g, h)^{st}$.
2. (Non-degenerate). There exists an element $g \in G$ such that $e(g, g)$ has order $N$ in $G_T$.
3. (Computable). There is an efficient algorithm for computing $e(g, h)$ for all $g, h \in G$.
Let $\mathcal{G}_{cbg}$ denote an algorithm which takes $1^{\kappa}$ as a security parameter and returns a description of composite order bilinear groups $J = (N = p_1 p_2 p_3, G, G_T, e)$. Composite order bilinear groups enjoy the orthogonal property defined below.
Definition 2.1 (Orthogonal Property). Let $G_{p_1}$, $G_{p_2}$ and $G_{p_3}$ denote the subgroups of $G$ of order $p_1$, $p_2$ and $p_3$ respectively. The subgroups $G_{p_1}$, $G_{p_2}$ and $G_{p_3}$ are said to have the orthogonal property if for all $h_i \in G_{p_i}$ and $h_j \in G_{p_j}$ with $i, j \in \{1, 2, 3\}$ and $i \neq j$, it holds that $e(h_i, h_j) = 1$.
Additional Notations. Let $1_G$ and $1$ denote the identity elements of $G$ and $G_T$ respectively. For $X, Y \in G^n$, we define $e(X, Y) := \prod_{i=1}^{n} e(X_i, Y_i)$. For three distinct primes, p 1 , p 2 and p 3 , a cyclic group G of order N = p 1 p 2 p 3 , can be written . . , Y n Gp i ). Let $g_T$ stand for the element $e(g, g)$, where $g \in G_{p_1}$.

2.3. Hardness assumptions in composite order bilinear groups. We describe here three Decisional SubGroup (DSG) assumptions [31] for 3 primes, DSG1, DSG2 and DSG3, in composite order bilinear groups. Let $J := (N = p_1 p_2 p_3, G, G_T, e) \xleftarrow{U} \mathcal{G}_{cbg}(1^{\kappa})$ be the common parameters for each assumption. In the following, we define the instance for each assumption.
The advantage of an algorithm $\mathcal{A}$ in breaking DSGi, for i = 1, 2, 3 is defined by We say that the DSGi assumption holds in $J$ if for every PPT algorithm $\mathcal{A}$, the advantage $\mathsf{Adv}^{\mathrm{DSG}i}_{\mathcal{A}}(\kappa)$ is negligible in the security parameter $\kappa$.

Predicate family.
To define a predicate-based cryptosystem, we have to define a predicate family. The predicate family is defined for an index set $\Lambda$. For most of the predicate families, the index sets are considered to be subsets of $\{j : j \in \mathbb{N}^i \text{ and } i \in \mathbb{N}\}$. The following definition of predicate family is adopted from [6,1].
Definition 2.2 (Predicate Family). For an arbitrary index set $\Lambda$, we define a predicate family to be $\sim := \{\sim_j\}_{j \in \Lambda}$, where $\sim_j : \mathcal{X}_j \times \mathcal{Y}_j \to \{0, 1\}$ is an indicator function, and $\mathcal{X}_j$ and $\mathcal{Y}_j$ are respectively called key space and associative data space.
The function $\sim_j$ is also called a predicate or binary relation over $\mathcal{X}_j \times \mathcal{Y}_j$. For $(x, y) \in \mathcal{X}_j \times \mathcal{Y}_j$, we write $x \sim_j y$ if $\sim_j(x, y) = 1$, else $x \not\sim_j y$. For a predicate family, the corresponding index set $\Lambda$ is called the system-index space. A member $j$ of the index space $\Lambda$ is called the index for system parameter or simply system-index. To design a predicate-based scheme for some predicate family, first a system-index $j$ is fixed for that family. Then, this index will define a predicate tuple $(\sim_j, \mathcal{X}_j, \mathcal{Y}_j)$ for the corresponding predicate-based scheme. For example, the system-indices for the predicate families regular languages, circuits, access structures, inner product and doubly-spatial relation are respectively the alphabet, the maximum depth and number of variables for circuits, the attribute universe or size of the attribute universe, the length of vectors and the dimension of the affine space.
In the following, we describe some of the predicates widely used in practice. Note that for most of the relations described below, the system-indices are not given explicitly as they will be understood from the context.
For x ∈ X and y ∈ Y, doubly-spatial relation is defined by x ∼ ds y if and only if y ∩ x ≠ ∅. For spatial relation, we restrict Y to be Z q . In [17], the doubly-spatial relation was defined over X × Y, where X := {Ker(X) | X ∈ Z ×k q , 0 ≤ k ≤ } and Y := {Aff(A, a) | (A, a) ∈ Z ×k q × Z q , 0 ≤ k ≤ }. The predicate encryption using the (doubly)-spatial relation is called (doubly)-spatial encryption ((D)SE). The authors in [17] showed that predicate encryption for doubly-spatial relation defined later generalizes the predicate encryption for the former defined doubly-spatial relation.
Access structure based relation. Let U be a universe of attributes. Define X = 2 U and Y be the set of all access structures over U. For A ∈ X and Γ ∈ Y, we define a binary relation A ∼ Γ if and only if A ∈ Γ. The encryption scheme realizing this relation is called attribute-based encryption (ABE) for access structures.
Policy over doubly-spatial relation. We have defined the access structure based relation above through the equality relation over a universe of attributes. Here we define a new access structure based relation of [1], called policy over doubly-spatial relation, using the doubly-spatial relation over a universe of affine subspaces. This predicate generalizes the former access structure based relation. Let 0). The encryption scheme realizing this relation is called policy over doubly-spatial encryption [5,1].
Acceptance relation in regular language. A deterministic finite automaton M is defined to be a quintuple (Q, Σ, δ, q 0 , F ), where Q is a finite set of states, Σ is a finite set of symbols, called the alphabet, q 0 ∈ Q is called the start state, F ⊆ Q is called the set of final states and δ : Q × Σ → Q is called the transition function.
The language, also called regular language, recognized by a deterministic finite automaton (DFA) M is defined as Let Tr denote the set of all transitions (q x , q y , σ) ∈ Q × Q × Σ with the understanding that δ(q x , σ) = q y . If we identify δ with Tr, then a DFA M can always be represented by (Q, Σ, Tr, q 0 , F ). Let Σ be an alphabet, X := Σ * and Y be the set of all DFAs with the same alphabet Σ. For w ∈ X and M ∈ Y, we define a binary relation w ∼ M if w ∈ L(M ). We also call this relation the DFA-based relation. The corresponding encryption scheme is known as functional encryption (FE) [47] for regular languages.
For an asymmetric relation, we can define its dual relation as follows.
Remark 1. In this paper, we consider predicate encryption for all the relations described above and their duals (for asymmetric relations). If the underlying predicate or relation of PE is not clearly stated, we assume that the PE stands for one of the aforementioned relations.
Here we are interested in designing an adaptively CCA-secure predicate encryption over composite order bilinear groups (CBG) and let N be the order of the groups. This N describes some domain, for example, the domain of IBE is Z N with equality predicate. We therefore reserve the first entry of j to be N as described in [1]. For notational simplicity, we omit j and write (∼ N , X N , Y N ) or simply (∼, X , Y) depending upon requirement.
Definition 2.5. (Domain-transferable [1]). We say that ∼ is domain-transferable if for p dividing N , the projection map f 1 : X N → X p and f 2 : Y N → Y p such that for all (x, y) ∈ X N × Y N , we have:
• Setup: It takes a security parameter κ and a system-index j as input, and outputs public parameters PP and master secret key MSK.
• KeyGen: It takes as input PP, MSK and a key-index x ∈ X and outputs a secret key SK x corresponding to x.
• Enc: It takes PP, a message m ∈ M and an associated data-index y ∈ Y and returns a ciphertext C, which implicitly contains y.
2.6. Security of predicate encryption. Figure 1 is negligible function in security parameter κ, where A is provided access to key-gen oracle O K and decrypt oracle O D (described below) and NRn is a natural restriction that $(C^*, x)$ with $x \sim y^*$ was never queried to O D and for each key-index x queried to O K , it holds that $x \not\sim y^*$.
• The challenger maintains a log L for storing the pairs of the form (x, SK x ) and initially sets L ← ∅.
• KeyGen oracle (O K ): Given a key-index x, it first searches x in the log L. If is found in L, then returns Decrypt(PP, C, SK x ). Otherwise, it runs SK x ←− KeyGen(PP, MSK, x), adds (x, SK x ) to L and returns Decrypt(PP, C, SK x ).
A weaker notion of security can be defined similarly as above, except that A is not allowed access to the O D oracle. It is called IND-CPA security in both the adaptive-predicate and selective-predicate models.

2.7. Pair encoding scheme. A Pair Encoding Scheme [1] P for a predicate family ∼ consists of four deterministic algorithms, Param, Enc1, Enc2 and Pair.
- Param(j) −→ n ∈ N. n describes the number of common variables involved in Enc1 and Enc2. Let h := (h 1 , . . . , h n ) ∈ Z n N denote the common variables in Enc1 and Enc2.
polynomial over Z N and m 2 ∈ N specifies the number of its own variables. We require that each polynomial k ι is a linear combination of monomials, α, r j , h i r j , where α, r 1 , . . . , r m2 , h 1 , . . . , h n are variables. In other words, it outputs a set of coefficients which define the sequence of polynomials where r := (r 1 , . . . , r m2 ).
polynomial over Z N and ω 2 ∈ N specifies the number of its own variables. We require that each polynomial c ι is a linear combination of monomials , where s := (s 0 , . . . , s ω2 ).
- Similar type of condition is required for Enc2.
Properties of pair encoding scheme. We define two properties of pair encoding scheme as follows
2.8. Security of pair encoding scheme. We consider two forms of security, viz., perfect security and computational security as defined in [1].
- Perfect Security: A pair encoding scheme is said to be perfectly master-key and (c y , ω 2 ) ←− Enc2(y, N ), the following two distributions are identical: where the random coins of the distributions are α
- Computational Security: Here we consider two types of computational security, viz., selectively master-key hiding (SMH) and co-selectively master-key hiding (CMH). A pair encoding scheme is said to have G security for defined below is negligible function in security parameter κ:
- For Selective Security: O 1 is allowed only once, while O 2 is allowed to query polynomially many times N and return
- For Co-selective Security: Both the oracles, O 1 and O 2 are allowed to query only once.
Remark 3. In the above definition of computational security, if the oracles O 1 and O 2 are allowed to be accessed respectively t 1 and t 2 times, then SMH (resp. CMH) security will be referred to as (t 1 , t 2 )-SMH (resp. (t 1 , t 2 )-CMH) security. What are considered in [1] are (1, poly)-SMH and (1, 1)-CMH security respectively for selectively and co-selectively master-key hiding. It is clear from the definitions of PMH and CMH-security that the PMH-security of a pair encoding scheme implies the CMH-security.
2.9. Natural requirements on pair encodings. Below, we define two restrictions on pair encoding scheme which are required for correctness and security proof of the proposed construction in Section 3.1.

Conditions 2.7 (Sufficient). We put the following conditions on the pair encodings.
To the best of our knowledge, most of the pair encoding schemes satisfy these conditions.
Let P be a given pair encoding scheme for the predicate ∼. A pair encoding scheme D(P) for the predicate∼ is defined as follows: For (n, h) ← Param, we define Param := (n + 1,h), whereh := (h, φ) and φ is a new variable.
Then sets r := s and k The correctness is verified as follows: If x∼y, then y ∼ x, so from the correctness of P we have ) If a pair encoding scheme P for ∼ is perfectly master-key hiding, then the pair encoding scheme D(P) for∼ is also perfectly master-key hiding.
) If a pair encoding scheme P for ∼ is normal and (1, 1)selectively master-key hiding, then the pair encoding scheme D(P) for∼ is (1, 1)co-selectively master-key hiding.
Observation 2.8. We first note that the pair encoding scheme, D(P) satisfies the condition (1) of Conditions 2.7 due to newly added variable s 0 . Let us examine condition (2). W.l.o.g, we set c y,1 = s 0 and k x,1 = α+φ·s 0 . The correctness of D(P) and ω 1 = m 1 + 1. Hence, the matrix, E has the following form: Therefore, it is straightforward to check that the dual pair encoding scheme D(P) satisfies the condition (2)

Direct CCA-secure predicate encryption
Before describing our CCA-secure construction more formally, we first outline it.
Outline of Our Construction. One major concern in designing a CCA-secure PE is that a new ciphertext (mostly well-formed or ill-formed but up to a certain extent) must not be created from a given ciphertext. In the traditional approaches [49,50,33,34], the aforementioned concern is handled by using a strongly unforgeable OTS scheme. However, in this direct CCA-secure construction, we neither follow the traditional approaches nor use an OTS scheme. Rather, we extend the CPA-construction of [1] to a CCA-construction by considering an alternative to OTS. We first recall that a ciphertext and key in the CPA-construction of [1] are of the forms $C_{cpa} := (y, C_y := g^{c_y(s,h)}, C_{INT} := m \cdot g_T^{\alpha s_0})$ and SK x : . We note that a generator of $G_{p_3}$ is given as a part of the public parameters in the CPA-construction. The construction [1] cannot be CCA-secure as the $C_y$ part of $C_{cpa}$ can be made ill-formed by composing it with elements of $G_{p_3}$. This ill-format can be recognized if each component of $C_y$ is checked using extra pairing computations during decryption. So, the aforementioned ill-format does not hamper our focus. But, for this checking, the decryption cost will blow up to double that of the original CPA-decryption, as found in the CCA-decryption of [6]. However, the well-formedness of a ciphertext may be jeopardized in some other ways which cannot be handled efficiently in a straightforward manner. We use a collision resistant hash function and a natural encoding to construct the CCA-secure version of [1].
The intuitive idea of our construction is described as follows: For the CCA-construction, we add $g^{\theta_1}$, $g^{\theta_2}$ and a collision-resistant hash function $H : \{0, 1\}^* \to \mathbb{Z}_N$ to the public parameters of the CPA-construction. A CPA-ciphertext C cpa is first hashed to := H(C cpa ) and then is encoded (locked) to C 0 := g s0(θ1 +θ2) using s 0 , g θ1 and g θ2 .
Now, a CCA-ciphertext of our proposed construction will be of the form CT := (C cpa , C 0 ). The hash value takes care of preserving the well-formedness of C cpa , whereas the new component C 0 keeps track of the actual value = H(C cpa ). By the natural restriction (condition (1) of Conditions 2.7) on the pair encoding scheme, we have that the first component of g cy(s,h) is g s0 . Without explicit knowledge of s 0 , the component C 0 is computationally hard to compute from the available objects , g s0 , g θ1 and g θ2 . In other words, C 0 can be thought of as a natural replacement for OTS in the traditional approaches, where s 0 plays a role like the signing key in an OTS scheme. If s 0 is not compromised and C cpa is changed, then we can recognize this change by checking the following equation using g, C 0 , = H(C cpa ), g s0 , g θ1 and g θ2 : Now, the aforementioned concern boils down to checking the well-formedness (or ill-format, but up to a certain extent) of C 0 , viz., to check whether C 0 contains an element of G p3 or not. If we replace equation (1)  (2) e(g · R, C 0 ) = e(g θ1 +θ2 , g s0 )
Given a CCA-ciphertext CT, first the well-formedness (or ill-format, but up to a certain extent) of CT is checked as discussed above. Note that for this checking, we require two pairing computations. Then the actual CPA-decryption (but in a slightly different way) is run to recover the underlying message.
Another major concern is to show the adaptive security of the proposed construction. We extend the dual system proof style of [1] in a novel way. In this approach, security is proven by applying the hybrid arguments over a polynomial number of hybrid games. In addition to answering the various queries of the CPA-construction, a simulator has to handle a polynomial number of decrypt queries made by the adversary.
To smooth the hybrid arguments, the actual CPA-decryption is slightly modified as shown below: The decrypter first re-randomizes the key SK x and then creates an alternative key SK M x using the key SK x as follows: Pair(x, y). Then, it recovers the underlying message as For doing this, an extra pairing computation and the cost of re-randomization are incurred as compared to the CPA-decryption. Altogether, three extra pairing computations and the cost of re-randomization are involved in the CCA-decryption.
The linear property of the pair encodings guarantees the re-randomization of the keys in the decryption process. The re-randomization simply ensures that decrypt queries can be answered using freshly generated keys each time during the simulation of security games.
3.1. CCA-secure construction from pair encodings. We explore a direct CCA-secure construction of predicate encryptions from the pair encodings. This construction efficiently extends the original CPA-construction of [1] to a CCA-secure construction. Using this construction, we achieve CCA security of all the predicate encryptions found in [1,5,48] directly from the pair encodings of [1,5,48] with almost the same cost as the CPA construction of [1]. In fact, the difference between our construction and that of [1] is that we use an extra component in the ciphertext, three extra pairing computations and one re-randomization in the decryption process.
Terminology: For fixed θ 1 , θ 2 , ∈ Z N and h ∈ Z n N , we define h M := (θ 1 , θ 2 , h), θ := (θ 1 , θ 2 , ) and c 0 (z, θ) := z(θ 1 + θ 2 ), where z is an independent variable. Note that θ 1 , θ 2 , and h will be understood from the context. For (c y , ω 2 ) ←− Enc2(y, N ), we define c It parses CT as (y, C M y = (C 0 , C y ), C INT ) with C 0 = g c0(s0,θ) and C y = N ). Re-Rand picks r U ←− Z m 2 N and R 3 U ←− G m 1 p 3 and returns Kx := g kx(α,r,h) · R 3 · g kx(0,r ,h) · R 3 = g kx(α,r,h) · R 3 , where r :=r + r ∈ Z m 2 N and R 3 := R 3 · R 3 ∈ G m 1 p 3 .
g cy(s,h) . Then sets C cpa := (y, C y , C INT ) and computes := H(C cpa ). It Correctness: Let ∆ := e(SK M x , C M y ). For x ∼ N y (⇒ x ∼ p1 y by domain transferability), we have (by correctness of P) Remark 4. Note that the CCA secure ciphertext can also be represented as CT = (C cpa , C 0 ), where C cpa is the CPA-ciphertext of [1], then followed by the computation of C 0 .

Remark 5. We call the key SK M x defined in Decrypt the alternative key (alt-key for short). Running AltDecrypt (defined later) with this alternative key gives the same message as running Decrypt with the original key SK x .
3.2. Security of the proposed construction. The core technique used to prove the adaptive CCA-security of the proposed construction in Section 3.1 is the dual system methodology of Waters [45]. Attrapadung [1] abstracted this methodology to prove adaptive security of the CPA-construction based on pair encoding scheme. Our proof technique follows the dual system CPA-proof style of [1], but it extends from CPA-proof style to CCA-proof style. In addition to answering the various queries in CPA-proof, a simulator has to answer different decrypt queries made by adversary in CCA-proof. In this style, the original adaptive CCA-game is changed to the final game through some intermediate games. These changes are made under three subgroup decision problems and (CMH and SMH) or PMH-security of the underlying pair encoding scheme.
To smooth hybrid arguments over the consecutive games, we use the natural restrictions defined in Conditions 2.7. We note that the condition (2) is only used (in Lemma 3.13) for reaching to the final game from the previous game. We use the abbreviation 'sf-type' for semi-functional type. For all the games, we define the semi-functional keys, ciphertexts and alt-keys of various type as follow: -SFSetup(1 κ , j): It runs (PP, MSK) ←− Setup(1 κ , j) and in addition it returns semi-functional parameters, g 2 We setĥ M := (θ 1 ,θ 2 ,ĥ).
-SFKeyGen(PP, MSK, x, g 2 , type,α,ĥ): It outputs the semi-functional key SK x := (x, K x ), where K x is given by: if type= 3. , c 0 (s 0 , θ) := s 0 (θ 1 + θ 2 ) and c 0 (ŝ 0 ,θ) :=ŝ 0 (θ 1 + θ 2 ). It picks g t U ←− G T and returns the following semi-functional ciphertext CT:
-AltDecrypt(PP, CT, SK M x ): This is the same as the Decrypt algorithm, but here we do not need to compute the alt-key as it is supplied. For the sake of completeness: x , C M y ).
To obtain a desired type of semi-functional key (resp. alt-key and ciphertext), set the value of type in the arguments of SFKeyGen (resp. SFAltKeyGen and SFEnc). For example, if we set type = 1 in the arguments of SFKeyGen, we will have an sf-type 1 key. There is no g 2 component in the normal form of a key, alt-key or challenge ciphertext, but their semi-functional variants contain a g 2 component. To compute semi-functional objects, a semi-functional component is composed with the normal objects. The semi-functional component mimics the G 1 -structure of the normal objects in the G 2 subgroup. Some additional changes are made depending on the type of the semi-functional object. For example, in an sf-type 1 (resp. 2 and 3) key, the exponent of g 2 is k x (0,r,ĥ) (resp. k x (α,r,ĥ) and k x (α, 0, 0)). A similar illustration holds for semi-functional alt-keys and the challenge ciphertext. The difference between sf-type 1 and sf-type 2 challenge ciphertexts is the distribution of C INT . In the former case, C INT is the same as that of the normal ciphertext and in the latter case, C INT is m · g t , where g t is a random element of G T .
Theorem 3.1. Let P be a pair encoding scheme for a predicate ∼ which satisfies Conditions 2.7 and ∼ is domain-transferable. Suppose P has both SMH and CMH security, the assumptions DSG1, DSG2 and DSG3 hold in J , and H is a collision-resistant hash function. Then the proposed predicate encryption scheme PE in Section 3.1 for the predicate ∼ is AP-IND-CCA secure (Definition 2.6).
Proof. Suppose there are at most q (resp. ν) key (resp. decrypt) queries made by an adversary A . Then the security proof consists of a hybrid argument over a sequence of 3q 1 +2ν +7 games, where among the q key queries, q 1 is the number of phase-1 key queries. Let Game Real be the original AP-IND-CCA security game of the predicate encryption scheme. By applying hybrid arguments on Game Real through the sequence of intermediate games starting with Game Res , we reach Game Final . All the games are described in detail in Figures 3 and 4, where the expression in the 'box' indicates the modification from the previous game. From Game 0 onwards, SFSetup(1 κ , j) is run in the setup phase to output the additional components g 2 andĥ M required for generating semi-functional components. For simplicity, PP and MSK are omitted from the respective algorithms appearing in the figures.
In Game Res , the natural restriction x ∼ N y * is replaced by x ∼ p2 y * for each key query x made by A . This game change is taken care of by Lemma 3.2 under the DSG2 assumption. In the lemma, domain-transferability is used explicitly. In Game 0 , the challenge ciphertext is changed from normal to sf-type 1. This change is made using Lemma 3.3 under the DSG1 assumption. In Game 1-k-ι (for 1 ≤ ι ≤ 3), the challenge ciphertext is sf-type 1, the first (k − 1) keys are of sf-type 3, the k th key is of sf-type ι and the remaining keys are normal, and all the decrypt queries are answered using normal alt-keys. There are 3q 1 game changes from Game 0 (= Game 1-0-3 ), through Game 1-1-1 , Game 1-1-2 , Game 1-1-3 , Game 1-2-1 , . . ., Game 1-q1-3 . In each subsequent game change, the k th key is changed either from normal to sf-type 1 or sf-type 1 to sf-type 2 or sf-type 2 to sf-type 3. Note that to answer each phase-1 key query x i of the form sf-type 2 or sf-type 3, a fresh α i is chosen each time. The game change where the k th key gets transformed from normal to sf-type 1 (resp. sf-type 2 to sf-type 3) is argued by Lemma 3.4 (resp. 3.6) under the DSG2 assumption. The hybrid argument for changing the k th key from sf-type 1 to sf-type 2 is assured by Lemma 3.5 under the CMH security of pair encodings. Thus in Game 1-q1-3 , the first q 1 keys become sf-type 3 and the remaining keys are normal. This completes the translation of the phase-1 key queries into the semi-functional domain.

Figure 3. The description of the first (3q 1 + 6) hybrid games used in the security proof, where alt-keys are answered by AltKeyGen(CT j , x j ). The rest of the games are described in Figure 4. (Table columns: Game, Challenge Ciphertext, Key; key entry: SFKeyGen(xi, g2, 3,α, 0) if q1 < i ≤ q.)
In Game 2-k-ι (for 1 ≤ ι ≤ 2), the challenge ciphertext is sf-type 1, all the key queries are of sf-type 3 and the first (k − 1) decrypt queries are answered using sf-type 3 alt-keys, the k th decrypt query is answered using the alt-key of sf-type ι and the remaining decrypt queries are answered using normal alt-keys. There are 2ν game changes from Game 1-(q1+1)-3 (= Game 2-0-2 ), through Game 2-1-1 , Game 2-1-2 , Game 2-2-1 , . . ., Game 2-ν-2 . In each subsequent game change, the k th alt-key is changed either from normal to sf-type 1 or sf-type 1 to sf-type 2. The game change where the k th alt-key gets transformed from normal to sf-type 1 is argued by Lemma 3.10 under the collision-resistant property of the hash and the DSG2 assumption. The hybrid argument for changing the k th alt-key from sf-type 1 to sf-type 2 is assured by Lemma 3.12 under the DSG2 assumption. The description of Game Final is the same as Game 2-ν-2 , except the challenge ciphertext is sf-type 2. The game change from Game 2-ν-2 to Game Final is done by Lemma 3.13 under the DSG3 assumption.
(Table columns: Game, Challenge Ciphertext, Alt-key.)
Since the challenge ciphertext is of sf-type 2 in Game Final , the challenge message m b gets masked with an independently and uniformly chosen element from G T . This implies that the component C INT does not leak any information about b. Therefore, the adversary A has no advantage in Game Final .
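The hop sequence described in this proof can be written out mechanically. The following Python sketch is an added example, not part of the paper: it enumerates the games in order, tags each hop with the lemma and assumption named above, and checks the 3q 1 + 2ν + 7 and 3q 1 + 6 counts. The function names and the "Game_..." labels are assumptions made for this illustration.

```python
from collections import Counter

def hybrid_games(q1, nu):
    """Ordered games of the hybrid argument for Theorem 3.1.

    Each entry is (game, lemma, assumptions): the game reached, the lemma
    that justifies the hop into it, and what that lemma relies on.
    q1 = number of phase-1 key queries, nu = number of decrypt queries.
    """
    seq = [("Game_Real", None, ()),
           ("Game_Res", "3.2", ("DSG2",)),   # restriction moved to ~_{p2}
           ("Game_0", "3.3", ("DSG1",))]     # challenge CT: normal -> sf-type 1
    # Phase-1 keys, one key at a time: normal -> sf-1 -> sf-2 -> sf-3.
    for k in range(1, q1 + 1):
        seq += [(f"Game_1-{k}-1", "3.4", ("DSG2",)),
                (f"Game_1-{k}-2", "3.5", ("CMH",)),
                (f"Game_1-{k}-3", "3.6", ("DSG2",))]
    # Phase-2 keys, all handled together in three hops.
    k = q1 + 1
    seq += [(f"Game_1-{k}-1", "3.7", ("DSG2",)),
            (f"Game_1-{k}-2", "3.8", ("SMH",)),
            (f"Game_1-{k}-3", "3.9", ("DSG2",))]
    # Decrypt queries, one alt-key at a time: normal -> sf-1 -> sf-2.
    for k in range(1, nu + 1):
        seq += [(f"Game_2-{k}-1", "3.10", ("CRH", "DSG2")),
                (f"Game_2-{k}-2", "3.12", ("DSG2",))]
    seq.append(("Game_Final", "3.13", ("DSG3",)))  # challenge CT -> sf-type 2
    return seq

def assumption_usage(q1, nu):
    """How many hops invoke each assumption (hop counts only, not the bound)."""
    usage = Counter()
    for _, _, assumptions in hybrid_games(q1, nu):
        usage.update(assumptions)
    return usage

def figure3_games(q1, nu):
    """Games that precede the first alt-key change (the ones in Figure 3)."""
    later = ("Game_2-", "Game_Final")
    return [g for g in hybrid_games(q1, nu) if not g[0].startswith(later)]

if __name__ == "__main__":
    q1, nu = 2, 3  # constructed sample sizes
    for game, lemma, assumptions in hybrid_games(q1, nu):
        via = f"Lemma {lemma} ({' + '.join(assumptions)})" if lemma else "start"
        print(f"{game:14s} <- {via}")
    print(dict(assumption_usage(q1, nu)))
```

Hops that depend on the number of queries (CMH, CRH and most DSG2 hops) are the ones that scale with q 1 and ν in the tally.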
The complete security reduction is given by: where Adv CRH B5 (κ) is the advantage of B 5 in breaking the collision-resistant property of H and B 1 , B 2 , B 3 , B 4 , B 5 , B 6 are PPT algorithms whose running times are the same as that of A . This completes the proof.
Proof. Suppose an adversary can distinguish the games with a non-negligible probability. Then we will establish a PPT simulator B for breaking the DSG2 assumption with the same probability. An instance of DSG2, (J , g, The only difference between the games, Game Real and Game Res is that if x is a queried key-index and y * is a challenge associated data-index, then it holds: x ∼ p2 y * but, x ∼ N y * . We show that the above scenario will not happen. In fact, from the soundness of domain-transferability of ∼, we can find a factor F such that p 2 |F |N . There are three possibilities for F : (1) F = p 2 , (2) F = p 1 p 2 and (3) F = p 2 p 3 . We remark that the aforesaid cases are recognized using the parameters of the given instance of DSG2. Suppose F = p 2 . Let B := N/F = p 1 p 3 and then by checking (T β ) B ?= 1 G , B can break the DSG2 assumption. Now suppose F = p 1 p 2 or F = p 2 p 3 .
In both cases, we have Y 2 ∈ G p2 , then by checking e(T β , Y 2 ) ?= 1, B can break the DSG2 assumption. Analysis: We will show that all the objects are perfectly distributed as required. B implicitly sets g t1 := T β Gp 1 and for β = 1, g t2 2 := T β Gp 2 . Then by linearity of P, . B implicitly sets s := t 1 s mod p 1 and for β = 1,ŝ := t 2 s mod p 2 . By CRT, s mod p 1 is independent from s mod p 2 and therefore s andŝ are perfectly distributed as required. Altogether, we have that the joint distribution of all the objects simulated by B is identical to that of Game Res if β = 0 else Game 0 .
Lemma 3.4. Game 1-(k−1)-3 and Game 1-k-1 are indistinguishable under the DSG2 assumption. That is, for every adversary A , there exists a PPT algorithm B such that |Adv for 1 ≤ k ≤ q 1 , where q 1 is the number of phase-1 key queries.
Proof. We establish a PPT simulator B who receives an instance of DSG2, (J , g, It computes the sf-type 3 key as defined below:
Lemma 3.5. Game 1-k-1 and Game 1-k-2 are indistinguishable under CMH security of the primitive pair encoding scheme, P. That is, for every adversary A , there exists a PPT algorithm B such that Proof. Suppose A can distinguish Game 1-k-1 and Game 1-k-2 with non-negligible probability. Then we will construct a PPT simulator B for breaking the CMH security of P with the same probability.
Setup: The challenger CH of P gives (g, -KeyGen(x): Let x j be the j th query key-index. B answers the key SK xj as follows: -If j > k, then B runs the KeyGen algorithm and gives the normal key to A . -If j < k, then it is of sf-type 3 key. Using PP, MSK and g 2 , B can generate the required key. -If j = k then it is either of sf-type 1 or sf-type 2 key. B runs (k It makes a query with x k to CH and let T := g kx k (β,r k ,ĥ) 2 be the reply, where β = 0 or random element from Z N . Then B returns the following key SK x k := g kx k (α,r k ,h) · T · R 3 to A . Therefore, SK x k is perfectly distributed sf-type 1 key if β = 0 else sf-type 2. Analysis: It consists of two parts, correctness and perfectness which are described below.
-Correctness: B follows the restriction of CMH security game (while interacting with CH) as long as A does so in CCA-security game with B. In fact, by natural restriction, for all key queries x made by A , we have x ∼ p2 y * , in particular for k th query, x k ∼ p2 y * . Therefore, B does not violate the restriction of the CMH security game with CH. -Perfectness: By the assumption: c y * ,1 (ŝ,ĥ) =ŝ 0 , the first component of D is gŝ 0 2 . So, C * 0 can be easily computable using gŝ 0 2 , s 0 , θ 1 , θ 2 and * . If we setĥ M := h M mod p 2 , then by CRT, we haveĥ M is independent from h M mod p 1 . Hence, CT * can be written as (y * , Therefore, CT * is perfectly distributed sf-type 1 challenge ciphertext. Altogether, we have that the joint distribution of all the objects simulated by B is identical to that of Game 1-k-1 if β = 0 else Game 1-k-2 .
Lemma 3.6. Game 1-k-2 and Game 1-k-3 are indistinguishable under the DSG2 assumption. That is, for every adversary A , there exists a PPT algorithm B such that Proof. We establish a PPT simulator B who receives an instance of DSG2, (J , g, 1} and depending on the distribution of β, it simulates either Game 1-k-2 or Game 1-k-3 . The description of the simulation is the same as that of Lemma 3.4 except for answering the k th key query. Below, we only describe the simulation of the k th query: The k th key is either sf-type 2 or sf-type 3. B runs (k x k , m 2 ) ←− Enc1(x k , N ) with p3 . It generates the following SK x k using T β of the instance of DSG2: and T β = g t1 g t2 2 g t3 3 (for β = 1), then B implicitly setŝ α k := w 2 α k , r k := r k + t 1r k andr k := t 2r k . Note that here we use the linearity and param-vanishing properties of the pair encoding scheme P. Since r k andr k are chosen uniformly and independently from Z m2 N , then so are r k andr k . Therefore, SK x k is perfectly distributed sf-type 2 (resp. sf-type 3) key if β = 1 (resp. β = 0).
Lemma 3.7. Game 1-q1-3 and Game 1-(q1+1)-1 are indistinguishable under the DSG2 assumption. That is, for every adversary A , there exists a PPT algorithm B such that Proof. We establish a PPT simulator B who receives an instance of DSG2, (J , g, Query Phase-1: It consists of the following queries in adaptive manner: -KeyGen(x): This is the same as the case j < k of Lemma 3.4. In fact, let x j be the j th (j ≤ q 1 ) query key-index. B answers the key SK xj as follows: It is of sf-type 3 key. B runs (k xj , m 2 ) ←− Enc1(x j , N ) with |k xj | = m 1 . Picks It computes the sf-type 3 key as defined below: It implicitly setsα j := w 2 α j , where W 2 W 3 = g w2 2 g w3 3 . So, SK xj is properly distributed sf-type 3 key.
2 , it implicitly sets s := z 1 s mod p 1 andŝ := z 2 s mod p 2 . By CRT, we have s mod p 1 is independent from s mod p 2 . Therefore, CT * is perfectly distributed sf-type 1 challenge ciphertext.
Query Phase-2: It consists of the following queries in adaptive manner: -KeyGen(x): This is same as the case j = k of that of Lemma 3.4. In fact, let x j be the j th (j > q 1 ) query key-index. B answers the key SK xj as follows: p3 . It computes SK xj as defined below: B implicitly sets g t1 := T β Gp 1 and for β = 1, g t2 2 := T β Gp 2 . Then by linearity of P, we have g kx j (α, r j , h) · g t1kx j (0,r j , h) = g kx j (α, r j +t1r j , h) and . B implicitly sets r j := r j + t 1r j andr j := t 2r j . Since r j andr j are chosen uniformly and independently from Z m2 N , then so are r j andr j . Therefore, SK xj is perfectly distributed normal (resp. sf-type 1) key if β = 0 (resp. β = 1).
Analysis: Altogether, we have that the joint distribution of all the objects simulated by B is identical to that of Game 1-q1-3 if β = 0 else Game 1-(q1+1)-1 .
Lemma 3.8. Game 1-(q1+1)-1 and Game 1-(q1+1)-2 are indistinguishable under the SMH security of the primitive pair encoding scheme, P. That is, for every adversary A , there exists a PPT algorithm B such that Proof. Suppose A can distinguish Game 1-(q1+1)-1 and Game 1-(q1+1)-2 with non-negligible probability. Then we will construct a PPT simulator B for breaking the SMH security of P with the same probability.
Setup: The challenger CH of P gives (g, be the reply. It first computes C * cpa := (y * , C y * := g c y * (s,h) · D, C INT := m b · e(g, g) αs0 ) and then computes * := H(C * cpa ). Finally, returns the challenge ciphertext CT * := (y * , C M y * := (C * 0 , C y * ), C INT ), where C * 0 := (g s0 gŝ 0 2 ) (θ1 * +θ2) . Query Phase-2: It consists of the following queries in adaptive manner: -KeyGen(x): All the keys are either sf-type 1 or sf-type 2. Let x j be the j th query key-index. B runs (k xj , m 2 ) ←− Enc1(x j , N ) with |k xj | = m 1 . Picks It makes a query with x j to CH and let T := g kx j (β,rj ,ĥ) 2 be the reply, where β = 0 or random element from Z N . Then B returns the following key to A . Therefore, SK xj is perfectly distributed sf-type 1 key if β = 0 else sf-type 2.
Guess: A sends a guess b to B. If b = b then B returns 1 else 0.
Analysis: It consists of two parts, correctness and perfectness which are described below.
-Correctness: B follows the restriction of SMH security game (while interacting with CH) as long as A does so in CCA-security game with B. In fact, by natural restriction, for all key queries x made by A , we have x ∼ p2 y * , in particular for k th query, x k ∼ p2 y * . Therefore, B does not violate the restriction of the SMH security game with CH. -Perfectness: By the assumption: c y * ,1 (ŝ,ĥ) =ŝ 0 , the first component of D is gŝ 0 2 . So, C * 0 can be easily computable using gŝ 0 2 , s 0 , θ 1 , θ 2 and * . If we setĥ M := h M mod p 2 , then by CRT, we haveĥ M is independent from h M mod p 1 . Hence, CT * can be written as (y * , Therefore, CT * is perfectly distributed sf-type 1 challenge ciphertext. Altogether, we have that the joint distribution of all the objects simulated by B is identical to that of Game 1-(q1+1)-1 if β = 0 else Game 1-(q1+1)-2 . Lemma 3.9. Game 1-(q1+1)-2 and Game 1-(q1+1)-3 are indistinguishable under the DSG2 assumption. That is, for every adversary A , there exists a PPT algorithm B such that Proof. We establish a PPT simulator B who receives an instance of DSG2, (J , 1} and depending on the distribution of β, it simulates either Game 1-(q1+1)-2 or Game 1-(q1+1)-3 . The simulation is almost similar to Lemma 3.7 except answering the key queries after the challenge phase. We illustrate here only the key queries after the challenge phase. Let x j be the j th (j > q 1 ) query key-index. Note that for all the post key queries x j ,α's appearing in G p2 components of SK xj are identical.
Query Phase-2: It consists of the following queries in adaptive manner: -KeyGen(x): Again note that for all the post key queries x,α's appearing in G p2 p3 . It computes SK xj as defined below: It implicitly setsα := w 2 α , where W 2 W 3 = g w2 2 g w3 3 . So, SK xj is properly distributed sf-type 3 key.
-Decrypt(CT, x): Similar to Query Phase-1 except for the k th decrypt query (CT k , x k ), i.e., if CT * = CT k and * = k , then B aborts.
Guess: A sends a guess b to B. If b = b then B returns 1 else 0.
If * = k , then B aborts the game in query-2 phase. Therefore, we only have to show that the probability of abort is negligible. By Fact 3.11, we have that the probability of abort is bounded by the advantage of an adversary in breaking DSG2 assumption. Altogether, we have that the joint distribution of all the objects simulated by B is identical to that of Game 2-(k−1)-2 if β = 0 else Game 2-k-1 .
Fact 3.11. If for the k th decrypt query (CT k , x k ), CT * = CT k and * = k , then B can solve the given instance of DSG2 assumption.
If Y 2 = g y2 2 , B implicitly setsα j := y 2 +α j mod p 2 and so, SK xj is a perfectly distributed sf-type 3 key.
Query Phase-2: It consists of the following queries in adaptive manner: -KeyGen(x): It is similar to Query Phase-1, exceptα j will be the same for all post queried keys x j . In fact, it is described here. Let x j be the j th query key-index. B runs (k xj , m 2 ) ←− Enc1(x j ). Then picks r j U ←− Z m2 N ,α U ←− Z N and R 3 U ←− G m1 p3 . Finally it returns SK xj := (g α Y 2 ) kx j (1,0,0) · g kx(0,rj ,h) · g kx j (α ,0,0) 2 · R 3 .
Guess: A sends a guess b to B. If b = b then B returns 1 else 0.
Analysis: All the components simulated above are perfectly distributed as required. Therefore, the joint distribution of all the objects simulated by B is identical to that of Game 2-ν-2 if β = 0 else Game Final .
Theorem 3.14. Let P be a pair encoding scheme for a predicate ∼ which satisfies Conditions 2.7 and ∼ is domain-transferable. Suppose P has PMH security, the assumptions DSG1, DSG2 and DSG3 hold in J , and H is a collision-resistant hash function. Then the proposed predicate encryption scheme PE in Section 3.1 for the predicate ∼ is AP-IND-CCA secure (Definition 2.6).
Proof. Similar to the proof of Theorem 3.1. The reduction of the proof is given by where q and ν are respectively the numbers of key and decrypt queries made by A and B 1 , B 2 , B 3 , B 4 are PPT algorithms whose running times are the same as that of A .

Conclusion
In this paper, we have shown an efficient construction of fully CCA-secure predicate encryptions from pair encodings having almost the same cost as the CPA-secure PE of [1]. In particular, it has one extra group element in ciphertext, three extra pairing computations and one re-randomization of key in decryption as compared to the CPA-decryption of [1].
The security of all the aforementioned ABE schemes (except [37,31]) was proven in the selective model, a weak model where an adversary has to publish the challenge policy (in case of CP-ABE) or the set of attributes (in case of KP-ABE) before seeing the public parameters. In contrast, in the adaptive security model the adversary has the flexibility to choose the challenge policy or the set of attributes in the challenge phase. Lewko et al. [31] first took a big step forward in the construction of adaptively secure ABE schemes for monotone access structures in the standard model. The authors show how to utilize the dual system methodology [45] of Waters in the area of ABE. For utilizing this methodology, the authors [31] used DSG assumptions in composite order bilinear groups. Later, Okamoto and Takashima [37] obtained adaptively secure predicate encryption schemes with general relations in prime order bilinear groups. Their constructions are based on the concept of dual pairing vector spaces [36]. The authors [37] used decisional subspace assumptions to abstract the dual system methodology. These subspace assumptions are reduced from the decisional linear (DLIN) assumption.
Similar to the traditional ABE, there are many other encryptions available in the literature. Some of them are ABE for circuits, (doubly-)spatial encryption ((D-)SE), functional encryption for regular languages, (hierarchical) inner-product encryption ((H)IPE), etc. These encryptions are subsumed under a larger class of encryptions, called predicate encryption. These encryptions are briefly described below.