A New Encoding Framework for Predicate Encryption with Non-linear Structures in Prime Order Groups

Abstract

We present a new encoding framework for predicate encryption (PE) in prime order groups. Our framework captures a broader range of adaptively secure PE schemes by allowing PE schemes to have more flexible (i.e., non-linear) structures. The existing works dealing with adaptively secure PE schemes in prime order groups require strict structural restrictions on PE schemes. In particular, the exponents of public keys and master secret keys of the PE schemes, which are referred to as common variables, must be linear. In this paper, we introduce a modular approach which includes non-linear common variables in PE schemes. First, we formalize non-linear structures by improving Attrapadung’s pair encoding framework (Eurocrypt’14). Then, we provide a generic compiler that incorporates encodings under our framework to PE schemes in prime order groups. Notably, we prove the security of our compiler by introducing a new technique that decomposes common variables into two types and makes one of them shared between semi-functional and normal spaces on processes of the dual system encryption. As instances of our new framework, we introduce new attribute-based encryption schemes supporting non-monotone access structures, namely non-monotonic ABE. Our new schemes are adaptively secure in prime order groups and have either short ciphertexts (in the case of KP-ABE) or short keys (in the case of CP-ABE).

A Appendix

1.1 A.1 Syntax of Pair Encoding Framework

We briefly introduce Attrapadung’s pair encoding framework [3]. In pair encoding, instances for a predicate \(R_\kappa :\mathcal {X} \times \mathcal {Y} \rightarrow \lbrace 0, 1 \rbrace \) consist of four deterministic algorithms which are Param, Enc1, Enc2 and Pair.

• Param\((\kappa ) \rightarrow \, \omega \): It takes as input an index \(\kappa \) and outputs the number of common variables \(\omega \) of \(\varvec{b}= (b_1, ..., b_\omega )\). The common variables are shared with Enc1 and Enc2.

• Enc1\((x) \rightarrow (\varvec{k}:= (k_1, ..., k_{m_1});m_2)\): It takes as \(x \in \mathcal {X}\) and outputs a sequence of polynomials of \(\lbrace {k}_i \rbrace _{i \in [m_1]}\) with coefficient in \(\mathbb {Z}_p\) and \(m_2\) which is the number of variables. Every \(k_i\) is a linear combination of monomials \(\alpha \), \(r_k\), \(b_jr_k\) where \(k \in [m_2]\) and \(\alpha , r_1, ..., r_{m_2} \in \mathbb {Z}_p\) are variables.

  Enc2\((y) \rightarrow (\varvec{c}:= (c_1, ..., c_{w_1});w_2)\) It takes as \(y \in \mathcal {Y}\) and outputs a sequence of polynomials of \(\lbrace {c}_i \rbrace _{i \in [1,w_1]}\) with coefficient in \(\mathbb {Z}_p\) and \(w_2\) which is the number of variables. Every \(c_i\) is a linear combination of monomials s, \(s_k\), \(b_js\), \(b_js_k\) where \(k \in [w_2]\) and \(s, s_1, ..., s_{w_2} \in \mathbb {Z}_p\) are variables.

• Pair\((x,y) \rightarrow \varvec{E}\) takes as inputs x and y and outputs a reconstruction matrix \(\varvec{E}\) such that \(\varvec{k} \varvec{E} \varvec{c}^{\top } = \alpha s\).

The instances of the pair encoding framework satisfy multiple properties, namely linearity in random variables, parameter vanishing and (computational or perfect) \(\alpha \) hiding [3].