Ciphertext Policy Attribute-Based Encryption for Circuits from LWE Assumption

Abstract

Attribute-based encryption (ABE) is a standard method for achieving access control using cryptography, and is related to many other powerful primitives such as functional encryption. While classical pairing based ABE schemes support only boolean formulas as access policy, the first ABE scheme for arbitrary polynomial size circuits is given in [GVW13], and its security is based on LWE assumption. However, the GVW13 scheme is a key policy ABE (KP-ABE), and whether their method can be used to construct a ciphertext policy ABE (CP-ABE) scheme is currently unknown.

In this paper, we present the first direct construction (not from universal circuits) of CP-ABE scheme for circuits. Similar to the two-to-one recoding technique used in GVW13, we introduce three-to-one recoding, and use it to construct our scheme, which can be proved for selective security assuming that LWE problem is hard, for arbitrary polynomial size circuits. Compared with universal circuit based constructions, our scheme is simpler and has lesser decryption cost.

This work is supported by the National Key Research and Development Program of China (No. 2016QY071401).

A Correctness and Security of Three-to-One Recoding from LWE

Correctness. We define the sets \(\varPhi _{\mathbf {A},\mathbf {s},j}\) for \(\mathsf {pk}:=\mathbf {A}\in \mathbb {Z}_q^{n\times m}\), \(\mathbf {s}\in \mathbb {Z}_q^n\) and \(j\in [0,d_\mathrm {max}]\) as follows:

$$\begin{aligned} \varPhi _{\mathbf {A},\mathbf {s},j}=\mathbf {A}^T\mathbf {s}+\mathbf {e}:\Vert \mathbf {e}\Vert _\infty \le B\cdot (3\sigma m\sqrt{m})^j. \end{aligned}$$

Given this definition:

• Observe that when \(\mathbf {e}\in \chi ^m\), \(\Vert \mathbf {e}\Vert _\infty \le B\) by the definition of \(\chi \) and B. So \(\mathrm {Pr}[\mathsf {Encode}(\mathbf {A,s})\in \varPhi _{\mathbf {A},\mathbf {s},0}]=1\).

• \(\varPhi _{\mathbf {A,s},0}\subseteq \varPhi _{\mathbf {A,s},1}\subseteq ...\subseteq \varPhi _{\mathbf {A,s},d_\mathrm {max}}\), by definition of the sets above.

• For any two encodings \(\mathbf {\phi }=\mathbf {A}^T\mathbf {s}+\mathbf {e}\), \(\mathbf {\phi }'=\mathbf {A}^T\mathbf {s}+\mathbf {e}'\in \varPhi _{\mathbf {A,s},d_\mathrm {max}}\):

  $$\begin{aligned} \Vert \mathbf {\phi }-\mathbf {\phi }'\Vert _\infty =\Vert \mathbf {e}-\mathbf {e}'\Vert _\infty \le 3\cdot B\cdot (3\sigma m\sqrt{m})^{d_\mathrm {max}} < q/4, \end{aligned}$$

  which holds as long as \(n\cdot O(n^2\log q)^{d_\mathrm {max}}<q/4\). Thus, \(\mathbf {\phi }\) and \(\mathbf {\phi }'\) are “close”, and by the correctness property of the symmetric encryption scheme \((\mathsf {E,D})\) described above, \(\mathsf {D}(\mathbf {\phi }',\mathsf {E}(\mathbf {\phi },\mathbf {\mu })) =\mathbf {\mu }\) for any \(\mathbf {\mu }\in \{0,1\}^m\).

• Consider three encodings \(\mathbf {\phi }_0\in \varPhi _{\mathbf {A}_0,\mathbf {s},j_0}\), \(\mathbf {\phi }_1\in \varPhi _{\mathbf {A}_1,\mathbf {s},j_1}\) and \(\mathbf {\phi }_2\in \varPhi _{\mathbf {A}_2,\mathbf {s},j_2}\), for any \(j_0,j_1,j_2\in [0,d_\mathrm {max}-1]\), any \(\mathbf {A}_0,\mathbf {A}_1,\mathbf {A}_2\in \mathbb {Z}_q^{n\times m}\) and \(\mathbf {s}\in \mathbb {Z}_q^n\). Then, \(\mathbf {\phi }_0=\mathbf {A}_0^T\mathbf {s}+\mathbf {e}_0\), \(\mathbf {\phi }_1=\mathbf {A}_1^T\mathbf {s}+\mathbf {e}_1\) and \(\mathbf {\phi }_2=\mathbf {A}_2^T\mathbf {s}+\mathbf {e}_2\), where \(\Vert \mathbf {e}_0\Vert _\infty \le B(3\sigma m\sqrt{m})^{j_0}\), \(\Vert \mathbf {e}_1\Vert _\infty \le B(3\sigma m\sqrt{m})^{j_1}\) and \(\Vert \mathbf {e}_2\Vert _\infty \le B(3\sigma m\sqrt{m})^{j_2}\). Then, the recoding \(\mathbf {\phi }_\mathrm {tgt}\) is computed as follows:

  $$ \begin{array}{ll} \mathbf {\phi }_\mathrm {tgt}^T &{}:= [\mathbf {\phi }_0^T\Vert \mathbf {\phi }_1^T\Vert \mathbf {\phi }_2^T]\mathbf {R}_{0,1,2}^\mathrm {tgt} \\ &{}=[\mathbf {s}^T\mathbf {A}_0+\mathbf {e}_0^T\Vert \mathbf {s}^T\mathbf {A}_1+\mathbf {e}_1^T\Vert \mathbf {s}^T\mathbf {A}_2+\mathbf {e}_2^T]\mathbf {R}_{0,1,2}^\mathrm {tgt} \\ &{}=\mathbf {s}^T[\mathbf {A}_0\Vert \mathbf {A}_1\Vert \mathbf {A}_2]\mathbf {R}^\mathrm {tgt}_{0,1,2}+[\mathbf {e}_0^T\Vert \mathbf {e}_1^T\Vert \mathbf {e}_2^T]\mathbf {R}^\mathrm {tgt}_{0,1,2} \\ &{}=\mathbf {s}^T\mathbf {A}_\mathrm {tgt}+\mathbf {e}_\mathrm {tgt}^T \end{array} $$

  where \(\mathbf {e}_\mathrm {tgt}:=[\mathbf {e}_0^T\Vert \mathbf {e}_1^T\Vert \mathbf {e}_2^T]\mathbf {R}^\mathrm {tgt}_{0,1,2}\). Thus, we have:

  $$ \begin{array}{ll} \Vert \mathbf {e}_\mathrm {tgt}\Vert _\infty &{}:= m\cdot \Vert \mathbf {R}_{0,1,2}^\mathrm {tgt}\Vert _\infty \cdot (\Vert \mathbf {e}_0\Vert _\infty +\Vert \mathbf {e}_1\Vert _\infty +\Vert \mathbf {e}_0\Vert _\infty ) \\ &{}\le m\cdot \sigma \sqrt{m}\cdot (B\cdot (3\sigma m\sqrt{m})^{j_0}+B\cdot (3\sigma m\sqrt{m})^{j_1}+B\cdot (3\sigma m\sqrt{m})^{j_2})\\ &{}\le B\cdot (3\sigma m\sqrt{m})^{\mathrm {max}(j_0,j_1,j_2)+1} \end{array} $$

  and we complete the proof.

Key Indistinguishability. Let \((\mathbf {A}_1,\mathbf {T}_1),(\mathbf {A}_2,\mathbf {T}_2)\leftarrow \mathsf {TrapSamp}(1^n,1^m,q)\), and \(\mathbf {R}_1,\mathbf {R}_2\xleftarrow {\$} D_{\mathbb {Z}^m,\sigma }^m\). By the property of lattice trapdoors, we can see that the following two distribution \((\mathbf {U},\mathbf {R}_0)\):

• \((\mathbf {A}_0,\mathbf {T}_0)\leftarrow \mathsf {TrapSamp}(1^n,1^m,q)\); \(\mathbf {U}\xleftarrow {\$}\mathbb {Z}_q^{n\times m}\), \(\mathbf {R}\leftarrow \mathsf {SampleD}(\mathbf {A,T},\mathbf {U},\sigma )\);

• \((\mathbf {A}_0,\mathbf {T}_0)\leftarrow \mathsf {TrapSamp}(1^n,1^m,q)\); \(\mathbf {R_0}\xleftarrow {\$}D_{\mathbb {Z}^m,\sigma }^m\), \(\mathbf {U}:=\mathbf {A}_0\mathbf {R}_0\).

are statistically indistinguishable. Thus for the two distributions, \((\mathbf {A}_\mathrm {tgt}:=\mathbf {U}+\mathbf {A}_1\mathbf {R}_1+\mathbf {A}_2\mathbf {R}_2\ \mathrm {mod}\ q, \mathbf {R}=[\mathbf {R}_0^T\Vert \mathbf {R}_1^T\Vert \mathbf {R}_2^T]^T)\) are statistically indistinguishable. In the first distribution, we change the sampling of \(\mathbf {U}\) into: \(\mathbf {A}_\mathrm {tgt}\xleftarrow {\$}\mathbb {Z}_q^{n\times m}\), \(\mathbf {U}:=\mathbf {A}_\mathrm {tgt}-\mathbf {A}_1\mathbf {R}_1-\mathbf {A}_2\mathbf {R}_2\ \mathrm {mod}\ q\), which does not change the distribution, and \(\mathbf {R}\) is generated from \(\mathsf {ReKeyGen3}(\mathbf {A}_0,\mathbf {A}_1,\mathbf {A}_2,\mathbf {T}_0,\mathbf {A}_\mathrm {tgt})\) in the first distribution. Also \((\mathbf {A}_\mathrm {tgt},\mathbf {R})\) are generated from \(\mathsf {SimReKeyGen3}(\mathbf {A}_0,\mathbf {A}_1,\mathbf {A}_2)\) in the second distribution. Thus we have the recoding simulation property.

Similarly, each recoding key generated from \(\mathsf {ReKeyGen3}(\mathbf {A}_0,\mathbf {A}_1,\mathbf {A}_2,\mathbf {T}_i,\mathbf {A}_\mathrm {tgt})\) for \(i\in \{0,1,2\}\) is statistically indistinguishable from the recoding key generated from \(\mathsf {SimReKeyGen3}(\mathbf {A}_0,\mathbf {A}_1,\mathbf {A}_2)\). So the recoding keys generated from all four methods are statistically indistinguishable.

Correlated Pseudorandomness

We construct the following interactive games. Let Game 0 be the original game.

Game 1: Instead of letting \((\mathsf {pk}_i,\mathsf {sk}_i)\leftarrow \mathsf {Keygen(pp)}\), we let \(\mathsf {pk}_i\xleftarrow {\$}\mathbb {Z}_q^{n\times m}\). Game 1 is statistically indistinguishable from Game 0 because of the property of lattice trapdoors.

Game 2: Instead of letting \(\phi _i=\mathsf {Encode}(\mathsf {pk}_i,s)\) for \(i=1,...,l\) and \(\phi '_0=\mathsf {Encode}(\mathsf {pk}_{l+1},s)\), we let \(\phi _1,...,\phi _l,\phi '_0\xleftarrow {\$}\mathbb {Z}_q^m\). Game 2 is computationally indistinguishable from Game 1 because of LWE assumption.

In Game 2, \(\phi '_0\) and \(\phi '_1\) are both uniformly distributed, so the adversary cannot do better than random guess. Thus we prove the pseudorandomness of the scheme.