Abstract
We propose a Key-policy Attribute-based Encryption (KP-ABE) scheme for (monotone) Boolean circuits based on bilinear maps. The construction is based on secret sharing and just one bilinear map, and it is a proper extension of the KP-ABE scheme in [7] in the sense that it is practically efficient for a class of Boolean circuits which strictly includes all Boolean formulas. Selective security of the proposed scheme in the standard model is proved, and comparisons with the scheme in [5] based on leveled multilinear maps, are provided. Thus, for Boolean circuits representing multilevel access structures, our KP-ABE scheme is more efficient than the one in [5].
References
Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security. CCS 2012, pp. 784–796. ACM, New York (2012)
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, S&P 2007, pp. 321–334. IEEE Computer Society (2007)
Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013)
Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)
Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 479–499. Springer, Heidelberg (2013)
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) STOC, pp. 545–554. ACM (2013), preprint on IACR ePrint 2013/337
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98. ACM (2006), preprint on IACR ePrint 2006/309
Karnin, E.D., Greene, J.W., Hellman, M.E.: On secret sharing systems. IEEE Trans. Inf. Theor. 29(1), 35–41 (1983)
Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: ACM Conference on Computer and Communications Security, pp. 195–203. ACM (2007), preprint on IACR ePrint 2007/323
Simmons, G.J.: How to (really) share a secret. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 390–448. Springer, Heidelberg (1990)
Stinson, D.: Cryptography: Theory and Practice, 3rd edn. Chapman and Hall/CRC, Boca Raton (2005)
Tassa, T.: Hierarchical threshold secret sharing. J. Cryptology 20(2), 237–264 (2007)
Tassa, T., Dyn, N.: Multipartite secret sharing by bivariate interpolation. J. Cryptology 22(2), 227–258 (2008)
Appendices
A Appendix
In this appendix we prove the security of our KP-ABE_Scheme.
Theorem 2
The KP-ABE_Scheme is secure in the selective model under the decisional bilinear Diffie-Hellman assumption.
Proof
It is sufficient to prove that for any adversary \(\mathcal A\) with an advantage \(\eta \) in the selective game for KP-ABE_Scheme, a PPT algorithm \(\mathcal B\) can be defined, with the advantage \(\eta /2\) over the DBDH problem. The algorithm \(\mathcal B\) plays the role of challenger for \(\mathcal A\) in the selective game for KP-ABE_Scheme.
The algorithm \(\mathcal B\) is given an instance of the DBDH problem, that is: two groups \(G_1\) and \(G_2\) of prime order p, a generator g of \(G_1\), a bilinear map \(e:G_1\times G_1\rightarrow G_2\), the values \(g^a\), \(g^b\), \(g^c\), and \(Z_v\leftarrow \{Z_0,Z_1\}\), where \(Z_0=e(g,g)^{abc}\), \(Z_1=e(g,g)^{z}\), and \(a,b,c,z\leftarrow \mathbb Z_p\).
Now, the algorithm \(\mathcal B\) runs \(\mathcal A\) acting as a challenger for it.
Init. Let A be a non-empty set of attributes the adversary \(\mathcal A\) wishes to be challenged upon.
Setup. \(\mathcal B\) chooses at random \(r_i\in \mathbb Z_p\) for all \(i\in \mathcal U\), and computes \(Y=e(g^a,g^b)=e(g,g)^{ab}\) and \(T_i=g^{t_i}\) for all \(i\in \mathcal U\), where
(\(\mathcal B\) can compute \(T_i\) because it knows \(r_i\) and \(g^b\)). Then, \(\mathcal B\) publishes the public parameters
The choice of \(T_i\) in this way will be transparent in the next step.
Phase 1. The adversary is granted oracle access to the decryption key generation oracle for all queries \(\mathcal C\) with \(\mathcal C(A) = 0\). Given such a query, the decryption key is computed as follows. The algorithm \(\mathcal B\) first uses a procedure FakeShare which shares \(g^a\) in the same way the procedure Share shares \(y=ab\) (remark that \(\mathcal B\) does not know ab). Then, \(\mathcal B\) delivers decryption keys based on \(g^b\). The following requirements are to be fulfilled:
1. from the adversary’s point of view, the secret sharing and distribution of decryption keys should look as in the original scheme;
2. the reconstruction procedure Recon, starting from the decryption keys and an authorized set of attributes, should return \(e(g,g)^{abc}\).
In order to easily describe the procedure FakeShare we adopt the notation \(\mathcal C_w(A)\) for the truth value at the wire w when the circuit \(\mathcal C\) is evaluated for A. The main idea in FakeShare is the following:
1. if the output wire w of a logic gate \(\varGamma =(w_1,w_2,X,w)\) satisfies \(\mathcal C_w(A)=0\), where X stands for “OR” or “AND”, then the value to be shared at this wire is of the form \(g^x\), for some \(x\in \mathbb Z_p\); otherwise, the value to be shared at this wire is an element \(x\in \mathbb Z_p\);
2. the shares obtained by sharing the value associated to w, and distributed to the input wires of \(\varGamma \), should satisfy the same constraints as above. For instance, if \(\mathcal C_{w_1}(A)=0\) and \(\mathcal C_{w_2}(A)=1\), then the share distributed to \(w_1\) should be of the form \(g^{x_1}\) while the share distributed to \(w_2\) should be of the form \(x_2\);
3. the same policy applies to FANOUT-gates as well.
The procedure FakeShare is as follows:
\(\underline{FakeShare(g^a,\mathcal C)}\)
1. Initially, all gates of \(\mathcal C\) are unmarked;
2. \(S(o):=(g^a)\);
3. If \(\varGamma =(w_1,w_2,OR,w)\) is an unmarked OR-gate and \(S(w)=L\), then mark \(\varGamma \) and do the following:
   (a) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\mathcal C_{w_2}(A)\), then \(S(w_1):=L\) and \(S(w_2):=L\);
   (b) if \(\mathcal C_w(A)=1=\mathcal C_{w_1}(A)\) and \(\mathcal C_{w_2}(A)=0\), then \(S(w_1):=L\) and \(S(w_2):=(g^{L(i)}|1\le i\le |L|)\);
   (c) if \(\mathcal C_w(A)=1=\mathcal C_{w_2}(A)\) and \(\mathcal C_{w_1}(A)=0\), then \(S(w_2):=L\) and \(S(w_1):=(g^{L(i)}|1\le i\le |L|)\).
   Remark that, in the last two cases (b) and (c), all the elements in L are from \(\mathbb Z_p\);
4. If \(\varGamma =(w_1,w_2,AND,w)\) is an unmarked AND-gate and \(S(w)=L\), then mark \(\varGamma \) and do the following:
   (a) if \(\mathcal C_w(A)=1\), then:
       i. for each \(i\in pos(L)\) choose \(x_i^1\) uniformly at random from \(\mathbb Z_p\) and compute \(x_i^2=(L(i)-x_i^1)\mod p\). Define \(L_1\) (\(L_2\), resp.) as being the list obtained from L by replacing L(i) by \(x_i^1\) (\(x_i^2\), resp.), for all \(i\in pos(L)\);
       ii. assign \(S(w_1):=L_1\) and \(S(w_2):=L_2\);
   (b) if \(\mathcal C_w(A)=0=\mathcal C_{w_2}(A)\) and \(\mathcal C_{w_1}(A)=1\) then:
       i. for each \(i\in pos(L)\) choose \(x_i^1\) uniformly at random from \(\mathbb Z_p\) and compute \(g^{x_i^2}=L(i)/g^{x_i^1}\). Define \(L_1\) (\(L_2\), resp.) as being the list obtained from L by replacing L(i) by \(x_i^1\) (\(g^{x_i^2}\), resp.), for all \(i\in pos(L)\);
       ii. assign \(S(w_1):=L_1\) and \(S(w_2):=L_2\);
   (c) if \(\mathcal C_w(A)=0=\mathcal C_{w_1}(A)\) and \(\mathcal C_{w_2}(A)=1\) then do as above by switching \(w_1\) and \(w_2\);
   (d) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\mathcal C_{w_2}(A)=0\) then:
       i. for each \(i\in pos(L)\) choose \(x_i^1\) uniformly at random from \(\mathbb Z_p\) and compute \(g^{x_i^2}=L(i)/g^{x_i^1}\). Define \(L_1\) (\(L_2\), resp.) as being the list obtained from L by replacing L(i) by \(g^{x_i^1}\) (\(g^{x_i^2}\), resp.), for all \(i\in pos(L)\);
       ii. assign \(S(w_1):=L_1\) and \(S(w_2):=L_2\);
5. If \(\varGamma =(w,FANOUT,w_1,\ldots ,w_j)\) is an unmarked FANOUT-gate and \(S(w_k)=L_k\) for all \(1\le k\le j\), then mark \(\varGamma \) and do the following:
   (a) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\cdots =\mathcal C_{w_j}(A)=1\) then
       i. for each \(i\in pos(L_1)\) choose uniformly at random \(a_i\in \mathbb Z_p\) and compute \(b_i\) such that \(L_1(i)=(a_i+b_i)\mod p\);
       ii. compute \(L_1'=(a_i|1\le i\le |L_1|)\) and \(P(w_1):=(g^{b_i}|1\le i\le |L_1|)\);
       iii. compute \(L_k'\) and \(P(w_k)\) in a similar way to \(L_1'\) and \(P(w_1)\), for all \(2\le k\le j\);
       iv. assign \(S(w):=L_1'\cdots L_j'\);
   (b) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\cdots =\mathcal C_{w_j}(A)=0\) then
       i. for each \(i\in pos(L_1)\) choose uniformly at random \(a_i\in \mathbb Z_p\) and compute \(g^{b_i}=L_1(i)/g^{a_i}\);
       ii. compute \(L_1'=(g^{a_i}|1\le i\le |L_1|)\) and \(P(w_1):=(g^{b_i}|1\le i\le |L_1|)\);
       iii. compute \(L_k'\) and \(P(w_k)\) in a similar way to \(L_1'\) and \(P(w_1)\), for all \(2\le k\le j\);
       iv. assign \(S(w):=L_1'\cdots L_j'\);
6. repeat the last three steps above until all gates get marked.
Let \((S,P)\leftarrow FakeShare(g^a,\mathcal C)\). The algorithm \(\mathcal B\) will deliver to \(\mathcal A\) the decryption key \(D=((D(i)|i\in \mathcal U),P')\), where
for any \(i\in \mathcal U\). Remark that the key component D(i) for \(i\in A\) is of the form
while for \(i\not \in A\) it is of the form
(for some \(y_{i,j}\in \mathbb Z_p\)) because the shares of i are all powers of g.
The distribution of this decryption key is identical to that in the original scheme. Moreover, it is easy to see that the reconstruction procedure Recon, applied to \(V_A(i,j)=e(g,g)^{S(i,j)bc}\) for all \(i\in A\) and \(1\le j\le |S(i)|\), returns \(e(g,g)^{abc}\).
Challenge. The adversary \(\mathcal A\) selects two messages \(m_0\) and \(m_1\) (of the same length) and sends them to \(\mathcal B\). The algorithm \(\mathcal B\) encrypts \(m_{u}\) with \(Z_v\), where \(u\leftarrow \{0,1\}\), and sends it back to the adversary (recall that \(Z_v\) was randomly chosen from \(\{Z_0,Z_1\}\)). The ciphertext is
If \(v=0\), E is a valid encryption of \(m_u\); if \(v=1\), \(E'\) is a random element from \(G_2\).
Phase 2. The adversary may receive again oracle access to the decryption key generation oracle (with the same constraint as in Phase 1).
Guess. Let \(u'\) be \(\mathcal A\)’s guess. If \(u'=u\), then \(\mathcal B\) outputs \(v'=0\); otherwise, it outputs \(v'=1\).
We compute now the advantage of \(\mathcal B\). Clearly,
Both \(P(v=0)\) and \(P(v=1)\) are 1/2. Then, remark that
and \(P(v'=v|v=1)=P(u'\not =u|v=1)=\frac{1}{2}\). Putting everything together, we obtain that the advantage of \(\mathcal B\) is \(P(v'=v)-\frac{1}{2}=\frac{1}{2}\eta \). \(\Box \)
B Appendix
We will show here, by means of an example, that disjunctive multilevel access structures cannot be represented by Boolean formulas (Boolean circuits without FANOUT-gates).
Let \(\mathcal U=\{1,2,3,4\}\), \(\mathcal U_1=\{1,2\}\), \(\mathcal U_2=\{3,4\}\), \(a_1=2\), and \(a_2=3\). The minimal authorized sets are \(\{1,2\}\), \(\{1,3,4\}\), and \(\{2,3,4\}\). If this disjunctive multilevel access structure were representable by a Boolean formula, then the following would hold:
1. 1 and 2 cannot be connected by an OR-gate because then \(\{1\}\) would be authorized;
2. 1 and 2 cannot be connected by an AND-gate because \(\{1,3,4\}\) is authorized and \(\{3,4\}\) would become authorized too, which is a contradiction;
3. 1 and 3 cannot be connected by an OR-gate because \(\{1,2,3\}\) is authorized and \(\{2,3\}\) would become authorized too, which is a contradiction. Similarly, 1 and 4 cannot be connected by an OR-gate;
4. 1 and 3 cannot be connected by an AND-gate because \(\{1,2\}\) is authorized and \(\{2,3\}\) would become authorized too, which is a contradiction. Similarly, 1 and 4 cannot be connected by an AND-gate;
5. 2 and 3 (2 and 4) cannot be connected by OR- or AND-gates, for reasons similar to the above;
6. 3 and 4 cannot be connected by an OR-gate because \(\{1,3,4\}\) is authorized and \(\{1,3\}\) would become authorized too, which is a contradiction;
7. according to the above items, 3 and 4 can be connected only by an AND-gate \(\varGamma \). But then, it is easy to see that there is no way to connect 1, 2, and \(\varGamma \) to obtain this access structure (the discussion is similar to the one above).
Similarly, conjunctive multilevel access structures cannot be represented by Boolean formulas.
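As an added computational check that is not part of the paper, the following Python enumerates every FANOUT-free formula over the four attributes (each attribute appears exactly once: the structure depends on all four, and a formula without FANOUT-gates reads each input at most once) and confirms that none computes the access structure of this appendix, while a circuit in which attributes 1 and 2 fan out to two gates does. The universe, levels and thresholds are constructed to match the example above.

```python
from itertools import combinations

# Constructed to match Appendix B: U_1={1,2}, U_2={3,4}, a_1=2, a_2=3.
U = (1, 2, 3, 4)
LEVELS = ((1, 2), (3, 4))
THRESHOLDS = (2, 3)

def authorized(subset):
    """Disjunctive multilevel rule: S is authorized iff for some level k,
    |S ∩ (U_1 ∪ ... ∪ U_k)| >= a_k."""
    pool = set()
    for level, a in zip(LEVELS, THRESHOLDS):
        pool |= set(level)
        if len(set(subset) & pool) >= a:
            return True
    return False

def minimal_authorized():
    """Minimal authorized sets of the structure, as sorted lists."""
    auth = [frozenset(c) for r in range(len(U) + 1)
            for c in combinations(U, r) if authorized(c)]
    return sorted(sorted(s) for s in auth if not any(t < s for t in auth))

def table(pred):
    """16-bit truth table: bit s set iff subset s (bit i-1 <=> attribute i) is accepted."""
    return sum(1 << s for s in range(1 << len(U))
               if pred([i for i in U if s >> (i - 1) & 1]))

VAR = {i: table(lambda s, i=i: i in s) for i in U}   # the input wires
TARGET = table(authorized)                           # the access structure

def read_once_tables(vs):
    """Truth tables of every formula (binary AND/OR, no FANOUT) in which each
    variable of vs occurs exactly once; bitwise &, | on tables are the gates."""
    if len(vs) == 1:
        return {VAR[vs[0]]}
    out = set()
    first, rest = vs[0], vs[1:]
    for r in range(len(rest)):            # `first` goes left; split the rest
        for left_rest in combinations(rest, r):
            right = tuple(v for v in rest if v not in left_rest)
            for f in read_once_tables((first,) + left_rest):
                for g in read_once_tables(right):
                    out.update((f & g, f | g))
    return out

def fanout_circuit():
    """(1 AND 2) OR ((1 OR 2) AND 3 AND 4); wires 1 and 2 feed two gates each (FANOUT)."""
    x1, x2, x3, x4 = (VAR[i] for i in U)
    return (x1 & x2) | ((x1 | x2) & x3 & x4)
```

`TARGET not in read_once_tables(U)` is the exhaustive version of items 1 to 7, and `fanout_circuit() == TARGET` shows the same structure is realized once FANOUT-gates are allowed.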
© 2015 Springer International Publishing Switzerland
Ţiplea, F.L., Drăgan, C.C. (2015). Key-Policy Attribute-Based Encryption for Boolean Circuits from Bilinear Maps. In: Ors, B., Preneel, B. (eds) Cryptography and Information Security in the Balkans. BalkanCryptSec 2014. Lecture Notes in Computer Science(), vol 9024. Springer, Cham. https://doi.org/10.1007/978-3-319-21356-9_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-21355-2
Online ISBN: 978-3-319-21356-9