
Key-Policy Attribute-Based Encryption for Boolean Circuits from Bilinear Maps

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9024)

Abstract

We propose a Key-policy Attribute-based Encryption (KP-ABE) scheme for (monotone) Boolean circuits based on bilinear maps. The construction is based on secret sharing and just one bilinear map, and it is a proper extension of the KP-ABE scheme in [7] in the sense that it is practically efficient for a class of Boolean circuits which strictly includes all Boolean formulas. Selective security of the proposed scheme in the standard model is proved, and comparisons with the scheme in [5], which is based on leveled multilinear maps, are provided: for Boolean circuits representing multilevel access structures, our KP-ABE scheme is more efficient than the one in [5].


References

  1. Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 784–796. ACM, New York (2012)

  2. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, S&P 2007, pp. 321–334. IEEE Computer Society (2007)

  3. Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013)

  4. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)

  5. Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 479–499. Springer, Heidelberg (2013)

  6. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) STOC, pp. 545–554. ACM (2013), preprint on IACR ePrint 2013/337

  7. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98. ACM (2006), preprint on IACR ePrint 2006/309

  8. Karnin, E.D., Greene, J.W., Hellman, M.E.: On secret sharing systems. IEEE Trans. Inf. Theor. 29(1), 35–41 (1983)

  9. Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: ACM Conference on Computer and Communications Security, pp. 195–203. ACM (2007), preprint on IACR ePrint 2007/323

  10. Simmons, G.J.: How to (really) share a secret. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 390–448. Springer, Heidelberg (1990)

  11. Stinson, D.: Cryptography: Theory and Practice, 3rd edn. Chapman and Hall/CRC, Boca Raton (2005)

  12. Tassa, T.: Hierarchical threshold secret sharing. J. Cryptology 20(2), 237–264 (2007)

  13. Tassa, T., Dyn, N.: Multipartite secret sharing by bivariate interpolation. J. Cryptology 22(2), 227–258 (2008)

Author information

Corresponding author: Ferucio Laurenţiu Ţiplea.

Appendices

A Appendix

In this appendix we prove the security of our KP-ABE_Scheme.

Theorem 2

The KP-ABE_Scheme is secure in the selective model under the decisional bilinear Diffie-Hellman assumption.

Proof

It is sufficient to prove that for any adversary \(\mathcal A\) with an advantage \(\eta \) in the selective game for KP-ABE_Scheme, a PPT algorithm \(\mathcal B\) can be defined, with the advantage \(\eta /2\) over the DBDH problem. The algorithm \(\mathcal B\) plays the role of challenger for \(\mathcal A\) in the selective game for KP-ABE_Scheme.

The algorithm \(\mathcal B\) is given an instance of the DBDH problem, that is: two groups \(G_1\) and \(G_2\) of prime order p, a generator g of \(G_1\), a bilinear map \(e:G_1\times G_1\rightarrow G_2\), the values \(g^a\), \(g^b\), \(g^c\), and \(Z_v\leftarrow \{Z_0,Z_1\}\), where \(Z_0=e(g,g)^{abc}\), \(Z_1=e(g,g)^{z}\), and \(a,b,c,z\leftarrow \mathbb Z_p\).

Now, the algorithm \(\mathcal B\) runs \(\mathcal A\) acting as a challenger for it.

Init. Let A be a non-empty set of attributes the adversary \(\mathcal A\) wishes to be challenged upon.

Setup. \(\mathcal B\) chooses at random \(r_i\in \mathbb Z_p\) for all \(i\in \mathcal U\), and computes \(Y=e(g^a,g^b)=e(g,g)^{ab}\) and \(T_i=g^{t_i}\) for all \(i\in \mathcal U\), where

$$ t_{i}= {\left\{ \begin{array}{ll} r_i, &{} \hbox {if }{ i}\ \in \ { A } \\ br_i, &{} \text {otherwise} \end{array}\right. } $$

(\(\mathcal B\) can compute \(T_i\) because it knows \(r_i\) and \(g^b\)). Then, \(\mathcal B\) publishes the public parameters

$$PP=(p,G_1,G_2,g,e,n,Y,(T_i|i\in \mathcal U)).$$

The reason for choosing the \(T_i\) in this way becomes clear in the next step.

Phase 1. The adversary is granted oracle access to the decryption key generation oracle for all queries \(\mathcal C\) with \(\mathcal C(A) = 0\). Given such a query, the decryption key is computed as follows. The algorithm \(\mathcal B\) first uses a procedure FakeShare, which shares \(g^a\) in the same way as the procedure Share shares \(y=ab\) (remark that \(\mathcal B\) does not know ab). Then, \(\mathcal B\) delivers decryption keys based on \(g^b\). The following requirements are to be fulfilled:

  1. from the adversary’s point of view, the secret sharing and the distribution of decryption keys should look as in the original scheme;

  2. the reconstruction procedure Recon, starting from the decryption keys and an authorized set of attributes, should return \(e(g,g)^{abc}\).

In order to describe the procedure FakeShare easily, we adopt the notation \(\mathcal C_w(A)\) for the truth value at the wire w when the circuit \(\mathcal C\) is evaluated for A. The main idea in FakeShare is the following:

  1. if the output wire w of a logic gate \(\varGamma =(w_1,w_2,X,w)\), where X stands for “OR” or “AND”, satisfies \(\mathcal C_w(A)=0\), then the value to be shared at this wire is of the form \(g^x\), for some \(x\in \mathbb Z_p\); otherwise, the value to be shared at this wire is an element \(x\in \mathbb Z_p\);

  2. the shares obtained by sharing the value associated to w, and distributed to the input wires of \(\varGamma \), should satisfy the same constraints. For instance, if \(\mathcal C_{w_1}(A)=0\) and \(\mathcal C_{w_2}(A)=1\), then the share distributed to \(w_1\) should be of the form \(g^{x_1}\), while the share distributed to \(w_2\) should be of the form \(x_2\);

  3. the same policy applies to FANOUT-gates as well.

The procedure FakeShare is as follows:

\(\underline{FakeShare(g^a,\mathcal C)}\)

  1. Initially, all gates of \(\mathcal C\) are unmarked;

  2. \(S(o):=(g^a)\);

  3. If \(\varGamma =(w_1,w_2,OR,w)\) is an unmarked OR-gate and \(S(w)=L\), then mark \(\varGamma \) and do the following:

     (a) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\mathcal C_{w_2}(A)\), then \(S(w_1):=L\) and \(S(w_2):=L\);

     (b) if \(\mathcal C_w(A)=1=\mathcal C_{w_1}(A)\) and \(\mathcal C_{w_2}(A)=0\), then \(S(w_1):=L\) and \(S(w_2):=(g^{L(i)}|1\le i\le |L|)\);

     (c) if \(\mathcal C_w(A)=1=\mathcal C_{w_2}(A)\) and \(\mathcal C_{w_1}(A)=0\), then \(S(w_2):=L\) and \(S(w_1):=(g^{L(i)}|1\le i\le |L|)\).

     Remark that, in the last two cases (b) and (c), all the elements in L are from \(\mathbb Z_p\);

  4. If \(\varGamma =(w_1,w_2,AND,w)\) is an unmarked AND-gate and \(S(w)=L\), then mark \(\varGamma \) and do the following:

     (a) if \(\mathcal C_w(A)=1\), then:

         i. for each \(i\in pos(L)\) choose \(x_i^1\) uniformly at random from \(\mathbb Z_p\) and compute \(x_i^2=(L(i)-x_i^1)\mod p\). Define \(L_1\) (\(L_2\), resp.) as the list obtained from L by replacing L(i) by \(x_i^1\) (\(x_i^2\), resp.), for all \(i\in pos(L)\);

         ii. assign \(S(w_1):=L_1\) and \(S(w_2):=L_2\);

     (b) if \(\mathcal C_w(A)=0=\mathcal C_{w_2}(A)\) and \(\mathcal C_{w_1}(A)=1\), then:

         i. for each \(i\in pos(L)\) choose \(x_i^1\) uniformly at random from \(\mathbb Z_p\) and compute \(g^{x_i^2}=L(i)/g^{x_i^1}\). Define \(L_1\) (\(L_2\), resp.) as the list obtained from L by replacing L(i) by \(x_i^1\) (\(g^{x_i^2}\), resp.), for all \(i\in pos(L)\);

         ii. assign \(S(w_1):=L_1\) and \(S(w_2):=L_2\);

     (c) if \(\mathcal C_w(A)=0=\mathcal C_{w_1}(A)\) and \(\mathcal C_{w_2}(A)=1\), then do as in (b) with \(w_1\) and \(w_2\) switched;

     (d) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\mathcal C_{w_2}(A)=0\), then:

         i. for each \(i\in pos(L)\) choose \(x_i^1\) uniformly at random from \(\mathbb Z_p\) and compute \(g^{x_i^2}=L(i)/g^{x_i^1}\). Define \(L_1\) (\(L_2\), resp.) as the list obtained from L by replacing L(i) by \(g^{x_i^1}\) (\(g^{x_i^2}\), resp.), for all \(i\in pos(L)\);

         ii. assign \(S(w_1):=L_1\) and \(S(w_2):=L_2\);

  5. If \(\varGamma =(w,FANOUT,w_1,\ldots ,w_j)\) is an unmarked FANOUT-gate and \(S(w_k)=L_k\) for all \(1\le k\le j\), then mark \(\varGamma \) and do the following:

     (a) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\cdots =\mathcal C_{w_j}(A)=1\), then

         i. for each \(i\in pos(L_1)\) choose uniformly at random \(a_i\in \mathbb Z_p\) and compute \(b_i\) such that \(L_1(i)=(a_i+b_i)\mod p\);

         ii. compute \(L_1'=(a_i|1\le i\le |L_1|)\) and \(P(w_1):=(g^{b_i}|1\le i\le |L_1|)\);

         iii. compute \(L_k'\) and \(P(w_k)\) in the same way as \(L_1'\) and \(P(w_1)\), for all \(2\le k\le j\);

         iv. assign \(S(w):=L_1'\cdots L_j'\);

     (b) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\cdots =\mathcal C_{w_j}(A)=0\), then

         i. for each \(i\in pos(L_1)\) choose uniformly at random \(a_i\in \mathbb Z_p\) and compute \(g^{b_i}=L_1(i)/g^{a_i}\);

         ii. compute \(L_1'=(g^{a_i}|1\le i\le |L_1|)\) and \(P(w_1):=(g^{b_i}|1\le i\le |L_1|)\);

         iii. compute \(L_k'\) and \(P(w_k)\) in the same way as \(L_1'\) and \(P(w_1)\), for all \(2\le k\le j\);

         iv. assign \(S(w):=L_1'\cdots L_j'\);

  6. Repeat the last three steps above until all gates get marked.

Let \((S,P)\leftarrow FakeShare(g^a,\mathcal C)\). The algorithm \(\mathcal B\) will deliver to \(\mathcal A\) the decryption key \(D=((D(i)|i\in \mathcal U),P')\), where

$$ D(i)=\left\{ \begin{array}{ll} \big ((g^b)^{S(i,j)/r_i}|1\le j\le |S(i)|\big ), &{} \hbox {if }i\ \in \ A \\ \big (S(i,j)^{1/r_i}|1\le j\le |S(i)|\big ), &{} \text {if }i\ \not \in \ A \end{array} \right. $$

for any \(i\in \mathcal U\). Remark that the key component D(i) for \(i\in A\) is of the form

$$\big (g^{bS(i,j)/r_i}|1\le j\le |S(i)|\big )$$

while for \(i\not \in A\) it is of the form

$$\big (g^{y_{i,j}/r_i}|1\le j\le |S(i)|\big )= \big (g^{by_{i,j}/br_i}|1\le j\le |S(i)|\big )$$

(for some \(y_{i,j}\in \mathbb Z_p\)) because the shares of i are all powers of g.

The distribution of this decryption key is identical to that in the original scheme. Moreover, it is easy to see that the reconstruction procedure Recon, applied to \(V_A(i,j)=e(g,g)^{S(i,j)bc}\) for all \(i\in A\) and \(1\le j\le |S(i)|\), returns \(e(g,g)^{abc}\).
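The FakeShare procedure and the key delivery above, as an added runnable simulation (this is not the paper's code). The bilinear group is replaced by a cyclic group of prime order p whose elements are represented by their discrete logarithm; the simulator is restricted to multiplying, dividing and exponentiating such elements, so holding G(a) does not give it a, exactly as \(\mathcal B\) holds \(g^a\) but not a. The circuit encoding (tuples ('OR'|'AND', w1, w2, w) and ('FANOUT', w, (w1, ..., wj)), output wire "o"), the value of p, the reading of pos(L) as the index set 1..|L|, and the function names are assumptions of this example; the scheme's own Share and Recon procedures are not on this page and are not reproduced. The verify() function deliberately opens the box (it reads discrete logarithms) to check the two requirements stated for FakeShare: a wire carries group elements exactly when \(\mathcal C_w(A)=0\), and the shares on the input wires of every gate recombine to the value on its output wire.

```python
import random
p = 1000003  # assumed prime group order; stands in for the pairing group of Appendix A

class G:
    """g^x carried by its discrete log x; the simulator only multiplies, divides and raises."""
    def __init__(self, x): self.x = x % p
    def __mul__(self, o): return G(self.x + o.x)
    def __truediv__(self, o): return G(self.x - o.x)
    def __pow__(self, k): return G(self.x * k)

def log(v):  # a field element as is, or the discrete log of a group element (checker only)
    return v.x if isinstance(v, G) else v % p

def evaluate(circuit, inputs, attrs):
    """Truth value C_w(A) of every wire w; the input wires are the attributes."""
    C = {i: i in attrs for i in inputs}
    for _ in circuit:                      # each pass settles every gate whose inputs are known
        for gt in circuit:
            if gt[0] == "FANOUT" and gt[1] in C:
                C.update({wk: C[gt[1]] for wk in gt[2]})
            elif gt[0] != "FANOUT" and gt[1] in C and gt[2] in C:
                C[gt[3]] = (C[gt[1]] or C[gt[2]]) if gt[0] == "OR" else (C[gt[1]] and C[gt[2]])
    return C

def fake_share(circuit, inputs, attrs, ga, out="o"):
    """FakeShare(g^a, C): wires with C_w(A)=0 get group elements g^x, wires with C_w(A)=1 get x."""
    C = evaluate(circuit, inputs, attrs)
    S, P, marked = {out: [ga]}, {}, set()
    while len(marked) < len(circuit):
        for idx, gt in enumerate(circuit):
            if idx in marked: continue
            if gt[0] == "FANOUT":
                w, outs = gt[1], gt[2]
                if any(wk not in S for wk in outs): continue
                S[w] = []
                for wk in outs:                    # L_k(i) = a_i + b_i; g^{b_i} goes to P(w_k)
                    a = [random.randrange(p) for _ in S[wk]]
                    if C[w]:                       # (a): keep a_i, publish g^{b_i} = g^{L_k(i) - a_i}
                        P[wk] = [G(l - ai) for l, ai in zip(S[wk], a)]
                        S[w] += a
                    else:                          # (b): keep g^{a_i}, publish g^{b_i} = L_k(i) / g^{a_i}
                        P[wk] = [l / G(ai) for l, ai in zip(S[wk], a)]
                        S[w] += [G(ai) for ai in a]
            else:
                _, w1, w2, w = gt
                if w not in S: continue
                L = S[w]
                if gt[0] == "OR":                  # copy L; an input with C=0 below C_w=1 gets g^{L(i)}
                    S[w1] = L if C[w1] == C[w] else [G(x) for x in L]
                    S[w2] = L if C[w2] == C[w] else [G(x) for x in L]
                else:                              # AND: additive split L(i) = x_i^1 + x_i^2
                    x1 = [random.randrange(p) for _ in L]
                    if C[w]:                       # (a): both halves in Z_p
                        S[w1], S[w2] = x1, [(l - x) % p for l, x in zip(L, x1)]
                    elif C[w1]:                    # (b): x_i^1 in Z_p, g^{x_i^2} = L(i) / g^{x_i^1}
                        S[w1], S[w2] = x1, [l / G(x) for l, x in zip(L, x1)]
                    elif C[w2]:                    # (c): as (b) with w_1 and w_2 switched
                        S[w2], S[w1] = x1, [l / G(x) for l, x in zip(L, x1)]
                    else:                          # (d): g^{x_i^1} and g^{x_i^2} = L(i) / g^{x_i^1}
                        S[w1], S[w2] = [G(x) for x in x1], [l / G(x) for l, x in zip(L, x1)]
            marked.add(idx)
    return S, P, C

def decryption_key(S, inputs, attrs, r, gb):
    """D(i) as B delivers it: (g^b)^{S(i,j)/r_i} for i in A, S(i,j)^{1/r_i} for i not in A."""
    return {i: [gb ** (s * pow(r[i], -1, p)) for s in S[i]] if i in attrs
               else [s ** pow(r[i], -1, p) for s in S[i]] for i in inputs}

def verify(circuit, S, P, C, a, out="o"):
    """Checker (reads discrete logs): wire types match C_w(A), the output wire carries a, and
    the shares on each gate's input wires recombine to the value on its output wire."""
    if any(isinstance(v, G) == C[w] for w, L in S.items() for v in L): return False
    if [log(v) for v in S[out]] != [a % p]: return False
    for gt in circuit:
        if gt[0] == "FANOUT":
            w, pos = gt[1], 0
            for wk in gt[2]:
                for v, q in zip(S[wk], P[wk]):
                    if (log(S[w][pos]) + log(q)) % p != log(v): return False
                    pos += 1
        else:
            _, w1, w2, w = gt
            for v, v1, v2 in zip(S[w], S[w1], S[w2]):
                if gt[0] == "AND" and (log(v1) + log(v2)) % p != log(v): return False
                if gt[0] == "OR" and not log(v1) == log(v2) == log(v): return False
    return True

# Constructed circuit: the structure of Appendix B as (1 AND 2) OR ((1 OR 2) AND 3 AND 4),
# with attributes 1 and 2 duplicated by FANOUT-gates.  Output wire: "o".
CIRCUIT = [("FANOUT", 1, ("1a", "1b")), ("FANOUT", 2, ("2a", "2b")),
           ("AND", "1a", "2a", "and12"), ("OR", "1b", "2b", "or12"), ("AND", 3, 4, "and34"),
           ("AND", "or12", "and34", "x"), ("OR", "and12", "x", "o")]
INPUTS = (1, 2, 3, 4)

def simulate(attrs, a, b, seed=1):
    """One Phase 1 query for an attribute set A with C(A)=0; B is handed G(a) and G(b) only."""
    random.seed(seed)
    assert not evaluate(CIRCUIT, INPUTS, attrs)["o"], "key queries are only allowed for C(A)=0"
    r = {i: random.randrange(1, p) for i in INPUTS}
    S, P, C = fake_share(CIRCUIT, INPUTS, attrs, G(a))
    return S, P, C, decryption_key(S, INPUTS, attrs, r, G(b)), r
```

simulate({1, 3}, a, b) runs one Phase 1 query for A = {1, 3}, for which the circuit evaluates to 0, and returns the shares, the public parts P(w_k), the wire values and the key. In the returned key, D(i) for i ∈ A has exponent \(b\,S(i,j)/r_i\) and D(i) for i ∉ A has exponent \(\log S(i,j)/r_i\), which are the two forms of D(i) displayed above; note that the simulator never touches a or b themselves, only G(a) and G(b).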

Challenge. The adversary \(\mathcal A\) selects two messages \(m_0\) and \(m_1\) (of the same length) and sends them to \(\mathcal B\). The algorithm \(\mathcal B\) encrypts \(m_{u}\) with \(Z_v\), where \(u\leftarrow \{0,1\}\), and sends it back to the adversary (recall that \(Z_v\) was randomly chosen from \(\{Z_0,Z_1\}\)). The ciphertext is

$$E=(A,E'=m_{u}Z_v,\{E_i=T_{i}^{c}=g^{cr_i}\}_{i\in A})$$

If \(v=0\), E is a valid encryption of \(m_u\); if \(v=1\), \(E'\) is a random element from \(G_2\).

Phase 2. The adversary may receive again oracle access to the decryption key generation oracle (with the same constraint as in Phase 1).

Guess. Let \(u'\) be \(\mathcal A\)’s guess. If \(u'=u\), then \(\mathcal B\) outputs \(v'=0\); otherwise, it outputs \(v'=1\).

We compute now the advantage of \(\mathcal B\). Clearly,

$$P(v'=v)-\frac{1}{2} = P(v'=v|v=0)\cdot P(v=0)+P(v'=v|v=1)\cdot P(v=1)-\frac{1}{2}$$

Both \(P(v=0)\) and \(P(v=1)\) are 1/2. Then, remark that

$$P(v'=v|v=0)=P(u'=u|v=0)=\frac{1}{2}+\eta $$

and \(P(v'=v|v=1)=P(u'\not =u|v=1)=\frac{1}{2}\). Putting all together we obtain that the advantage of \(\mathcal B\) is \(P(v'=v)-\frac{1}{2}=\frac{1}{2}\eta \).    \(\Box \)

B Appendix

We will show here, by means of an example, that disjunctive multilevel access structures cannot be represented by Boolean formulas (Boolean circuits without FANOUT-gates).

Let \(\mathcal U=\{1,2,3,4\}\), \(\mathcal U_1=\{1,2\}\), \(\mathcal U_2=\{3,4\}\), \(a_1=2\), and \(a_2=3\). The minimal authorized sets are \(\{1,2\}\), \(\{1,3,4\}\), and \(\{2,3,4\}\). If this disjunctive multilevel access structure were representable by a Boolean formula, then the following would hold:

  1. 1 and 2 cannot be connected by an OR-gate because then \(\{1\}\) would be authorized;

  2. 1 and 2 cannot be connected by an AND-gate because \(\{1,3,4\}\) is authorized and \(\{3,4\}\) would become authorized too, which is a contradiction;

  3. 1 and 3 cannot be connected by an OR-gate because \(\{1,2,3\}\) is authorized and \(\{2,3\}\) would become authorized too, which is a contradiction. Similarly, 1 and 4 cannot be connected by an OR-gate;

  4. 1 and 3 cannot be connected by an AND-gate because \(\{1,2\}\) is authorized and \(\{2,3\}\) would become authorized too, which is a contradiction. Similarly, 1 and 4 cannot be connected by an AND-gate;

  5. 2 and 3 (2 and 4) cannot be connected by OR- or AND-gates, by the same reasoning as above;

  6. 3 and 4 cannot be connected by an OR-gate because \(\{1,3,4\}\) is authorized and \(\{1,3\}\) would become authorized too, which is a contradiction;

  7. according to the above items, 3 and 4 can be connected only by an AND-gate \(\varGamma \). But then, it is easy to see that there is no way to connect 1, 2, and \(\varGamma \) to obtain this access structure (the discussion is similar to the one above).

Similarly, conjunctive multilevel access structures cannot be represented by Boolean formulas.
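The argument of this appendix can be confirmed by exhaustive search, as an added example that is not part of the paper. The Python below enumerates every monotone formula over the attributes 1..4 built from 2-input OR- and AND-gates in which each attribute feeds exactly one gate (that is exactly what a Boolean circuit without FANOUT-gates can compute, since no wire can be duplicated), and checks that none of them agrees with the access structure with minimal authorized sets {1,2}, {1,3,4}, {2,3,4} on all 16 subsets of the universe, while a circuit that duplicates attributes 1 and 2, (1 AND 2) OR ((1 OR 2) AND 3 AND 4), does. The formula encoding and the function names are this example's own; the structure is built from the minimal authorized sets stated above.

```python
from itertools import combinations

def subsets(universe):
    """All subsets of the attribute universe, as frozensets."""
    u = tuple(universe)
    return [frozenset(c) for k in range(len(u) + 1) for c in combinations(u, k)]

def access_structure(minimal_sets, universe):
    """Monotone access structure: A is authorized iff it contains a minimal authorized set."""
    minimal = [frozenset(m) for m in minimal_sets]
    return {A: any(m <= A for m in minimal) for A in subsets(universe)}

def read_once_formulas(attrs):
    """Yield (text, predicate) for every monotone formula over `attrs` built from 2-input
    OR/AND-gates in which each attribute feeds exactly one gate, i.e. every Boolean circuit
    without FANOUT-gates over these attributes.  The predicate maps a frozenset A to C(A)."""
    attrs = tuple(attrs)
    if len(attrs) == 1:
        v = attrs[0]
        yield str(v), (lambda A, v=v: v in A)
        return
    first, rest = attrs[0], attrs[1:]
    for k in range(len(rest)):                  # unordered split of attrs: `first` always goes left
        for extra in combinations(rest, k):
            left = (first,) + extra
            right = tuple(v for v in rest if v not in extra)
            for lt, lf in read_once_formulas(left):
                for rt, rf in read_once_formulas(right):
                    yield f"({lt} OR {rt})", (lambda A, lf=lf, rf=rf: lf(A) or rf(A))
                    yield f"({lt} AND {rt})", (lambda A, lf=lf, rf=rf: lf(A) and rf(A))

def formula_for(structure, universe):
    """A FANOUT-free formula computing `structure` on every subset, or None if there is none."""
    for text, f in read_once_formulas(universe):
        if all(f(A) == authorized for A, authorized in structure.items()):
            return text
    return None

def count_formulas(universe):
    """Number of FANOUT-free formulas over the universe (120 for four attributes)."""
    return sum(1 for _ in read_once_formulas(universe))

def circuit_with_fanout(A):
    """(1 AND 2) OR ((1 OR 2) AND 3 AND 4): attributes 1 and 2 each feed two gates."""
    return (1 in A and 2 in A) or ((1 in A or 2 in A) and 3 in A and 4 in A)

UNIVERSE = (1, 2, 3, 4)
# The example of this appendix: U_1 = {1, 2}, U_2 = {3, 4}, a_1 = 2, a_2 = 3.
MULTILEVEL = access_structure([{1, 2}, {1, 3, 4}, {2, 3, 4}], UNIVERSE)
```

formula_for(MULTILEVEL, UNIVERSE) returns None, whereas formula_for(access_structure([{1, 2}, {3, 4}], UNIVERSE), UNIVERSE) returns a formula such as ((1 AND 2) OR (3 AND 4)); this shows that the search is not vacuous and that it is the duplication of attributes 1 and 2, i.e. the FANOUT-gates, that the multilevel structure requires.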


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Ţiplea, F.L., Drăgan, C.C. (2015). Key-Policy Attribute-Based Encryption for Boolean Circuits from Bilinear Maps. In: Ors, B., Preneel, B. (eds) Cryptography and Information Security in the Balkans. BalkanCryptSec 2014. Lecture Notes in Computer Science, vol 9024. Springer, Cham. https://doi.org/10.1007/978-3-319-21356-9_12

  • DOI: https://doi.org/10.1007/978-3-319-21356-9_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-21355-2

  • Online ISBN: 978-3-319-21356-9
