1 Introduction

Attribute-based encryption (ABE), introduced by Sahai and Waters [23], is a useful paradigm that generalizes traditional public key encryption. Instead of encrypting to a target recipient, a sender can specify in a more general way who should be able to view the message. In ABE for a predicate R, which is a boolean function \(R:\mathbb {X}\times \mathbb {Y}\rightarrow \{0,1\}\), a private key, which is issued by an authority, is associated with an attribute \(X\in \mathbb {X}\), while a ciphertext encrypting a message M is associated with an attribute \(Y\in \mathbb {Y}\). A key for X can decrypt a ciphertext for Y if and only if \(R(X,Y)=1\). In this paper, we focus on ABE for the boolean formulae predicate, which is one of the most useful ABE primitives, first considered by Goyal et al. [13]. For simplicity, we mainly consider the key-policy type of ABE [13]. In such a scheme, a key is associated with a boolean formula (a policy), while a ciphertext is associated with an assignment of boolean variables (an attribute set), and the decryption succeeds if and only if the assignment satisfies the formula. In what follows, we let t be the size of an attribute set corresponding to a ciphertext and m be the size of a policy corresponding to a private key.

Two of the state-of-the-art fully-secure ABE schemes for boolean formulae were proposed by Attrapadung [2]:

  1. The first scheme is the fully-secure unbounded ABE of [2]. Such a scheme has a (completely) unbounded property where no parameter requires any maximum bound at the setup of the scheme. All the other ABE schemes for boolean formulae in the literature either have bounds in some parameters [10, 16, 18–21, 26] and/or are only selectively secure [15, 17, 22]. This scheme has an obvious advantage in that it has scalability in its functionality; in particular, it works for any sizes of attribute sets and policies, and any number of attribute multi-use in one policy. In this scheme, the ciphertext size is O(t) (or more precisely, ct group elements for a constant \(c > 1\)) and the key size is O(m).

  2. The second scheme is the fully-secure ABE with constant-size ciphertexts of [2]. All the other constant-size-ciphertext ABE schemes for boolean formulae in the literature are only selectively secure [6] or semi-adaptively secure [11, 24]. This scheme has an advantage of scalability in efficiency: it requires very short ciphertexts of size O(1), regardless of any t, which is the size of an attribute set assigned to a ciphertext. On the downside, it requires the maximum bound for t, say T, to be fixed at the setup (but no bound is required for all the other parameters). Moreover, the key size is quite large as it becomes O(mT).

Note that the above two schemes were originally proposed in composite-order groups in [2]. Their prime-order variants, which are considered more efficient (cf. [14]), were then subsequently obtained in [3].

The first scheme has the drawback that its ciphertext size is not constant (hence we may say that it lacks scalability in efficiency), while the second scheme has the drawbacks that its key size is large and its attribute set size is bounded (hence it lacks scalability in functionality). It is therefore natural to seek a new scheme with better scalability in both efficiency and functionality.

To this end, we consider the following important open problem:

Is it possible to achieve fully-secure unbounded ABE with short ciphertext size (less than t group elements)?

We note that constructing even only selectively secure ABE with the above property is also an open problem.

Our Contribution. In this paper, we answer the above question affirmatively by proposing a new fully-secure unbounded ABE scheme with a direct tradeoff between ciphertext and key size: the ciphertext size is O(t/d) and the key size is O(md), where the “adjusting parameter” d is any positive integer that can be chosen arbitrarily at setup. The efficiency comparison is shown in Table 1 below.

Table 1. Comparison among fully-secure KP-ABE

Our tradeoff scheme can be thought of as a generalization that includes both the unbounded ABE and the constant-size-ciphertext ABE of [2, 3] as the two extreme cases on the spectrum over the tradeoff parameter d. That is, when setting \(d=1\), we recover the unbounded ABE, while setting \(d=T\) (and thus imposing the maximum bound on t) gives us back the constant-size-ciphertext ABE.

Adjusting d also results in a tradeoff between encryption time and decryption time. We give the performance estimation in Sect. 4, where we show the efficiency comparison in detail and more concretely in Tables 2, 3 and 4. Interestingly, as shown in Fig. 1, when estimating efficiency using numerical parameters, e.g., from the 254-bit Barreto-Naehrig (BN) curve, the decryption time is minimized at d being somewhere in the middle of the spectrum.

Our Approach. Our new scheme is built on the Key-Policy over Doubly Spatial Encryption (KP-DSE) scheme, a primitive also introduced in [2] (with a prime-order version subsequently proposed in [3]). KP-DSE was shown to imply both the unbounded ABE and the constant-size-ciphertext ABE in [2]. We extend these implications by showing a new conversion from KP-DSE to KP-ABE with tradeoff, which is our goal. Applying this new conversion to the KP-DSE schemes of [2] and [3], we obtain a new KP-ABE with tradeoff in composite-order groups and prime-order groups, respectively.

Our idea for achieving a ciphertext of size O(t/d) is to first partition the attribute set (of size t) associated with a ciphertext into t/d disjoint subsets, each of size d. We then represent each subset by encoding it as an affine subspace in KP-DSE. Due to the efficiency of the concrete KP-DSE scheme of [2], where each affine space requires a corresponding ciphertext portion of constant size, the total ciphertext size is thus O(t/d), the number of partitioned subsets. The fact that we require an affine subspace to encode a set of size d results in an increasing factor d for the key size, hence the tradeoff.

We describe our approach in detail in Sect. 3. Before that, we give the definition of KP-DSE in Sect. 2.

Perspective. We believe that the tradeoff property of our scheme can provide advantages in real-world applications where size and/or time resources are concretely fixed in advance, as we can flexibly adjust d to match available resources and thus make the most of them. Such situations include, but are not limited to, implementations of ABE in tiny hardware tokens, such as secure applications for the Internet of Things.

2 Preliminaries

2.1 Definitions for ABE

Predicate Family. Let \(R= \{R_\kappa : \mathbb {X}_\kappa \times \mathbb {Y}_\kappa \rightarrow \{0,1\} | \kappa \in \mathbb {N}^c \}\) be a predicate family where \(\mathbb {X}_\kappa \) and \(\mathbb {Y}_\kappa \) denote “key attribute” and “ciphertext attribute” spaces and c is some fixed constant. The index \(\kappa =(n_1,n_2,\ldots ,n_c)\) denotes some bounds for parameters specific to each predicate family.

ABE Syntax. An attribute-based encryption (ABE) scheme for predicate family R is defined by the following algorithms:

  • \(\mathsf {Setup}(1^\lambda ,\kappa )\rightarrow (\mathsf {PK},\mathsf {MSK})\): takes as input a security parameter \(1^\lambda \) and a family index \(\kappa \) of predicate family R, and outputs a master public key \(\mathsf {PK}\) and a master secret key \(\mathsf {MSK}\).

  • \(\mathsf {Encrypt}(Y, {M}, \mathsf {PK})\rightarrow {\mathsf {CT}}\): takes as input a ciphertext attribute \(Y\in \mathbb {Y}_\kappa \), a message \({M}\in \mathcal {M}\), and public key \(\mathsf {PK}\). It outputs a ciphertext \({\mathsf {CT}}\).

  • \(\mathsf {KeyGen}(X, \mathsf {MSK}, \mathsf {PK})\rightarrow {\mathsf {SK}}\): takes as input a key attribute \(X\in \mathbb {X}_\kappa \) and the master key \(\mathsf {MSK}\). It outputs a secret key \({\mathsf {SK}}\).

  • \(\mathsf {Decrypt}({\mathsf {CT}}, {\mathsf {SK}})\rightarrow {M}\): given a ciphertext \({\mathsf {CT}}\) with its attribute \(Y\) and the decryption key \({\mathsf {SK}}\) with its attribute \(X\), it outputs a message \({M}\) or \(\bot \).

Correctness. Consider all indexes \(\kappa \), all \({M}\in \mathcal {M}\), \(X\in \mathbb {X}_\kappa \), \(Y\in \mathbb {Y}_\kappa \) such that \(R_{\kappa }(X,Y)=1\). If \(\mathsf {Encrypt}(Y, {M}, \mathsf {PK})\rightarrow {\mathsf {CT}}\) and \(\mathsf {KeyGen}(X, \mathsf {MSK}, \mathsf {PK})\rightarrow {\mathsf {SK}}\) where \((\mathsf {PK},\mathsf {MSK})\) is generated from \(\mathsf {Setup}(1^\lambda ,\kappa )\), then \(\mathsf {Decrypt}({\mathsf {CT}}, {\mathsf {SK}})\rightarrow {M}\).

Security. The standard notion for ABE is called full security. We refer to [2] for its definition, as we do not work directly on it but rather use the embedding lemma for implications below (Lemma 1).

KP-ABE for Monotone Span Program Predicates. Let \(\mathcal {U}\) be the universe of attributes. If \(|\mathcal {U}|\) is of super-polynomial size, it is called large universe [13, 22], otherwise, it is small universe. This predicate is indexed by \(N\in \mathbb {N}\). In this predicate, the key attribute domain \(\mathbb {X}_{N}\) is the set of all policies. A policy is specified by a monotone span program (or access structure) \((A,\pi )\) where A is a matrix in \(\mathbb {Z}_N^{m \times k}\) for some \(m,k \in \mathbb {N}\), and \(\pi \) is a map \(\pi :[1,m]\rightarrow \mathcal {U}\). The ciphertext attribute domain is the collection of all sets, S, of attributes in \(\mathcal {U}\). For a set \(S\subseteq \mathcal {U}\), let \(A|_S\) be the sub-matrix of A that takes all the rows j such that \(\pi (j)\in S\). We say that \((A,\pi )\) accepts S if \((1,0,\ldots ,0)\in \mathsf {rspan}(A|_S)\), where \(\mathsf {rspan}()\) denotes the row span. That is,

$$\begin{aligned} R_{N}^{\textsf {KP-ABE}} ((A,\pi ), S) = 1 \quad \Longleftrightarrow \quad (1,0,\ldots ,0)\in \mathsf {span}\{ A_i | \pi (i) \in S\}. \end{aligned}$$

In this paper, we consider unbounded KP-ABE, which is KP-ABE with large universe such that all parameters |S|, m, k and the number of attribute re-use (the repetition in the range \(\pi ([1,m])\)) are unbounded. It is well known that ABE for monotone span program implies ABE for monotone Boolean formulae [13].

2.2 KP-DSE

Our new KP-ABE scheme will use an implication from KP-DSE [2]. We briefly review it here.

Notions for Affine Spaces. Let \(N,n,d \in \mathbb {N}\) where \(0\le d \le n\). Let \({\varvec{t}}^\top \) be a vertical vector in \(\mathbb {Z}_N^n\). Let \({{\varvec{M}}} \in \mathbb {Z}_N^{n\times d}\) be a matrix whose columns are all linearly independent. An affine space in \(\mathbb {Z}_N^n\) specified by a pair \(({\varvec{t}}, {{\varvec{M}}})\) is defined as \({\varvec{t}}^\top + \mathsf {cspan}({{\varvec{M}}})\), where \(\mathsf {cspan}()\) denotes the column span; more precisely, it is

$$\begin{aligned} {\varvec{t}}^\top + \mathsf {cspan}({{\varvec{M}}}) = \{ {\varvec{t}}^\top + {{\varvec{M}}}{\varvec{v}}^\top | {\varvec{v}} \in \mathbb {Z}_N^d\}. \end{aligned}$$

Key-Policy over Doubly Spatial Encryption (KP-DSE). The predicate for KP-DSE is defined as follows. The predicate family is indexed by \((N,n)\in \mathbb {N}^2\). Define the key attribute domain \(\mathbb {X}_{(N,n)}\) as the set of all pairs of an access matrix \(A \in \mathbb {Z}_N^{m\times k}\) for any polynomial-size \(m,k \in \mathbb {N}\) and a labelling map \(\pi \) that maps each row in [1, m] to an affine space in \(\mathbb {Z}_N^n\). Define the ciphertext attribute domain \(\mathbb {Y}_{(N,n)}\) as the collection of all sets, T, of affine spaces in \(\mathbb {Z}_N^n\). The predicate evaluation is defined by

$$\begin{aligned}&R_{(N,n)}^{\textsf {KP-DSE}}\big ((A,\pi ),T\big ) = 1 \quad \Longleftrightarrow \\&\qquad \qquad \qquad \qquad (1,0,\ldots ,0) \in \mathsf {span}\{ A_i | \exists {Y\in T}\ \text { s.t. } \pi (i) \cap Y \ne \emptyset \}. \end{aligned}$$

2.3 Embedding Lemma

The following useful lemma from [4, 9] describes a sufficient criterion for implication from ABE for a given predicate to ABE for another predicate. We will use this lemma in Sect. 3.1 for showing that KP-DSE implies KP-ABE with tradeoff, which is our main proposal.

The lemma considers two arbitrary predicate families:

$$\begin{aligned} R^{\mathsf {F}}_\kappa :\mathbb {X}_\kappa \times \mathbb {Y}_\kappa \rightarrow \{ 0,1 \}, \qquad R^{\mathsf {F}'}_{\kappa '}: \mathbb {X}'_{\kappa '} \times \mathbb {Y}'_{\kappa '} \rightarrow \{ 0,1 \}, \end{aligned}$$

which are parametrized by \(\kappa \in \mathbb {N}^c\) and \(\kappa '\in \mathbb {N}^{c'}\) respectively. Suppose that there exist three efficient mappings

$$\begin{aligned} f_{\mathsf {p}}: \mathbb {Z}^{c'} \rightarrow \mathbb {Z}^{c} \qquad f_{\mathsf {e}}: \mathbb {X}'_{\kappa '} \rightarrow \mathbb {X}_{f_{\mathsf {p}}(\kappa ')} \qquad f_{\mathsf {k}}: \mathbb {Y}'_{\kappa '} \rightarrow \mathbb {Y}_{f_{\mathsf {p}}(\kappa ')} \end{aligned}$$

which map parameters, ciphertext attributes, and key attributes, respectively, such that for all \(X'\in \mathbb {X}'_{\kappa '},Y'\in \mathbb {Y}'_{\kappa '}\),

$$\begin{aligned} R^{\mathsf {F}'}_{\kappa '}(X',Y')=1 \quad \Leftrightarrow \quad R^{\mathsf {F}}_{f_{\mathsf {p}}(\kappa ')}(f_{\mathsf {e}}(X'),f_{\mathsf {k}}(Y') )=1. \end{aligned}$$
(1)

We can then construct an ABE scheme

$$\begin{aligned} \varPi '=\{\mathsf{Setup}',\mathsf{Encrypt}', \mathsf{KeyGen}', \mathsf{Decrypt}' \} \text { for predicate } R^{\mathsf {F}'}_{\kappa '} \end{aligned}$$

from an ABE scheme

$$\begin{aligned} \varPi =\{\mathsf{Setup}, \mathsf{Encrypt}, \mathsf{KeyGen}, \mathsf{Decrypt} \} \text { for predicate } R^{\mathsf {F}}_\kappa \end{aligned}$$

by letting

$$\begin{aligned} \mathsf{Setup}'(\lambda ,\kappa ')&= \mathsf{Setup}(\lambda , f_{\mathsf {p}}(\kappa ')) \\ \mathsf{Encrypt}' (\mathsf {PK},{M},X')&= \mathsf{Encrypt}(\mathsf {PK}, {M}, f_{\mathsf {e}}(X')), \\ \mathsf{KeyGen}'(\mathsf {MSK}, \mathsf {PK}, Y')&= \mathsf{KeyGen}( \mathsf {MSK}, \mathsf {PK}, f_{\mathsf {k}}(Y')), \\ \mathsf{Decrypt}'({\mathsf {CT}}_{X'}, {\mathsf {SK}}_{Y'})&= \mathsf{Decrypt}({\mathsf {CT}}_{f_{\mathsf {e}}(X')}, {\mathsf {SK}}_{f_{\mathsf {k}}(Y')}). \end{aligned}$$

Lemma 1

(Embedding lemma [4, 9]). If \(\varPi \) is correct and secure, then so is \(\varPi '\). This holds for both the cases of selective security and full security.

2.4 Notations

Notation for Matrix in the Exponents. Vectors will be treated as either row or column matrices. When unspecified, we shall let it be a row vector. Let \(\mathbb {G}\) be a group. Let \({\varvec{a}}=(a_1,\dots ,a_n)\) and \({\varvec{b}}=(b_1,\dots ,b_n)\in \mathbb {G}^n\). We denote \({\varvec{a}}\cdot {{\varvec{b}}}=(a_1 \cdot {b_1},\dots ,a_n \cdot {b_n})\), where ‘\(\cdot \)’ is the group operation of \(\mathbb {G}\). For \(g \in \mathbb {G}\) and \({\varvec{c}}=(c_1,\dots ,c_n)\in \mathbb {Z}^n\), we denote \(g^{{\varvec{c}}}=(g^{c_1},\dots ,g^{c_n})\). We denote by \({\mathbb {GL}}_{p,n}\) the group of invertible matrices (the general linear group) in \(\mathbb {Z}_{p}^{n \times n}\). Consider \({{{\varvec{M}}} \in \mathbb {Z}_p^{d \times n}}\) (the set of all \(d \times n\) matrices in \(\mathbb {Z}_p\)). Denote the transpose of \({{\varvec{M}}}\) as \({{\varvec{M}}}^\top \). Denote \({{\varvec{M}}}^{-\top }=({{\varvec{M}}}^\top )^{-1}\). We denote by \(g^{{{\varvec{M}}}}\) the matrix in \(\mathbb {G}^{d \times n}\) whose (i, j) entry is \(g^{{{\varvec{M}}}_{i,j}}\), where \({{\varvec{M}}}_{i,j}\) is the (i, j) entry of \({{\varvec{M}}}\). For \({{\varvec{Q}}} \in \mathbb {Z}_p^{\ell \times d}\), we denote \((g^{{{\varvec{Q}}}})^{{\varvec{M}}}=g^{{{\varvec{Q}}}{{\varvec{M}}}}\). Note that from \({{\varvec{M}}}\) and \(g^{{\varvec{Q}}} \in \mathbb {G}^{\ell \times d}\), we can compute \(g^{{{\varvec{Q}}}{{\varvec{M}}}}\) without knowing \({{\varvec{Q}}}\), since its (i, j) entry is \(\prod _{k=1}^d (g^{{{\varvec{Q}}}_{i,k}})^{{{\varvec{M}}}_{k,j}}\). The same goes for \(g^{{\varvec{M}}}\) and \({{\varvec{Q}}}\). For \({{\varvec{X}}}\in \mathbb {Z}_p^{r\times c_1}\) and \({{\varvec{Y}}}\in \mathbb {Z}_p^{r\times c_2}\), we denote its pairing as:

$$\begin{aligned} e(g_1^{{{\varvec{X}}}},g_2^{{{\varvec{Y}}}})=e(g_1,g_2)^{{{\varvec{Y}}}^\top {{\varvec{X}}}} \in \mathbb {G}_T^{c_2 \times c_1}. \end{aligned}$$

Projection Maps. As used in [3], \( \left( {\begin{matrix} {{\varvec{I}}}_{b} \\ 0 \end{matrix}} \right) \) denotes the \((b+1)\times b\) matrix where the first b rows comprise the identity matrix while the last row is zero. It functions as a left-projection map. That is, \(X \left( {\begin{matrix} {{\varvec{I}}}_{b} \\ 0 \end{matrix}} \right) \in \mathbb {Z}_p^{(d+1)\times d}\) is the matrix consisting of all left d columns of X for any \(X\in \mathbb {Z}_p^{(d+1)\times (d+1)}\). Similarly, \( \left( {\begin{matrix} {\varvec{0}} \\ 1 \end{matrix}} \right) \) is the \((b+1)\times 1\) matrix where the last row is 1; it functions as a right-projection map.

3 Our Key-Policy ABE Schemes

Main Idea for Our Scheme. The main idea for our new KP-ABE scheme is that we set a parameter d and partition the attribute set S into a disjoint union as \(S=S_1 \sqcup \cdots \sqcup S_\ell \) where \(|S_j| \le d\) for all \(j\in [1,\ell ]\) and \(\ell = \lceil |S|/d \rceil \). We then represent each subset \(S_j\) by an affine space using an embedding method similar to the KP-ABE with constant-size ciphertext of [2] (which extends [6]). This method results in KP-DSE with the set of \(\ell \) affine spaces in \(\mathbb {Z}_N^{d+1}\). An implementation using the KP-DSE of [2] requires \(O(\ell )\)-size ciphertext for the set of \(\ell \) affine spaces. Hence, we will achieve the ciphertext size of \(O(\ell )=O(|S|/d)\) as desired.

Partitioned KP-ABE. As an intermediate predicate family, we define “partitioned KP-ABE” (for monotone span program). The purpose is only syntactic: to have a predicate family that is indexed also by the adjustable integer d. (The original definition has only index N specifying \(\mathbb {Z}_N\)). More precisely, it is indexed by \((N,d) \in \mathbb {N}^2\). The key attribute domain is the same as normal KP-ABE. The ciphertext attribute domain is the set of all collections of disjoint subsets of \(\mathcal {U}\) each with size \(\le d\). The predicate evaluation is defined by

$$\begin{aligned}&R_{(N,d)}^{\textsf {Partition-KP-ABE}}\big ((A,\pi ),U\big ) = 1 \quad \Longleftrightarrow \\&\qquad \qquad \qquad \qquad \qquad \quad (1,0,\ldots ,0) \in \mathsf {span}\{ A_i | \exists {W\in U}\ \text { s.t. } \pi (i) \in W \}. \end{aligned}$$

(Here, U is a collection of disjoint subsets of \(\mathcal {U}\) each with size \(\le d\).)

Partitioned KP-ABE implies Normal KP-ABE. Partitioned KP-ABE immediately implies KP-ABE by mapping a ciphertext attribute as

$$\begin{aligned} S \mapsto \{S_1, \cdots S_\ell \} \end{aligned}$$

where \(S=S_1 \sqcup \cdots \sqcup S_\ell \) with \(|S_j| \le d\) for all \(j\in [1,\ell ]\) and \(\ell = \lceil |S|/d \rceil \). To obtain a unique partition, we can arrange the attributes in S in lexicographical order as \(S=\{b_1,\ldots ,b_{|S|}\}\) and let \(S_j=\{b_{(j-1)d+1},\ldots ,b_{jd}\}\) for all \(j\in [1,\ell -1]\) (and hence, \(S_\ell =\{b_{(\ell -1)d+1},\ldots ,b_{|S|}\}\)). Straightforwardly, we have the following lemma:

Lemma 2

For any monotone access structure \(\mathbb {A}=(A,\pi )\), any attribute set S, and \(\{S_j\}_j\) defined as above, we have

$$\begin{aligned} R_{N}^{\textsf {KP-ABE}}\big ((A,\pi ),S\big )=1 \quad \Longleftrightarrow \quad R_{(N,d)}^{\textsf {Partition-KP-ABE}}\big ((A,\pi ),\{S_1, \cdots S_\ell \}\big )=1. \end{aligned}$$

Proof

This trivially holds since \(\pi (i) \in S \) iff there exists \(j\in [1,\ell ]\) such that \(\pi (i) \in S_j\).

3.1 Implication of Partitioned KP-ABE from KP-DSE

We now show that partitioned KP-ABE is implied by KP-DSE. The conversion is as follows.

  • Mapping Parameters. We map \(f_{\mathsf {p}}: (N,d) \mapsto (N,d+1)\). That is, we let the full dimension of affine spaces be \(n=d+1\).

  • Mapping Key Attributes. Consider an access structure \(\mathbb {A}=(A, \pi )\). Let m be the number of rows of the access matrix A. We map

    $$\begin{aligned} f_{\mathsf {k}}: \mathbb {A}=(A, \pi ) \mapsto \mathbb {A}'=(A, \pi ') \end{aligned}$$

    where for \(i=1,\ldots ,m\), we let \(\pi '(i)=\mathsf {cspan}({{\varvec{X}}}^{(i)})\) where

    $$\begin{aligned} {{\varvec{X}}}^{(i)}:= \begin{pmatrix} -\pi (i) &{} -\pi (i)^2 &{} \cdots &{} -\pi (i)^d \\ 1 &{}&{}&{}\\ &{} 1 &{}&{}\\ &{}&{} \ddots &{}\\ &{}&{}&{} 1 \end{pmatrix}. \end{aligned}$$

    In particular, each \(\pi '(i)\) is an affine space passing through the point \({\varvec{0}}^\top \) (i.e., it is a vector space).

  • Mapping Ciphertext Attributes. Consider a disjoint collection \(\{S_1 ,\ldots , S_\ell \}\) where \(|S_j| \le d\) for all \(j\in [1,\ell ]\). We map

    $$\begin{aligned} f_{\mathsf {c}}:\{S_1 ,\ldots , S_\ell \} \mapsto \{{\varvec{y}}^{(1)},\ldots ,{\varvec{y}}^{(\ell )}\} \end{aligned}$$

    where for \(j=1,\ldots ,\ell \), we let \({\varvec{y}}^{(j)}\) be a 0-dimensional affine space (a point) as

    $$\begin{aligned} {\varvec{y}}^{(j)} := (a_{j,0},a_{j,1},\ldots ,a_{j,d})^\top . \end{aligned}$$

    where we define \(a_{j,\iota }\) to be the coefficient of \(z^\iota \) in \(p_j(z):=\prod _{y\in S_j} (z-y) = a_{j,0} + a_{j,1} z + \cdots +a_{j,d} z^d\).

We show the following lemma for the above conversion. The implication from KP-DSE to KP-ABE will then follow from the embedding lemma.

Lemma 3

For any monotone access structure \(\mathbb {A}=(A,\pi )\) and a collection \(\{S_1 ,\ldots , S_\ell \}\) where each \(|S_j|\le d\), we have

$$\begin{aligned}&R_d^{\textsf {Partition-KP-ABE}}(\mathbb {A},\{S_1 ,\ldots , S_\ell \})=1 \quad \Longleftrightarrow \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \quad R_{f_{\mathsf {p}}(d)}^{\textsf {KP-DSE}}(f_{\mathsf {k}}(\mathbb {A}),f_{\mathsf {c}}(\{S_1 ,\ldots , S_\ell \}))=1. \end{aligned}$$

Proof

From the definition of the KP-DSE predicate, to prove the statement of the lemma, it suffices to prove that for all \(i\in [1,m], j\in [1,\ell ]\),

$$\begin{aligned} \pi (i) \in S_j \quad \Leftrightarrow \quad {\varvec{y}}^{(j)} \in \mathsf {cspan}({{\varvec{X}}}^{(i)}) \end{aligned}$$
(2)

Forward Direction ( \(\Rightarrow \) ). Suppose \(\pi (i) \in S_j\). Thus, \(p_j(\pi (i))=0\) (by the definition of \(p_j\)). Therefore,

$$\begin{aligned} {{\varvec{X}}}^{(i)} ({\varvec{a}}^{(j)})^\top&= \big (- (a_{j,1} \pi (i) + \cdots + a_{j,d} \pi (i)^d), a_{j,1}, \ldots , a_{j,d}\big )^\top \\&= (a_{j,0},a_{j,1},\ldots ,a_{j,d})^\top \\&= {\varvec{y}}^{(j)}, \end{aligned}$$

where we use the fact that \(p_j(\pi (i))= a_{j,0} + a_{j,1} \pi (i) + \cdots + a_{j,d} \pi (i)^d = 0\) in the second line. From this, we obtain that \({\varvec{y}}^{(j)} \in \mathsf {cspan}({{\varvec{X}}}^{(i)}) \), which is the right-hand side of (2), as desired. This concludes the forward part.

Backward Direction ( \(\Leftarrow \) ). We prove by contrapositive. Suppose \(\pi (i)\not \in S_j \). Hence, \(p_j(\pi (i)) \ne 0\). Suppose for contradiction that \({\varvec{y}}^{(j)} \in \mathsf {cspan}({{\varvec{X}}}^{(i)}) \). Hence there is a linear combination \({\varvec{v}}^\top = (v_1,\ldots ,v_d)^\top \) such that

$$\begin{aligned} {{\varvec{X}}}^{(i)} {\varvec{v}}^\top = {\varvec{y}}^{(j)}. \end{aligned}$$
(3)

Thus, by our definitions of \({{\varvec{X}}}^{(i)},{\varvec{y}}^{(j)}\), we must have that

$$\begin{aligned} \big (- (v_1 \pi (i) + \cdots + v_d \pi (i)^d), v_1, \ldots , v_d\big )^\top&= (a_{j,0},a_{j,1},\ldots ,a_{j,d})^\top \end{aligned}$$

But this implies that \(p_{j}(\pi (i)) = 0\), a contradiction. Therefore, \({\varvec{y}}^{(j)} \not \in \mathsf {cspan}({{\varvec{X}}}^{(i)}) \). This concludes the proof for the backward part.
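The equivalence (2) and Lemma 3 can be checked numerically. The following added example (not code from the paper) builds \(X^{(i)}\) and \(y^{(j)}\) and compares the KP-DSE predicate on the encoded inputs with the plain KP-ABE predicate. The prime `P` standing in for N, all function names and the sample policy are assumptions made for this illustration.

```python
# Added illustration, not code from the paper. Assumption: a small prime P
# replaces the modulus N so that Gaussian elimination can invert pivots.
P = 10007

def partition(S, d):
    """Sort S and cut it into ceil(|S|/d) consecutive blocks of size <= d."""
    b = sorted(S)
    return [b[k:k + d] for k in range(0, len(b), d)]

def poly_coeffs(Sj, d, p=P):
    """f_c: the point y^(j) = (a_0, ..., a_d), coefficients of prod (z - y)."""
    a = [1]
    for y in Sj:                       # multiply the running product by (z - y)
        a = [(prev - y * cur) % p for prev, cur in zip([0] + a, a + [0])]
    return a + [0] * (d + 1 - len(a))  # pad with zeros when |S_j| < d

def key_matrix(attr, d, p=P):
    """f_k: X^(i), the row (-attr, ..., -attr^d) stacked on the identity I_d."""
    top = [-pow(attr, k, p) % p for k in range(1, d + 1)]
    return [top] + [[int(r == c) for c in range(d)] for r in range(d)]

def in_cspan(M, y, p=P):
    """True iff M v = y (mod p) is solvable, via Gauss-Jordan on [M | y]."""
    rows = [[x % p for x in r] + [t % p] for r, t in zip(M, y)]
    rank = 0
    for c in range(len(M[0])):
        piv = next((r for r in range(rank, len(rows)) if rows[r][c]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][c], -1, p)
        rows[rank] = [x * inv % p for x in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][c]:
                f = rows[r][c]
                rows[r] = [(x - f * z) % p for x, z in zip(rows[r], rows[rank])]
        rank += 1
    return all(row[-1] == 0 for row in rows[rank:])   # no row reads 0 = nonzero

def spans_e1(sel, k, p=P):
    """(1, 0, ..., 0) in rspan(sel), tested as e1 in cspan(sel transposed)."""
    return in_cspan([[row[c] for row in sel] for c in range(k)],
                    [1] + [0] * (k - 1), p)

def kpabe_accepts(A, pi, S, p=P):
    """R^KP-ABE: row i may be used iff pi(i) is in S."""
    return spans_e1([A[i] for i in range(len(A)) if pi[i] in S], len(A[0]), p)

def kpdse_accepts(A, pi, S, d, p=P):
    """R^KP-DSE after f_k, f_c: row i may be used iff some y^(j) lies in cspan(X^(i))."""
    pts = [poly_coeffs(Sj, d, p) for Sj in partition(S, d)]
    sel = [A[i] for i in range(len(A))
           if any(in_cspan(key_matrix(pi[i], d, p), y, p) for y in pts)]
    return spans_e1(sel, len(A[0]), p)

if __name__ == "__main__":
    # Constructed policy (11 AND 22) OR 33 as a monotone span program.
    A, pi = [[1, 1], [0, -1], [1, 0]], [11, 22, 33]
    for d in (1, 2, 4):
        print(d, kpdse_accepts(A, pi, {11, 22, 44, 55, 66}, d))
```

The zero padding in `poly_coeffs` covers the last block of a partition, which may hold fewer than d attributes.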

3.2 Our KP-ABE in Composite-Order Groups

In this subsection, we apply our KP-DSE-to-KP-ABE conversion above to the KP-DSE scheme in composite-order groups proposed in [2]. We use asymmetric groups instead of symmetric groups as defined for the original scheme in [2].

The scheme will use a composite-order asymmetric bilinear group generator \(\mathcal {G}_\mathsf {composite}\) which outputs \((\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,N, p_1,p_2,p_3) \overset{_{\tiny \$}}{\leftarrow }\mathcal {G}_\mathsf {composite}(\lambda )\), where \(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T\) are of order \(N=p_1p_2p_3\). The bilinear map takes the form \(e:\mathbb {G}_1\times \mathbb {G}_2 \rightarrow \mathbb {G}_T\). Let \(\mathbb {G}_{1,p_i}, \mathbb {G}_{2,p_i}\) be the subgroup of order \(p_i\) of \(\mathbb {G}_1,\mathbb {G}_2\) respectively. The scheme is as follows.

  • \(\mathsf {Setup}(1^\lambda , d)\): Generate a composite-order group parameter as \((\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,N, p_1,p_2,p_3) \overset{_{\tiny \$}}{\leftarrow }\mathcal {G}_\mathsf {composite}(\lambda )\). Pick generators \(g_1 \overset{_{\tiny \$}}{\leftarrow }\mathbb {G}_{1,p_1}\), \(g_2 \in \mathbb {G}_{2,p_1}\), and \(Z_3 \overset{_{\tiny \$}}{\leftarrow }\mathbb {G}_{2,p_3}\). Pick \({\varvec{h}}=(h_0, h_1, \ldots , h_{d+1}, \phi _1, \phi _2, \phi _3, \eta )\overset{_{\tiny \$}}{\leftarrow }\mathbb {Z}_N^{d+6}\) and \(\alpha \overset{_{\tiny \$}}{\leftarrow }\mathbb {Z}_{N}\). The public key is \(\mathsf {PK}=\big ( g_1, g_2, e(g_1,g_2)^\alpha , g_1^{{\varvec{h}}}, Z_3 \big )\). The master secret key is \(\mathsf {MSK}= \alpha \).

  • \(\mathsf {Encrypt}(S, {M}, \mathsf {PK})\): Upon input a set \(S\subseteq \mathbb {Z}_N\), do as follows.

    1. Let \(\ell =\lceil |S|/d \rceil \). Partition S to a disjoint union as \(S=S_1 \sqcup \cdots \sqcup S_\ell \) where \(|S_j| \le d\) for all \(j\in [1,\ell ]\). For all \(j\in [1,\ell ]\), let \(a_{j,\iota }\) be the coefficient of \(z^\iota \) in \(p_j(z):=\prod _{y\in S_j} (z-y)\).

    2. Pick \(s, w, s_1,\ldots ,s_\ell \overset{_{\tiny \$}}{\leftarrow }\mathbb {Z}_N\). Output a ciphertext \({\mathsf {CT}}=(C_0,C_1,C_2,C_3,C_4,\{C_{5,j},C_{6,j}\}_{j\in [1,\ell ]})\) where we let \(C_0=(e(g_1,g_2)^\alpha )^{s} {M}\in \mathbb {G}_T\) and

      $$\begin{aligned} C_1&= g_1^{s},&C_2&= g_1^{s\eta }, \\ C_3&= g_1^{s\phi _1 + w \phi _2},&C_4&= g_1^{w}, \\ C_{5,j}&= g_1^{w\phi _3+ s_j (h_0 + h_1 a_{j,0} + \cdots + h_{d+1} a_{j,d})},&C_{6,j}&= g_1^{s_j} \end{aligned}$$
  • \(\mathsf {KeyGen}((A,\pi ), \mathsf {MSK}, \mathsf {PK})\): Upon input an access structure \((A,\pi )\), where \(A\in \mathbb {Z}_N^{m\times k}\) and \(\pi :[1,m] \rightarrow \mathbb {Z}_N \) for some \(m,k\in \mathbb {N}\), do as follows. Parse \(\mathsf {MSK}=\alpha \). Pick randomly \(r,u,r_1,\ldots ,r_m, v_2, \ldots , v_k \overset{_{\tiny \$}}{\leftarrow }\mathbb {Z}_N\). Define \(v_1=r \phi _2\) and let \({\varvec{v}}=(v_1, \ldots , v_k)\). Compute a secret key \({\varvec{K}}=\big (K_1,K_2,K_3,\{K_{4,i},K_{5,i},{\varvec{K}}_{6,i}\}_{i\in [1,m]}\big )\) as

    $$\begin{aligned} K_1&= g_2^{\alpha + r\phi _1 + u \eta }, \\ K_2&= g_2^{u}, \\ K_3&= g_2^{r}, \\ K_{4,i}&= g_2^{A_i {\varvec{v}}^\top + r_i \phi _3}, \\ K_{5,i}&= g_2^{r_i}, \\ {\varvec{K}}_{6,i}&= {\Big (g_2^{r_i h_0}, g_2^{r_i\big (h_2-h_1\pi (i) \big )}, \ldots , g_2^{r_i\big (h_{d+1}-h_1\pi (i)^d \big )} \Big )}. \end{aligned}$$

    Pick a randomness mask \({\varvec{R}} \overset{_{\tiny \$}}{\leftarrow }\mathbb {G}_{2,p_3}^{3+(d+3)m}\) (hence, \({\varvec{R}}\) is of the same length as \({\varvec{K}}\)). Output a secret key \({\mathsf {SK}}={\varvec{K}}\cdot {\varvec{R}}\) (here, ‘\(\cdot \)’ denotes the component-wise multiplication).

  • \(\mathsf {Decrypt}({\mathsf {CT}},{\mathsf {SK}})\): Parse \((S,(A,\pi ))\) from \({\mathsf {CT}},{\mathsf {SK}}\). Assume \((A,\pi )\) accepts S, so that the decryption can be performed. Let \(I:=\{ i\in [1,m] | \pi (i)\in S\}\). From the property of LSSS, we have reconstruction coefficients \(\{\mu _i\}_{i\in I}\) such that \(\sum _{i\in I} \mu _i A_i {\varvec{v}}^\top = v_1 (= r \phi _2)\). Do as follows.

    1. For all \(i\in I\), do as follows. Let \(j_i\) be the index such that \(\pi (i) \in S_{j_i}\). (There is such an index since \(\pi (i) \in S\) for all \(i \in I\)). Parse \({\varvec{K}}_{6,i} = (K_{6,i,0},\ldots ,K_{6,i,d})\). Compute

      $$\begin{aligned} D_{6,i}:= K_{6,i,0} \cdot K_{6,i,1}^{a_{j_i,1}} \cdots K_{6,i,d}^{a_{j_i,d}}. \end{aligned}$$

      (Also recall that \(a_{j,\iota }\) is the coefficient of \(z^\iota \) in \(p_j(z):=\prod _{y\in S_j} (z-y)\)).

    2. Compute \(e(g_1,g_2)^{\alpha s} = L_1 L_2\) where

      $$\begin{aligned} \nonumber L_1&:= e(C_1, K_1) e(C_2, K_2)^{-1} e(C_3,K_3)^{-1}, \\ L_2&:= \prod _{i\in I} \big ( e(C_4,K_{4,i}) e(C_{5,j_i},K_{5,i})^{-1} e( C_{6,j_i},D_{6,i}) \big )^{\mu _i }. \end{aligned}$$
      (4)
    3. Finally compute \({M}\leftarrow C_0/e(g_1,g_2)^{\alpha s}\).

Security. The full security of the above scheme follows from the full security of the KP-DSE scheme in [2] and the embedding lemma for our KP-DSE-to-KP-ABE conversion. This is captured in the theorem below. We refer to [2] for the Subgroup Decision Assumptions and the Expanded Diffie-Hellman Exponent (EDHE3, EDHE4) Assumptions. The notation \(\mathsf {Adv}_\mathcal {A}^{P}(\lambda )\) denotes the advantage of an adversary \(\mathcal {A}\) against the security of primitive or assumption P, as a function of the security parameter \(\lambda \). Its precise definition for each assumption is also given in [2].

Theorem 1

The above KP-ABE is fully-secure under the Subgroup Decision Assumptions 1, 2, 3, the \((d+1,\ell )\)-\(\mathsf {EDHE3}\), and the \((d+1,m,k)\)-\(\mathsf {EDHE4}\) Assumption (in asymmetric composite-order groups), where d is the adjustable integer, \(\ell =\lceil |S|/d \rceil \), where S is the ciphertext query, and m, k are the maximum numbers of rows and columns of access matrices among all key queries, respectively. More precisely, for any ppt adversary \(\mathcal {A}\), letting \(q_1\) denote the number of queries in phase 1, there exist ppt algorithms \(\mathcal {B}_1,\mathcal {B}_2,\mathcal {B}_3,\mathcal {B}_4,\mathcal {B}_5\), whose running times are the same as \(\mathcal {A}\) plus some polynomial times, such that for any \(\lambda \),

$$\begin{aligned}&\mathsf {Adv}_\mathcal {A}^{\mathsf {KP}\text {-}\mathsf {ABE}}(\lambda ) \le 2\mathsf {Adv}_{\mathcal {B}_1}^{\mathsf {SD}1}(\lambda ) + (2q_1+3) \mathsf {Adv}_{\mathcal {B}_2}^{\mathsf {SD}2}(\lambda ) + \mathsf {Adv}_{\mathcal {B}_3}^{\mathsf {SD}3}(\lambda ) \\&\qquad \qquad \qquad \qquad \qquad \quad + q_1\mathsf {Adv}_{\mathcal {B}_4}^{(d+1,m,k)\text {-}\mathsf {EDHE4}}(\lambda ) + \mathsf {Adv}_{\mathcal {B}_5}^{(d+1,\ell )\text {-}\mathsf {EDHE3}}(\lambda ). \end{aligned}$$

Proof

This follows immediately from the KP-DSE-to-KP-ABE implication (i.e., Lemma 1 via Lemmas 2 and 3) and the security of KP-DSE of [2] (i.e., Theorems 1, 11 and 12 in [2]).

3.3 Our KP-ABE in Prime-Order Groups

In this subsection, we apply our KP-DSE-to-KP-ABE conversion to the KP-DSE scheme in prime-order groups proposed in [3] (which is then converted from [2]). The security is based on the Matrix Diffie-Hellman Assumption with parameter \(b\in \mathbb {N}\). When \(b=1\), we can use the SXDH Assumption, and when \(b=2\), we can use the Decision Linear Assumption.

The scheme will use a prime-order asymmetric bilinear group generator \(\mathcal {G}_\mathsf {prime}\) which outputs \((\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e, p) \overset{_{\tiny \$}}{\leftarrow }\mathcal {G}_\mathsf {prime}(\lambda )\), where \(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T\) are of order p. The bilinear map takes the form \(e:\mathbb {G}_1\times \mathbb {G}_2 \rightarrow \mathbb {G}_T\). The scheme is as follows.

  • \(\mathsf {Setup}(1^\lambda , d)\): Run \((\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,p) \overset{_{\tiny \$}}{\leftarrow }\mathcal {G}_\mathsf {prime}(\lambda )\). Pick generators \(g_1 \overset{_{\tiny \$}}{\leftarrow }\mathbb {G}_1\), \(g_2 \overset{_{\tiny \$}}{\leftarrow }\mathbb {G}_2\). Pick \({{\varvec{H}}}_0, {{\varvec{H}}}_1,\ldots ,{{\varvec{H}}}_{d+5} \overset{_{\tiny \$}}{\leftarrow }\mathbb {Z}_p^{(b+1)\times (b+1)}\). Pick \({{\varvec{B}}} \overset{_{\tiny \$}}{\leftarrow }{\mathbb {GL}}_{p,b+1} \subset \mathbb {Z}_p^{(b+1)\times (b+1)}\). Choose \(\tilde{{{\varvec{D}}}} \overset{_{\tiny \$}}{\leftarrow }{\mathbb {GL}}_{p,b}\), define and \({{\varvec{Z}}}:={{{\varvec{B}}}}^{-\top }{{\varvec{D}}}\). Choose \({\varvec{\alpha }} \overset{_{\tiny \$}}{\leftarrow }\mathbb {Z}_p^{(b+1) \times 1}\). Output

    $$\begin{aligned} \begin{aligned} \mathsf {PK}&= \left( e(g_1,g_2)^{{\varvec{\alpha }}^\top {{\varvec{B}}} \left( {\begin{matrix} {{\varvec{I}}}_{b} \\ 0 \end{matrix}} \right) }, g_1^{{{\varvec{B}}} \left( {\begin{matrix} {{\varvec{I}}}_{b} \\ 0 \end{matrix}} \right) }, \left\{ g_1^{{{\varvec{H}}}_i {{\varvec{B}}} \left( {\begin{matrix} {{\varvec{I}}}_{b} \\ 0 \end{matrix}} \right) }\right\} _{i\in [0,d+5]} \right) , \\ \mathsf {MSK}&= \left( g_2^{{\varvec{\alpha }}}, g_2^{{{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{I}}}_{b} \\ 0 \end{matrix}} \right) }, \left\{ g_2^{{{\varvec{H}}}_i^\top {{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{I}}}_{b} \\ 0 \end{matrix}} \right) } \right\} _{i\in [0,d+5]} \right) . \end{aligned} \end{aligned}$$
  • \(\mathsf {Encrypt}(S \subset \mathbb {Z}_p, {M}, \mathsf {PK})\): Upon input a set \(S\subseteq \mathbb {Z}_p\), do as follows.

    1. Let \(\ell =\lceil |S|/d \rceil \). Partition S to a disjoint union as \(S=S_1 \sqcup \cdots \sqcup S_\ell \) where \(|S_j| \le d\) for all \(j\in [1,\ell ]\). For all \(j\in [1,\ell ]\), let \(a_{j,\iota }\) be the coefficient of \(z^\iota \) in \(p_j(z):=\prod _{y\in S_j} (z-y)\).

    2. Pick \({\varvec{s}}_0, {\varvec{w}}, {\varvec{s}}_1,\ldots ,{\varvec{s}}_\ell \overset{_{\tiny \$}}{\leftarrow }\mathbb {Z}_p^{b \times 1}\). Output a ciphertext as \({\mathsf {CT}}= ({\varvec{C}}_1,{\varvec{C}}_2,{\varvec{C}}_3, {\varvec{C}}_4, \{{\varvec{C}}_{5,j}, {\varvec{C}}_{6,j}\}_{j\in [1,\ell ]}, C_0)\) where

      $$\begin{aligned} {\varvec{C}}_1&= g_1^{{{\varvec{B}}} \left( {\begin{matrix} {{\varvec{s}}}_{0} \\ 0 \end{matrix}} \right) }, \\ {\varvec{C}}_2&= g_1^{{{\varvec{H}}}_{d+5}{{\varvec{B}}} \left( {\begin{matrix} {{\varvec{s}}}_{0} \\ 0 \end{matrix}} \right) }, \\ {\varvec{C}}_3&= g_1^{{{\varvec{H}}}_{d+2}{{\varvec{B}}} \left( {\begin{matrix} {{\varvec{s}}}_{0} \\ 0 \end{matrix}} \right) + {{\varvec{H}}}_{d+3}{{\varvec{B}}} \left( {\begin{matrix} {{\varvec{w}}}_{} \\ 0 \end{matrix}} \right) }, \\ {\varvec{C}}_4&= g_1^{{{\varvec{B}}} \left( {\begin{matrix} {{\varvec{w}}}_{} \\ 0 \end{matrix}} \right) }, \\ {\varvec{C}}_{5,j}&= g_1^{{{\varvec{H}}}_{d+4}{{\varvec{B}}} \left( {\begin{matrix} {{\varvec{w}}}_{} \\ 0 \end{matrix}} \right) + \left( {{\varvec{H}}}_0{{\varvec{B}}} + a_{j,0} {{\varvec{H}}}_1{{\varvec{B}}} + \cdots + a_{j,d} {{\varvec{H}}}_{d+1}{{\varvec{B}}} \right) \left( {\begin{matrix} {{\varvec{s}}}_{j} \\ 0 \end{matrix}} \right) }, \\ {\varvec{C}}_{6,j}&= g_1^{{{\varvec{B}}} \left( {\begin{matrix} {{\varvec{s}}}_{j} \\ 0 \end{matrix}} \right) }, \end{aligned}$$

      and \(C_0=e(g_1,g_2)^{{\varvec{\alpha }}^\top {{\varvec{B}}} \left( {\begin{matrix} {{\varvec{s}}}_{0} \\ 0 \end{matrix}} \right) } \cdot {M}\in \mathbb {G}_T.\)

  • \(\mathsf {KeyGen}((A,\pi ), \mathsf {MSK})\): Upon input an access structure \((A,\pi )\), where \(A\in \mathbb {Z}_N^{m\times k}\) and \(\pi :[1,m] \rightarrow \mathbb {Z}_N \) for some \(m,k\in \mathbb {N}\), do as follows. Parse \(\mathsf {MSK}=\alpha \). Pick randomly \({\varvec{r}}, {\varvec{u}}, {\varvec{r}}_1, \ldots , {\varvec{r}}_{m}, {\varvec{v}}_2, \ldots , {\varvec{v}}_k \overset{_{\tiny \$}}{\leftarrow }\mathbb {Z}_p^{b \times 1}\). Output a secret key \({\mathsf {SK}}= ({\varvec{K}}_1,{\varvec{K}}_2,{\varvec{K}}_3, \{{\varvec{K}}_{4,i},{\varvec{K}}_{5,i},{{\varvec{K}}}_{6,i,j}\}_{i\in [1,m], j\in [0,d]} )\) where

    $$\begin{aligned} {\varvec{K}}_1&= g_2^{ {\varvec{\alpha }} + {{\varvec{H}}}_{d+2}^\top {{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{r}}}_{} \\ 0 \end{matrix}} \right) + {{\varvec{H}}}_{d+5}^\top {{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{u}}}_{} \\ 0 \end{matrix}} \right) }, \\ {\varvec{K}}_2&= g_2^{{{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{u}}}_{} \\ 0 \end{matrix}} \right) }, \\ {\varvec{K}}_3&= g_2^{{{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{r}}}_{} \\ 0 \end{matrix}} \right) }, \\ {\varvec{K}}_{4,i}&= g_2^{ A_{i,1} {{\varvec{H}}}_{d+3}^\top {{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{r}}}_{} \\ 0 \end{matrix}} \right) + \sum _{j=2}^k A_{i,j} {{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{v}}}_{j} \\ 0 \end{matrix}} \right) + {{\varvec{H}}}_{d+4}^\top {{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{r}}}_{i} \\ 0 \end{matrix}} \right) }, \\ {\varvec{K}}_{5,i}&= g_2^{{{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{r}}}_{i} \\ 0 \end{matrix}} \right) }, \\ {\varvec{K}}_{6,i,0}&= g_2^{ {{\varvec{H}}}_0^\top {{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{r}}}_{i} \\ 0 \end{matrix}} \right) },\\ \forall _{j\in [1,d]}\ {\varvec{K}}_{6,i,j}&= g_2^{ \left( {{\varvec{H}}}_{j+1}^\top - \pi (i)^j {{\varvec{H}}}_1^\top \right) {{\varvec{Z}}} \left( {\begin{matrix} {{\varvec{r}}}_{i} \\ 0 \end{matrix}} \right) }. \end{aligned}$$
  • \(\mathsf {Decrypt}({\mathsf {CT}},{\mathsf {SK}})\): Suppose \((A,\pi )\) accepts the set S. Let \(I=\{ i\in [1,m] | \pi (i)\in S\}\). Compute coefficients \(\{\mu _i\}_{i\in I}\) such that \(\sum _{i\in I} \mu _i A_i = (1,0,\ldots ,0)\). Do as follows

    1. For all \(i\in I\), do as follows. Let \(j_i\) be the index such that \(\pi (i) \in S_{j_i}\). (There is such an index since \(\pi (i) \in S\) for all \(i \in I\).) Compute

      $$\begin{aligned} {{\varvec{D}}}_{6,i}:= {\varvec{K}}_{6,i,0} \cdot {\varvec{K}}_{6,i,1}^{a_{j_i,1}} \cdots {\varvec{K}}_{6,i,d}^{a_{j_i,d}}. \end{aligned}$$

      (Also recall that \(a_{j,\iota }\) is the coefficient of \(z^\iota \) in \(p_j(z):=\prod _{y\in S_j} (z-y)\).)

    2. Compute \(e(g_1,g_2)^{{\varvec{\alpha }}^\top {{\varvec{B}}} \left( {\begin{matrix} {{\varvec{s}}}_{0} \\ 0 \end{matrix}} \right) } = L_1 \cdot L_2\) where

      $$\begin{aligned} L_1&:= e({\varvec{C}}_1,{\varvec{K}}_1) e({\varvec{C}}_2,{\varvec{K}}_2)^{-1} e({\varvec{C}}_3,{\varvec{K}}_3)^{-1}, \\ L_2&:= \prod _{i\in I} \big ( e({\varvec{C}}_4,{\varvec{K}}_{4,i}) e({\varvec{C}}_{5,\pi (i)},{\varvec{K}}_{5,i})^{-1} e({\varvec{C}}_{6,\pi (i)},{{\varvec{D}}}_{6,i}) \big )^{\mu _i}. \end{aligned}$$
    3. Finally compute \({M}\leftarrow C_0/e(g_1,g_2)^{{\varvec{\alpha }}^\top {{\varvec{B}}} \left( {\begin{matrix} {{\varvec{s}}}_{0} \\ 0 \end{matrix}} \right) }\).
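The following exponent-level check of the scheme's correctness is an added example, not code from the paper: every group element is stored as its discrete logarithm, so a pairing becomes a product modulo a toy prime, and the matrices \({{\varvec{H}}}_i, {{\varvec{B}}}, {{\varvec{Z}}}\) are collapsed to scalars \(h_i, 1, 1\) (assumptions that remove all security and leave only the algebra). It confirms that \(L_1 \cdot L_2\) yields the mask exponent when \(p_{j_i}(\pi (i))=0\), looking up \(C_5, C_6\) by the block index \(j_i\) as in Eq. (5), and that a key attribute outside S leaves a residue; all function names, the sample set and the two-row AND policy are constructed for illustration.

```python
import random
P = 2**61 - 1  # toy prime for the group order p; elements are stored as exponents

def coeffs(block, d):
    """a_0..a_d of p_j(z) = prod_{y in block} (z - y) mod P, zero-padded."""
    a = [1]
    for y in block:
        a = [((a[i - 1] if i else 0) - (a[i] * y if i < len(a) else 0)) % P
             for i in range(len(a) + 1)]
    return a + [0] * (d + 1 - len(a))

def encrypt(S, d, h, alpha, rng):
    S, s0, w = sorted(S), rng.randrange(P), rng.randrange(P)
    ct = {"C1": s0, "C2": h[d+5]*s0, "C3": h[d+2]*s0 + h[d+3]*w, "C4": w, "blk": []}
    for blk in (S[i:i + d] for i in range(0, len(S), d)):    # S_1..S_l, |S_j| <= d
        a, sj = coeffs(blk, d), rng.randrange(P)
        hs = h[0] + sum(a[i] * h[i + 1] for i in range(d + 1))
        ct["blk"].append((blk, h[d+4]*w + hs*sj, sj))        # (S_j, C_5j, C_6j)
    return ct, alpha * s0 % P          # second value: exponent of the mask in C_0

def keygen(A, pi, d, h, alpha, rng):
    r, u = rng.randrange(P), rng.randrange(P)
    v = [rng.randrange(P) for _ in A[0]]                     # v[0] is unused
    sk = {"K1": alpha + h[d+2]*r + h[d+5]*u, "K2": u, "K3": r, "rows": []}
    for row, x in zip(A, pi):
        ri = rng.randrange(P)
        K4 = row[0]*h[d+3]*r + h[d+4]*ri + sum(c*vj for c, vj in zip(row[1:], v[1:]))
        K6 = [h[0]*ri] + [(h[j+1] - pow(x, j, P)*h[1])*ri for j in range(1, d + 1)]
        sk["rows"].append((x, K4, ri, K6))                   # (pi(i), K_4i, K_5i, K_6i)
    return sk

def decrypt(ct, sk, mu, d):
    L = ct["C1"]*sk["K1"] - ct["C2"]*sk["K2"] - ct["C3"]*sk["K3"]  # L_1, pairing = product
    for i, m in mu.items():            # mu_i with sum_i mu_i * A_i = (1, 0, ..., 0)
        x, K4, K5, K6 = sk["rows"][i]
        # Block S_{j_i} holding pi(i); falls back to the first block if pi(i) not in S.
        blk, C5, C6 = next((b for b in ct["blk"] if x in b[0]), ct["blk"][0])
        a = coeffs(blk, d)
        D6 = K6[0] + sum(a[t] * K6[t] for t in range(1, d + 1))
        L += m * (ct["C4"]*K4 - C5*K5 + C6*D6)                      # L_2 term
    return L % P

def demo(pi, seed=1):
    rng = random.Random(seed)          # not a CSPRNG; this only checks the algebra
    d, S = 2, {11, 23, 35, 47, 59}     # constructed sample attribute set
    h, alpha = [rng.randrange(P) for _ in range(d + 6)], rng.randrange(P)
    ct, mask = encrypt(S, d, h, alpha, rng)
    sk = keygen([[1, 1], [0, P - 1]], pi, d, h, alpha, rng)   # pi[0] AND pi[1]
    return decrypt(ct, sk, {0: 1, 1: 1}, d) == mask
```

With `pi = [11, 48]` the second attribute is not a root of any block polynomial, so the \(h_1\) term in \(K_{6,i,j}\) no longer cancels and `demo` returns `False`.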

Security. The full security of the above scheme follows from the full security of the KP-DSE scheme in [3] and the embedding lemma for our KP-DSE-to-KP-ABE conversion. This is captured in the theorem below. For the Matrix Diffie-Hellman Assumption and the Expanded Diffie-Hellman Exponent Assumptions in prime-order subgroups (EDHE3p, EDHE4p), we refer the reader to [3, 12], respectively.

Theorem 2

The above KP-ABE is fully-secure under the \(\mathcal {D}_b\)-Matrix-DH, \((d+1,\ell )\)-\(\mathsf {EDHE3p}\), and \((d+1,m,k)\)-\(\mathsf {EDHE4p}\) Assumptions (in asymmetric prime-order groups), where d is the adjustable integer, \(\ell =\lceil |S|/d \rceil \) where S is the ciphertext query, and m, k are the maximum numbers of rows and columns of access matrices among all key queries, respectively. More precisely, for any ppt adversary \(\mathcal {A}\), with \(q_1\) denoting the number of queries in phase 1, there exist ppt algorithms \(\mathcal {B}_1,\mathcal {B}_2,\mathcal {B}_3\), whose running times are the same as that of \(\mathcal {A}\) plus some polynomial time, such that for any \(\lambda \),

$$\begin{aligned}&\mathsf {Adv}_\mathcal {A}^{\mathsf {KP}\text {-}\mathsf {ABE}}(\lambda ) \le (2q_1+3) \mathsf {Adv}_{\mathcal {B}_1}^{\mathcal {D}_b\text {-}\mathsf {Mat}\mathsf {DH}}(\lambda ) + \\&\qquad \qquad \qquad \qquad \qquad \qquad q_1\mathsf {Adv}_{\mathcal {B}_2}^{(d+1,m,k)\text {-}\mathsf {EDHE4p}}(\lambda ) + \mathsf {Adv}_{\mathcal {B}_3}^{(d+1,\ell )\text {-}\mathsf {EDHE3p}}(\lambda ). \end{aligned}$$

Proof

This follows immediately from the KP-DSE-to-KP-ABE implication (i.e., Lemma 1 via Lemmas 2 and 3) and the security of the prime-order KP-DSE of [3] (i.e., Theorem 3 in [3] via Theorems 11 and 12 in [2]).

4 Efficiency Performance

Optimizing Decryption Time. The decryption time of our scheme can be optimized by reducing the number of pairings, which are the dominant operations. This is done by using the identity \(\prod _{i} e(a_i,b) = e(\prod _{i} a_i, b)\), where we bundle the group-\(\mathbb {G}_1\) elements \(a_i\) that are paired to the same element of group \(\mathbb {G}_2\) (here, it is b).

For simplicity here, we consider the composite-order scheme. The prime-order scheme can be done in a similar manner. In decryption, we can compute the element \(L_2\) also as:

$$\begin{aligned} L_2 = e(C_4, \prod _{i\in I} K_{4,i}) \cdot \prod _{x=1}^\ell \big ( e(C_{5,x},\prod _{\begin{array}{c} i\in I \\ \text {s.t.} j_i=x \end{array}} K_{5,i}^{-\mu _i} ) e( C_{6,x}, \prod _{\begin{array}{c} i\in I \\ \text {s.t.} j_i=x \end{array}} D_{6,i}^{\mu _i }) \big ). \end{aligned}$$
(5)

The original decryption as in Eq. (4) requires at most \(2m+4\) pairings, while the above alternative via Eq. (5) requires \(2\ell +4=2t/d+4\) pairings. To minimize the decryption time, we choose whichever of the two methods has the lower cost.

Table 2. Comparison for asymptotic efficiency among KP-ABE
Table 3. Efficiency of our prime-order KP-ABE with \(b=1\). Here we use an example with \(m=40,t=60\).

Besides pairings, the total decryption time also includes the cost of exponentiations, of which there are at most \(md+m\). Hence, the total decryption time for the composite-order scheme is \(c_1(md+m)+c_2(\min \{2m+4,2t/d+4\})\), where \(c_1,c_2\) are the costs for one exponentiation and one pairing, respectively. When fixing all parameters except d, this amount becomes \(k_1d + k_2/d + k_3\) for some constants \(k_1,k_2,k_3\). This is minimized at d being somewhere in the middle (which will depend on \(k_1,k_2,k_3\)). This minimization is depicted in Fig. 1(d) below. We also note that the min function is reflected in the sharp ridges at the leftmost parts of the graphs in Fig. 1(d).

Comparison for Asymptotic Efficiency. We provide a comparison of asymptotic efficiency among ABE schemes in Table 2. We consider fully-secure schemes that are either completely unbounded or admit constant-size ciphertexts. The schemes that satisfy these criteria are the unbounded ABE of [2, 3] and the constant-size ciphertext scheme also of [2, 3]. All the other schemes in the literature are either only selectively-secure or bounded in some parameters.

Table 4. Concrete efficiency of our KP-ABE from Table 3 when instantiated using BN curves.
Fig. 1. Efficiency of our scheme when \(m=40,t=60\) (blue line), \(m=30,t=30\) (green dashed line), \(m=10,t=20\) (red dotted line). (Color figure online)

Concrete Efficiency. We provide the concrete efficiency of our KP-ABE scheme in prime-order groups. We use the instantiation where \(b=1\) to maximize the efficiency; hence the scheme can be based on the SXDH Assumption [3]. To show concrete performance, we use an example with \(m=40,t=60\) and vary \({d=1,4,20}\) in Table 3. We note that we simply count the number of respective operations directly. This can be further improved by considering multi-exponentiation and multi-pairing algorithms (e.g., [27]); we omit it here.

To obtain an even more concrete picture, we instantiate with the 254-bit Barreto-Naehrig (BN) curves in Table 4. Such curves admit group elements of the following sizes: \(|\mathbb {G}_1|=509\), \( |\mathbb {G}_2|=255\), and \(|\mathbb {G}_T|=2032\) bits [1]. As for the time performance on these curves, we refer to the implementation of [27], where exponentiations in \(\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T\) take 104, 57, 164 microseconds, respectively, while a pairing operation takes 342 microseconds.

For ease of viewing, we also plot the graphs for the estimated efficiency in Fig. 1 in three cases: (1) \(m=40,t=60\), (2) \(m=30,t=30\), and (3) \(m=10,t=20\), in blue, green, and red color, respectively.

We can observe that by adjusting d we obtain a tradeoff among size and time performances: a larger d tends to imply larger public and private keys but a smaller ciphertext size and a faster encryption time. Interestingly, the total decryption time is minimized somewhere in the middle (e.g., in the case when \(m=40,t=60\), it is optimized at \(d=4\)).
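As an added illustration (not the paper's code, and not a reproduction of its Table 3 counts), the sketch below sweeps the cost expression \(c_1(md+m)+c_2\min \{2m+4,2\lceil t/d\rceil +4\}\) over integer d and compares the result with the stationary point of \(k_1d+k_2/d+k_3\). Using the 57 and 342 microsecond timings quoted above for \(\mathbb {G}_2\) exponentiation and pairing as \(c_1\) and \(c_2\) is an assumption, as are all function names.

```python
from math import sqrt

C_EXP_G2_US = 57    # one exponentiation in G2, microseconds (timing quoted on the page)
C_PAIRING_US = 342  # one pairing, microseconds (timing quoted on the page)

def pairings(m, t, d):
    """min{2m+4, 2*ceil(t/d)+4}: Eq. (4) versus the bundled form of Eq. (5)."""
    blocks = -(-t // d)                  # integer ceiling of t/d, i.e. l
    return min(2 * m + 4, 2 * blocks + 4)

def decrypt_cost_us(m, t, d, c1=C_EXP_G2_US, c2=C_PAIRING_US):
    """Upper bound c1*(m*d + m) + c2*pairings on decryption time."""
    return c1 * (m * d + m) + c2 * pairings(m, t, d)

def best_d(m, t, d_max=None):
    """Integer d in [1, d_max] minimising the bound; ties go to the smaller d."""
    d_max = d_max or t                   # d > t never lowers the pairing count
    return min(range(1, d_max + 1), key=lambda d: (decrypt_cost_us(m, t, d), d))

def continuous_optimum(m, t, c1=C_EXP_G2_US, c2=C_PAIRING_US):
    """Root of d/dd (k1*d + k2/d + k3) with k1 = c1*m and k2 = 2*c2*t."""
    return sqrt(2 * c2 * t / (c1 * m))

if __name__ == "__main__":
    for m, t in [(40, 60), (30, 30), (10, 20)]:   # the three cases plotted in Fig. 1
        d = best_d(m, t)
        print(m, t, d, decrypt_cost_us(m, t, d), round(continuous_optimum(m, t), 2))
```

For \(m=40,t=60\) and \(d=1\) the min selects the \(2m+4\) branch, which is the regime where Eq. (4) is cheaper than Eq. (5).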

5 Extensions

Ciphertext-Policy, Dual-Policy ABE with Tradeoff. By using the generic dual conversion of [7], we also immediately obtain ciphertext-policy ABE schemes with a tradeoff similar (but somewhat dual) to that of our KP-ABE schemes. Moreover, by using the generic dual-policy conversion, also of [7], we obtain dual-policy ABE [5] with combined tradeoffs from both the key-policy and ciphertext-policy parts.