Expanded Framework for Dual System Encryption and Its Application

Abstract

Recently, Attrapadung (Eurocrypt 2014) proposed a generic framework that abstracts the concept of dual system encryption techniques. We expand their framework by proposing an extended perfect security for pair encoding scheme, which implies a new approach to employ dual system encryption methodology to obtain full security of attribute-based encryption (ABE) system via a generic construction.

Using this expanded framework, we obtain a fully secure ciphertext-policy ABE (CP-ABE) construction in composite order groups with short public parameters. Compared with previous works that either have public parameter size scaling linear with the number of attributes or require parameterized assumptions, our CP-ABE system achieves the advantages of an exponential improvement in terms of public parameter size and static assumptions relied on simultaneously.

A Linear Secret Sharing Schemes

Here we present the definition of access structure and linear secret sharing schemes introduced in [4], adapted to match our ABE setting.

Definition 3

(Access Structure). Let \(\mathcal {U}\) be the attribute universe. An access structure on \(\mathcal {U}\) is a collection \(\mathbb {A}\) of non-empty sets of attributes, i.e. \(\mathbb {A}\subseteq 2^{\mathcal {U}} \backslash \{\}\). The sets in \(\mathbb {A}\) are called the authorized sets and the sets not in \(\mathbb {A}\) are called the unauthorized sets.

Additionally, an access structure is called monotone if \(\forall B, C \in \mathbb {A}: \text {if}\ B \in \mathbb {A}\) and \(B \subseteq C\), then \(C \in \mathbb {A}\).

Definition 4

(Linear Secret Sharing Schemes (LSSS)). Let p be a prime and \(\mathcal {U}\) the attribute universe. A secret sharing scheme \(\varPi \) realizing access structures on \(\mathcal {U}\) is linear over \(\mathbb {Z}_p\) if

1. 1.

   The shares of a secret \(s \in \mathbb {Z}_p\) for each attribute form a vector over \(\mathbb {Z}_p\).

2. 2.

   For each access structure \(\mathbb {A}\) on \(\mathcal {U}\), there exists an \(\ell \times n\) matrix A called the share-generating matrix, and a function \(\rho \), that labels the rows of A with attributes from \(\mathcal {U}\), i.e. \(\rho : [\ell ] \rightarrow \mathcal {U}\), which satisfy the following: During the generation of the shares, we consider the column vector \(\varvec{v} = (s, v_2, \ldots , v_n)\), where \(v_2, \ldots , v_n \leftarrow \mathbb {Z}_p\). Then the vector of \(\ell \) shares of the secret s according to \(\varPi \) is equal to \(A\varvec{v}\). The share \((A\varvec{v})_j\) where \(j \in [\ell ]\) belongs to attribute \(\rho (j)\). We will refer to the pair \((A, \rho )\) as the policy of the access structure \(\mathbb {A}\).

According to [4], each secret sharing scheme should satisfy the reconstruction requirement (each authorized set can reconstruct the secret) and the security requirement (any unauthorized set cannot reveal any partial information about the secret).

For our composite order group construction, we will employ LSSS matrices over \(\mathbb {Z}_N\), where N is a product of three distinct primes \(p_1\), \(p_2\) and \(p_3\). Let S denote an authorized set for the access structure \(\mathbb {A}\), and I be the set of rows whose labels are in S, i.e. \(I = \{i | i \in [\ell ] \wedge \rho (i) \in S\}\). The reconstruction requirement asserts that the vector \((1, 0, \ldots , 0)\) is in the span of rows of A indexed by I modulo N. This means that there exist constants \(\{\omega _i\}_{i \in I}\) such that, for any valid shares \(\{\lambda _i = {(A\varvec{v})}\}_{i \in I}\) of a secret s according to \(\varPi \), we have \(\sum \nolimits _{i \in I} {{\omega _i}\lambda _i} = s\). Furthermore, these constants \(\{\omega _i\}_{i \in I}\) can be found in time polynomial in the size of the share-generating matrix A.

On the other hand, for unauthorized sets \(S'\), no such \(\{\omega _i\}\) exist. However, in our security proof for composite order system, we will further assume that for an unauthorized set, the corresponding rows of A do not include the vector \((1, 0, \ldots , 0)\) in their span modulo \(p_2\). We may assume this because if an adversary can produce an access matrix A over \(\mathbb {Z}_N\) and an unauthorized set over \(\mathbb {Z}_N\) that is authorized over \(\mathbb {Z}_{p_2}\), this can be used to produce a non-trivial factor of the group order N, which would violate our subgroup decision assumptions.