New Proof Techniques for DLIN-Based Adaptively Secure Attribute-Based Encryption

Abstract

We propose adaptively secure attribute-based encryption (ABE) schemes for boolean formulas over large universe attributes from the decisional linear (DLIN) assumption, which allow attribute reuse in an available formula without the previously employed redundant multiple encoding technique. Thus our KP-(resp. CP-)ABE has non-redundant ciphertexts (resp. secret keys). For achieving the results, we develop a new encoding method for access policy matrix for ABE, by decoupling linear secret sharing (LSS) into its matrix and randomness, and partially randomizing the LSS shares in simulation. The new techniques are of independent interest and we expect it will find another application than ABE.

Appendices

A Decisional Linear (DLIN) Assumption

Definition 6

(DLIN: Decisional Linear Assumption [7]). The DLIN problem is to guess \(\beta \in \{ 0,1 \}\), given \(( \mathsf{param}_{{\mathbb {G}}}, \ {G},{\xi }{G},{\kappa }{G},\delta {\xi }{G}, \sigma {\kappa }{G}, S_\beta ) \mathop {\leftarrow }\limits ^{\ \mathsf{R}}{{{\mathcal {G}}}}_{\beta }^\mathsf{DLIN}(1^\lambda )\), where \({{{\mathcal {G}}}}_{\beta }^\mathsf{DLIN}(1^\lambda ): \mathsf{param}_{{\mathbb {G}}} :=(q,{\mathbb {G}},{\mathbb {G}}_T,{G},e) \mathop {\leftarrow }\limits ^{\ \mathsf{R}}{{\mathcal {G}}}_\mathsf{bpg}(1^\lambda ), {\kappa }, \delta , {\xi },\sigma \mathop {\leftarrow }\limits ^{\ \mathsf{U}}{\mathbb {F}}_q, S_0 :=(\delta + \sigma ) {G}, S_1 \mathop {\leftarrow }\limits ^{\ \mathsf{U}}{\mathbb {G}}, \mathrm {return} \ ( \mathsf{param}_{{\mathbb {G}}},\) \( {G},{\xi }{G}, {\kappa }{G}, \delta {\xi }{G}, \sigma {\kappa }{G}, S_\beta )\), for \(\beta \mathop {\leftarrow }\limits ^{\ \mathsf{U}}\{0,1\}\). For a probabilistic machine \({{\mathcal {E}}}\), we define the advantage of \({{\mathcal {E}}}\) for the DLIN problem as: \(\mathsf{Adv}^\mathsf{DLIN}_{{{\mathcal {E}}}}(\lambda ) \! :=\! \left| \mathsf{Pr}\left[ {{\mathcal {E}}}(1^\lambda ,\varrho ) \! \rightarrow \! 1 \left| \varrho \mathop {\leftarrow }\limits ^{\ \mathsf{R}}\! {{{{\mathcal {G}}}}_0^\mathsf{DLIN}}(1^\lambda ) \right. \right] \! - \right. \) \(\left. \! \mathsf{Pr}\left[ {{\mathcal {E}}}(1^\lambda ,\varrho ) \! \rightarrow \! 1 \left| \varrho \mathop {\leftarrow }\limits ^{\ \mathsf{R}}\right. \right. \right. \) \(\left. \left. \left. {{{{\mathcal {G}}}}_1^\mathsf{DLIN}}(1^\lambda ) \right. \right] \right| .\) The DLIN assumption is: For any probabilistic polynomial-time adversary \({{\mathcal {E}}}\), the advantage \(\mathsf{Adv}^\mathsf{DLIN}_{{{\mathcal {E}}}}(\lambda )\) is negligible in \(\lambda \).

B Adaptively Secure Multi-Use CP-ABE Scheme with Short Secret Keys

1.1 B.1 Definition of CP-ABE

Definition 7

(Ciphertext-Policy Attribute-Based Encryption: CP-ABE). A ciphertext-policy attribute-based encryption scheme consists of four algorithms.

• \(\mathsf{Setup}\) takes as input security parameter. It outputs the public parameters pk and a master key sk.

• \(\mathsf{KeyGen}\) takes as input a set of attributes, \(\varGamma :=\{ x_j \}_{1 \le j \le n' }\), pk and sk. It outputs a decryption key.

• \(\mathsf{Enc}\) takes as input public parameters pk, message m in some associated message space \(\mathsf{msg}\), and access structure \({{\mathbb {S}}}:=(M, \rho )\). It outputs the ciphertext.

• \(\mathsf{Dec}\) takes as input public parameters pk, decryption key \(\mathsf{sk}_{\varGamma }\) for a set of attributes \(\varGamma \), and ciphertext \(\mathsf{ct}_{{{\mathbb {S}}}}\) that was encrypted under access structure \({{\mathbb {S}}}\). It outputs either \(m' \in \mathsf{msg}\) or the distinguished symbol \(\bot \).

A CP-ABE scheme should have the correctness property: for all \((\mathsf{pk}, \mathsf{sk}) \mathop {\leftarrow }\limits ^{\ \mathsf{R}}\mathsf{Setup}(1^\lambda )\), all attribute sets \(\varGamma \), all decryption keys \(\mathsf{sk}_{\varGamma } \mathop {\leftarrow }\limits ^{\ \mathsf{R}}\mathsf{KeyGen}(\mathsf{pk}, \) \(\mathsf{sk}, \varGamma )\), all messages m, all access structures \({{\mathbb {S}}}\), all ciphertexts \(\mathsf{ct}_{{{\mathbb {S}}}} \mathop {\leftarrow }\limits ^{\ \mathsf{R}}\mathsf{Enc}(\mathsf{pk}, m, {{\mathbb {S}}})\), it holds that \(m = \mathsf{Dec}(\mathsf{pk}, \mathsf{sk}_{\varGamma }, \mathsf{ct}_{{{\mathbb {S}}}})\) with overwhelming probability, if \({{\mathbb {S}}}\) accepts \(\varGamma \).

Definition 8

The model for proving the adaptively payload-hiding security of CP-ABE under chosen plaintext attack is:

• Setup. The challenger runs the setup algorithm, \((\mathsf{pk}, \mathsf{sk}) \mathop {\leftarrow }\limits ^{\ \mathsf{R}}\mathsf{Setup}(1^\lambda )\), and gives the public parameters \(\mathsf{pk}\) to the adversary.

• Phase 1. The adversary is allowed to issue a polynomial number of queries, \(\varGamma \), to the challenger or oracle \(\mathsf{KeyGen}(\mathsf{pk}, \mathsf{sk}, \cdot )\) for private keys, \(\mathsf{sk}_\varGamma \) associated with \(\varGamma \).

• Challenge. The adversary submits two messages \(m^{(0)}, m^{(1)}\) and an access structure, \({{\mathbb {S}}}:=(M, \rho )\), provided that the \({{\mathbb {S}}}\) does not accept any \(\varGamma \) sent to the challenger in Phase 1. The challenger flips a random coin \(b \mathop {\leftarrow }\limits ^{\ \mathsf{U}}\{ 0,1 \}\), and computes \(\mathsf{ct}^{(b)}_{{\mathbb {S}}}\mathop {\leftarrow }\limits ^{\ \mathsf{R}}\mathsf{Enc}(\mathsf{pk}, m^{(b)}, {{\mathbb {S}}})\). It gives \(\mathsf{ct}^{(b)}_{{\mathbb {S}}}\) to the adversary.

• Phase 2. The adversary is allowed to issue a polynomial number of queries, \(\varGamma \), to the challenger or oracle \(\mathsf{KeyGen}(\mathsf{pk}, \mathsf{sk}, \cdot )\) for private keys, \(\mathsf{sk}_\varGamma \) associated with \(\varGamma \), provided that \({{\mathbb {S}}}\) does not accept \(\varGamma \).

• Guess. The adversary outputs a guess \(b'\) of b.

The advantage of an adversary \({{\mathcal {A}}}\) in the above game is defined as \(:=\Pr [b'=b] -1/2\) for any security parameter \(\lambda \). A CP-FE scheme is adaptively payload-hiding secure if all polynomial time adversaries have at most a negligible advantage in the above game.

1.2 B.2 Dual Orthonormal Basis Generator

We describe random dual orthonormal basis generator \({{{{\mathcal {G}}}^\mathsf{CP}_\mathsf{ob}}}\) below, which is used as a subroutine in the proposed CP-ABE scheme, where \({{{{\mathcal {G}}}^\mathsf{KP}_\mathsf{ob}}}\) is defined in Sec. 5.2.

$$\begin{aligned}&{{{{\mathcal {G}}}^\mathsf{CP}_\mathsf{ob}}}(1^\lambda , 5, (n,r)): \\&\ \ \ (\mathsf{param}_{(n,r)}, {\mathbb {D}}_0, {\mathbb {D}}_0^*, {\mathbb {D}}_1, \{ D^*_{i,j,\iota }, D'^*_{i,j,l} \}^{i,j=1,\ldots ,5; \iota =1,2}_{l=1,\ldots ,n+r} ) \mathop {\leftarrow }\limits ^{\ \mathsf{R}}{{{{\mathcal {G}}}^\mathsf{KP}_\mathsf{ob}}}(1^\lambda ,5,(n,r)), \\&\ \ \ {{\mathbb {B}}}_0 :={\mathbb {D}}_0^*, \ {{\mathbb {B}}}^*_0 :={\mathbb {D}}_0, \ {{\mathbb {B}}}^*_1 :={\mathbb {D}}_1, \ B_{i,j,\iota } :=D^*_{i,j,\iota },\ B'_{i,j,l} :=D'^*_{i,j,l} \ \mathrm {for \ all} \ i,j,l,\iota , \\&\ \ \ \mathrm{return} \ \ (\mathsf{param}_{(n,r)}, {\mathbb {B}}_0, {\mathbb {B}}_0^*, {\mathbb {B}}^*_1, \{ B_{i,j,\iota }, B'_{i,j,l} \}^{i,j=1,\ldots ,5; \iota =1,2}_{l=1,\ldots ,n+r} ). \end{aligned}$$

1.3 B.3 Construction

[Correctness] If \(\varGamma \) satisfies \({{\mathbb {S}}}\), \( K \!=\! e(\varvec{c}_0,\varvec{k}^*_0) \cdot e(\varvec{c}^{\,\prime }, \varvec{k}^*_1) \!=\! g_T^{-\xi s_0 + \zeta } g_T^{\xi \sum _{i \in I} \alpha _i s_i} \) \(= g_T^{\zeta } \ \ \mathrm {where} \ s_0 :=\vec {1} \cdot \vec {f}, \ s_i :=M_i \cdot \vec {f} \ \mathrm {for} \ i=1,\ldots ,\ell . \)

Theorem 3

The proposed multi-use CP-ABE scheme is adaptively payload-hiding against chosen plaintext attacks under the DLIN assumption.

Theorem 3 is similarly proven to Theorem 2.