Abstract
We propose adaptively secure attribute-based encryption (ABE) schemes for boolean formulas over large universe attributes from the decisional linear (DLIN) assumption, which allow attribute reuse in an available formula without the previously employed redundant multiple encoding technique. Thus our KP-(resp. CP-)ABE has non-redundant ciphertexts (resp. secret keys). For achieving the results, we develop a new encoding method for access policy matrix for ABE, by decoupling linear secret sharing (LSS) into its matrix and randomness, and partially randomizing the LSS shares in simulation. The new techniques are of independent interest and we expect it will find another application than ABE.
References
Agrawal, S., Chase, M.: A study of pair encodings: predicate encryption in prime order groups. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 259–288. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49099-0_10
Attrapadung, N.: Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 557–577. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_31
Attrapadung, N.: Dual system encryption framework in prime-order groups via computational pair encodings. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 591–623. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53890-6_20
Attrapadung, N., Hanaoka, G., Yamada, S.: Conversions among several classes of predicate encryption and applications to ABE with various compactness tradeoffs. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 575–601. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_24
Attrapadung, N., Libert, B., Panafieu, E.: Expressive key-policy attribute-based encryption with constant-size ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 90–108. Springer, Heidelberg (2011). doi:10.1007/978-3-642-19379-8_6
Beimel, A.: Secure schemes for secret sharing and key distribution. Ph.D. thesis, Israel Institute of Technology, Technion, Haifa (1996)
Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_3
Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). doi:10.1007/978-3-642-55220-5_30
Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46803-6_20
Cheon, J.H.: Security analysis of the strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006). doi:10.1007/11761679_1
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: STOC 2013, pp. 545–554 (2013)
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM CCS 2006, pp. 89–98 (2006)
Ishai, Y., Wee, H.: Partial garbling schemes and their applications. In: Esparza, J., Fraigniaud, P., Husfeldt, T., Koutsoupias, E. (eds.) ICALP 2014. LNCS, vol. 8572, pp. 650–662. Springer, Heidelberg (2014). doi:10.1007/978-3-662-43948-7_54
Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_4
Lewko, A., Waters, B.: Decentralizing attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011). doi:10.1007/978-3-642-20465-4_31
Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_12
Okamoto, T., Takashima, K.: Hierarchical predicate encryption for inner-products. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 214–231. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10366-7_13
Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14623-7_11
Okamoto, T., Takashima, K.: Achieving short ciphertexts or short secret-keys for adaptively secure general inner-product encryption. Des. Codes Crypt. 77(2–3), 725–771 (2015). Preliminary version in CANS 2011
Okamoto, T., Takashima, K.: Dual pairing vector spaces and their applications. IEICE Trans. 98-A(1), 3–15 (2015)
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). doi:10.1007/11426639_27
Takashima, K.: Expressive attribute-based encryption with constant-size ciphertexts from the decisional linear assumption. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 298–317. Springer, Cham (2014). doi:10.1007/978-3-319-10879-7_17
Takashima, K.: New proof techniques for DLIN-based adaptively secure attribute-based encryption. IACR Cryptology ePrint Archive 2015, 1021 (2015)
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_36
Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011). doi:10.1007/978-3-642-19379-8_4
Acknowledgement
This work was supported by JST CREST Grant Number JPMJCR14D6.
Appendices
A Decisional Linear (DLIN) Assumption
Definition 6
(DLIN: Decisional Linear Assumption [7]). The DLIN problem is to guess \(\beta \in \{0,1\}\), given \((\mathsf{param}_{\mathbb{G}}, G, \xi G, \kappa G, \delta\xi G, \sigma\kappa G, S_\beta) \xleftarrow{\mathsf{R}} \mathcal{G}^{\mathsf{DLIN}}_{\beta}(1^\lambda)\), where \(\mathcal{G}^{\mathsf{DLIN}}_{\beta}(1^\lambda)\) is: \(\mathsf{param}_{\mathbb{G}} := (q, \mathbb{G}, \mathbb{G}_T, G, e) \xleftarrow{\mathsf{R}} \mathcal{G}_{\mathsf{bpg}}(1^\lambda)\), \(\kappa, \delta, \xi, \sigma \xleftarrow{\mathsf{U}} \mathbb{F}_q\), \(S_0 := (\delta + \sigma) G\), \(S_1 \xleftarrow{\mathsf{U}} \mathbb{G}\), return \((\mathsf{param}_{\mathbb{G}}, G, \xi G, \kappa G, \delta\xi G, \sigma\kappa G, S_\beta)\), for \(\beta \xleftarrow{\mathsf{U}} \{0,1\}\). For a probabilistic machine \(\mathcal{E}\), we define the advantage of \(\mathcal{E}\) for the DLIN problem as \(\mathsf{Adv}^{\mathsf{DLIN}}_{\mathcal{E}}(\lambda) := \bigl| \Pr\bigl[\mathcal{E}(1^\lambda, \varrho) \to 1 \,\big|\, \varrho \xleftarrow{\mathsf{R}} \mathcal{G}^{\mathsf{DLIN}}_{0}(1^\lambda)\bigr] - \Pr\bigl[\mathcal{E}(1^\lambda, \varrho) \to 1 \,\big|\, \varrho \xleftarrow{\mathsf{R}} \mathcal{G}^{\mathsf{DLIN}}_{1}(1^\lambda)\bigr] \bigr|\). The DLIN assumption is: for any probabilistic polynomial-time adversary \(\mathcal{E}\), the advantage \(\mathsf{Adv}^{\mathsf{DLIN}}_{\mathcal{E}}(\lambda)\) is negligible in \(\lambda\).
B Adaptively Secure Multi-Use CP-ABE Scheme with Short Secret Keys
B.1 Definition of CP-ABE
Definition 7
(Ciphertext-Policy Attribute-Based Encryption: CP-ABE). A ciphertext-policy attribute-based encryption scheme consists of four algorithms.
- \(\mathsf{Setup}\) takes as input a security parameter. It outputs the public parameters pk and a master key sk.
- \(\mathsf{KeyGen}\) takes as input a set of attributes, \(\varGamma := \{ x_j \}_{1 \le j \le n'}\), pk and sk. It outputs a decryption key.
- \(\mathsf{Enc}\) takes as input public parameters pk, a message m in some associated message space \(\mathsf{msg}\), and an access structure \(\mathbb{S} := (M, \rho)\). It outputs the ciphertext.
- \(\mathsf{Dec}\) takes as input public parameters pk, a decryption key \(\mathsf{sk}_{\varGamma}\) for a set of attributes \(\varGamma\), and a ciphertext \(\mathsf{ct}_{\mathbb{S}}\) that was encrypted under access structure \(\mathbb{S}\). It outputs either \(m' \in \mathsf{msg}\) or the distinguished symbol \(\bot\).
A CP-ABE scheme should have the correctness property: for all \((\mathsf{pk}, \mathsf{sk}) \xleftarrow{\mathsf{R}} \mathsf{Setup}(1^\lambda)\), all attribute sets \(\varGamma\), all decryption keys \(\mathsf{sk}_{\varGamma} \xleftarrow{\mathsf{R}} \mathsf{KeyGen}(\mathsf{pk}, \mathsf{sk}, \varGamma)\), all messages m, all access structures \(\mathbb{S}\), and all ciphertexts \(\mathsf{ct}_{\mathbb{S}} \xleftarrow{\mathsf{R}} \mathsf{Enc}(\mathsf{pk}, m, \mathbb{S})\), it holds that \(m = \mathsf{Dec}(\mathsf{pk}, \mathsf{sk}_{\varGamma}, \mathsf{ct}_{\mathbb{S}})\) with overwhelming probability if \(\mathbb{S}\) accepts \(\varGamma\).
Definition 8
The model for proving the adaptively payload-hiding security of CP-ABE under chosen plaintext attack is:
- Setup. The challenger runs the setup algorithm, \((\mathsf{pk}, \mathsf{sk}) \xleftarrow{\mathsf{R}} \mathsf{Setup}(1^\lambda)\), and gives the public parameters \(\mathsf{pk}\) to the adversary.
- Phase 1. The adversary is allowed to issue a polynomial number of queries, \(\varGamma\), to the challenger or oracle \(\mathsf{KeyGen}(\mathsf{pk}, \mathsf{sk}, \cdot)\) for private keys \(\mathsf{sk}_\varGamma\) associated with \(\varGamma\).
- Challenge. The adversary submits two messages \(m^{(0)}, m^{(1)}\) and an access structure \(\mathbb{S} := (M, \rho)\), provided that \(\mathbb{S}\) does not accept any \(\varGamma\) sent to the challenger in Phase 1. The challenger flips a random coin \(b \xleftarrow{\mathsf{U}} \{0,1\}\) and computes \(\mathsf{ct}^{(b)}_{\mathbb{S}} \xleftarrow{\mathsf{R}} \mathsf{Enc}(\mathsf{pk}, m^{(b)}, \mathbb{S})\). It gives \(\mathsf{ct}^{(b)}_{\mathbb{S}}\) to the adversary.
- Phase 2. The adversary is allowed to issue a polynomial number of queries, \(\varGamma\), to the challenger or oracle \(\mathsf{KeyGen}(\mathsf{pk}, \mathsf{sk}, \cdot)\) for private keys \(\mathsf{sk}_\varGamma\) associated with \(\varGamma\), provided that \(\mathbb{S}\) does not accept \(\varGamma\).
- Guess. The adversary outputs a guess \(b'\) of b.
The advantage of an adversary \(\mathcal{A}\) in the above game is defined as \(\Pr[b' = b] - 1/2\) for any security parameter \(\lambda\). A CP-ABE scheme is adaptively payload-hiding secure if all polynomial-time adversaries have at most a negligible advantage in the above game.
B.2 Dual Orthonormal Basis Generator
We describe the random dual orthonormal basis generator \(\mathcal{G}^{\mathsf{CP}}_{\mathsf{ob}}\) below, which is used as a subroutine in the proposed CP-ABE scheme; the generator \(\mathcal{G}^{\mathsf{KP}}_{\mathsf{ob}}\) it builds on is defined in Sect. 5.2.
B.3 Construction
[Correctness] If \(\varGamma\) satisfies \(\mathbb{S}\), then \(K = e(\boldsymbol{c}_0, \boldsymbol{k}^*_0) \cdot e(\boldsymbol{c}', \boldsymbol{k}^*_1) = g_T^{-\xi s_0 + \zeta} \, g_T^{\xi \sum_{i \in I} \alpha_i s_i} = g_T^{\zeta}\), where \(s_0 := \vec{1} \cdot \vec{f}\) and \(s_i := M_i \cdot \vec{f}\) for \(i = 1, \ldots, \ell\); the last equality holds because the reconstruction coefficients \(\{\alpha_i\}_{i \in I}\) of the linear secret sharing give \(\sum_{i \in I} \alpha_i s_i = s_0\) whenever \(\varGamma\) satisfies \(\mathbb{S}\).
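As an added worked example (not code from the paper), the linear secret sharing that the correctness equation relies on, over a constructed toy prime field: the shares \(s_0 = \vec{1}\cdot\vec{f}\) and \(s_i = M_i\cdot\vec{f}\) are computed exactly as named above, and reconstruction succeeds only when the rows selected by \(\varGamma\) span the all-ones vector. The names `solve_mod`, `share`, `reconstruct`, the prime `Q` and the policy matrix `M`/`RHO` are all constructed for this example.

```python
Q = 1_000_003  # constructed toy prime; a real scheme uses the ~256-bit group order q

def solve_mod(A, b, q=Q):
    """Find a row vector x with x*A = b over F_q (A is k x r), or None if none exists."""
    k, r = len(A), len(A[0])
    # Equations are indexed by columns of A: sum_j x_j A[j][c] = b[c]; build [A^T | b].
    aug = [[A[j][c] % q for j in range(k)] + [b[c] % q] for c in range(r)]
    pivots, row = [], 0
    for col in range(k):  # Gauss-Jordan elimination to reduced row echelon form
        p = next((i for i in range(row, r) if aug[i][col]), None)
        if p is None:
            continue
        aug[row], aug[p] = aug[p], aug[row]
        inv = pow(aug[row][col], -1, q)
        aug[row] = [v * inv % q for v in aug[row]]
        for i in range(r):
            if i != row and aug[i][col]:
                fac = aug[i][col]
                aug[i] = [(vi - fac * vr) % q for vi, vr in zip(aug[i], aug[row])]
        pivots.append(col)
        row += 1
    if any(aug[i][k] for i in range(row, r)):  # zero row with nonzero right-hand side
        return None
    x = [0] * k  # free variables set to 0
    for i, col in enumerate(pivots):
        x[col] = aug[i][k]
    return x

def share(M, f, q=Q):
    """s_0 = 1.f and s_i = M_i.f, the values named in the correctness equation."""
    return sum(f) % q, [sum(m * v for m, v in zip(row, f)) % q for row in M]

def reconstruct(M, rho, gamma, shares, q=Q):
    """Recover s_0 from the shares of rows labelled by attributes in gamma, or None."""
    I = [i for i, a in enumerate(rho) if a in gamma]
    if not I:
        return None
    alpha = solve_mod([M[i] for i in I], [1] * len(M[0]), q)  # sum alpha_i M_i = (1,...,1)
    if alpha is None:
        return None  # Gamma does not satisfy S: no reconstruction coefficients exist
    return sum(a * shares[i] for a, i in zip(alpha, I)) % q

# Constructed policy "(A AND B) OR C": rows A=(1,0), B=(0,1), C=(1,1); target vector (1,1).
M, RHO = [[1, 0], [0, 1], [1, 1]], ["A", "B", "C"]
```

In the scheme the shares are never revealed in the clear; they sit in the exponent of the ciphertext components, so the same \(\alpha_i\) are applied to pairing values rather than to field elements.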
Theorem 3
The proposed multi-use CP-ABE scheme is adaptively payload-hiding against chosen plaintext attacks under the DLIN assumption.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Takashima, K. (2017). New Proof Techniques for DLIN-Based Adaptively Secure Attribute-Based Encryption. In: Pieprzyk, J., Suriadi, S. (eds) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science(), vol 10342. Springer, Cham. https://doi.org/10.1007/978-3-319-60055-0_5
DOI: https://doi.org/10.1007/978-3-319-60055-0_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-60054-3
Online ISBN: 978-3-319-60055-0