Multi-authority Distributed Attribute-Based Encryption with Application to Searchable Encryption on Lattices

Abstract

Many Internet users deploy several cloud services for storing sensitive data. Cloud services provide the opportunity to perform cheap and efficient storage techniques. In order to guarantee secrecy of uploaded data, users need first to encrypt it before uploading it to the cloud servers. There are also certain services which allow user to perform search operations according to certain attributes without revealing any information about the encrypted content. In the cryptographic community this service is known as the public key encryption with keyword search. In order to enable user control during performed search operations there exists an attribute-based encryption scheme that provides the required functionality. We introduce the first Key-Policy Multi-Authority Attribute-Based Encryption (KP-MABE) on lattices assuming existence of multiple servers, where each of these servers contributes to the decryption process by computing decryption shares using its own secret share. Furthermore we construct a Key-Policy Distributed Attribute-Based Searchable Encryption (DABSE) which is based on lattices and use the introduced KP-MABE as a building block for the transformation to DABSE. We prove our scheme secure against chosen ciphertext attacks under the assumption that the underlying KP-MABE is secure under the hardness of learning with errors (LWE) problem.

Appendix

Definition 11

(Tensor Product). For vectors \(v,w\in \mathbb {Z}_q^{n}\), where \(\varvec{v}=(v_1,\ldots ,v_n),\varvec{w}=(w_1,\ldots ,w_n)\) the tensor product is given by

$$\begin{aligned} \left( \begin{array}{c} v_1\\ v_2\\ \vdots \\ v_n \end{array}\right) \otimes \left( \begin{array}{c} w_1\\ w_2\\ \vdots \\ w_n\end{array}\right) =\left( v_1w_1,\ldots ,v_1w_n,\ldots ,v_nw_1,\ldots ,w_n\right) ^{t} \end{aligned}$$

For a matrix \(V\in \mathbb {Z}_q^{m\times m}\) and vectors \(\varvec{v}_1,\ldots ,\varvec{v}_n\in \mathbb {Z}_{q}^{m}\) a tensor product has the following property:

$$\begin{aligned}&V(\varvec{v}_1\otimes \ldots \otimes \varvec{v}_n)=V\varvec{v}_1\otimes \varvec{v}_2\otimes \ldots \otimes \varvec{v}_n=(V\otimes I_{m^{n-1}})(\varvec{v}_1\otimes \ldots \otimes \varvec{v}_n). \end{aligned}$$

Note that \(\varvec{v}_1\otimes \ldots \otimes \varvec{v}_n\in \mathbb {Z}_{q}^{m^n}\) and

$$\begin{aligned} V\otimes I_{m^{n-1}}&=\left( \begin{array}{ccc} v_{11} &{} \ldots &{} v_{1m}\\ \vdots &{} \ddots &{} \vdots \\ v_{m1} &{} \ldots &{} v_{mm} \end{array}\right) \otimes \left( \begin{array}{cccc} 1_{11} &{} 0 &{} \ldots &{} 0_{1m^{n-1}} \\ 0 &{} 1 &{} \ldots &{} 0\\ \vdots &{} \ddots &{} \ddots &{} \vdots \\ 0_{m^{n-1}1} &{} \ldots &{} 0 &{} 1_{m^{n-1}m^{n-1}} \end{array}\right) \\&=\left( \begin{array}{ccc} v_{11}I_{m^{n-1}} &{} \ldots &{} v_{1m}I_{m^{n-1}}\\ \vdots &{} \ddots &{} \vdots \\ v_{m1}I_{m^{n-1}} &{} \ldots &{} v_{mm}I_{m^{n-1}} \end{array}\right) \in \mathbb {Z}_{q}^{m^n\times m^n} \end{aligned}$$

We note that in our scheme the vectors \(v_1,\ldots ,v_n\) associates with the different public keys, which are used to decrypt an evaluated ciphertext that associates with the vector space V.

In the following definition we recall the construct of direct sums. We propose this tool in order to provide an optimization during evaluation of different ciphertexts. On the one hand it improves the dimension of evaluated ciphertexts while on the other hand it involves additional rounds of communication between the parties during the decryption process.

Definition 12

(Direct Sum). Let \(V\in \mathbb {Z}_{q}^{n}\) and \(W\in \mathbb {Z}_{q}^{m}\). The vector space \(V\oplus W\) which is spanned by the basis vectors of these two vector spaces, has dimension \(n+m\) and is called the direct sum of V and W. The vectors from each vector space V or W can be seen as vectors of the direct sum, just by filling zeros to the full dimension \(n+m\). Let \(\varvec{v}=(v_1,\ldots ,v_n)\in V\) and \(\varvec{w}=(w_1,\ldots ,w_m)\in W\). Vector \(\varvec{v}\) is an element of direct sum, e.g. \(\varvec{v}=(v_1,\ldots ,v_n,0_1,\ldots ,0_m)\) and \(\varvec{w}=(0_1,\ldots ,0_n,w_1,\ldots ,w_m)\). Then the direct sum of \(\varvec{v}\otimes \varvec{w}=(v_1,\ldots ,v_n,w_1,\ldots ,w_m)\), which is a vector of dimension \(n+m\).

The direct sum of two matrices \(A\in \mathbb {Z}_{q}^{n\times n}, B\in \mathbb {Z}_{q}^{m\times m}\) is given by:

$$\begin{aligned} A\oplus B = \left( \begin{array}{cc} A &{} 0\\ 0 &{} B \end{array}\right) =\left( \begin{array}{cccccc} a_{11} &{} \ldots &{} a_{1n} &{} 0 &{} \ldots &{} 0\\ \vdots &{} \ddots &{} \vdots \ &{} \vdots &{} \ddots &{} \vdots \\ a_{n1} &{} \ldots &{} a_{nn}&{} 0 &{} \ldots &{} 0\\ 0 &{} \ldots &{} 0 &{} b_{11} &{} \ldots &{} b_{1m}\\ \vdots &{} \ddots &{} \vdots &{} \vdots &{} \ddots \vdots \\ 0 &{} \ldots &{} 0 &{} b_{m1} &{} \ldots &{} b_{mm} \end{array}\right) \end{aligned}$$

In general a direct sum of n matrices of dimensions \(n_1,\ldots , n_n\) is given by

$$\begin{aligned} A_1\oplus A_2\oplus \ldots \oplus A_n = \left( \begin{array}{cccc} A_1 &{} 0 &{} \ldots &{} 0\\ 0 &{} A_2 &{} \ldots &{} 0\\ \vdots &{} \ldots &{} \ddots &{} \vdots \\ 0 &{} \ldots &{} 0 &{} A_n \end{array}\right) \end{aligned}$$

The dimension of this direct sum is \(n_1+\ldots +n_n\). Furthermore, \((A_1\oplus \ldots \oplus A_n)(\varvec{v}_1\oplus \ldots \oplus \varvec{v}_n)=A\varvec{v}_1\oplus \ldots \oplus A_n\varvec{v}_n\).