Circuit ABE with \(\textsf{poly}(\text {depth},\lambda )\)-Sized Ciphertexts and Keys from Lattices

Abstract

We present new lattice-based attribute-based encryption (ABE) and laconic function evaluation (LFE) schemes for circuits with sublinear ciphertext overhead. For depth d circuits over \(\ell \)-bit inputs, we obtain

• an ABE with ciphertext and secret key size O(1);

• a LFE with ciphertext size \(\ell + O(1)\) and digest size O(1);

• an ABE with public key and ciphertext size \(O(\ell ^{2/3})\) and secret key size O(1),

where \(O(\cdot )\) hides \(\textsf{poly}(d,\lambda )\) factors. The first two results achieve almost optimal ciphertext and secret key/digest sizes, up to the \(\textsf{poly}(d)\) dependencies. The security of our schemes relies on \(\ell \)-succinct LWE, a falsifiable assumption which is implied by evasive LWE. At the core of our results is a new technique for compressing LWE samples \(\textbf{s}(\textbf{A}-\textbf{x}\otimes \textbf{G})\) as well as the matrix \(\textbf{A}\).

A Comparison with WW

In this section, we describe an alternative derivation of our scheme, starting from the WW commitment scheme.

The WW Commitment Scheme. We begin with the core WW commitment scheme in [50, Remark 4.12], adapted to the notation and setting in this work. The scheme achieves succinct commitments of size independent of the input length \(\ell \); this succinct commitment can in turn be expanded to a GVW commitment of the same input.

• The public parameters comprise

  $$\begin{aligned} \textbf{B}\leftarrow \mathbb {Z}_q^{n \times m}, \textbf{V}\in \mathbb {Z}_q^{\ell n \times n} \end{aligned}$$

  along with a random Gaussian \(\textbf{T}= {\overline{\textbf{T}}\atopwithdelims ()\underline{\textbf{T}}} \in \mathbb {Z}^{(\ell +1)m \times \ell m}\) where \(\overline{\textbf{T}}\in \mathbb {Z}^{\ell m \times \ell m}, \underline{\textbf{T}}\in \mathbb {Z}^{m \times \ell m}\) such that

  $$\begin{aligned} \overbrace{[ \textbf{I}_\ell \otimes \textbf{B}\mid \textbf{V}\textbf{G}] \cdot \textbf{T}}^{= (\textbf{I}_\ell \otimes \textbf{B}) \cdot \overline{\textbf{T}}+ \textbf{V}\textbf{G}\cdot \underline{\textbf{T}}} = \textbf{I}_\ell \otimes \textbf{G}\end{aligned}$$

  (16)

  That is, \(\textbf{T}\) is a random gadget trapdoor [40] for \([\textbf{I}_\ell \otimes \textbf{B}\mid \textbf{V}\textbf{G}]\).⁶

• Given \(\textbf{x}\in \{0,1\}^\ell \), we multiply both sides of (16) on the right by \(\textbf{x}^{\!\scriptscriptstyle {\top }}\otimes \textbf{I}_m\) to obtain

  $$\begin{aligned} (\textbf{I}_\ell \otimes \textbf{B}) \cdot \overbrace{\overline{\textbf{T}}(\textbf{x}^{\!\scriptscriptstyle {\top }}\otimes \textbf{I}_m)}^{\text {opening}} + \textbf{V}\cdot \overbrace{\textbf{G}\underline{\textbf{T}}(\textbf{x}^{\!\scriptscriptstyle {\top }}\otimes \textbf{I}_m)}^{\text {commitment}} = \textbf{x}^{\!\scriptscriptstyle {\top }}\otimes \textbf{G}\end{aligned}$$

  (17)

  The commitment \(\textbf{C}\) to \(\textbf{x}\in \{0,1\}^\ell \) is given by \(\textbf{G}\cdot \underline{\textbf{T}}(\textbf{x}^{\!\scriptscriptstyle {\top }}\otimes \textbf{I}_m) \in \mathbb {Z}_q^{n \times m}\) and the opening by \(\overline{\textbf{T}}(\textbf{x}^{\!\scriptscriptstyle {\top }}\otimes \textbf{I}_m) \in \mathbb {Z}^{\ell m \times m}\). Verification checks that the opening has low norm and satisfies the above relation in (17).

Binding follows from the \(\textsf{BASIS}_\textsf{struct}\) assumption, which states that SIS is hard with respect to \(\textbf{B}\), given \(\textbf{V},\textbf{T}\). Moreover, we can expand \(\textbf{C}\) into \(\textbf{V}\cdot \textbf{C}\in \mathbb {Z}_q^{\ell n \times m}\), which is a GVW commitment to \(\textbf{x}\) with opening \(\overline{\textbf{T}}(\textbf{x}^{\!\scriptscriptstyle {\top }}\otimes \textbf{I}_m)\).

Compressing \(\textbf{s}(\textbf{A}- \textbf{x}\otimes \textbf{G})\). In the BGGHNSVV ABE, the public key specifies a uniformly random \(\textbf{A}\leftarrow \mathbb {Z}_q^{n \times \ell m}\) and the ciphertext for an attribute \(\textbf{x}\in \{0,1\}^\ell \) contains

Our goal is to compress the above quantity into a vector in \(\mathbb {Z}_q^{O(m)}\) using \(\textbf{B},\textbf{V},\textbf{T}\).

First Idea. A natural strategy following GVW would be to use as the compressed ciphertext, where \(\textbf{C}\) is a homomorphic commitment to \(\textbf{x}\) (looking ahead, we will rely on homomorphic opening in the security proof). Instantiating this idea with the WW commitment is problematic because multiplying \(\textbf{C}\) on the left by \(\textbf{V}\) as in (17) interacts poorly with both the error term \(\textbf{e}\) and the secret \(\textbf{s}\). Instead, we will modify the commitment scheme and (17) as follows. We start by multiplying both sides of (16) on the left by \(\textbf{x}\otimes \textbf{I}_n\) and use the fact that \(\textbf{x}\otimes \textbf{I}_n\) “commutes” with \(\textbf{I}_\ell \otimes \textbf{B}\) —i.e., \((\textbf{x}\otimes \textbf{I}_n)(\textbf{I}_\ell \otimes \textbf{B}) = \textbf{B}(\textbf{x}\otimes \textbf{I}_m)\)— to obtain:

$$\begin{aligned} \textbf{B}\cdot \overbrace{(\textbf{x}\otimes \textbf{I}_m) \overline{\textbf{T}}}^{\text {opening}} + \overbrace{(\textbf{x}\otimes \textbf{I}_n)\textbf{V}\textbf{G}}^{\text {commitment}} \cdot \underline{\textbf{T}}= \textbf{x}\otimes \textbf{G}\end{aligned}$$

(18)

Now, consider a commitment \(\textbf{C}\) to \(\textbf{x}\) is given by \((\textbf{x}\otimes \textbf{I}_n) \textbf{V}\textbf{G}\in \mathbb {Z}_q^{n \times m}\). This fixes both of the issues above: multiplying \(\textbf{C}\) on the right by the low-norm matrix \(\underline{\textbf{T}}\) is compatible with both \(\textbf{e}\) and \(\textbf{s}\), but introduces a security issue – given \(\textbf{s}\textbf{C}+\textbf{e}= \textbf{s}(\textbf{x}\otimes \textbf{I}_n) \textbf{V}\textbf{G}+\textbf{e}\), we can efficiently recover \(\textbf{s}\) due to the gadget matrix \(\textbf{G}\) in \(\textbf{C}\).

Second Idea. To solve the latter issue, we append to the public key a matrix \(\textbf{B}_1 \leftarrow \mathbb {Z}_q^{n \times m}\), and our compressed ciphertext is now given by:

(19)

Towards decompression, add \(\textbf{B}_1\underline{\textbf{T}}\) to both sides of (18) and flip the signs to obtain:

$$\begin{aligned} [\textbf{B}\mid \textbf{B}_1 + (\textbf{x}\otimes \textbf{I}_n)\textbf{V}\textbf{G}] \cdot \overbrace{{ - (\textbf{x}\otimes \textbf{I}_m)\overline{\textbf{T}}\atopwithdelims ()-\underline{\textbf{T}}}}^{\textbf{T}_\textbf{x}\,\text {small}} \;=\; \overbrace{-\textbf{B}_1 \underline{\textbf{T}}}^{\textbf{A}} \,-\, \textbf{x}\otimes \textbf{G}\end{aligned}$$

(20)

We can now define \(\textbf{A}:= -\textbf{B}_1\underline{\textbf{T}}\) and \(\textbf{T}_\textbf{x}:= { - (\textbf{x}\otimes \textbf{I}_m)\overline{\textbf{T}}\atopwithdelims ()-\underline{\textbf{T}}}\). Multiplying both sides of (20) by \(\textbf{s}\) on the left yields the desired decompression:

(21)

Weakening the Assumption. The security of our scheme so far would rely on \(\textsf{BALWE}_\textsf{struct}\) (the LWE analogue of \(\textsf{BASIS}_\textsf{struct}\) introduced in [50]), namely \((\textbf{B},\textbf{s}\textbf{B}+\textbf{e})\) is pseudorandom, given \(\textbf{V},\textbf{T}\). As noted in [50, § 6.1], \(\textsf{BALWE}_\textsf{struct}\) is implied by evasive LWE plus the following non-standard variant of LWE (related to building simpler PRFs from lattices, c.f., the discussion in [11, §1.2, 1.3]), namely:

$$\begin{aligned} & (\textbf{B}, \textbf{V}_1, \ldots , \textbf{V}_\ell , \textbf{R}, \textbf{s}\textbf{B}+\textbf{e}, \textbf{s}\textbf{V}_i \textbf{R}+ \textbf{e}'_i) \end{aligned}$$

(22)

is pseudorandom, where \(\textbf{V}_i \leftarrow \mathbb {Z}_q^{n \times n}, \textbf{R}\leftarrow \mathbb {Z}_q^{n \times 2\,m}, \textbf{e}\leftarrow \mathcal {D}_{\mathbb {Z},\chi }^m, \textbf{e}'_i \leftarrow \mathcal {D}_{\mathbb {Z},\chi }^{2\,m}\).

In this work, we introduce \(\ell \)-succinct LWE, where we replace \(\textbf{W}\) in \(\textsf{BALWE}_\textsf{struct}\) with \(\textbf{W}\leftarrow \mathbb {Z}_q^{\ell n \times m}\). That is, \(\ell \)-succinct LWE states that \((\textbf{B},\textbf{s}\textbf{B}+\textbf{e})\) is pseudorandom, given \(\textbf{W},\textbf{T}\), where \([\textbf{I}_\ell \otimes \textbf{B}\mid \textbf{W}] \cdot \textbf{T}= \textbf{I}_\ell \otimes \textbf{G}\). We would then also replace \(\textbf{W}\) in our compressed LWE sample in (19) with \(\textbf{W}\) to obtain:

Extending the analysis in [50, § 6.1], we have that \(\ell \)-succinct LWE is implied by evasive LWE, plus pseudorandomness of the following distribution:

$$\begin{aligned} & (\textbf{B}, \textbf{W}_1, \ldots , \textbf{W}_\ell , \textbf{R}, \textbf{s}\textbf{B}+\textbf{e}, \textbf{s}\textbf{W}_i \textbf{R}+ \textbf{e}'_i) \end{aligned}$$

where \(\textbf{W}_i \leftarrow \mathbb {Z}_q^{n \times m}, \textbf{R}\leftarrow \mathcal {D}_{\mathbb {Z},\chi }^{m \times 2\,m}, \textbf{e}\leftarrow \mathcal {D}_{\mathbb {Z},\chi }^m, \textbf{e}'_i \leftarrow \mathcal {D}_{\mathbb {Z},\chi }^{2\,m}\). The key distinctions from (22) are that \(\textbf{W}_i\) are wider than \(\textbf{V}_i\), and that \(\textbf{R}\) has low-norm, which allow us to base pseudorandomness of the latter on LWE, following [15].