Abstract
We propose a construction of Attribute-Based Encryption for deterministic finite automata with bounded input length from lattices. The security of our construction can be reduced to the hardness of learning with errors (LWE) problem in the selective security model.
The main technique in our scheme is a novel way to securely encode the deterministic finite automata and the input string as a “matrix ribbon” that closely mimics the structure of the tape and supports simple operations that rely only on traditional preimage sampling on lattices.
Our result is the first direct construction of key-policy attribute-based encryption for deterministic finite automata. Compared with the existing indirect constructions from lattices, our scheme is conceptually simpler and also more efficient.
Q. Li—Research conducted with generous support from the Australian Research Council under Discovery Project grant ARC DP-140103885.
A Parameters and Correctness of Construction
By applying the decryption algorithm, we have \(\mathrm {\Delta } = \textsf {Msg}\cdot \lfloor q/2\rfloor + \nu _0- \mathbf \nu _1^{\top }\cdot \mathbf d\). Let \(\textsf {Error} = \nu _0- \mathbf \nu _1^{\top }\cdot \mathbf d \). In order to correctly recover the message, we must ensure that the noise term \(|\textsf {Error}| < q/4\). The following lemma states this fact.
Lemma 5
Suppose the parameters \(\alpha \) and q are set as:
the quantity \(|\textsf {Error}|\) is bounded by q / 4 with overwhelming probability.
Proof
Notice that all the transition matrices used to construct the decryption vector \(\mathbf d\) have discrete Gaussian distribution in \(\mathbb {Z}^{2m\times m}\) with parameter \(\sigma \). Their norms are all bounded by \(\sigma \sqrt{m}\) by fact 1 of Lemma 1. Likewise, since the vector \(\mathbf d_{s_x}\sim \mathcal D_{\mathrm {\Lambda }_q^{\mathbf u}( \mathbf A_{s_x}^{(0)} ),\sigma }\), by fact 1 of Lemma 1 we also have \(\Vert \mathbf d_{s_x} \Vert \le \beta = \sigma \sqrt{m}.\)
Therefore, by using Lemma 4,
It now suffices to bound \(\mathbf d\). We have \(\Vert \mathbf d\Vert ^2 \le \sum _{i=1}^{\ell +1} (\beta ^i)^2 \cdot \Vert \mathbf d_{s_x}\Vert ^2 \le (\eta +~1)(\sigma ^2 m)^{\eta +2}\). Thus \(\Vert \mathbf d\Vert \le \sqrt{(\eta +1)} \sigma ^{\eta +2} m^{(\eta +2)/2} \le O(\sigma ^{\eta +2} m^{(\eta +2)/2})\).
Summing up, we have
To make \(|\textsf {Error}| < q/4\), it is sufficient to set \(\alpha \le \left( \omega (\sqrt{\log m}) \sigma ^{\eta +2} m^{(\eta +2)/2} \right) ^{-1}\) and \(q = \varOmega \left( \sigma ^{\eta +2} m^{(\eta +3)/2} \right) \). \(\square \)
To set the remaining parameters, we need to ensure the following conditions:
1. we be able to run the algorithm \(\textsf {TrapGen}\) (i.e. \(m > 6n\log q\));
2. the Gaussian parameter \(\sigma \) be large enough for \(\textsf {SamplePre}\) and \(\textsf {SampleLeft}\) (i.e. \(\sigma > \Vert \tilde{\mathbf B} \Vert \cdot \omega (\sqrt{\log m})\) where \(\mathbf B\) is a basis output by \(\textsf {TrapGen}\));
3. the LWE average-case to worst-case reduction apply (i.e. \(q > 2\sqrt{n}/\alpha \)).
One consistent selection is to set the parameters as follows:
- The maximum length of input: \(\eta =O(\lambda )\)
- The lattice dimensions: \(m = 6n^{1+\delta }\), where \(n^{\delta } > \lceil \log q \rceil \)
- The Gaussian parameter \(\sigma = m \cdot \omega (\sqrt{\log n})\)
- The prime modulus \(q= m^{(3\eta +5)/2} \cdot \omega (\sqrt{\log n})\)
- The LWE parameter \(\alpha = \left( m^{3(\eta +2)/2} \cdot \omega (\sqrt{\log n}) \right) ^{-1}\)
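The three conditions above and the two bounds of Lemma 5 interact through \(m\), \(\sigma\), \(q\) and \(\alpha\), and \(m\) itself depends on \(\lceil \log q\rceil\), so it is easy to pick a set that violates one of them. The following Python script is an added example, not code from the paper: it instantiates \(m\), \(\sigma\) and \(\alpha\) following the selection above, sets \(q\) to the smallest value meeting the two stated lower bounds on \(q\) (the Lemma 5 \(\Omega(\cdot)\) term and \(q > 2\sqrt{n}/\alpha\)) with one bit of slack, and then checks every listed condition. All quantities are kept as base-2 logarithms so the modulus, which is \(m^{O(\eta)}\), never has to be materialised. Assumptions of the example: each \(\omega(\sqrt{\log x})\) factor is instantiated as \(\log_2 x\); \(\Vert \tilde{\mathbf B}\Vert\) for the \(\textsf{TrapGen}\) basis is taken as \(\sqrt{n\log q}\) (the usual \(O(\sqrt{n\log q})\) bound with constant 1, overridable via `basis_norm_log2`); the function names are the example's own. It works for any \(\eta\), not only the \(\eta=O(\lambda)\) case.

```python
"""Parameter-consistency check for Appendix A, in base-2 logarithms.

Added example (not from the paper).  Every quantity is kept as log2 so the
modulus q = m^{O(eta)} is never materialised as an integer.
"""
import math


def omega_sqrt_log(x):
    """Concrete stand-in for an omega(sqrt(log x)) factor.
    Assumption for this example: log2(x), which grows faster than sqrt(log x)."""
    return math.log2(x)


def lemma5_alpha_bound_log2(log_m, log_sigma, eta):
    """log2 of (omega(sqrt(log m)) * sigma^{eta+2} * m^{(eta+2)/2})^{-1},
    the upper bound on alpha from Lemma 5."""
    m = 2.0 ** log_m
    return -(math.log2(omega_sqrt_log(m))
             + (eta + 2) * log_sigma
             + (eta + 2) / 2 * log_m)


def lemma5_q_bound_log2(log_m, log_sigma, eta):
    """log2 of sigma^{eta+2} * m^{(eta+3)/2}, the Omega(.) lower bound on q from Lemma 5."""
    return (eta + 2) * log_sigma + (eta + 3) / 2 * log_m


def lwe_q_bound_log2(n, log_alpha):
    """log2 of 2*sqrt(n)/alpha, the lower bound on q for the LWE reduction (condition 3)."""
    return 1 + 0.5 * math.log2(n) - log_alpha


def derive_parameters(n, eta, delta):
    """Instantiate m, sigma and alpha as in the appendix's selection from the
    security parameter n, the maximum input length eta and the exponent delta.
    q is set to the smallest value meeting both stated lower bounds, plus one
    bit of slack (an assumption of this example, not the paper's closed form)."""
    log_m = math.log2(6) + (1 + delta) * math.log2(n)      # m = 6 n^{1+delta}
    log_sigma = log_m + math.log2(omega_sqrt_log(n))       # sigma = m * omega(sqrt(log n))
    log_alpha = lemma5_alpha_bound_log2(log_m, log_sigma, eta)
    log_q = max(lemma5_q_bound_log2(log_m, log_sigma, eta),
                lwe_q_bound_log2(n, log_alpha)) + 1.0
    return {"n": n, "eta": eta, "delta": delta, "log_m": log_m,
            "log_sigma": log_sigma, "log_q": log_q, "log_alpha": log_alpha}


def check_constraints(p, basis_norm_log2=None):
    """Evaluate each condition listed in Appendix A for a parameter dict p.
    basis_norm_log2 is log2 of ||B~|| for the TrapGen basis; by default it is
    sqrt(n log q) (assumed constant 1 in the standard O(sqrt(n log q)) bound)."""
    n, eta, delta = p["n"], p["eta"], p["delta"]
    log_m, log_sigma = p["log_m"], p["log_sigma"]
    log_q, log_alpha = p["log_q"], p["log_alpha"]
    ceil_log_q = math.ceil(log_q)                          # ceil(log q)
    if basis_norm_log2 is None:
        basis_norm_log2 = 0.5 * math.log2(n * ceil_log_q)
    return {
        "n^delta > ceil(log q)":
            delta * math.log2(n) > math.log2(ceil_log_q),
        "m > 6 n log q (TrapGen)":
            log_m > math.log2(6 * n * ceil_log_q),
        "sigma > ||B~|| omega(sqrt(log m)) (SamplePre/SampleLeft)":
            log_sigma > basis_norm_log2 + math.log2(omega_sqrt_log(2.0 ** log_m)),
        "q > 2 sqrt(n)/alpha (LWE reduction)":
            log_q > lwe_q_bound_log2(n, log_alpha),
        "alpha <= Lemma 5 bound":
            log_alpha <= lemma5_alpha_bound_log2(log_m, log_sigma, eta),
        "q >= Omega(sigma^{eta+2} m^{(eta+3)/2}) (Lemma 5)":
            log_q >= lemma5_q_bound_log2(log_m, log_sigma, eta),
    }


def all_consistent(p):
    """True iff every constraint returned by check_constraints holds."""
    return all(check_constraints(p).values())


if __name__ == "__main__":
    params = derive_parameters(n=1024, eta=4, delta=1)
    for name, ok in check_constraints(params).items():
        print(f"{'ok ' if ok else 'BAD'}  {name}")
    print(f"log2 q = {params['log_q']:.1f} bits, log2 m = {params['log_m']:.1f}")
```

Running the script with n = 1024, η = 4 and δ = 1 reports every condition satisfied with a modulus of roughly 235 bits; shrinking `log_q` by a few bits flips the two q lower bounds to BAD while the TrapGen condition still holds, and taking δ = 1/2 breaks \(n^{\delta} > \lceil \log q\rceil\), which shows why δ cannot be chosen independently of the modulus size.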
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Boyen, X., Li, Q. (2015). Attribute-Based Encryption for Finite Automata from LWE. In: Au, MH., Miyaji, A. (eds) Provable Security. ProvSec 2015. Lecture Notes in Computer Science(), vol 9451. Springer, Cham. https://doi.org/10.1007/978-3-319-26059-4_14
Print ISBN: 978-3-319-26058-7
Online ISBN: 978-3-319-26059-4