Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd
Upload
2 views

Attribute-Based Encryption With Fast Decryption

Uploaded by

zabith
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
2 views

Attribute-Based Encryption With Fast Decryption

Uploaded by

zabith
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 16

Attribute-Based Encryption with Fast Decryption

Susan Hohenberger and Brent Waters

May 8, 2013

Abstract
Attribute-based encryption (ABE) is a vision of public key encryption that allows users to
encrypt and decrypt messages based on user attributes. This functionality comes at a cost. In
a typical implementation, the size of the ciphertext is proportional to the number of attributes
associated with it and the decryption time is proportional to the number of attributes used dur-
ing decryption. Specifically, many practical ABE implementations require one pairing operation
per attribute used during decryption.
This work focuses on designing ABE schemes with fast decryption algorithms. We restrict
our attention to expressive systems without system-wide bounds or limitations, such as placing
a limit on the number of attributes used in a ciphertext or a private key. In this setting, we
present the first key-policy ABE system where ciphertexts can be decrypted with a constant
number of pairings. We show that GPSW ciphertexts can be decrypted with only 2 pairings by
increasing the private key size by a factor of |Γ|, where Γ is the set of distinct attributes that
appear in the private key. We then present a generalized construction that allows each system
user to independently tune various efficiency tradeoffs to their liking on a spectrum where the
extremes are GPSW on one end and our very fast scheme on the other. This tuning requires
no changes to the public parameters or the encryption algorithm. Strategies for choosing an
individualized user optimization plan are discussed. Finally, we discuss how these ideas can be
translated into the ciphertext-policy ABE setting at a higher cost.

1 Introduction
Attribute-based encryption (ABE) [18] is an expansion of public key encryption that allows users
to encrypt and decrypt messages based on user attributes. In a key-policy ABE (KP-ABE) system,
an encrypted message can be tagged with a set of attributes, such as tagging an email with the
metadata “from: Alice”, “to: IACR board”, “subject: voting”, “date: October 1, 2012”, etc. The
master authority for the system can issue private decryption keys to users including an access
policy, such as giving to Bob a decryption key that enables him to decrypt any ciphertexts that
satisfy “to: Bob” OR (“to: IACR board” AND (January 1, 2011 ≤“date” ≤ December 31, 2012)).
This access control functionality can be very powerful, but also costly. In this work, we focus on
the cost of decryption. In many key-policy ABE systems, such as that of Goyal, Pandey, Sahai and
Waters (GPSW) [13], the decryption algorithm requires one pairing for each attribute used during
decryption. (Encryption does not require any pairings, and is thus already fast by comparison.)
It seems conceivable that one might reduce the cost of decryption by making tradeoffs elsewhere.
One tradeoff we allow ourselves in this work is to increase the private key size, although we ideally
want to limit any increase as much as possible. We do not, however, consider tradeoffs that increase
the ciphertext size or that place any limitations on how the ABE system can be used. That is, we

1
focus on fast decryption for the most general setting possible – an expressive, large-universe system,
where there are no bounds on, say, the number of attributes that can appear in a ciphertext or
private key. While good progress has been made on efficient ABE in “bounded settings”, as we
discuss shortly, our focus is to develop techniques for improving efficiency in the most general
setting and for applications where it is infeasible to trade system-wide usability for performance.

Our Contributions We present the first expressive and “unbounded” key-policy ABE (KP-
ABE) system in a pairing setting, which requires only a constant number of pairings to decrypt
any ciphertext. It builds upon the GPSW system [13]. It reduces the decryption requirements to
two pairings and two exponentiations (these exponents are 1 or 0 if the access policy is a boolean
formula), while increasing the number of multiplications by a factor of |∆|, where ∆ is the set of
distinct attributes used during decryption. It also increases the private key size by a factor of |Γ|,
where Γ is the set of distinct attributes used in the private key.
We discuss several variants of this system, including a method for reducing the ciphertext size
from O(|∆|) to three group elements (in the small universe setting only) at the cost of larger
private keys. We also discuss the difficulties of achieving fast decryption for ciphertext-policy ABE
(CP-ABE) systems in an unbounded setting, as well as progress in the bounded setting.
In Section 5, we present generalized decryption and “key storage” algorithms that allow each
system user to independently tune various efficiency tradeoffs to their liking on a spectrum that
ranges from GPSW (shorter keys, slow decryption) on one end to our main KP-ABE construction
(longer keys, fast decryption) on the other. This tuning requires no changes to the setup, encryption
or key generation algorithms of our base construction. Rather, it is managed transparently by each
user, who can choose among many possible decryption algorithms where the amount of her private
key that she needs to securely store scales accordingly. We conclude with some strategies for
choosing an individualized user optimization plan.

1.1 Related Work


To our knowledge, the only prior work to achieve constant pairings in decryption for an expressive
KP-ABE system is that of Attrapadung, Herranz, Laguillaumie, Libert, de Panafieu and Ráfols [3,
2]. The goal of their work was on achieving short ciphertexts. They were able to achieve very
short ciphertexts (constant number of group elements) using novel applications of aggregation
techniques that have roots in those used to achieve hierarchical identity-based encryption [14, 11]
with constant size ciphertexts by Boneh, Boyen and Goh [6] and those used to achieve practical
broadcast encryption by Boneh, Gentry and Waters [8]. Our ideas begin at this starting point as
well. However, Attrapadung et al. brought in an inner product instance as a base building block
which fundamentally demands a bound, n, on the maximum number of attributes that can appear
in a ciphertext. This choice of n forces a tradeoff between flexibility and performance.
One needs to set n high to cover the “worst” case even if the typical encryption uses far fewer
attributes. Unfortunately, their private key size blows up by a factor of n, whereas our key size
only increases by a factor of the number of distinct attributes used in that particular key. Moreover,
for a ciphertext that encrypts with |S| attributes, they have an added cost of |S| exponentiations
during decryption. This could be very costly in some situations. Suppose Alice has the key policy
(A1 AND A2 ) and receives a ciphertext with many attributes A1 , A2 , . . . , A1000 . In their system,
Alice must do 1000 exponentiations, which is actually much worse than if she was only required to

2
do one pairing per attribute used in decryption.1
This work aims to avoid these “worst case” penalties. In particular, we want that a user’s key
size be related to the complexity of her key. In their scheme, it grows with n. In decryption, the
computational cost should be related to how many rows of the LSSS one must use. In their scheme,
the number of exponentiations grows with the number of attributes in the ciphertext. This is a
tradeoff relative to GPSW [13]. Finally, in their scheme, the number of multiplications is roughly
|I| · |S|, the number of rows used in decryption times the number of attributes in a ciphertext. Ours
is |I| · |∆|, the number of rows used in decryption times the number of distinct attributes used in
decryption. Note that |∆| ≤ |S|.
While we have pointed out some of the areas for improvement in Attrapadung et al. for compar-
ison’s sake, we do wish to stress that this was a pioneering work that showed that short ciphertexts
and fast decryption was possible at all for KP-ABE. We also refer the reader to that work for an
excellent summary of the efficiency of prior ABE schemes. Our work compliments theirs by taking
the study of fast decryption for ABE into the unbounded realm with tighter growth.
We note that Identity-Based Encryption [19, 7, 10] was an early forerunner of ABE and several
technique from IBE impact ABE systems. Finally, in this work, we only consider selective secu-
rity [9], however, we believe our techniques could apply to more recent systems proven adaptively
secure using dual system encryption [15, 17].

2 Background
This section covers background information. We make use of the standard definitions for access
structures and linear secret sharing schemes (LSSS), as well as the conventions and notation for
these employed in several prior ABE works. These are included in Appendix A for reference.

2.1 Definitions of Security for Key Policy ABE Schemes


Definition 2.1 (KP-ABE Algorithm Specification) A key-policy attribute-based encryption
system for message space M and access structure space G is a tuple of the following algorithms:

Setup(λ, U ) → (PK, MK). The setup algorithm takes as input a security parameter λ and a uni-
verse description U , which defines the set of allowed attributes in the system. It outputs the
public parameters PK and the master secret key MK.
Encrypt(PK, M, S) → CT. The encryption algorithm takes as input the public parameters PK, a
message M and a set of attributes S and outputs a ciphertext CT associated with the attribute
set.
KeyGen(MK, A) → SK. The key generation algorithm takes as input the master secret key MK
and an access structure A and outputs a private key SK associated with the attributes.
Decrypt(SK, CT) → M . The decryption algorithm takes as input a private key SK associated with
access structure A and a ciphertext CT associated with attribute set S and outputs a message
M if S satisfies A or the error message ⊥ otherwise.

The correctness property requires that for all sufficiently large λ ∈ N, all universe descriptions
U , all (PK, MK) ∈ Setup(λ, U ), all S ⊆ U , all SK ∈ KeyGen(MK, A), all M ∈ M, all A ∈ G and
all CT ∈ Encrypt(PK, M, S), if S satisfies A, then Decrypt(SK, CT) outputs M .
1
The polynomial related to Y in their construction grows with the number of attributes in the ciphertext.

3
Security Model for KP-ABE Let Π = (Setup, Encrypt, KeyGen, Decrypt) be a KP-ABE scheme
for message space M and access structure space G, and consider the following experiment for an
adversary A, parameter λ and attribute universe U :

The KP-ABE experiment KP-ABE-ExpA,Π (λ, U ):

Setup. The challenger runs the Setup algorithm and gives the public parameters, PK to the
adversary.
Phase 1. The challenger initializes an empty table T , an empty set D and an integer counter
j = 0. Proceeding adaptively, the adversary can repeatedly make any of the following queries:
• Create(A): The challenger sets j := j + 1. It runs the key generation algorithm on A to
obtain the private key SK and stores in table T the entry (j, A, SK).
Note: Create can be repeatedly queried with the same input.
• Corrupt(i): If there exists an ith entry in table T , then the challenger obtains the entry
(i, A, SK) and sets D := D ∪ {A}. It then returns to the adversary the private key SK.
If no such entry exists, then it returns ⊥.
• Decrypt(i, CT): If there exists an ith entry in table T , then the challenger obtains the
entry (i, A, SK) and returns to the adversary the output of the decryption algorithm on
input (SK, CT). If no such entry exists, then it returns ⊥.
Challenge. The adversary submits two equal length messages M0 and M1 . In addition the
adversary gives a set of attributes S ∗ such that for all A ∈ D, the set S ∗ does not satisfy the
access structure A. The challenger flips a random coin b, and encrypts Mb under S ∗ . The
resulting ciphertext CT∗ is given to the adversary.
Phase 2. Phase 1 is repeated with the restrictions that the adversary cannot
• trivially obtain a private key for the challenge ciphertext. That is, it cannot issue a
Corrupt query that would result in an access structure A which S ∗ satisfies being added
to D.
• issue a decryption query on the challenge ciphertext CT∗ .
Guess. The adversary outputs a guess b0 of b. The output of the experiment is 1 if and only if
b = b0 .

Definition 2.2 (KP-ABE Security) A KP-ABE scheme Π is CCA-secure (or secure against
chosen-ciphertext attacks) for attribute universe U if for all probabilistic polynomial-time adver-
saries A, there exists a negligible function negl such that:
1
Pr[KP-ABE-ExpA,Π (λ, U ) = 1] ≤ + negl (λ).
2

CPA Security. We say that a system is CPA-secure (or secure against chosen-plaintext attacks)
if we remove the Decrypt oracle in both Phase 1 and 2.

Selective Security. We say that a system is selectively secure if we add an Init stage before Start
where the adversary outputs the challenge attribute set S ∗ (instead of waiting until Challenge).

4
2.2 Bilinear Maps
Let G and GT be two multiplicative cyclic groups of prime order p. Let g be a generator of G
and e : G × G → GT be a bilinear map with the properties: (1) Bilinearity: for all u, v ∈ G and
a, b ∈ Zp , we have e(ua , v b ) = e(u, v)ab and (2) Non-degeneracy: e(g, g) 6= 1. We say that G is a
bilinear group if the group operation in G and the bilinear map e : G × G → GT are both efficiently
computable. We now state an assumption used in the constructions.

Definition 2.3 (Decisional BDHE [6]) Let a, s ∈ Zp be chosen at random and g be a generator
of group G of prime order p ∈ Θ(2λ ). The decisional q-BDHE assumption is that all probabilistic
polynomial-time algorithms A given the vector ~y =
q q+2 ) 2q )
G, p, g, g s , g a , . . . , g (a ) , g (a , . . . , g (a
q+1 s
have an advantage negligible in λ of distinguishing e(g, g)a ∈ GT from a random element in
R ∈ GT . The advantage of A is defined as
h q+1
i
Pr A ~y , e(g, g)a s ) = 0 − Pr A ~y , R = 0
  

where the probability is taken over the random choice of a, s in Zp , R in GT and the generator g,
and the random bits consumed by A.

3 ABE with Fast Decryption


3.1 The Base Construction: Small Universe KP-ABE
We first describe a system for a small universe U of attributes, where |U | is a polynomial in 1λ , and
the attributes are the integers 1, . . . , U . Subsequently, we will describe how to alter this construction
to accommodate a large universe U = {0, 1}∗ of attributes in the random oracle model. When we
refer to our base construction in a setting where large universes are assumed, we mean this close
variant. The message space is GT .

Setup(λ, U ) → (PK, MK). The setup algorithm first chooses a bilinear group G of prime order
p ∈ Θ(2λ ). It selects a random generator g ∈ G. It next selects random values h1 , . . . , h|U | ∈ G and
α ∈ Zp . It then sets the keys as:

PK = (G, p, g, e(g, g)α , h1 , . . . , h|U | ), MK = (PK, α).

Encrypt(PK, M, S) → CT. The encryption algorithm takes as input the public parameters PK,
a message M ∈ GT to encrypt, and a set of attributes S. It chooses a random s ∈ Zp . The
ciphertext is published as CT = (S, C, Ĉ, {Cx }) where

C = M · e(g, g)αs , Ĉ = g s , {Cx = hsx }x∈S .

5
KeyGen(MK, A) → SK. The key generation algorithm takes as input the master secret key and
an LSSS access structure (W, ρ). Let W be an ` × n matrix. The function ρ associates rows of
W to attributes. Let Γ denote the set of distinct attributes the appear in the access structure
matrix W ; that is, Γ = {d : ∃i ∈ [1, `], ρ(i) = d}. The algorithm first chooses a random vector
~v = (α, y2 , ..., yn ) ∈ Znp . These values will be used to share the master secret α. For i = 1 to `, it
calculates λi = ~v · Wi , where Wi is the vector corresponding to the ith row of W . In addition, the
algorithm chooses random r1 , . . . , r` ∈ Zp . It sets the private key SK as:

PK, (D1 = g λ1 · hrρ(1)


1
, R1 = g r1 , ∀d ∈ Γ/ρ(1), Q1,d = hrd1 ), . . . ,
r`
(D` = g λ` · hρ(`) , R` = g r` , ∀d ∈ Γ/ρ(`), Q`,d = hrd` ).

In our notation above, we slightly abuse the set minus notation, and by Γ/x, where Γ is a set and
x is a single element, we mean Γ/{x}; i.e., the set Γ with the element x removed if present.
These keys contain GPSW [13] keys with the addition of the “helper values” Qi,d . The key size
is proportional to |Γ| · `, which is the number of distinct attributes that appear in the access matrix
times the number of rows in the matrix. Since |Γ| ≤ `, we have |Γ| · ` ≤ `2 .

Decrypt(SK, CT) → M . The decryption algorithm takes as input a key SK = (PK, (D1 , R1 , {Q1,d }),
. . . , (D` , R` , {Q`,d })) for access structure (W, ρ) and a ciphertext CT = (C, Ĉ, {Cx }x∈S ) for set S.
Let W be an ` × n matrix. The function ρ associates rows of W to attributes. If S does not
satisfy the access structure, it outputs ⊥. Suppose that S satisfies the access structure and let
I ⊆ {1, 2, . . . , `} be a set of indices and {ωi }i∈I ∈ Zp be a set of constants such that:

1. For all i ∈ I, ρ(i) ∈ S.


P
2. i∈I ωi · Wi = (1, 0, 0, . . . , 0).

We then define ∆ = {x : ∃i ∈ I, ρ(i) = x}. That is, I is the set of indices corresponding to the rows
used in one possible way to decrypt the ciphertext and ∆ is the set of distinct attributes associated
with these rows. In general, there can be multiple such I that satisfy the above constraints.
Typically, one will wish to minimize the size of I. Note that ∆ ⊆ S, where S is the attributes used
to encrypt the ciphertext, and ∆ ⊆ Γ, the set of attributes used to create the private key.
Next we define the function f which transforms a set of attributes into an element of G as:
Y
f (∆) = hx .
x∈∆

To decrypt, the algorithm will first do a pre-processing step on the private key. For each i ∈ I, it
will compute the value
Y
D̂i = Di · Qi,x = g λi f (∆)ri .
x∈∆/ρ(i)

Next, the algorithm will do a pre-processing step on the ciphertext by computing the value
Y Y
L= Cx = hsx = f (∆)s .
x∈∆ x∈∆

6
The algorithm now recovers the value e(g, g)αs by computing
Y ω Y
e(Ĉ, D̂i i )/e( Riωi , L) =
i∈I i∈I
Y Y
s λi ωi ri ωi
e(g , g f (∆) )/e( g ri ωi , f (∆)s ) =
i∈I i∈I
P P
αs s r i ωi
e(g, g) · e(g, f (∆)) i∈I /e(g, f (∆))s i∈I ri ωi
= e(g, g)αs .

The decryption algorithm can then divide out this value from C and obtain the message M . The
decryption algorithm requires the computation of only two pairing operations.

3.2 Efficiency and Tradeoffs


The main feature of the above scheme is that decryption only requires two pairings. While decryp-
tion also requires two exponentiations per row used, if the LSSS is derived from an AND/OR tree
then the exponents wi will be 1. (That is, they will be either 0 or 1, but the wi = 0 rows should
not be used.) Thus, decryption can be very fast. There are two tradeoffs:

1. The private key size and generation time blows up by roughly a factor of |Γ| compared to
GPSW, where Γ is the set of distinct attributes used in making the key.

2. Decryption reduces the number of pairings, but requires modular multiplications of roughly a
factor of |∆| compared to GPSW, where ∆ is the set of distinct attributes used in decryption.

Thus, while there is a blow-up, this increase is tied only to the number of distinct attributes
“touched” by the corresponding operation, and not by a global bound. Depending on the appli-
cation, one should take into consideration whether the blow up in key size is worth it. Moreover,
the decryption time could actually increase over GPSW [13] once ∆ becomes sufficiently large.
However, it would have to be so large that 2 pairings plus |I| · |∆| multiplications dominates |∆|
pairings and |I| multiplications. As one benchmark, it required 8.22ms to compute a pairing for a
BN256 curve with the RELIC library on a modern PC while roughly 0.0034ms to compute a mod-
ular multiplication. Thus, in a setting where |I| = |∆| (the number of rows of the access matrix
touched during decryption is the same as the number of distinct attributes touched), the decryption
algorithm would need to touch over 2416 distinct attributes before GPSW would be faster. Should
this occur, however, it is worth noting that the above private keys actually contain a GPSW key;
thus, if this threshold was ever reached, one could revert back to doing GPSW decryption.
We summarize the comparison of GPSW and our construction in Figure ??. In Section 5, we
will provide a generalized construction for finer-grained tradeoff optimization.

3.3 Large Universe Realizations


The construction in Section 3.1 can be transformed so that any string can be a valid attribute; that
is, U = {0, 1}∗ , as follows: Assume that all parties have access to a hash function H : {0, 1}∗ → G,
which will be treated as a random oracle. Remove the values h1 , . . . , h|U | from the public parameters
PK. For any attribute x ∈ {0, 1}∗ , define the value hx = H(x). Otherwise, follow the construction
as written. Thus, the efficiency is the same, modulo additional hash function evaluations. Regarding
the proof of security, let q be the maximum number of unique queries made to the random oracle.

7
Then, this large universe construction is selectively, CPA-secure under the Decisional q-BDHE
assumption in the random oracle model. The proof will follow the outline of that in Section 4
except that Setup no longer outputs any hx values and instead B must simulate the random oracle
as follows. It should initialize an empty table TRO at the beginning of the experiment. On each
query for attribute x to the random oracle, B should first look to see if x is in TRO and if so, return
the value associated with it.
If x is not in TRO , B creates a new table entry (x, i, hx ) for it as follows. Let i be the number
of unique attributes queried to the random oracle (including x) at the time of this query. Let zx
be a random value in Zp . Then set
(
g zx if x ∈ S ∗ ;
hx := i
g zx g a if x 6∈ S ∗ .
An interesting question is whether one can achieve fast decryption for a large universe in the
standard model. Lewko and Waters [16] gave a large universe construction for KP-ABE in the
standard model. However, their technique requires that each attribute in the ciphertext have some
“local” randomness associated with it. This does not work with our methods here which leverage
the fact that there is only one random exponent that propagates through the ciphertext.

3.4 Short Ciphertext Realizations


In Section 3.1, we focused on optimizing decryption time. For some applications where bandwidth
or storage space is a practical concern, one might prefer to optimize on ciphertext size. In the small
universe construction, we can compress the ciphertext into only three group elements (as opposed
to 2 + |S| group elements in Section 3.1) plus the description of the attribute set S. The main
tradeoff is that private key sizes must scale by a factor of the size |U | of the universe (compared to
GPSW [13]), as opposed to scaling by only Γ as above.
We now sketch the main idea. During encryption, instead of including the Q set {Cx = hsx }x∈S
in the ciphertext, it now includes the product of these values, the “aggregate” x∈S Cx = f (S)s .
Thus, the ciphertext contains three group elements of the form:
Y
C = M · e(g, g)αs , Ĉ = g s , Cx = f (S)s .
x∈S

When generating the private key, replace Γ with U ; that is, instead of only having “helper values”
Qi,x for attributes x used in the access matrix, one now must include helpers for any attribute in
the universe. This will allow the decryptor to handle an aggregate of any set of attributes. Thus,
following the setup as before, the private keys are of the form:
PK, (D1 = g λ1 · hrρ(1)
1
, R1 = g r1 , ∀d ∈ U/ρ(1), Q1,d = hrd1 ), . . . ,
(D` = g λ` · hrρ(`)
`
, R` = g r` , ∀d ∈ U/ρ(`), Q`,d = hrd` ).

The key size is proportional to |U | · `, which is size of the attribute universe times the number of
rows in the matrix. Due to the dependence on |U |, this aggregation unfortunately only works for
small universes of attributes.
Finally, run the decryption algorithm as it is written, but understand that ∆ will always be S
due to the aggregate. This will increase the number of modular multiplications over Section 3.1,
but not the number of pairings.

8
3.5 CP-ABE Variants
One might consider trying to apply these techniques in the CP-ABE setting [5, 12] by analogously
modifying an “unrestricted” CP-ABE construction, such as Waters [20, Section 3]. A natural
analogy would arise in a CP-ABE system where the ciphertext size and encryption time blows
up by a factor of X, where X is the number of distinct attributes used in the ciphertext access
structure. In some applications, one might consider this to be a less palatable tradeoff. That is,
one might not be willing to increase the transmission costs (i.e., ciphertext size) and encryption
time, even if it meant faster decryption times.
We note, however, that if one is willing to consider “bounded” systems, where a value kmax can
be set system-wide as the maximum number of times a single attribute can appear in a particular
formula (or access structure), then one can achieve fast decryption without an increase in ciphertext
size or encryption time. One such example is the CP-ABE construction of Waters [20, Section 5].
The critical part of the decryption algorithm appears in that paper as
!
Y
e(C 0 , K)/ (e(Ci , L) · e(C 0 , Kρ(i) ))ωi
i∈I

which seems to require a non-constant (2|I| + 1) pairings. However, this equation is identical to:

e( Ci−ωi , L) · e(C 0 , K
Y Y −ω
Kρ(i)i )
i∈I i∈I

which requires only two pairings. The observation that this bounded scheme offers fast decryption
was previously made in its Charm [1] implementation.

4 Proof of the Base Construction


Theorem 4.1 (Security of the Small Universe KP-ABE) The KP-ABE scheme Π in Sec-
tion 3.1 for attribute universe U is selectively secure against chosen-plaintext attacks under the
Decisional |U |-BDHE assumption in G.

Proof. Let U be an attribute universe, where |U | is a polynomial in 1λ . For notational conve-


nience, we will assume each of the |U | attributes is a unique integer between 1 and |U |.2 Next
suppose there exists a PPT adversary A that causes the selective, CPA security experiment KP-
ABE-Expsel-CPA
A,Π (λ, U ) to output 1 with non-negligible probability. Then, we can construct a PPT
adversary B that violates the Decisional |U |-BDHE assumption in G as follows:

Init: A outputs a set S ∗ of attributes for the challenge ciphertext.


Setup: B receives the Decisional |U |-BDHE challenge input
|U | ) |U |+2 ) 2|U | )
(G, p, g, g s , g a , . . . , g (a , g (a , . . . , g (a ,P)
2
A more proper notation would define an injective function t() mapping attributes to integers from 1 to |U | and
then wherever we refer to an attribute x to instead refer to t(x). However, this is more cumbersome.

9
0
for security parameter λ. It chooses random α0 , z1 , . . . , z|U | ∈ Zp and sets e(g, g)α := e(g, g)α ·
|U |
e(g a , g a ) (implicitly defining α as (α0 + a|U |+1 )) and
(
g zx if x ∈ S ∗ ;
for x ∈ [1, |U |], sets hx := x
g zx g a 6 S∗.
if x ∈

It sets the public parameters PK as (G, p, g, e(g, g)α , h1 , . . . , h|U | ) and sends them to A. Note
that all parameters are well distributed due to the α0 and zx values.
Phase 1: B initializes an empty table T , an empty set D and a counter j = 0. B responds to A’s
queries as follows:
1. Create(A): B sets j := j + 1. It parses A as (W, ρ), where W is an ` × n matrix. B
will now work in two steps. First, it will create a valid private key, but not necessarily a
well-distributed one. Then, it will re-randomize the key to ensure it is well distributed.
Let K be the set of rows where the attributes are in S ∗ (i.e., for i ∈ K, ρ(i) ∈ S ∗ .) and K 0 be
the rows where attributes are not in S ∗ (i.e., K 0 = [1, `]/K). Define an n dimensional vector
~v over Zp . Let v1 = 1 (i.e., first element of ~v is 1) and for all i ∈ K, ~v · Wi = 0. (Here Wi
is the n-dimensional vector that is row i of the matrix W .) To see that this is well-defined,
consider that since S ∗ does not satisfy W , it must be the case that (1, 0, 0..., 0) is not in the
span of rows Wi for i ∈ K. It then follows from linear algebra that such a vector ~v exists.
Next, B will make a private key for secret sharing with the vector α~v (i.e., the vector ~v with
all the components scaled up by α.) This shares the secret α since v1 = 1, although the key
may not be well distributed. This will be addressed later through re-randomization. The
shares λi for i ∈ [1, `] are computed as (α~v ) · Wi .
For i ∈ K, we have that all components are just the identity element (recall that the key
is not re-randomized yet; we add the hx components in shortly with the randomization):
Di = Ri = Hi,x = g 0 for x ∈ Γ (recall Γ is the set of distinct attributes used in key
generation). This follows because for all i ∈ K, λi = 0.
For i ∈ K 0 , we first compute ci = ~v · Wi . Note that λi = ci · α = ci · (α0 + a|U |+1 ). To
(|U |+1)−ρ(i)
produce these key components, we need a cancellation technique. Set Ri = g −ci a ,
which implicitly defines ri = −ci · a(|U |+1)−ρ(i) . This is computable from B’s challenge input
since ρ(i) is between 1 and |U |. Set
0
Di = g ci α · Rizi
0 (|U |+1)−ρ(i)
= g ci α · g −zi ci a
0 |U |+1 (|U |+1)−ρ(i) |U |+1
= g ci α · g ci a · g −zi ci a · g −ci a
ρ(i)
= g ci α · (g zi )ri · (g a )ri
= g ci α · hrρ(i)
i

Next, we turn to computing the helper values. For all x ∈ Γ/ρ(i), set Qi,x = hrxi by computing
as follows:
( (|U |+1)−ρ(i)
ri (g zx )ri = g −zx ci a if x ∈ S ∗ ;
hx := x (|U |+1)−ρ(i) (|U |+1)−ρ(i)+x
(g zx )ri · (g a )ri = g −zx ci a · g −ci a if x 6∈ S ∗ .

This last part is computable since ρ(i) 6= x for the helper values and recall that the zx values
were chosen by B during Setup.

10
At this point, B has constructed the components of a valid private key. Next, we give a
public-key re-randomization algorithm that can be applied by B to any valid private key,
before it sends the key to A. To re-randomize, choose random y2 , ..., yn ∈ Zp . Consider the
vector (0, y2 , y3 , ..., yn ). This will be used to secret share 0 to re-randomize the key. Let
λ0i = (0, y2 , y3 , ..., yn ) · Wi for i ∈ [1, `].
0
For all i ∈ [1, `], the first step to re-randomization is to let Di# := Di · g λi . The next step is
to re-randomize all the ri values, which are used in all key components. To do this, choose a
fresh ri0 ∈ Zp and set
r0 0 r0
Di0 := Di# · hρ(i)
i
Ri0 := Ri · g ri Q0i,x := Qi,x · hxi , ∀x ∈ Γ/ρ(i)

We claim that the above re-randomization procedure correctly re-randomizes any “valid”
key. A valid key is one which is generated from some sharing of α, but not necessarily a well
distributed one. The above algorithm propagates new random values r10 , . . . , r`0 completely
through all key components, and then also generates a fresh secret sharing for α used in
D10 , . . . , D`0 . This properly redistributes the only variable parts of the key. That is the
distribution after applying this transformation to any valid key with policy (W, ρ) has the
same distribution as a fresh key generated by running KeyGen for (W, ρ).
2. Corrupt(i): If there exists an ith entry in table T , then B obtains the entry (i, A, SK) and
sets D := D ∪ {A}. It then sends SK to A. If no such entry exists, then it returns ⊥.
Challenge: A outputs two messages M0 , M1 and B chooses a random bit b. B then constructs
and sends to A the challenge ciphertext

CT∗ = (C ∗ := Mb · P, C 0 := g s , ∀x ∈ S ∗ , Cx∗ := (g s )zx ).

Phase 2: B responds to A’s queries in the same manner as in Phase 1, except that it refuses to
answer any Corrupt query that would result in an access structure A which S ∗ satisfies being
added to D.
|U |+1 s
Guess: Eventually, A outputs a bit b0 . If b = b0 , then B outputs 0 (guessing that P = e(g, g)a ),
else it outputs 1 (guessing that P is random.)

Thus, B’s responses to A are distributed identically as in the KP-ABE-Expsel-CPA


A,Π (λ, U ) experi-
ment. Whenever A causes the output of this experiment to be 1, B will also correctly answer its
Decisional BDHE challenge.


5 Exploring a Spectrum of Efficiency Tradeoffs


We now focus on the tradeoff between private key size and decryption time. We generalize the
construction ideas of the last section to give a spectrum of possible “unbounded” schemes, where
GPSW is one extreme and Section 3 (longer keys, faster decryption) is the other. We do this in
two steps. We first present a generalized decryption algorithm. We then show how the size of the
private key scales depending on how one chooses to take advantage of this generalized decryption
algorithm. We conclude with strategies for keeping both key size and decryption time low.

11
5.1 A Generalized Decryption Algorithm
To begin, we present a generalized decryption algorithm for the GPSW ciphertexts (which are the
same as the encryption algorithm presented in Section 3.1). The main idea is to break ∆ (the set of
distinct attributes associated with the rows of the access matrix used in one chosen way to decrypt
the ciphertext) into y disjoint subsets ∆1 , ∆2 , . . . , ∆y . Recall that we defined the function f as
Y
f (∆) = hx ∈ G.
x∈∆

Further, let us establish the notation for a function w that (informally) takes in a attribute and
outputs which set the attribute is in. More formally, let w : ∆ → [1, y] be a map such that w(x) = j
if and only if x ∈ ∆j .
The decryption algorithm then proceeds as follows. For each i ∈ I, it will compute the value
Y
D̂i = Di · Qi,x = g λi f (∆w(ρ(i)) )ri .
x∈∆w(ρ(i)) /ρ(i)

Next, for each j ∈ [1, y], it will compute the value


Y Y
Lj = Cx = hsx = f (∆j )s .
x∈∆j x∈∆j

The algorithm now recovers the value e(g, g)αs by computing


 
Y ω y
Y Y
e(Ĉ, D̂i i )/  e( Riωi , Lj ) .
i∈I j=1 i:ρ(i)∈∆i

The decryption algorithm can then divide out this value from C and obtain the message M .
We observe that this will take (1 + y) pairings and roughly |∆1 |2 + |∆2 |2 + · · · + |∆y |2 modular
multiplications. (Recall that the ωi values will be either 0 or 1 when the access structure is a
boolean formula, so no exponentiations come into play in this case.) Thus, when y = 1, we have
the scheme from Section 3.1 (which can be trivially extended to large universes in the random
oracle model as shown in Section 3.3) and when y = |∆|, this corresponds to GPSW.

5.2 Reducing Private Key Overhead


At this point, the private key still contains “helper” values such that each of the ` rows has helpers
for all other attributes in ∆. However, we can reduce the size of the private key by eliminating all
helper values Qi,x where where attribute ρ(i) ∈ ∆d , attribute x ∈ ∆d0 and d 6= d0 , i.e., where the two
attributes were separated into distinct subsets. This is because only helpers within subsets will be
used in the generalized decryption algorithm. We note that the security of the base system trivially
implies security of this system, since for each private key in this reduced setting the components
given out are a strict subset of the private key components in the base system.

12
5.3 Different Tradeoff Strategies
We now discuss how one might take advantage of the generalized algorithm and corresponding
private key reduction. The choice of y and the subsets ∆1 , . . . , ∆y is critical to the decryption
performance of a particular user. Roughly, one expects decryption time to increase with y, but the
size of the private key to decrease as the size of each ∆i decreases. However, a nice feature of this
approach is that each user can tune their own performance based on how they think they are likely
to use their private key. A user might choose to retain her entire private key on her PC, but upload
only a portion of her private key to her mobile device (where secure storage may be more limited.)

1. Group attributes by expected ciphertext attributes. Group together any attributes that are
likely to appear together in a ciphertext, such as attributes relating to a certain work project,
activity, role or time period. For instance, one might group together the attributes “cryptog-
raphy”, “encryption”, and “pairings” and form a distinct group for the attributes “audubon”,
“peregrine falcon”, “glaucous gull”. Of course, the subsets of ∆ need not be distinct3 and it
could be more efficient to place an attribute into two or more groups, but this should be done
with care or the decryption time will increase without reducing the private key size.

2. Group attributes by observing the private key. It may be possible to deduce from the access
structure which attributes are likely to be used together during decryption. For instance,
suppose the structure is a formula and the only time that attributes A and B appear, they
appear as “A AND B”. Then clearly one should place A and B into the same group ∆i .

3. Break into y equal sized subsets of attributes. One could also try the simple approach of
choosing a y and randomly creating y equal-sized subsets. In many practical applications,
the average overhead incurred on future ciphertexts would be dependent on the overhead
from past ciphertexts, so one could try a random setting and then observe performance.

4. Benchmark and set experimentally. One can also imagine starting with any combination of
the three above techniques and then applying machine learning tools to evolve to a good
balance point for any particular user.

We leave an evaluation of these strategies and their performance as an interesting open problem.

Acknowledgments
The authors thank Matthew Green for helpful input and discussions and the anonymous reviewers
for helpful comments. This work was performed while the authors were at Zeutro, LLC.

References
[1] J Ayo Akinyele, Gary Belvin, Christina Garman, Matthew Pagano, Michael Rushanan, Paul
Martin, Ian Miers, Matthew Green, and Avi Rubin. Charm: A tool for rapid cryptographic
prototyping. Available from http://www.charm-crypto.com/, 2012.
3
If the subsets are not distinct, then one needs to generalize the function w to output a subset of indices.

13
[2] Nuttapong Attrapadung, Javier Herranz, Fabien Laguillaumie, Benoı̂t Libert, Elie de Panafieu,
and Carla Ràfols. Attribute-based encryption schemes with constant-size ciphertexts. Theor.
Comput. Sci., 422:15–38, 2012.

[3] Nuttapong Attrapadung, Benoı̂t Libert, and Elie de Panafieu. Expressive key-policy attribute-
based encryption with constant-size ciphertexts. In Public Key Cryptography, pages 90–108,
2011.

[4] Amos Beimel. Secure Schemes for Secret Sharing and Key Distribution. PhD thesis, Israel
Institute of Technology, Technion, Haifa, Israel, 1996.

[5] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryp-
tion. In IEEE Symposium on Security and Privacy, pages 321–334, 2007.

[6] Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical identity based encryption with
constant size ciphertext. In EUROCRYPT, pages 440–456, 2005.

[7] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. In
CRYPTO, pages 213–229, 2001.

[8] Dan Boneh, Craig Gentry, and Brent Waters. Collusion resistant broadcast encryption with
short ciphertexts and private keys. In CRYPTO, pages 258–275, 2005.

[9] Ran Canetti, Shai Halevi, and Jonathan Katz. A forward-secure public-key encryption scheme.
In EUROCRYPT, pages 255–271, 2003.

[10] Clifford Cocks. An identity based encryption scheme based on quadratic residues. In IMA Int.
Conf., pages 360–363, 2001.

[11] Craig Gentry and Alice Silverberg. Hierarchical id-based cryptography. In ASIACRYPT, pages
548–566, 2002.

[12] Vipul Goyal, Abishek Jain, Omkant Pandey, and Amit Sahai. Bounded ciphertext policy
attribute-based encryption. In ICALP, 2008.

[13] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for
fine-grained access control of encrypted data. In ACM Conference on Computer and Commu-
nications Security, pages 89–98, 2006.

[14] Jeremy Horwitz and Ben Lynn. Toward hierarchical identity-based encryption. In EURO-
CRYPT, pages 466–481, 2002.

[15] Allison Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters.
Fuzzy identity-based encryption. In EUROCRYPT, 2010.

[16] Allison B. Lewko and Brent Waters. Unbounded HIBE and attribute-based encryption. In
EUROCRYPT, pages 547–567, 2011.

[17] Tatsuaki Okamoto and Katsuyuki Takashima. Fully secure functional encryption with general
relations from the decisional linear assumption. In CRYPTO, pages 191–208, 2010.

14
[18] Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In EUROCRYPT, pages
457–473, 2005.

[19] Adi Shamir. Identity-based cryptosystems and signature schemes. In CRYPTO, pages 47–53,
1984.

[20] Brent Waters. Ciphertext-policy attribute-based encryption: An expressive, efficient, and


provably secure realization. In PKC, pages 53–70, 2011.

A Access Structures and Notation


A.1 Access Structures
Definition 1 (Access Structure [4]) Let {P1 , P2 , . . ., Pn } be a set of parties. A collection
A ⊆ 2{P1 ,P2 ,...,Pn } is monotone if ∀B, C : if B ∈ A and B ⊆ C then C ∈ A. An access structure
(respectively, monotone access structure) is a collection (resp., monotone collection) A of non-empty
subsets of {P1 , P2 , . . . , Pn }, i.e., A ⊆ 2{P1 ,P2 ,...,Pn } \{∅}. The sets in A are called the authorized sets,
and the sets not in A are called the unauthorized sets.

In our context, the role of the parties is taken by the attributes. Thus, the access structure
A will contain the authorized sets of attributes. We restrict our attention to monotone access
structures. However, it is also possible to (inefficiently) realize general access structures using our
techniques by defining the “not” of an attribute as a separate attribute altogether. Thus, the
number of attributes in the system will be doubled. From now on, unless stated otherwise, by an
access structure we mean a monotone access structure.

A.2 Linear Secret Sharing Schemes


The construction will use linear secret sharing schemes, as slightly adapted from Beimel [4]:

Definition 2 (Linear Secret-Sharing Schemes (LSSS)) A secret-sharing


scheme Π over a set of parties P is called linear (over Zp ) if

1. The shares of the parties form a vector over Zp .

2. There exists a matrix M with ` rows and n columns called the share-generating matrix for
Π. There exists a function ρ which maps each row of the matrix to an associated party. That
is for i = 1, . . . , `, the value ρ(i) is the party associated with row i. When we consider the
column vector v = (s, r2 , . . . , rn ), where s ∈ Zp is the secret to be shared, and r2 , . . . , rn ∈ Zp
are randomly chosen, then M v is the vector of ` shares of the secret s according to Π. The
share (M v)i belongs to party ρ(i).

It is shown in [4] that every linear secret sharing-scheme according to the above definition also
enjoys the linear reconstruction property, defined as follows: Suppose that Π is an LSSS for the
access structure A. Let S ∈ A be any authorized set, and let I ⊆ {1, 2, . . . , `} be defined as
I = {i : ρ(i) ∈ S}. Then, there existP constants {ωi ∈ Zp }i∈I such that, if {λi } are valid shares of
any secret s according to Π, then i∈I ωi λi = s. It is shown in [4] that these constants {ωi } can
be found in time polynomial in the size of the share-generating matrix M .

15
Like any secret sharing scheme, it has the property that for any unauthorized set S ∈
/ A, the
secret s should be information theoretically hidden from the parties in S.
Note on Convention. We use the convention that vector (1, 0, 0, . . . , 0) is the “target” vector for
any linear secret sharing scheme. For any satisfying set of rows I in M , we will have that the target
vector is in the span of I.
For any unauthorized set of rows I the target vector is not in the span of the rows of the set I.
Moreover, there will exist a vector w such that w · (1, 0, 0 . . . , 0) = −1 and w · Mi = 0 for all i ∈ I.
Using Access Trees. Some prior ABE works (e.g., [13]) described access formulas in terms of
binary trees. Using standard techniques [4] one can convert any monotonic boolean formula into
an LSSS representation. An access tree of ` nodes will result in an LSSS matrix of ` rows.

16

You might also like