Theory of Cryptography Conference

TCC 2016: Theory of Cryptography pp 330-360

Targeted Homomorphic Attribute-Based Encryption

  • Zvika Brakerski
  • David Cash
  • Rotem Tsabary
  • Hoeteck Wee
Conference paper

DOI: 10.1007/978-3-662-53644-5_13

Volume 9986 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Brakerski Z., Cash D., Tsabary R., Wee H. (2016) Targeted Homomorphic Attribute-Based Encryption. In: Hirt M., Smith A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science, vol 9986. Springer, Berlin, Heidelberg

Abstract

In (key-policy) attribute-based encryption (ABE), messages are encrypted respective to attributes x, and keys are generated respective to policy functions f. The ciphertext is decryptable by a key only if \(f(x)=0\). Adding homomorphic capabilities to ABE is a long-standing open problem, with current techniques only allowing compact homomorphic evaluation on ciphertexts respective to the same x. Recent advances in the study of multi-key FHE also allow cross-attribute homomorphism with ciphertext size growing (quadratically) with the number of input ciphertexts.

We present an ABE scheme where homomorphic operations can be performed compactly across attributes. Of course, decrypting the resulting ciphertext needs to be done with a key respective to a policy f with \(f(x_i)=0\) for all attributes involved in the computation. In our scheme, the target policy f needs to be known to the evaluator; we call this targeted homomorphism. Our scheme is secure under the polynomial hardness of learning with errors (LWE) with sub-exponential modulus-to-noise ratio.

We present a second scheme where there need not be a single target policy. Instead, the decryptor only needs a set of keys representing policies \(f_j\) such that for any attribute \(x_i\) there exists \(f_j\) with \(f_j(x_i)=0\). In this scheme, the ciphertext size grows (quadratically) with the size of the set of policies (and is still independent of the number of inputs or attributes). Again, the target set of policies needs to be known at evaluation time. This latter scheme is secure in the random oracle model under the polynomial hardness of LWE with sub-exponential noise ratio.

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Zvika Brakerski (1)
  • David Cash (2)
  • Rotem Tsabary (1)
  • Hoeteck Wee (3)

  1. Weizmann Institute of Science, Rehovot, Israel
  2. Rutgers University, New Brunswick, USA
  3. ENS, CNRS and Columbia University, Paris, France