Tag-based ABE in prime-order groups via pair encoding

Abstract

Predicate/pair encodings are simple frameworks for designing attribute-based encryption (\(\textsf {ABE}\)) for complex predicates, with pair encodings being able to handle more complex predicates. Thus far, several generic constructions of prime-order \(\textsf {ABE}\) schemes have been proposed with these encodings. Chen, Gay, and Wee (\(\textsf {CGW}\)) (Eurocrypt’15) and Chen and Gong \((\textsf {CG})\) (Asiacrypt’17) proposed generic constructions with predicate encodings with a trade-off in efficiency. In particular, the former construction (\(\textsf {CGW}\) \(\textsf {ABE}\)) has the shorter secret keys, whereas the latter construction (\(\textsf {CG}\) \(\textsf {ABE}\)) has the shorter master public keys and ciphertexts. Moreover, \(\textsf {CG}\) \(\textsf {ABE}\) requires three pairing operations during decryption, while \(\textsf {CGW}\) \(\textsf {ABE}\) requires four. Agrawal and Chase (\(\textsf {AC}\)) (TCC’16) proposed a generic construction with pair encodings that is an extension of \(\textsf {CGW}\) \(\textsf {ABE}\) and can handle more complex predicates. Specifically, if pair encoding schemes satisfy perfect security (resp. relaxed perfect security), then \(\textsf {AC}\) \(\textsf {ABE}\) satisfies full security (resp. semi-adaptive security) from the standard k-linear assumption. However, there is no extension of \(\textsf {CG}\) \(\textsf {ABE}\) with pair encodings. In this paper, we construct this extension. As with the trade-off between \(\textsf {CGW}\) \(\textsf {ABE}\) and \(\textsf {CG}\) \(\textsf {ABE}\), our proposed \(\textsf {ABE}\) has shorter master public keys and ciphertexts and larger secret keys, requires less pairing operations during decryption than \(\textsf {AC}\) \(\textsf {ABE}\). Furthermore, as with \(\textsf {AC}\) \(\textsf {ABE}\), our proposed \(\textsf {ABE}\) satisfies full security (resp. semi-adaptive security) if pair encoding schemes satisfy perfect security (resp. relaxed perfect security) from the standard k-linear assumption. As an application, we propose a ciphertext-policy \(\textsf {ABE}\) scheme for non-monotone span programs with compact ciphertexts satisfying semi-adaptive security.

A Note on [12]

Recently, Blazy and Mukherjee [12] proposed a generic construction of prime-order tag-based \(\textsf {ABE}\) from \(\textsf {PES}\).³ In this work, they first introduced a variant of perfect security. Then, they constructed a tag-based \(\textsf {ABE}\) from \(\textsf {PES}\) satisfying the variant of perfect security. Although the research direction is similar to ours, their handling of perfect security is inadequate in the sense that their variant of perfect security can capture much less expressive predicates than the original perfect security. To observe the fact, we show that their variant of perfect security does not capture inner product encryption (\(\textsf {IPE}\)) that is captured even by predicate encoding.

Blazy and Mukherjee defined the variant of perfect security as follows.

[12]’s Variant of Perfect Security. A pair encoding scheme \(\textsf {PES}= (\textsf {Param}, \textsf {EncC}, \textsf {EncK}, \textsf {Pair})\) for a predicate family \({\textsf {P}}_\kappa = \{ {\textsf {P}}_\kappa \}_{\kappa \in \mathbb {N}^c}\) satisfies [12]’s variant of perfect security if for all \(\kappa = (N, \textsf {par})\), \(x \in {\mathcal {X}}_\kappa \) and \(y \in {\mathcal {Y}}_\kappa \) such that \({\textsf {P}}_\kappa (x, y) = 0\),

$$\begin{aligned} ({\mathbf {s}}, {\mathbf {r}}, {\mathbf {c}}({\mathbf {s}}, {\mathbf {0}}, {\mathbf {b}}), {\mathbf {k}}(0, {\mathbf {r}}, {\mathbf {0}}, {\mathbf {b}})) \equiv ({\mathbf {s}}, {\mathbf {r}}, {\mathbf {c}}({\mathbf {s}}, {\mathbf {0}}, {\mathbf {b}}), {\mathbf {k}}(\alpha , {\mathbf {r}}, {\mathbf {0}}, {\mathbf {b}})), \end{aligned}$$

where \({\mathbf {s}}\leftarrow _R\mathbb {Z}_N^{w_1 + 1}\), \({\mathbf {b}}\leftarrow _R\mathbb {Z}_N^n\), \({{\hat{{\mathbf {r}}}}} \leftarrow _R\mathbb {Z}_N^{m_2}\), and \(\alpha \leftarrow _R\mathbb {Z}_N\).

Compared with perfect security in Sect. 3, both the left and the right distributions do not depend on lone variables \({{\hat{{\mathbf {s}}}}}\) and \({{\hat{{\mathbf {r}}}}}\) except for \(\alpha \). Blazy and Mukherjee considered that lone variables are not essential to formulate \(\textsf {PES}\). However, lone variables are essential ingredients to formulate expressive \(\textsf {PES}\). To explain the reason, we show \(\textsf {PES}\) for \(\textsf {IPE}\) with short secret keys based on [15].

\(\textsf {PES}\) for \(\textsf {IPE}\). Here, \({\mathcal {X}}_{\textsf {IPE}} = {\mathcal {Y}}_{\textsf {IPE}} = \mathbb {Z}_p^n\) and \({\textsf {P}}_{\textsf {IPE}}({\mathbf {x}}, {\mathbf {y}}) = 1\) holds iff \({\mathbf {x}}^\top {\mathbf {y}}= 0\) for \({\mathbf {x}}\in {\mathcal {X}}_{\textsf {IPE}}\) and \({\mathbf {y}}\in {\mathcal {Y}}_{\textsf {IPE}}\).

Syntax. \(\textsf {PES}\) for an \(\textsf {IPE}\) predicate \({\textsf {P}}_{\textsf {IPE}}\) with short secret keys consists of the following four polynomial time algorithms \((\textsf {Param}, \textsf {EncC}, \textsf {EncK}, \textsf {Pair})\) defined as follows:

• \(\textsf {Param}() \rightarrow n\):  

• \(\textsf {EncC}({\mathbf {x}}, n) \rightarrow (1, 1, {\mathbf {c}}(s, {{\hat{s}}}, {\mathbf {b}}))\): On input \({\mathbf {x}}= (x_1, \ldots , x_n) \in {\mathcal {X}}_{\textsf {IPE}}\), \(\textsf {EncC}\) outputs a vector of n ciphertext-encoding polynomials \({\mathbf {c}}= (c_1, \ldots , c_n)\) in a non-lone ciphertext-encoding variable s and a lone ciphertext-encoding variable \({\hat{s}}\). The \(\ell \)-th polynomial is given by

  $$\begin{aligned} c_\ell :=&~ x_\ell {\hat{s}} + sb_\ell \end{aligned}$$

  for \(\ell \in [n]\). In other words, \({\mathbf {c}}= {{\hat{s}}} {\mathbf {x}}+ s {\mathbf {b}}\).

• \(\textsf {EncK}({\mathbf {y}}, n) \rightarrow (1, 0, k(\alpha , r, 0, {\mathbf {b}}))\): On input \({\mathbf {y}}= (y_1, \ldots , y_n) \in {\mathcal {Y}}_{\textsf {IPE}}\), \(\textsf {EncK}\) outputs a key-encoding polynomial k in a non-lone key-encoding variable r and a lone key-encoding variable \(\alpha \), where

  $$\begin{aligned} k :=&~ \alpha + (y_1b_1 + \cdots + y_nb_n)r\\ =&~ \alpha + r {\mathbf {y}}^\top {\mathbf {b}}. \end{aligned}$$

• \(\textsf {Pair}({\mathbf {x}}, {\mathbf {y}}, n) \rightarrow ({\mathbf {E}}, {\overline{{\mathbf {E}}}})\): On input \(x \in {\mathcal {X}}_{\textsf {IPE}}\), \(y \in {\mathcal {Y}}_{\textsf {IPE}}\), and \(n \in {\mathbb {N}}\), \(\textsf {Pair}\) outputs \(E = 1\) and \({{\overline{{\mathbf {E}}}}} = ({\overline{E}}_1, \ldots , {\overline{E}}_n)\), where \({\overline{E}}_\ell = -y_\ell \) for \(\ell \in [n]\).

Correctness. The above \(\textsf {PES}\) for an inner product predicate \({\textsf {P}}_{\textsf {IPE}}\) is correct if for all \({\mathbf {x}}\in {\mathcal {X}}_{\textsf {IPE}}\) and \({\mathbf {y}}\in {\mathcal {Y}}_{\textsf {IPE}}\) such that \({\textsf {P}}_{\textsf {IPE}}({\mathbf {x}}, {\mathbf {y}}) = 1\), i.e., \({\mathbf {x}}^\top {\mathbf {y}}= 0\), it holds that

$$\begin{aligned} sk + {\mathbf {c}}^\top {{\overline{{\mathbf {E}}}}} r =&~s\left( \alpha + (y_1b_1 + \cdots + y_nb_n)r\right) - \sum _{\ell \in [n]}\left( x_\ell {\hat{s}} + sb_\ell \right) y_\ell r\\ =&~\alpha s - ({\mathbf {x}}^\top {\mathbf {y}}){\hat{s}}r\\ =&~\alpha s. \end{aligned}$$

Next, we show that the above \(\textsf {PES}\) for \(\textsf {IPE}\) does not satisfy [12]’s variant of perfect security. The security requirement is written by

$$\begin{aligned}&~(s, r, s {\mathbf {b}}, r {\mathbf {y}}^\top {\mathbf {b}}) \equiv (s, r, s {\mathbf {b}}, \alpha /r + r {\mathbf {y}}^\top {\mathbf {b}})\\&\quad \Leftrightarrow ~ ({\mathbf {b}}, {\mathbf {y}}^\top {\mathbf {b}}) \equiv ({\mathbf {b}}, \alpha + {\mathbf {y}}^\top {\mathbf {b}}). \end{aligned}$$

Unfortunately, the requirement does not hold. In particular, by checking whether an inner product of the first element and \({\mathbf {y}}\) equals to the second element, we can distinguish whether the left or the right distribution.

On the other hand, the above \(\textsf {PES}\) for \(\textsf {IPE}\) satisfies the original perfect security. The security requirement is written by

$$\begin{aligned}&~(s, r, {{\hat{s}}} {\mathbf {x}}+ s {\mathbf {b}}, r {\mathbf {y}}^\top {\mathbf {b}}) \equiv (s, r, {{\hat{s}}} {\mathbf {x}}+ s {\mathbf {b}}, \alpha /r + r {\mathbf {y}}^\top {\mathbf {b}})\\&\quad \Leftrightarrow ~ ({{\hat{s}}} {\mathbf {x}}+ {\mathbf {b}}, {\mathbf {y}}^\top {\mathbf {b}}) \equiv ({{\hat{s}}} {\mathbf {x}}+ {\mathbf {b}}, \alpha + {\mathbf {y}}^\top {\mathbf {b}}). \end{aligned}$$

Here, since \({\mathbf {x}}^\top {\mathbf {y}}\ne 0\) holds, checking whether an inner product of the first element and \({\mathbf {y}}\) equals to the second element does not tell us whether the left or the right distribution. In other words, the random lone variable \({{\hat{s}}}\) hides the information.