
Fast, compact, and expressive attribute-based encryption

Designs, Codes and Cryptography

Abstract

Attribute-based encryption (ABE) is an advanced cryptographic tool that is useful for building various types of access control systems. Toward the goal of making ABE more practical, we propose key-policy (KP) and ciphertext-policy (CP) ABE schemes, which are the first to simultaneously support unbounded sizes of attribute sets and policies with negation and multi-use of attributes, allow fast decryption, and be adaptively secure under a standard assumption. Our schemes are more expressive than previous schemes and efficient enough. To achieve adaptive security along with the other properties, we refine the technique introduced by Kowalczyk and Wee (Eurocrypt’19) so that we can apply it to more expressive ABE schemes. Furthermore, we also present a new proof technique that allows us to remove redundant elements used in their ABE schemes. We implement our schemes at the 128-bit security level and present their benchmarks for an ordinary personal computer and smartphones. They show that all algorithms run in one second on the personal computer when they handle any policy or attribute set with one hundred attributes.


References

  1. Agrawal S., Chase M.: FAME: Fast attribute-based message encryption. In: Thuraisingham B.M., Evans D., Malkin T., Xu D. (eds.) ACM CCS 2017, pp. 665–682. ACM Press, New York (2017). https://doi.org/10.1145/3133956.3134014.

  2. Agrawal S., Chase M.: Simplifying design and analysis of complex predicate encryption schemes. In: Coron J.S., Nielsen J.B. (eds.) EUROCRYPT 2017, Part I, LNCS, vol. 10210, pp. 627–656. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-56620-7_22.

  3. Attrapadung N.: Unbounded dynamic predicate compositions in attribute-based encryption. In: Ishai Y., Rijmen V. (eds.) EUROCRYPT 2019, Part I, LNCS, vol. 11476, pp. 34–67. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-17653-2_2.

  4. Attrapadung N., Libert B., de Panafieu E.: Expressive key-policy attribute-based encryption with constant-size ciphertexts. In: Catalano D., Fazio N., Gennaro R., Nicolosi A. (eds.) PKC 2011, LNCS, vol. 6571, pp. 90–108. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_6.

  5. Barbulescu R., Duquesne S.: Updating key size estimations for pairings. Cryptology ePrint Archive, Report 2017/334 (2017). http://eprint.iacr.org/2017/334.

  6. Bellare M., Rogaway P.: Optimal asymmetric encryption. In: Santis A.D. (ed.) EUROCRYPT 1994, vol. 950, pp. 92–111. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053428.

  7. Bellare M., Rogaway P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: Maurer U.M. (ed.) EUROCRYPT 1996, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34.

  8. Bethencourt J., Sahai A., Waters B.: Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy, pp. 321–334. IEEE Computer Society Press (2007). https://doi.org/10.1109/SP.2007.11.

  9. Boneh D., Boyen X.: Secure identity based encryption without random oracles. In: Franklin M. (ed.) CRYPTO 2004, LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_27.

  10. Boneh D., Franklin M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003).


  11. Boneh D., Katz J.: Improved efficiency for CCA-secure cryptosystems built using identity-based encryption. In: Menezes A. (ed.) CT-RSA 2005, vol. 3376, pp. 87–103. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_8.

  12. Canetti R., Goldreich O., Halevi S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004).


  13. Canetti R., Halevi S., Katz J.: A forward-secure public-key encryption scheme. In: Biham E. (ed.) EUROCRYPT 2003, LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_16.

  14. Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. In: Cachin C., Camenisch J. (eds.) EUROCRYPT 2004, LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_13.

  15. Chen J., Gay R., Wee H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald E., Fischlin M. (eds.) EUROCRYPT 2015, Part II, LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_20.

  16. Chen J., Gong J., Kowalczyk L., Wee H.: Unbounded ABE via bilinear entropy expansion, revisited. In: Nielsen J.B., Rijmen V. (eds.) EUROCRYPT 2018, vol. 10820, pp. 503–534. (2018). https://doi.org/10.1007/978-3-319-78381-9_19.

  17. Escala A., Herold G., Kiltz E., Ràfols C., Villar J.L.: An algebraic framework for Diffie–Hellman assumptions. J. Cryptol. 30(1), 242–288 (2017). https://doi.org/10.1007/s00145-015-9220-6.


  18. Fujisaki E., Okamoto T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013). https://doi.org/10.1007/s00145-011-9114-1.


  19. Gong J., Dong X., Chen J., Cao Z.: Efficient IBE with tight reduction to standard assumption in the multi-challenge setting. In: Cheon J.H., Takagi T. (eds.) ASIACRYPT 2016, Part II, LNCS, vol. 10032, pp. 624–654. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_21.

  20. Goyal V., Pandey O., Sahai A., Waters B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels A., Wright R.N., De Capitani di Vimercati S. (eds.) ACM CCS 2006, pp. 89–98. ACM Press (2006). https://doi.org/10.1145/1180405.1180418. Available as Cryptology ePrint Archive Report 2006/309.

  21. Jafargholi Z., Kamath C., Klein K., Komargodski I., Pietrzak K., Wichs D.: Be adaptive, avoid overcommitting. In: Katz J., Shacham H. (eds.) CRYPTO 2017, Part I, LNCS, vol. 10401, pp. 133–163. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-63688-7_5.

  22. Katz J., Sahai A., Waters B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. J. Cryptol. 26(2), 191–224 (2013). https://doi.org/10.1007/s00145-012-9119-4.


  23. Kim T., Barbulescu R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw M., Katz J. (eds.) CRYPTO 2016, Part I, LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_20.

  24. Kim T., Jeong J.: Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. In: Fehr S. (ed.) PKC 2017, Part I, LNCS, vol. 10174, pp. 388–408. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_16.

  25. Kowalczyk L., Wee H.: Compact adaptively secure ABE for \({\sf NC}^1\) from \(k\)-Lin. In: Ishai Y., Rijmen V. (eds.) EUROCRYPT 2019, Part I, LNCS, vol. 11476, pp. 3–33. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-17653-2_1.

  26. Lewko A., Waters B.: Decentralizing attribute-based encryption. Cryptology ePrint Archive, Report 2010/351 (2010). http://eprint.iacr.org/2010/351.

  27. Lewko A.B., Okamoto T., Sahai A., Takashima K., Waters B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert H. (ed.) EUROCRYPT 2010, LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4.

  28. Lewko A.B., Sahai A., Waters B.: Revocation systems with very small private keys. In: 2010 IEEE Symposium on Security and Privacy, pp. 273–285. IEEE Computer Society Press (2010). https://doi.org/10.1109/SP.2010.23.

  29. Lewko A.B., Waters B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio D. (ed.) TCC 2010, LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_27.

  30. Okamoto T., Takashima K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin T. (ed.) CRYPTO 2010, LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_11.

  31. Okamoto T., Takashima K.: Fully secure unbounded inner-product and attribute-based encryption. In: Wang X., Sako K. (eds.) ASIACRYPT 2012, LNCS, vol. 7658, pp. 349–366. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_22.

  32. Ostrovsky R., Sahai A., Waters B.: Attribute-based encryption with non-monotonic access structures. In: Ning P., De Capitani di Vimercati S., Syverson P.F. (eds.) ACM CCS 2007, pp. 195–203. ACM Press (2007). https://doi.org/10.1145/1315245.1315270.

  33. Sahai A., Waters B.R.: Fuzzy identity-based encryption. In: Cramer R. (ed.) EUROCRYPT 2005, LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27.

  34. Tomida J., Kawahara Y., Nishimaki R.: Fast, compact, and expressive attribute-based encryption. In: Kiayias A., Kohlweiss M., Wallden P., Zikas V. (eds.) PKC 2020, Part I, LNCS vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27.

  35. Waters B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi S. (ed.) CRYPTO 2009, LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36.

  36. Wee H.: Dual system encryption via predicate encodings. In: Lindell Y. (ed.) TCC 2014, LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_26.

  37. Yamada S., Attrapadung N., Hanaoka G., Kunihiro N.: Generic constructions for chosen-ciphertext secure attribute based encryption. In: Catalano D., Fazio N., Gennaro R., Nicolosi A. (eds.) PKC 2011, vol. 6571, pp. 71–89. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_5.

  38. Yamada S., Attrapadung N., Hanaoka G., Kunihiro N.: A framework and compact constructions for non-monotonic attribute-based encryption. In: Krawczyk H. (ed.) PKC 2014, LNCS, vol. 8383, pp. 275–292. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_16.


Author information

Corresponding author

Correspondence to Junichi Tomida.

Additional information

Communicated by M. Paterson.


An extended abstract of this paper [34] appeared in PKC 2020. This is the full version of the paper. In more detail, we add concrete CCA-secure ABE schemes (Sect. 6) and their performance (Sects. 7 and 8) as new results, while only CPA-secure schemes are considered in the extended abstract.

Appendix: CCA-secure ABE from delegatable CPA-secure ABE via the Boneh–Katz conversion


In this section, we present CCA-secure schemes obtained by applying the Boneh–Katz conversion to our CPA-secure schemes instead of the Canetti–Halevi–Katz transformation. We use the schemes for our implementation. Let \((\mathsf {MAC} , \mathsf {Verify} )\) be a message authentication code (MAC) scheme and \((\mathsf {Enc.Setup} , \mathsf {Enc.Send} , \mathsf {Enc.Rec} )\) be an encapsulation scheme (with the same requirements as those in [11]).

CCA-secure ABE scheme for \(R_{\mathsf {KP}}\) Let \((\mathsf {Setup} ', \mathsf {Enc} ', \mathsf {KeyGen} ', \mathsf {Dec} ', \mathsf {Delegate} ')\) be a delegatable ABE scheme for \(R'_{\mathsf {KP}}\). Our CCA-secure ABE scheme for \(R_{\mathsf {KP}}\) is constructed as follows.

  • \(\mathsf {Setup} (1^{\lambda })\) It takes a security parameter \(1^{\lambda }\) and outputs \(\mathsf {pk} \) and \(\mathsf {msk} \) as follows.

    $$\begin{aligned}&(\mathsf {pk} ', \mathsf {msk} ') \leftarrow \mathsf {Setup} '(1^{\lambda }), \; \mathsf {pub} \leftarrow \mathsf {Enc.Setup} (1^{\lambda }),\; (\mathsf {pk} , \mathsf {msk} ) = ((\mathsf {pk} ',\mathsf {pub} ), \mathsf {msk} '). \end{aligned}$$
  • \(\mathsf {Enc} (\mathsf {pk} , x, M)\) It takes \(\mathsf {pk} \), an attribute \(x=({\mathbf {{x}}} \in {\mathbb {Z}}_p^{m},\phi )\), and a message \(M \in G_{T}\) and outputs \(\mathsf {ct} _{x}\) as follows.

    $$\begin{aligned}&(r, \mathsf {com} , \mathsf {dec} ) \leftarrow \mathsf {Enc.Send} (\mathsf {pub} )\\&\mathbf{x}' = (\mathbf{x}||\mathsf {com} ), \; \phi (m+1)=\texttt {label.for.CCA} ,\; x' = ({\mathbf {{x}}}',\phi )\\&\mathsf {ct} '_{x'} \leftarrow \mathsf {Enc} '(\mathsf {pk} ', x',M||\mathsf {dec} ), \; \mathsf {tag} = \mathsf {MAC} _{r}( \mathsf {ct} '_{x'}), \;\mathsf {ct} _{x}=(\mathsf {com} , \mathsf {ct} '_{x'}, \mathsf {tag} ). \end{aligned}$$
  • \(\mathsf {KeyGen} (\mathsf {pk} , \mathsf {msk} , y)\) It takes \(\mathsf {pk} \), \(\mathsf {msk} \), and a predicate \(y = ({\mathbf {{y}}} \in {\mathbb {Z}}_p^{n},f, \psi , t)\) and outputs \(\mathsf {sk} _{y}\) as follows.

    $$\begin{aligned}&\mathbf{y}'=(\mathbf{y}||*), \; f'(b_{1} , \ldots ,b_{n+1}) = f(b_{1} , \ldots ,b_{n}) \wedge b_{n+1}, \; \psi (n+1) = \texttt {label.for.CCA} \\&t(n+1)=1, \;y'= ({\mathbf {{y}}}',f', \psi , t), \; \mathsf {sk} _{y}=\mathsf {sk} '_{y'} \leftarrow \mathsf {KeyGen} '(\mathsf {pk} ', \mathsf {msk} ', y'). \end{aligned}$$
  • \(\mathsf {Dec} (\mathsf {pk} , \mathsf {ct} _{x}, \mathsf {sk} _{y})\) It takes \(\mathsf {pk} \), \(\mathsf {ct} _{x}\), and \(\mathsf {sk} _{y}\) and outputs \(d\) as follows.

    $$\begin{aligned}&\mathbf{y}''= (\mathbf{y}||\mathsf {com} ), \; y''= ({\mathbf {{y}}}'',f', \psi , t), \; \mathsf {sk} '_{y''} \leftarrow \mathsf {Delegate} '(\mathsf {pk} ', \mathsf {sk} '_{y'}, y', y'')\\&M'||\mathsf {dec} ' = \mathsf {Dec} '(\mathsf {pk} ', \mathsf {ct} '_{x'},\mathsf {sk} '_{y''} ), \; r' \leftarrow \mathsf {Enc.Rec} (\mathsf {pub} , \mathsf {com} , \mathsf {dec} ')\\&d= {\left\{ \begin{array}{ll} M' &{} \mathsf {Verify} _{r'}( \mathsf {ct} '_{x'}, \mathsf {tag} )=1\\ \bot &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

CCA-secure ABE scheme for \(R_{\mathsf {CP}}\) Let \((\mathsf {Setup} ', \mathsf {Enc} ', \mathsf {KeyGen} ', \mathsf {Dec} ', \mathsf {Delegate} ')\) be a delegatable ABE scheme for \(R'_{\mathsf {CP}}\). Our CCA-secure ABE scheme for \(R_{\mathsf {CP}}\) is constructed as follows.

  • \(\mathsf {Setup} (1^{\lambda })\) It takes a security parameter \(1^{\lambda }\) and outputs \(\mathsf {pk} \) and \(\mathsf {msk} \) as follows.

    $$\begin{aligned}&(\mathsf {pk} ', \mathsf {msk} ') \leftarrow \mathsf {Setup} '(1^{\lambda }), \; \mathsf {pub} \leftarrow \mathsf {Enc.Setup} (1^{\lambda }),\; (\mathsf {pk} , \mathsf {msk} ) = ((\mathsf {pk} ',\mathsf {pub} ), \mathsf {msk} '). \end{aligned}$$
  • \(\mathsf {Enc} (\mathsf {pk} , x, M)\) It takes \(\mathsf {pk} \), an attribute \(x=({\mathbf {{x}}} \in {\mathbb {Z}}_p^{n}, f,\psi ,t)\), and a message \(M \in G_{T}\) and outputs \(\mathsf {ct} _{x}\) as follows.

    $$\begin{aligned}&(r, \mathsf {com} , \mathsf {dec} ) \leftarrow \mathsf {Enc.Send} (\mathsf {pub} ), \;\mathbf{x}' = (\mathbf{x}||\mathsf {com} )\\&f'(b_{1} , \ldots ,b_{n+1}) = f(b_{1} , \ldots ,b_{n}) \wedge b_{n+1}, \; \psi (n+1) = \texttt {label.for.CCA} \\&t(n+1) = 1,\; x' = (\mathbf{x}', f', \psi , t)\\&\mathsf {ct} '_{x'} \leftarrow \mathsf {Enc} '(\mathsf {pk} ', x',M||\mathsf {dec} ), \; \mathsf {tag} = \mathsf {MAC} _{r}( \mathsf {ct} '_{x'}), \;\mathsf {ct} _{x}=(\mathsf {com} , \mathsf {ct} '_{x'}, \mathsf {tag} ). \end{aligned}$$
  • \(\mathsf {KeyGen} (\mathsf {pk} , \mathsf {msk} , y)\) It takes \(\mathsf {pk} \), \(\mathsf {msk} \), and a predicate \(y = ({\mathbf {{y}}} \in {\mathbb {Z}}_p^{m}, \phi )\) and outputs \(\mathsf {sk} _{y}\) as follows.

    $$\begin{aligned}&\mathbf{y}'=(\mathbf{y}||*), \; \phi (n+1) = \texttt {label.for.CCA} \\&y'= ({\mathbf {{y}}}', \phi ), \; \mathsf {sk} _{y}=\mathsf {sk} '_{y'} \leftarrow \mathsf {KeyGen} '(\mathsf {pk} ', \mathsf {msk} ', y'). \end{aligned}$$
  • \(\mathsf {Dec} (\mathsf {pk} , \mathsf {ct} _{x}, \mathsf {sk} _{y})\) It takes \(\mathsf {pk} \), \(\mathsf {ct} _{x}\), and \(\mathsf {sk} _{y}\) and outputs \(d\) as follows.

    $$\begin{aligned}&\mathbf{y}''= (\mathbf{y}||\mathsf {com} ), \; y''= ({\mathbf {{y}}}'',\phi ), \; \mathsf {sk} '_{y''} \leftarrow \mathsf {Delegate} '(\mathsf {pk} ', \mathsf {sk} '_{y'}, y', y'')\\&M'||\mathsf {dec} ' = \mathsf {Dec} '(\mathsf {pk} ', \mathsf {ct} '_{x'},\mathsf {sk} '_{y''} ), \; r' \leftarrow \mathsf {Enc.Rec} (\mathsf {pub} , \mathsf {com} , \mathsf {dec} ')\\&d= {\left\{ \begin{array}{ll} M' &{} \mathsf {Verify} _{r'}( \mathsf {ct} '_{x'}, \mathsf {tag} )=1\\ \bot &{} \text {otherwise} \end{array}\right. } \end{aligned}$$
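
Both wrappers above have the same shape: commit to a MAC key, append the commitment as one extra attribute, encrypt the message together with the decommitment, and MAC the inner ciphertext. The Python sketch below is an added example, not the authors' implementation; it runs that flow over a toy, non-cryptographic stand-in for the delegatable CPA-secure scheme so that the effect of the tag check is visible. The function names, the SHA-256 commitment used as the encapsulation, HMAC-SHA256 as the MAC, byte-string messages instead of elements of \(G_{T}\), and the symmetric toy inner scheme are all assumptions of this sketch.

```python
import hashlib, hmac, os

LABEL = "label.for.CCA"        # reserved label for the appended slot, as on the page

def _mac(r, ct_inner):         # MAC_r(ct'), HMAC-SHA256 over a constructed encoding
    return hmac.new(r, repr(ct_inner).encode(), hashlib.sha256).digest()

# Encapsulation (Enc.Send / Enc.Rec) as a salted SHA-256 commitment: an assumption
# made for this sketch, not the instantiation required in [11].
def enc_send():
    dec = os.urandom(48)                         # dec = salt (16 bytes) || r (32 bytes)
    return dec[16:], hashlib.sha256(dec).digest(), dec

def enc_rec(com, dec):
    ok = hmac.compare_digest(hashlib.sha256(dec).digest(), com)
    return dec[16:] if ok else None

# Toy stand-in for the delegatable CPA-secure scheme: symmetric, malleable, and with
# exact-match policies only. It offers no security; it only mimics the interfaces.
def _xor(msk, com, data):
    ks = hashlib.shake_256(msk + com).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def abe_enc(msk, x, pt):                         # x: dict label -> value
    return tuple(sorted(x.items())), _xor(msk, x[LABEL], pt)

def abe_keygen(msk, y):                          # y' = y plus a wildcard slot
    return msk, {**y, LABEL: None}

def abe_delegate(sk, com):                       # y'' = y with the slot fixed to com
    return sk[0], {**sk[1], LABEL: com}

def abe_dec(sk, ct_inner):
    msk, y = sk
    x = dict(ct_inner[0])
    if any(x.get(k) != v for k, v in y.items()):
        return None
    return _xor(msk, x[LABEL], ct_inner[1])

# The wrapper itself, following Enc and Dec above line by line.
def encrypt(msk, x, M):
    r, com, dec = enc_send()
    ct_inner = abe_enc(msk, {**x, LABEL: com}, M + dec)   # Enc'(pk', x', M || dec)
    return com, ct_inner, _mac(r, ct_inner)               # ct = (com, ct', tag)

def decrypt(sk, ct):
    com, ct_inner, tag = ct
    pt = abe_dec(abe_delegate(sk, com), ct_inner)
    if pt is None or len(pt) < 48:
        return None
    r = enc_rec(com, pt[-48:])                            # r' <- Enc.Rec(pub, com, dec')
    if r is None or not hmac.compare_digest(_mac(r, ct_inner), tag):
        return None                                       # reject: the page's ⊥
    return pt[:-48]
```

Because the toy inner scheme is deliberately malleable, flipping a bit of the inner ciphertext changes what `abe_dec` returns, while `decrypt` rejects the same ciphertext at the tag check.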


Cite this article

Tomida, J., Kawahara, Y. & Nishimaki, R. Fast, compact, and expressive attribute-based encryption. Des. Codes Cryptogr. 89, 2577–2626 (2021). https://doi.org/10.1007/s10623-021-00939-8
