Abstract
Attribute-based encryption (ABE) is an advanced cryptographic tool that is useful for building various types of access control systems. Toward the goal of making ABE more practical, we propose key-policy (KP) and ciphertext-policy (CP) ABE schemes that are the first to simultaneously support unbounded sizes of attribute sets and policies with negation and multi-use of attributes, allow fast decryption, and are adaptively secure under a standard assumption. Our schemes are more expressive than previous schemes and efficient enough for practical use. To achieve adaptive security along with the other properties, we refine the technique introduced by Kowalczyk and Wee (Eurocrypt'19) so that we can apply it to more expressive ABE schemes. Furthermore, we present a new proof technique that allows us to remove redundant elements used in their ABE schemes. We implement our schemes at the 128-bit security level and present benchmarks for an ordinary personal computer and smartphones. They show that all algorithms run within one second on the personal computer when handling any policy or attribute set with one hundred attributes.
References
Agrawal S., Chase M.: FAME: Fast attribute-based message encryption. In: Thuraisingham B.M., Evans D., Malkin T., Xu D. (eds.) ACM CCS 2017, pp. 665–682. ACM Press, New York (2017). https://doi.org/10.1145/3133956.3134014.
Agrawal S., Chase M.: Simplifying design and analysis of complex predicate encryption schemes. In: Coron J.S., Nielsen J.B. (eds.) EUROCRYPT 2017, Part I, LNCS, vol. 10210, pp. 627–656. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-56620-7_22.
Attrapadung N.: Unbounded dynamic predicate compositions in attribute-based encryption. In: Ishai Y., Rijmen V. (eds.) EUROCRYPT 2019, Part I, LNCS, vol. 11476, pp. 34–67. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-17653-2_2.
Attrapadung N., Libert B., de Panafieu E.: Expressive key-policy attribute-based encryption with constant-size ciphertexts. In: Catalano D., Fazio N., Gennaro R., Nicolosi A. (eds.) PKC 2011, LNCS, vol. 6571, pp. 90–108. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_6.
Barbulescu R., Duquesne S.: Updating key size estimations for pairings. Cryptology ePrint Archive, Report 2017/334 (2017). http://eprint.iacr.org/2017/334.
Bellare M., Rogaway P.: Optimal asymmetric encryption. In: Santis A.D. (ed.) EUROCRYPT 1994, LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053428.
Bellare M., Rogaway P.: The exact security of digital signatures: how to sign with RSA and Rabin. In: Maurer U.M. (ed.) EUROCRYPT 1996, LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34.
Bethencourt J., Sahai A., Waters B.: Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy, pp. 321–334. IEEE Computer Society Press (2007). https://doi.org/10.1109/SP.2007.11.
Boneh D., Boyen X.: Secure identity based encryption without random oracles. In: Franklin M. (ed.) CRYPTO 2004, LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_27.
Boneh D., Franklin M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003).
Boneh D., Katz J.: Improved efficiency for CCA-secure cryptosystems built using identity-based encryption. In: Menezes A. (ed.) CT-RSA 2005, LNCS, vol. 3376, pp. 87–103. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_8.
Canetti R., Goldreich O., Halevi S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004).
Canetti R., Halevi S., Katz J.: A forward-secure public-key encryption scheme. In: Biham E. (ed.) EUROCRYPT 2003, LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_16.
Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. In: Cachin C., Camenisch J. (eds.) EUROCRYPT 2004, LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_13.
Chen J., Gay R., Wee H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald E., Fischlin M. (eds.) EUROCRYPT 2015, Part II, LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_20.
Chen J., Gong J., Kowalczyk L., Wee H.: Unbounded ABE via bilinear entropy expansion, revisited. In: Nielsen J.B., Rijmen V. (eds.) EUROCRYPT 2018, LNCS, vol. 10820, pp. 503–534. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-78381-9_19.
Escala A., Herold G., Kiltz E., Ràfols C., Villar J.L.: An algebraic framework for Diffie–Hellman assumptions. J. Cryptol. 30(1), 242–288 (2017). https://doi.org/10.1007/s00145-015-9220-6.
Fujisaki E., Okamoto T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013). https://doi.org/10.1007/s00145-011-9114-1.
Gong J., Dong X., Chen J., Cao Z.: Efficient IBE with tight reduction to standard assumption in the multi-challenge setting. In: Cheon J.H., Takagi T. (eds.) ASIACRYPT 2016, Part II, LNCS, vol. 10032, pp. 624–654. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_21.
Goyal V., Pandey O., Sahai A., Waters B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels A., Wright R.N., De Capitani di Vimercati S. (eds.) ACM CCS 2006, pp. 89–98. ACM Press (2006). https://doi.org/10.1145/1180405.1180418. Available as Cryptology ePrint Archive Report 2006/309.
Jafargholi Z., Kamath C., Klein K., Komargodski I., Pietrzak K., Wichs D.: Be adaptive, avoid overcommitting. In: Katz J., Shacham H. (eds.) CRYPTO 2017, Part I, LNCS, vol. 10401, pp. 133–163. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-63688-7_5.
Katz J., Sahai A., Waters B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. J. Cryptol. 26(2), 191–224 (2013). https://doi.org/10.1007/s00145-012-9119-4.
Kim T., Barbulescu R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw M., Katz J. (eds.) CRYPTO 2016, Part I, LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_20.
Kim T., Jeong J.: Extended tower number field sieve with application to finite fields of arbitrary composite extension degree. In: Fehr S. (ed.) PKC 2017, Part I, LNCS, vol. 10174, pp. 388–408. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_16.
Kowalczyk L., Wee H.: Compact adaptively secure ABE for \({\sf NC}^1\) from \(k\)-Lin. In: Ishai Y., Rijmen V. (eds.) EUROCRYPT 2019, Part I, LNCS, vol. 11476, pp. 3–33. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-17653-2_1.
Lewko A., Waters B.: Decentralizing attribute-based encryption. Cryptology ePrint Archive, Report 2010/351 (2010). http://eprint.iacr.org/2010/351.
Lewko A.B., Okamoto T., Sahai A., Takashima K., Waters B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert H. (ed.) EUROCRYPT 2010, LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4.
Lewko A.B., Sahai A., Waters B.: Revocation systems with very small private keys. In: 2010 IEEE Symposium on Security and Privacy, pp. 273–285. IEEE Computer Society Press (2010). https://doi.org/10.1109/SP.2010.23.
Lewko A.B., Waters B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio D. (ed.) TCC 2010, LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_27.
Okamoto T., Takashima K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin T. (ed.) CRYPTO 2010, LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_11.
Okamoto T., Takashima K.: Fully secure unbounded inner-product and attribute-based encryption. In: Wang X., Sako K. (eds.) ASIACRYPT 2012, LNCS, vol. 7658, pp. 349–366. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_22.
Ostrovsky R., Sahai A., Waters B.: Attribute-based encryption with non-monotonic access structures. In: Ning P., De Capitani di Vimercati S., Syverson P.F. (eds.) ACM CCS 2007, pp. 195–203. ACM Press (2007). https://doi.org/10.1145/1315245.1315270.
Sahai A., Waters B.R.: Fuzzy identity-based encryption. In: Cramer R. (ed.) EUROCRYPT 2005, LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27.
Tomida J., Kawahara Y., Nishimaki R.: Fast, compact, and expressive attribute-based encryption. In: Kiayias A., Kohlweiss M., Wallden P., Zikas V. (eds.) PKC 2020, Part I, LNCS. Springer, Heidelberg (2020).
Waters B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi S. (ed.) CRYPTO 2009, LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36.
Wee H.: Dual system encryption via predicate encodings. In: Lindell Y. (ed.) TCC 2014, LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_26.
Yamada S., Attrapadung N., Hanaoka G., Kunihiro N.: Generic constructions for chosen-ciphertext secure attribute based encryption. In: Catalano D., Fazio N., Gennaro R., Nicolosi A. (eds.) PKC 2011, LNCS, vol. 6571, pp. 71–89. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_5.
Yamada S., Attrapadung N., Hanaoka G., Kunihiro N.: A framework and compact constructions for non-monotonic attribute-based encryption. In: Krawczyk H. (ed.) PKC 2014, LNCS, vol. 8383, pp. 275–292. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_16.
Communicated by M. Paterson.
An extended abstract of this paper [34] appeared in PKC 2020. This is the full version of the paper. In more detail, we add concrete CCA-secure ABE schemes (Sect. 6) and their performance (Sects. 7 and 8) as new results, while only CPA-secure schemes are considered in the extended abstract.
Appendix: CCA-secure ABE from delegatable CPA-secure ABE via the Boneh–Katz conversion
In this section, we present CCA-secure schemes obtained by applying the Boneh–Katz conversion to our CPA-secure schemes instead of the Canetti–Halevi–Katz transformation. We use these schemes in our implementation. Let \((\mathsf {MAC} , \mathsf {Verify} )\) be a message authentication code (MAC) scheme and \((\mathsf {Enc.Setup} , \mathsf {Enc.Send} , \mathsf {Enc.Rec} )\) be an encapsulation scheme (with the same requirements as those in [11]).
CCA-secure ABE scheme for \(R_{\mathsf {KP}}\) Let \((\mathsf {Setup} ', \mathsf {Enc} ', \mathsf {KeyGen} ', \mathsf {Dec} ', \mathsf {Delegate} ')\) be a delegatable ABE scheme for \(R'_{\mathsf {KP}}\). Our CCA-secure ABE scheme for \(R_{\mathsf {KP}}\) is constructed as follows.
- \(\mathsf {Setup} (1^{\lambda })\) It takes a security parameter \(1^{\lambda }\) and outputs \(\mathsf {pk} \) and \(\mathsf {msk} \) as follows.
  $$\begin{aligned}&(\mathsf {pk} ', \mathsf {msk} ') \leftarrow \mathsf {Setup} '(1^{\lambda }), \; \mathsf {pub} \leftarrow \mathsf {Enc.Setup} (1^{\lambda }),\; (\mathsf {pk} , \mathsf {msk} ) = ((\mathsf {pk} ',\mathsf {pub} ), \mathsf {msk} '). \end{aligned}$$
- \(\mathsf {Enc} (\mathsf {pk} , x, M)\) It takes \(\mathsf {pk} \), an attribute \(x=({\mathbf {{x}}} \in {\mathbb {Z}}_p^{m},\phi )\), and a message \(M \in G_{T}\) and outputs \(\mathsf {ct} _{x}\) as follows.
  $$\begin{aligned}&(r, \mathsf {com} , \mathsf {dec} ) \leftarrow \mathsf {Enc.Send} (\mathsf {pub} )\\&\mathbf{x}' = (\mathbf{x}||\mathsf {com} ), \; \phi (m+1)=\texttt {label.for.CCA} ,\; x' = ({\mathbf {{x}}}',\phi )\\&\mathsf {ct} '_{x'} \leftarrow \mathsf {Enc} '(\mathsf {pk} ', x',M||\mathsf {dec} ), \; \mathsf {tag} = \mathsf {MAC} _{r}( \mathsf {ct} '_{x'}), \;\mathsf {ct} _{x}=(\mathsf {com} , \mathsf {ct} '_{x'}, \mathsf {tag} ). \end{aligned}$$
- \(\mathsf {KeyGen} (\mathsf {pk} , \mathsf {msk} , y)\) It takes \(\mathsf {pk} \), \(\mathsf {msk} \), and a predicate \(y = ({\mathbf {{y}}} \in {\mathbb {Z}}_p^{n},f, \psi , t)\) and outputs \(\mathsf {sk} _{y}\) as follows.
  $$\begin{aligned}&\mathbf{y}'=(\mathbf{y}||*), \; f'(b_{1} , \ldots ,b_{n+1}) = f(b_{1} , \ldots ,b_{n}) \wedge b_{n+1}, \; \psi (n+1) = \texttt {label.for.CCA} \\&t(n+1)=1, \;y'= ({\mathbf {{y}}}',f', \psi , t), \; \mathsf {sk} _{y}=\mathsf {sk} '_{y'} \leftarrow \mathsf {KeyGen} '(\mathsf {pk} ', \mathsf {msk} ', y'). \end{aligned}$$
- \(\mathsf {Dec} (\mathsf {pk} , \mathsf {ct} _{x}, \mathsf {sk} _{y})\) It takes \(\mathsf {pk} \), \(\mathsf {ct} _{x}\), and \(\mathsf {sk} _{y}\) and outputs \(d\) as follows.
  $$\begin{aligned}&\mathbf{y}''= (\mathbf{y}||\mathsf {com} ), \; y''= ({\mathbf {{y}}}'',f', \psi , t), \; \mathsf {sk} '_{y''} \leftarrow \mathsf {Delegate} '(\mathsf {pk} ', \mathsf {sk} '_{y'}, y', y'')\\&M'||\mathsf {dec} ' = \mathsf {Dec} '(\mathsf {pk} ', \mathsf {ct} '_{x'},\mathsf {sk} '_{y''} ), \; r' \leftarrow \mathsf {Enc.Rec} (\mathsf {pub} , \mathsf {com} , \mathsf {dec} ')\\&d= {\left\{ \begin{array}{ll} M' &{} \mathsf {Verify} _{r'}( \mathsf {ct} '_{x'}, \mathsf {tag} )=1\\ \bot &{} \text {otherwise} \end{array}\right. } \end{aligned}$$
CCA-secure ABE scheme for \(R_{\mathsf {CP}}\) Let \((\mathsf {Setup} ', \mathsf {Enc} ', \mathsf {KeyGen} ', \mathsf {Dec} ', \mathsf {Delegate} ')\) be a delegatable ABE scheme for \(R'_{\mathsf {CP}}\). Our CCA-secure ABE scheme for \(R_{\mathsf {CP}}\) is constructed as follows.
- \(\mathsf {Setup} (1^{\lambda })\) It takes a security parameter \(1^{\lambda }\) and outputs \(\mathsf {pk} \) and \(\mathsf {msk} \) as follows.
  $$\begin{aligned}&(\mathsf {pk} ', \mathsf {msk} ') \leftarrow \mathsf {Setup} '(1^{\lambda }), \; \mathsf {pub} \leftarrow \mathsf {Enc.Setup} (1^{\lambda }),\; (\mathsf {pk} , \mathsf {msk} ) = ((\mathsf {pk} ',\mathsf {pub} ), \mathsf {msk} '). \end{aligned}$$
- \(\mathsf {Enc} (\mathsf {pk} , x, M)\) It takes \(\mathsf {pk} \), an attribute \(x=({\mathbf {{x}}} \in {\mathbb {Z}}_p^{n}, f,\psi ,t)\), and a message \(M \in G_{T}\) and outputs \(\mathsf {ct} _{x}\) as follows.
  $$\begin{aligned}&(r, \mathsf {com} , \mathsf {dec} ) \leftarrow \mathsf {Enc.Send} (\mathsf {pub} ), \;\mathbf{x}' = (\mathbf{x}||\mathsf {com} )\\&f'(b_{1} , \ldots ,b_{n+1}) = f(b_{1} , \ldots ,b_{n}) \wedge b_{n+1}, \; \psi (n+1) = \texttt {label.for.CCA} \\&t(n+1) = 1,\; x' = (\mathbf{x}', f', \psi , t)\\&\mathsf {ct} '_{x'} \leftarrow \mathsf {Enc} '(\mathsf {pk} ', x',M||\mathsf {dec} ), \; \mathsf {tag} = \mathsf {MAC} _{r}( \mathsf {ct} '_{x'}), \;\mathsf {ct} _{x}=(\mathsf {com} , \mathsf {ct} '_{x'}, \mathsf {tag} ). \end{aligned}$$
- \(\mathsf {KeyGen} (\mathsf {pk} , \mathsf {msk} , y)\) It takes \(\mathsf {pk} \), \(\mathsf {msk} \), and a predicate \(y = ({\mathbf {{y}}} \in {\mathbb {Z}}_p^{m}, \phi )\) and outputs \(\mathsf {sk} _{y}\) as follows.
  $$\begin{aligned}&\mathbf{y}'=(\mathbf{y}||*), \; \phi (m+1) = \texttt {label.for.CCA} \\&y'= ({\mathbf {{y}}}', \phi ), \; \mathsf {sk} _{y}=\mathsf {sk} '_{y'} \leftarrow \mathsf {KeyGen} '(\mathsf {pk} ', \mathsf {msk} ', y'). \end{aligned}$$
- \(\mathsf {Dec} (\mathsf {pk} , \mathsf {ct} _{x}, \mathsf {sk} _{y})\) It takes \(\mathsf {pk} \), \(\mathsf {ct} _{x}\), and \(\mathsf {sk} _{y}\) and outputs \(d\) as follows.
  $$\begin{aligned}&\mathbf{y}''= (\mathbf{y}||\mathsf {com} ), \; y''= ({\mathbf {{y}}}'',\phi ), \; \mathsf {sk} '_{y''} \leftarrow \mathsf {Delegate} '(\mathsf {pk} ', \mathsf {sk} '_{y'}, y', y'')\\&M'||\mathsf {dec} ' = \mathsf {Dec} '(\mathsf {pk} ', \mathsf {ct} '_{x'},\mathsf {sk} '_{y''} ), \; r' \leftarrow \mathsf {Enc.Rec} (\mathsf {pub} , \mathsf {com} , \mathsf {dec} ')\\&d= {\left\{ \begin{array}{ll} M' &{} \mathsf {Verify} _{r'}( \mathsf {ct} '_{x'}, \mathsf {tag} )=1\\ \bot &{} \text {otherwise} \end{array}\right. } \end{aligned}$$
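To make the wiring of the conversion concrete, here is an added Python example (not code from the paper or from its implementation) of the KP-flavoured transform above; the CP variant is the same wiring with the roles of attribute and predicate exchanged, so one example serves both. The base scheme \((\mathsf {Setup} ', \mathsf {Enc} ', \mathsf {KeyGen} ', \mathsf {Dec} ', \mathsf {Delegate} ')\) is a stand-in, hashed ElGamal over \({\mathbb {Z}}_p^*\) whose policy check is done in software by \(\mathsf {Dec} '\); it has none of the security of the paper's pairing-based scheme and exists only to expose the delegation interface the wrapper relies on. Assumptions not on the page: SHA-256 as the commitment and MAC-key derivation hashes of the encapsulation scheme, HMAC-SHA256 as the MAC, a JSON encoding of \(\mathsf {ct} '_{x'}\) as MAC input, and the reading of \(R'_{\mathsf {KP}}\) in `satisfied` (\(t(i)=1\) marks a positive literal). `demo` returns the honest decryption together with the results for a ciphertext whose \(\mathsf {ct} '_{x'}\) was modified (the \(\mathsf {Verify}\) step rejects), one whose \(\mathsf {com}\) was replaced by that of another ciphertext (the delegated key targets a label value the ciphertext does not carry), and a key whose policy the attributes do not satisfy.

```python
import hashlib, hmac, json, os

LABEL = "label.for.CCA"   # reserved attribute label used only by the conversion
STAR = "*"                # wildcard slot that Delegate' fills with com at decryption time
P, G = 2**255 - 19, 2     # toy group Z_p^*; ASSUMPTION: stand-in only, not the paper's pairing groups

# ---- toy delegatable KP-ABE stand-in for (Setup', Enc', KeyGen', Dec', Delegate') ----
# Hashed ElGamal with the policy enforced in software by dec_prime; it models the
# interface the wrapper needs and gives no ABE security.
def _xor_stream(key, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)
def setup_prime():
    a = int.from_bytes(os.urandom(32), "big") % (P - 1) + 1
    return {"h": pow(G, a, P)}, a                                 # (pk', msk')
def enc_prime(pk, x, msg):
    k = int.from_bytes(os.urandom(32), "big") % (P - 1) + 1
    key = hashlib.sha256(str(pow(pk["h"], k, P)).encode()).digest()
    return {"x": x, "c1": pow(G, k, P), "c2": _xor_stream(key, msg)}
def keygen_prime(pk, msk, y):
    return {"y": y, "a": msk}
def satisfied(x, y):
    # ASSUMPTION on R'_KP (not spelled out on the page): literal i holds when some attribute
    # with label psi(i) equals y_i; t(i) = 1 is a positive literal, anything else negated.
    (xs, phi), (ys, f, psi, t) = x, y
    b = [any(phi[j] == psi[i] and xs[j] == ys[i] for j in range(len(xs))) for i in range(len(ys))]
    return f([bi if ti == 1 else not bi for bi, ti in zip(b, t)])
def dec_prime(pk, ct, sk):
    if not satisfied(ct["x"], sk["y"]):                           # a key still holding STAR never matches com
        return None
    key = hashlib.sha256(str(pow(ct["c1"], sk["a"], P)).encode()).digest()
    return _xor_stream(key, ct["c2"])
def delegate_prime(pk, sk, y_old, y_new):
    # y_new may only fill STAR slots of y_old; f, psi and t must stay unchanged
    if len(y_old[0]) != len(y_new[0]) or y_old[1:] != y_new[1:] or any(
            o != n and o != STAR for o, n in zip(y_old[0], y_new[0])):
        return None
    return {"y": y_new, "a": sk["a"]}

# ---- encapsulation (Enc.Setup, Enc.Send, Enc.Rec) and MAC, Boneh–Katz style ----
# ASSUMPTION: SHA-256 as commitment and MAC-key derivation hash, HMAC-SHA256 as the MAC.
def enc_setup():
    return {"salt": os.urandom(16)}
def enc_send(pub):
    dec = os.urandom(32)
    com = hashlib.sha256(b"com" + pub["salt"] + dec).digest()
    return hashlib.sha256(b"key" + pub["salt"] + dec).digest(), com, dec   # (r, com, dec)
def enc_rec(pub, com, dec):
    if not hmac.compare_digest(hashlib.sha256(b"com" + pub["salt"] + dec).digest(), com):
        return None                                               # dec does not open com
    return hashlib.sha256(b"key" + pub["salt"] + dec).digest()
def mac(r, ct):                                                   # MAC_r(ct'_{x'}) over a canonical encoding
    return hmac.new(r, json.dumps([ct["x"], ct["c1"], ct["c2"].hex()]).encode(), hashlib.sha256).digest()

# ---- the CCA-secure scheme for R_KP ----
def setup():
    pk1, msk1 = setup_prime()
    return {"pk1": pk1, "pub": enc_setup()}, msk1
def enc(pk, x, M):
    r, com, dec = enc_send(pk["pub"])
    x1 = (x[0] + [com.hex()], x[1] + [LABEL])                     # x' = (x || com), phi(m+1) = label
    ct1 = enc_prime(pk["pk1"], x1, M + dec)                       # Enc'(pk', x', M || dec)
    return {"com": com, "ct1": ct1, "tag": mac(r, ct1)}
def keygen(pk, msk, y):
    ys, f, psi, t = y
    f1 = lambda b: f(b[:-1]) and b[-1]                            # f'(b_1..b_{n+1}) = f(b_1..b_n) AND b_{n+1}
    return keygen_prime(pk["pk1"], msk, (ys + [STAR], f1, psi + [LABEL], t + [1]))
def dec(pk, ct, sk):
    y1 = sk["y"]
    y2 = (y1[0][:-1] + [ct["com"].hex()],) + y1[1:]               # y'' = (y || com)
    sk2 = delegate_prime(pk["pk1"], sk, y1, y2)
    pt = dec_prime(pk["pk1"], ct["ct1"], sk2) if sk2 else None
    if pt is None or len(pt) < 32:
        return None                                               # bottom: policy not satisfied
    M1, dec1 = pt[:-32], pt[-32:]
    r1 = enc_rec(pk["pub"], ct["com"], dec1)
    if r1 is None or not hmac.compare_digest(mac(r1, ct["ct1"]), ct["tag"]):
        return None                                               # bottom: Verify failed
    return M1

def demo():
    pk, msk = setup()
    x = (["alice", "eng"], ["user", "dept"])                      # constructed attribute set
    y = (["eng", "admin"], lambda b: b[0] or b[1], ["dept", "role"], [1, 1])  # dept=eng OR role=admin
    sk, ct = keygen(pk, msk, y), enc(pk, x, b"quarterly report")
    tampered = dict(ct, ct1=dict(ct["ct1"]))                      # flip one bit inside ct'_{x'}
    tampered["ct1"]["c2"] = bytes([ct["ct1"]["c2"][0] ^ 1]) + ct["ct1"]["c2"][1:]
    spliced = dict(ct, com=enc(pk, x, b"other")["com"])           # com of another ciphertext
    sk_no = keygen(pk, msk, (["admin"], lambda b: b[0], ["role"], [1]))   # policy not satisfied by x
    return dec(pk, ct, sk), dec(pk, tampered, sk), dec(pk, spliced, sk), dec(pk, ct, sk_no)
```

The two properties the conversion depends on are visible in `dec`: the key issued by `keygen` carries a wildcard in the label slot and can only be used after `delegate_prime` pins it to the \(\mathsf {com}\) of the ciphertext being decrypted, and the MAC key \(r\) is recovered only from the \(\mathsf {dec}\) that the inner decryption releases, so any change to \(\mathsf {ct} '_{x'}\) or \(\mathsf {com}\) is caught either by the policy check on the label attribute or by \(\mathsf {Verify}\).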
Tomida, J., Kawahara, Y. & Nishimaki, R. Fast, compact, and expressive attribute-based encryption. Des. Codes Cryptogr. 89, 2577–2626 (2021). https://doi.org/10.1007/s10623-021-00939-8