Targeted Homomorphic Attribute-Based Encryption

Zvika Brakerski; David Cash; Rotem Tsabary; Hoeteck Wee

doi:10.1007/978-3-662-53644-5_13

Theory of Cryptography Conference

TCC 2016: Theory of Cryptography pp 330-360 | Cite as

Targeted Homomorphic Attribute-Based Encryption

Authors
Authors and affiliations

Zvika BrakerskiEmail author
David Cash
Rotem Tsabary
Hoeteck Wee

Conference paper

First Online: 21 October 2016

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9986)

Abstract

In (key-policy) attribute-based encryption (ABE), messages are encrypted respective to attributes x, and keys are generated respective to policy functions f. The ciphertext is decryptable by a key only if \(f(x)=0\). Adding homomorphic capabilities to ABE is a long standing open problem, with current techniques only allowing compact homomorphic evaluation on ciphertext respective to the same x. Recent advances in the study of multi-key FHE also allow cross-attribute homomorphism with ciphertext size growing (quadratically) with the number of input ciphertexts.

We present an ABE scheme where homomorphic operations can be performed compactly across attributes. Of course, decrypting the resulting ciphertext needs to be done with a key respective to a policy f with \(f(x_i)=0\) for all attributes involved in the computation. In our scheme, the target policy f needs to be known to the evaluator, we call this targeted homomorphism. Our scheme is secure under the polynomial hardness of learning with errors (LWE) with sub-exponential modulus-to-noise ratio.

We present a second scheme where there needs not be a single target policy. Instead, the decryptor only needs a set of keys representing policies \(f_j\) s.t. for any attribute \(x_i\) there exists \(f_j\) with \(f_j(x_i)=0\). In this scheme, the ciphertext size grows (quadratically) with the size of the set of policies (and is still independent of the number of inputs or attributes). Again, the target set of policies needs to be known at evaluation time. This latter scheme is secure in the random oracle model under the polynomial hardness of LWE with sub-exponential noise ratio.

This is a preview of subscription content, to check access

Notes

Acknowledgments

We thank Vadim Lyubashevsky for numerous insightful discussions.

A A Generic (Non-compact) Homomorphic ABE Construction

We show how to construct a non-targeted homomorphic ABE (HABE) given any ABE scheme and Multi-Key FHE scheme as building blocks. The main disadvantage of this construction is that the ciphertext’s size grows at least linearly with the number of participants in the homomorphic evaluation. Interestingly, our method is very similar to the one presented in [17], despite the difference in the scheme’s goal. Their construction relies on a leveled homomorphic ABE and uses it to create a non-leveled HABE scheme.

Below are definitions of \(\mathsf {ABE}\), \(\mathsf {MFHE}\) and \(\mathsf {HABE}\), followed by our \(\mathsf {HABE}\) construction and a brief proof of its correctness and security.

Definition 7

(ABE). An Attribute Based Encryption (ABE) scheme is a tuple of \(\text {{ppt}}\) algorithms \(\mathsf {ABE}= (\mathsf {Setup}, \mathsf {Enc}, {\mathsf {Keygen}}, \mathsf {Dec})\) with the following syntax:

\(\mathsf {ABE}.\mathsf {Setup}(1^\lambda )\) takes as input the security parameter and outputs a master secret key \(\mathsf {msk}\) and a set of public parameters \(\mathsf {pp}\).
\(\mathsf {ABE}.\mathsf {Enc}_\mathsf {pp}(\mu ,x)\) uses the public parameters \(\mathsf {pp}\) and takes as input a message \(\mu \in \{0,1\}\) and an attribute \(x\in \{0,1\}^\ell \). It outputs a ciphertext \(\mathsf {ct}\).
\(\mathsf {ABE}.{\mathsf {Keygen}}_\mathsf {msk}(f)\) uses the master secret key \(\mathsf {msk}\) and takes as input a function \(f \in \mathcal {F}\). It outputs a secret key \(\mathsf {sk}_f\).
\(\mathsf {ABE}.\mathsf {Dec}(\mathsf {sk}_f, \mathsf {ct})\) takes as input a secret key \(\mathsf {sk}_f\) for a policy f, and a ciphertext \(\mathsf {ct}\). It outputs a message \(\mu \in \{0,1\}\).

Definition 8

(MK-FHE). A Multi-Key Fully Homomorphic Encryption (MK-FHE) scheme is a tuple of \(\text {{ppt}}\) algorithms \(\mathsf {MFHE}= (\mathsf {Setup}, \mathsf {Enc}, {\mathsf {Keygen}}, \mathsf {Eval}, \mathsf {Dec})\) with the following syntax:

\(\mathsf {MFHE}.\mathsf {Setup}(1^\lambda )\) takes as input the security parameter and generates public parameters \(\mathsf {pp}\).
\(\mathsf {MFHE}.{\mathsf {Keygen}}_\mathsf {pp}(1^\lambda )\) uses the public parameters \(\mathsf {pp}\) and outputs a pair of public key and secret key \((\mathsf {pk}, \mathsf {sk})\).
\(\mathsf {MFHE}.\mathsf {Enc}_\mathsf {pp}(\mathsf {pk},\mu )\) uses the public parameters \(\mathsf {pp}\) and takes as input a message \(\mu \in \{0,1\}\) and a public key \(\mathsf {pk}\). It outputs a ciphertext \(\mathsf {ct}\).
\(\mathsf {MFHE}.\mathsf {Eval}_\mathsf {pp}((\mathsf {ct}^{(1)},\dots ,\mathsf {ct}^{(k)}), (\mathsf {pk}^{(1)},\dots ,\mathsf {pk}^{(k)}), g)\) uses the public parameters \(\mathsf {pp}\) and takes as input k ciphertexts along with their respective public keys \((\mathsf {pk}^{(1)},\dots ,\mathsf {pk}^{(k)})\) and a function g. It outputs a ciphertext \(\mathsf {ct}_g\).
\(\mathsf {MFHE}.\mathsf {Dec}_\mathsf {pp}(\mathsf {sk}^{(1)},\dots ,\mathsf {sk}^{(k)}, \mathsf {ct}_g)\) uses the public parameters and takes as input a sequence of k secret keys \(\mathsf {sk}^{(1)},\dots ,\mathsf {sk}^{(k)}\) and a ciphertext \(\mathsf {ct}_g\). It outputs a message \(\mu \in \{0,1\}\).

Definition 9

(HABE). An Homomorphic ABE (HABE) scheme is a tuple of \(\text {{ppt}}\) algorithms \(\mathsf {HABE}= (\mathsf {Setup}, \mathsf {Enc}, {\mathsf {Keygen}}, \mathsf {Eval}, \mathsf {Dec})\) with the following syntax:

\(\mathsf {HABE}.\mathsf {Setup}(1^\lambda )\) takes as input the security parameter and outputs a master secret key \(\mathsf {msk}\) and a set of public parameters \(\mathsf {pp}\).
\(\mathsf {HABE}.\mathsf {Enc}_\mathsf {pp}(\mu ,x)\) uses the public parameters \(\mathsf {pp}\) and takes as input a message \(\mu \in \{0,1\}\) and an attribute \(x\in \{0,1\}^\ell \). It outputs a ciphertext \(\mathsf {ct}\).
\(\mathsf {HABE}.{\mathsf {Keygen}}_\mathsf {msk}(f)\) uses the master secret key \(\mathsf {msk}\) and takes as input a function \(f \in \mathcal {F}\). It outputs a secret key \(\mathsf {sk}_f\).
\(\mathsf {HABE}.\mathsf {Eval}(\mathsf {ct}^{(1)},\dots ,\mathsf {ct}^{(k)}, g)\) takes as input k ciphertexts \(\mathsf {ct}^{(1)},\dots ,\mathsf {ct}^{(k)}\) and a function \(g \in \mathcal {G}\). It outputs a ciphertext \(\mathsf {ct}^g\).
\(\mathsf {HABE}.\mathsf {Dec}(\mathsf {sk}_F, \mathsf {ct}^g)\) takes as input a set of secret keys \(\mathsf {sk}_{F}\) for a set of policies F, with \(\mathsf {sk}_{F} = \{\mathsf {sk}_f : f \in F\}\), and a ciphertext \(\mathsf {ct}^g\). It outputs a message \(\mu \in \{0,1\}\).

Correctness. The correctness guarantee is that given a set of keys for a policy set F and a ciphertext that was evaluated from ciphertexts respective to attributes covered by F, the ciphertext decrypts correctly to the intended value.

Security. Security is defined using the same experiment as standard ABE (see Definition 3).

Construction of HABE. Consider an \(\mathsf {ABE}\) black box and a \(\mathsf {MFHE}\) black box. The construction works as follows:

\(\mathsf {HABE}.\mathsf {Setup}(1^\lambda )\)

Let \((\mathsf {pp}_\mathsf {ABE}, \mathsf {msk}_\mathsf {ABE}) \leftarrow \mathsf {ABE}.\mathsf {Setup}(1^\lambda )\) and \(\mathsf {pp}_\mathsf {MFHE}\leftarrow \mathsf {MFHE}.\mathsf {Setup}(1^\lambda )\). Output \(\mathsf {pp}= (\mathsf {pp}_\mathsf {ABE},\mathsf {pp}_\mathsf {MFHE}), \mathsf {msk}= \mathsf {msk}_\mathsf {ABE}\).
\(\mathsf {HABE}.\mathsf {Enc}_\mathsf {pp}(\mu ,x)\). Let \((\mathsf {pk},\mathsf {sk}) \leftarrow \mathsf {MFHE}.{\mathsf {Keygen}}_\mathsf {pp}\), where \(\mathsf {sk}\in \{0,1\}^{t}\). Compute \(\mathsf {ct}_\mu \leftarrow \mathsf {MFHE}.\mathsf {Enc}_\mathsf {pp}(\mathsf {pk},\mu )\) and \(\mathsf {ct}_\mathsf {sk}= \{\mathsf {ct}_{\mathsf {sk}_i} = \mathsf {ABE}.\mathsf {Enc}_\mathsf {pp}(\mathsf {sk}_i,x)\}_{i\in [t]}\). Output \(\mathsf {ct}= (\mathsf {ct}_\mu , \mathsf {ct}_\mathsf {sk}, \mathsf {pk}, x)\).
\(\mathsf {HABE}.{\mathsf {Keygen}}_\mathsf {msk}(f)\). Output \(\mathsf {ABEk}_f \leftarrow \mathsf {ABE}.{\mathsf {Keygen}}_\mathsf {msk}(f)\).
\(\mathsf {HABE}.\mathsf {Eval}(\mathsf {ct}^{(1)},\dots ,\mathsf {ct}^{(k)}, g)\)

Let \(\mathsf {ct}_g \leftarrow \mathsf {MFHE}.\mathsf {Eval}_\mathsf {pp}((\mathsf {ct}^{(1)}_\mu ,\dots ,\mathsf {ct}^{(k)}_\mu ),(\mathsf {pk}^{(1)},\dots ,\mathsf {pk}^{(k)}), g)\). Output \(\mathsf {ct}^g = (\mathsf {ct}_g, \mathsf {ct}_\mathsf {sk}^{(1)},\dots , \mathsf {ct}_\mathsf {sk}^{(k)})\).
\(\mathsf {HABE}.\mathsf {Dec}(\mathsf {ABEk}_F, \mathsf {ct}^g)\).

For all \(i \in [k], j\in [t]\) compute \(\mathsf {sk}^{(i)}_j = \mathsf {ABE}.\mathsf {Dec}_\mathsf {pp}(\mathsf {ct}_{\mathsf {sk}_j}^{(i)}, \mathsf {ABEk}_f)\), where \(f\in F\) such that \(f(x^{(i)}) = 0\). Compute and Output \(\mathsf {MFHE}.\mathsf {Dec}_\mathsf {pp}(\mathsf {sk}^{(1)},\dots ,\mathsf {sk}^{(k)}, \mathsf {ct}_g)\).

Correctness Proof Sketch. Consider the execution of \(\mathsf {HABE}.\mathsf {Dec}(\mathsf {ABEk}_F, \mathsf {ct}^g)\). By the correctness of the \(\mathsf {ABE}\) scheme we get correct decryptions of \(\{\mathsf {sk}^{(i)}\}_{i\in [k]}\), and by the correctness of the \(\mathsf {MFHE}\) scheme we get a correct decryption of \(g(\mu ^{(1)},\dots ,\mu ^{(k)})\).

Security Proof Sketch. Consider the ABE selective security game, and assume that in \(\mathsf {HABE}.\mathsf {Enc}_\mathsf {pp}\) the challenger generates \(\mathsf {ABE}\) encryptions of 0s instead of \(\mathsf {ABE}\) encryptions of the bits of \(\mathsf {sk}\). By the security of the \(\mathsf {ABE}\) scheme this change is indistinguishable to the adversarys, therefore in this case the ciphertext gives no information other than the \(\mathsf {MFHE}\) encryption of the message \(\mu \). Hence by the security of the \(\mathsf {MFHE}\) scheme the security of our construction follows.

References

1.
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010)CrossRefGoogle Scholar
2.
Agrawal, S., Boneh, D., Boyen, X.: Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 98–115. Springer, Heidelberg (2010)CrossRefGoogle Scholar
3.
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Miller, G.L. (ed.) Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, 22–24 May 1996, pp. 99–108. ACM (1996)Google Scholar
4.
Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014)CrossRefGoogle Scholar
5.
Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Advances in Cryptology - EUROCRYPT –33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, 11–15 May 2014, Proceedings, pp. 533–556 (2014)Google Scholar
6.
Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.): Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA, 1–4 June 2013. ACM (2013)Google Scholar
7.
Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012)CrossRefGoogle Scholar
8.
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS (2012)Google Scholar
9.
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., et al. (eds.) [6], pp. 575–584Google Scholar
10.
Brakerski, Z., Perlman, R.: Lattice-based fully dynamic multi-key FHE withshort ciphertexts. IACR Cryptology ePrint Archive, 2016:339 (2016, to appear)Google Scholar
11.
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS (2011)Google Scholar
12.
Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Naor, M. (ed.) Innovations in Theoretical Computer Science, ITCS 2014, Princeton, NJ, USA, 12–14 January 2014, pp. 1–12. ACM (2014)Google Scholar
13.
Brakerski, Z., Vaikuntanathan, V.: Circuit-abe from LWE: unbounded attributesand semi-adaptive security. IACR Cryptology ePrint Archive, 2016:118 (2016, to appear)Google Scholar
14.
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptology 25(4), 601–639 (2012)MathSciNetCrossRefMATHGoogle Scholar
15.
Clear, M., McGoldrick, C.: Bootstrappable identity-based fully homomorphic encryption. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 1–19. Springer, Heidelberg (2014)Google Scholar
16.
Clear, M., McGoldrick, C.: Multi-identity and multi-key leveled FHE from learning with errors. In: Gennaro, R., Robshaw, M. (eds.) [19], pp. 630–656Google Scholar
17.
Clear, M., McGoldrick, C.: Attribute-based fully homomorphic encryption with a bounded number of inputs. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 307–324. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-31517-1_16 CrossRefGoogle Scholar
18.
Fischlin, M., Coron, J.-S. (eds.): EUROCRYPT 2016. LNCS, vol. 9666. Springer, Heidelberg (2016)MATHGoogle Scholar
19.
Gennaro, R., Robshaw, M. (eds.): CRYPTO 2015. LNCS, vol. 9216. Springer, Heidelberg (2015)MATHGoogle Scholar
20.
Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009)Google Scholar
21.
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Dwork, C. (ed.) Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, 17–20 May 2008, pp. 197–206. ACM (2008)Google Scholar
22.
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013)CrossRefGoogle Scholar
23.
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Boneh, D., et al. (eds.) [6], pp. 545–554Google Scholar
24.
Gorbunov, S., Vaikuntanathan, V., Wichs, D.: Leveled fully homomorphic signatures from standard lattices. In: Servedio, R.A., Rubinfeld, R. (eds.) Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, 14–17 June 2015, pp. 469–477. ACM (2015)Google Scholar
25.
Goyal, R., Koppula, V., Waters, B.: Semi-adaptive security and bundling functionalities made generic and easy. Cryptology ePrint Archive, Report 2016/317 (2016). http://eprint.iacr.org/2016/317
26.
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels, A., Wright, R.N., di Vimercati, S.D.C. (eds.) Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, 30 October–3 November 2006, pp. 89–98. ACM (2006)Google Scholar
27.
López-Alt, A., Tromer, E., Vaikuntanathan, V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: Karloff, H.J., Pitassi, T. (eds.) Proceedings of the 44th Symposium on Theory of Computing Conference, STOC 2012, New York, NY, USA, 19–22 May 2012, pp. 1219–1234. ACM (2012)Google Scholar
28.
Lyubashevsky, V., Wichs, D.: Simple lattice trapdoor sampling from a broad class of distributions. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 716–730. Springer, Heidelberg (2015)Google Scholar
29.
Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 465–484. Springer, Heidelberg (2011)CrossRefGoogle Scholar
30.
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012)CrossRefGoogle Scholar
31.
Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. In: Fischlin, M., Coron, J. (eds.) [18], pp. 735–763Google Scholar
32.
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, 31 May – 2 June 2009, pp. 333–342 (2009)Google Scholar
33.
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93 (2005)Google Scholar
34.
Rivest, R.L., Adleman, L., Dertouzos, M.L.: On data banks and privacy homomorphisms. Found. Secure Comput. (1978)Google Scholar
35.
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)CrossRefGoogle Scholar
36.
Schnorr, C.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)MathSciNetCrossRefMATHGoogle Scholar

Copyright information

Authors and Affiliations

Zvika Brakerski
- 1
Email author
David Cash
- 2
Rotem Tsabary
- 1
Hoeteck Wee
- 3

1.Weizmann Institute of ScienceRehovotIsrael
2.Rutgers UniversityNew BrunswickUSA
3.ENS, CNRS and Columbia UniversityParisFrance

Targeted Homomorphic Attribute-Based Encryption

Abstract

Notes

Acknowledgments

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper

Cookies