1 Introduction

In traditional public-key encryption, data is encrypted for an individual user whose public key is known at the time of encryption, and only the target user is able to decrypt the resulting ciphertext. However, many applications require encryption with more expressive access control capabilities. For example, electronic medical records contain a wealth of sensitive patient information that should be accessible only to medical administrators (e.g., doctors, nurses, pharmacists, and researchers) whose credentials satisfy complex access policies based on their roles and relationships to the patient [2].

For these applications, straightforward encryption solutions are inadequate for two reasons. First, the ciphertext must be decryptable by potentially many users with distinct keys. The trivial solution of encrypting the data separately to each user results in long ciphertexts. A long line of work on broadcast encryption (e.g., [5, 11, 23]) aims to reduce the ciphertext size for this problem. Second, the identities of the authorized users may not be known to the encryptor; instead of encrypting to individual users we wish to encrypt to access policies so that only users whose credentials satisfy the policy can decrypt. The trivial solution of providing a separate key for each group of attributes results in long keys for the recipients of messages.

Attribute-based encryption (ABE), introduced by Sahai and Waters [26], addresses both of these issues. In ABE, each secret key corresponds to a predicate f, and each ciphertext corresponds to a message and an index \(\mathsf {ind}\). Decryption returns the message if and only if \(f(\mathsf {ind}) = 1\). Thus, ABE allows automatic enforcement of any access policy that can be expressed as the evaluation of \(f(\mathsf {ind})\). Two commonly considered special cases of ABE are ciphertext-policy ABE (CP-ABE) [4], where the secret key predicate is a set of attributes and the ciphertext index is an access policy over attributes, and key-policy ABE (KP-ABE) [18], where the roles of the index and the predicate are reversed.

Since the introduction of ABE, many constructions and related primitives have appeared in the literature (e.g., [4, 12, 16, 18, 22, 24, 28]). ABE has also been implemented in some applications, including the protection of electronic medical records [2]; we refer readers to [19, Sect. 3.2] for a longer overview of the history of ABE.

However, all known constructions of ABE rely on concrete assumptions such as the hardness of certain problems over bilinear maps or integer lattices rather than generic assumptions such as the existence of CPA-secure public-key encryption. In fact, it is known that, when using black-box techniques, the security of ABE cannot be based on such generic assumptions [6, 21].

The difficulty of building ABE from generic assumptions stems from its collusion resistance requirement, which states that two or more users, neither of whose attributes satisfy the policy embedded in a ciphertext, should not be able to decrypt the message using their joint key material. Intuitively, for CP-ABE this requires the secret key corresponding to a set of attributes to be “bound” together so that the contribution that each attribute makes to the key cannot be detached and re-purposed toward decrypting a message requiring a different combination of attributes. ABE typically requires security against unbounded collusion. That is, even if a very large and a priori unbounded number of users collude, they should fail to decrypt any ciphertexts that none of them can decrypt individually.

In this work, we consider a relaxation of the unbounded collusion requirement and instead consider schemes that are secure against an a priori bounded number of colluders. Positive results have recently been shown in constructing bounded-collusion ABE (BC-ABE) schemes assuming only the existence of public-key encryption [15, 25].Footnote 1 We stress that this relaxation does not limit the number of keys that may be issued, but rather only the number of colluders that the scheme can withstand.

Such generic constructions of ABE based on public-key encryption have several benefits. First, they can be instantiated from a number of standard cryptographic hardness assumptions. Second, by replacing CPA-secure public-key encryption with its symmetric-key counterpart, these schemes directly yield a construction of symmetric-key ABE schemes that require the secret key for encryption as well.Footnote 2 In particular, this implies that bounded-collusion symmetric-key ABE can be constructed from the minimal assumption of the existence of one-way functions. By contrast, constructions of ABE based on specific assumptions lack a clear transformation into symmetric-key ABE without still relying on “public-key” assumptions.

However, the only known constructions of BC-ABE from public-key encryption [15] require keys and ciphertexts that grow very quickly with the collusion bound (see Table 1). Thus, it remains worthwhile to reduce the key and ciphertext length in constructions of bounded-collusion ABE to understand what can be achieved using these minimal assumptions.

1.1 Our Results

In this paper we address exactly this problem, showing two different constructions of bounded-collusion ABE based only on the existence of public-key encryption, achieving shorter key sizes, public parameters, and ciphertexts. We adopt the two-step procedure taken by Gorbunov et al. [15]: first design an ABE scheme that is secure against an adversary with only a single key (which we call a 1-ABE scheme), and then design a bootstrapping procedure that yields a BC-ABE scheme secure against a larger number of collusions q (which we call a q-ABE scheme). Indeed, we retain the 1-ABE scheme of [15], which can be instantiated based only on CPA-secure public-key encryption. Therefore, the focus of our work is to reduce the dependence on q in the construction of q-ABE from 1-ABE. Specifically, we show a construction satisfying the following theorem:

Theorem 1

(Informal). Suppose there exists a public-key (resp., symmetric-key) 1-ABE scheme for a class of access policies. Then there exists a public-key (resp., symmetric-key) BC-ABE scheme for the same class of access policies tolerating collusions of size at most q with the following characteristics: public parameters consisting of \(O(\frac{q^2}{\log {q}}\lambda )\) 1-ABE encryption keys, secret keys consisting of \(O(\frac{1}{\log {q}}\lambda )\) 1-ABE keys, and ciphertexts consisting of \(O(\frac{q^2}{\log {q}}\lambda )\) 1-ABE ciphertexts, where \(\lambda \) is the security parameter.

We formalize and prove this theorem in Sect. 5. We then instantiate the 1-ABE scheme with the construction of Sahai and Seyalioglu [25] (subsequently improved to handle full, adaptive security by Gorbunov et al. [15]), which gives 1-ABE for the access policies expressed by arbitrary Boolean circuits from CPA-secure encryption. This immediately yields the following result:

Corollary 1

If public-key (respectively, symmetric-key) encryption exists, then there exist public-key (resp., symmetric-key) ABE schemes for access policies expressed by boolean circuits tolerating collusion of size at most q. The sizes of the public parameters, secret keys, and ciphertexts in the resulting BC-ABE scheme come from two sources: (1) the use of CPA-secure encryption to construct 1-ABE (e.g., in [15, 25]) and (2) the use of 1-ABE to construct q-ABE in Theorem 1. In particular, the only dependencies of these parameters on q come from Theorem 1, since any 1-ABE construction from CPA-secure encryption is clearly independent of q.

1.2 Comparison to Prior Work

We construct two schemes in this paper: a basic scheme in Sect. 4 that is easier to analyze but whose bounds are slightly weaker than those in Theorem 1, and then an improved scheme that fully meets the theorem. This section and Table 1 compare the parameters of our schemes with two related works: Dodis et al.’s bounded-collusion identity-based encryption (IBE) scheme [10] and Gorbunov et al.’s bounded-collusion ABE scheme [15].

Our basic scheme has asymptotic dependence on q that is roughly comparable to the Dodis et al. [10] construction of bounded-collusion IBE, a weaker primitive than ABE, from public-key encryption, while avoiding the need for cover-free sets used by that construction. Specifically, our scheme has shorter secret keys but larger ciphertexts; the asymptotic size of the public parameters is the same in both constructions.

Our basic scheme is also a significant improvement over the bounded-collusion ABE scheme of [15], in which both the public parameters and the ciphertext grow as \(O(q^4)\). Indeed, the secret key size in our basic scheme does not grow with the collusion bound. This is a significant improvement allowing us to keep secret key sizes short even when tolerating a high collusion bound. Also, the dependence on q of the ciphertext size of our basic scheme matches that of the best known constructions of bounded-collusion functional encryption (which implies ABE) from lattice assumptions [1].

Our improved scheme further reduces the size of public parameters, secret keys, and ciphertexts each by a factor of \(\log q\). This leads to the somewhat counterintuitive property that the size of secret keys decreases as the collusion bound increases!

Table 1. Comparison of bounded-collusion ABE schemes tolerating collusions of size at most q (note: DKXY only provides IBE). Sizes are given in terms of number of 1-ABE keys or 1-ABE ciphertexts. Here \(\lambda \) is a security parameter.
Full size table

1.3 Our Techniques

Our main technique follows the same high-level approach taken by Gorbunov et al. [15]. Specifically, during setup, N key pairs for a 1-ABE scheme are generated. The secret keys become the master secret key of the BC-ABE scheme while the public keys become the public parameters. Then, every BC-ABE secret key consists of a subset of the secret keys. To encrypt a message m with an index \(\mathsf {ind}\), the message is first secret-shared and then each share is encrypted under \(\mathsf {ind}\) using a different 1-ABE public key. To make this work, the subset of keys included in a BC-ABE secret key and the secret sharing are chosen in such a way that if \(f(\mathsf {ind}) = 1\) for the predicate f encoded in a secret key, then that key will allow the recovery of sufficiently many shares of m so decryption will succeed. However, any set of q keys not satisfying \(\mathsf {ind}\) reveals no information about m. In particular, such a set of keys cannot be combined to recover the appropriate shares to reconstruct m.

In [15] this property is achieved by using a t-out-of-n secret sharing of the message and then partitioning the secret keys in such a way that sets of keys included in different BC-ABE secret keys have small pairwise intersections. Since at least t key intersections are needed to recover the message (each intersection allows the attacker to recover one share), this guarantees that a large number of keys is needed.

Our basic scheme improves on this technique by (1) using an n-out-of-n secret sharing of the message and encrypting each share under l independent 1-ABE keys and then (2) for each BC-ABE secret key giving 1 out of the l possible keys to recover each share to reduce the probability of key intersection. This requires an adversary to be able to reconstruct all of the n top level shares by getting enough intersections for each of them. We show that this approach allows us to reduce the size of the public parameters and the ABE secret keys while still guaranteeing resistance against q bounded-collusions with overwhelming probability.

Our improved scheme uses a multi-dimensional secret-sharing algorithm, which has the properties that (1) there exist small sets of shares that suffice to reconstruct the message and (2) such small sets of shares are rare, so for shares chosen at random a large number of shares is needed to reconstruct the message. By using multi-dimensional secret-sharing, the secret keys of our ABE scheme only need to include keys allowing decryption of such a small set of shares, whereas an adversary who only learns shares at random must recover a large number of shares in order to reconstruct the message. This allows us to further reduce the size of public parameters, keys, and ciphertexts by an additional logarithmic factor in the collusion bound q.

1.4 Paper Organization

The rest of the paper is organized as follows. In Sect. 2, we provide more details on related work. In Sect. 3, we give some necessary background and define bounded-collusion ABE. In Sect. 4, we present our basic construction. Then, in Sect. 5, we present our improved construction. Finally, in Sect. 6 we briefly discuss how to instantiate 1-ABE.

2 Related Work

Impossibility of Unbounded Collusion From Generic Assumptions.

Several prior works have aimed to understand the difficulty of building ABE and related primitives from generic assumptions such as CPA-secure encryption. Evidence that such constructions are unlikely was first given by Boneh et al. [6], who showed that there is no black-box construction of IBE from CPA-secure encryption or trapdoor permutations. This result was subsequently extended by Katz and Yerukhimovich [21], who also ruled out constructions of ABE for several classes of access policies. Finally, Goyal et al. [17] showed that for certain classes of access policies, ABE cannot be even constructed from the much stronger assumption that IBE exists. Note that the latter two works prove impossibility of public-index predicate encryption, a construct that is equivalent to ABE and that we will use in this paper as well (cf. Definition 3).

Bounded Collusion Constructions.

Our restriction to tolerating collusions of bounded size has been used before to build ABE and related primitives from (somewhat) standard assumptions. Early works [9, 10] showed how to construct bounded-collusion identity-based encryption (IBE), a special case of ABE where the only formulas allowed are equalities over the set of attributes, from standard public-key encryption. Later, Goldwasser et al. [14] showed a more efficient construction of bounded-collusion IBE if the underlying encryption scheme satisfied a key-homomorphism property and had an associated hash-proof system. This latter requirement of hash-proof systems was subsequently removed by Tessaro and Wilson [27].

Going beyond IBE, Sahai and Seyalioglu [25] showed that standard public-key secure encryption can be used to achieve 1-query security for functional encryption, a powerful generalization of ABE. This construction was then leveraged and improved by Gorbunov et al. [15] to achieve bounded-collusion security for functional encryption under the assumption that a low-depth pseudorandom number generator exists. However, their construction can be used to realize bounded-collusion ABE without this latter assumption.

Additionally, the bounded-collusion relaxation has also been used for several constructions relying on stronger computational assumptions. For example, Goldwasser et al. [13] show how to build a 1-key succinct functional encryption scheme based on any fully-homomorphic encryption and attribute-based encryption for circuits, both of which can be realized from lattice assumptions. More recently, Agrawal and Rosen [1] showed how to build a bounded-collusion functional encryption scheme achieving online/offline encryption, allowing much of the encryption procedure to be precomputed before the message is known, from a specific lattice-based functional encryption scheme for inner product functions.

3 Definitions

In this section, we provide notation and definitions of the primitives we will use.

3.1 Preliminaries

For \(n \in \mathbb {N} \), we let [n] denote the set of integers \(\{1,\ldots , n\}\). Let \(\mathsf {negl}\) denote a negligible function. Let ppt denote the class of algorithms that run in probabilistic polynomial time. Additionally, we assume in this work that all sets are ordered.

We first define public- and symmetric-key encryption.

Definition 1

(Encryption scheme). A public-key (respectively, symmetric-key) encryption scheme \(\mathrm {\varSigma } \) for the message space \(\mathcal {M}\) consist of three ppt algorithms \(\mathsf {KeyGen} \), \(\mathsf {Enc} \), and \(\mathsf {Dec} \) defined as follows.

  • \(\mathsf {KeyGen} (1^\lambda )\) takes as input the unary representation of the security parameter \(\lambda \) and outputs the public and private keys \((\mathsf {pk}, \mathsf {sk})\). (For a symmetric-key encryption scheme, \(\mathsf {pk} \) must be the empty string.)

  • \(\mathsf {Enc} (\mathsf {ek}, m)\) takes as input an encryption key \(\mathsf {ek} \) and a message \(m \in \mathcal {M}\) and outputs a ciphertext \(\mathsf {ct} \), where \(\mathsf {ek} = \mathsf {pk} \) (resp., \(\mathsf {ek} = \mathsf {sk} \)).

  • \(\mathsf {Dec} (\mathsf {sk}, \mathsf {ct})\) takes as input the secret key \(\mathsf {sk} \) and a ciphertext \(\mathsf {ct} \) and outputs either a message \(m \in \mathcal {M}\) or the distinguished symbol \(\bot \).

For correctness we require the following condition: for all \(\lambda \) and \(m \in \mathcal {M}\), if we compute \((\mathsf {pk}, \mathsf {sk}) \leftarrow \mathsf {KeyGen} (1^\lambda )\) and \(\mathsf {ct} \leftarrow \mathsf {Enc} (\mathsf {ek}, m)\), then \(\mathsf {Dec} (\mathsf {sk}, \mathsf {ct}) = m \).

We use a standard notion of security against chosen plaintext attacks defined in terms of a left-or-right oracle. For \(b \in \{0,1\} \), we define \(\mathsf {Enc} _b(\mathsf {ek}, m_0, m_1) = \mathsf {Enc} (\mathsf {ek}, m_b)\).

Definition 2

(CPA-security for encryption). An encryption scheme \(\mathrm {\varSigma } = (\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec})\) is \(CPA-secure \) if for all valid ppt adversaries \(\mathcal {A} \),

$$ |\Pr [\mathcal {A} ^{\mathsf {Enc} _0(\mathsf {ek}, \cdot , \cdot )}(1^\lambda , \mathsf {pk}) = 1]- \Pr [\mathcal {A} ^{\mathsf {Enc} _1(\mathsf {ek}, \cdot , \cdot )}(1^\lambda , \mathsf {pk}) = 1]| \le \mathsf {negl}(\lambda ), $$

where the probability is taken over the randomness of \((\mathsf {pk}, \mathsf {sk}) \leftarrow \mathsf {KeyGen} (1^\lambda )\), \(\mathsf {Enc} \), and \(\mathcal {A} \). An adversary \(\mathcal {A} \) is valid if \(|m_0| = |m_1|\) for all \(\mathsf {Enc} _b\) queries \((m_0, m_1)\).

3.2 Attribute-Based Encryption with Bounded-Collusion Security

We now define attribute-based encryption (ABE) (also called predicate encryption with public index). This definition encompasses both ciphertext-policy ABE and key-policy ABE.

Definition 3

(Attribute-based encryption scheme). A public-key, (respectively, symmetric-key) attribute-based encryption scheme \(\varPi \) for a message space \(\mathcal {M}\), an index space \(\mathcal {I}\), and a predicate space \(\mathcal {F}\) consists of four ppt algorithms \((\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})\) defined as follows.

  • \(\mathsf {Setup} (1^\lambda , q)\) takes as input the unary representation of the security parameter \(\lambda \) and (optionally) a collusion bound q, and outputs the master public and secret keys \((\mathsf {MPK}, \mathsf {MSK})\). (For a symmetric-key attribute-based encryption scheme, \(\mathsf {MPK} \) must be the empty string.)

  • \(\mathsf {KeyGen} (\mathsf {MSK}, f)\) takes as input the master secret key \(\mathsf {MSK} \) and a predicate \(f \in \mathcal {F}\), and outputs a secret key \(\mathsf {sk} _f\).

  • \(\mathsf {Enc} (\mathsf {EK}, m, \mathsf {ind})\) takes as input an encryption key \(\mathsf {EK} \), a message \(m \in \mathcal {M}\), and an index \(\mathsf {ind}\in \mathcal {I}\), and outputs a ciphertext \(\mathsf {ct} \), where \(\mathsf {EK} = \mathsf {MPK} \) (resp., \(\mathsf {EK} = \mathsf {MSK} \)).

  • \(\mathsf {Dec} (\mathsf {sk} _f, \mathsf {ct})\) takes as input a secret key \(\mathsf {sk} _f\) and a ciphertext \(\mathsf {ct} \), and outputs either a message \(m \in \mathcal {M}\) or the distinguished symbol \(\bot \).

For correctness we require the following: for all \(\lambda \), \(q \in \mathbb {N} \), \(m \in \mathcal {M}\), \(\mathsf {ind}\in \mathcal {I}\), and \(f \in \mathcal {F}\) such that \(f(\mathsf {ind}) = 1\), if we compute \((\mathsf {MPK}, \mathsf {MSK}) \leftarrow \mathsf {Setup} (1^\lambda , q)\), \(\mathsf {sk} _f \leftarrow \mathsf {KeyGen} (\mathsf {MSK}, f)\), and \(\mathsf {ct} \leftarrow \mathsf {Enc} (\mathsf {EK}, m, \mathsf {ind})\), then we require \(\mathsf {Dec} (\mathsf {sk} _f, \mathsf {ct}) = m\).

We stress that in the above definition \(\mathsf {Setup} \) takes the query bound q as a parameter; therefore, \(\mathsf {MPK} \) and \(\mathsf {MSK} \) may depend on q.

We now define bounded-collusion security for attribute-based encryption. Our definitions follow the functional encryption definitions of Brakerski and Segev [7]. We define security in terms of left-or-right indistinguishability. For \(b \in \{0,1\} \), we define \(\mathsf {Enc} _b(\mathsf {EK}, (m_0,m_1), \mathsf {ind}) = \mathsf {Enc} (\mathsf {EK}, m_b, \mathsf {ind})\).

Definition 4

( q -query security for ABE). An attribute-based encryption scheme \(\varPi = (\mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Enc}, \mathsf {Dec})\) is q-query secure if for all valid ppt adversaries \(\mathcal {A} \) making at most q key queries,

$$\begin{aligned} \text {Adv} _{\varPi , \mathcal {A}, q}(\lambda ) = |\Pr&[\mathcal {A} ^{\mathsf {KeyGen} (\mathsf {MSK}, \cdot ), \mathsf {Enc} _0(\mathsf {EK}, \cdot , \cdot )}(1^\lambda , q, \mathsf {MPK}) = 1] \\&- \Pr [\mathcal {A} ^{\mathsf {KeyGen} (\mathsf {MSK}, \cdot ), \mathsf {Enc} _1(\mathsf {EK}, \cdot , \cdot )}(1^\lambda , q, \mathsf {MPK}) = 1]| \le \mathsf {negl}(\lambda )\text {.} \end{aligned}$$

In the definition of advantage, the probabilities are taken over the randomness of \((\mathsf {MPK}, \mathsf {MSK}) \leftarrow \mathsf {Setup} (1^\lambda , q)\), \(\mathsf {KeyGen} \), \(\mathsf {Enc} \), and \(\mathcal {A} \). An adversary \(\mathcal {A} \) is valid if for all \(\mathsf {Enc} _b\) queries \(((m_0, m_1), \mathsf {ind})\), \(|m_0| = |m_1|\); furthermore, if there exists any \(\mathsf {KeyGen} \) query f such that \(f(\mathsf {ind}) = 1\), then \(m_0 = m_1\).

4 Basic BC-ABE Construction

We now present our basic bounded-collusion construction that builds a q-query secure attribute-based encryption scheme from a 1-query secure attribute-based encryption scheme.

For intuition, consider an encryption algorithm that encrypts the message with its associated index many times under independent instances of a 1-query attribute-based encryption scheme. Let the secret key for a predicate be generated as the secret key for that predicate for one of the 1-query schemes, chosen at random. Then an authorized user (a user with a predicate satisfied by the index) can decrypt the message using the 1-query scheme for which she has a key. If two unauthorized users collude, as long as their keys are from different instances of the 1-query ABE scheme, the 1-query security property suffices to ensure that they cannot learn anything about the message.

However, this simple parallel encryption approach does not scale well. If the total number of users exceeds the number of 1-query ABE instances, there will necessarily be two users with keys from the same instance, exceeding the collusion bound for that instance.

Instead, in our construction, we first additively secret-share the message, then perform parallel encryptions as described above on each additive share. Each user is given for each additive share a key from a random 1-query ABE instance. This approach allows us to make a combinatorial argument about the number of unauthorized colluders necessary to reconstruct the message with non-negligible probability.

Note, however, that unlike the message, the index is not secret shared and is included in each of the 1-query ABE ciphertexts. For this reason our construction cannot be used to achieve q-query security for the stronger primitive of predicate encryption with private index, even if the 1-query scheme has this stronger property. Specifically, the index will be revealed any time an adversary receives two keys for any of the component 1-query schemes, thus breaking index privacy.

Fig. 1.
figure 1

Overview of our basic construction. A user with predicate \(f \in \mathcal {F}\) receives w \(\mathsf {1\text {-}ABE} \) secret keys, one from each column, where \(\mathsf {sk} _{i,j} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {KeyGen} (\mathsf {MSK} _{i,j}, f)\). A ciphertext for a message m contains \(\ell \cdot w\) \(\mathsf {1\text {-}ABE} \) ciphertexts, formed by using each of the \(\ell \) keys in the \(j^\text {th}\) column, individually, to encrypt secret share \(z_j\), where \(m = \sum _{j=1}^{w}{z_j}\). One key from each column is required for decryption.

Full size image

4.1 Construction

Let \(\mathsf {1\text {-}ABE} \) be a 1-query secure attribute-based encryption scheme with message space \(\mathcal {M}\), index space \(\mathcal {I}\), and predicate space \(\mathcal {F}\); we require that \(\mathcal {M}\) have the property that the set of elements of each length form a finite group, so that we may perform additive secret sharing. Additionally, let \(\ell \) and w be integers; we will explain later how to set these parameters based on the security parameter \(\lambda \) and the collusion bound q. We define the scheme \(\mathsf {q\text {-}ABE} \) for message space \(\mathcal {M}\), index space \(\mathcal {I}\), and predicate space \(\mathcal {F}\) formally below; we also refer readers to Fig. 1 for an informal visual depiction.

 

\(\mathsf {Setup} (1^\lambda , q)\)::

For each row \(i\in [\ell ]\) and column \(j\in [w]\), independently sample \((\mathsf {MPK} _{i,j}, \mathsf {MSK} _{i,j}) \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Setup} (1^\lambda )\). Output \(\mathsf {MPK} = \{\mathsf {MPK} _{i,j}\}_{i\in [\ell ], j\in [w]}\) and \(\mathsf {MSK} = \{\mathsf {MSK} _{i,j}\}_{i\in [\ell ], j\in [w]}\).

\(\mathsf {KeyGen} (\mathsf {MSK}, f \in \mathcal {F})\)::

Choose one cell from each column uniformly at random; formally, choose a set \(\{r_1,\ldots ,r_w\} \overset{R}{\leftarrow }[\ell ]^w\). Next, for each column \(j \in [w]\), set \(\mathsf {sk} _{r_j, j} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {KeyGen} (\mathsf {MSK} _{r_j,j}, f)\). Output \(\mathsf {sk} _f = \{r_j, \mathsf {sk} _{r_j,j}\}_{j \in [w]}\).

\(\mathsf {Enc} (\mathsf {EK}, m \in \mathcal {M}, \mathsf {ind}\in \mathcal {I})\)::

Perform the following steps:

1.:

Perform a w-of-w secret sharing of \(m \); formally, choose \(z_1,\ldots ,z_w \overset{R}{\leftarrow }\mathcal {M} \) uniformly such that \(\sum _{j=1}^{w} z_j = m \). (Note that due to the finite group requirement described above, \(|z_j| = |m|\) for all j.)

2.:

Compute the set of ciphertexts \(\mathsf {ct} _{i,j} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Enc} (\mathsf {EK} _{i,j},z_j,\mathsf {ind})\) for each row \(i \in [\ell ]\) and column \(j \in [w]\),

3.:

Output the concatenation of \(\ell \cdot w\) ciphertexts \(\mathsf {ct} = \{\mathsf {ct} _{i,j} \}_{i \in [\ell ], j \in [w]}\).

\(\mathsf {Dec} (\mathsf {sk} _f, \mathsf {ct})\)::

Perform the following steps:

1.:

Parse \(\mathsf {sk} _f\) as \(\{r_j, \mathsf {sk} _{r_j,j}\}_{j \in [w]}\) and parse \(\mathsf {ct} \) as \(\{\mathsf {ct} _{i,j} \}_{i \in [\ell ], j \in [w]}\).

2.:

For each column \(j \in [w]\), let \(z_j \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Dec} (\mathsf {sk} _{r_j,j}, \mathsf {ct} _{r_j,j})\).

3.:

If any \(z_j = \bot \), then output \(\bot \). Otherwise, output \(m = \sum _{j=1}^{w} z_j\).

 

Correctness. Suppose that a user receives a ciphertext \(\mathsf {ct} = \mathsf {Enc} (\mathsf {EK}, m, \mathsf {ind})\) and she possesses a secret key \(\mathsf {sk} \leftarrow \mathsf {KeyGen} (\mathsf {MSK}, f)\) for a predicate f such that \(f(\mathsf {ind}) = 1\). For each column \(j \in [w]\), the user possesses some secret key \(\mathsf {sk} _{r_j,j}\); by the correctness of the underlying \(\mathsf {1\text {-}ABE} \) scheme, this key suffices to decrypt the message \(z_j\) contained in the ciphertext \(\mathsf {1\text {-}ABE}.\mathsf {Enc} (\mathsf {EK} _{i,j},z_j,\mathsf {ind})\). Finally, from all of the secret shares, the user may recover the original message \(m = \sum _{j=1}^{w} z_j\).

As the scheme is written, repeated key queries would count as separate queries towards the bound q. In order to avoid this, the values \(\{r_1,\ldots ,r_w\}\) in \(\mathsf {KeyGen} \) can be chosen pseudorandomly based on the predicate f so that the same key is issued for repeated key queries. This conversion is straightforward and we omit the details.

4.2 Setting the Parameters

The following combinatorial lemma provides a good setting of the parameters \(\ell \) and w. We first define two probabilistic events about any set of up to q key queries made to the \(\mathsf {q\text {-}ABE} \) scheme. Let \(\mathsf {Bad}_j\) denote the event that there exists a row \(i \in [\ell ]\) such that the key query responses include two or more keys corresponding to \(\mathsf {MSK} _{i,j}\). Additionally, let \(\mathsf {Bad}\) denote the event that \(\mathsf {Bad}_j\) occurs for all columns \(j \in [w]\).

Lemma 1

Let the \(\mathsf {q\text {-}ABE} \) scheme be instantiated with \(\ell = q^2\) and \(w = \lambda \), and suppose at most q \(\mathsf {KeyGen} \) queries are made. Then \(\Pr [\mathsf {Bad} ] \le \mathsf {negl}(\lambda )\).

Proof

Consider a single column \(j \in [w]\). Note that each \(\mathsf {sk} _f\) contains exactly one \(\mathsf {1\text {-}ABE} \) key \(\mathsf {sk} _{r_j, j}\) for that value of j, where \(r_j\) is chosen randomly. Thus, the probability that q such values are all distinct is

$$ 1 \cdot \left( 1-\frac{1}{\ell }\right) \cdot \left( 1 - \frac{2}{\ell }\right) \cdot \ldots \cdot \left( 1 - \frac{q-1}{\ell }\right) \ge \left( 1 - \frac{q-1}{\ell }\right) ^{q} \text {.} $$

Thus, for a given column j, the event \(\mathsf {Bad}_j\) holds with probability at most \((1 - (1 - \frac{q-1}{\ell })^q)\). The probability of \(\mathsf {Bad}_j \) is independent for each j, so the probability that \(\mathsf {Bad}_j \) holds for all w columns is at most \((1-(1-\frac{q-1}{\ell })^q)^w\). Letting \(\ell = q^2\) and \(w = \lambda \), we find that \(\mathsf {Bad}\) occurs with probability at most

$$ \left( 1-\left( 1-\frac{q-1}{q^2}\right) ^q\right) ^{\lambda } = \left( 1-\left( 1-\frac{1}{q}+\frac{1}{q^2}\right) ^q\right) ^{\lambda } < \left( 1-e^{-1}\right) ^{\lambda } \le \mathsf {negl}(\lambda ) \text {,} $$

where the first inequality follows from the fact that \((1-\frac{1}{x}+\frac{1}{x^2})^x > 1/e\) for all \(x > 0\).

Setting \(\ell \) and w as indicated in Lemma 1, we arrive at the following performance characteristics for our \(\mathsf {q\text {-}ABE} \) construction.

  • \(\mathsf {MPK} \) and \(\mathsf {MSK} \) consist of \(O(q^2\lambda )\) \(\mathsf {1\text {-}ABE} \) keys.

  • The ciphertext size is \(O(q^2\lambda )\) \(\mathsf {1\text {-}ABE} \) ciphertexts.

  • Each decryption key has \(O(\lambda )\) \(\mathsf {1\text {-}ABE} \) secret keys.

4.3 Security

We now prove that the \(\mathsf {q\text {-}ABE} \) scheme defined in Sect. 4.1 is q-query secure if the underlying \(\mathsf {1\text {-}ABE} \) scheme is 1-query secure.

Theorem 2

Let \(\mathsf {1\text {-}ABE} \) be any public-key (respectively, symmetric-key) ABE scheme that is 1-query secure. For any valid ppt ABE adversary \(\mathcal {A} \) for the resulting public-key (resp., symmetric-key) scheme \(\mathsf {q\text {-}ABE} \) making at most q key queries, there exists a valid ppt ABE adversary \(\mathcal {B} \) for \(\mathsf {1\text {-}ABE} \) making at most 1 key query, with advantage \(\text {Adv} _{\mathsf {1\text {-}ABE}, \mathcal {B}, 1}(\lambda ) \ge \frac{1}{q^2 \lambda } \text {Adv} _{\mathsf {q\text {-}ABE}, \mathcal {A}, q}(\lambda )-\mathsf {negl}(\lambda )\).

Proof

Let \(\mathcal {A} \) be an adversary against our \(\mathsf {q\text {-}ABE} \) construction that makes at most q key queries. We begin with the observation that the event \(\mathsf {Bad} \) (and also all \(\mathsf {Bad} _j\) events) depends only on the randomness tape of \(\mathsf {q\text {-}ABE}.\mathsf {KeyGen} \) (which chooses the random values \(r_j\)), and not on the values fed in as input. For the rest of this proof, we restrict \(\mathsf {KeyGen} \) only to use randomness tapes that will not lead to the event \(\mathsf {Bad} \) within the first q key oracle queries, so that in particular adversary \(\mathcal {A} \) never causes the event \(\mathsf {Bad} \). Denote \(\mathcal {A} \)’s advantage in this modified security game as \(\text {Adv} '_{\mathsf {q\text {-}ABE}, \mathcal {A}, q}\). Since \(\Pr [\mathsf {Bad} ]\) is negligible by Lemma 1, our restriction causes at most negligible change to our distinguishing advantage by a standard reasoning up to failure argument:

$$\begin{aligned} \text {Adv} '_{\mathsf {q\text {-}ABE}, \mathcal {A}, q}(\lambda ) \ge \text {Adv} _{\mathsf {q\text {-}ABE}, \mathcal {A}, q}(\lambda ) - 2 \cdot \Pr [\mathsf {Bad} ] \text {.} \end{aligned}$$
(1)

Given some column \(j^* \in [w]\), we consider a series of hybrid experiments \(\mathcal {H}_0^{j^*}, \mathcal {H}_1^{j^*}, \ldots , \mathcal {H}_\ell ^{j^*}\). Each experiment \(\mathcal {H}_k^{j^*}\) is defined to use the same \(\mathsf {Setup} \) and \(\mathsf {KeyGen} \) as the modified \(\mathsf {q\text {-}ABE} \) game, but it responds to \(\mathsf {Enc} _b\) oracle queries \(((m_0, m_1), \mathsf {ind})\) by forming the ciphertext in a special way:

Choose \(z_j\) uniformly at random for all \(j \in [w], j \ne j^*\). Let \(z_{j^*, 0} = m_0 - \sum _{j \ne j^*} z_j\) and \(z_{j^*, 1} = m_1 - \sum _{j \ne j^*} z_j\).

  • For \(j \ne j^*\), for all i let \(\mathsf {ct} _{i,j} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Enc} (\mathsf {EK} _{i,j}, z_{j}, \mathsf {ind})\).

  • For \(i > k\), let \(\mathsf {ct} _{i, j^*} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Enc} (\mathsf {EK} _{i,j^*}, z_{j^*, 0}, \mathsf {ind})\).

  • For \(i \le k\), let \(\mathsf {ct} _{i, j^*} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Enc} (\mathsf {EK} _{i,j^*}, z_{j^*, 1}, \mathsf {ind})\).

Finally, the modified \(\mathsf {Enc} _b\) oracle outputs \(\mathsf {ct} = \{\mathsf {ct} _{i,j} \}_{i \in [\ell ], j \in [w]}\).

Note that for all \(j^*\), \(\mathcal {H}_0^{j^*}\) corresponds exactly to the modified ABE security game with the encryption oracle being \(\mathsf {Enc} _0\), and \(\mathcal {H}_\ell ^{j^*}\) corresponds exactly to the modified ABE security game with the encryption oracle being \(\mathsf {Enc} _1\). Let \(\varepsilon = \text {Adv} '_{\mathsf {q\text {-}ABE}, \mathcal {A}, q}(\lambda )\), and let \(p_k\) denote the probability that \(\mathcal {A} \) outputs 1 in experiment \(\mathcal {H}_k^{j^*}\). Then \(\varepsilon = |p_{\ell } - p_{0}| \le \sum _{k = 1}^{\ell } |p_{k} - p_{k-1}|\), so there must exist some k such that \(|p_{k} - p_{k-1}| \ge \varepsilon / \ell \).

We now construct an adversary \(\mathcal {B} \) for \(\mathsf {1\text {-}ABE} \) that breaks 1-query security. \(\mathcal {B} \) first samples \(j^* \in [w]\) uniformly at random, and chooses row \(i^* \in [\ell ]\) such that \(|p_{i^*} - p_{i^*-1}| \ge \varepsilon / \ell \) for the chosen \(j^{*}\). \(\mathcal {B} \) then plays its game and interacts with \(\mathcal {A} \) as follows.

 

\(\mathsf {Setup} \).:

\(\mathcal {B} \) sets \(\mathsf {MPK} _{i^*,j^*}\) as the public key it receives from its \(\mathsf {1\text {-}ABE} \) game. For all ij such that \(i \ne i^*\) or \(j \ne j^*\), \(\mathcal {B} \) sets \((\mathsf {MPK} _{i, j}, \mathsf {MSK} _{i, j}) \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Setup} (1^\lambda )\).

Simulating the \(\mathsf {KeyGen} \) oracle.:

When \(\mathcal {A} \) makes a query to \(\mathsf {KeyGen} \) for predicate f, \(\mathcal {B} \) honestly runs \(\mathsf {q\text {-}ABE}.\mathsf {KeyGen} \), with two exceptions. First, if the value \(r_{j^*}\) randomly chosen within \(\mathsf {q\text {-}ABE}.\mathsf {KeyGen} \) returns the value \(i^*\), then \(\mathcal {B} \) queries f to its \(\mathsf {1\text {-}ABE} \) \(\mathsf {KeyGen} \) oracle and sets \(\mathsf {sk} _{i^*,j^*}\) to be the result. Second, if the event \(\mathsf {Bad} _{j^*}\) occurs, then \(\mathcal {B} \) aborts execution of \(\mathcal {A} \) and outputs a random guess in its game.

Simulating the \(\mathsf {Enc} _b\) oracle.:

\(\mathcal {B} \) responds to any encryption oracle query by \(\mathcal {A} \) of the form \(((m_0, m_1),\mathsf {ind})\) as follows. First, \(\mathcal {B} \) chooses \(z_j\) uniformly at random for all \(j \in [w], j \ne j^*\). Let \(z_{j^*, 0} = m_0 - \sum _{j \ne j^*} z_j\) and \(z_{j^*, 1} = m_1 - \sum _{j \ne j^*} z_j\). \(\mathcal {B} \) constructs the oracle response as follows:

–:

For \(j \ne j^*\), for all i let \(\mathsf {ct} _{i,j} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Enc} (\mathsf {EK} _{i,j}, z_{j}, \mathsf {ind})\).

–:

For \(i > i^*\), let \(\mathsf {ct} _{i, j^*} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Enc} (\mathsf {EK} _{i,j^*}, z_{j^*, 0}, \mathsf {ind})\).

–:

For \(i < i^*\), let \(\mathsf {ct} _{i, j^*} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Enc} (\mathsf {EK} _{i,j^*}, z_{j^*, 1}, \mathsf {ind})\).

–:

Query \(((z_{j^*, 0}, z_{j^*, 1}), \mathsf {ind})\) to the \(\mathsf {Enc} _b\) oracle of the \(\mathsf {1\text {-}ABE} \) game, and set \(\mathsf {ct} _{i^*, j^*}\) to be the result.

Output \(\mathsf {ct} = \{\mathsf {ct} _{i,j} \}_{i \in [\ell ], j \in [w]}\).

Guess.:

\(\mathcal {B} \) outputs the same guess as \(\mathcal {A} \).

 

We argue that since \(\mathcal {A} \) is a valid ABE adversary, \(\mathcal {B} \) is also a valid ABE adversary. Since \(\mathcal {A} \) is valid, for all \(((m_0, m_1), \mathsf {ind})\) queried to \(\mathsf {Enc} _b\) and f queried to \(\mathsf {KeyGen} \), we have that \(|m_0| = |m_1|\) and that if \(f(\mathsf {ind}) = 1\), then \(m_0 = m_1\). It follows that \(\mathcal {B} \) is a valid ABE adversary: all shares are generated to be the same length as the secret-shared message, so \(|z_{j^*, 0}| = |z_{j^*, 1}|\). The same f and \(\mathsf {ind}\) are passed through to \(\mathcal {B} \)’s game, so if \(f(\mathsf {ind}) = 1\) in \(\mathcal {B} \)’s queries, then \(f(\mathsf {ind}) = 1\) in \(\mathcal {A} \)’s queries and \(m_0 = m_1\), which means that the same shares are generated for the two messages, i.e., \(z_{j^*, 0} = z_{j^*, 1}\). Furthermore, by construction, \(\mathcal {B} \) queries its \(\mathsf {1\text {-}ABE} \) \(\mathsf {KeyGen} \) oracle at most once.

Next, we return to the assumption from the beginning of this proof: by construction of the \(\mathsf {KeyGen} \) oracle, the event \(\mathsf {Bad} \) cannot occur for \(\mathcal {A} \), i.e., there exists at least one column that is not bad. As a result, with probability at least 1 / w the event \(\mathsf {Bad} _{j^*}\) does not occur. Additionally, because the event \(\mathsf {Bad} _{j^*}\) is independent of the specific calls made to \(\mathsf {KeyGen} \), it is equally likely to occur in experiments \(\mathcal {H}_{i^*-1}^{j^*}\) and \(\mathcal {H}_{i^*}^{j^*}\).

If the event \(\mathsf {Bad} _{j^*}\) occurs, then \(\mathcal {B} \) has no distinguishing advantage in its game by construction. Conversely, if the event \(\mathsf {Bad} _{j^*}\) does not occur, then \(\mathcal {B} \)’s simulation of all oracles is faithful since \(\mathcal {B} \) does not abort. Furthermore, when \(b = 0\), \(\mathcal {B} \) perfectly simulates \(\mathcal {H}^{j^*}_{i^*-1}\), and when \(b=1\), \(\mathcal {B} \) perfectly simulates \(\mathcal {H}^{j^*}_{i^*}\). Putting everything together, we have

$$\begin{aligned} \text {Adv} _{\mathsf {1\text {-}ABE}, \mathcal {B}, 1}(\lambda ) \ge \frac{1}{w} \cdot |p_{i^*} - p_{i^*-1}| \ge \frac{1}{\ell w} \text {Adv} '_{\mathsf {q\text {-}ABE}, \mathcal {A}, q}(\lambda )\text {,} \end{aligned}$$

which, combined with inequality (1) and using the values of \(\ell \) and w from Lemma 1, completes the proof.

5 Improved BC-ABE Construction

We can improve the asymptotic parameters of the above construction by performing another level of secret-sharing of each \(z_j\). Instead of simply performing \(\ell \) independent \(\mathsf {1\text {-}ABE} \) encryptions, we can reshare the \(z_j\) values once more, and then encrypt those shares using the \(\mathsf {1\text {-}ABE} \) scheme. If this new resharing were a simple linear scheme it would be equivalent to the first construction; instead, we will arrange these shares in a multidimensional structure.

This multidimensional secret-sharing will be created to satisfy the following two properties. First, there exist small sets of shares that are able to reconstruct. Second, such sets of shares are rare, such that any party who only possesses the ability to obtain random shares will need to collect many shares to reconstruct.

When we use the multidimensional secret-sharing inside of our BC-ABE construction, the small sets of shares will correspond to the secret keys, yielding very short secret keys. Intuitively, security will be achieved by ensuring that the set of shares revealed when the adversary exceeds the collusion bound of the underlying \(\mathsf {1\text {-}ABE} \) schemes is effectively distributed randomly.

5.1 Multidimensional Secret-Sharing

In this section, we provide a multidimensional secret-sharing system. While we only use the scheme toward an improved BC-ABE construction, we codify it separately in this section because it may be of independent interest.

Definition 5

(Multidimensional secret-sharing). Given a message y, we construct a multidimensional secret sharing scheme \({\mathsf {MultiSS}} _{s,d}(y)\) that outputs \(s^d\) shares \(\sigma _{[1,1,...,1]}, \ldots , \sigma _{[s,s,...,s]}\) produced as follows.

  1. 1.

    Choose \(s \cdot d\) “intermediate” shares \(\rho _{1,1}, \ldots , \rho _{d,s}\) uniformly at random such that \(\sum _{h \in [d],i\in [s]}\rho _{h,i}=y\). That is, the \(\rho \)’s form a sd-of-sd secret sharing of y.

  2. 2.

    For each \(\mathbf {v} \in [s]^d\), form the share \(\sigma _{\mathbf {v}} = \sum _{i=1}^d \rho _{i, \mathbf {v} [i]}\).

We can visualize the sharing in terms of a d-dimensional hypercube of side length s, where the shares \(\sigma _{\mathbf {v}}\) are points whose coordinates are given by their subscript \(\mathbf {v} \). Each value \(\rho _{h,i}\) influences a \((d-1)\)-dimensional slice of the hypercube—namely, it is a summand in the computation of the \(\sigma \) values whose h-th coordinate equals i. See Fig. 2 for a graphical representation of a three-dimensional secret-sharing scheme (i.e., \(d = 3\)).

Fig. 2.
figure 2

Visualization of a three-dimensional secret-sharing scheme \({\mathsf {MultiSS}} _{s,3}(y)\). The input value y is additively secret-shared into 3s values \(\rho _{1,1}, \ldots , \rho _{3,s}\). Each intermediate value \(\rho \) contributes to a 2-dimensional planar face of the 3-dimensional cube in which one of the dimensions is fixed to a given value (as specified by the indices to \(\rho \)). Concretely, we construct each of the \(s^3\) shares as .

Full size image

We observe that a carefully-chosen set of s shares suffice to recover the original message y.

Definition 6

Let \(V = \{\mathbf {v} _1, \ldots , \mathbf {v} _{\left| V\right| }\}\) be a set containing vectors in \( [s]^d\). We call this set spanning if it has the property that for each dimension \(h \in [d]\), the list \((\mathbf {v} _1[h],\ldots ,\mathbf {v} _{\left| V\right| }[h])\) contains all elements in [s].

If \(\left| V\right| = s\), then we call this set minimally spanning. In this case, the list \((\mathbf {v} _1[h],\ldots ,\mathbf {v} _{\left| V\right| }[h])\) is a permutation of [s].

Lemma 2

(Correctness of \({\mathsf {MultiSS}} \) ). Let \(\{\sigma _{\mathbf {v}}\}_{\mathbf {v} \in [s]^d} \leftarrow {\mathsf {MultiSS}} _{s,d}(y)\) be a multidimensional secret-sharing of y, and let V be any minimally spanning set. Then, the message y may be recovered from the s shares \(\{\sigma _{\mathbf {v}}\}_{\mathbf {v} \in V}\).

Proof

The sum \(\sum _{\mathbf {v} \in V}\sigma _{\mathbf {v}}\) includes each \(\rho _{h,i}\) term exactly once, so it sums to y.

Security provided by a multidimensional secret-sharing of y is captured in the following lemma.

Lemma 3

(Security of \({\mathsf {MultiSS}} \) ). Let \(\{\sigma _{\mathbf {v}}\}_{\mathbf {v} \in [s]^d} \leftarrow {\mathsf {MultiSS}} _{s,d}(y)\) be a multidimensional secret-sharing of y, and let \(V^* \subseteq [s]^d\) be any set of vectors that is not spanning. Then, the set of shares \(\{\sigma _{\mathbf {v} ^*} : \mathbf {v} ^* \in V^*\}\) information-theoretically reveals no information about y.

Proof

Because \(\mathbf {v} ^*\) is not spanning, there exist a dimension \(h \in [d]\) and value \(i \in [s]\) such that \(\mathbf {v} ^*[h] \ne i\) for all vectors \(\mathbf {v} ^* \in V^*\). Thus, none of the shares \(\{\sigma _{\mathbf {v} ^*} : \mathbf {v} ^* \in V^*\}\) depend on the “intermediate” share \(\rho _{h,i}\), implying that \(\{\sigma _{\mathbf {v} ^*}\}\) reveals no information about y.

5.2 Construction

This construction uses similar ideas to the basic construction, with the addition of multidimensional secret-sharing. Essentially,

  • The message m is additively secret-shared into \(m = \sum _j z_j\), as before.

  • Each of the shares \(z_j\) is multidimensionally secret-shared to form a series of \(s^d\) shares denoted by \(\sigma _{\mathbf {v}}^j\) for \(\mathbf {v} \in [s]^d\).

  • Each \(\sigma _{\mathbf {v}}^j\) share is encrypted using a 1-query ABE scheme in a black-box manner, producing a total of \(s^d w\) resulting \(\mathsf {1\text {-}ABE} \) ciphertexts.

Users are given a set of keys that enable them to recover a specifically-crafted subset of the shares. If the predicate is satisfied by the index, that subset will be sufficient to reconstruct the original value at each stage of the sharing, ultimately recovering the message. On the other hand, the multidimensional sharing step ensures that a random subset of the shares will likely need to be very large in order to recover the message. We thus gain additional collusion resistance, since the locations where collisions occur are effectively random.

Formally, let \(\mathsf {1\text {-}ABE} \) be a 1-query ABE scheme whose message space \(\mathcal {M}\) is a finite group represented additively; we again require that \(\mathcal {M}\) have the property that the set of elements of each length form a finite group. Our improved q-query secure CP-ABE scheme \(\mathsf {q\text {-}ABE}^* \) is defined below; it uses \(s^d w\) independent instances of the \(\mathsf {1\text {-}ABE} \) scheme, where \(s(\lambda )\), \(d(\lambda )\), and \(w(\lambda )\) are parameters that are specified later in Sect. 5.3.

 

\(\mathsf {Setup} (1^\lambda , q)\)::

For \(\mathbf {v} \in [s]^d\) and \(j \in [w]\), let \((\mathsf {MPK} _{\mathbf {v}}^{j}, \mathsf {MSK} _{\mathbf {v}}^{j}) \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Setup} (1^\lambda )\). Output \(\mathsf {MPK} = \{\mathsf {MPK} _{\mathbf {v}}^{j}\}_{\mathbf {v} \in [s]^d, j \in [w]}\) and \(\mathsf {MSK} = \{\mathsf {MSK} _{\mathbf {v}}^{j}\}_{\mathbf {v} \in [s]^d, j \in [w]}\).

\(\mathsf {KeyGen} (\mathsf {MSK}, f \in \mathcal {F})\)::

For each \(j \in [w]\), choose a set of d permutations of [s] uniformly at random. Transpose them to produce a minimally spanning set of s vectors \(V^j\). Sample a \(\mathsf {1\text {-}ABE} \) key \(\mathsf {sk} _{\mathbf {v}}^{j} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {KeyGen} (\mathsf {MSK} _{\mathbf {v}}^{j},f)\) for each \(j \in [w]\) and \(\mathbf {v} \in V^j\). Finally, output \(\mathsf {sk} _f = \{V^j, \{\mathsf {sk} _{\mathbf {v}}^{j}\}_{\mathbf {v} \in V^j}\}_{j \in [w]}\).

\(\mathsf {Enc} (\mathsf {EK}, m \in \mathcal {M}, \mathsf {ind} \in \mathcal {I})\)::

Perform the following steps:

1.:

Perform a w-of-w additive secret-sharing of \(m \) to get shares \(z_1, \ldots , z_{w}\) such that \(\sum _{j \in [w]} z_j = m \).

2.:

Multidimensionally secret-share each \(z_j\) with d dimensions and s values in each dimension to create \(s^d\) shares \(\{\sigma _{\mathbf {v}}^{j}\}_{\mathbf {v} \in [s]^d} \leftarrow {\mathsf {MultiSS}} _{s,d}(z_j)\).

3.:

For each \(\mathbf {v} \in [s]^d\), \(j \in [w]\), set \(\mathsf {ct} _{\mathbf {v}}^{j} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Enc} (\mathsf {EK} _{\mathbf {v}}^{j},\sigma _{\mathbf {v}}^{j},\mathsf {ind})\).

4.:

Output \(\mathsf {ct} =\{\mathsf {ct} _{\mathbf {v}}^{j}\}_{\mathbf {v} \in [s]^d, j \in [w]}\).

\(\mathsf {Dec} (\mathsf {sk} _f, \mathsf {ct})\)::

Perform the following steps:

1.:

Parse \(\mathsf {sk} _f\) as \(\{V^j, \{\mathsf {sk} _{\mathbf {v}}^{j}\}_{\mathbf {v} \in V^j}\}_{j \in [w]}\) and parse \(\mathsf {ct} \) as \(\{\mathsf {ct} _{\mathbf {v}}^{j}\}_{\mathbf {v} \in [s]^d, j \in [w]}\).

2.:

For each \(j \in [w]\) and each \(\mathbf {v} \in V^j\), let \(\sigma _{\mathbf {v}}^{j} \leftarrow \mathsf {1\text {-}ABE}.\mathsf {Dec} (\mathsf {sk} _{\mathbf {v}}^{j}, \mathsf {ct} _{\mathbf {v}}^{j})\).

3.:

Output \(m = \sum _{j \in [w], \mathbf {v} \in V^j}\sigma _{\mathbf {v}}^{j}\).

 

Correctness. Suppose that a user receives a ciphertext \(\mathsf {ct} = \mathsf {Enc} (\mathsf {EK}, m, \mathsf {ind})\) and she possesses a secret key \(\mathsf {sk} \leftarrow \mathsf {KeyGen} (\mathsf {MSK}, f)\) for a predicate f such that \(f(\mathsf {ind}) = 1\). By the correctness of the underlying \(\mathsf {1\text {-}ABE} \) scheme, each \(\mathsf {1\text {-}ABE}.\mathsf {Dec} \) in step 2 of \(\mathsf {q\text {-}ABE}^*.\mathsf {Dec} \) successfully returns \(\sigma _{\mathbf {v}}^{j}\). For each \(j \in [w]\), we may reconstruct \(z_j = \sum _{\mathbf {v} \in V^j} \sigma _{\mathbf {v}}\) since \(\mathsf {KeyGen} \) produces a minimally spanning set \(V^j\) (cf. Lemma 2), and the sum of all \(z_j\)’s equals the original message \(m \) due to the w-of-w additive secret sharing.

5.3 Setting the Parameters

The combinatorial lemma in this section provides a good setting of the parameters s, d, and w. Recall that each key query yields \(\mathsf {1\text {-}ABE} \) keys for a minimally spanning set of vectors in each coordinate \(j \in [w]\). Intuitively, we must choose s and d to be large enough that there are several minimally spanning sets, so that \(\mathsf {KeyGen} \) rarely chooses the same vector twice. Specifically, the set of replicated vectors across q key queries must not be spanning.

Formally, fix some index \(j \in [w]\) and consider \(\mathcal {A} \)’s ability to learn the \(j^\text {th}\) secret share \(z_j = \sum _{h \in [d], i \in [s]} \rho ^j_{h,i}\). The adversary \(\mathcal {A} \) makes up to q queries, each of which returns s keys \(\mathsf {sk} _{\mathbf {v}}^{j}\) for vectors \(\mathbf {v} \) in a randomly-chosen minimally spanning set \(V^j\) (independent of the index queried). If \(\mathcal {A} \) ever receives two keys for the same \(\mathbf {v} \), then we no longer have any security against \(\sigma _{\mathbf {v}}\), and therefore we assume the worst-case outcome that all of the shares \(\rho ^j_{h,i}\) with \(\mathbf {v} [h] = i\) have been compromised. Let \(\bar{V}^j\) denote the set of all vectors that are returned in two or more key queries.

Let \(\mathsf {Good}^j\) denote the event that there exists some \(\rho ^j_{h,i}\) that remains uncompromised after \(\mathcal {A} \)’s queries. Observe that this is precisely the event that \(\bar{V}^j\) is not spanning! In this case, the additive secret sharing protects \(z_j\) and thus \(m \) as well. Finally, let \(\mathsf {Good}\) denote the event that there exists some \(j \in [w]\) for which \(\mathsf {Good}^j\) holds.

Lemma 4

Let s be any constant, and instantiate the \(\mathsf {q\text {-}ABE}^* \) scheme with \(d = \lceil 2 \log _s{q} + 1 \rceil \) and \(w = \lceil \frac{\lambda }{d \cdot s} \rceil \). For any adversary \(\mathcal {A} \) who makes at most q \(\mathsf {KeyGen} \) queries, the event \(\mathsf {Good} \) holds with overwhelming probability in \(\lambda \).

Proof

First, consider a fixed \(h \in [d]\), \(i \in [s]\), and \(j \in [w]\). We consider \(\mathcal {A} \)’s ability to learn \(\rho ^j_{h,i}\). By construction, each of \(\mathcal {A} \)’s key queries yields exactly one \(\mathsf {1\text {-}ABE} \) key \(\mathsf {sk} _{\mathbf {v}}^{j}\) where \(\mathbf {v} \) is randomly chosen subject to the constraint that \(\mathbf {v} [h]=i\). The probability that all of these vectors \(\mathbf {v} \) are distinct (and thus \(\rho ^j_{h,i}\) is uncompromised) is therefore

$$ 1 \times \left( 1-\frac{1}{s^{d-1}}\right) \times \left( 1 - \frac{2}{s^{d-1}}\right) \times \cdots \times \left( 1 - \frac{q-1}{s^{d-1}}\right) \ge \left( 1 - \frac{q-1}{s^{d-1}}\right) ^{q}\text {.} $$

This probability holds independently for all \(h \in [d]\), \(i \in [s]\), and \(j \in [w]\). Hence, Pr[Good] \(\ge 1 - [1 - (1 - \frac{q-1}{s^{d-1}})^{q}]^{sdw}\).

Next, if we instantiate s, d, and w with the values provided in the lemma, we find that \(1 -\) Pr[Good] is negligible:

We list below the key and ciphertext lengths produced by our construction, when instantiated with the parameters specified in Lemma 4.

  • The \(\mathsf {MPK} \) and \(\mathsf {MSK} \) consist of \(s^d \cdot w = O(\frac{q^2 \lambda }{\log q})\) \(\mathsf {1\text {-}ABE}\) public keys.

  • A secret key consists of \(s \cdot w = O(\frac{\lambda }{\log q})\) \(\mathsf {1\text {-}ABE} \) keys.

  • A single ciphertext consists of \(s^d\cdot w=O(\frac{q^2\lambda }{\log {q}})\) \(\mathsf {1\text {-}ABE} \) ciphertexts.

5.4 Security

We now prove that the \(\mathsf {q\text {-}ABE}^* \) scheme defined above is q-query secure if the underlying \(\mathsf {1\text {-}ABE} \) scheme is 1-query secure.

Theorem 1

(Formal). Let \(\mathsf {1\text {-}ABE} \) be any public-key (respectively, symmetric-key) ABE scheme that is 1-query secure. For any valid ppt adversary \(\mathcal {A} \) for the resulting public-key (resp., symmetric-key) \(\mathsf {q\text {-}ABE}^* \) construction instantiated with the parameters given in Lemma 4, there exists a valid ppt adversary \(\mathcal {B} \) for \(\mathsf {1\text {-}ABE} \) making at most 1 key query, with advantage \(\text {Adv} _{\mathsf {1\text {-}ABE},\mathcal {B},1}(\lambda ) \ge \frac{1}{q^2 \lambda } \text {Adv} _{\mathsf {q\text {-}ABE}^*,\mathcal {A},q}(\lambda ) - \mathsf {negl}(\lambda )\).

Proof

(sketch). Here, we provide a high-level description of the reduction to the security of \(\mathsf {1\text {-}ABE} \). The details mostly follow the same pattern as the proof of Theorem 2, so here we highlight the differences. Lemma 4 provides the reasoning up to failure argument analogous to that of Lemma 1.

Recall that in the proof of Theorem 2 we change a valid encryption of \(m _0\) into a valid encryption of \(m _1\) by changing one of the additive shares (\(z_j\) values) of the final message. Since this value is encrypted using the underlying \(\mathsf {1\text {-}ABE} \) scheme \(\ell \) times, we perform this change via a sequence of hybrids. Our reduction decreases the advantage of the \(\mathsf {1\text {-}ABE} \) adversary by a factor of \(\ell \) due to the selection of a hybrid step and a factor of w due to the selection of a secret share \(z_{j^*}\) to target.

In the \(\mathsf {q\text {-}ABE}^* \) construction, note that the message is effectively additively shared among sdw different values \(\rho ^j_{h,i}\). We can thus change an encryption of \(m _0\) into an encryption of \(m _1\) by changing a single one of the \(\rho ^j_{h,i}\) values. In this case, this value is a summand in \(s^{d-1}\) of the \(\sigma \) values that are encrypted using the underlying \(\mathsf {1\text {-}ABE} \) scheme (specifically, \(\sigma _{\mathbf {v}}^j\) where \(\mathbf {v} [h] = i\)).

We thus require a hybrid step to change each of these encryptions to an encryption of a new value reflecting the changed \(\rho ^j_{h,i}\); the proof is otherwise the same. The advantage of the \(\mathsf {1\text {-}ABE} \) adversary decreases by a factor of \(s^{d-1}\) due to the selection of a hybrid step and a factor of sdw due to the selection of \(\rho ^j_{h,i}\); we omit the details. Thus, \(\text {Adv} _{\mathsf {1\text {-}ABE},\mathcal {B},1}(\lambda ) \ge \frac{1}{s^d d w} \text {Adv} ^{*}_{\mathsf {q\text {-}ABE}^*,\mathcal {A},q}(\lambda ) - \mathsf {negl}(\lambda )\), and instantiating this formula with the parameters from Lemma 4 completes the proof.

6 Instantiating 1-ABE

Thus far, we have presented two schemes for transforming any 1-ABE scheme into a q-ABE scheme. To obtain a construction of bounded-collusion ABE from CPA-secure encryption, we need to instantiate 1-ABE from CPA-secure encryption. To do so, we can use the construction of Gorbunov et al. [15] and Sahai-Seyalioglu [25] for 1-query-secure functional encryption, restricting its functionality to that of attribute-based encryption.

In this section, we briefly sketch the resulting 1-ABE scheme. We assume that it has predicates describable using \(n\) bits, that is \(\mathcal {F} \subseteq \{0,1\}^n\). Note that the 1-FE from Gorbunov et al. [15] and Sahai-Seyalioglu [25] uses randomized encodings [3, 20], which can be instantiated using garbled circuits. For simplicity, we will use the language of garbled circuits in this section. Given a CPA-secure encryption scheme \(\varSigma \), the 1-ABE scheme operates as follows.

 

\(\mathsf {Setup} (1^\lambda )\)::

Generate \(2 n\) key pairs for the public-key encryption scheme \(\varSigma \) to get \((\mathsf {pk} _{i, 0}, \mathsf {sk} _{i, 0})\) and \((\mathsf {pk} _{i,1}, \mathsf {sk} _{i,1})\) for \(i \in [n]\). Output \(\mathsf {MPK} \leftarrow \{\mathsf {pk} _{i,b}\}_{i \in [n], b \in \{0,1\}}\) and \(\mathsf {MSK} \leftarrow \{\mathsf {sk} _{i,b}\}_{i \in [n], b \in \{0,1\}}\)

\(\mathsf {KeyGen} (\mathsf {MSK}, f)\)::

Let f[i] denote the i-th bit of f for \(i \in [n]\). Output \(\mathsf {sk} _f \leftarrow \{\mathsf {sk} _{i, f[i]}\}_{i \in [n]}\).

\(\mathsf {Enc} (\mathsf {MPK}, M, \mathsf {ind})\)::

Let \(U_{M,\mathsf {ind}}(f)\) be a universal circuit that takes a predicate \(f\in \{0,1\}^n\) and outputs M if \(f(\mathsf {ind}) = 1\) and 0 otherwise. Build a garbled circuit for \(U_{M,\mathsf {ind}}\). Encrypt the two labels for each wire corresponding to the predicate f: for the i-th bit of f, encrypt the 0-label under \(\mathsf {pk} _{i, 0}\) and the 1-label under \(\mathsf {pk} _{i, 1}\). Output the garbled circuit and the encrypted wire labels.

\(\mathsf {Dec} (\mathsf {sk} _f, \mathsf {ct})\)::

Use \(\mathsf {sk} _f\) to decrypt the wire labels corresponding to f. Evaluate the garbled circuit and output the result.

 

As Sahai and Seyalioglu [25] show, the above scheme achieves selective security for one query. Gorbunov et al. [15] show how to modify this scheme to achieve adaptive security by using a variant of non-committing encryption [8]. This increases the number of underlying PKE components of the public parameters, keys, and the label encryptions by a factor of \(O(\lambda )\) due to having to encrypt \(\lambda \)-bit long messages.

Thus, for a predicate description of size n and using a universal circuit U, the 1-ABE scheme has the following parameters:

  • The public parameters consist of \(O(n\lambda )\) PKE public keys.

  • Secret keys consist of \(O(n\lambda )\) PKE secret keys.

  • Ciphertexts consist of \(O(|U| \lambda )\) bits for the garbled gates and \(O(n\lambda )\) PKE ciphertexts for the encrypted wire labels.

Putting this construction together with the parameters of our improved transformation from any 1-ABE scheme to a q-ABE scheme, we arrive at the following result that crystallizes Corollary 1.

Corollary 2

If public-key (respectively, symmetric-key) CPA-secure encryption exists, then there exists a public-key (resp., symmetric-key) q-query secure ABE scheme for predicates that are expressible using \(n\) bits and can be evaluated by a universal circuit U with the following characteristics: public parameters (resp., \(\mathsf {MSK} \)) consisting of \(O(\frac{q^2}{\log {q}} n\lambda ^2)\) PKE public keys (resp., secret keys), secret keys consisting of \(O(\frac{n}{\log {q}} \lambda ^2)\) PKE secret keys, and ciphertexts consisting of \(O(\frac{q^2}{\log {q}} |U| \lambda ^2)\) bits plus \(O(\frac{q^2}{\log {q}} n\lambda ^2)\) PKE ciphertexts.