Attribute-Based Encryption for Finite Automata from LWE

Abstract

We propose a construction of Attribute-Based Encryption for deterministic finite automata with bounded input length from lattices. The security of our construction can be reduced to the hardness of learning with errors (LWE) problem in the selective security model.

The main technique in our scheme is a novel way to securely encode the deterministic finite automata and the input string as a “matrix ribbon” that closely mimics the structure of the tape and supports simple operations that rely only on traditional preimage sampling on lattices.

Our result is the first direct construction of key-policy attribute-based encryption for deterministic finite automata. Comparing with the existing indirect constructions from lattices, our scheme is conceptually simpler and also more efficient.

Q. Li—Research conducted with generous support from the Australian Research Council under Discovery Project grant ARC DP-140103885.

A Parameters and Correctness of Construction

By applying the decryption algorithm, we have \(\mathrm {\Delta } = \textsf {Msg}\cdot \lfloor q/2\rfloor + \nu _0- \mathbf \nu _1^{\top }\cdot \mathbf d\). Let \(\textsf {Error} = \nu _0- \mathbf \nu _1^{\top }\cdot \mathbf d \). In order to correctly recover the message, we must ensure that the noise term \(|\textsf {Error}| < q/4\). The following lemma states this fact.

Lemma 5

Suppose the parameters \(\alpha \) and q are set as:

$$\begin{aligned}\alpha \le \left( \omega (\sqrt{\log m}) \sigma ^{\eta +2} m^{(\eta +2)/2} \right) ^{-1},\quad q = \varOmega \left( \sigma ^{\eta +2} m^{(\eta +3)/2} \right) ,\end{aligned}$$

the quantity \(|\textsf {Error}|\) is bounded by q / 4 with overwhelming probability.

Proof

Notice that all the transition matrices used to construct the decryption vector \(\mathbf d\) have discrete Gaussian distribution in \(\mathbb {Z}^{2m\times m}\) with parameter \(\sigma \). The norm of those are all bounded by \(\sigma \sqrt{m}\) according to the fact 1 of Lemma 1. Likewise, since the vector \(\mathbf d_{s_x}\sim \mathcal D_{\mathrm {\Lambda }_q^{\mathbf u}( \mathbf A_{s_x}^{(0)} ),\sigma }\), by the fact 1 of Lemma 1, we also have \(\Vert \mathbf d_{s_x} \Vert \le \beta = \sigma \sqrt{m}.\)

Therefore, by using Lemma 4,

$$\begin{aligned} |\textsf {Error}|= & {} |\nu _0- \mathbf \nu _1^{\top }\cdot \mathbf d| \le |\nu _0|+ |\mathbf \nu _1^{\top }\cdot \mathbf d|\\\le & {} \left( |\nu _0| \le q\alpha \omega (\sqrt{\log m})+ 1/2 \right) + \left( \Vert \mathbf d\Vert q\alpha \omega (\sqrt{\log m})+ \Vert \mathbf d\Vert \sqrt{m}/2 \right) \end{aligned}$$

It now suffices to bound \(\mathbf d\). We have \(\Vert \mathbf d\Vert ^2 \le \sum _{i=1}^{\ell +1} (\beta ^i)^2 \cdot \Vert \mathbf d_{s_x}\Vert ^2 \le (\eta +~1)(\sigma ^2 m)^{\eta +2}\). Thus \(\Vert \mathbf d\Vert \le \sqrt{(\eta +1)} \sigma ^{\eta +2} m^{(\eta +2)/2} \le O(\sigma ^{\eta +2} m^{(\eta +2)/2})\).

Summing up, we have

$$\begin{aligned} |\textsf {Error}|\le & {} \left( q\alpha \omega (\sqrt{\log m})+ 1/2 \right) \\&+\, \left( q\alpha \omega (\sqrt{\log m})+ \sqrt{m}/2 \right) \sqrt{(\eta +1)} \sigma ^{\eta +2} m^{(\eta +2)/2}\\\le & {} q\alpha \omega (\sqrt{\log m}) O(\sigma ^{\eta +2} m^{(\eta +2)/2}) + O(\sigma ^{\eta +2} m^{(\eta +3)/2}) \end{aligned}$$

To make \(|\textsf {Error}| < q/4\), it is sufficient to set \(\alpha \le \left( \omega (\sqrt{\log m}) \sigma ^{\eta +2} m^{(\eta +2)/2} \right) ^{-1}\) and \(q = \varOmega \left( \sigma ^{\eta +2} m^{(\eta +3)/2} \right) \).    \(\square \)

To set the remaining parameters, we need to ensure the conditions:

1. 1.

   we be able to run the algorithm \(\textsf {TrapGen}\) (i.e. \(m > 6n\log q\));

2. 2.

   the Gaussian parameter \(\sigma \) be large enough for \(\textsf {SamplePre}\) and \(\textsf {SampleLeft}\) (i.e. \(\sigma > \Vert \tilde{\mathbf B} \Vert \cdot \omega (\sqrt{\log m})\) where \(\mathbf B\) is a basis output by \(\textsf {TrapGen}\));

3. 3.

   the LWE average-case to worst-case reduction apply (i.e. \(q > 2\sqrt{n}/\alpha \)).

One consistent selection is to set the parameters as follows:

• The maximum length of input: \(\eta =O(\lambda )\)

• The lattice dimensions: \(m = 6n^{1+\delta }\), where \(n^{\delta } > \lceil \log q \rceil \)

• The Gaussian parameter \(\sigma = m \cdot \omega (\sqrt{\log n})\)

• The prime modulus \(q= m^{(3\eta +5)/2} \cdot \omega (\sqrt{\log n})\)

• The LWE parameter \(\alpha = \left( m^{3(\eta +2)/2} \cdot \omega (\sqrt{\log n}) \right) ^{-1}\)