Dual System Encryption Framework in Prime-Order Groups via Computational Pair Encodings

We propose a new generic framework for achieving fully secure attribute based encryption (ABE) in prime-order bilinear groups. It is generic in the sense that it can be applied to ABE for arbitrary predicate. All previously available frameworks that are generic in this sense are given only in composite-order bilinear groups, of which operations are known to be much less efficient than in prime-order ones for the same security level. These consist of the frameworks by Wee (TCC’14) and Attrapadung (Eurocrypt’14). Both provide abstractions of dual-system encryption techniques introduced by Waters (Crypto’09). Our framework can be considered as a prime-order version of Attrapadung’s framework and works in a similar manner: it relies on a main component called pair encodings, and it generically compiles any secure pair encoding scheme for a predicate in consideration to a fully secure ABE scheme for that predicate. One feature of our new compiler is that although the resulting ABE schemes will be newly defined in prime-order groups, we require essentially the same security notions of pair encodings as before. Beside the security of pair encodings, our framework assumes only the Matrix Diffie-Hellman assumption (Escala et al., Crypto’13), which is a weak assumption that includes the Decisional Linear assumption as a special case. As for its applications, we can plug in available pair encoding schemes and automatically obtain the first fully secure ABE realizations in prime-order groups for predicates of which only fully secure schemes in composite-order groups were known. These include ABE for regular languages, ABE for monotone span programs (and hence Boolean formulae) with short ciphertexts or keys, and completely unbounded ABE for monotone span programs. As a side result, we establish the first generic implication from ABE for monotone span programs to ABE for branching programs. This implies fully-secure ABE for branching programs in some new variants, namely, unbounded, short-ciphertext, and short-key. Previous schemes are bounded and require linear-size ciphertexts and keys.

[1]  Tatsuaki Okamoto,et al.  Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption , 2010, IACR Cryptol. ePrint Arch..

[2]  Hoeteck Wee,et al.  Déjà Q: Encore! Un Petit IBE , 2016, TCC.

[3]  Yuval Ishai,et al.  Partial Garbling Schemes and Their Applications , 2014, ICALP.

[4]  Nuttapong Attrapadung,et al.  Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts , 2011, Public Key Cryptography.

[5]  Allison Bishop,et al.  A Profitable Sub-prime Loan: Obtaining the Advantages of Composite Order in Prime-Order Bilinear Groups , 2015, Public Key Cryptography.

[6]  Hovav Shacham,et al.  Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures , 2010, ASIACRYPT.

[7]  Brent Waters,et al.  Attribute-based encryption for fine-grained access control of encrypted data , 2006, CCS '06.

[8]  Melissa Chase,et al.  Deja Q: Using Dual Systems to Revisit q-Type Assumptions , 2014, IACR Cryptol. ePrint Arch..

[9]  Avi Wigderson,et al.  On span programs , 1993, [1993] Proceedings of the Eigth Annual Structure in Complexity Theory Conference.

[10]  Craig Gentry,et al.  Candidate Multilinear Maps from Ideal Lattices , 2013, EUROCRYPT.

[11]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[12]  Jean-Sébastien Coron,et al.  Practical Multilinear Maps over the Integers , 2013, CRYPTO.

[13]  Vinod Vaikuntanathan,et al.  How to Delegate and Verify in Public: Verifiable Computation from Attribute-based Encryption , 2012, IACR Cryptol. ePrint Arch..

[14]  Dan Boneh,et al.  Evaluating 2-DNF Formulas on Ciphertexts , 2005, TCC.

[15]  Hoeteck Wee,et al.  Semi-adaptive Attribute-Based Encryption and Improved Delegation for Boolean Formula , 2014, SCN.

[16]  Hoeteck Wee,et al.  Fully, (Almost) Tightly Secure IBE and Dual System Groups , 2013, CRYPTO.

[17]  Nuttapong Attrapadung,et al.  Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings , 2015, CT-RSA.

[18]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[19]  Allison Bishop,et al.  Bilinear Entropy Expansion from the Decisional Linear Assumption , 2015, CRYPTO.

[20]  Goichiro Hanaoka,et al.  Conversions Among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs , 2015, International Conference on the Theory and Application of Cryptology and Information Security.

[21]  Goichiro Hanaoka,et al.  Attribute-Based Encryption for Range Attributes , 2016, SCN.

[22]  Jung Hee Cheon,et al.  Beyond the Limitation of Prime-Order Bilinear Groups, and Round Optimal Blind Signatures , 2012, TCC.

[23]  Allison Bishop,et al.  Witness Encryption from Instance Independent Assumptions , 2014, IACR Cryptol. ePrint Arch..

[24]  Hoeteck Wee,et al.  Fully, (Almost) Tightly Secure IBE from Standard Assumptions , 2013, IACR Cryptol. ePrint Arch..

[25]  Brent Waters,et al.  Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions , 2009, IACR Cryptol. ePrint Arch..

[26]  Dan Boneh,et al.  Generalized Identity Based and Broadcast Encryption Schemes , 2008, ASIACRYPT.

[27]  Nuttapong Attrapadung,et al.  Functional Encryption for Inner Product: Achieving Constant-Size Ciphertexts with Adaptive Security or Support for Negation , 2010, Public Key Cryptography.

[28]  Melissa Chase,et al.  A Study of Pair Encodings: Predicate Encryption in Prime Order Groups , 2016, TCC.

[29]  Jonathan Katz,et al.  Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products , 2008, Journal of Cryptology.

[30]  Brent Waters,et al.  Ciphertext-Policy Attribute-Based Encryption , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[31]  Aurore Guillevic,et al.  Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves , 2013, ACNS.

[32]  Jens Groth,et al.  Converting Cryptographic Schemes from Symmetric to Asymmetric Bilinear Groups , 2014, CRYPTO.

[33]  Allison Bishop,et al.  Unbounded HIBE and Attribute-Based Encryption , 2011, IACR Cryptol. ePrint Arch..

[34]  Brent Waters,et al.  Witness encryption and its applications , 2013, STOC '13.

[35]  Dennis Hofheinz,et al.  Polynomial Spaces: A New Framework for Composite-to-Prime-Order Transformations , 2014, IACR Cryptol. ePrint Arch..

[36]  Allison Bishop,et al.  Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption , 2010, EUROCRYPT.

[37]  Yael Tauman Kalai,et al.  How to Run Turing Machines on Encrypted Data , 2013, CRYPTO.

[38]  Brent Waters,et al.  Functional Encryption for Regular Languages , 2012, CRYPTO.

[39]  Nuttapong Attrapadung,et al.  Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More , 2014, IACR Cryptol. ePrint Arch..

[40]  Hideki Imai,et al.  Dual-Policy Attribute Based Encryption , 2009, ACNS.

[41]  Tatsuaki Okamoto,et al.  Hierarchical Predicate Encryption for Inner-Products , 2009, ASIACRYPT.

[42]  Tsutomu Matsumoto,et al.  Attribute Based Encryption with Direct Efficiency Tradeoff , 2016, ACNS.

[43]  Brent Waters,et al.  Practical constructions and new proof methods for large universe attribute-based encryption , 2013, CCS.

[44]  Tatsuaki Okamoto,et al.  Fully Secure Unbounded Inner-Product and Attribute-Based Encryption , 2012, ASIACRYPT.

[45]  Brent Waters,et al.  Attribute-Based Encryption for Circuits from Multilinear Maps , 2012, CRYPTO.

[46]  Jean-Sébastien Coron,et al.  New Multilinear Maps Over the Integers , 2015, CRYPTO.

[47]  Brent Waters,et al.  Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization , 2011, Public Key Cryptography.

[48]  Michael Hamburg,et al.  Spatial Encryption , 2011, IACR Cryptol. ePrint Arch..

[49]  Nuttapong Attrapadung,et al.  Fully Secure and Succinct Attribute Based Encryption for Circuits from Multi-linear Maps , 2014, IACR Cryptol. ePrint Arch..

[50]  A. Lewko,et al.  Fully Secure HIBE with Short Ciphertexts , 2009 .

[51]  Allison Bishop,et al.  Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting , 2012, EUROCRYPT.

[52]  Craig Gentry,et al.  Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits , 2014, EUROCRYPT.

[53]  Brent Waters,et al.  Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits , 2013, 2013 IEEE 54th Annual Symposium on Foundations of Computer Science.

[54]  Brent Waters,et al.  Functional Encryption: Definitions and Challenges , 2011, TCC.

[55]  Craig Gentry,et al.  Fully Secure Attribute Based Encryption from Multilinear Maps , 2014, IACR Cryptol. ePrint Arch..

[56]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[57]  Hoeteck Wee,et al.  Dual System Encryption via Predicate Encodings , 2014, TCC.

[58]  Yael Tauman Kalai,et al.  Reusable garbled circuits and succinct functional encryption , 2013, STOC '13.

[59]  David Mandell Freeman,et al.  Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups , 2010, EUROCRYPT.

[60]  Hoeteck Wee,et al.  Improved Dual System ABE in Prime-Order Groups via Predicate Encodings , 2015, EUROCRYPT.

[61]  Vinod Vaikuntanathan,et al.  Attribute-based encryption for circuits , 2013, STOC '13.

[62]  Allison Bishop,et al.  New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques , 2012, CRYPTO.

[63]  Dhinakaran Vinayagamurthy,et al.  Riding on Asymmetry: Efficient ABE for Branching Programs , 2015, ASIACRYPT.

[64]  Rafail Ostrovsky,et al.  Attribute-based encryption with non-monotonic access structures , 2007, CCS '07.

[65]  Katsuyuki Takashima,et al.  Expressive Attribute-Based Encryption with Constant-Size Ciphertexts from the Decisional Linear Assumption , 2020, SCN.