Fully Secure Hidden Vector Encryption

Predicate encryption is an important cryptographic primitive (see [3,5,9,11]) that enables fine-grained control over decryption keys. Roughly speaking, in a predicate encryption scheme the owner of the master secret key $\mathsf{Msk}$ can derive a secret key $\mathsf{Sk}_P$ for any predicate $P$ from a specified class of predicates $\mathbb{P}$. When encrypting a message $M$, the sender can specify an attribute vector $\vec{x}$, and the resulting ciphertext $\tilde{X}$ can be decrypted only by using keys $\mathsf{Sk}_P$ such that $P(\vec{x})=1$. Security is modeled by means of a game between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$ that sees the public key, is allowed to ask for keys of predicates $P$ of his choice, and gives two challenge vectors $\vec{x}_0$ and $\vec{x}_1$. $\mathcal{A}$ then receives a challenge ciphertext (an encryption of a randomly chosen challenge vector) and has to guess which of the two challenge vectors has been encrypted. The adversary $\mathcal{A}$ is allowed to ask queries even after seeing the challenge ciphertext. In the unrestricted queries model, the adversary $\mathcal{A}$ is required to ask only for keys of predicates $P$ that do not discriminate between the two challenge vectors; that is, for which $P(\vec{x}_0)=P(\vec{x}_1)$. It can be readily seen that this condition is necessary. In this paper, we consider hidden vector encryption (HVE for short), a notable case of predicate encryption introduced by Boneh and Waters [5] and further developed in [16,10,15]. In an HVE scheme, the ciphertext attributes are vectors $\vec{x}=\langle x_1,\ldots,x_\ell\rangle$ of length $\ell$ over an alphabet $\Sigma$, keys are associated with vectors $\vec{y}=\langle y_1,\ldots,y_\ell\rangle$ of length $\ell$ over the alphabet $\Sigma\cup\{\star\}$, and we consider the $\mathsf{Match}(\vec{x},\vec{y})$ predicate, which is true if and only if, for all $i$, $y_i\neq\star$ implies $x_i=y_i$.
In [5], it is shown that HVE implies predicate encryption schemes for conjunctions, comparison, range queries and subset queries. We also describe constructions of secure predicate encryption for Boolean predicates that can be expressed as $k$-CNF and $k$-DNF (for any constant $k$) over binary variables. Our main contribution is a very simple, in terms of both construction and security proof, implementation of the HVE primitive that can be proved fully secure against probabilistic polynomial-time adversaries in the unrestricted queries model under non-interactive, constant-sized (that is, independent of $\ell$) hardness assumptions on bilinear groups of composite order. Our proof employs the dual system methodology of Waters [18], which gave one of the first fully secure constructions in this area, blended with a careful design of intermediate security games that take into account the relationship between the challenge ciphertext and the key queries.
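
The following is an added example, not code from the paper: a plaintext model of the Match predicate and of the bookkeeping a challenger needs to enforce the key-query restriction before and after the challenge. It contains no cryptography. All names (`QueryTracker`, `encode_value`, `key_leq`), the `"*"` wildcard symbol and the unary comparison encoding are assumptions chosen for illustration; the page does not give the reduction from [5].

```python
STAR = "*"  # stands in for the wildcard symbol of the key alphabet

def match(x, y):
    """Match(x, y): true iff every non-wildcard y_i equals x_i."""
    if len(x) != len(y):
        raise ValueError("attribute and key vectors must have equal length")
    return all(yi == STAR or xi == yi for xi, yi in zip(x, y))

def admissible(y, x0, x1):
    """A key query y is allowed iff it does not discriminate x0 from x1."""
    return match(x0, y) == match(x1, y)

class QueryTracker:
    """Challenger-side bookkeeping: queries arrive before and after the challenge."""
    def __init__(self):
        self.queries = []
        self.challenge = None

    def key_query(self, y):
        # After the challenge, a discriminating key would decide the game trivially.
        if self.challenge is not None and not admissible(y, *self.challenge):
            return False
        self.queries.append(tuple(y))
        return True

    def set_challenge(self, x0, x1):
        # Keys handed out earlier must satisfy the same restriction.
        if any(not admissible(y, x0, x1) for y in self.queries):
            return False
        self.challenge = (tuple(x0), tuple(x1))
        return True

def encode_value(v, n):
    """Unary attribute vector for v in 1..n: position j (1-based) is 1 iff j >= v."""
    return tuple(1 if j >= v else 0 for j in range(1, n + 1))

def key_leq(a, n):
    """Key vector for the comparison v <= a: position a fixed to 1, wildcards elsewhere."""
    return tuple(1 if j == a else STAR for j in range(1, n + 1))

def demo():
    t = QueryTracker()
    x0, x1 = (1, 0, 1, 1), (1, 1, 1, 0)       # constructed challenge vectors
    r1 = t.key_query((1, STAR, 1, STAR))      # matches both vectors: allowed
    r2 = t.set_challenge(x0, x1)
    r3 = t.key_query((STAR, 0, STAR, STAR))   # matches x0 only: refused
    r4 = t.key_query((0, STAR, STAR, STAR))   # matches neither: allowed
    return r1, r2, r3, r4
```

A key that matches neither challenge vector is still admissible, since the restriction only forbids keys whose Match value differs between the two vectors.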

[1] Craig Gentry, et al. Hierarchical Identity Based Encryption with Polynomially Many Levels, 2009, TCC.

[2] Vincenzo Iovino, et al. Hidden-Vector Encryption with Groups of Prime Order, 2008, Pairing.

[3] Elaine Shi, et al. Delegating Capabilities in Predicate Encryption Systems, 2008, ICALP.

[4] Steven D. Galbraith, et al. Pairing-Based Cryptography - Pairing 2008, Second International Conference, Egham, UK, September 1-3, 2008. Proceedings, 2008, Pairing.

[5] Matthew Franklin, et al. Advances in Cryptology – CRYPTO 2004, 2004, Lecture Notes in Computer Science.

[6] Craig Gentry, et al. Practical Identity-Based Encryption Without Random Oracles, 2006, EUROCRYPT.

[7] Dan Boneh, et al. Secure Identity Based Encryption Without Random Oracles, 2004, CRYPTO.

[8] Tsuyoshi Takagi, et al. Pairing-Based Cryptography - Pairing 2007, First International Conference, Tokyo, Japan, July 2-4, 2007, Proceedings, 2007, Pairing.

[9] Brent Waters, et al. Efficient Identity-Based Encryption Without Random Oracles, 2005, EUROCRYPT.

[10] Aggelos Kiayias, et al. Traceable Signatures, 2004, EUROCRYPT.

[11] Serge Vaudenay, et al. Advances in Cryptology - EUROCRYPT 2006, 2006, Lecture Notes in Computer Science.

[12] Pieter H. Hartel, et al. Searching Keywords with Wildcards on Encrypted Data, 2010, SCN.

[13] Allison Bishop, et al. New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts, 2010, IACR Cryptol. ePrint Arch.

[14] Shai Halevi. Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings, 2009, CRYPTO.

[15] Dan Boneh. Bilinear Groups of Composite Order, 2007, Pairing.

[16] Adam O'Neill, et al. Definitional Issues in Functional Encryption, 2010, IACR Cryptol. ePrint Arch.

[17] David Pointcheval, et al. Fully Collusion Secure Dynamic Broadcast Encryption with Constant-Size Ciphertexts or Decryption Keys, 2007, Pairing.

[18] Robin Milner, et al. On Observing Nondeterminism and Concurrency, 1980, ICALP.

[19] Rafail Ostrovsky, et al. Public Key Encryption with Keyword Search, 2004, EUROCRYPT.

[20] Brent Waters, et al. Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions, 2009, IACR Cryptol. ePrint Arch.

[21] Nigel P. Smart, et al. Advances in Cryptology - EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13-17, 2008. Proceedings, 2008, EUROCRYPT.

[22] Jonathan Katz, et al. Chosen-Ciphertext Security from Identity-Based Encryption, 2004, SIAM J. Comput.

[23] Ronald Cramer, et al. Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, 2005, EUROCRYPT.

[24] Brent Waters, et al. Conjunctive, Subset, and Range Queries on Encrypted Data, 2007, TCC.

[25] Brent Waters, et al. Attribute-based encryption for fine-grained access control of encrypted data, 2006, CCS '06.

[26] Dan Boneh, et al. Evaluating 2-DNF Formulas on Ciphertexts, 2005, TCC.