Attribute-based encryption schemes with constant-size ciphertexts

Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor (the dual ciphertext-policy scenario proceeds the other way around), the primitive enables senders to encrypt messages under a set of attributes and private keys are associated with access structures that specify which ciphertexts the key holder will be allowed to decrypt. In most ABE systems, the ciphertext size grows linearly with the number of ciphertext attributes and the only known exception only supports restricted forms of access policies. This paper proposes the first attribute-based encryption (ABE) schemes allowing for truly expressive access structures and with constant ciphertext size. Our first result is a ciphertext-policy attribute-based encryption (CP-ABE) scheme with O(1)-size ciphertexts for threshold access policies and where private keys remain as short as in previous systems. As a second result, we show that a certain class of identity-based broadcast encryption schemes generically yields monotonic key-policy attribute-based encryption (KP-ABE) systems in the selective set model. Our final contribution is a KP-ABE realization supporting non-monotonic access structures (i.e., that may contain negated attributes) with short ciphertexts. As an intermediate step toward this result, we describe a new efficient identity-based revocation mechanism that, when combined with a particular instantiation of our general monotonic construction, gives rise to the most expressive KP-ABE realization with constant-size ciphertexts. The downside of our second and third constructions is that private keys have quadratic size in the number of attributes. On the other hand, they reduce the number of pairing evaluations to a constant, which appears to be a unique feature among expressive KP-ABE schemes.

[1]  Nuttapong Attrapadung,et al.  Functional Encryption for Inner Product: Achieving Constant-Size Ciphertexts with Adaptive Security or Support for Negation , 2010, Public Key Cryptography.

[2]  Brent Waters,et al.  Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys , 2005, CRYPTO.

[3]  Goichiro Hanaoka,et al.  Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption , 2011, Public Key Cryptography.

[4]  Xavier Boyen,et al.  General Ad Hoc Encryption from Exponent Inversion IBE , 2007, EUROCRYPT.

[5]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[6]  Tatsuaki Okamoto,et al.  Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption , 2010, IACR Cryptol. ePrint Arch..

[7]  Nuttapong Attrapadung,et al.  Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts , 2011, Public Key Cryptography.

[8]  Hideki Imai,et al.  Conjunctive Broadcast and Attribute-Based Encryption , 2009, Pairing.

[9]  Sherman S. M. Chow,et al.  Improving privacy and security in multi-authority attribute-based encryption , 2009, CCS.

[10]  Brent Waters,et al.  Ciphertext-Policy Attribute-Based Encryption , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[11]  Ran Canetti,et al.  A Forward-Secure Public-Key Encryption Scheme , 2003, Journal of Cryptology.

[12]  Yuan Zhou,et al.  Efficient ID-based Broadcast Threshold Decryption in Ad Hoc Network , 2006, First International Multi-Symposiums on Computer and Computational Sciences (IMSCCS'06).

[13]  Allison Bishop,et al.  Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption , 2010, EUROCRYPT.

[14]  Rafail Ostrovsky,et al.  Attribute-based encryption with non-monotonic access structures , 2007, CCS '07.

[15]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[16]  David Pointcheval,et al.  Dynamic Threshold Public-Key Encryption , 2008, CRYPTO.

[17]  Moni Naor,et al.  On Cryptographic Assumptions and Challenges , 2003, CRYPTO.

[18]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[19]  Brent Waters,et al.  Attribute-based encryption for fine-grained access control of encrypted data , 2006, CCS '06.

[20]  Amit Sahai,et al.  Bounded Ciphertext Policy Attribute Based Encryption , 2008, ICALP.

[21]  Jung Hee Cheon,et al.  Security Analysis of the Strong Diffie-Hellman Problem , 2006, EUROCRYPT.

[22]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[23]  Ran Canetti,et al.  An Efficient Threshold Public Key Cryptosystem Secure Against Adaptive Chosen Ciphertext Attack , 1999, EUROCRYPT.

[24]  Dan Boneh,et al.  Generalized Identity Based and Broadcast Encryption Schemes , 2008, ASIACRYPT.

[25]  Atsuko Miyaji,et al.  A ciphertext-policy attribute-based encryption scheme with constant ciphertext length , 2009, Int. J. Appl. Cryptogr..

[26]  Masao Kasahara,et al.  ID based Cryptosystems with Pairing on Elliptic Curve , 2003, IACR Cryptol. ePrint Arch..

[27]  Allison Bishop,et al.  Revocation Systems with Very Small Private Keys , 2010, 2010 IEEE Symposium on Security and Privacy.

[28]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[29]  Eike Kiltz,et al.  Generalized Key Delegation for Hierarchical Identity-Based Encryption , 2007, ESORICS.

[30]  Nigel P. Smart,et al.  Escrow-free encryption supporting cryptographic workflow , 2006, International Journal of Information Security.

[31]  Moni Naor,et al.  Efficient trace and revoke schemes , 2000, International Journal of Information Security.

[32]  Brent Waters,et al.  Functional Encryption: Definitions and Challenges , 2011, TCC.

[33]  Jonathan Katz,et al.  Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products , 2008, Journal of Cryptology.

[34]  Paz Morillo,et al.  CCA2-Secure Threshold Broadcast Encryption with Shorter Ciphertexts , 2007, ProvSec.

[35]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[36]  Javier Herranz,et al.  Constant Size Ciphertexts in Threshold Attribute-Based Encryption , 2010, Public Key Cryptography.

[37]  Dan Boneh,et al.  Hierarchical Identity Based Encryption with Constant Size Ciphertext , 2005, EUROCRYPT.

[38]  Ling Cheung,et al.  Provably secure ciphertext policy ABE , 2007, CCS '07.

[39]  Brent Waters,et al.  Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization , 2011, Public Key Cryptography.

[40]  Jonathan Katz,et al.  Chosen-Ciphertext Security from Identity-Based Encryption , 2004, SIAM J. Comput..

[41]  Melissa Chase,et al.  Multi-authority Attribute Based Encryption , 2007, TCC.

[42]  David Pointcheval,et al.  Fully Collusion Secure Dynamic Broadcast Encryption with Constant-Size Ciphertexts or Decryption Keys , 2007, Pairing.

[43]  Hideki Imai,et al.  Dual-Policy Attribute Based Encryption , 2009, ACNS.