Key-policy Attribute-based Encryption for General Boolean Circuits from Secret Sharing and Multi-linear Maps agan 1 and Ferucio Laurent ¸iplea 2 Constantin C˘ at˘ alin Dr˘ ¸iu T 1 CNRS, LORIA, 54506 Vandoeuvre-l` es-Nancy Cedex France e-mail: catalin.dragan@loria.fr 2 Department of Computer Science, “Alexandru Ioan Cuza” University of Ia¸ si 700506 Ia¸ si, Romania, e-mail: fltiplea@info.uaic.ro Abstract. We propose a Key-policy Attribute-based Encryption (KP-ABE) scheme for gen- eral Boolean circuits, based on secret sharing and on a very particular and simple form of leveled multi-linear maps, called chained multi-linear maps . The number of decryption key components is substantially reduced in comparison with the scheme in [7], and the size of the multi-linear map (in terms of bilinear map components) is less than the Boolean circuit depth, while it is quadratic in the Boolean circuit depth for the scheme in [7]. Moreover, the multi- plication depth of the chained multi-linear map in our scheme can be significantly less than the multiplication depth of the leveled multi-linear map in the scheme in [7]. Selective security of the proposed scheme in the standard model is proved, under the decisional multi-linear Diffie-Hellman assumption. Keywords attribute-based encryption, multi-linear map 1 Introduction Attribute-based encryption (ABE) was introduced in [11] as a generalization of identity-based encryption [12]. There are two forms of ABE: key-policy ABE (KP-ABE) and ciphertext- policy ABE (CP-ABE) [9, 2]. A KP-ABE scheme encrypts messages taking into considera- tion specific sets of attributes; decryption keys are distributed for an entire access structure build over the set of attributes so that correct decryption is allowed only to authorized sets of attributes (defined by the access structure). A CP-ABE scheme proceeds somehow vice-versa than a KP-ABE scheme: messages are encrypted together with access structures while decryption keys are given for specific sets of attributes. In all these cases, the access structures are defined by Boolean circuits [13]. This paper focuses on KP-ABE. The first KP-ABE scheme was proposed in [9], where the access structures were specified by monotone Boolean formulas (Boolean circuits of fan-out one with no negation gates). An extension to non-monotonic Boolean formulas has later been proposed [10]. A direct extension of these schemes to the general case (access structures defined by general Boolean circuits) faces the backtracking attack [7, 5]. The first KP-ABE scheme for general Boolean circuits was proposed [7], based on leveled multi-linear maps. Later soon, another KP-ABE scheme for general Boolean circuits has been proposed [8]; its construction is based on lattices and on the Learning With Errors (LWE) problem. Inspired by [8], Boneh et.al. [3] have proposed a KP-ABE scheme for functions that can be represented as (polynomial-size) arithmetic circuits. The scheme is based on the LWE problem as well. Its decryption key size is quadratic in the circuit depth, while for the schemes proposed in [7, 8] it is linear in the number of Boolean gates or wires in the circuit. On the other side, the size of its public parameters is quadratic, while for the schemes in [7, 8] is linear, in the number of input wires. In this paper we propose a new KP-ABE scheme for general Boolean Contribution circuits based on secret sharing and a very particular and simple form of leveled multi-linear
maps, called chained multi-linear maps . We can think of our approach as a bridge between the simple and elegant approach in [9] based on secret sharing and just one bilinear map (but limited to Boolean formulas), and the more complex one in [7] based only on leveled multi-linear maps (which works for general Boolean circuits). This novel approach leads to a scheme more efficient than the one in [7], both in terms of the decryption key size and of the multi-linear map size and graded encoding multiplication depth. The size of the chained multi-linear maps we use is less than the circuit depth, while the leveled multi-linear maps used in [7] have a quadratic size in the circuit depth. To define a chained multi-linear map one has just to define k bilinear maps from G i × G 1 into G i +1 , 1 ≤ i ≤ k , and a generator of the group G 1 . In the case of leveled multi-linear maps, supplementary constraints regarding the groups generators, are needed. Our construction works for general Boolean circuits. For a clear understanding of the construction, the logic gates of fan-out two or more are split into logics gates of fan-out one and fanout-gates (FO-gates) whose role is to multiply the output of the logic gates (we emphasize that this splitting is just for the easiness of the presentation and has no technical reasons). Then, a secret sharing procedure works top-down to share some secret, and a bottom-up procedure reconstructs a “hidden” form of the secret by using chained multi-linear maps. The generator of the chained multi-linear map is changed each time a FO-level (level that contains FO-gates) is reached. Decryption key components are assigned to input wires, FO-gates, and circuit FO-levels. The size of the decryption key is at most a third of the size of the decryption key in the construction in [7]. Using graded encoding systems [6] to define multi-linear maps as in [7], the multiplication depth of the chained multi-linear maps in our scheme is exactly the number of FO-levels (and does not depend on the circuit depth). As the number of FO-levels can be significantly less than or equal to the circuit depth minus three, we conclude that the multiplication depth of the chained multi-linear maps in our scheme can be significantly less than the multiplication depth of the leveled multi-linear maps in [7] (where it is given by the circuit depth). In other words, a chained multi-linear map of multiplication depth r can be used with any Boolean circuit with r FO-levels, no matter its depth. This is not possible for the construction in [7]. The selective security of our KP-ABE scheme is proved in the standard model under the decisional multi-linear Diffie-Hellman assumption. Paper organization The paper is organized into eight sections. The next section fixes the basic terminology and notation used throughout the paper. The third section discusses the scheme in [7] and how it thwarts the backtracking attack, and gives an informal overview of our solution. Our construction is presented in the fourth section, its security is discussed in the fifth one, while the sixth section presents some comparisons between our scheme and the one in [7]. Section seven proposes some extensions of our scheme, and the last one concludes the paper. 2 Preliminaries Access structures It is customary to represent access structures [13] by Boolean circuits [1]. A Boolean circuit consists of a number of input wires (which are not gate output wires), a number of output wires (which are not gate input wires), and a number of OR-, AND-, and NOT-gates. The OR- and AND-gates have two input wires, while NOT-gate has one input wire. All of them may have more than one output wire. That is, the fan-in of the circuit is at most two, while the fan-out may be arbitrarily large but at least one. A Boolean circuit is monotone if it does not have NOT-gates, and it is of fan-out one if all gates have 2
Recommend
More recommend
