FE for Inner Products and Its Application to Decentralized ABE

Wang, Zhedong; Fan, Xiong; Liu, Feng-Hao

doi:10.1007/978-3-030-17259-6_4

Zhedong Wang^16,17,
Xiong Fan¹⁸ &
Feng-Hao Liu¹⁹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11443))

Included in the following conference series:

IACR International Workshop on Public Key Cryptography

1615 Accesses
14 Citations

Abstract

In this work, we revisit the primitive functional encryption (FE) for inner products and show its application to decentralized attribute-based encryption (ABE). Particularly, we derive an FE for inner products that satisfies a stronger notion, and show how to use such an FE to construct decentralized ABE for the class $\{0,1\}$-$\mathsf {LSSS} $ against bounded collusions in the plain model. We formalize the FE notion and show how to achieve such an FE under the LWE or DDH assumption. Therefore, our resulting decentralized ABE can be constructed under the same standard assumptions, improving the prior construction by Lewko and Waters (Eurocrypt 2011). Finally, we also point out challenges to construct decentralized ABE for general functions by establishing a relation between such an ABE and witness encryption for general NP statements.

Z. Wang—This work was done when the author was visiting Florida Atlantic University.

Access provided by Autonomous University of Puebla. Download conference paper PDF

Inner-Product Functional Encryption with Fine-Grained Access Control

Decentralized Multi-Authority Attribute-Based Inner-Product FE: Large Universe and Unbounded

Hierarchical Functional Encryption for Linear Transformations

1 Introduction

In this work, we revisit the functional encryption (FE) for inner products [6] and show its application to decentralized attribute-based encryption [22]. In particular, we identify a stronger notion for FE required in this application, and show how to build such a scheme under the LWE or DDH assumption. Our new analysis improves the parameters of the LWE-based scheme (over [6]) substantially. Next, we show how to build a decentralized ABE against bounded collusion from FE for inner products that satisfies the stronger notion. By combining the instantiation of the FE, we can derive a decentralized ABE against bounded collusion from LWE or DDH, improving the prior work [41] in the perspective of weaker assumptions. Below, we briefly review the contexts and motivation of our study.

1.1 A Brief History and Motivation

We start with the application of decentralized ABE, and then discuss our central tool – FE for inner products.

Attribute-based Encryption. Attribute-based Encryption (ABE) [11, 34] generalizes public key encryption to allow fine grained access control on encrypted data. In (ciphertext-policy) attribute-based encryption, a ciphertext $\mathsf {ct} $ for message $\mu $ is associated with a policy function f, and a secret key $\mathsf {sk} $ corresponds to an attribute x. The functionality requires that decryptor learns the underlying message $\mu $ if attribute x satisfies the policy function f, and if not, security guarantees that nothing about $\mu $ can be learned. In the past decade, significant progress has been made towards constructing attribute-based encryption for advanced functionalities based on various assumptions [5, 8, 14, 17, 18, 20, 26, 29, 32, 33, 35, 39, 42, 49, 51, 54, 55].

In 2007, Chase [22] considered an extension called multi-authority (or decentralized) ABE. In almost all ABE proposals listed above, the secret keys are generated by one central authority, who has the ability to verify all attributes for the secret keys it generated. These systems can be utilized to share information according to a policy within a domain or organization, where the central authority is in charge of issuing secret keys. However, in many applications, we wish to share some confidential information associated with a policy function across several different trusted organizations. For instance, in a joint project by two corporations, like Google and Facebook, they both may issue secret keys associated with attributes within their own organizations. This setting is outside the scope of the single authority ABE, as the single authority is not capable to verify attributes from different organizations. In [41], the authors show how to construct a decentralized ABE that captures the desired properties, for a large class of functions. Their solutions are secure against unbounded collusion in the random oracle model, or against bounded collusion in the standard model. For both cases, their proofs of security however, rely on several new computational assumptions on bilinear groups. Moreover, their security model only captures a static corruption where the adversary must commit to a set of corrupted parties at the beginning of the security game. To our knowledge, there is no construction that is based on better studied computational assumptions, such as DDH or LWE, even for the setting of bounded collusion. Thus, we ask:

Along the way to answer this question, we identify an interesting connection between decentralized ABE and functional encryption for inner products [6]. We first review the context of functional encryption (for inner products), and then elaborate on the connection in the technical overview section below.

Functional Encryption (for Inner Products). In a Functional Encryption (FE) scheme [16, 48], a secret key $\mathsf {sk} _g$ is associated with a function g, and a ciphertext $\mathsf {ct} _x$ is associated with some input x from the domain of g. The functionality of FE requires that the decryption procedure outputs g(x), while security guarantees that nothing more than than g(x) can be learned. Constructing FE for general functions is quite challenging – the only known solutions (supporting unbounded key queries) either rely on indistinguishability obfuscation [25] or multilinear maps [27]. On the other hand, researchers have identified some special classes of functions that already suffice for many interesting applications [3, 7]. One of them is the inner products, where a ciphertext $\mathsf {ct} $ encrypts a vector $\varvec{y} \in D^\ell $ for some domain D, and a secret key for vector $\varvec{x} \in D^\ell $ allows computing $\langle \varvec{x}, \varvec{y} \rangle $ but nothing else. Abdalla et al. [1] constructed a scheme and prove security against selective adversaries, who have to declare the challenge messages $(\varvec{y}_0, \varvec{y}_1)$ at the beginning before seeing the master public key $\mathsf {mpk} $. More recently, Agrawal et al. [6] constructed an adaptively secure FE for inner products that removes this restriction, and in particular, their scheme guarantees the indistinguishability-based (IND) security for key queries both before and after the challenge ciphertext. Moreover, Agrawal et al. [6] pointed out that the IND-based security achieves “almost” the best possible security, as it implies the simulation-based (SIM) security (for the case of inner products) without post-challenge-ciphertext key queries. On the other hand, the SIM-based security is in general impossible to achieve even for one post-challenge-ciphertext key query [6, 16].

In this work, we observe that the IND-based security does not suffice for our task of constructing decentralized ABE with a stronger security guarantee. Furthermore, the efficiency of the currently best known lattice-based construction (FE for inner products) [6] degrades exponentially with the dimension of the vector $\varvec{y}$. A subsequent work [4] improved the parameters significantly, yet with a tradeoff of weaker security where the adversary can only receive $\mathsf {sk} _{\varvec{x}} $ for random $\varvec{x}$’s before the challenge ciphertext and cannot issue more key queries afterwards. Their scheme [4] is useful in the setting of designing trace-and-revoke systems, but cannot be applied to the decentralized ABE where the adversary can obtain keys of his own choice, both before and after the challenge ciphertext. Thus, the applicability of currently known FE for inner products is still limited. Therefore, we ask the following question:

1.2 Our Results

Below we summarize our answers to the two questions in three folds as below.

1.
For the question related to decentralized ABE, we first generalize the security notion of [41] by considering adaptive corruption of parties (in addition to making adaptive key queries). Then we construct a new scheme for $\{0,1\}$-$\mathsf {LSSS} $ (a class that captures monotone boolean formula) with the building block – functional encryption for inner products (with a stronger security requirement). Our scheme is in the plain model and the security holds against bounded collusion.
2.
We formalize this requirement and instantiate two schemes – one by LWE, and the other by DDH. Our constructions make essential modifications of the constructions by [6], and we improve the analysis significantly (especially for the LWE-based construction), resulting in more efficient schemes with stronger security.
3.
We show that decentralized ABE for general access structures is somewhat equivalent to witness encryption (WE) for general NP relations. This can be viewed as a challenge in achieving decentralized ABE based on standard assumptions, as we are not aware of any construction of WE for NP relations based on standard assumptions.

By putting (1) and (2) together, we achieve the following informal theorem:

Theorem 1.1

(Informally Stated). Assume the DDH or LWE assumption. For the function class of $\{0,1\}$-$\mathsf {LSSS} $, there exists a decentralized ABE scheme that is secure against adversary who can make adaptive key queries and adaptively corrupt parties, with bounded collusions.

Our LWE-based construction provides another path to construct decentralized ABE that is potentially secure against quantum computers as long as LWE is quantum hard. Next we compare our DDH construction with that of the prior work [41]. First, both schemes achieve the function class $\{0,1\}$-$\mathsf {LSSS} $. Second, our scheme achieves stronger security against adaptive corruptions of parties, yet the work [41] achieves security against static security where the adversary needs to commit to a subset of corrupted parties at the beginning of the security experiment. Third, our scheme only relies on the DDH assumption without the need of pairings, yet the work [41] requires three new assumptions on bilinear groups. Finally, the work [41] can support an unbounded number of collusions by using random oracle, yet in the plain model, their scheme can only support a bounded number of collusions. On the other hand, our scheme works natively in the plain model and supports a bounded number of collusions. We leave it as an interesting open question whether our scheme can be upgraded in the random oracle model.

1.3 Our Techniques

Decentralized ABE. In this work, one focus is to construct decentralized ABE, following the direction of the prior work [22, 41]. We first briefly review the setting. In a decentralized ABE system, anyone can become an authority by simply creating a public key and issuing secret keys to different users for their attributes, without coordinating with (or even being aware of) other authorities. Similarly as in [22, 41], we use the concept of global identifiers $(\mathsf {GID})$ to link together secret keys issued by different authorities. Ciphertexts are generated corresponding to some access structure over attributes. The decryptor can recover the message if he holds secret keys from different attributes that have the same $\mathsf {GID} $ and satisfy the access structure specified by the ciphertext. In the security model, the adversary can corrupt authorities and query authorities for attributes associated with $\mathsf {GID} $ adaptively, with the restrictions that the information learned from these collusion cannot help adversary decrypt challenge ciphertext. For the bounded collusion setting, the number of $\mathsf {GID} $ queried by adversary is fixed according to the scheme parameter.

To present our intuition, we first consider a very simple case and then present how we can generalize the idea. Let us assume that there is only one known $\mathsf {GID} $, and there are three parties $P_{1},P_{2},P_{3}$, where each $P_{i}$ holds only one attribute i. In this case, constructing a decentralized ABE is simple. Each $P_{i}$ just samples $(\mathsf {pk} _{i}, \mathsf {sk} _{i})$ from a regular encryption scheme, and outputs $\mathsf {pk} _{i}$ as the master public key and keeps $\mathsf {sk} _{i}$ as the master secret key. To issue a key for the attribute i, the party $P_{i}$ just simply outputs $\mathsf {sk} _{i}$. To encrypt a message m, the encryptor first secret share $ (w_{1},w_{2},w_{3}) \leftarrow \mathsf {Share} (m)$ (according to its access structure), and outputs $\mathsf {Enc} _{\mathsf {pk} _{1}} (w_{1}), \mathsf {Enc} _{\mathsf {pk} _{2}} (w_{2}), \mathsf {Enc} _{\mathsf {pk} _{3}} (w_{3})$ as the ciphertext. Intuitively, if the decryptor holds a set of keys $\{\mathsf {sk} _{j}\}_{j\in S}$ where S satisfies the access structure, then the decryptor can obtain $\{w_{j}\}_{j\in S} $ and recover the original message m. On the other hand, if S does not satisfy the structure, then by the security of the secret sharing scheme, the adversary cannot learn any information about m.

To generalize the idea to a larger $\mathsf {GID} $ domain, we consider a new secret sharing that takes shares over polynomials.^{Footnote 1} Particularly, we let $p_{0}(x) = m$ be a constant degree polynomial with the coefficient m. The encryptor now shares $(p_{1}(x), p_{2}(x), p_{3}(x)) \leftarrow \mathsf {Share} (p_{0}(x))$, and outputs the ciphertext as $\Big (\mathsf {Enc} _{\mathsf {pk} _{1}} (p_{1}(x)),$ $\mathsf {Enc} _{\mathsf {pk} _{2}} (p_{2}(x)), \mathsf {Enc} _{\mathsf {pk} _{3}} (p_{3}(x)) \Big )$. Suppose we can achieve the following properties:

1.
$P_{i}$ can issue a secret key $\mathsf {sk} _{i,\mathsf {GID}}$ such that whoever holds the key can learn $p_{i}(\mathsf {GID})$.
2.
Suppose $\Big ( \left\{ p_{i}(\mathsf {GID} _{1}) \right\} _{i\in S_{1}}, \left\{ p_{i}(\mathsf {GID} _{2}) \right\} _{i\in S_{2}},\dots , \left\{ p_{i}(\mathsf {GID} _{t})\right\} _{i\in S_{t}} \Big )$ is given for distinct $\mathsf {GID} _{1},\dots , \mathsf {GID} _{t}$.
1. (a)
  If there exists some $S_{j}$ that satisfies the access structure, then one can recover $p_{0}(\mathsf {GID} _{j}) = m$.
2. (b)
  If no such $S_{j}$ exists, then $p_{0}(x) = m$ remains hidden.

Then it is not hard to see that the scheme also achieves the decentralized ABE, as $P_{i}$ can issue $\mathsf {sk} _{i,\mathsf {GID}}$ as Property 1, the decryption works by Property 2(a), and intuitively, security is guaranteed by Property 2(b).

Now we elaborate on how to implement the properties in more details. First, we can see that functional encryption (FE) is exactly what we need for Property 1, and in fact, FE for inner products suffices for the functionality. The encryption algorithm can encrypt $\varvec{y} = (c_{0}, c_{1},\dots , c_{k})$ that represents the polynomial $p(x) = \sum _{i=0}^{k} c_{i}x^{i} $, and a key for $\mathsf {GID} $ can be set as the FE key $\mathsf {sk} _{\varvec{x}}$ for $\varvec{x} = (1, \mathsf {GID}, \mathsf {GID} ^{2},\dots , \mathsf {GID} ^{k})$. By using the FE decryption with the secret key $\mathsf {sk} _{\varvec{x}}$, one can learn $\langle \varvec{x}, \varvec{y} \rangle = p(\mathsf {GID})$. To implement Property 2, we find that we can apply the known $\{0,1\}$-$\mathsf {LSSS} $ sharing scheme [13] over the coefficients of the polynomial, and prove Properties 2(a) and 2(b). If the shares of polynomials are of degree k, then we can tolerate up to $t = k-1$ distinct $\mathsf {GID} $ queries. See our Sect. 4 for further details.

We notice that any FE for inner products can achieve the functionality of Property 1 as stated above, yet connecting security of the FE and security of the decentralized ABE is not obvious. First, the (challenge) messages used in the decentralized ABE come from a distribution (i.e., shares from $\mathsf {Share} \left( p_{0}(x) \right) $ form a distribution), yet the IND-based security considered by prior work [1, 6, 16] focuses on two fixed challenge messages $\varvec{y}_{0} $ and $ \varvec{y}_{1}$. It is not clear how to define two fixed $\varvec{y}_{0} $ and $ \varvec{y}_{1}$ to capture two distributions of $\mathsf {Share} \left( p_{0}(x) \right) $ and $\mathsf {Share} \left( q_{0}(x) \right) $ in the decentralized ABE setting, and furthermore, is not clear how to define admissible key queries in our setting. SIM-based FE might be helpful, but it is impossible to achieve the notion (for challenge ciphertexts that encrypt a vector of messages) if the adversary is allowed to make post-challenge ciphertext key queries, as pointed out by [6]. We also note that the scheme of Gorbunov, Vaikuntanathan, and Wee [31] cannot be applied to our setting directly, as their SIM adaptive security only holds for challenge ciphertexts that encrypt a single-message.^{Footnote 2} Second, in our decentralized ABE, the adversary is allowed to corrupt parties and make key queries adaptively, i.e., at any time of the game. It is not clear whether the currently functional encryption schemes are secure under adaptive corruption if several ciphertexts under different public keys are given first and then several master secret keys are compromised. Consider the following example: suppose $\mathsf {Enc} _{\mathsf {pk} _{1}}(\varvec{y}_{1}), \mathsf {Enc} _{\mathsf {pk} _{2}}(\varvec{y}_{2}), \mathsf {Enc} _{\mathsf {pk} _{3}}(\varvec{y}_{3})$ are given first, and then the adversary can corrupt any subset, say $\mathsf {sk} _{1}$ and $\mathsf {sk} _{2}$, and make key query to $\mathsf {sk} _{3}$, what security can we guarantee for the remaining message $\varvec{y}_{3}$?

Functional Encryption for Inner Products. To handle the issues above, we consider a more generalized security notion of functional encryption. Intuitively, our framework considers encryption over a set of messages from two (challenge) distributions, say $(\varvec{y}_{1}, \dots , \varvec{y}_{\ell }) \leftarrow \mathcal {D}^{\ell }_{b}$ for $b\in \{0,1\}$, under different public keys $(\mathsf {pk} _{1},\dots , \mathsf {pk} _{\ell })$, and the ciphertexts $\left( \mathsf {Enc} _{\mathsf {pk} _{1}} (\varvec{y}_{1}), \dots , \mathsf {Enc} _{\mathsf {pk} _{\ell }} (\varvec{y}_{\ell }) \right) $ are given to the adversary. The adversary can make (1) a corruption query to any $\mathsf {sk} _{i}$ and (2) a key query $\varvec{x}$ to an uncorrupted $\mathsf {sk} _{j}$, multiple times before or after the challenge phase. Our security requires that the adversary cannot guess b correctly, as long as the distributions $\mathcal {D}_{0}^{\ell }$ and $\mathcal {D}_{1}^{\ell }$ remain indistinguishable under the functionalities from (1) and (2). This security notion lies in between the IND-based security and the SIM-based security. We prove that any functional encryption that satisfies the notion can be used to implement the idea above to build a secure decentralized ABE. We present the details in Sect. 4.

Next we turn to the question how to build such a functional encryption scheme. We make essential modifications of the DDH and LWE-based constructions from the work [6], and prove that the modified schemes achieve our new security definition. Conceptually, we develop two new techniques: (1) we use a complexity leverage argument (or random guessing [36]) in a clever way that does not affect of the underlying LWE or DDH assumption at all. (2) Our LWE-based construction uses a re-randomized technique proposed in the work [37] to avoid the use of multi-hint extended LWE as required by the work [6]. The reduction from multi-hint LWE to LWE incurs a significant security loss, and the standard deviation required by the discrete Gaussian distribution is large. By using our new analysis, we are able to have a direct security proof of the scheme without multi-hint LWE, resulting in an exponential improvement over the parameters. Below we elaborate on more details. As we improve over some subtle but important points of the work [6], for the next paragraph we assume some familiarity of the work [6].

We briefly review the approach of [6]. The master public/secret keys have the form $\mathsf {mpk} = (\mathbf {A}, \mathbf {U})$ and $\mathsf {msk} =\mathbf {Z}$ such that $\mathbf {U} = \mathbf {Z} \mathbf {A}$. The ciphertext has the form $\mathsf {Enc} (\varvec{y}) = (c_{0},c_{1}) $ where $c_{0}= \mathbf {A} \varvec{s} + \varvec{e}_{0}$, and $c_{1} = \mathbf {U} \varvec{s} + \varvec{e}_{1} + K \varvec{y}$ for some appropriate number K. The security proof of [6] proceeds as follows:

Let $H_{0}$ be the original game.
Hybrid $H_{1}$: $c_{0}$ remains the same, and $c_{1} = \mathbf {Z} (c_{0} -\varvec{e}_{0}) + \varvec{e}_{1} + K \varvec{y}$.
Hybrid $H_{2}$: $c_{0}$ is switched to the uniform vector, and $c_{1}$ remains the same as $H_{1}$.

It is quite easy to see that $H_{1}$ is just a rephrase of $H_{0}$, so the two hybrids are identical. The difference between $H_{1}$ and $H_{2}$ relies on the multi-hint extended LWE, as we need the hint of $\mathbf {Z} \varvec{e}_{0}$ in order to simulate $c_{1}$ given $c_{0}$. Then Agrawal et al. [6] showed that in $H_{2}$, the adversary has a negligible winning probability with an information-theoretic argument. This is to say, in $H_{2}$, even a computationally unbounded adversary cannot win the game with better than a negligible probability.

To get rid of the use of multi-hint extended LWE, we modify the hybrid 1:

New $H_{1}'$: $c_{0}$ remains the same as $H_{0}$, and $c_{1}= \mathsf {ReRand}(\mathbf {Z}, \varvec{c}_{0}, \alpha q, \sigma ^{*}) + K \varvec{y}$ for some $\alpha q, \sigma ^{*}$.

The algorithm $\mathsf {ReRand}$ was proposed in the work by Katsumata et al. [37]. We show that this technique can be used to improve analysis in our setting: by setting $\alpha q, \sigma ^{*}$ appropriately, the output distribution of the $\mathsf {ReRand}$ will be statistically close to $\mathbf {U} \varvec{s} + \varvec{e}^{*}$ where $\varvec{e}^{*}$ has the same distribution of $\varvec{e}_{1}$. Consequently, $c_{1}$ can be generated independent of $\varvec{e}_{0}$, and thus we can get rid of the need of the multi-hint LWE.

To prove security of our setting, we need to analyze the success probability of an adversary in $H_{2}$. We observe that the proof technique by the work [6] cannot be applied to our setting. Intuitively, the crux of their security proof (in $H_{2}$) relies on the following facts: (1) once the adversary submits the challenge messages $\varvec{y}_{0}, \varvec{y}_{1}$, the space of key queries in the remaining game is fixed to $\varLambda ^{\bot }(\varvec{y}_{0} - \varvec{y}_{1})$. (2) The adversary cannot distinguish $\varvec{y}_{0}$ from $\varvec{y}_{1}$ even if he is given the ciphertext and a set of keys in each dimension of $\varLambda ^{\bot }(\varvec{y}_{0} - \varvec{y}_{1})$ at the same time. (This is captured as $\mathbf {X}_{top} \mathbf {Z}$ in their proof.) (3) Any post-challenge key queries can be derived by a linear combination of the keys obtained in (2), i.e, $\mathbf {X}_{top} \mathbf {Z}$. In our setting however, the fact (1) no longer holds. Given two message distributions, it is not clear whether the space for the remaining key queries is even fixed or not. Therefore, their argument cannot be used in our setting.

Another possible way to handle adaptive queries is to use a complexity leveraging argument (or random guessing according to the work [36]). However, by folklore we know that naively applying the argument will result in an exponential security loss, i.e., $\epsilon _{\mathsf {scheme}} \le 2^{\lambda } \cdot \epsilon _{\mathsf {LWE}}$. Our new insight to tackle this problem is to apply it cleverly: we only apply the argument in the hybrid $H_{2}$ where all the analysis is information-theoretic. In more details, we show that in $H_{2}$ the advantage of any adversary who only makes pre-challenge ciphertext key queries is bounded by some $\epsilon _{2}$, and by the complexity leveraging argument, the advantage of a full adversary is bounded by $2^{\lambda } \cdot \epsilon _{2}$. By setting the parameters appropriately, we can afford the loss without affecting the hardness of the underlying $\mathsf {LWE}$ or $\mathsf {DDH}$ assumption. Our overall advantage of the adversary would be $\epsilon _{\mathsf {scheme}} \le \varDelta (H_{0}, H_{1}) + \varDelta (H_{1}, H_{2}) + \mathbf {Adv}(H_{2} )$. By the property of $\mathsf {ReRand}$, $\varDelta (H_{0}, H_{1}) $ is negligible; by the security of $\mathsf {LWE}$, $\varDelta (H_{1}, H_{2}) \le \epsilon _{\mathsf {LWE}}$; by the above argument $ \mathbf {Adv}(H_{2} ) = 2^{\lambda } \cdot \epsilon _{2}$ can also be set to negligible. Therefore, we have $\epsilon _{\mathsf {scheme}} \le \epsilon _{\mathsf {LWE}} + \mathsf {negl} (\lambda )$. Details can be found in the full version of the paper.

Can We Achieve Decentralized ABE for General Functions? After achieving decentralized ABE for $\{0,1\}$-$\mathsf {LSSS} $, it is natural to ask whether we can do more. Here we show that any decentralized ABE for general functions implies a witness encryption (WE) for general NP statements. On the other hand, an extractable witness encryption for general NP statements plus signatures implies decentralized ABE, following the argument of the work [29]. The result provides a challenge to construct decentralized ABE for general functions under standard assumptions, as we are not aware of any construction of WE from standard assumptions. We leave it as an interesting open question whether there exists a decentralized ABE for a class between $\{0,1\}$-$\mathsf {LSSS} $ and general functions.

1.4 Additional Related Work

Decentralized ABE. The problem of building ABE with multiple authorities was proposed by Sahai and Waters [53], and first considered by Chase [22]. In [22], Chase introduced the concept of using a global identifier to link secret keys together. However, her system relies on a central authority and is limited to express a strict AND policy over a pre-determined set of authorities. Müller et al. [46, 47] proposed another construction with a centralized authority for any LSSS structure, based on [54], but their construction is secure only against non-adaptive queries. Lin et al. [43] showed a threshold based scheme (somewhat decentralized) against bounded collusions. In their system, the set of authorities is fixed ahead of time, and they must interact during system setup. Chase and Chow [23] showed how to remove the central authority using a distributed PRF, but the restriction of an AND policy over a pre-determined set of authorities remained. In [41], Lewko and Waters proposed a decentralized ABE system for any LSSS structure from bilinear groups. Their system is secure against adaptive secret key queries and selective authority corruption in random oracle model. Liu et al. [44] proposed a fully secure decentralized ABE scheme in standard model, but there exists multiple central authorities issuing identity-related keys to users.

Functional Encryption for Inner Products. The problem of FE for inner products was first considered by Abdalla et al. [1], where they show constructions against selective adversaries based on standard assumptions, like DDH and LWE. Later on, Bishop et al. [12] consider the same functionality in the secret-key setting with the motivation of achieving function privacy and security against adaptive adversaries. Recently, in work by Agrawal et al. [6], they provide constructions in public key setting based on several standard assumptions that are secure against more realistic adaptive adversaries, where challenge messages are declared in the challenge phase, based on previously collected information. Benhamouda et al. [10] show a CCA-Secure Inner-Product Functional Encryption generically from projective hash functions with homomorphic properties.

For the multi-input version of the inner product functionality, more recently, Abdalla et al. [2] show a construction of multi-input functional encryption scheme (MIFE) for the inner products functionality based on the k-linear assumption in prime-order bilinear groups, which is secure against adaptive adversaries. In [24], Datta et al. describe two non-generic constructions based on bilinear groups of prime order, where one construction can withstand an arbitrary number of encryption slots.

Witness Encryption. Recently, Brakerski et al. [19] proposed a new framework to construct WE via ABE. We note that a result similar to our construction can be obtained from their work.

1.5 Roadmap

The notations and some preliminaries are described in Sect. 2. In Sect. 3, we present our new security definition for FE, and propose an $\mathsf {LWE}$ based construction satisfying our new security. Due to the space limitation, we defer the full security proof to the full version of the paper. In Sect. 4, we give a stronger security definition for decentralized ABE and present our construction. Furthermore, we explore the relationship between decentralized ABE and (extratable) witness encryption in Sect. 5. The DDH-based constructions for FE and decentralized ABE can be found in the full version of the paper.

2 Preliminaries

Notations. We use $\lambda $ to denote security parameter throughout this paper. For an integer n, we write [n] to denote the set $\{1, \ldots , n\}$. We use bold lowercase letters to denote vectors (e.g. $\varvec{v}$) and bold uppercase letters for matrices (e.g. $\mathbf {A}$). For a vector $\varvec{v}$, we let $\Vert \varvec{v}\Vert $ denote its $\ell _{2}$ norm. The $\ell _{2}$ norm of a matrix $\mathbf {R}=\{\varvec{r}_{1},...,\varvec{r}_{m}\}$ is denoted by $\Vert \mathbf {R}\Vert = \max _{i} \Vert \varvec{r}_{i}\Vert $. The spectral norm of $\mathbf {R}$ is denoted by $\mathsf {s} _{1}(\mathbf {R})=\mathsf {sup} _{\varvec{x}\in \mathbb {R}^{m+1}}\Vert \mathbf {R}\cdot \varvec{x}\Vert $.

We say a function $\mathsf {negl} (\cdot ): \mathbb {N}\rightarrow (0,1)$ is negligible, if for every constant $c \in \mathbb {N}$, $\mathsf {negl} (n) < n^{-c}$ for sufficiently large n. For any set X, we denote by $\mathcal {P}(X)$ as the power set of X. For any $Y, Z\in \{0,1\}^{n}$, we say that $Y\subseteq Z$ if for each index $i\in [n]$ such that $Y_{i}=1$, We have $Z_{i}=1$. The statistical distance between two distributions X and Y over a countable domain D is defined to be $\frac{1}{2}\sum _{d\in D}|X(d)-Y(d)|$. We say that two distributions are statistically close if their statistical distance is negligible in $\lambda $.

A family of functions $\mathcal {H}=\{h_{i}:D\rightarrow R\}$ from a domain D to range R is called k-wise independent, if for every pairwise distinct $x_{1},...,x_{k}\in D$ and every $y_{1},..., y_{k}\in R$,

$$\mathsf {Pr}_{h\leftarrow \mathcal {H}}[h(x_{1})=y_{1}\wedge ...\wedge h(x_{k})=y_{k}]=1/|R|^{k}.$$

We briefly describe the syntax of secret sharing and the $\{0,1\}$-$\mathsf {LSSS} $ access structure, and refer the full version of the paper for further details. A secret sharing scheme consists of two algorithms as follow: $\mathsf {SS} =(\mathsf {SS}.\mathsf {Share}, \mathsf {SS}.\mathsf {Combine})$. The share algorithm $\mathsf {SS}.\mathsf {Share} $ takes input a secret message k and an access structure $\mathbb {A} $ and output a set of shares $s_{1},\dots , s_{t}$. The combine algorithm $\mathsf {SS}.\mathsf {Combine} $ takes input a subset of shares can recover the secret k if the subset satisfies the access structure $\mathbb {A} $. If not, then the secret k should remain hidden to the algorithm. Briefly speaking, if the combine algorithm just applies a linear combination over shares to recover the message, then the secret sharing scheme is called linear, or $\mathsf {LSSS} $ in brief. If the coefficients are in $\{0,1\}$, then it is called $\{0,1\}$-$\mathsf {LSSS} $. It is worthwhile pointing out that the $\{0,1\}$-$\mathsf {LSSS} $ contains a powerful class called Monotone Boolean Formula (MBF) pointed out by the work [13, 41], who showed that any MBF can be expressed as an access structure in $\{0,1\}$-$\mathsf {LSSS} $. In this work, our construction of decentralized ABE achieves the class of $\{0,1\}$-$\mathsf {LSSS} $ and thus supports any the class of MBF.

3 Adaptively Secure FE for Chosen Message Distributions

In this section, we define a new security notion of functional encryption, called adaptively secure functional encryption for chosen message distributions. This notion is a generalization of prior adaptively secure functional encryption [6]. We first propose the definition, and then construct an LWE-based scheme that achieves the security notion. Our construction modified the scheme of [6] in an essential way, and our security analysis provides significantly better parameters than the work [6]. The DDH-based construction and its security proof can be analyzed in a similar way as our LWE-based scheme.

3.1 New Security Definition

In functional encryption, a secret key $\mathsf {sk} _g$ is associated with a function g, and a ciphertext $\mathsf {ct} _x$ is associated with some input x from the domain of g. The functionality of FE requires that the decryption procedure outputs g(x), while security guarantees that nothing more than g(x) can be learned. The formal description of syntax is in the full version of the paper.

Suppose that in a functional encryption scheme, a set of messages can be chosen from two distributions, and we obtain a set of ciphertexts by encrypting each message $y_i$ using different master public keys $\mathsf {mpk} _i$. Before choosing the two message distributions, the adversary is sent a set of master public keys $\{\mathsf {mpk} _i\}_{i \in [t]}$ and can also make two kinds of queries:

Function queries: For query (f, i), obtain secret key $\mathsf {sk} _i^f$ for function f from $\mathsf {msk} _i$.
Opening queries: For query i, obtain master secret key $\mathsf {msk} _i$.

The natural restrictions we enforce here are (1) the distributions of queried function evaluations for the two message distributions remains indistinguishable, (2) the distributions of opening messages are also indistinguishable. Otherwise, there can be no security as the adversary can trivially distinguish the two message distributions. On the other hand, other additional information such as, the opening messages, queried keys, and the function values, may help the adversary to learn to distinguish the message distributions from the ciphertexts. Our new security notion – adaptively secure functional encryption for chosen message distributions, requires that the choice of the message distribution of challenger remains indistinguishable even if the adversary is given the additional information.

We formalize IND-based security definition with respect to admissible mappings. For ease of exposition, we first define the query mappings.

Definition 3.1

Let $t=t(\lambda )$ be an integer and $\mathcal {M}$ be the message space. $\{x_i\}_{i\in [t]} \in \mathcal {M}^t$ is a set of messages, and $f: \mathcal {M}\rightarrow \mathcal {K}$ be a function. We define the functions $(i,f): \mathcal {M}^{t}\rightarrow \mathcal {K}$ as $(i,f)(x_{1},...,x_{t})=f(x_{i})$, and function $(i,I): \mathcal {M}^{t}\rightarrow \mathcal {M}$ as $(i,I)(x_{1},...,x_{t})=x_{i}$.

Definition 3.2

(Admissible mappings). Let $t=t(\lambda )$ be an integer, $\mathcal {M}$ be the message space, and $\mathcal {M}_{0}, \mathcal {M}_{1}$ be two distributions over space $\mathcal {M}^{t}$. Let subsets $T_1, T_2 \subsetneq [t]$ such that $T_{2}\cap T_{1}=\emptyset $ and $|T_{2}\cup T_{1}| < t$, and let $\{k_{i}\}_{i\in T_{2}}$ be a set of integers. We say that mappings $\{(i,I)\}_{i\in T_{1}}$ and $\{(i,f_{ij})\}_{i\in T_{2}, j\in [k_{i}]}$ are admissible if it holds that

$$\begin{aligned}&\{\{(i,I)(\mathcal {M}_{0})\}_{i\in T_{1}}, \{(i,f_{ij})(\mathcal {M}_{0})\}_{i\in T_{2}, j \in [k_{i}]}\}\\ =\,&\{\{(i,I)(\mathcal {M}_{1})\}_{i\in T_{1}}, \{(i,f_{ij})(\mathcal {M}_{1})\}_{i\in T_{2}, j \in [k_{i}]}\} \end{aligned}$$

Remark 3.3

The requirement of admissible mappings is that the above two distributions are identical. We can also relax the definition by requiring the two distributions are statistically or computationally close.

We define the adaptive security of functional encryption for chosen message distributions through an experiment $\mathbf {Expt} ^\mathsf{FE}_\mathcal {A} (1^\lambda , 1^{t})$ between an adversary and challenger:

1.
Setup: For $i \in [t]$, challenger first computes $(\mathsf {mpk} _i, \mathsf {msk} _i) \leftarrow \mathsf {Setup} (1^\lambda )$, then sends $\{\mathsf {mpk} _i\}_{i \in [t]}$ to adversary $\mathcal {A} $.
2.
Query Phase I: Proceeding adaptively, adversary can make any polynomial number of queries to the oracle $\mathcal {O} (\{\mathsf {msk} _i\}_{i \in [t]}, \cdot )$ of the following two kinds:
- Function queries $(i, f_{ij})$: Challenger sends back $\mathsf {sk} _{f_{ij}} \leftarrow \mathsf {KeyGen} (\mathsf {sk} _i, f_{ij})$.
- Opening queries (i, I): Challenger sends back $\mathsf {msk} _i$.
3.
Challenge Phase: Adversary $\mathcal {A} $ sends two message distributions $\mathcal {M}_0$ and $\mathcal {M}_1$ over message space $\mathcal {M}^t$ with the restriction that any queries made in Query Phase I are admissible with respect to $(\mathcal {M}_0, \mathcal {M}_1)$ (c.f. Definition 3.2). The challenger chooses a random bit $b \in \{0,1\}$, and sends ciphertext $\{\mathsf {ct} _i = \mathsf {Enc} (\mathsf {mpk} _i, x_i)\}_{i \in [t]}$ back to adversary, where $\{x_i\}_{i \in [t]} \leftarrow \mathcal {M}_b$.
4.
Query Phase II: Adversary $\mathcal {A} $ can continue making queries as specified in Query Phase I as long as the queries are admissible.
5.
Guess: Adversary $\mathcal {A} $ outputs his guess $b'$.

We define the advantage of adversary $\mathcal {A} $ in the experiment $\mathbf {Expt} ^\mathsf{FE}_\mathcal {A} (1^\lambda , 1^{t})$ as

$$\mathbf {Adv}_\mathcal {A} (1^\lambda , 1^{t})=|\mathsf {Pr}[\mathbf {Expt} ^\mathsf{FE}_\mathcal {A} (1^\lambda , 1^{t})=1]-1/2|$$

Definition 3.4

We say a functional encryption scheme $\varPi $ is adaptively secure for chosen message distributions security if for any polynomial $t=t(\lambda )$, and any $\textsc {ppt} $ adversary $\mathcal {A} $, we have $\mathbf {Adv}_\mathcal {A} (1^\lambda , 1^{t}) \le \mathsf {negl} (\lambda )$.

3.2 Functional Encryption for Inner Products Modulo p

Agrawal et al. [6] show a construction of functional encryption for inner products modulo p assuming the hardness of LWE problem. In this section, we made some important modifications of their construction, particularly the encryption and key generation algorithms, and then show that the modified scheme satisfies our new security definition. Our modifications and new analysis provide significantly better parameters as we will discuss below. We first present the construction:

$\mathsf {Setup} (1^{n},1^{\ell } ,1^{k},p)$: Set integers $m, q=p^{e}$ for some integer e, and real numbers $\alpha , \alpha '\in (0,1)$. Randomly sample matrices $\mathbf {A}\overset{\$}{\leftarrow }\mathbb {Z}^{m\times n}_{q}$ and $\mathbf {Z}_{i}\xleftarrow {\$} \mathbb {Z}^{\ell \times m}_{p}$, for $i=1,...,k$. Compute $\mathbf {U}_{i}=\mathbf {Z}_{i}\cdot \mathbf {A}\in \mathbb {Z}^{\ell \times n}_{q}$. Output $\mathsf {mpk}:=(\mathbf {A},\{\mathbf {U}_{i}\}_{i\in [k]})$ and $\mathsf {msk}:=(\{\mathbf {Z}_{i}\}_{i\in [k]})$.
$\mathsf {KeyGen} (\mathsf {msk}, \varvec{x})$: On input a vector $\varvec{x}=(\varvec{x}_{1}, \ldots , \varvec{x}_{k}),$ where for each $i\in [k]$, $\varvec{x}_{i}\in \mathbb {Z}^{\ell }_{p}$, compute the secret key $\varvec{z}_{\varvec{x}}$ as follows. As $\varvec{x}$ is linearly independent from the key queries have been made so far modulo p, we can compute $\varvec{z}_{\varvec{x}}=\sum ^{k}_{i=1}\varvec{x}^{T}_{i}\cdot \mathbf {Z}_{i}$, and output secret key $\mathsf {sk} _{\varvec{x}} = \varvec{z}_{\varvec{x}}$.
$\mathsf {Enc} (\mathsf {mpk}, \varvec{y})$: On input $\varvec{y}=(\varvec{y}_{1},...,\varvec{y}_{k})$, where for each $i\in [k]$, $\varvec{y}_{i}\in \mathbb {Z}^{\ell }_{p}$, sample $\varvec{s} \overset{\$}{\leftarrow }\mathbb {Z}^{n}_{q}, \varvec{e}_{0} \leftarrow \mathcal {D}^{m}_{\mathbb {Z},\alpha q}$ and $\{\varvec{e}_{i}\}_{i\in [k]} \leftarrow \mathcal {D}^{\ell }_{\mathbb {Z},\alpha ' q}$ and compute
$$\varvec{c}_{0}=\mathbf {A}\cdot \varvec{s}+\varvec{e}_{0}\in \mathbb {Z}^{m}_q, \quad \varvec{c}_i = \mathbf {U}_i\cdot \varvec{s}+\varvec{e}_{i}+p^{e-1}\cdot \varvec{y}_{i}\in \mathbb {Z}^{\ell }_q, \forall i \in [k]$$
Then, output $\mathsf {ct} =(\varvec{c}_{0}, \{\varvec{c}_{i}\}_{i\in [k]})$.
$\mathsf {Dec} (\mathsf {mpk}, \mathsf {sk} _{\varvec{x}}, \mathsf {ct})$: On input $\mathsf {ct} =(\varvec{c}_{0}, \{\varvec{c}_{i}\}_{i\in [k]})$ and a secret key $\mathsf {sk} _{\varvec{x}} = \varvec{z}_{\varvec{x}}$ for $\varvec{x}=(\varvec{x}_{1}, \ldots ,\varvec{x}_{k})\in \mathbb {Z}^{k\ell }_{p}$, compute $\mu '=\sum ^{k}_{i=1}\langle \varvec{x}_{i},\varvec{c}_{i} \rangle -\langle \varvec{z}_{\varvec{x}},\varvec{c}_{0} \rangle $ and output the value $\mu \in \mathbb {Z}_{p}$ that minimizes $|p^{e-1}\cdot \mu -\mu '|$.

Decryption Correctness. Correctness derives from the following equation:

$$ \mu ' =\sum ^{k}_{i=1}\langle \varvec{x}_{i},\varvec{c}_{i} \rangle -\langle \varvec{z}_{\varvec{x}},\varvec{c}_{0} \rangle = p^{e-1}\cdot \left( \sum ^{k}_{i=1}\langle \varvec{x}_{i},\varvec{y}_{i} \rangle \bmod p \right) +\sum ^{k}_{i=1}\langle \varvec{x}_{i},\varvec{e}_{i} \rangle -\langle \varvec{z}_{\varvec{x}},\varvec{e}_{0} \rangle \bmod q $$

If the magnitude of error term $\sum ^{k}_{i=1}\langle \varvec{x}_{i},\varvec{e}_{i} \rangle -\langle \varvec{z}_{\varvec{x}},\varvec{e}_{0} \rangle $ is $\le p^{e-1}/2$ with overwhelming probability, then the correctness holds with overwhelming probability.

Parameters Setting. The parameters in Table 1 are selected in order to satisfy the following constraints. In the table below, $e,c_{1},c_{2},\delta _{1},\delta _{2},\delta $ are constants, and $\delta =\delta _{1}+\delta _{2}$

Table 1. Parameter description and simple example setting

Full size table

To ensure correctness of decryption, we require $p^{e-1}>2kp^{2}m\ell \alpha q(2\sqrt{\ell }+\sqrt{m})$.
To ensure the correctness of $\mathsf {ReRand}$ algorithm, we require $\sigma ^{*}\ge pm$.
By the property of $\mathsf {ReRand}$ algorithm, we have $\alpha ^{'}q=2\sigma ^{*}\alpha q$.
To ensure small enough reduction loss for the $\mathsf {ReRand}$ algorithm, we require $\alpha q>\sqrt{\lambda +tk^{2}\ell ^{2}\log p}$.
To ensure large enough entropy required by Claim (in full version), we require $m\ge 2k\ell +ek\ell (n+1)+3\lambda $.

Comparison with the Work [4, 6]. Our analysis shows that the scheme can support a much wider range of parameters than the analysis of Agrawal et al. [6]. For their analysis, the efficiency degrade quickly when the dimension increases, and in particular, the modulus $q \ge p^{\ell }$. This is why the work [6] sets the dimension $\ell = \varOmega (\log n)$. In our analysis, we can build a direct reduction to $\mathsf {LWE}$ (without using the intermediate extended $\mathsf {LWE}$), allowing us to choose $\mathbf {Z}_{i} \leftarrow \mathbf {U} (Z_{p}^{\ell \times m})$ (instead of using a discrete Gaussian with a very large deviation). This gives us a significant improvement over the parameters: our modulus q does not depend on $\ell $ in an exponential way, so we can set the dimension to any fixed polynomial, without increasing q significantly.

A subsequent work [4] improved the parameters significantly, yet with a tradeoff of weaker security where the adversary can only receive $\mathsf {sk} _{\varvec{x}} $ for random $\varvec{x}$’s before the challenge ciphertext and cannot issue more key queries afterwards. Their scheme [4] is useful in the setting of designing trace-and-revoke systems, but cannot be applied to the decentralized ABE where the adversary can obtain keys of his own choice, both before and after the challenge ciphertext.

Security Proof. Now we can show the following theorem that under the parameters above, the functional encryption for inner product scheme described above is adaptively secure for chosen message distributions. Due to space limit, we defer the full proof to the full version of the paper.

Theorem 3.5

Under the $\mathsf {LWE}$ assumption, the above functional encryption for inner products is adaptively secure for chosen message distributions, assuming for each $\mathsf {msk} _{i}$, the secret key queries to the $\mathsf {msk} _{i}$ are linearly independent.

Remark 3.6

The functionality of the scheme described above is inner products modulo a prime p. In [6], the authors have given an attack for the case that the secret key queries are not linearly independent modulo p but linearly independent over the integers, and they proposed a stateful key generation technique to get rid of the attack. Here we can also use a stateful key generation algorithm to remove the last assumption (i.e., linearly independent queries) in the theorem.

4 Decentralized ABE: Stronger Definition and Construction

In this section, we first describe the syntax of decentralized ABE, following the work [41], and then we define a stronger security notion. Next, we present our construction and security proof, relying on the functional encryption scheme in Sect. 3.2. We first present a basic scheme that supports smaller $\mathsf {GID} $ and message spaces (Sect. 4.2), and next we show an improved scheme that supports significantly larger spaces (Sect. 4.3).

4.1 Syntax of Decentralized ABE Scheme and Stronger Security

We first recall the syntax of decentralized ABE as defined in [41] and then present a stronger security definition. Let $\mathcal {F}$ be a function class. A decentralized ABE for $\mathcal {F}$ consists of the following algorithms:

$\mathsf {Global}. \mathsf {Setup} (1^\lambda )\rightarrow \mathsf {GP} $ The global setup algorithm takes in the security parameter $\lambda $ and outputs global parameters $\mathsf {GP} $ for the system.
$\mathsf {Authority}. \mathsf {Setup} (\mathsf {GP})\rightarrow (\mathsf {pk}, \mathsf {sk})$ Each authority runs the authority setup algorithm with $\mathsf {GP} $ as input to produce its own secret key and the public key pair $(\mathsf {sk},\mathsf {pk})$.
$\mathsf {Enc} (\mu , f, \mathsf {GP}, \{\mathsf {pk} \})\rightarrow \mathsf {ct} $ Encryption algorithm takes as inputs a message $\mu $, a function $f\in \mathcal {F}$, a set of public keys for relevant authorities, and the global parameters, and outputs a ciphertext $\mathsf {ct} $.
$\mathsf {KeyGen} (\mathsf {GID}, \mathsf {GP}, i, \mathsf {sk})\rightarrow \mathsf {k} _{i,\mathsf {GID}}$ The key generation algorithm takes as inputs an identity $\mathsf {GID} $, global parameters $\mathsf {GP} $, an attribute i, and secret key $\mathsf {sk} $ for this authority who holds the attribute. It produces a key $\mathsf {k} _{i,\mathsf {GID}}$ for this attribute-identity pair.
$\mathsf {Dec} (\mathsf {ct}, \mathsf {GP}, \{\mathsf {k} _{i,\mathsf {GID}}\})\rightarrow \mu $ The decryption algorithm takes as inputs the global parameters $\mathsf {GP} $, a ciphertext $\mathsf {ct} $, and a set of keys $\{\mathsf {k} _{i,\mathsf {GID}}\}$ corresponding to attribute-identity pairs. It outputs a message $\mu $, if the set of attributes i satisfies the policy specified by f and all the identities have the same $\mathsf {GID} $. Otherwise, it outputs $\perp $.

Definition 4.1

(Correctness). We say a decentralized ABE scheme is correct if for any $\mathsf {GP} \leftarrow \mathsf {Global}.\mathsf {Setup} (1^\lambda )$, $f\in \mathcal {F}$, message $\mu $, and $\{\mathsf {k} _{i,\mathsf {GID}}\}$ obtained from the key generation algorithm for the same identity $\mathsf {GID} $ where the attributes satisfy the policy f, we have

$$\mathsf {Pr}[\mathsf {Dec} (\mathsf {Enc} (\mu ,f,\mathsf {GP},\{pk\}), \mathsf {GP}, \{\mathsf {k} _{i,\mathsf {GID}}\})=\mu ]=1-\mathsf {negl} (\lambda ).$$

Security Definition. We define the notion of full security of decentralized ABE schemes. In our setting, the adversary can adaptively corrupt authorities, as well as making adaptive key queries. In a similar but weaker model defined in [41], the adversary can make adaptive key queries but only static corruption queries, i.e., the adversary can only corrupt parties before the global parameter is generated.

Let $t = \mathsf {poly}(\lambda )$ denote the number of authorities, and we consider parties $P_{1},P_{2}, \ldots , P_{t}$, where each party $P_{i}$ holds an attribute i. Then we define the security notion via an experiment $\mathbf {Expt} ^\mathsf{dabe}_\mathcal {A} (1^\lambda , 1^{t})$ between an adversary and the challenger:

1.
$\mathsf {Setup} $: The challenger runs $\mathsf {GP} \leftarrow \mathsf {Global}\ \mathsf {Setup} (1^\lambda )$, and then $ (\mathsf {pk} _{i}, \mathsf {sk} _{i}) \leftarrow \mathsf {Authority}\ \mathsf {Setup} (\mathsf {GP})$ for $i \in [t]$. Then the challenger sends $\left( \mathsf {GP}, \{\mathsf {pk} _{i}\}_{i \in [t]} \right) $ to the adversary, and keeps $\{\mathsf {sk} _{i}\}_{i\in [t]}$ secretly.
2.
Key Query Phase 1: Proceeding adaptively, adversary can make the two types of queries:
1. (a)
  Secret key query $(i,\mathsf {GID})$: $\mathcal {A} $ submits a pair $(i, \mathsf {GID})$ to the challenger, where i is an attribute belonging to an uncorrupted authority $P_{i}$ and $\mathsf {GID} $ is an identity. The challenger runs $\mathsf {k} _{i,\mathsf {GID}} \leftarrow \mathsf {KeyGen} (\mathsf {GID}, \mathsf {GP}, i, \mathsf {sk} _{i}) $ and forwards the adversary $\mathsf {k} _{i,\mathsf {GID}}$.
2. (b)
  Corruption query $(i,\mathsf {corr})$: $\mathcal {A} $ submits $(i,\mathsf {corr})$ to the challenger, where i is an attribute that the adversary want to corrupt. The challenger responds by giving $\mathcal {A} $ the corresponding master secret key $\mathsf {msk} _{i}$.
3.
Challenge Phase: $\mathcal {A} $ specify two messages $\mu _{0}, \mu _{1}$, and a function f, where function satisfies the following constraint. We let $\varvec{\omega }_{c}$ denote the attributes controlled by the corrupted authorities, and for each $\mathsf {GID} $ we let $\varvec{\omega }_{\mathsf {GID}}$ denote the attributes which the adversary has queried. We require that $f(\varvec{\omega }_{c},\varvec{\omega }_{\mathsf {GID}})\ne 1$ (In other words, the adversary does not hold a set of keys that allow decryption). The challenger flips a random coin $b\in \{0,1\}$ and sends the adversary an encryption of $\mu _{b}$ under f.
4.
Key Query Phase 2: The adversary can further make corruption and key queries as the $\mathsf {Key\ Query\ Phase\ 1}$, under the constraint of f as specified above.
5.
Guess: The adversary submits a guess bit $b'$, and wins if $b'=b$. The advantage of adversary in the experiment $\mathbf {Expt} ^\mathsf{dabe}_\mathcal {A} (1^\lambda ,1^{t})$ is defined as $\mathbf {Adv}_\mathcal {A} (1^\lambda )=|\mathsf {Pr}[b^{'}=b]-1/2|$.

Definition 4.2

A decentralized ABE scheme is fully secure if for any $\textsc {ppt} $ adversary $\mathcal {A} $, we have $\mathbf {Adv}_\mathcal {A} (1^\lambda )\le \mathsf {negl} (\lambda )$. The scheme is fully secure against k-bounded collusion if we further require that $\mathcal {A} $ can query at most k distinct $\mathsf {GID} $’s in the experiment.

4.2 Our Basic Construction

In the description here, we first present our basic construction of decentralized ABE for $\{0,1\}$-$\mathsf {LSSS} $. The basic construction can only support $\mathsf {GID} \in \mathbf {GF}(p)$ for some fixed prime p, and the message space is also $\mathbf {GF}(p)$. Next we show how to extend the $\mathsf {GID} $ domain to $\mathbf {GF}(p^{\ell })$ by using the field extension technique.

Our construction uses the following building blocks: (1) a $\{0,1\}$-$\mathsf {LSSS} $ scheme $\mathsf {SS} $, and (2) a fully secure functional encryption for inner product modulo p, denoted as $\mathsf {FEIP}$. We can instantiate the $\{0,1\}$-$\mathsf {LSSS} $ as definition in [13], and the $\mathsf {FEIP}$ as the construction in Sect. 3.2. Then we define our construction $\varPi = (\mathsf {Global}.\mathsf {Setup}, \mathsf {Authority}.\mathsf {Setup}, \mathsf {Enc}, \mathsf {KeyGen}, \mathsf {Dec})$ as follows:

$\mathsf {Global}.\mathsf {Setup} (1^\lambda )$: On input security parameter $\lambda $, the global setup algorithm sets $k = k(\lambda )$ to denote the collusion bound of the scheme and $t = t(\lambda )$ to denote the number of associated attributes. The global setup algorithm also sets an integer $n=n(\lambda )$ and a prime number $p=p(\lambda )$. It outputs $\mathsf {GP} = (k, t, n, p)$ as the global parameter.
$\mathsf {Authority}.\mathsf {Setup} (\mathsf {GP})$: On input $\mathsf {GP} $, for any attribute i belonged to the authority, the authority runs the algorithm $\mathsf {FEIP}.\mathsf {Setup} (1^{n},1^{\ell }, 1^{k}, p)$ to generate $\mathsf {FEIP}.\mathsf {mpk} _{i}$ and $\mathsf {FEIP}.\mathsf {msk} _{i}$. Then output $\mathsf {pk} =\{\mathsf {FEIP}.\mathsf {mpk} _{i}\}$ as its public key, and keep $\mathsf {sk} =\{\mathsf {FEIP}.\mathsf {msk} _{i}, \forall i\}$ as its secret key. (In the basic scheme, $\ell $ is set to 1.)
$\mathsf {Enc} (\mu , (\mathbf {A}, \rho ), \mathsf {GP}, \{\mathsf {pk} \})$: On input a message $\mu \in \mathbb {Z}_{p}$, an access matrix $\mathbf {A}\in \mathbb {Z}^{t \times d}_{p}$ with $\rho $ mapping its row number x to attributes, the global parameters $\mathsf {GP} $, and the public keys $\{\mathsf {FEIP}.\mathsf {mpk} _{i}\}$ of the relevant authorities. The encryption algorithm invokes k times $\{0,1\}\text {-} \mathsf {LSSS} $ for secret space $\mathcal {K}=\mathbb {Z}_{p}$ to generate:
$$(u_{1,1},...u_{1,t})\leftarrow \mathsf {SS}.\mathsf {Share} (\mu , \mathbf {A}), $$

$$(u_{i,1},...u_{i,t})\leftarrow \mathsf {SS}.\mathsf {Share} (0, \mathbf {A}), \forall i \in [2,k].$$
For each $(u_{1,x},...,u_{k,x})\in \mathbb {Z}^{k}_{p}, x \in [t]$ it generates
$$\mathsf {FEIP}.\mathsf {ct} _{\rho (x)}\leftarrow \mathsf {FEIP}.\mathsf {Enc} (\mathsf {FEIP}.\mathsf {mpk} _{\rho (x)},(u_{1,x},...,u_{k,x})).$$
The ciphertext is $\mathsf {ct} =( \{\mathsf {FEIP}.\mathsf {ct} _{\rho (x)}\}_{x=1,...t})$.
$\mathsf {KeyGen} (\mathsf {GID}, i, \mathsf {sk}, \mathsf {GP})$: On inputs attribute i, global identifier $\mathsf {GID} \in \mathbb {Z}_p$, secret key $\mathsf {sk} $ and global parameter $\mathsf {GP} $, the algorithm sets $\varvec{\mathsf {GID}}= (1,\mathsf {GID},...,\mathsf {GID} ^{k-1})$ and computes
$$\mathsf {FEIP}.\mathsf {sk} _{i,\mathsf {GID}}\leftarrow \mathsf {FEIP}.\mathsf {KeyGen} (\mathsf {FEIP}.\mathsf {msk} _{i},\varvec{\mathsf {GID}}),$$
and outputs $\mathsf {k} _{i,\mathsf {GID}}=\mathsf {FEIP}.\mathsf {sk} _{i,\mathsf {GID}}$.
$\mathsf {Dec} (\{\mathsf {k} _{i,\mathsf {GID}}\}, \mathbf {A}, \mathsf {ct}, \mathsf {GP})$: On input secret keys $\{\mathsf {k} _{\rho (x),\mathsf {GID}}\}$, the access matrix $\mathbf {A}$, ciphertext $\mathsf {ct} $ and global parameter $\mathsf {GP} $, the decryptor first checks if $(1,0, \ldots , 0)$ is in the span of the rows $\{\mathbf {A}_x\}$. If not, the algorithm outputs $\bot $. Otherwise, it computes
$$\eta _{\rho (x)}=\mathsf {FEIP}.\mathsf {Dec} \left( \mathsf {FEIP}.\mathsf {sk} _{\rho (x),\mathsf {GID}}, \mathsf {FEIP}.\mathsf {ct} _{\rho (x)} \right) \text { for each } \rho (x),$$
and outputs $\eta = \mathsf {SS}.\mathsf {Combine} (\{\eta _{\rho (x)}\})$.

Remark 4.3

We note that for any distinct k GID’s, $\mathsf {GID} _{1},\dots , \mathsf {GID} _{k}$, the vectors $ \left\{ \varvec{\mathsf {GID}}_{i} = (1,\mathsf {GID} _{i},...,\mathsf {GID} ^{k\!-\!1}_{i}) \right\} _{i\in [k]} $ are linearly independent. In our construction above, each $\mathsf {GID} \in \mathbb {Z}_{p}$ and the vectors can be expressed as a Vandermonde matrix $\mathbf {X}=\begin{bmatrix} 1&\ldots&1\\ x_{1}&\ldots&x_k \\ \vdots&\ddots&\vdots \\ x^{k\!-\!1}_{1}&\ldots&x^{k\!-\!1}_{k} \end{bmatrix}$, which is full-rank if the elements $\{x_{i}\}_{i\in [k]}$ are distinct. Therefore, for any less than k distinct GID’s, the key queries for these GID’s are linearly independent.

Correctness. We show that the scheme above is correct. By correctness of the fully secure functional encryption scheme $\mathsf {FEIP}$, we have that for each $\rho (x)$,

$$\eta _{\rho (x)}=u_{1,\rho (x)}+\sum ^{k-1}_{j=1}u_{j+1,\rho (x)}\mathsf {GID} ^{j} \bmod p.$$

Since $(u_{1,1},...u_{1,t})$ is secret sharing of message $\mu $, and $\{(u_{i,1},...u_{i,t})\}_{i = 2}^k$ is secret sharing of 0, then by correctness of $\{0,1\}\text {-} \mathsf {LSSS} $ scheme, we have that $\eta =\mu \bmod p$. This proves correctness.

Parameter Setting. We can instantiate the scheme $\mathsf {FEIP}$ (c.f. Sect. 3.2) by setting $n=\lambda $, $\ell =1$, $k=\mathsf {poly}(\lambda )$, $t=\mathsf {poly}(\lambda )$ and $p=\mathsf {poly}(\lambda )$, and obtain a decentralized ABE with both the message space and $\mathsf {GID} $ space being $\mathbb {Z}_{p}$. In summary, our basic scheme can support any fixed $\mathsf {poly}(\lambda )$ $\mathsf {GID} $ and message spaces, against any fixed $\mathsf {poly}(\lambda )$ bounded collusion.

Security Proof. Next we prove security of the above scheme in the following theorem.

Theorem 4.4

Assuming that $\mathsf {FEIP}$ is a functional encryption for inner products and $\mathsf {FEIP}$ is adaptively secure for chosen message distributions, and $\mathsf {SS} $ is a $\{0,1\}\text {-} \mathsf {LSSS} $, the decentralized ABE construction $\varPi $ described above is fully secure against $k-1$ bounded collusion.

Proof

We prove the theorem by reduction. Assume that there exists an adversary $\mathcal {A} $ who breaks the scheme with some non-negligible advantage $\epsilon $, then we can construct a reduction $\mathcal {B} $ that breaks the security of $\mathsf {FEIP}$. Given an adversary $\mathcal {A} $, we define $\mathcal {B} $ as follows:

1.
$\mathcal {B} $ first receives $\{\mathsf {mpk} _{i}\}$ from its challenger, and forwards $\{\mathsf {mpk} _{i}\}$ to $\mathcal {A} $.
2.
$\mathcal {B} $ runs $\mathcal {A} $ to simulate the $\mathsf {Key\ Query\ Phase\ 1}$ of the ABE security game. In each round, $\mathcal {B} $ may receive either a corruption query (i, I) or a key query $(\mathsf {GID}, i)$.
- Upon receiving a query $(\mathsf {GID}, i)$, $\mathcal {B} $ makes a key query $\big ((1,\mathsf {GID},...,\mathsf {GID} ^k),i \big ) $ to its challenger, and receives $\mathsf {k} _{i,\mathsf {GID}}$. $\mathcal {B} $ forward $\mathcal {A} $ with the key.
- Upon receiving a query $(i,\mathsf {corr})$, $\mathcal {B} $ make a query (i, I) to the challenger and receives $\mathsf {msk} _{i}$. $\mathcal {B} $ just sends $\mathcal {A} $ $\mathsf {msk} _{i}$.
$\mathcal {B} $ continue to run this step until $\mathcal {A} $ makes the challenge query.
3.
Upon receiving $\mathcal {A} $’s challenge query, which contains an access structure $\mathbb {A} $ and two messages $\mu _{0}, \mu _{1}\in \mathbb {Z}_{p}$, $\mathcal {B} $ first checks whether all the key queries satisfy the constraint of the security game of decentralized ABE. (This can be efficiently checked in our setting). If not, $\mathcal {B} $ aborts the game and outputs a random guess. Otherwise, $\mathcal {B} $ defines two distributions $\mathcal {M}_{0}$ and $\mathcal {M}_{1}$ as follows. For $b\in \{0,1\}$, $\mathcal {M}_{b}$ is defined as the distribution that first samples k times of the $\{0,1\}$-$\mathsf {LSSS} $ procedure
$$(u^{(b)}_{1,1},...u^{(b)}_{1,t}) \leftarrow \mathsf {SS}.\mathsf {Share} (\mu _{b}, \mathbf {A})$$

$$(u^{(b)}_{i,1},...u^{(b)}_{i,t})\leftarrow \mathsf {SS}.\mathsf {Share} (0, \mathbf {A}), \forall i \in [2,k].$$
Then $\mathcal {M}_{b}$ outputs:
$$\left( (u^{(b)}_{1,1},...,u^{(b)}_{k,1} ),...,(u^{(b)}_{1,t},...,u^{(b)}_{k,t} ) \right) .$$
$\mathcal {B} $ sends the descriptions of $\mathcal {M}_{0},\mathcal {M}_{1}$ (which can be succinctly described, e.g., $(\mu _{b}, \mathbf {A})$) to the challenger, and then $\mathcal {B} $ forwards $\mathcal {A} $ the challenge ciphertext received from the external $\mathsf {FEIP}$ challenger.
4.
$\mathcal {B} $ simulates the $\mathsf {Key\ Query\ Phase\ 2}$ in the same way as Step 2.
5.
Finally $\mathcal {B} $ outputs $\mathcal {A} $’s guess $b'$.

Next we are going to analyze the reduction $\mathcal {B} $. Since $\mathcal {B} $ perfectly emulates the $\mathsf {FEIP}$ security game for $\mathcal {A} $, $\mathcal {B} $’s advantage is the same as $\mathcal {A} $’s, assuming the queries are admissible in the $\mathsf {FEIP}$ security game. Therefore, it suffices to prove the theorem by showing that the queries made by $\mathcal {B} $ are admissible.

The assumption of the theorem requires that $\mathcal {A} $ can query at most $k-1$ different $\mathsf {GID} $’s for each $\mathsf {msk} _{i}$. Let $T_{1}$ be the set that $\mathcal {B} $ (and also $\mathcal {A} $ as well) makes corruption queries, and $k_{i}$ be the number of secret key queries that $\mathcal {B} $ makes to $\mathsf {msk} _{i}$. Then we need to show that the two distributions defined below are identical, i.e., $\mathcal {D}_{0} = \mathcal {D}_{1}$, where

$$ D_{b} = \left\{ \left\{ (i,I)(\mathcal {M}_{b}) \right\} _{i\in T_{1}}, \left\{ (i,\varvec{x}_{ij})(\mathcal {M}_{b}) \right\} _{i\in T_{2}, j \in [k_{i}]} \right\} , $$

where $\varvec{x}_{ij}=(1,\mathsf {GID} _{ij},...\mathsf {GID} ^{k-1}_{ij})$, $T_{1}$ is the set $\mathcal {B} $ corrupts, and $T_{2}$ is the set that $\mathcal {B} $ makes key queries but does not corrupt.

We note that, for an opening query (i, I), $(i,I) (\mathcal {M}_{b}) = \left( u^{(b)}_{1,i},...,u^{(b)}_{k,i} \right) $ can be viewed as coefficients of the polynomial $P_{i}(x) =u^{(b)}_{1,i}+\sum ^{k}_{j=2}u^{(b)}_{j,i}\cdot x^{j-1} \mod p).$ By the property of Lagrange interpolation formula, the coefficients of a polynomial P(x) of degree k can be uniquely determined given $P(x_{1}), \dots , P(x_{k})$ for any distinct $(x_{1},\dots , x_{k})$. This implies that $(i,I)(\mathcal {M}_{b})$ can be simulated by $\{ (i, \varvec{\mathsf {GID}}_{ij}) (\mathcal {M}_{b}) \}_{j\in [k]}$ for any distinct $\{\mathsf {GID} _{ij}\}_{j\in [k]}$, where $\varvec{\mathsf {GID}}= (1,\mathsf {GID}, \dots , \mathsf {GID} ^{k-1})$. Therefore, it is without loss of generality to assume that $D_{b}$ only contains information of the form $\{(i,\varvec{\mathsf {GID}}_{ij})(\mathcal {M}_{b}) \}$.

As we argue above, all queries are of the form $ (i, \varvec{x}_{ij})$, so we can re-write the queries in $D_{b}$ as $\{q_{1}, \dots , q_{n} \}$, where each $q_{j}$ is of the form $(i, \varvec{x})$. Denote $\{q_{1}, \dots , q_{n} \}$ as $\overrightarrow{\varvec{q}}$, and then we can further re-write $D_{b}$ as $\overrightarrow{\varvec{q}} (\mathcal {M}_{b})$. Now it suffices to show that for every admissible $\overrightarrow{\varvec{q}}$ and possible values $\varvec{z}$,

$$\mathsf {Pr}[\overrightarrow{\varvec{q}}(\mathcal {M}_{0})=\varvec{z}]=\mathsf {Pr}[\overrightarrow{\varvec{q}}(\mathcal {M}_{1})=\varvec{z}].$$

$\mathsf {Pr}[\overrightarrow{\varvec{q}}(\mathcal {M}_{b})=\varvec{z}]$ can be expanded as

$$\begin{aligned}&\mathsf {Pr}[\overrightarrow{\varvec{q}}(\mathcal {M}_{b})=\varvec{z}]\\ =\,&\mathsf {Pr}[q_{1}(\mathcal {M}_{b})=z_{1}]\cdot \mathsf {Pr}[q_{2}(\mathcal {M}_{b})=z_{2}|q_{1}(\mathcal {M}_{b})=z_{1}]\cdot \cdot \cdot \\&\mathsf {Pr}[q_{n}(\mathcal {M}_{b})=z_{n}|q_{1}(\mathcal {M}_{b})=z_{1}\wedge ...\wedge q_{n-1}(\mathcal {M}_{b})=z_{n-1}]. \end{aligned}$$

We first observe that the message distribution $\mathcal {M}_{b} = \Big ( (u^{(b)}_{1,1},...,u^{(b)}_{k,1} ),...,(u^{(b)}_{1,t}, ...,u^{(b)}_{k,t} ) \Big )$ can be viewed as coefficients of t degree-k polynomials $\left( P_{1}(x),\dots , P_{t}(x) \right) $. Since the marginal distribution of $ (u^{(b)}_{1,i},...,u^{(b)}_{k,i} )$ is uniformly random by the $\{0,1\}$-$\mathsf {LSSS} $ property, the marginal distribution of any polynomial $P_{i}$ is uniform, i.e., a random degree-k polynomial in $\mathbb {Z}_{p}$. Therefore, $\mathsf {Pr}[q_{1}(\mathcal {M}_{b}) = x_{1}] = 1/p$, independent of b.

Next we will show that for any $j\in [n]$,

$$ \mathsf {Pr}\left[ q_{j}(\mathcal {M}_{b}) = z_{j} \ | \ q_{j-1} (\mathcal {M}_{b}) = z_{j-1} \wedge \dots \wedge q_{1} (\mathcal {M}_{b}) = z_{1} \right] =1/p, $$

assuming $q_{1}, \dots , q_{j}$ are admissible.

To prove this, we first set up some notations. We assume that $\mathsf {GID} _{1}, \dots , \mathsf {GID} _{k-1}$ are the identifiers queried by the adversary. If the adversary corrupts some $\mathsf {msk} _{i}$, then he will further learn $P_{i}(\mathsf {GID} _{k})$ (for another $\mathsf {GID} _{k}$) in addition to $P_{i}(\mathsf {GID} _{1}), \dots , P_{i}(\mathsf {GID} _{k-1})$. We assume that $q_{j} = (i, \varvec{\mathsf {GID}}_{r})$ for some $i\in [t], r\in [k]$. Let S be an arbitrary maximal invalid set that includes all v’s with $(v, \varvec{\mathsf {GID}}_{r})$ belongs to the queries $\{q_{1},\dots , q_{j}\}$, according to the access structure $\mathbb {A} $, i.e. $\{v: (v,\varvec{\mathsf {GID}}_{r}) \in \{q_{1},\dots ,q_{j}\}\} \subseteq S$. Since the queries are admissible, such a set S always exists.

By the privacy guarantee of the $\mathsf {LSSS} $, we know the distributions of the polynomials $P_{1}(x),\dots , P_{t}(x)$ generated in the encryption algorithm is identical to the following process:

For every $v \in S$, sample $P_{v}(x)$ (the coefficients) uniformly and independently at random.
For every $v\notin S$, set $P_{v}(x) = \mu _{b} - \sum _{w \in \varGamma _{v}} P_{w}(x)$, where $\varGamma _{v} \subseteq S$ is the reconstruction set that can be efficiently determined given $(v,\mathbb {A})$.

Next, we observe the following facts:

1.
Since $P_{i}(x)$ is a random polynomial (the marginal distribution), we know that the (marginal) distribution $P_{i}(\mathsf {GID} _{r})$ is uniformly random even conditioned on all $\{P_{i}(\mathsf {GID} _{w}) \}_{w\in [k] \setminus \{r\}}$ (as a random degree k polynomial is k-wise independent).
2.
From the above sampling procedure, we know that $P_{i}(x)$ is independent of $\{P_{v}(x)\}_{v\in S\setminus \{i\}}$.
3.
From the above two facts, we know that the (marginal) distribution $P_{i}(\mathsf {GID} _{r})$ is still uniformly random even further conditioned on $\{P_{v}(x)\}_{v\in S\setminus \{i\}}$ and $\{P_{i}(\mathsf {GID} _{w})\}_{w\in [k] \setminus \{r\}}$.
4.
For every $v\notin S$, $w\in [k] \setminus \{r\}$, $P_{v}(\mathsf {GID} _{w})$ can be deterministically obtained given the information $\{P_{v}(x)\}_{v\in S\setminus \{i\}}$ and $\{P_{i}(\mathsf {GID} _{w})\}_{w\in [k] \setminus \{r\}}$. This implies that the conditional distribution $P_{i}(\mathsf {GID} _{r})$ is uniform even further given $\{P_{v} (\mathsf {GID} _{w})\}_{v\in [t] \setminus S, w \in [k]\setminus \{r\}}$ in addition to $\{P_{v}(x)\}_{v\in S\setminus \{i\}}$ and $\{P_{i}(\mathsf {GID} _{w})\}_{w\in [k] \setminus \{r\}}$.

It is not hard to see that the information of $q_{1} (\mathcal {M}_{b}), \dots , q_{j-1} (\mathcal {M}_{b})$ can be obtained given $\{P_{v} (\mathsf {GID} _{w})\}_{v\in [t] \setminus S, w \in [k]\setminus \{r\}}$, $\{P_{v}(x)\}_{v\in S\setminus \{i\}}$, and $\{P_{i}(\mathsf {GID} _{w})\}_{w\in [k] \setminus \{r\}}$. Therefore, we have showed: for any $j\in [n]$,

$$ \Pr \left[ q_{j}(\mathcal {M}_{b}) = z_{j} \ | \ q_{j-1} (\mathcal {M}_{b}) = z_{j-1} \wedge \dots \wedge q_{1} (\mathcal {M}_{b}) = z_{1} \right] =1/p. $$

Then we can conclude that

$$\begin{aligned}&\mathsf {Pr}[\overrightarrow{\varvec{q}}(\mathcal {M}_{0})=\varvec{x}]\\ =\,&\mathsf {Pr}[q_{1}(\mathcal {M}_{0})=x_{1}]\cdot \mathsf {Pr}[q_{2}(\mathcal {M}_{0})=x_{2}|q_{1}(\mathcal {M}_{0})=x_{1}]\cdot \cdot \cdot \\&\mathsf {Pr}[q_{n}(\mathcal {M}_{0})=x_{n}|q_{1}(\mathcal {M}_{0})=x_{1}\wedge ...\wedge q_{n-1}(\mathcal {M}_{0})=x_{n-1}]\\ =\,&\mathsf {Pr}[q_{1}(\mathcal {M}_{1})=x_{1}]\cdot \mathsf {Pr}[q_{2}(\mathcal {M}_{1})=x_{2}|q_{1}(\mathcal {M}_{1})=x_{1}]\cdot \cdot \cdot \\&\mathsf {Pr}[q_{n}(\mathcal {M}_{1})=x_{n}|q_{1}(\mathcal {M}_{1})=x_{1}\wedge ...\wedge q_{n-1}(\mathcal {M}_{1})=x_{n-1}]\\ =\,&\mathsf {Pr}[\overrightarrow{\varvec{q}}(\mathcal {M}_{1})=\varvec{x}]. \end{aligned}$$

This proves that all the queries $\mathcal {B} $ makes during the game are admissible. This means that $\mathcal {B} $ is a legal adversary in the security game of $\mathsf {FEIP}$. Since $\mathcal {B} $ also perfect simulates the challenger of $\mathcal {A} $, the advantage of $\mathcal {B} $ is the same as the advantage of $\mathcal {A} $, a non-negligible quantity. This reaches a contraction, and completes the proof. $\square $

4.3 An Improved Construction for Large Spaces

We can modify our basic construction so that it can support significantly lager $\mathsf {GID} $ and message spaces, using the technique of finite field extension to $\mathbf {GF}(p^{\ell })$ for some $\ell $. In more detail, we consider the embedding technique described in the work [45, 56]. Intuitively, we can compute $\mathbf {GF}(p^{\ell })$ field operations via projecting $\mathbf {GF}(p^{\ell })$ elements to $\mathbb {Z}_{p}^{\ell }$ (and $\mathbb {Z}_{p}^{\ell \times \ell }$), and thus, the field operations can be supported by our $\mathsf {FEIP}$ scheme.

Let $p\in \mathbb {N}$ be a prime, $\ell \in \mathbb {N}$, and let f(x) be a monic irreducible polynomial in $\mathbb {Z}_{p}$ of degree $\ell $. Then we define $R =\mathbb {Z}_{p}[X]/\langle f(x) \rangle $, and note that R is isomorphic to $\mathbf {GF}(p^{\ell })$ as p is a prime and f(x) is an irreducible polynomial of degree $\ell $. We will use R as the representation of $\mathbf {GF}(p^{\ell })$.

We then define two mappings $\phi : R\rightarrow \mathbb {Z}^{\ell }_{p}$ and $\mathsf {Rot}: R\rightarrow \mathbb {Z}^{\ell \times \ell }_{p}$ by

$$\phi : \theta =a_{1}+a_{2}x+...+a_{\ell }x^{\ell -1}\mapsto (a_{1},...,a_{\ell })^{\top },$$

$$\mathsf {Rot}: \theta =a_{1}+a_{2}x+...+a_{\ell }x^{\ell -1}\mapsto \left[ \phi (\theta ) \phi (\theta x)...\phi (\theta x^{\ell -1}) \right] .$$

We note that $\mathsf {Rot} (\theta )\cdot \phi (\vartheta )=\phi (\theta \vartheta )$, $\mathsf {Rot} (\theta )\cdot \mathsf {Rot} (\vartheta )=\mathsf {Rot} (\theta \vartheta )$, and $\mathsf {Rot} (\theta )+\mathsf {Rot} (\vartheta )=\mathsf {Rot} (\theta +\vartheta )$. This means that $\mathsf {Rot} $ is a ring-homomorphism from R to $\mathbb {Z}^{\ell \times \ell }_{p}$. If $\theta \ne \theta ^{'}\in \mathbf {GF}(p^{\ell })$, then $\mathsf {Rot} (\theta )-\mathsf {Rot} (\theta ^{'})=\mathsf {Rot} (\theta -\theta ^{'})\ne 0$.

Now we present our modified construction $\varPi = (\mathsf {Global}. \mathsf {Setup}, \mathsf {Authority}. \mathsf {Setup}, \mathsf {Enc}, \mathsf {KeyGen}, \mathsf {Dec})$:

$\mathsf {Global}.\mathsf {Setup} (1^\lambda )$: On input the security parameter $\lambda $, the global setup algorithm sets $k = k(\lambda )$ to denote the collusion bound of our scheme and $t = t(\lambda )$ to denote the number of associated attributes. The global setup algorithm also sets $n=n(\lambda )$, $\ell =\ell (\lambda )$ and $p=p(\lambda )$ to denote the input parameters of $\mathsf {FEIP}.\mathsf {Setup} $. It outputs $\mathsf {GP} = (k, t, n, \ell , p)$ as the global parameter, and sets both the $\mathsf {GID} $ and message spaces as $\mathbf {GF}(p^{\ell })$.
$\mathsf {Authority}.\mathsf {Setup} (\mathsf {GP})$: On input $\mathsf {GP} $, for attribute i belonged to the authority, the authority runs the algorithm $\mathsf {FEIP}.\mathsf {Setup} (1^n,1^\ell ,1^{k},p)$ to generate $\mathsf {FEIP}.\mathsf {mpk} _{i}$ and $\mathsf {FEIP}.\mathsf {msk} _{i}$. Then output $\mathsf {pk} =\{\mathsf {FEIP}.\mathsf {mpk} _{i}\}$ as its public key, and keep $\mathsf {sk} =\{\mathsf {FEIP}.\mathsf {msk} _{i}, \forall i\}$ as its secret key.
$\mathsf {Enc} (\mu , (\mathbf {A}, \rho ), \mathsf {GP}, \{\mathsf {pk} \})$: On input a message $\mu \in \mathbf {GF}(p^\ell )$, an access matrix $\mathbf {A}\in \mathbf {GF}(p^\ell )^{t \times d}$ with $\rho $ mapping its row number x to attributes, the global parameters $\mathsf {GP} $, and the public keys $\{\mathsf {FEIP}.\mathsf {mpk} _{i}\}$ of the relevant authorities. The encryption algorithm invokes k times $\{0,1\}\text {-} \mathsf {LSSS} $ over secret space $\mathbf {GF}(p^\ell )$ to generate
$$( u_{1,1},... u_{1,t})\leftarrow \mathsf {SS}.\mathsf {Share} (\mu , \mathbf {A}),$$

$$( u_{i,1},... u_{i,t})\leftarrow \mathsf {SS}.\mathsf {Share} (0, \mathbf {A}), \forall i \in [2,k],$$
For each $( u_{1,x},..., u_{k,x})\in \mathbf {GF}(p^\ell )^{k}, x \in [t]$, the encryption algorithm first computes:
$$(\varvec{u}_{1,x},...,\varvec{u}_{k,x})\leftarrow \phi ( u_{1,x},..., u_{k,x}),$$
and then generates
$$\mathsf {FEIP}.\mathsf {ct} _{\rho (x)}\leftarrow \mathsf {FEIP}.\mathsf {Enc} (\mathsf {FEIP}.\mathsf {mpk} _{\rho (x)},(\varvec{u}_{1,x},...,\varvec{u}_{k,x})).$$
The ciphertext is $\mathsf {ct} =(\{\mathsf {FEIP}.\mathsf {ct} _{\rho (x)}\}_{x=1,...t})$.
$\mathsf {KeyGen} (\mathsf {GID}, i, \mathsf {sk}, \mathsf {GP})$: On input attribute i, global identifier $\mathsf {GID} \in \mathbf {GF}(p^{\ell })$, secret key $\mathsf {sk} $ and global parameters $\mathsf {GP} $. To generate a key for $\mathsf {GID} $ for attribute i belonging to an authority, the authority first computes k elements $\mathsf {GID} ^{j}\in \mathbf {GF}(p^{\ell }), \forall j\in [k - 1]$, then computes $\mathsf {Rot} (\mathsf {GID} ^{j}), \forall j\in [k - 1]$, and denotes the column vectors of $\begin{bmatrix} \mathbf {I}\\ \mathsf {Rot} (\mathsf {GID})\\ \vdots \\ \mathsf {Rot} (\mathsf {GID} ^{k-1}) \end{bmatrix}$ to be $\{\varvec{g}_{j}\}_{j\in \ell }$, where $\mathbf {I}$ is the identity matrix in $\mathbb {Z}^{\ell \times \ell }_{p}$, finally sets
$$\mathsf {FEIP}.\mathsf {sk} ^{(j)}_{i,\mathsf {GID}}\leftarrow \mathsf {FEIP}.\mathsf {KeyGen} \left( \mathsf {FEIP}.\mathsf {msk} _{i},\varvec{g}_{j}, \mathsf {rand}_{i} \right) , \forall j \in [\ell ].$$
Outputs $\mathsf {k} _{i,\mathsf {GID}}=\{\mathsf {FEIP}.\mathsf {sk} ^{(j)}_{i,\mathsf {GID}}\}_{j\in [\ell ]}$.
$\mathsf {Dec} (\{\mathsf {k} _{i,\mathsf {GID}}\}, \mathbf {A}, \mathsf {ct}, \mathsf {GP})$: On input secret keys $\{\mathsf {k} _{\rho (x),\mathsf {GID}}\}$, the access matrix $\mathbf {A}$, ciphertext $\mathsf {ct} $ and global parameters $\mathsf {GP} $, the decryptor first checks if $(1,0, \ldots , 0)$ is in the span of the rows $\{\mathbf {A}_x\}$ or not. If not, the algorithm outputs $\bot $. Otherwise, it computes
$$\eta ^{(j)}_{\rho (x)}=\mathsf {FEIP}.\mathsf {Dec} \left( \mathsf {FEIP}.\mathsf {sk} ^{(j)}_{\rho (x),\mathsf {GID}}, \mathsf {FEIP}.\mathsf {ct} _{\rho (x)} \right) , \forall j \in [\ell ], \text { for each } \rho (x),$$
and sets $\varvec{\eta }_{\rho (x)}=\left( \eta ^{(1)}_{\rho (x)},...,\eta ^{(\ell )}_{\rho (x)} \right) $, $\theta _{\rho (x)} = \phi ^{-1}(\varvec{\eta }_{\rho (x)})$, then outputs $\theta = \mathsf {SS}.\mathsf {Combine} (\{\theta _{\rho (x)}\})$.

Correctness. By correctness of the scheme $\mathsf {FEIP}$, we have that for each $\rho (x)$,

$$\begin{aligned} \varvec{\eta }_{\rho (x)}&=\varvec{u}_{1,\rho (x)}+\sum ^{k-1}_{j=1}\varvec{u}_{j\!+\!1,\rho (x)}\mathsf {Rot} (\mathsf {GID} ^{j}) (\mathrm {mod}\ p)\\&=\phi (u_{1,\rho (x)}+\sum ^{k-1}_{j=1}u_{j\!+\!1,\rho (x)}\mathsf {GID} ^{j}). \end{aligned}$$

Then $\theta _{\rho (x)}=u_{1,\rho (x)}+\sum ^{k-1}_{j=1}u_{j\!+\!1,\rho (x)}\mathsf {GID} ^{j}$. By correctness of the $\{0,1\}\text {-} \mathsf {LSSS} $ scheme over $\mathbf {GF}(p^{\ell })$, we have that $\theta =\mu .$ This proves correctness.

Parameters. We can instantiate the scheme $\mathsf {FEIP}$ (c.f. Sect. 3.2) by setting $n=\lambda $, $\ell =\mathsf {poly}(\lambda )$ $k=\mathsf {poly}(\lambda )$, $t=\mathsf {poly}(\lambda )$ and $p=\mathsf {poly}(\lambda )$, and obtain a decentralized ABE with both the message space and $\mathsf {GID} $ space being $\mathbf {GF}(p^{\ell })$. In summary, our modified scheme can support exponential-sized $\mathsf {GID} $ and message spaces, against any fixed $\mathsf {poly}(\lambda )$ bounded collusion.

Security. Security of the modified scheme can be proven in the same way as our basic scheme, as the only difference is the underlying finite field. We note that the analysis that the distributions $D_{b}$ are identical in the proof of Theorem 4.4 works for any underlying finite field (either $\mathbb {Z}_{p}$ or $\mathbf {GF}(p^{\ell })$), so the analysis can be carried to the modified scheme straightforwardly. To avoid repetition, we just state the theorem as follow.

Theorem 4.5

Assume that $\mathsf {FEIP}$ is a functional encryption for inner products that is adaptively secure for chosen message distributions, and $\mathsf {SS} $ is a $\{0,1\}\text {-} \mathsf {LSSS} $ over $\mathbf {GF}(p^{\ell })$. Then the scheme $\varPi $ above is a fully secure decentralized ABE against $k-1$ bounded collusion for $\{0,1\}$-$\mathsf {LSSS} $ over $\mathbf {GF}(p^{\ell })$.

Combining Theorem 4.5 and the instantiation by Theorem 3.5, we obtain the following corollary:

Corollary 4.6

Assume the LWE assumption. Then there exits a decentralized ABE that is fully secure against $k-1$ bounded collusion for any polynomial k, for the function class $\{0,1\}$-$\mathsf {LSSS} $ over $\mathbb {Z}_{p}$ for any polynomial prime p. The scheme supports exponential-sized $\mathsf {GID} $ and message spaces.

5 Witness Encryption and Decentralized ABE

In this section, we discuss the relation between decentralized ABE and witness encryption, which is introduced by Garg et al. [28]. We first recall the syntax of witness encryption and its security, after that we give a construction of witness construction for NP language using decentralized ABE for general circuits, and then show that extractable witness encryption implies decentralized ABE for general circuits.

5.1 Witness Encryption

We recall the syntax of WE introduced by Garg et al. [28], and also the extractability security defined by Goldwasser et al. [29]. A witness encryption scheme for an NP language L (with corresponding witness relation R) consists of algorithms $\varPi = (\mathsf {Enc}, \mathsf {Dec})$:

$\mathsf {Enc} (1^\lambda , x, \mu )$: On input the security parameter $\lambda $, an unbounded-length string x, and a message $\mu \in \{0,1\}$, the encryption algorithm outputs a ciphertext $\mathsf {ct} $.
$\mathsf {Dec} (\mathsf {ct}, w)$: On input a ciphertext and an unbounded-length string w, the decryption algorithm outputs a message $\mu $ or a special symbol $\bot $.

Definition 5.1

(Witness Encryption). We say $\varPi $ described above is a witness encryption, if it satisfies:

Correctness: For any security parameter $\lambda $, any $\mu \in \{0,1\}$, and $x \in L$ such that $R(x, w) = 1$, we have that
$$\mathsf {Pr}[\mathsf {Dec} (\mathsf {Enc} (1^\lambda , x, \mu ), w) = \mu ] = 1$$
Soundness Security: For any $\textsc {ppt} $ adversary $\mathcal {A} $, there exists a negligible function $\mathsf {negl} (\cdot )$ such that for any $x \notin L$, we have:
$$|\mathsf {Pr}[\mathcal {A} (\mathsf {Enc} (1^\lambda , x, 0)) = 1] - \mathsf {Pr}[\mathcal {A} (\mathsf {Enc} (1^\lambda , x, 1)) = 1]| < \mathsf {negl} (\lambda )$$

Definition 5.2

(Extractable security). A witness encryption scheme for an NP language L is secure if for all $\textsc {ppt} $ adversary $\mathcal {A} $, and all poly q, there exist a $\textsc {ppt} $ extractor E and a poly p, such that for all auxiliary inputs z and for all $x\in \{0,1\}^{*}$, the following holds:

$$\begin{aligned} \mathrm {Pr}[b\leftarrow \{0,1\};&\mathsf {ct} \leftarrow \mathsf {WE.Enc}(1^{\lambda },x,b):\mathcal {A} (x,\mathsf {ct},z)=b]\ge 1/2+1/q(|x|) \\&\Rightarrow \mathrm {Pr}[E(x,z)=\omega : (x,\omega )\in R_{L}]\ge 1/p(|x|). \end{aligned}$$

5.2 Witness Encryption from Decentralized ABE for General Circuit

We first describe a transformation from witness encryption for NP languages from decentralized ABE for general circuits. Intuitively, the witness encryption can use the Decentralized ABE scheme in the following way: the general circuit f is used as the NP verifier such that the decryptor can recover the message if he has the witness $\omega $ for the statement x satisfying $f(x, \omega ) =1$.

More specifically, given an NP language L, we present witness encryption scheme $(\mathsf {WE}.\mathsf {Enc}, \mathsf {WE}.\mathsf {Dec})$ for L as follows:

$\mathsf {WE}.\mathsf {Enc} (1^{\lambda },x,\mu )$: The encryption algorithm takes input a string $x\in \{0,1\}^{n}$ (whose witness has length bounded by m) and message $\mu $. Then the algorithm runs the following procedures:
- It runs $\mathsf {Global}.\mathsf {Setup} $ and $ \mathsf {Authority}.\mathsf {Setup} $ to generate a global parameters $\mathsf {GP} $ and public keys $\{\mathsf {pk} _{i}\}_{i \in [n+m]}$ and secret keys $\mathsf {sk} =\{\mathsf {sk} _{i}\}_{i \in [n + m]}$.
- Then it invokes $\mathsf {KeyGen} $ to generate $\{\mathsf {k} _{i,x_{i}}\}_{i \in [n]}$ and $\{\mathsf {k} _{j,0}, \mathsf {k} _{j,1}\}_{j=n+1}^{n + m}$.^{Footnote 3}
- It sets $f: \{0,1\}^{n} \times \{0,1\}^{m} \rightarrow \{0,1\}$ as the NP verifier for L that on input $x \in \{0,1\}^{n}, \omega \in \{0,1\}^{m}$ outputs 1 iff $\omega $ is a valid witness of x. Then it generates $\mathsf {ct} \leftarrow \mathsf {Enc} (\mu ,f ,\mathsf {GP},\{\mathsf {pk} _{i}\}_{i \in [n+m]})$.
- Finally, it outputs $\mathsf {ct} = \left( x,\{\mathsf {k} _{i,x_{i}}\}_{i \in [n]}, \{\mathsf {k} _{j,0}, \mathsf {k} _{j,1}\}_{j=n+1}^{n+m},\{\mathsf {pk} _{i}\}_{i \in [n+m]},\mathsf {ct} \right) $.
$\mathsf {WE.Dec}(1^{\lambda },\omega ,\mathsf {ct})$: The decryption algorithm takes input a witness $\omega \in \{0,1\}^{m}$ for the statement $x\in \{0,1\}^{n}$ and a ciphertex $\mathsf {ct} $ for x. Then the algorithm runs the following procedures:
- It first checks if $f(x,\omega )=1$ holds, if not, the decryption algorithm outputs $\bot $.
- Otherwise, for $j = n + 1,\ldots , n + m$, the decryption algorithm chooses $\mathsf {k} _{j, \omega _t}$ from $\{\mathsf {k} _{j,0}, \mathsf {k} _{j,1}\}_{j = n + 1}^{n + m}$ (where $\omega _{i} \in \{0,1\}$ is the i-th bit of $\omega $). Then it outputs
  $$ \mu = \mathsf {Dec} \left( \mathsf {ct},\mathsf {GP},\left\{ \{\mathsf {k} _{i,x_{i}}\}_{i \in [n]},\{\mathsf {k} _{j,\omega _{t}}\}_{j = n + 1}^{n + m} \right\} \right) .$$

Correctness of the witness encryption scheme is straightforward from the correctness of decentralized ABE scheme. Now we can show the following theorem. Due to space limit, we defer the full proof to the full version of the paper.

Theorem 5.3

Assuming that $\varPi $ is a secure decentralized ABE scheme for general circuits (against 1-bounded corruption, static corruption of authorities and selective key queries), the witness encryption scheme above is secure.

Remark 5.4

Bellare et al. [9] has introduced a stronger security of $\mathsf {WE} $ which is denoted as adaptive soundness security. However, our construction can not achieve the stronger adaptive soundness security, because the NP language L we defined is not (efficiently) falsifiable.

Remark 5.5

We note that a weaker notion of decentralized ABE (where the adversary makes static corruption at the beginning of security game, and key queries only once) suffices to construct the witness encryption scheme. This demonstrates the hardness to construct decentralized ABE for general circuits.

Remark 5.6

The scheme we construct above makes use of a decentralized ABE scheme for $n+m$ authorities. We can also construct a WE scheme by invoking a decentralized ABE scheme for only two authorities. Intuitively, we set the attribute space as $\{0,1\}^{n}$. Then the NP statement $x \in \{0,1\}^{n}$ is the one attribute controlled by the non-corrupt authority, and the witness $\omega \in \{0,1\}^{m}$ of x is the one attribute controlled by the corrupt authority. We set f as the NP verifier algorithm. And the decryptor of WE scheme can recover the message if he can find the witness $\omega $ for x such that $f(x, \omega ) =1$. Then we can obtain the scheme similarly to the scheme above.

5.3 Decentralized ABE from Extractable Witness Encryption

Next, we show how to construct a decentralized ABE for general circuits from the following two components: (1) an extractable witness encryption scheme $\mathsf {WE}=(\mathsf {WE.Enc}, \mathsf {WE.Dec})$ [29], and (2) an existentially unforgeable signature scheme $\mathsf {SIG}=(\mathsf {SIG.KeyGen}, \mathsf {SIG.Sign}, \mathsf {SIG.Verify})$ [30].

In our construction, we assume that each authority $P_i$ has a polynomial number of distinct attributes $S_i = \{x_j\}$. This is without loss of generality because we can always encode the party’s ID in the first several bits of the attributes. Our construction $\varPi =(\mathsf {Authority}\ \mathsf {Setup}, \mathsf {Enc}, \mathsf {KeyGen}, \mathsf {Dec})$ (we omit algorithm $\mathsf {Global}\ \mathsf {Setup} $, as it does not affect the functionality) is described as follows:

$\mathsf {Authority}\ \mathsf {Setup} (1^{\lambda })$ (for party $P_{j}$): On input security parameter $\lambda $, for each attribute $x_i$ belonged to the authority $P_{j}$, i.e., $\varvec{x}_{i}\in S_{j}$, the algorithm runs $\mathsf {SIG.KeyGen}(1^\lambda )$ to generate key pair $(\mathsf {svk}_{\varvec{x}_{i}}, \mathsf {ssk}_{\varvec{x}_{i}})$. Then it sets $\mathsf {pk} =\{\mathsf {svk}_{\varvec{x}_{i}}\}_{\varvec{x}_{i} \in S_{j}}$ as the public key, and keeps $\mathsf {sk} =\{\mathsf {ssk}_{\varvec{x}_{i}}\}_{\varvec{x}_{i} \in S_{j}}$ as its secret key.
$\mathsf {Enc} (\{\mathsf {pk} \},f,\mu )$: On input public key $\mathsf {pk} $, a function f and message $\mu $, the encryption algorithm sets an instance $x_{f}$ as $x_{f}=(\{\mathsf {svk}_{\varvec{x}_{i}}\},f)$, and defines NP language L such that $x_{f}\in L$ if and only if there exists n signature pairs $(\sigma _{1},(\varvec{x}_{1},\mathsf {GID})), \ldots , (\sigma _{n},(\varvec{x}_{n},\mathsf {GID}))$ such that
$$(\forall i, \mathsf {SIG.Verify}_{\mathsf {svk}_{\varvec{x}_{i}}}(\sigma _{i},(\varvec{x}_{i},\mathsf {GID}))=1)\wedge (f(\varvec{x}_{1},...,\varvec{x}_{n})=1)$$
Next it computes and outputs $\mathsf {ct} \leftarrow \mathsf {WE.Enc}(x_{f},\mu )$.
$\mathsf {KeyGen} (\varvec{x}_{j},\mathsf {GID},\mathsf {sk} _{i})$: On input attribute $\varvec{x}_j$, the authority outputs $\mathsf {k} _{j,\mathsf {GID}} = \sigma _{j}\leftarrow \mathsf {SIG.Sign}(\mathsf {ssk}_{i},(\varvec{x}_{j},\mathsf {GID}))$ if $\varvec{x}_j \in S_i$. Otherwise, it outputs $\bot $.
$\mathsf {Dec} (\{\mathsf {k} _{i,\mathsf {GID}}\},\mathsf {GP},\mathsf {ct})$: If the decryptor has a set of keys with the same $\mathsf {GID} $ such that $f(\varvec{x}_{1}, \ldots ,\varvec{x}_{n})=1$, and all the signature verifications succeed, then $\{\mathsf {k} _{i,\mathsf {GID}}\}$ servers as witness for $x_{f}$, and it calls $\mathsf {WE.Dec}(\omega , \mathsf {ct})$ to recover the message $\mu $. Otherwise, the decryption fails.

It is straightforward that the correctness of the scheme described above comes from the correctness of witness encryption $\mathsf {WE}$ and signature scheme $\mathsf {SIG}$.

Next, we are going to show that the construction above achieves a ABE against static corruption. For convenience of our proof, we use the following presentation of definition for security against static corruption. Let $\mathcal {A} =(\mathcal {A} _{1},\mathcal {A} _{2})$ be an adversary, and T denote the set of authorities.

We say that the scheme is secure (against static corruption of authorities) if for all PPT adversaries $\mathcal {A} $, the advantage $\mathbf {Adv}^\mathsf{dabe}_{\mathcal {A}}$ of $\mathcal {A} $ is negligible. where:

$$\mathbf {Adv}^\mathsf{dabe}_{\mathcal {A}}=|\mathrm {Pr}[\mathsf {Exp}^\mathsf{dabe}_{\mathcal {A}}(1^{\lambda })=1]-1/2|.$$

Then we can show the following theorem. Due to space limit, we defer the full proof to the full version of the paper.

Theorem 5.7

Assuming the existence of an extractable witness encryption scheme $\mathsf {WE}$ and an existentially unforgeable signature scheme $\mathsf {SIG}$, then the scheme described above is secure against static corruption of authorities.

6 Conclusion

We investigated the constructions of LWE-based and DDH-based decentralized ABE, which satisfy stronger security notion that adversary can make corruption queries of parties adaptively in addition to making adaptive key queries. As a building block, we first introduced a functional encryption for inner product functionality with a stronger security requirement, and then we proposed the constructions of FE for inner product with the stronger security by making some modifications of the constructions by [6]. Combining the FE for inner product with the stronger security and a $\{0,1\}$-$\mathsf {LSSS} $ scheme, we obtained the constructions of the desired decentralized ABE. Finally, we showed that decentralized ABE for general access structures is somewhat equivalent to witness encryption (WE) for general NP relations.

Our scheme is in the plain model and the security holds against bounded collusion, the work [41] can support an unbounded number of collusions by using random oracle. We leave it as an interesting open question whether our scheme can be upgraded in the random oracle model.

Notes

1.
We will discuss the secret sharing in more details, but let us focus on the high level concepts at this point.
2.
The work [31] can derive an IND adaptively secure scheme for challenge ciphertexts that encrypt a vector of messages, but as we discussed above, IND security seems not sufficient for our application.
3.
In our setting, we consider a general case where there is no $\mathsf {GID} $.

References

Abdalla, M., Bourse, F., De Caro, A., Pointcheval, D.: Simple functional encryption schemes for inner products. In: Katz [38], pp. 733–751
Google Scholar
Abdalla, M., Gay, R., Raykova, M., Wee, H.: Multi-input inner-product functional encryption from pairings. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 601–626. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_21
Chapter Google Scholar
Agrawal, S.: Stronger security for reusable garbled circuits, general definitions and attacks. In: Katz and Shacham [40], pp. 3–35
Google Scholar
Agrawal, S., Bhattacherjee, S., Phan, D.H., Stehlé, D., Yamada, S.: Efficient public trace and revoke from standard assumptions: extended abstract. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 2277–2293. ACM Press, New York (2017)
Google Scholar
Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_2
Chapter Google Scholar
Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw and Katz [50], pp. 333–362
Google Scholar
Agrawal, S., Rosen, A.: Functional encryption for bounded collusions, revisited. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 173–205. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_7
Chapter Google Scholar
Ananth, P., Fan, X.: Attribute based encryption for RAMs from LWE. Cryptology ePrint Archive, Report 2018/273 (2018). https://eprint.iacr.org/2018/273
Bellare, M., Hoang, V.T.: Adaptive witness encryption and asymmetric password-based cryptography. In: Katz [38], pp. 308–331
Google Scholar
Benhamouda, F., Bourse, F., Lipmaa, H.: CCA-secure inner-product functional encryption from projective hash functions. In: Fehr, S. (ed.) PKC 2017, Part II. LNCS, vol. 10175, pp. 36–66. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_2
Chapter Google Scholar
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: 2007 IEEE Symposium on Security and Privacy, pp. 321–334. IEEE Computer Society Press, May 2007
Google Scholar
Bishop, A., Jain, A., Kowalczyk, L.: Function-hiding inner product encryption. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 470–491. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_20
Chapter Google Scholar
Boneh, D., et al.: Threshold cryptosystems from threshold fully homomorphic encryption. Cryptology ePrint Archive, Report 2017/956 (2017). https://eprint.iacr.org/2017/956
Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Chapter Google Scholar
Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.): 45th ACM STOC. ACM Press, New York (2013)
Google Scholar
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
Chapter Google Scholar
Boyen, X.: Attribute-based functional encryption on lattices. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 122–142. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_8
Chapter Google Scholar
Boyen, X., Li, Q.: Turing machines with shortcuts: efficient attribute-based encryption for bounded functions. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 267–284. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_15
Chapter Google Scholar
Brakerski, Z., Jain, A., Komargodski, I., Passelegue, A., Wichs, D.: Non-trivial witness encryption and null-iO from standard assumptions. Cryptology ePrint Archive, Report 2017/874 (2017). https://eprint.iacr.org/2017/874
Brakerski, Z., Vaikuntanathan, V.: Circuit-ABE from LWE: unbounded attributes and semi-adaptive security. In: Robshaw and Katz [50], pp. 363–384
Google Scholar
Canetti, R., Garay, J.A. (eds.): CRYPTO 2013, Part II. LNCS, vol. 8043. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1
Book MATH Google Scholar
Chase, M.: Multi-authority attribute based encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 515–534. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_28
Chapter Google Scholar
Chase, M., Chow, S.S.M.: Improving privacy and security in multi-authority attribute-based encryption. In: Al-Shaer, E., Jha, S., Keromytis, A.D. (eds.) ACM CCS 2009, pp. 121–130. ACM Press, New York (2009)
Google Scholar
Datta, P., Okamoto, T., Tomida, J.: Full-hiding (unbounded) multi-input inner product functional encryption from the k-linear assumption. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part II. LNCS, vol. 10770, pp. 245–277. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_9
Chapter Google Scholar
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, pp. 40–49. IEEE Computer Society Press, October 2013
Google Scholar
Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: Canetti and Garay [21], pp. 479–499
Google Scholar
Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Functional encryption without obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016, Part II. LNCS, vol. 9563, pp. 480–511. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_18
Chapter Google Scholar
Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Boneh et al. [15], pp. 467–476
Google Scholar
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In: Canetti and Garay [21], pp. 536–553
Google Scholar
Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
Article MathSciNet Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini and Canetti [52], pp. 162–179
Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Boneh et al. [15], pp. 545–554
Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M.J.B. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25
Chapter Google Scholar
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels, A., Wright, R.N., Vimercati, S. (eds.) ACM CCS 2006, pp. 89–98. ACM Press, October/November 2006. Cryptology ePrint Archive Report 2006/309
Google Scholar
Green, M., Hohenberger, S., Waters, B.: Outsourcing the decryption of ABE ciphertexts. In: USENIX Security Symposium, vol. 2011 (2011)
Google Scholar
Jafargholi, Z., Kamath, C., Klein, K., Komargodski, I., Pietrzak, K., Wichs, D.: Be adaptive, avoid overcommitting. In: Katz and Shacham [40], pp. 133–163
Google Scholar
Katsumata, S., Yamada, S.: Partitioning via non-linear polynomial functions: more compact IBEs from ideal lattices and bilinear maps. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 682–712. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_23
Chapter Google Scholar
Katz, J. (ed.): PKC 2015. LNCS, vol. 9020. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2
Book MATH Google Scholar
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9
Chapter Google Scholar
Katz, J., Shacham, H. (eds.): CRYPTO 2017, Part I. LNCS, vol. 10401. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7
Book MATH Google Scholar
Lewko, A., Waters, B.: Decentralizing attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_31
Chapter Google Scholar
Lewko, A.B., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4
Chapter Google Scholar
Lin, H., Cao, Z., Liang, X., Shao, J.: Secure threshold multi authority attribute based encryption without a central authority. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 426–436. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89754-5_33
Chapter Google Scholar
Liu, Z., Cao, Z., Huang, Q., Wong, D.S., Yuen, T.H.: Fully secure multi-authority ciphertext-policy attribute-based encryption without random oracles. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 278–297. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_16
Chapter Google Scholar
Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst-case complexity assumptions. In: 43rd FOCS, pp. 356–365. IEEE Computer Society Press, November 2002
Google Scholar
Müller, S., Katzenbeisser, S., Eckert, C.: Distributed attribute-based encryption. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 20–36. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00730-9_2
Chapter Google Scholar
Muller, S., Katzenbeisser, S., Eckert, C.: On multi-authority ciphertext-policy attribute-based encryption. Bull. Korean Math. Soc. 46(4), 803–819 (2009)
Article MathSciNet Google Scholar
O’Neill, A.: Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010). http://eprint.iacr.org/2010/556
Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: Ning, P., di Vimercati, S.D.C., Syverson, P.F. (eds.) ACM CCS 2007, pp. 195–203. ACM Press, New York (2007)
Google Scholar
Robshaw, M., Katz, J. (eds.): CRYPTO 2016, Part III. LNCS, vol. 9816. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3
Book MATH Google Scholar
Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 463–474. ACM Press, New York (2013)
Google Scholar
Safavi-Naini, R., Canetti, R. (eds.): CRYPTO 2012. LNCS, vol. 7417. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5
Book MATH Google Scholar
Sahai, A., Waters, B.R.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Chapter Google Scholar
Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_4
Chapter Google Scholar
Waters, B.: Functional encryption for regular languages. In: Safavi-Naini and Canetti [52], pp. 218–235
Google Scholar
Xagawa, K.: Improved (hierarchical) inner-product encryption from lattices. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 235–252. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_15
Chapter Google Scholar

Download references

Acknowledgements

We would like to thank Qiang Tang, Mingsheng Wang for their helpful discussions and suggestions. We also thank the anonymous reviewers of PKC 2019 for their insightful advices. Zhedong Wang is supported by the National Key R&D Program of China-2017YFB0802202. Xiong Fan is supported in part by IBM under Agreement 4915013672 and NSF Award CNS-1561209. Feng-Hao Liu is supported by the NSF Award CNS-1657040. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the sponsors.

Author information

Authors and Affiliations

School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
Zhedong Wang
State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Zhedong Wang
Cornell University, Ithaca, NY, USA
Xiong Fan
Florida Atlantic University, Boca Raton, FL, USA
Feng-Hao Liu

Authors

Zhedong Wang
View author publications
You can also search for this author in PubMed Google Scholar
Xiong Fan
View author publications
You can also search for this author in PubMed Google Scholar
Feng-Hao Liu
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Zhedong Wang .

Editor information

Editors and Affiliations

Institute of Information Engineering, SKLOIS, Beijing, China
Dongdai Lin
NEC Corporation, Kawasaki, Japan
Kazue Sako

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Wang, Z., Fan, X., Liu, FH. (2019). FE for Inner Products and Its Application to Decentralized ABE. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. PKC 2019. Lecture Notes in Computer Science(), vol 11443. Springer, Cham. https://doi.org/10.1007/978-3-030-17259-6_4

Download citation

DOI: https://doi.org/10.1007/978-3-030-17259-6_4
Published: 06 April 2019
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17258-9
Online ISBN: 978-3-030-17259-6
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics