Generic constructions for ANOBE from ABE - ANOBE from Attribute-Based Encryption

4.5 ANOBE from Attribute-Based Encryption

4.5.1 Generic constructions for ANOBE from ABE

This section is dedicated to formalizing the relation between ABE and BE. To this end, we provide generic ways to achieve BE (and in particular ANOBE) from both flavours of ABE, namely ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). While it is fairly natural to think of a BE scheme as a CP-ABE scheme whose ciphertext policy is set-membership, it is perhaps not so intuitive to see BE as arising as a special instance of KP-ABE.

We explore these ideas next, giving first some intuition and then the detailed constructions and proofs.

BE and CP-ABE. Let U be the universe of users of the desired BE scheme. We consider a CP-ABE scheme whose universe of attributes is precisely U. Being user i will translate to having attribute i. Furthermore, belonging to the target broadcast set S will correspond to a set-membership policy. This can be expressed as a disjunction of attributes, i.e. users. It is then very intuitive to think of a BE scheme as a CP-ABE scheme with the above-mentioned encryption policy.

More formally, let Γ = (CPABE.PG,CPABE.Setup, CPABE.KeyGen,CPABE.Enc,

CPABE.Dec) be a CP-ABE scheme which efficiently supports disjunction policies.

LetU be the universe of attributes, where_|U_|=n. We will construct a BE scheme from Γ, having U as the universe of users and the same message and ciphertext space, in the following way:

BE.PG(1λ_{, n}_{): Run}_CP

ABE.PGon input 1λand returnpars, which implicitly contain nand a description of the message spaceMsgSpand the ciphertext spaceCtSp

of the scheme.

BE.Setup(pars): RunCPABE.Setup(pars) to obtain the master public key CP-MPK

and the master secret key CP-MSK. Let BE-MPK := CP-MPK, BE-MSK := CP-MSK and output (BE-MPK,BE-MSK).

BE.KeyGen(BE-_MPK_,_BE-_MSK_{, i}_{): Run} _CP_ABE_.KeyGen_(BE-MPK_,_BE-MSK_{, i}_{) to}

BE.Enc(BE-_MPK_{, M, S}_{): Let}W

j∈Sj be the policy representing the disjunction of attributes (users)j∈S. LetA_{be the access structure supporting this policy.} Run CPABE.Enc(BE-MPK, M,A) to obtain a ciphertext C.

BE.Dec(BE-_MPK_{, C, sk}_{i): Run} _CP_ABE_.Dec _{on the same input to obtain either a}

message M or a failure symbol⊥.

The correctness of the BE scheme follows directly from the correctness of the CP- ABE scheme Γ used to construct it. This guarantees that if user i satisfies the disjunction policy (i.e.i∈S) then he can successfully decrypt.

The following result holds.

Theorem 4.11 LetΓbe a policy-hiding and IND-CCA secure CP-ABE scheme sup- porting disjunction policies. Then the BE scheme constructed as above is adaptively ANO-IND-CCA secure.

Proof. Let _A be an adversary against the ANO-IND-CCA security of the BE scheme. We will construct an adversary _B that will interact with _A to break the policy-hiding and IND-CCA security of Γ. The game proceeds as follows.

Setup. The challenger_CrunsCPABE.PG(1λ) to obtainparsandCPABE.Setup(pars)

to generate the master public key CP-MPK and the master secret key CP-MSK and gives (pars,CP-MPK) to the adversaryA.

Phase 1. _A can adaptively issue key-extraction queries for any useri_∈U. Such a query is passed on to_B, who gives it to_C as secret-key query for attributei. _C will respond to each query with the private keyski, which is passed toB, who then forwards it toAas the key for useri. Amay also issue decryption queries of the type (C, i), where i∈ U. B passes such queries to C and forwards C’s response toA.

Challenge. _A selects two equal-length messages M0 and M1 ∈ MsgSp and two

equal-size target sets S0, S1 ⊆U, such that i /∈S0△S1 for any of the queries

require M0 =M1. A passes M0, M1, S0, S1 to B. B creates access structures

A₀ _and A₁ _{expressing the disjunction of all the indices} _j _∈ _S₀ _and _k _∈ _S₁_, respectively. It passes M0, M1,A0,A1 to C. C chooses a random b ← {0,1},

computesC⋆_←_CP

ABE.Enc(CP-MPK,Mb,Ab) and passesC⋆ toB, who in turn passes it to _A.

Phase 2. _Acontinues to issue secret-key-extraction queries with the restriction that

i /_∈ S0△S1 and if i∈ S0∩S1 then we require M0 = M1. These queries are

dealt with by B as in Phase 1. A can also issue decryption queries with the restriction that ifC=C⋆ _{then either}_{i /}_∈_S

0△S1 ori∈S0∩S1 andM0 =M1.

Guess. The adversary outputs its guess b′ _for_b_and _B _{outputs the same guess.}

B perfectly simulates the ANO-IND-CCA game for _A. Hence _A’s advantage is as it would be in the real game and by construction _Bwins whenever _Adoes. BE and KP-ABE.Not so intuitive is to see BE as arising as a special instance of KP-ABE. In the definition of KP-ABE the policy input to the key generation algorithm is expressed by an access structure, which in our model is represented by an access tree. In order to realize BE using ABE, we select as the tree for generating the key of user i the trivial tree consisting of a single leaf for attribute i. In KP- ABE, decryption succeeds if the set of attributesS specified in the encryption phase satisfies the policy given during key generation. In particular, for the degenerate case of BE, the policy (tree) is satisfied if and only if the attribute (user) iis in S. This is precisely what is needed in the BE setting, i.e., a user ican decrypt if and only ifi_∈S, whereS is the target broadcast set. Hence, BE can also be cast in the framework of KP-ABE.

We formalize this by considering a KP-ABE scheme K = (KPABE.PG,

KPABE.Setup,KPABE.KeyGen,KPABE.Enc,KPABE.Dec). Let U be the universe of at-

tributes, where _|U_|=n. We will construct a BE scheme fromK, having U as the universe of users and the same message and ciphertext space, in the following way:

BE.PG(1λ_{, n}_{): Run}_KP

ABE.PGon input 1λand returnpars, which implicitly contain nand a description of the message spaceMsgSpand the ciphertext spaceCtSp

BE.Setup(pars): RunKPABE.Setup(pars) to obtain the master public key KP-MPK

and the master secret key KP-MSK. Let BE-MPK := KP-MPK, BE-MSK := KP-MSK and output (BE-MPK,BE-MSK).

BE.KeyGen(BE-_MPK_,_BE-_MSK_{, i}_{): Run} _KP_ABE_.KeyGen_(BE-MPK_,_BE-MSK_{, i}_{) to}

obtain ski, the secret key corresponding to the single-leaf access tree i.

BE.Enc(BE-_MPK_{, M, S}_{): Run} _KP_ABE_.Enc_(BE-MPK_{, M, S}_{) to obtain a ciphertext}

BE.Dec(BE-_MPK_{, C, sk}_{i): Run} _KP_ABE_.Dec _{on the same input to obtain either a}

message M or a failure symbol_⊥.

The correctness of the BE scheme follows from the correctness of the KP-ABE scheme K used to construct it since in our model a set of attributes S satisfies a single-leaf access tree if and only if the attribute associated with that leaf is in S.

The following result holds.

Theorem 4.12 LetKbe an attribute-hiding and IND-CCA secure KP-ABE scheme. Then the BE scheme constructed as above is adaptively ANO-IND-CCA secure.

Proof. Let A be an adversary against the ANO-IND-CCA security of the BE scheme. We will construct an adversary B that will interact with A to break the attribute-hiding and IND-CCA security ofK. The game proceeds as follows.

Setup. The challenger_CrunsKPABE.PG(1λ) to obtainparsandKPABE.Setup(pars)

to generate the master public key KP-MPK and the master secret key KP-MSK and gives (pars,KP-MPK) to the adversary_A.

Phase 1. A can adaptively issue key-extraction queries for any useri∈U. Such a query is passed on toB, who gives it toCas secret-key query for the degenerate single-leaf access treei. C will respond to each query with the private keyski, which is passed to_B, who then forwards it to_Aas the key for user i. _Amay also issue decryption queries of the type (C, i), where i _∈ U. _B passes such queries to_C and forwards to _C’s response to _A.

Challenge. A selects two equal-length messages M0 and M1 ∈ MsgSp and two

equal-size target sets S0, S1 ⊆U, such that i /∈S0△S1 for any of the queries

imade in Phase 1. If for any of such queries we have thati∈S0∩S1 the we

requireM0 =M1. ApassesM0, M1, S0, S1 toB. BpassesM0, M1, S0, S1 toC.

C chooses a randomb_{← {}0,1_}, computes C⋆_←_KP

ABE.Enc(KP-MPK,Mb, Sb) and passesC⋆ _to_B_{, who in turn passes it to} _A_.

Phase 2. A continues to issue secret-key-extraction queries with the restriction that i /∈S0△S1 and ifi∈S0∩S1 then we requireM0 =M1. These queries

are dealt with by _B as in Phase 1. _A can also issue decryption queries with the restriction that if (C, i) = (C⋆_{, i}_{) then either} _{i /}_∈ _S

0△S1 ori ∈ S0∩S1

and M0=M1.

Guess. The adversary outputs its guess b′ forband B outputs the same guess.

B perfectly simulates the ANO-IND-CCA game for _A. Hence _A’s advantage is as it would be in the real game and by construction _Bwins whenever _Adoes.

What we have just proved provides us with a potentially powerful tool: all the progress achieved in the area of ABE could be highly relevant to the improve- ment of the state of the art of BE. In practice, this approach is limited to the currently available ABE schemes. In particular, what we are looking for ideally is an attribute(policy)-hiding KP(CP)-ABE scheme, with short ciphertexts, involving efficient algorithms, and which is non-selectively IND-CCA secure in the standard model. Unfortunately, we do not have such a scheme. We hence briefly recall what are the features of the existing ABE schemes.

The ABE research community has focused on obtaining schemes allowing for policies that could be as expressive as possible [53, 32, 12, 70]. These schemes however only achieve selective security and provide no anonymity guarantee. Furthermore, they are not very efficient. In [54], the authors present athreshold CP-ABE scheme with constant-size ciphertext. Even if this limited policy could fit our purposes, the scheme unfortunately suffers from the same security drawbacks as the other ABE schemes.

the issue of anonymity, but the scheme the authors present is characterized by large keys and ciphertexts, linear innas opposed to the size ofS. Similar considerations go for the work in [61], where Lewko et al. introduce the notion offunctional encryption and provide a fully secure ABE scheme, but the private key and ciphertext sizes prevent it from being a suitable candidate for the construction of BE. Follow-up work in the area (for instance, [69]) suffers from the same limitation. Indeed these recently proposed primitives, which have ABE as a special case, are very powerful and their instantiation allows for great expressiveness. However, for the use of ABE that we have in mind, namely constructing ANOBE schemes, finding anonymous and fully secure ABE schemes that support even simple policies but that are efficient is still an open problem.

In document Anonymity and Time in Public-Key Encryption (Page 106-111)