We first recall the construction of 1-key ABE from [AJS17]. We then prove that this construction is a splittable 1-key ABE scheme.
Construction of 1-Key ABE for TMs [AJS17]. We will use the following primitives in our
construction:
1. A puncturable PRF family denoted byF.
2. A storage accumulator scheme based on iO and one-way functions that was constructed by [KLW15]. We denote it byAcc= (SetupAcc,EnforceRead,EnforceWrite,PrepRead,PrepWrite,
VerifyRead,WriteStore,Update). Let Σtape be the associated message space with accumulated
value of size `Acc bits.
3. An iterators scheme denoted by Itr =(SetupItr, ItrEnforce, Iterate). Let {0,1}2λ+`Acc be the
associated message space with iterated value of size `Itr bits.
4. A splittable signatures scheme denoted by SplScheme = (SetupSpl,SignSpl,VerSpl,SplitSpl, SignSplAbo). Let {0,1}`Itr+`Acc+2λ be the associated message space.
Our Scheme. We now describe our construction of a 1-key ABE scheme ABE = (ABE.Setup,
ABE.KeyGen,ABE.Enc,ABE.Dec) for the Turing machine familyM. Without loss of generality, the start state of every Turing machine in Mis denoted by q0. We denote the message space for the
ABE scheme as MSG.
ABE.Setup(1λ): On input a security parameterλ, it first executes the setup of splittable signatures
scheme to compute (SKtm,VKtm,VKrej)←SetupSpl(1λ). Next, it executes the setup of the accumu-
lator scheme to obtain the values (PPAcc,we0,store]0) ← SetupAcc(1
λ). It then executes the setup
of the iterator scheme to obtain the public parameters (PPItr, v0)←SetupItr(1λ).
It finally outputs the following public key-secret key pair,
ABE.PP= (VKtm,PPAcc,we0,store]0,PPItr, v0),ABE.SK= (ABE.PP,SKtm)
ABE.KeyGen(SKtm, M ∈ M): On input a master secret keyABE.SK= (ABE.PP,SKtm) and a Turing
machineM ∈ M, it executes the following steps:
1. Parse the public keyABE.PP as (VKtm,PPAcc,we0,store]0,PPItr, v0).
2. Initialization of the storage tree: Let`tm=|M|be the length of the machineM. For 1≤ j ≤`tm, compute store]j = WriteStore(PPAcc,store]j−1, j−1, Mj), auxj =PrepWrite(PPAcc,
]
storej−1, j−1),wej =Update(PPAcc,wej−1, Mj, j−1, auxj) , whereMj denotes the j
th bit of
M. Set the rootw0=we`tm.
3. Signing the accumulator value: Generate a signature on the message (v0, q0, w0,0) by
It outputs the ABE keyABE.skM = (M, w0, σtm, v0,store]0).
[Note: The key generation does not output the storage tree store0 but instead it just outputs the
initial store value store]0. As we see later, the evaluator in possession of M, store]0 and PPAcc can
reconstruct the treestore0.]
ABE.Enc(ABE.PP, x,msg): On input a public key ABE.PP = (VKtm,PPAcc,we0,store]0,PPItr, v0),
attributex∈ {0,1}∗ and message msg∈MSG, it executes the following steps:
1. Sample a PRF key KAat random from the family F.
2. Obfuscating the next step function: Consider a universal Turing machine Ux(·) that
on input M executes M on x for at most 2λ steps and outputs M(x) if M terminates,
otherwise it outputs ⊥. Compute an obfuscation of the program NxtMsgdescribed in Figure
5, namely N ← iO(NxtMsg{Ux(·),msg,PPAcc,PPItr, KA}). NxtMsg is essentially the next
message function of the Turing machineUx(·) – it takes as input a TMM and outputsM(x)
if it halts within 2λ else it outputs⊥. In addition, it performs checks to validate whether the previous step was correctly computed. It also generates authentication values for the current step.
3. Compute an obfuscation of the programS←(SignProg{KA,VKtm}) whereSignProgis defined
in Figure 6. The program SignProg takes as input a message-signature pair and outputs a signature with respect to a different key on the same message.
It outputs the ciphertext ABE.CT= (N, S).
ABE.Dec(ABE.skM,ABE.CT): On input the ABE key ABE.skM = (M, w0, σtm, v0,store]0) and a
ciphertext ABE.CT= (N, S), it first executes the obfuscated program S y= (v0, q0, w0,0), σtm
to obtain σ0. It then executes the following steps.
1. Reconstructing the storage tree: Let`tm=|M|be the length of the TMM. For 1≤j≤ `tm, update the storage tree by computing, store]j = WriteStore(PPAcc,store]j−1, j−1, Mj).
Setstore0 =store]`tm.
2. Executing N one step at a time: For i= 1 to 2λ,
(a) Compute the proof that validates the storage value storei−1 (storage value at (i−1)th
time step) at position posi−1. Let (symi−1, πi−1)←PrepRead(PPAcc, storei−1,posi−1).
(b) Compute the auxiliary value,auxi−1←PrepWrite(PPAcc, store−1,posi−1).
(c) Run the obfuscated next message function. Computeout←N(i,symi−1,posi−1,sti−1, wi−1,
vi−1, σi−1, πi−1, auxi−1). Ifout∈MSG∪ {⊥}, outputout.
Else parse outas (symw,i,posi,sti, wi, vi, σi).
(d) Compute the storage value,storei ←WriteStore(PPAcc, storei−1,posi−1,symw,i).
ProgramNxtMsg
Constants: Turing machineUx=hQ,Σtape, δ, q0, qacc, qreji, messagemsg, Public parameters for accumula-
torPPAcc, Public parameters for Iterator PPItr, Puncturable PRF keyKA∈ K.
Input: Time t ∈ [T], symbol symin ∈ Σtape, position posin ∈ [T], state stin ∈ Q, accumulator value
win∈ {0,1}`Acc, Iterator value vin, signatureσin, accumulator proofπ, auxiliary valueaux.
1. Verification of the accumulator proof:
• IfVerifyRead(PPAcc, win,symin,posin, π) = 0 output⊥.
2. Verification of signature on the input state, position, accumulator and iterator values: • LetF(KA, t−1) =rA. Compute (SKA,VKA,VKA,rej) =SetupSpl(1λ;rA).
• Letmin= (vin,stin, win,posin). IfVerSpl(VKA, min, σin) = 0 output⊥.
3. Executing the transition function:
• Let (stout,symout, β) =δ(stin,symin) andposout=posin+β.
• Ifstout=qrejoutput⊥.
• Ifstout=qaccoutputmsg.
4. Updating the accumulator and the iterator values:
• Computewout =Accumulate(PPAcc, win,symout,posin, aux). Ifwout =Reject, output⊥.
• Computevout=Iterate(PPItr, vin,(stin, win,posin)).
5. Generating the signature on the new state, position, accumulator and iterator values: • LetF(KA, t) =rA0 . Compute (SK 0 A,VK 0 A,VK 0 A,rej)←SetupSpl(1λ;rA0 ).
• Letmout= (vout,stout, wout,posout) andσout =SignSpl(SK0A, mout).
6. Outputsymout,posout,stout, wout, vout, σout.
Figure 5: Program NxtMsg
ProgramSignProg
Constants: PRF keyKA and verification keyVKtm.
Input: Messagey and a signatureσtm.
1. IfVerSpl(VKtm, y, σtm) = 0 then output⊥.
2. Execute the pseudorandom function on input 0 to obtainrA←F(K,0). Execute the setup of splittable
signatures scheme to compute (SK0,VK0)←SetupSpl(1λ;rA).
3. Compute the signatureσ0←SignSpl(SK0, y). 4. Outputσ0.
Figure 6: ProgramSignProg
The proof of the above theorem can be found in [AJS17].
Proof that ABE is Splittable. We now claim that the above scheme is a splittable 1-key ABE
scheme.
Theorem 11. ABE is a splittable 1-key ABE for TMs scheme.
Proof. To prove this, we just need to show that ABEsatisfies the split decryption key property. Let M ∈ M. The decryption key ofM is generated as (M, w0, σtm, v0,store]0)←ABE.KeyGen(
SKtm, M). Thus, ABE satisfies the split decryption key property since (w0, σtm, v0,store]0) can be
viewed as aux and furthermore, |aux|is indeed a fixed polynomial in λ(independent of|M|).