Generic Negation of Pair Encodings

Abstract

Attribute-based encryption (ABE) is a cryptographic primitive which supports fine-grained access control on encrypted data, making it an appealing building block for many applications. Pair encodings (Attrapadung, EUROCRYPT 2014) are simple primitives that can be used for constructing fully secure ABE schemes associated to a predicate relative to the encoding. We propose a generic transformation that takes any pair encoding scheme (PES) for a predicate \(P\) and produces a PES for its negated predicate \(\bar{P}\). This construction finally solves a problem that was open since 2015. Our techniques bring new insight to the expressivity and generality of PES and can be of independent interest. We also provide, to the best of our knowledge, the first pair encoding scheme for negated doubly spatial encryption (obtained with our transformation) and explore several other consequences of our results.

Appendices

A Pair Encoding for Negated Doubly Spatial Encryption

1.1 A.1 Building the Encoding

A direct application of our negated transformation (Fig. 1) to the encoding for doubly spatial encryption from [4] (after minor modifications so that it satisfies our structural constraints) leads to the encoding from Fig. 3. This encoding can be simplified, as the following reasoning shows that not all the polynomials are needed for reconstructability.

The only way to get polynomial \(s_0r_1b_0\) (and consequently \(\alpha s_0\)) as a linear combination of polynomials from \(L = \varvec{s} \otimes \varvec{k} \,\cup \, \varvec{c} \otimes \varvec{r}\) is through the two first polynomials in the key (multiplied by \(s_0\)): \(s_0r_1b_0 + s_0r_1w\) and \(s_0r_1b_0 + s_0r_1t\). For that, we need to express monomial \(s_0r_1w\) or monomial \(s_0r_1t\) as a linear combination of other polynomials in L. The former is impossible to obtain (since monomial \(s_0r_1w\) does not appear in any other polynomial in L). The latter can be achieved only through polynomial \(r_1s_0t - r_1\hat{s}_1 \in L\). Again, that requires to arrive at polynomial \(r_1\hat{s}_1\), which is present only in \(r_1s_1v - r_1\hat{s}_1\). Furthermore, \(r_1s_1v\) can only be (additionally) found in \(s_1r_1v + s_1\hat{r}_1\). However, \(s_1\hat{r}_1\) is present in several polynomials in L, namely: \(s_1r_2u + s_1\hat{r}_1\) and \(s_1(Y_j\hat{\varvec{r}}' + r_2b_{j} + \hat{r}_1 {y}_j)_{j \in [d]}\). The former contains a monomial, \(s_1r_2u\), that only additionally appears in \(r_2s_1u - r_2\hat{s}_2\), but \(r_2\hat{s}_2\) is only present in polynomials \(r_2(X_j\hat{\varvec{s}}' - s_1 b_{j} + \hat{s}_2 {x}_j)_{j \in [d]}\). Consequently, reconstructability will be possible if there exist coefficients \(\beta _j\) and \(\gamma _j\) for all \(j \in [0,d]\) such that:

Considering the different monomials in both sides of the equation, we deduce:

Consequently, reconstructability is possible if there exist coefficients \(\beta _j\) for all \(j \in [d]\) such that:

But this is equivalent to \(\varvec{y}-\varvec{x} \notin \mathrm{span}(Y) \cup \mathrm{span}(X)\) (see Lemma 1) which holds if and only if the predicate is true, as needed.

All the polynomials in the key and the ciphertext which have not been used for reconstructability can be eliminated. Figure 2 describes the resulting encoding after this simplification.

1.2 A.2 Arguing Security

Our Theorem 2 guarantees that the encoding from Fig. 3 is secure. Note that removing polynomials cannot change security (only spoil reconstructability), so the simpler scheme presented in the main body (Fig. 2) must also be secure. Nevertheless, we provide an independent proof of its security, for the sake of completeness.

Proof

(Security of the encoding from Fig. 2). Assume the predicate is false, i.e., the affine spaces \(\varvec{x} + \mathrm{span}(X)\) and \(\varvec{y} + \mathrm{span}(Y)\) intersect. Let \(\varvec{z} \in \mathbb {Z}_N^{d}\) be a vector in their intersection and let \(\varvec{z_x} \in \mathbb {Z}_N^{\ell }\) and \(\varvec{z_y} \in \mathbb {Z}_N^{\ell '}\) be such that:

$$ \varvec{x} + X\varvec{z_x} = \varvec{z} = \varvec{y} + Y\varvec{z_y} . $$

Observe that all the polynomials in \(\mathsf{EncKey}(N,(\varvec{y},Y))\) and \(\mathsf{EncCt}(N, (\varvec{x},X))\) (see Fig. 2) evaluate to zero on the following substitution:

$$\begin{aligned} (\varvec{b}, \hat{\varvec{r}}', \hat{\varvec{s}}') \leftarrow (\varvec{z}, \varvec{z}_y, \varvec{z}_x) \quad \,\,&r_1,s_1,\hat{r}_1,\hat{s}_2,u,t,\alpha \leftarrow 1 \quad \,\, b_0, s_0, r_2, \hat{s}_1, v \leftarrow -1 , \end{aligned}$$

but polynomial \(\alpha s_0\) evaluates to \(-1\) (\(\ne 0\)). As explained in Example 1, this is an evidence of the security of the encoding.

Fig. 3.

PES for negated doubly spatial encryption.

B Additional Definitions

1.1 B.1 Security of Attribute-Based Encryption

An ABE scheme is adaptively secure if there exists a negligible \(\epsilon \) such that for all PPT adversaries \(\mathcal{A}\), and all sufficiently large \(\lambda \in \mathbb {N}\), \(\mathsf{Adv}_{\mathcal{A}}^\mathsf{ABE}(\lambda ) < \epsilon (\lambda )\), where:

where the advantage is defined to be zero if some of the queries y made by \(\mathcal{A}\) to the \(\mathsf{KeyGen}\) oracle violates the condition \(P(x^\star ,y) = 0\).

1.2 B.2 Attribute-Based Encryption from Pair Encodings

In order to explain how to build attribute-based encryption from pair encodings, we need to introduce the notion of dual system groups (DSG) [2, 16, 17], since the compilers from pair encodings into ABE [1, 5] rely on DSG in a black-box way.

Dual System Groups

A dual system group is a tuple of six efficiently computable algorithms:

• \(\mathsf{SampP}(1^\lambda , 1^n)\): on input the security parameter and an integer n, outputs public parameters \(\mathsf {pp}\) and secret parameters \(\mathsf {sp}\) such that:

  \(\circ \):

  The public parameters, \(\mathsf {pp}\), include a triple of abelian groups \((\mathsf{G},\mathsf{H},\mathsf{G}_{\mathsf{t}})\) (that are \(\mathbb {Z}_p\)-modules for some \(\lambda \)-bits prime p), a non-degenerate bilinear map \(e : \mathsf{G}\times \mathsf{H}\rightarrow \mathsf{G}_{\mathsf{t}}\), an homomorphism \(\mu \) (defined over \(\mathsf{H}\)) and additional parameters required by \(\mathsf{SampP}\) and \(\mathsf{SampH}\).

  \(\circ \):

  Given \(\mathsf {pp}\), it is possible to uniformly sample to \(\mathsf{H}\).

  \(\circ \):

  The secret parameters, \(\mathsf {sp}\), include a distinguished element \(h^* \in \mathsf{H}\) (different from the unit) and additional parameters required by and .

• \(\mathsf{SampG}(\mathsf {pp})\) and output an element from \(\mathsf{G}^{n{+}1}\).

• \(\mathsf{SampH}(\mathsf {pp})\) and output an element from \(\mathsf{H}^{n{+}1}\).

• \(\mathsf{SampGT}\) is a function defined from \(\mathrm{Im}(\mu )\) to \(\mathsf{G}_{\mathsf{t}}\).

Additional conditions are required for correctness and security:

• projective: For all public parameters, \(\mathsf {pp}\), every \(h \in \mathsf{H}\) and all coin tosses \(\sigma \), it holds \(\mathsf{SampGT}(\mu (h); \sigma ) = e(g_0, h)\), where \((g_0, g_1,\dots ,g_n) \leftarrow \mathsf{SampG}(\mathsf {pp}; r)\).

• associative: Let \((g_0,g_1,\dots ,g_n) \leftarrow \mathsf{SampG}(\mathsf {pp})\), \((h_0,h_1,\dots ,h_n) \leftarrow \mathsf{SampH}(\mathsf {pp})\), it holds \(e(g_0, h_i) = e(g_i, h_0)\) for every \(i \in [n]\).

• \(\mathsf{H}\)-subgroup: \(\mathsf{SampH}(\mathsf {pp})\) is the uniform distribution over a subgroup of \(\mathsf{H}^{n{+}1}\).

• orthogonality: \(h^* \in \mathrm{Kernel}(\mu )\).

• non-degeneracy: For every \((h_0,h_1,\dots ,h_n) \leftarrow \mathsf{SampH}(\mathsf {pp})\), \(h^* \in \langle h_0 \rangle \). Furthermore, for every , .

• left-subgroup indistinguishability: \((\mathsf {pp},\, \varvec{g}) \approx _{c}(\mathsf {pp},\, \varvec{g}{\cdot } \varvec{\hat{g}})\).

• right-subgroup indistinguishability: \((\mathsf {pp},\, h^*,\, \varvec{g} {\cdot } \varvec{\hat{g}},\, \varvec{h}) \approx _{c}(\mathsf {pp},\, h^*,\, \varvec{g} {\cdot } \varvec{\hat{g}},\, \varvec{h} {\cdot } \varvec{\hat{h}})\).

• parameter-hiding: \((\mathsf {pp},\, h^*,\, \varvec{\hat{g}},\, \varvec{\hat{h}}) \equiv (\mathsf {pp},\, h^*,\, \varvec{\hat{g}}{\cdot }\varvec{\hat{g}'},\, \varvec{\hat{h}}{\cdot }\varvec{\hat{h}'})\).

Where, \(\approx _{c}\) denotes a distinguishing probability upper-bounded by a negligible function on \(\lambda \) and, for any \(n \in \mathbb {N}\), the above elements are sampled as:

$$\begin{aligned} (\mathsf {pp},\mathsf {sp}) \leftarrow \mathsf{SampP}(1^\lambda ,1^n) \end{aligned}$$

for .

Remark. Observe that we have presented the version of dual system groups defined in [15]. Other works consider slightly different conditions (e.g., the non-degeneracy of [1]). However, the widely used instantiation of DSG from k-lin given in [15] also satisfies the properties of those variations.

ABE from Pair Encodings

Given a pair encoding scheme \(\{\mathsf{Param}, \mathsf{EncKey}, \mathsf{EncCt}, \mathsf{Pair}\}\) (see Definition 2) for a predicate family \(P_{\kappa } : \mathcal{X}_{\kappa } \times \mathcal{Y}_{\kappa } \rightarrow \{0,1\}\) indexed by \(\kappa = (N,\mathsf{par})\) (let \(\lambda = |N|\)), an attribute-based encryption scheme can be constructed as follows:

• \(\mathsf{Setup}(1^\lambda ,\mathcal{X}_{\kappa },\mathcal{Y}_{\kappa })\): let \(n \leftarrow \mathsf{Param}(\mathsf{par})\) and run the DSG generation algorithm \(\mathsf{SampP}(1^\lambda , 1^n)\) to obtain \(\mathsf {pp}\) and \(\mathsf {sp}\). Let and . Output \((\mathsf {mpk}, \mathsf {msk})\).

• \(\mathsf{Enc}(\mathsf {mpk}, x)\): run \(\mathsf{EncCt}(N,x)\) to obtain polynomials \(\varvec{c}_x(\varvec{s},\varvec{\hat{s}},\varvec{b})\). For every \(\ell \in [w_3]\), let the \(\ell \)-th polynomial in \(\varvec{c}_x\) be

  

  for some coefficients and in \(\mathbb {Z}_p\). Now, run \(\mathsf{SampG}\) to produce

  $$\begin{aligned} (\hat{g}_{\{i,0\}}, \hat{g}_{\{i,1\}},\dots ,\hat{g}_{\{i,n\}})&\leftarrow \mathsf{SampG}(\mathsf {pp}) \qquad \text { for }i \in [w_2] \\ (g_{\{i,0\}}, g_{\{i,1\}},\dots ,g_{\{i,n\}})&\leftarrow \mathsf{SampG}(\mathsf {pp}) \qquad \text { for }i \in [0,w_1{-}1] \\ (g_{\{0,0\}}, g_{\{0,1\}},\dots ,g_{\{0,n\}})&\leftarrow \mathsf{SampG}(\mathsf {pp}; \sigma ) \end{aligned}$$

  Observe that we have made explicit the coin tosses, \(\sigma \), used in the last sampling. Setup and define the symmetric encryption key as , where for every \(i \in [0,w_1{-}1]\); and for every \(\ell \in [w_3]\), is computed as

  

  Output \((\mathsf {ct}_x, \tau )\).

• \(\mathsf{KeyGen}(\mathsf {msk},y)\): run \(\mathsf{EncKey}(N,y)\) to obtain polynomials \(\varvec{k}_y(\varvec{r},\varvec{\hat{r}},\varvec{b})\). For every \(\ell \in [m_3]\), let the \(\ell \)-th polynomial in \(\varvec{k}_y\) be

  

  for some coefficients , and in \(\mathbb {Z}_p\). Now, run \(\mathsf{SampH}\) to produce

  $$\begin{aligned} (\hat{h}_{\{i,0\}}, \hat{h}_{\{i,1\}},\dots ,\hat{h}_{\{i,n\}})&\leftarrow \mathsf{SampH}(\mathsf {pp}) \qquad \text { for }i \in [m_2] \\ (h_{\{i,0\}}, h_{\{i,1\}},\dots ,h_{\{i,n\}})&\leftarrow \mathsf{SampH}(\mathsf {pp}) \qquad \text { for }i \in [m_1] \end{aligned}$$

  Define the secret key as , where for every \(i \in [m_1]\); and for every \(\ell \in [m_3]\), is computed as

  

  Output \(\mathsf {sk}_y\).

• \(\mathsf{Dec}(\mathsf {mpk},\mathsf {sk}_y,\mathsf {ct}_x,x)\): run \(\mathsf{Pair}(N,x,y)\) to obtain matrices \(E, E'\) (note that y is assumed to be extractable from \(\mathsf {sk}_y\), whereas x is explicitly included as an input to \(\mathsf{Dec}\)). Define:

  

  Output the symmetric encryption key \(\tau \).