Abstract
Constructing lattice-based fully secure attribute-based encryption (ABE) has always been a challenging task. Although there are many selectively secure ABE schemes based on the hardness of the learning with errors (LWE) problem, it is hard to extend them to full security, since the dual system technique in pairing-based cryptography cannot be applied to lattice-based constructions.
In this paper, we take a different approach: constructing fully secure ABE from another primitive called noisy linear functional encryption (NLinFE), which can be constructed from the LWE problem. We give a fully secure ciphertext-policy ABE scheme for CNF formulae whose security relies on the security of NLinFE and the hardness of LWE. Since current constructions for NLinFE only satisfy bounded collusion security, our resulting scheme is also bounded collusion only, but it can be easily extended to unbounded security if unbounded NLinFE can be shown to exist. Also, since existing NLinFE schemes are inefficient, we give a new construction for NLinFE with better efficiency; hence our ABE construction is more efficient than other existing bounded collusion ABE/FE schemes.
References
Agrawal, S.: Indistinguishability obfuscation without multilinear maps: new methods for bootstrapping and instantiation. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 191–225. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_7
Agrawal, S., Boneh, D., Boyen, X.: Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 98–115. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_6
Agrawal, S., Boyen, X., Vaikuntanathan, V., Voulgaris, P., Wee, H.: Functional encryption for threshold functions (or fuzzy IBE) from lattices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 280–297. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_17
Agrawal, S., Freeman, D.M., Vaikuntanathan, V.: Functional encryption for inner product predicates from learning with errors. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 21–40. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_2
Agrawal, S., Libert, B., Stehlé, D.: Fully secure functional encryption for inner products, from standard assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 333–362. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_12
Agrawal, S., Pellet-Mary, A.: Indistinguishability obfuscation without maps: attacks and fixes for noisy linear FE. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 110–140. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_5
Agrawal, S., Rosen, A.: Functional encryption for bounded collusions, revisited. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 173–205. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_7
Ananth, P., Vaikuntanathan, V.: Optimal bounded-collusion secure functional encryption. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11891, pp. 174–198. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_8
Attrapadung, N.: Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 557–577. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_31
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, pp. 321–334 (2007)
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14
Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
Boyen, X.: Attribute-based functional encryption on lattices. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 122–142. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_8
Boyen, X., Li, Q.: Towards tightly secure lattice short signature and id-based encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 404–434. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_14
Brakerski, Z., Vaikuntanathan, V.: Circuit-ABE from LWE: unbounded attributes and semi-adaptive security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 363–384. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_13
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_27
Chen, J., Gong, J., Kowalczyk, L., Wee, H.: Unbounded ABE via bilinear entropy expansion, revisited. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 503–534. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_19
Cheung, L., Newport, C.: Provably secure ciphertext policy ABE. In: Proceedings of the 14th ACM conference on Computer and Communications Security, pp. 456–465 (2007)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Symposium on the Theory of Computing, pp. 197–206 (2008)
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Symposium on Theory of Computing Conference, STOC 2013, pp. 555–564 (2013)
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_11
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Symposium on the Theory of Computing, pp. 545–554 (2013)
Goyal, R., Koppula, V., Waters, B.: Semi-adaptive security and bundling functionalities made generic and easy. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 361–388. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_14
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security 2006, pp. 89–98 (2006)
Katsumata, S., Nishimaki, R., Yamada, S., Yamakawa, T.: Adaptively secure inner product encryption from LWE. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 375–404. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_13
Kowalczyk, L., Lewko, A.B.: Bilinear entropy expansion from the decisional linear assumption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 524–541. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_26
Kowalczyk, L., Wee, H.: Compact adaptively secure ABE for \(\sf NC^1\) from k-Lin. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 3–33. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_1
Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4
Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_12
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 195–203 (2007)
Regev, O.: New lattice-based cryptographic constructions. J. ACM (JACM) 51(6), 899–942 (2004)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)
Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 463–474 (2013)
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27
Tsabary, R.: Fully secure attribute-based encryption for t-CNF from LWE. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 62–85. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_3
Wang, Z., Fan, X., Liu, F.-H.: FE for inner products and its application to decentralized ABE. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11443, pp. 97–127. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17259-6_4
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36
Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_4
Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_26
Yamada, S.: Adaptively secure identity-based encryption from lattices with asymptotically shorter public parameters. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 32–62. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_2
Acknowledgements
This work is partially supported by the National Natural Science Foundation of China (No. 62072305, No. 61672339), the National Cryptography Development Fund (No. MMJJ20170111), and the Foundation of Science and Technology on Information Assurance Laboratory (No. KJ-17-109).
Appendices
A Proof of Lemma 2.5
We first give the following lemma which is proven in [20, 32].
Lemma A.1 [20]
For any \(\epsilon \in (0,1)\), there exists \(\eta >0\), such that for \(s\ge \eta \), \(\rho _s(\varLambda ^\bot _\mathbf {u}(\mathbf {A}))\in [\frac{1-\epsilon }{1+\epsilon },1]\cdot \rho _s(\varLambda ^\bot _\mathbf {0}(\mathbf {A}))\).
By Lemma 2.1, we have that the distribution of \(\mathbf {x}\) is statistically close to \(D_{\varLambda ^\bot _\mathbf {u}(\mathbf {A}),s}\). So we only need to show that the distribution of \(\mathbf {x}'\) is statistically close to \(D_{\varLambda ^\bot _\mathbf {u}(\mathbf {A}'),s}\).
It is easy to see that \(\{\varLambda ^\bot _{(\mathbf {u}^T|\mathbf {b}^T)^T}(\mathbf {A}')\}_{\mathbf {b}\in \mathbb {Z}_q^{n'-n}}\) forms a partition of the lattice co-set \(\varLambda _\mathbf {u}^\bot (\bar{\mathbf {A}})\). So by the definition of the discrete Gaussian, for any \(\mathbf {c}\in \varLambda ^\bot _\mathbf {u}(\mathbf {A}')\), letting \(\mathbf {b}=\tilde{\mathbf {A}}\mathbf {c}\), we have \(Pr(\mathbf {x}=\mathbf {c})=q^{-(n'-n)}\rho _s(\mathbf {c})/\rho _s(\varLambda ^\bot _{(\mathbf {u}^T|\mathbf {b}^T)^T}(\mathbf {A}'))\). For a negligible \(\epsilon \), we choose s satisfying Lemma A.1. Then for any \(\mathbf {b}'\), \(\rho _s(\varLambda ^\bot _{(\mathbf {u}^T|\mathbf {b}^T)^T}(\mathbf {A}'))/\rho _s(\varLambda ^\bot _{(\mathbf {u}^T|\mathbf {b'}^T)^T}(\mathbf {A}'))\in [\frac{1-\epsilon }{1+\epsilon },\frac{1+\epsilon }{1-\epsilon }]\).
By definition, we have:
So:
Now we have that the statistical distance between the two distributions is no more than \(2\epsilon \), thus we have our result.
B Proof of Theorem 3.1
We prove this by a sequence of interactive games. Let Game 0 be the full security game defined above.
Game 1: Instead of \(\mathbf {c}_1=\mathbf {U}\cdot \mathbf {s}+\mathbf {e}_1+\mathbf {y}_\beta \), we compute \(\mathbf {c}_1=\mathbf {Z}\cdot \mathbf {c}_0-\mathbf {Z}\cdot \mathbf {e}_0+\mathbf {e}_1+\mathbf {y}_\beta \). Game 1 is the same as Game 0.
Game 2: In Game 2, \(\mathbf {c}_0\) is chosen uniformly at random from \(\mathbb {Z}_q^m\) instead of \(\mathbf {As+e}_0\). Game 2 is indistinguishable from Game 1 by the hardness of mheLWE.
It remains to prove that in Game 2, the distinguishing advantage of any adversary is negligible. Let \(\mathbf {x}_1,...,\mathbf {x}_\kappa \) be the largest set of independent vectors in the key query, and we write \(\mathbf {X}=(\mathbf {x}_1|...|\mathbf {x}_\kappa )\), and \(\kappa \le k\). We write the ciphertext \(ct_\beta =(\mathbf {c}_0,\mathbf {c}_1^\beta )\). By the construction of our scheme, we only need to show that no adversary can distinguish between \((\mathbf {A,ZA,X,XZ,c}_0,\mathbf {c}_1^0)\) and \((\mathbf {A,ZA,X,XZ,c}_0,\mathbf {c}_1^1)\) with non-negligible probability.
Let \(\mathbf {y}=\mathbf {c}_1^0-\mathbf {c}_1^1=\binom{\mathbf {y}_0-\mathbf {y}_1}{\alpha _0-\alpha _1}\) for \(\alpha _0,\alpha _1\leftarrow \mathbb {Z}_q\). Since the last row of \(\mathbf {X}\) is 0, \(\mathbf {y}\) is linearly independent of \(\mathbf {X}\) except with negligible probability. We find a short solution \(\mathbf {t}\) such that \(\mathbf {X}^T\mathbf {t}=0\), \(\mathbf {y}^T\mathbf {t}\ne 0\), the coefficients of \(\mathbf {t}\) are co-prime, and \(\Vert \mathbf {t}\Vert =O(\mathrm {poly}(n))\). The solution exists by Siegel’s Lemma. We append vectors orthogonal to \(\mathbf {t},\mathbf {y}\) and linearly independent of \(\mathbf {X}\) to form an invertible \(n\times n\) matrix (modulo q), written as \(\bar{\mathbf {X}}=(\mathbf {X}|\mathbf {y}|\mathbf {X}')\).
Given the invertible matrix \(\bar{\mathbf {X}}\), we have that \((\mathbf {A,ZA,X,XZ,c}_0,\mathbf {c}_1^0)\) and \((\mathbf {A,ZA,X,XZ,c}_0,\mathbf {c}_1^1)\) are indistinguishable if and only if \((\mathbf {A,ZA,X,XZ,}\mathbf {c}_0,\bar{\mathbf {X}}^T\mathbf {c}_1^0)\) and \((\mathbf {A,ZA,X,XZ,c}_0,\bar{\mathbf {X}}^T\mathbf {c}_1^1)\) are indistinguishable.
We then write \(\bar{\mathbf {X}}^T\mathbf {c}_1^\beta \) as \((\mathbf {X}^T\mathbf {c}_1^\beta ,\mathbf {X'}^T\mathbf {c}_1^\beta ,\mathbf {y}^T\mathbf {c}_1^\beta )\). By the choice of \(\mathbf {X}'\), we have that \(\mathbf {X'}^T\mathbf {c}_1^0=\mathbf {X'}^T\mathbf {c}_1^1\).
By the definition of \(\beta \)-indistinguishability-based security, we have that \(|\langle \mathbf {x}_i,\mathbf {y}_0\rangle -\langle \mathbf {x}_i,\mathbf {y}_1\rangle |\le \beta \). So we have that \(\mathbf {X}^T\mathbf {c}_1^0=\mathbf {X}^T\mathbf {Z}(\mathbf {c}_0-\mathbf {e}_0)+\mathbf {X}^T\mathbf {e}_1+\mathbf {X}^T\mathbf {y}_0= \mathbf {X}^T\mathbf {Z}(\mathbf {c}_0-\mathbf {e}_0)+\mathbf {X}^T\mathbf {e}_1+\mathbf {X}^T\mathbf {y}_1+\mathbf {b}\) where \(\Vert \mathbf {b}\Vert _\infty \le \beta \). By the lemma below, we show that \(\mathbf {X}^T\mathbf {e}_1\) is indistinguishable from \(\mathbf {X}^T\mathbf {e}_1+\mathbf {b}\).
Lemma B.1
Let \(\mathbf {A}\in \mathbb {Z}^{n\times m}\), where each row of \(\mathbf {A}\) is independently sampled from \(D_{\mathbb {Z}^m,\sigma }\), \(\sigma =O(\mathrm {poly}(n))\), \(m\ge 3n\), and let \(\mathbf {b}\in \mathbb {Z}^n\) with \(\Vert \mathbf {b}\Vert _\infty \le \beta =O(\mathrm {poly}(n))\). Then, except with negligible probability, there exists \(\mathbf {x}\in \mathbb {Z}^m\) with \(\Vert \mathbf {x}\Vert _\infty \le \delta =O(\mathrm {poly}(n))\) such that \(\mathbf {A}\mathbf {x}=\mathbf {b}\).
Proof
The proof uses standard methods from linear algebra and number theory; we only give a proof sketch due to page limits.
The proof consists of the following steps:
- For \(\mathbf {A}\in \mathbb {Z}^{n\times m}\), show that \(\mathbf {Ax=b}\) has an integer solution iff the determinants of all \(n\times n\) sub-matrices of \(\mathbf {A}\) are co-prime. This is proven by constructing the elementary row/column transformations that transform \(\mathbf {A}\) into \(\mathbf {I|0}\).
- Show that for \(\mathbf {A}\) sampled as defined and each prime \(p<q\), the probability that the determinants of all \(n\times n\) sub-matrices of \(\mathbf {A}\) are a multiple of p is negligible, hence the probability that \(\mathbf {Ax=b}\) has no integer solution is negligible. This is proven by induction on n: as long as there is at least one \((k-1)\times (k-1)\) sub-matrix of \(\mathbf {A}\) whose determinant is not a multiple of p, there is at least one \(k\times k\) sub-matrix whose determinant is not a multiple of p, except with negligible probability.
- We write \(\mathbf {A}_0\) for the first \(n-1\) rows of \(\mathbf {A}\), and \(\mathbf {a}^T\) for the last row of \(\mathbf {A}\). By Siegel’s lemma, \(\mathbf {A}_0\mathbf {x=0}\) has a set of linearly independent solutions with norm at most \(\mathrm {poly}(n)\); we write them as \(\mathbf {x}_1,...,\mathbf {x}_{m-n+1}\). Let \(c_i=\mathbf {a}^T\mathbf {x}_i\); then \(c_i=\mathrm {poly}(n)\) and \(c_1,...,c_{m-n+1}\) are co-prime (otherwise there is no integer solution for \(\mathbf {Ax=e}_n\), \(\mathbf {e}_n=(0,...,0,1)^T\)). By Bezout’s lemma, we construct \(d_1,...,d_{m-n+1}\) such that \(d_i=\mathrm {poly}(n)\) and \(c_1d_1+...+c_{m-n+1}d_{m-n+1}=1\), so \(d_1\mathbf {x}_1+...+d_{m-n+1}\mathbf {x}_{m-n+1}\) is an integer solution of \(\mathbf {Ax=e}_n\) with norm at most \(\mathrm {poly}(n)\).
- Similarly, we construct integer solutions for \(\mathbf {Ax=e}_i\) for \(i\in [n]\), and use them to construct a solution for \(\mathbf {Ax=b}\) with norm at most \(\mathrm {poly}(n)\).
\(\square \)
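The first step of the sketch (integer column transformations that bring \(\mathbf {A}\) to triangular form, and the link between solvability of \(\mathbf {Ax=b}\) and the gcd of the \(n\times n\) minors) can be run on small matrices. The code below is an added example, not part of the paper: the function names and sample matrices are constructed for illustration, it works for any integer matrix, and it makes no attempt to bound the norm of the solution as steps three and four do.

```python
from math import prod

def add_col(M, dst, src, k):
    """Unimodular column operation: col[dst] += k * col[src]."""
    for row in M:
        row[dst] += k * row[src]

def swap_col(M, i, j):
    for row in M:
        row[i], row[j] = row[j], row[i]

def column_reduce(A):
    """Return (H, U, pivots) with H = A*U, U unimodular over Z and H in
    lower-triangular column echelon form; pivots[r] is row r's pivot column."""
    n, m = len(A), len(A[0])
    H = [row[:] for row in A]
    U = [[int(i == j) for j in range(m)] for i in range(m)]
    pivots, col = [], 0
    for r in range(n):
        while True:  # Euclid's algorithm across row r, columns col..m-1
            nz = [j for j in range(col, m) if H[r][j] != 0]
            if len(nz) <= 1:
                break
            p = min(nz, key=lambda j: abs(H[r][j]))
            for j in nz:
                if j != p:
                    k = -(H[r][j] // H[r][p])
                    add_col(H, j, p, k)
                    add_col(U, j, p, k)
        if nz:
            swap_col(H, col, nz[0])
            swap_col(U, col, nz[0])
            pivots.append(col)
            col += 1
        else:
            pivots.append(None)  # row depends on earlier rows
    return H, U, pivots

def minor_gcd(A):
    """gcd of all n x n minors of A: |product of pivots|, or 0 if rank < n."""
    H, _, pivots = column_reduce(A)
    if None in pivots:
        return 0
    return abs(prod(H[r][c] for r, c in enumerate(pivots)))

def solve_integer(A, b):
    """Return an integer x with A x = b, or None if no integer solution exists."""
    H, U, pivots = column_reduce(A)
    m = len(A[0])
    z = [0] * m
    for r, pc in enumerate(pivots):  # forward substitution on H z = b
        rest = b[r] - sum(H[r][j] * z[j] for j in range(m) if j != pc)
        if pc is None:
            if rest != 0:
                return None
        elif rest % H[r][pc] != 0:
            return None  # pivot does not divide: no integer solution
        else:
            z[pc] = rest // H[r][pc]
    return [sum(U[i][j] * z[j] for j in range(m)) for i in range(m)]

def matvec(A, x):
    return [sum(a * v for a, v in zip(row, x)) for row in A]

if __name__ == "__main__":
    A = [[3, 5, 7, 2], [4, -1, 6, 9]]   # constructed sample, co-prime minors
    B = [[2, 0, 0], [0, 2, 0]]          # constructed sample, minors share factor 4
    print(minor_gcd(A), solve_integer(A, [1, -2]))
    print(minor_gcd(B), solve_integer(B, [1, 0]))
```

When `minor_gcd` returns 1 every pivot is ±1, so the forward substitution succeeds for every right-hand side, which is the "if" direction of the first step.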
Now we find \(\mathbf {r}\) such that \(\mathbf {X}^T\mathbf {r}=\mathbf {b}\) and \(\Vert \mathbf {r}\Vert _\infty \le \delta \), and we can write \(\mathbf {X}^T\mathbf {e}_1+\mathbf {b}\) as \(\mathbf {X}^T(\mathbf {e}_1+\mathbf {r})\). So we only need to show that \(\mathbf {e}_1\) and \(\mathbf {e}_1+\mathbf {r}\) are indistinguishable. By Lemma 2.3, we can choose a large enough \(\sigma '\) such that \(\mathbf {e}_1\) is statistically indistinguishable from \(\mathbf {e}_1+\mathbf {r}\).
We write \(\mathbf {X}_{top}=(\mathbf {X}|\mathbf {X}')\). Now we only need to show that given \(\mathbf {A,ZA,X,X}^T\mathbf {Z,c}_0,\mathbf {X}_{top}^T\mathbf {c}_1^0\), \(\mathbf {y}^T\mathbf {c}_1^0\) is indistinguishable from \(\mathbf {y}^T\mathbf {c}_1^1\). The discussion is exactly the same as Theorem 2 in [5], except that the vector orthogonal to \(\mathbf {X}_{top}\) here is \(\mathbf {t}\), instead of \(\mathbf {y}\). We omit the details here due to the page limits.
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Wang, G., Wan, M., Liu, Z., Gu, D. (2021). Fully Secure Lattice-Based ABE from Noisy Linear Functional Encryption. In: Yu, Y., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2021. Lecture Notes in Computer Science(), vol 13007. Springer, Cham. https://doi.org/10.1007/978-3-030-88323-2_23
DOI: https://doi.org/10.1007/978-3-030-88323-2_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88322-5
Online ISBN: 978-3-030-88323-2
eBook Packages: Computer Science (R0)