Fully Secure Lattice-Based ABE from Noisy Linear Functional Encryption

Abstract

Constructing lattice-based fully secure attribute-based encryption (ABE) has always been a challenging task. Although there are many selective secure ABE schemes from the hardness of learning with errors (LWE) problem, it is hard to extend them to fully security, since the dual system technique in pairing-based cryptography cannot be applied to lattice-based constructions.

In this paper, we take a different approach: constructing fully secure ABE from another primitive called noisy linear functional encryption (NLinFE) which can be constructed from LWE problem. We give a fully secure ciphertext-policy ABE scheme for CNF formulae which security relies on the security of NLinFE and hardness of LWE. Since current constructions for NLinFE only satisfy bounded collusion security, our resulting scheme is also bounded collusion only, but it can be easily extended into unbounded security if unbounded NLinFE can be shown to exist. Also, since existing NLinFE schemes are inefficient, we give a new construction for NLinFE with better efficiency, hence our ABE construction is more efficient than other existing bounded collusion ABE/FE schemes.

Appendices

A Proof of Lemma 2.5

We first give the following lemma which is proven in [20, 32].

Lemma A.1

[20].

For any \(\epsilon \in (0,1)\), there exists \(\eta >0\), such that for \(s\ge \eta \), \(\rho _s(\varLambda ^\bot _\mathbf {u}(\mathbf {A}))\in [\frac{1-\epsilon }{1+\epsilon },1]\cdot \rho _s(\varLambda ^\bot _\mathbf {0}(\mathbf {A}))\).

By Lemma 2.1, we have that the distribution of \(\mathbf {x}\) is statistically close to \(D_{\varLambda ^\bot _\mathbf {u}(\mathbf {A}),s}\). So we only need to show that the distribution of \(\mathbf {x}'\) is statistically close to \(D_{\varLambda ^\bot _\mathbf {u}(\mathbf {A}'),s}\).

It is easy to see that \(\{\varLambda ^\bot _{(\mathbf {u}^T|\mathbf {b}^T)^T}(\mathbf {A}')\}_{\mathbf {b}\in \mathbb {Z}_q^{n'-n}}\) forms a partition of the lattice co-set \(\varLambda _\mathbf {u}^\bot (\bar{\mathbf {A}})\). So by the definition of discrete Gaussian, we have that, for any \(\mathbf {c}\in \varLambda ^\bot _\mathbf {u}(\mathbf {A}')\), let \(\mathbf {b}=\tilde{\mathbf {A}}\mathbf {c}\), we have \(Pr(\mathbf {x}=\mathbf {c})=q^{-(n'-n)}\rho _s(\mathbf {c})/\rho _s(\varLambda ^\bot _{(\mathbf {u}^T|\mathbf {b}^T)^T}(\mathbf {A}'))\). For a negligible \(\epsilon \), we choose s satisfies Lemma A.1. Then we have that for any \(\mathbf {b}'\), \(\rho _s(\varLambda ^\bot _{(\mathbf {u}^T|\mathbf {b}^T)^T}(\mathbf {A}'))/\rho _s(\varLambda ^\bot _{(\mathbf {u}^T|\mathbf {b'}^T)^T}(\mathbf {A}'))\in [\frac{1-\epsilon }{1+\epsilon },\frac{1+\epsilon }{1-\epsilon }]\).

By definition, we have:

$$\begin{aligned} D_{\varLambda ^\bot _\mathbf {u}(\mathbf {A}'),s}(\mathbf {c})=\frac{\rho _s(\mathbf {c})}{\rho _s(\varLambda ^\bot _{\mathbf {u}}(\bar{\mathbf {A}}))} =\frac{\rho _s(\mathbf {c})}{\sum _{\mathbf {b'}^T\in \mathbb {Z}_q^{n'-n}}\rho _s(\varLambda ^\bot _{(\mathbf {u}^T|\mathbf {b'}^T)^T}(\mathbf {A}'))}. \end{aligned}$$

So:

$$\begin{aligned} \frac{1-\epsilon }{1+\epsilon }\cdot \frac{\rho _s(\mathbf {c})}{q^{n'-n}\rho _s(\varLambda ^\bot _{(\mathbf {u}^T|\mathbf {b}^T)^T}(\mathbf {A}'))} \le D_{\varLambda ^\bot _\mathbf {u}(\mathbf {A}'),s}(\mathbf {c})\le \frac{1+\epsilon }{1-\epsilon }\cdot \frac{\rho _s(\mathbf {c})}{q^{n'-n}\rho _s(\varLambda ^\bot _{(\mathbf {u}^T|\mathbf {b}^T)^T}(\mathbf {A}'))}. \end{aligned}$$

Now we have that the statistical distance between the two distributions is no more than \(2\epsilon \), thus we have our result.

B Proof of Theorem 3.1

We prove this by a sequence of interactive games. Let Game 0 be the full security game defined above.

Game 1: Instead of \(\mathbf {c}_1=\mathbf {U}\cdot \mathbf {s}+\mathbf {e}_1+\mathbf {y}_\beta \), we compute \(\mathbf {c}_1=\mathbf {Z}\cdot \mathbf {c}_0-\mathbf {Z}\cdot \mathbf {e}_0+\mathbf {e}_1+\mathbf {y}_\beta \). Game 1 is the same as Game 0.

Game 2: In Game 2, \(\mathbf {c}_0\) is chosen uniform randomly from \(\mathbb {Z}_q^m\) instead of \(\mathbf {As+e}_0\). Game 2 is indistinguishable from Game 1 by the hardness of mheLWE.

Now, we remain to prove that in Game 2, the distinguishing advantage for any adversary is negligible. Let \(\mathbf {x}_1,...,\mathbf {x}_\kappa \) be the largest set of independent vectors in the key query, and we write \(\mathbf {X}=(\mathbf {x}_1|...|\mathbf {x}_\kappa )\), and \(\kappa \le k\). We write the ciphertext \(ct_\beta =(\mathbf {c}_0,\mathbf {c}_1^\beta )\). By the construction of our scheme, we only need to show that any adversary cannot distinguish between \((\mathbf {A,ZA,X,XZ,c}_0,\mathbf {c}_1^0)\) and \((\mathbf {A,ZA,X,XZ,c}_0,\mathbf {c}_1^1)\) with non-negligible probability.

Let \(\mathbf {y}=\mathbf {c}_1^0-\mathbf {c}_1^1={\mathbf {y}_0-\mathbf {y}_1\atopwithdelims ()\alpha _0-\alpha _1}\) for \(\alpha _0,\alpha _1\leftarrow \mathbb {Z}_q\). Since the last row of \(\mathbf {X}\) is 0, so \(\mathbf {y}\) is linearly independent with \(\mathbf {X}\) except for a negligible probability. We find a short solution \(\mathbf {t}\), such that \(\mathbf {X}^T\mathbf {t}=0\), \(\mathbf {y}^T\mathbf {t}\ne 0\), the coefficients of \(\mathbf {t}\) is co-prime, and \(\Vert \mathbf {t}\Vert =O(\mathrm {poly}(n))\). The solution exists by Siegel’s Lemma. We append vectors orthogonal to \(\mathbf {t},\mathbf {y}\) and linear independent with \(\mathbf {X}\) to form a invertible \(n\times n\) matrix (modulus q), written as \(\bar{\mathbf {X}}=(\mathbf {X}|\mathbf {y}|\mathbf {X}')\).

Given the invertible matrix \(\bar{\mathbf {X}}\), we have that \((\mathbf {A,ZA,X,XZ,c}_0,\mathbf {c}_1^0)\) and \((\mathbf {A,ZA,X,XZ,c}_0,\mathbf {c}_1^1)\) are indistinguishable if and only if \((\mathbf {A,ZA,X,XZ,}\mathbf {c}_0,\bar{\mathbf {X}}^T\mathbf {c}_1^0)\) and \((\mathbf {A,ZA,X,XZ,c}_0,\bar{\mathbf {X}}^T\mathbf {c}_1^1)\) are indistinguishable.

We then write \(\bar{\mathbf {X}}^T\mathbf {c}_1^\beta \) as \((\mathbf {X}^T\mathbf {c}_1^\beta ,\mathbf {X'}^T\mathbf {c}_1^\beta ,\mathbf {y}^T\mathbf {c}_1^\beta )\). By the choice of \(\mathbf {X}'\), we have that \(\mathbf {X'}^T\mathbf {c}_1^0=\mathbf {X'}^T\mathbf {c}_1^1\).

By the definition of \(\beta \)-indistinguishability-based security, we have that \(|\langle \mathbf {x}_i,\mathbf {y}_0\rangle -\langle \mathbf {x}_i,\mathbf {y}_0\rangle |\le \beta \). So we have that \(\mathbf {X}^T\mathbf {c}_1^0=\mathbf {X}^T\mathbf {Z}(\mathbf {c}_0-\mathbf {e}_0)+\mathbf {X}^T\mathbf {e}_1+\mathbf {X}^T\mathbf {y}_0= \mathbf {X}^T\mathbf {Z}(\mathbf {c}_0-\mathbf {e}_0)+\mathbf {X}^T\mathbf {e}_1+\mathbf {X}^T\mathbf {y}_1+\mathbf {b}\) where \(\Vert \mathbf {b}\Vert _\infty \le \beta \). By the lemma below, we show that \(\mathbf {X}^T\mathbf {e}_1\) is indistinguishable from \(\mathbf {X}^T\mathbf {e}_1+\mathbf {b}\).

Lemma B.1

Given \(\mathbf {A}\in \mathbb {Z}^{n\times m}\), where each row of \(\mathbf {A}\) is independently sampled from \(D_{\mathbb {Z}^m,\sigma }\), \(\sigma =O(\mathrm {poly}(n))\), \(m\ge 3n\), \(\mathbf {b}\in \mathbb {Z}^n\), and \(\Vert \mathbf {b}\Vert _\infty \le \beta =O(\mathrm {poly}(n))\). Then there exists \(\mathbf {x}\in \mathbb {Z}^m\) and \(\Vert \mathbf {x}\Vert _\infty \le \delta =O(\mathrm {poly}(n))\) such that \(\mathbf {A}\mathbf {x}=\mathbf {b}\) except for a negligible probability.

Proof

This proof is using standard methods in linear algebra and number theory, we only give a proof sketch due to the page limits.

The proof consists of the several steps:

• For \(\mathbf {A}\in \mathbb {Z}^{n\times m}\), show that \(\mathbf {Ax=b}\) has an integer solution iff the determinants of all \(n\times n\) sub-matrixes of \(\mathbf {A}\) are co-prime. This is proven by constructing the elementary row/column transformations that transform \(\mathbf {A}\) into \(\mathbf {I|0}\).

• Show that for \(\mathbf {A}\) sampled as defined and each prime \(p<q\), the probability that the determinants of all \(n\times n\) sub-matrixes of \(\mathbf {A}\) are a multiple of p is negligible, hence the probability of \(\mathbf {Ax=b}\) has no integer solution is negligible. This is proven by induction on n: as long as there is at least one \((k-1)\times (k-1)\) sub-matrix of \(\mathbf {A}\) which determinant is not a multiple of p, there is at least one \(k\times k\) sub-matrix which determinant is not a multiple of p except for a negligible probability.

• We write \(\mathbf {A}_0\) as the first \(n-1\) rows of \(\mathbf {A}\), and \(\mathbf {a}^T\) as the last row of \(\mathbf {A}\). Using Siegel’s lemma, \(\mathbf {A}_0\mathbf {x=0}\) has a set of linear independent solutions with norm at most \(\mathrm {poly}(n)\), we write them as \(\mathbf {x}_1,...,\mathbf {x}_{m-n+1}\). Let \(c_i=\mathbf {a}^T\mathbf {x}_i\), then \(c_i=\mathrm {poly}(n)\) and \(c_1,...,c_{m-n+1}\) are co-prime (otherwise there is no integer solution for \(\mathbf {Ax=e}_n\), \(\mathbf {e}_n=(0,...,0,1)^T\)). By Bezout’s lemma, we construct \(d_1,...,d_{m-n+1}\) such that \(d_i=\mathrm {poly}(n)\) and \(c_1d_1+...+c_{m-n+1}d_{m-n+1}=1\), so \(d_1\mathbf {x}_1+...+d_{m-n+1}\mathbf {x}_{m-n+1}\) is an integer solution of \(\mathbf {Ax=e}_n\) with norm at most \(\mathrm {poly}(n)\).

• Similarly, we construct integer solutions for \(\mathbf {Ax=e}_i\) for \(i\in [n]\), and use them to construct a solution for \(\mathbf {Ax=b}\) with norm at most \(\mathrm {poly}(n)\).

   \(\square \)

Now we find \(\mathbf {r}\) such that \(\mathbf {X}^T\mathbf {r}=\mathbf {b}\) and \(\Vert \mathbf {r}\Vert _\infty \le \delta \), and we can write \(\mathbf {X}^T\mathbf {e}_1+\mathbf {b}\) as \(\mathbf {X}^T(\mathbf {e}_1+\mathbf {r})\). So we only need to show that \(\mathbf {e}_1\) and \(\mathbf {e}_1+\mathbf {r}\) are indistinguishable. By Lemma 2.3, we can choose large enough \(\sigma '\) such that \(\mathbf {e}_1\) is statistical indistinguishable from \(\mathbf {e}_1+\mathbf {r}\).

We write \(\mathbf {X}_{top}=(\mathbf {X}|\mathbf {X}')\). Now we only need to show that given \(\mathbf {A,ZA,X,X}^T\mathbf {Z,c}_0,\mathbf {X}_{top}^T\mathbf {c}_1^0\), \(\mathbf {y}^T\mathbf {c}_1^0\) is indistinguishable from \(\mathbf {y}^T\mathbf {c}_1^1\). The discussion is exactly the same as Theorem 2 in [5], except that the vector orthogonal to \(\mathbf {X}_{top}\) here is \(\mathbf {t}\), instead of \(\mathbf {y}\). We omit the details here due to the page limits.