Efficient Statically-Secure Large-Universe Multi-Authority Attribute-Based Encryption

Abstract

We propose an efficient large-universe multi-authority ciphertext - policy attribute-based encryption system. In a large-universe ABE scheme, any string can be used as an attribute of the system, and these attributes are not necessarily enumerated during setup. In a multi-authority ABE scheme, there is no central authority that distributes the keys to users. Instead, there are several authorities, each of which is responsible for the authorized key distribution of a specific set of attributes. Prior to our work, several schemes have been presented that satisfy one of these two properties but not both.

Our construction achieves maximum versatility by allowing multiple authorities to control the key distribution for an exponential number of attributes. In addition, the ciphertext policies of our system are sufficiently expressive and overcome the restriction that “each attribute is used only once” that constrained previous constructions. Besides versatility, another goal of our work is to increase efficiency and practicality. As a result, we use the significantly faster prime order bilinear groups rather than composite order groups. The construction is non-adaptively secure in the random oracle model under a non-interactive q-type assumption, similar to one used in prior works. Our work extends existing “program-and-cancel” techniques to prove security and introduces two new techniques of independent interest for other ABE constructions. We provide an implementation and some benchmarks of our construction in \(\mathsf {Charm}\), a programming framework developed for rapid prototyping of cryptographic primitives.

Appendices

A “Zero-Out” Lemma

Due to lack of space the proof of the lemma is presented in the full version of the paper [41].

Lemma 1

Let \(A \in \mathbb {Z}_p^{\ell \times n}\) be the secret sharing matrix of a linear secret sharing scheme for an access policy \(\mathbb {A}\) and let \(\mathcal {C} \subseteq [\ell ]\) be a non-authorized set of rows. Let \(c\in \mathbb {N}\) be the dimension of the subspace spanned by the rows of \(\mathcal {C}\).

Then the distribution of the shares \(\{\lambda _x\}_{x\in [\ell ]}\) sharing the secret \(z\in {\mathbb {Z}_p}\) generated with the matrix A is the same as the distribution of the shares \(\{\lambda '_x\}_{x\in [\ell ]}\) sharing the same secret z generated with some matrix \(A'\), where \(A'_{x,j} = 0\) for all \((x,j)\in \mathcal {C}\times [n-c]\) (see Fig. 1).

Fig. 1.

Transformation of the policy matrix A to be used by the simulator. Rows that belong to corrupted authorities are highlighted.

B Bilinear Groups

Our construction works with instantiations of bilinear groups of prime order. Abstractly, let \(\mathbb {G}\) and \(\mathbb {G}_T\) be two multiplicative cyclic groups of prime order p, where the group operation is efficiently computable in the security parameter. Let g be a generator of \(\mathbb {G}\) and \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) be an efficiently computable pairing function that satisfies the following properties:

1. 1.

   Bilinearity: for all \(u,v\in \mathbb {G}\) and \(a,b\in \mathbb {Z}_p\) it is true that \(e(u^a,v^b)=e(u,v)^{ab}\).

2. 2.

   Non-degeneracy: \(e(g,g)\ne \mathbb {1}_{\mathbb {G}_T}\).

The above definition considers the so called symmetric groups, where the two arguments of the pairing belong to the same group. In general, there exist asymmetric bilinear groups, where \(e:\mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\) and \(\mathbb {G}_1\), \(\mathbb {G}_2\), and \(\mathbb {G}_T\) are three different groups of prime order p. Several asymmetric instantiations of bilinear groups possess beneficial properties such as faster operations under the same security level and/or easier hashing to group elements.

C Approximate Security Level of all \(\mathsf {Charm}\) Elliptic Curves

In Table 2 we present the approximate security levels of all the elliptic curves supported by \(\mathsf {Charm}\). Although the results of the table do not necessarily translate to the security level of our assumption (or the various assumptions of the other ABE schemes), they provides an intuitive comparison between the security levels of the different instantiations. For more information on the security of discrete log and of q-type assumptions we refer the reader to [19, 24, 33, 38].

Table 2. Approximate security levels of the utilized ECC groups. “SS” are super singular curves (symmetric bilinear groups), while “MNT” are the Miyaji, Nakabayashi, Takano curves (asymmetric bilinear groups). The number after the type of the curve denotes the size of the base field in bits.

D Prime vs Composite Order Group Operations

In order to demonstrate the generic difference in the efficiency of prime order vs composite order implementations, we timed the group exponentiation (of a random group element with a random exponent) and pairing operations (on random group elements) in the \(\mathsf {MIRACL}\) framework [31] for different security levels. The benchmarks were executed on a dual core Intel^® Xeon^® CPU W3503@2.40 GHz with 2.0 GB RAM running Ubuntu R10.04. The elliptic curve utilized for all benchmarks was the super-singular (symmetric) curve \(y^2=x^3+1 \mod p\) with embedding degree 2 for suitable primes p.

In Table 3 we can see the significant gap between the timings in prime and composite order groups for the same security levels. This is the main reason that we used prime order groups for our construction.

Table 3. Average timing results in milliseconds over 100 repeats of group exponentiations and pairings in \(\mathsf {MIRACL}\).