Optimal Broadcast Encryption from Pairings and LWE - AIST
Transcript of Optimal Broadcast Encryption from Pairings and LWE - AIST
Optimal Broadcast Encryption from Pairings and LWE
@Simons Institute
Shweta Agrawal (IITM) Shota Yamada (AIST)
Based on the work that will appear at EUROCRYPT 2020
https://eprint.iacr.org/2020/228
1
Our Results in Short
• Construct the optimal broadcast encryption (BE) from LWE and pairings.
– Optimal parameter size:|mpk|, |ct|, |sk| = poly( log N, λ) = poly(λ) where N = # of users in the system
– The first construction without MLM or iO
– Proven secure under LWE in the bilinear generic group model (GGM)
• More generally, we construct CP-ABE with special efficiency properties that implies optimal BE
2
Broadcast Encryption
All users in the system ( # of users = N )
Collusion resistance
3
Broadcast Encryption
All users in the system ( # of users = N )
Collusion resistance
Trivial solution:Prepare public key for each user by PKE.
Encrypt the message by each PK.O(N) ciphertext!
⇒Shorter ciphertext possible?
4
Previous Work on Broadcast Encryption
5
|𝐦𝐩𝐤| |𝐜𝐭| |𝐬𝐤| Ingredient(s)
Trivial 𝑂(𝑁) 𝑂(𝑁) 𝑂(1) Plain PKE
[BGW05] 𝑂(𝑁) 𝑂(1) 𝑂(1) Bilinear map
[BGW05] 𝑂(√𝑁) 𝑂(√𝑁) 𝑂(1) Bilinear map
[BZW14] 𝑂(1) 𝑂(1) 𝑂(1) log N-linear map
Ours 𝑂(1) 𝑂(1) 𝑂(1) Bilinear map & LWE
• We ignore poly(𝜆) factors. In particular, poly(log𝑁) factor is ignored.• We discount earlier constructions that do not provide full collusion
resistance and short ciphertext in the table.
Master secret key (msk)
sk𝑌
Decryption
If 𝑅 𝑋, 𝑌 = 1Can retrieve 𝑚𝑠𝑔
Master public key (mpk)
ct𝑋 for message 𝑚𝑠𝑔
Attribute-Based Encryption (ABE)
If 𝑅 𝑋, 𝑌 = 0
Decryption not possible
CP-ABE for (NC1) circuits: X = (NC1) circuit, Y= string KP-ABE for (NC1) circuits: X = string, Y = (NC1) circuit
6
• SK attribute = 𝑗 ∈ 𝑁 where 𝑗 = user index
• CT attribute = 𝐹𝑆 ⋅ where 𝑆 ⊆ 𝑁 , recipients
BE as CP-ABE for NC1 Circuit (1)
𝐹𝑆 𝑗 =1 if 𝑗 ∈ 𝑆
0 if 𝑗 ∉ 𝑆
𝑗 ∈ 0,1 log 𝑁
0/1
𝑗 = 𝑠2?
𝑗 = 𝑠|𝑆|?
𝑗 = 𝑠1?
…
𝑆 = 𝑠1, 𝑠2, … , 𝑠|𝑆|
7
BE as CP-ABE for NC1 Circuit (2)
• Short input (≈ 𝑂(log 𝑁))• Shallow depth (≈ 𝑂(log 𝑁))• But, wide width (≈ 𝑂(𝑁))
CP-ABE with width-independent compact parameters is enough for optimal BE!
𝑗 ∈ 0,1 log 𝑁
0/1
𝑗 = 𝑠2?
𝑗 = 𝑠|𝑆|?
𝑗 = 𝑠1?
…
𝐹𝑆 has
8
Starting Point: BGG+• Every existing CP-ABE scheme does not satisfy width-
independent efficiency.
• BGG+ does satisfy width-independent efficiency, but it is KP-ABE.
Convert BGG+ KP-ABE into CP-ABE!(while keeping the efficiency)
mpk = poly(𝜆, ℓ, 𝑑)
ct𝒙 = poly(𝜆, ℓ, 𝑑)
sk𝑭 = poly(𝜆, 𝑑)
Circuit
Input length = ℓ
Depth = 𝑑 F
Width = 𝑤
9
Simple Ideas that Don’t Work
We want to convert BGG+ into a CP-ABE.• Simply swapping CT and SK?
Secret key can be generated publicly. Secret key will be associated with message.
• Using universal circuit? 𝐹 ⇒ Description of 𝐹,𝑥 ⇒ 𝑈𝑥 ⋅ , where 𝑈𝑥 𝐹 = 𝐹(𝑥)then use BGG+
The input length is 𝐹BGG+ parameters depend
on the input length 10
Decomposability of BGG+
⋯
⋯
Decomposability:BGG+. Enc(𝑥,𝑚𝑠𝑔) can be divided into the following 2 steps:
1. First generate encodings
𝐜1,0
𝐜1,1
𝐜𝑖,0
𝐜𝑖,1
⋯
⋯
𝐜ℓ,0
𝐜ℓ,1 Where ℓ = length of 𝑥
2. To generate a ciphertext for attribute 𝑥 ∈ 0,1 ℓ, output
BGG+. ct𝑥 = 𝐜𝑖,𝑥𝑖 𝑖∈ ℓ
Can be generated without knowing 𝑥
Using BGG+. sk𝐹 with 𝐹 𝑥 = 1, one can
retrieve msg11
First Attempt: Combining [SS10] and [BGG+14]
𝑃𝐾1,0mpk = ⋯ ⋯
𝑃𝐾1,1
⋯ ⋯BGG+. sk𝐹
BGG+.mpkct𝐹 =
Encryption for 𝑭 :
m𝑠k = corresponding secret keys 𝑆𝐾𝑖,𝑏 𝑖,𝑏
𝑃𝐾𝑖,0
𝑃𝐾𝑖,1
𝑃𝐾ℓ,0
𝑃𝐾ℓ,1
𝐜1,0𝐜1,1
𝐜𝑖,0𝐜𝑖,1
𝐜ℓ,0𝐜ℓ,1
Generate BGG+.mpk, BGG+.msk , BGG+. sk𝐹 , and
12
First Attempt: Combining [SS10] and [BGG+14]
𝑃𝐾1,0mpk = ⋯ ⋯
𝑃𝐾1,1
⋯ ⋯
Generate BGG+.mpk, BGG+.msk , BGG+. sk𝐹 , and
BGG+. sk𝐹
BGG+.mpkct𝐹 =
Enc𝑃𝐾1,0(𝐜1,0)
Enc𝑃𝐾1,1(𝐜1,1)
sk𝑥 = S𝐾1,𝑥1 ⋯ ⋯
Enc𝑃𝐾𝑖,0(𝐜𝑖,0)
Enc𝑃𝐾𝑖,1(𝐜𝑖,1)
Enc𝑃𝐾ℓ,0(𝐜ℓ,0)
Enc𝑃𝐾ℓ,1(𝐜ℓ,1)
Decryption:
Recover BGG+. ct𝑥 = 𝐜𝑖,𝑥𝑖 𝑖∈ ℓand use BGG+. sk𝐹 to retrieve msg
S𝐾𝑖,𝑥𝑖 S𝐾ℓ,𝑥ℓ
KeyGen for 𝒙 :
Encryption for 𝑭 :
m𝑠k = corresponding secret keys 𝑆𝐾𝑖,𝑏 𝑖,𝑏
𝑃𝐾𝑖,0
𝑃𝐾𝑖,1
𝑃𝐾ℓ,0
𝑃𝐾ℓ,1
13
Checking the Efficiency of the Scheme
Circuit
Input length = ℓ
Depth = 𝑑
sk𝑥 =
mpk = ℓ ⋅ poly 𝜆 = poly(𝜆, ℓ)
ct𝐹= ℓ ⋅ poly 𝜆, 𝑑 + poly 𝜆, ℓ, 𝑑= poly(𝜆, ℓ, 𝑑)
sk𝑥 = ℓ ⋅ poly 𝜆, 𝑑 = poly(𝜆, ℓ, 𝑑)
Width = 𝑤
⋯
ct𝐹 =BGG+. sk𝐹
BGG+.mpk⋯
mpk =
ℓ
⋯
Circuit class supported
We want width independentefficiency.
Width independent compact parameters?
14
ct𝐹= ℓ ⋅ poly 𝜆, 𝑑 + poly 𝜆, ℓ, 𝑑= poly(𝜆, ℓ, 𝑑)
Checking the Efficiency of the Scheme
Circuit
Input length = ℓ
Depth = 𝑑
mpk =
ℓ
ct𝐹 =BGG+. sk𝐹
BGG+.mpk⋯
sk𝑥 =
mpk = ℓ ⋅ poly 𝜆 = poly(𝜆, ℓ)
sk𝑥 = ℓ ⋅ poly 𝜆, 𝑑 = poly(𝜆, ℓ, 𝑑)
Width = 𝑤
⋯
⋯
Circuit class supported
We want width independentefficiency.
Width independent compact parameters?
How about the security?Collusion of only 2 users breaks the secrurity:
E.g., 00000000 and 11111111
15
Our Approach for Adding Collusion Resistance (1)
• Our Idea:To prevent collusion using the power of pairing groups.
Pairings. 𝑒: 𝔾1 × 𝔾2 → 𝔾𝑇
(𝑔1𝑎 , 𝑔2
𝑏) ↦ 𝑒 𝑔1𝑎 , 𝑔2
𝑏 = 𝑒 𝑔1, 𝑔2𝑎𝑏
𝑔1𝑎 ↔ 𝑎 1
𝑔2𝑏 ↔ 𝑏 2
𝑔𝑇𝑐 ↔ 𝑐 𝑇
Bracket Notation.
16
Our Approach for Adding Collusion Resistance (2)
• In our first attempt, decryptor recovers {𝐜𝑖,𝑥𝑖} in the clear.
• Instead, what if the decryptor learns them only on the exponent?
𝐜𝑖,𝑥𝑖 𝑇 𝑖
• Collusion of two users still can obtain
𝐜𝑖,𝑏 𝑇 𝑖,𝑏and break the scheme.
17
• The problem is that the adversary can combine the partial decryption results by two different users.
• To prevent this, change the scheme so that decryptorrecovers
Adding Collusion Resistance
User specific randomness
𝜹𝐜𝑖,𝑥𝑖 𝑇 𝑖
18
• The problem is that the adversary can combine the partial decryption results by two different users.
• To prevent this, change the scheme so that decryptorrecovers
𝜹 𝒌 𝐜𝑖,𝑥𝑖
𝑘
𝑇 𝑖
Adding Collusion Resistance
No meaningful way to combine them!
𝜹 𝒋 𝐜𝑖,𝑥𝑖
𝑗
𝑇 𝑖
𝑗, 𝑘: index for different users
19
Challenge 1:BGG+ ciphertext is on the exponent and even randomized. Is decryption still possible on DL-hard group?
Challenge 2: If a decryptor (adverasary) only learns
𝛿 𝑗 𝒄𝑖,𝑥𝑖 𝑇 𝑖,𝑗,
the construction may indeed be secure.How do we make sure that the adversary does not obtain any other information?
Two Challenges with the Approach
20
• Decryption algorithm of BGG+ – From mpk, 𝑥, sk𝐹 , one can compute a linear function 𝐿𝐹
such that
𝐿𝐹 𝐜𝑖,𝑥𝑖 𝑖∈ ℓ= 𝑚
𝑞
2+ 𝑛𝑜𝑖𝑠𝑒
On the exponent:
𝐿𝐹 [𝛿𝐜𝑖,𝑥𝑖]𝑇 𝑖∈ ℓ= 𝛿 𝑚
𝑞
2+ 𝑛𝑜𝑖𝑠𝑒
𝑇
– Remove the noise to retrieve message 𝑚 ∈ {0,1}
On the exponent:
𝛿 𝑚𝑞
2+ 𝑛𝑜𝑖𝑠𝑒 is exponentially large.
How do we manage this? (Next slide)
Challenge 1:Decryption on Exponent (1)
Assume that 𝑚 ∈ {0,1}
21
Challenge 1:Decryption on Exponent (2)
• Let decryptor learn
𝛿 𝑚𝑞
2+ 𝑛𝑜𝑖𝑠𝑒
𝑇and 𝛿 𝑇
• If 𝑛𝑜𝑖𝑠𝑒 is polynomially small, one can learn 𝑚 by brute force search:
– Check all possible 𝑚 ∈ 0,1 , 𝑛𝑜𝑖𝑠𝑒 ∈ [−poly, poly]
• How do we have polynomially small noise?
– Use the careful evaluation algorithm of [BV15,GV15]
– Limits the circuit class to be NC1, but suffices for BE (Recall that our circuit is very small except for the width)
22
Challenge 2:Avoid Leaking Additional information (1)
• We want to let decryptor learn
𝑖∈ ℓ ,but nothing else.
• This allows us to prove the security while keeping the correctness.
• How do we realize that?
𝛿𝐜𝑖,𝑥𝑖 𝑇𝛿 𝑇
23
Challenge 2:Avoid Leaking Additional information (2)
𝛿 2
𝐜1,0 1⋯
𝐜1,1 1
𝐜𝑖,0 1
𝐜𝑖,1 1
𝐜ℓ,0 1
𝐜ℓ,1 1
⋯ct𝐹 =
sk𝑥 =
How do we set CT and SK? (Naïve Idea)
BGG+. sk𝐹
BGG+.mpk
Lesson learned from failure: The secret keys should be tied to 𝑥!
𝛿 𝑇
⇒ Can recover 𝛿𝐜𝑖,𝑥𝑖 𝑇 𝑖∈ ℓ, 𝛿 𝑇 .
⇒But can recover 𝛿𝐜𝑖,𝑏 𝑇 𝑖∈ ℓ ,𝑏∈{0,1}for all 𝑖 ∈ ℓ , 𝑏 ∈ {0,1} as well.
24
𝑤1,0 1mpk =
𝑤1,1 1
𝑤𝑖,0 1
𝑤𝑖,1 1
𝑤ℓ,0 1
𝑤ℓ,1 1
⋯ ⋯
ct𝐹 =𝑤1,0𝐜1,0 1
⋯𝑤1,1𝐜1,1 1
𝑤𝑖,0𝐜𝑖,0 1
𝑤𝑖,1𝐜𝑖,1 1
𝑤ℓ,0𝐜ℓ,0 1
𝑤ℓ,1𝐜ℓ,1 1
⋯ Other terms
Idea: Introduce position-wise randomness so that pairing productbetween only matching positions yields useful terms
sk𝑥 = 𝛿/𝑤1,𝑥1 2𝛿/𝑤ℓ,𝑥ℓ 2
𝛿/𝑤𝑖,𝑥𝑖 2⋯ ⋯ 𝛿 𝑇
Can recover = 𝑒( , )𝑤𝑖,𝑥𝑖𝐜𝑖,𝑥𝑖 1𝛿/𝑤𝑖,𝑥𝑖 2
𝛿𝐜𝑖,𝑥𝑖 𝑇
Challenge 2:Avoid Leaking Additional information (3)
25
𝑒 𝑤𝑖,𝑏 𝐜𝑖,𝑏 1, 𝛿/𝑤𝑗,𝑏′ 2
= 𝛿𝐜𝑖,𝑏𝑤𝑖,𝑏/𝑤𝑗,𝑏′ 𝑇
Challenge 2:Avoid Leaking Additional information (4)
How about the security? What if an adversary takes pairings of unmatching positions of components?
Due to this part, this term is “useless”.
For 𝑖, 𝑏 ≠ 𝑗, 𝑏′ ,
Security Intuition:From sk𝑥 = 𝑖∈[ℓ], one cannot obtain
no more useful information than 𝛿𝐜𝑖,𝑥𝑖 𝑇 𝑖∈[ℓ]as desired
𝛿/𝑤𝑖,𝑥𝑖 2
26
Final Scheme (1)
Encrypt(mpk, 𝐹,𝑚 ∈ {0,1})
• Run BGG+. Setup 1𝜆 → BGG+.mpk, BGG+.msk
• Run BGG+. KeyGen(BGG.msk, 𝐹) → BGG+. sk𝐹• Run first part of BGG+. Enc to obtain 𝐜𝑖,𝑏 𝑖∈ ℓ ,𝑏∈{0,1}
• Output:
ct𝐹 =𝑤1,0𝐜1,0 1
⋯BGG+. sk𝐹𝑤1,1𝐜1,1 1
𝑤𝑖,0𝐜𝑖,0 1
𝑤𝑖,1𝐜𝑖,1 1
𝑤ℓ,0𝐜ℓ,0 1
𝑤ℓ,1𝐜ℓ,1 1
⋯BGG+.mpk
Setup 1𝜆
𝑤1,0 1mpk =
𝑤1,1 1
𝑤𝑖,0 1
𝑤𝑖,1 1
𝑤ℓ,0 1
𝑤ℓ,1 1
⋯ ⋯
m𝑠k = 𝑤𝑖,𝑏 𝑖∈ ℓ ,𝑏∈{0,1}
• Generate:
ℓ =length of the input to circuits
27
Final Scheme (2)
Decrypt(mpk, sk𝑥 , ct𝐹 , 𝐹)
KeyGen msk, 𝑥
• Sample 𝛿 ← ℤ𝑝• Output
𝑤𝑖,𝑥𝑖𝐜𝑖,𝑥𝑖 1𝛿/𝑤𝑖,𝑥𝑖 2
ct𝐹 =𝑤1,0𝐜1,0 1
⋯BGG+. sk𝐹𝑤1,1𝐜1,1 1
𝑤𝑖,0𝐜𝑖,0 1
𝑤𝑖,1𝐜𝑖,1 1
𝑤ℓ,0𝐜ℓ,0 1
𝑤ℓ,1𝐜ℓ,1 1
⋯BGG+.mpk
• Parse
sk𝑥 = 𝛿/𝑤1,𝑥1 2𝛿/𝑤ℓ,𝑥ℓ 2
𝛿/𝑤𝑖,𝑥𝑖 2⋯ ⋯𝛿 𝑇
• Recover 𝛿𝐜𝑖,𝑥𝑖 𝑇= 𝑒( , ) for all 𝑖 ∈ ℓ
• Compute the linear function 𝐿𝐹 fromBGG+.mpk , BGG+. sk𝐹.
• Compute 𝐿𝐹 𝛿𝐜𝑖,𝑥𝑖 𝑇 𝑖∈ ℓ= 𝛿 𝑚
𝑞
2+ 𝑛𝑜𝑖𝑠𝑒
𝑇
• Recover 𝑚 ∈ 0,1 by bruteforce over 𝑚 ∈ {0,1} and 𝑛𝑜𝑖𝑠𝑒 ∈ [−poly, poly]28
Checking the Efficiency of the Scheme
Circuit
Input length = ℓ
Depth = 𝑑
mpk =
ℓ
ct𝐹 =BGG+. sk𝐹
BGG+.mpk⋯
sk𝑥 =
mpk = ℓ ⋅ poly 𝜆, 𝑑 = poly(𝜆, ℓ, 𝑑)
ct𝐹 = ℓ ⋅ poly 𝜆, 𝑑 + poly 𝜆, 𝑑= poly(𝜆, ℓ, 𝑑)
sk𝑥 = ℓ ⋅ poly 𝜆, 𝑑 = poly(𝜆, ℓ, 𝑑)
Width = 𝑤
⋯
⋯
Circuit class supported
We want width independentefficiency.
Width independent compact parameters?
29
Bilinear Generic Group Model• The security is proven in the bilinear generic group model
(GGM).
• Intuition on bilinear GGM:
– The only thing an adversary can do with group elements is to take pairings, then take linear combinations, and see if it equals to zero. If it doesn’t equal to zero, the adversary learns nothing about the encoded value.
30
𝑒 , =
𝑒 , =
𝑒 , =
𝑎 𝑏 𝑐= 0?
ct𝐹 =𝑤1,0𝐜1,0 1
⋯BGG+. sk𝐹𝑤1,1𝐜1,1 1
𝑤𝑖,0𝐜𝑖,0 1
𝑤𝑖,1𝐜𝑖,1 1
𝑤ℓ,0𝐜ℓ,0 1
𝑤ℓ,1𝐜ℓ,1 1
⋯BGG+.mpk
What can the adversary do? To take pairings between above components to obtain:
sk𝑥(𝑗) =𝛿(𝑗)/𝑤
1,𝑥1(𝑗)
2⋯ ⋯𝛿(𝑗)/𝑤
𝑖,𝑥𝑖(𝑗)
2
𝛿(𝑗)/𝑤ℓ,𝑥ℓ
(𝑗)
2𝛿(𝑗)
𝑇
where 𝑗 ∈ 𝑄 , 𝑄 = # of key queries, 𝐹 𝑥 𝑗 = 0
(𝛿 𝑗 𝑤𝑖,𝑏/𝑤𝑖′,𝑏′)𝐜𝑖,𝑏 𝑇𝛿 𝑗 𝐜
𝑖,𝑥𝑖(𝑗)
𝑇where 𝑖, 𝑏 ≠ 𝑖′, 𝑏′
and take linear combination among the terms.
What can the adversary see? The challenge ciphertext
The secret keys
Security Proof (1)
31
Claim 1If the adversary put a term from (A) into the linear combination, the result is not 0 with overwhelming probability.
(Proof intuition) The term 𝛿 𝑗 𝑤𝑖,𝑏/𝑤𝑖′,𝑏′ appears only when pairing
𝛿(𝑗)/𝑤𝑖′,𝑏′ 2𝑤𝑖,1𝐜𝑖,1 1
and
Other terms are multiplied by 𝛿 𝑗 𝑤𝑖,𝑏/𝑤𝑖′,𝑏′ with different 𝑗, 𝑖, 𝑖′, 𝑏, 𝑏′ .
Different monomials cannot cancel each other by linear combination.
What can the adversary do? To take linear combination among the following terms
(𝛿 𝑗 𝑤𝑖,𝑏/𝑤𝑖′,𝑏′)𝐜𝑖,𝑏 𝑇𝛿 𝑗 𝐜
𝑖,𝑥𝑖(𝑗)
𝑇𝑗, 𝑖, 𝑏 ≠ 𝑖′, 𝑏′(A)= (B)=
given BGG+. sk𝐹, BGG+.mpk
Security Proof (2)
32
𝑖, 𝑗
Security Proof (3)
Claim 2
If the adversary puts terms from (B) with different 𝛿(𝑗) into the linear combination, the result is not 0 with overwhelming probability.
(Proof intuition) Different monomials cannot cancel each other by linear combination.
Recall that 𝛿(𝑗) is user specific randomness.➢ Collusion of different users is not useful.➢ We can focus on single-key setting.
What can the adversary do? To take linear combination among the following terms
given BGG+. sk𝐹, BGG+.mpk
33
(𝛿 𝑗 𝑤𝑖,𝑏/𝑤𝑖′,𝑏′)𝐜𝑖,𝑏 𝑇𝛿 𝑗 𝐜
𝑖,𝑥𝑖(𝑗)
𝑇𝑗, 𝑖, 𝑏 ≠ 𝑖′, 𝑏′(A)= (B)=
𝑖, 𝑗
Security Proof (4)What can the adversary do? To take linear combination among the following terms
given BGG+. sk𝐹, BGG+.mpk
( BGG+. sk𝐹, BGG+.mpk, 𝐜𝑖,𝑥𝑖 𝑖)
≈𝑐 ( BGG+. sk𝐹, BGG+.mpk, random )
From single key and single ciphertext security of BGG+:
= BGG+. ct𝑥
34
(𝛿 𝑗 𝑤𝑖,𝑏/𝑤𝑖′,𝑏′)𝐜𝑖,𝑏 𝑇𝛿 𝑗 𝐜
𝑖,𝑥𝑖(𝑗)
𝑇𝑗, 𝑖, 𝑏 ≠ 𝑖′, 𝑏′(A)= (B)=
𝑖, 𝑗
( BGG+. sk𝐹, BGG+.mpk, 𝑖 )
≈𝑐 ( BGG+. sk𝐹, BGG+.mpk, )
Security Proof (4)
From single key and single ciphertext security of BGG+:
No information on message revealed!
What can the adversary do? To take linear combination among the following terms
given BGG+. sk𝐹, BGG+.mpk
𝛿𝐜𝑖,𝑥𝑖 𝑇
random 𝑇
35
(𝛿 𝑗 𝑤𝑖,𝑏/𝑤𝑖′,𝑏′)𝐜𝑖,𝑏 𝑇𝛿 𝑗 𝐜
𝑖,𝑥𝑖(𝑗)
𝑇𝑗, 𝑖, 𝑏 ≠ 𝑖′, 𝑏′(A)= (B)=
𝑖, 𝑗
Comparison with [Brakerski-Vaikuntanathan’20]
• Both construct CP-ABE with special efficiency and then optimal BE.
• How to add collusion resistance?
– Ours: Introducing pairings
– BV20: Introducing novel variant of IBE/ABE from lattices
• Security&Functionality
– Ours: Provably secure in GGM Broken by quantum attackers, Only for NC1
– BV20: Without security proof (Maybe) Quantumly secure, For all circuits
36
Summary
• We construct CP-ABE for NC1 circuits with width independent compact parameter from lattices in blinear GGM.
• This implies the first optimal BE w.o. MLM/iO.
• In the paper, we show that the CP-ABE implies IBBE with similar efficiency property.
37
Open Problems
• Optimal BE from standard assumptions(hopefully from DLIN + LWE)
– More ambitious goal is BE solely from LWE.
• CP-ABE with width independent compact parameters for all circuits (with security proof).
• Application of our technique for other problems.
38
39