A Study of Pair Encodings: Predicate Encryption in Prime Order Groups
Lecture Notes in Computer Science
Pair encodings and predicate encodings, recently introduced by Attrapadung (Eurocrypt 2014) and Wee (TCC 2014) respectively, greatly simplify the process of designing and analyzing predicate and attribute-based encryption schemes. However, they are still somewhat limited in that they are restricted to composite order groups, and the information theoretic properties are not sufficient to argue about many of the schemes. Here we focus on pair encodings, as the more general of the two. We first study the structure of these objects, then propose a new relaxed but still information theoretic security property. Next we show a generic construction for predicate encryption in prime order groups from our new property; it results in either semi-adaptive or full security depending on the encoding, and gives security under SXDH or DLIN. Finally, we demonstrate the range of our new property by using it to design the first semi-adaptively secure CP-ABE scheme with constant size ciphertexts.

In traditional public key encryption systems, a message is encrypted under a particular public key, with the guarantee that it can only be decrypted by the party holding the corresponding secret key. Attribute based encryption (ABE), introduced in [SW05], instead allows us to use attributes to determine who has the power to decrypt. In these systems, there is a single entity which publishes system parameters and distributes the appropriate decryption keys to various parties. In key-policy ABE (KP-ABE) [GPSW06], a message is encrypted under a set of attributes describing that message, and each decryption key is associated with a policy describing which ciphertexts it can decrypt. Conversely, in ciphertext-policy ABE (CP-ABE) [BSW07] each user is given a decryption key that depends on his attributes, and ciphertexts are encrypted with policies describing which users can decrypt them. ABE has been proposed for a variety of applications, from social network privacy to pay-per-view broadcasting to health record access-control to cloud security (see e.g. [PTMW06, TBEM08, BBS+09, APG+11, SRGS12]). Recently there has been a lot of progress in terms of both security and functionality. Using the dual system framework introduced by Waters [Wat09], several works [LOS+10, LW12] have designed ABE schemes that satisfy the natural security definition, avoiding the restrictions of selective security.
Other works consider extra features like short ciphertexts whose length is independent of the size of the associated attribute set and policy [ALdP11, YAHK14], or "unbounded" schemes that place no bounds on the space of possible attributes or the number of attributes that can be tied to a ciphertext or key [LW11, OT12, RW13]. Predicate encryption [BSW11] generalizes the concept to require only that the ciphertext and key are associated with values x, y, and decryption succeeds iff some predicate P(x, y) holds. Note that in this work we assume that x and y are revealed by the ciphertext and key respectively; we do not consider attribute-hiding [BW07, KSW08] or predicate-hiding [SSW09, BRS13]. As these schemes have progressed, however, constructions and proofs have become increasingly complex. Many of the proposed schemes require composite order pairings, in which the order of the pairing groups is a product of two or more primes; since these schemes require that factoring the group order is hard, this in practice means that these groups must be at least an order of magnitude larger than prime order groups of comparable security level, and according to [Gui13] composite order pairing computations are at least 2 orders of magnitude slower. This has prompted efforts to design schemes in prime order groups [OT10, OT12, Fre10, Lew12, HHH+14], but many of these schemes still have fairly high cost as compared to their selectively secure counterparts, and designing and analyzing the security of such schemes can be quite challenging. Two very recent works, by Wee [Wee14] and Attrapadung [Att14], make significant progress in simplifying the design and analysis of new constructions. These works introduce simple new objects, called predicate encodings and pair encodings respectively in the two works, which can be used to construct ABE and other predicate encryption schemes.
Essentially, they consider one decryption key and one ciphertext, and focus on what happens in the exponent space. Both formalisms introduce simple information theoretic properties on these objects and show that if these properties are met, they can be extended into fully secure ABE/predicate encryption schemes. The major advantage of this approach is that instead of having to design and prove security of a complex scheme, now all one has to do is design and analyze an appropriate encoding, which is a much simpler task. This vastly simplifies the design of new schemes, and in fact, both works resulted in new constructions and more efficient variants of previously known schemes.