FE for Inner Products and Its Application to Decentralized ABE

In this work, we revisit the primitive functional encryption (FE) for inner products and show its application to decentralized attribute- based encryption (ABE). Particularly, we derive an FE for inner prod- ucts that satisfies a stronger notion, and show how to use such an FE to construct decentralized ABE for the class {0,1}{0,1}-LSSS against bounded collusions in the plain model. We formalize the FE notion and show how to achieve such an FE under the LWE or DDH assumption. Therefore, our resulting decentralized ABE can be constructed under the same standard assumptions, improving the prior construction by Lewko and Waters (Eurocrypt 2011). Finally, we also point out challenges to construct decentralized ABE for general functions by establishing a relation between such an ABE and witness encryption for general NP statements

Server-aided revocable attribute-based encryption resilient to decryption key exposure

Attribute-based encryption (ABE) is a promising approach that enables scalable access control on encrypted data. However, one of the main efficiency drawbacks of ABE is the lack of practical user revocation mechanisms. In CCS 2008, Boldyreva, Goyal and Kumar put forward an efficient way to revoke users. But, it requires each data user storing a (non-constant) number of long-term private keys and periodically communicating with the key generation center to update his/her decryption keys. In ESORICS 2016, Cui et al. proposed the first server-aided revocable ABE scheme to address the above two issues. It involves an untrusted server to transform any non-revoked user’s ABE ciphertexts into short ciphertexts using user’s short-term transformation keys. The data user can fully decrypt the transformed ciphertexts using his/her local decryption keys. Cui et al. also introduced the decryption key exposure (DKE) attacks on transformation keys. However, if the untrusted server colludes with an adversary, the scheme may be insecure against DKE attacks on user’s local decryption keys. In this paper, we first revisit Cui et al. security model, and enhance it by capturing the DKE attacks on user’s local decryption keys and allowing the adversary to fully corrupt the server simultaneously. We then construct a server-aided revocable ABE based on Rouselakis-Waters ciphertext-policy ABE (CCS 2013). We show that our scheme is secure against local decryption key exposure attacks, and maintains the outstanding properties of efficient user revocation, short local ciphertext size and fast local decryption

Revocable hierarchical identity-based encryption with shorter private keys and update keys

Revocable hierarchical identity-based encryption (RHIBE) is an extension of HIBE that supports the revocation of user\u27s private keys to manage the dynamic credentials of users in a system. Many different RHIBE schemes were proposed previously, but they are not efficient in terms of the private key size and the update key size since the depth of a hierarchical identity is included as a multiplicative factor. In this paper, we propose efficient RHIBE schemes with shorter private keys and update keys and small public parameters by removing this multiplicative factor. To achieve our goals, we first present a new HIBE scheme with the different generation of private keys such that a private key can be simply derived from a short intermediate private key. Next, we show that two efficient RHIBE schemes can be built by combining our HIBE scheme, an IBE scheme, and a tree based broadcast encryption scheme in a modular way

Match me if you can: matchmaking encryption and its applications

We introduce a new form of encryption that we name matchmaking encryption (ME). Using ME, sender S and receiver R (each with its own attributes) can both specify policies the other party must satisfy in order for the message to be revealed. The main security guarantee is that of privacy-preserving policy matching: During decryption nothing is leaked beyond the fact that a match occurred/did not occur. ME opens up new ways of secretly communicating, and enables several new applications where both participants can specify fine-grained access policies to encrypted data. For instance, in social matchmaking, S can encrypt a file containing his/her personal details and specify a policy so that the file can be decrypted only by his/her ideal partner. On the other end, a receiver R will be able to decrypt the file only if S corresponds to his/her ideal partner defined through a policy. On the theoretical side, we define security for ME, as well as provide generic frameworks for constructing ME from functional encryption. These constructions need to face the technical challenge of simultaneously checking the policies chosen by S and R, to avoid any leakage. On the practical side, we construct an efficient identity-based scheme for equality policies, with provable security in the random oracle model under the standard BDH assumption. We implement and evaluate our scheme and provide experimental evidence that our construction is practical. We also apply identity-based ME to a concrete use case, in particular for creating an anonymous bulletin board over a Tor network