Predicate encryption with selective-opening security for receivers: formal definition, generic construction, and concrete instantiations for several primitives

Abstract

With the rise of cloud computing, multi-user scenarios have become a common setting for data sharing nowadays. The conservative security notion might not be sufficient for such a data sharing model. As a response to this challenge, there has been significant research targeting security against receiver selective-opening (RSO) attacks. However, we found that none of these studies discuss RSO security specifically for predicate encryption (PE)—an encryption mechanism naturally designed for multi-user data sharing. This manuscript first formalizes the RSO security for PE. We then present a generic PE construction that achieves RSO security based on the simulation-based definition. Our work also features several instantiations for various predicate families, including attribute-based encryption for the monotone span program, which is known as one of the most expressive PE.

Appendices

Appendix A: Details of the embedding relationships

In this section, we show the details of the embedding relationships between IP and several predicate families.

1.1 A.1: Hidden vector encryption

A HVE scheme is a PE scheme supporting the following predicate family:

• \(\kappa = (\ell _1, \ell _2),\) for some \(\ell _1, \ell _2 \in \mathbb {N}\).

• \(\mathbb {X}_\kappa = (\Sigma )^{\ell _1}, \mathbb {Y}_\kappa = (\Sigma _*)^{\ell _1}\), where \(\Sigma \) is an alphabet set with \(\ell _2\) elements, \(\Sigma _* = \Sigma \cup \{*\}\), and \(*\) is the wildcard character. Here we note that, in most papers, \(\Sigma \) is chosen to be \(\{0, 1\}\), i.e., \(\ell _2 = 2\).

• \(R_\kappa ^{\textsf{HV}}(X, Y) = 1 \Longleftrightarrow \forall i \in [\ell _1], (X[i]= Y[i]) \vee (Y[i] = *)\), where X[i], Y[i] denote the ith element in X, Y, respectively.

Katz et al. [32] have shown that

$$\begin{aligned} R^{\textsf{IP}} \xrightarrow [(g_P, g_C, g_K)]{\textsf{SIMRSO}} R^{\textsf{HV}}, \end{aligned}$$

with \(\Sigma = \mathbb {Z}_p, g_P((\ell _1, \ell _2)) = (2\ell _1, \ell _2), g_C(X) = X' \in \Sigma ^{2\ell _1}, g_K(Y) = Y' \in \Sigma _*^{2\ell _1}\), where for \(i \in [\ell _1]\),

$$\begin{aligned} X'[2i-1] = - \delta _i X[i],~~ X'[2i] = \delta _i,~~ \delta _i \xleftarrow {\$} \mathbb {Z}_p \end{aligned}$$

and

$$\begin{aligned} \left\{ \begin{array}{lll} Y'[2i-1] = 1, &{} Y'[2i] = Y[i], &{} ~if~ Y[i] \ne *; \\ Y'[2i-1] = 0, &{} Y'[2i] = 0, &{} ~if~ Y[i] = *. \end{array}\right. \end{aligned}$$

Besides, since \(\textsf{Dual}(R^{\textsf{IP}}) = R^{\textsf{IP}}\), by switching the roles of \(g_C, g_K\), we can further obtain

$$\begin{aligned} R^{\textsf{IP}} \xrightarrow [(g_P, g_K, g_C)]{\textsf{SIMRSO}} \textsf{Dual}(R^{\textsf{HV}}). \end{aligned}$$

Therefore, by applying Lemma 2 and Corollary 1, we can obtain SIM-RSO-CPA secure PE schemes for \(R^{\textsf{HV}}, \textsf{Dual}(R^{\textsf{HV}}), \textsf{Neg}(R^{\textsf{HV}})\), and \(\textsf{Neg}(\textsf{Dual}(R^{\textsf{HV}}))\).

1.2 A.2: Broadcast encryption

A BE scheme is a PE scheme supporting the following predicate family:

• \(\kappa = (\ell ),\) for some \(\ell \in \mathbb {N}\).

• \(\mathbb {X}_\kappa = 2^{[\ell ]}\).

• \(\mathbb {Y}_\kappa = [\ell ]\)

• \(R_\kappa ^{\textsf{Br}}(X, Y) = 1 \Longleftrightarrow Y \in X\).

We can embed such membership predicate into inner-product predicate as follows. Define \(f_X(z) = \prod _{i \in X}(z - i)\) for a set X, and define

$$\begin{aligned} \begin{array}{ll} g_P((\ell )) &{} = (\ell ); \\ g_C(X) &{} = ( the~coefficient~of~ f_X(z)); \\ g_K(Y) &{} = (1, Y, Y^2, \dots , Y^{\ell -1}). \end{array} \end{aligned}$$

This works since

$$\begin{aligned} Y \in X \Longleftrightarrow f_X(Y) = 0 \Longleftrightarrow \langle g_C(X), g_K(Y) \rangle = 0, \end{aligned}$$

and hence we have

$$\begin{aligned} R^{\textsf{IP}} \xrightarrow [(g_P, g_C, g_K)]{\textsf{SIMRSO}} R^{\textsf{Br}}. \end{aligned}$$

Such implication has been used to construct KPABE [3] under certain restrictions.

1.3 A.3: Subset predicate encryption and its variants

A SPE scheme is a PE scheme supporting the following predicate family:

• \(\kappa = (\ell ),\) for some \(\ell \in \mathbb {N}\).

• \(\mathbb {X}_\kappa = \mathbb {Y}_\kappa = 2^{[\ell ]}\).

• \(R_\kappa ^{\textsf{SP}}(X, Y) = 1 \Longleftrightarrow Y \subseteq X\).

We use characteristic string representation for a set. That is, for a set \(S \in 2^{[\ell ]}\), we interpret S as a vector with length \(\ell \), such that, for \(i \in [\ell ]\), \(S[i] = 1\) if \(i \in S\). According to [33], we can embed subset predicate into inner-product predicate. Thus, by Lemma 2 and Corollary 1. we have

$$\begin{aligned} R^{\textsf{IP}} \xrightarrow [(g_P, g_C, g_K)]{\textsf{SIMRSO}} R^{\textsf{SP}}, R^{\textsf{NIP}} \xrightarrow [(g_P, g_C, g_K)]{\textsf{SIMRSO}} \textsf{Neg}(R^{\textsf{SP}}), \end{aligned}$$

where

$$\begin{aligned} \begin{array}{ll} g_P((\ell )) &{} = (\ell ); \\ g_C(X) &{} = ( 1\oplus X[1], \dots , 1\oplus X[\ell ]); \\ g_K(Y) &{} = Y. \end{array} \end{aligned}$$

Besides, it is easy to see that

$$\begin{aligned} R^{\textsf{IP}} \xrightarrow [(g_P, g_C, g_K)]{\textsf{SIMRSO}} \mathsf {Dual(}R^{\textsf{SP}}) \end{aligned}$$

and

$$\begin{aligned} R^{\textsf{NIP}} \xrightarrow [(g_P, g_C, g_K)]{\textsf{SIMRSO}} \textsf{Neg}(\textsf{Dual}(R^{\textsf{SP}})), \end{aligned}$$

where

$$\begin{aligned} \begin{array}{ll} g_P((\ell )) &{} = (\ell ); \\ g_C(X) &{} = X; \\ g_K(Y) &{} = ( 1\oplus Y[1], \dots , 1\oplus Y[\ell ]). \end{array} \end{aligned}$$

Appendix B: Maps \(F = (f_P, f_C, f_K)\) for various predicate families

In this section, we present methods for designing maps tailored to various predicate families. Using the generic construction described in Sect. 4, we can obtain several cryptographic primitives with SIM-RSO-CPA security. This approach serves as an alternative to obtain these primitives, rather than acquiring them through the SIM-RSO-CPA secure CPABE scheme detailed in Sect. 5.

1.1 B.1: Inner-product encryption

An inner-product encryption scheme is a PE scheme supporting the following predicate family:

• \(\kappa = (\ell ),\) for some \(\ell \in \mathbb {N}\).

• \(\mathbb {X}_\kappa = \mathbb {Y}_\kappa = \mathbb {Z}_p^{\ell }\).

• \(R_\kappa ^{\textsf{IP}}(X, Y) = 1 \Longleftrightarrow \langle X, Y \rangle = 0\), where \(\langle \cdot , \cdot \rangle \) denotes the inner product operation.

We then define the maps \(F^{\textsf{IP}} = (f_P, f_C, f_K)\) for inner-product predicate as follows:

$$\begin{aligned} \begin{array}{ll} f_P((\ell )) &{} = (\ell + 2); \\ f_C(X, \alpha ) &{} = ( X, 1 \oplus \alpha , \alpha ) \in \mathbb {Z}_p^{\ell +2};\\ f_K(Y, r) &{} = (Y, r, 1 \oplus r) \in \mathbb {Z}_p^{\ell +2}. \end{array} \end{aligned}$$

Following the definition of \(F^{\textsf{IP}}\), we have

$$\begin{aligned} \begin{array}{ll} \langle f_C(X, \alpha ), f_K(Y, r) \rangle &{} = \langle ( X, 1 \oplus \alpha , \alpha ), (Y, r, 1 \oplus r) \rangle \\ &{} = \langle X, Y \rangle + \langle 1\oplus \alpha , r \rangle + \langle \alpha , 1\oplus r \rangle \\ &{} = \langle X, Y \rangle + r(1 \oplus \alpha ) + \alpha (1 + r) \\ &{} = \langle X, Y \rangle + (r \oplus r \cdot \alpha ) + (\alpha \oplus \alpha \cdot r). \end{array} \end{aligned}$$

For \(\alpha , r \in \{0,1\}\), since

$$\begin{aligned} \alpha = r \Longleftrightarrow \alpha = \alpha \cdot r = r, \end{aligned}$$

we have

$$\begin{aligned} \langle f_C(X, \alpha ), f_K(Y, r) \rangle = \langle X, Y \rangle + (r \oplus r \cdot \alpha ) + (\alpha \oplus \alpha \cdot r) = \langle X, Y \rangle , \end{aligned}$$

and thus \( R_{f_P(\kappa )}^{\textsf{IP}}(f_C(X, \alpha ), f_K(Y, r)) = R^{\textsf{IP}}(X,Y)\). Besides, when \(\alpha \ne r\), i.e., \(\alpha = 1 \oplus r\), we have that

$$\begin{aligned} \left\{ \begin{array}{ll} r(1\oplus \alpha ) &{} = r \cdot r; \\ \alpha (1\oplus r)) &{} = (1\oplus r) \cdot (1\oplus r). \end{array} \right. \end{aligned}$$

Since either \(r \cdot r = 1\) or \((1\oplus r) \cdot (1\oplus r) = 1\), we have that

$$\begin{aligned} \langle f_C(X, \alpha ), f_K(Y, r) \rangle = \langle X, Y \rangle + (r \oplus r \cdot \alpha ) + (\alpha \oplus \alpha \cdot r) = \langle X, Y \rangle + 1. \end{aligned}$$

We can see that, since \(\mathbb {X}_\kappa = \mathbb {Y}_\kappa = \mathbb {Z}_p^{\ell }\),

$$\begin{aligned} \Pr [R_{f_P(\kappa )}^{\textsf{IP}}( f_C(X, \alpha ), f_K(Y, r) )=0 \mid \langle X, Y \rangle \ne 0] = \Pr [\langle X, Y \rangle = p-1]. \end{aligned}$$

Moreover, we have that \(\Pr [\langle X, Y \rangle = p-1] = \textsf{negl}(\lambda )\) when X, Y are uniformly distributed in \(\mathbb {Z}_p^{\ell }\). To achieve the uniform randomness, we can choose \(\alpha , \beta \xleftarrow {\$} \mathbb {Z}_p\), and set \(X' \leftarrow \alpha X, Y' \leftarrow \beta Y\). It is easy to verify that \(\langle X, Y \rangle = 0\) if and only if \(\langle X', Y' \rangle = 0\).

According to [32], we can embed several primitives into inner-product encryption, e.g., IBE. By using Lemma 2, we can immediately obtain those primitives with SIM-RSO-CPA security.

1.2 Non-zero inner-product encryption

A non-zero inner-product encryption scheme is a PE scheme supporting the predicate family \(R^{\textsf{NIP}} = \textsf{Neg}(R^{\textsf{IP}})\). We can define the maps \(F^{\textsf{NIP}} = (f_P, f_C, f_K)\) as follows:

$$\begin{aligned} \begin{array}{ll} f_P((\ell )) &{} = (2\ell ); \\ f_C(X, \alpha ) &{} = ((1-\alpha )X, \alpha X) \in \mathbb {Z}_p^{2\ell };\\ f_K(Y, r) &{} = ((1-r) Y, rY) \in \mathbb {Z}_p^{2\ell }. \end{array} \end{aligned}$$

Following the definition of \(F^{\textsf{NIP}}\), we have

$$\begin{aligned} \langle f_C(X, \alpha ), f_K(Y, r) \rangle&= \langle ((1-\alpha ) X, \alpha X), ((1-r) Y, rY)\rangle \\ {}&= ((1-\alpha ) \cdot (1-r) + \alpha \cdot r) \cdot \langle X, Y\rangle . \end{aligned}$$

For \(\alpha , r \in \{0, 1\}\), we have

$$\begin{aligned}(1-\alpha ) \cdot (1-r) + \alpha \cdot r = \left\{ \begin{array}{ll} 1, &{}~~\text {if}~~\alpha = r; \\ 0, &{}~~\text {if}~~\alpha \ne r. \end{array} \right. \end{aligned}$$

Therefore, we have

$$\begin{aligned} \langle f_C(X, \alpha ), f_K(Y, r) \rangle = \left\{ \begin{array}{cl} \langle X, Y \rangle &{}~~\text {if}~~ \alpha = r;\\ 0 &{} ~~\text {if}~~ \alpha \ne r. \end{array} \right. \end{aligned}$$

Moreover, by applying Lemma 2 and Corollary 1, we can obtain negated IBE, negated BE, etc., with SIM-RSO-CPA security.

1.3 B.3: Hidden vector encryption

We have already detailed the embedding relationships in Appendix A.1, in this section, we further propose a more efficient map \(F^{\textsf{HV}}=(f_P, f_C, f_K)\) for hidden vector predicate:

$$\begin{aligned} \begin{array}{ll} f_P((\ell _1, \ell _2)) &{} = (\ell _1 + 1, \ell _2); \\ f_C(X, \alpha ) &{} = ( X, \alpha ) \in (\Sigma )^{\ell _1 +1};\\ f_K(Y, r) &{} = (Y, r) \in (\Sigma _*)^{\ell _1 +1}. \end{array} \end{aligned}$$

In particular, we require that \(\{0, 1\} \subset \Sigma \). Following the relation for HVE, one can easily see that \(F^{\textsf{HV}}\) satisfies the requirements defined in Sect. 4.1. Note that our maps are more efficient than those proposed by Katz et al. in terms of the vector length, which may usually affect the ciphertext length or private key size.