We propose a Multi-Authority Attribute-Based Encryption (ABE) system. In our system, any party can become an authority and there is no requirement for any global coordination other than the creation of an initial set of common reference parameters. A party can simply act as an ABE authority by creating a public key and issuing private keys to different users that reflect their attributes. A user can encrypt data in terms of any boolean formula over attributes issued from any chosen set of authorities. Finally, our system does not require any central authority.
In constructing our system, our largest technical hurdle is to make it collusion resistant. Prior Attribute-Based Encryption systems achieved collusion resistance when the ABE system authority “tied” together different components (representing different attributes) of a user’s private key by randomizing the key. However, in our system each component will come from a potentially different authority, where we assume no coordination between such authorities. We create new techniques to tie key components together and prevent collusion attacks between users with different global identifiers. We prove our system secure using the recent dual system encryption methodology where the security proof works by first converting the challenge ciphertext and private keys to a semi-functional form and then arguing security.
Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor (the dual ciphertext-policy scenario proceeds the other way around), the primitive enables senders to encrypt messages under a set of attributes and private keys are associated with access structures that specify which ciphertexts the key holder will be allowed to decrypt. In most ABE systems, the ciphertext size grows linearly with the number of ciphertext attributes and the only known exception only supports restricted forms of access policies. This paper proposes the first attribute-based encryption (ABE) schemes allowing for truly expressive access structures and with constant ciphertext size.
Our first result is a ciphertext-policy attribute-based encryption (CP-ABE) scheme with O(1)-size ciphertexts for threshold access policies and where private keys remain as short as in previous systems. As a second result, we show that a certain class of identity-based broadcast encryption schemes generically yields monotonic key-policy attribute-based encryption (KP-ABE) systems in the selective set model. Our final contribution is a KP-ABE realization supporting non-monotonic access structures (i.e., that may contain negated attributes) with short ciphertexts. As an intermediate step toward this result, we describe a new efficient identity-based revocation mechanism that, when combined with a particular instantiation of our general monotonic construction, gives rise to the most expressive KP-ABE realization with constant-size ciphertexts. The downside of our second and third constructions is that private keys have quadratic size in the number of attributes. On the other hand, they reduce the number of pairing evaluations to a constant, which appears to be a unique feature among expressive KP-ABE schemes.