Abstract

Predicate encryption is an important cryptographic primitive (see [3,5,9,11]) that enables fine-grained control on the decryption keys. Roughly speaking, in a predicate encryption scheme the owner of the master secret key $Msk$ can derive a secret key $Sk_P$ for any predicate $P$ from a specified class of predicates ℙ. In encrypting a message $M$, the sender can specify an attribute vector $\vec{x}$, and the resulting ciphertext $\tilde X$ can be decrypted only by using keys $Sk_P$ such that $P(\vec{x})=1$. Security is modeled by means of a game between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$ that sees the public key, is allowed to ask for keys of predicates $P$ of his choice and gives two challenge vectors $\vec{x}_0$ and $\vec{x}_1$. $\mathcal{A}$ then receives a challenge ciphertext (an encryption of a randomly chosen challenge vector) and has to guess which of the two challenge vectors has been encrypted. The adversary $\mathcal{A}$ is allowed to ask queries even after seeing the challenge ciphertext. In the unrestricted queries model, the adversary $\mathcal{A}$ is required to ask only for keys of predicates $P$ that do not discriminate the two challenge vectors; that is, for which $P(\vec{x}_0)=P(\vec{x}_1)$. It can be readily seen that this condition is necessary. In this paper, we consider hidden vector encryption (HVE for short), a notable case of predicate encryption introduced by Boneh and Waters [5] and further developed in [16,10,15]. In an HVE scheme, the ciphertext attributes are vectors $\vec{x}=\langle x_1,\ldots,x_\ell\rangle$ of length $\ell$ over alphabet Σ, keys are associated with vectors $\vec{y}=\langle y_1,\ldots,y_\ell\rangle$ of length $\ell$ over alphabet Σ∪{⋆}, and we consider the $\mathsf{Match}(\vec{x},\vec{y})$ predicate, which is true if and only if, for all $i$, $y_i\neq\star$ implies $x_i=y_i$.
In [5], it is shown that HVE implies predicate encryption schemes for conjunctions, comparison, range queries and subset queries. We also describe constructions of secure predicate encryption for Boolean predicates that can be expressed as k-CNF and k-DNF (for any constant k) over binary variables. Our main contribution is a very simple, in terms of construction and security proof, implementation of the HVE primitive that can be proved fully secure against probabilistic polynomial-time adversaries in the unrestricted queries model under non-interactive, constant-sized (that is, independent of $\ell$) hardness assumptions on bilinear groups of composite order. Our proof employs the dual system methodology of Waters [18], which gave one of the first fully secure constructions in this area, blended with a careful design of intermediate security games that take into account the relationship between challenge ciphertext and key queries.
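The Match predicate and the key-query condition of the unrestricted queries model, as an added plaintext-level Python example (not code from the paper; no encryption is performed). The function names and the comparison encoding are assumptions chosen for illustration and are not necessarily the encoding used in [5].

```python
STAR = "*"  # wildcard symbol in the key alphabet (Sigma plus the star)

def match(x, y):
    """Match(x, y): true iff for all i, y_i != STAR implies x_i == y_i."""
    if len(x) != len(y):
        raise ValueError("attribute and key vectors must have the same length")
    return all(yi == STAR or xi == yi for xi, yi in zip(x, y))

def admissible(key_queries, x0, x1):
    """Unrestricted-queries condition: every queried key vector y must satisfy
    Match(x0, y) == Match(x1, y). Keys matching BOTH challenge vectors are
    allowed; only keys that discriminate between them are ruled out."""
    return all(match(x0, y) == match(x1, y) for y in key_queries)

def key_conjunction(constraints, length):
    """Key vector for a conjunction of equality tests {position: symbol};
    unconstrained positions become wildcards."""
    return [constraints.get(i, STAR) for i in range(length)]

def encode_value(v, n):
    """Illustrative attribute encoding of v in 1..n:
    position j (1-based) holds 1 iff j >= v."""
    return [1 if j >= v else 0 for j in range(1, n + 1)]

def key_leq(a, n):
    """Key vector for the comparison predicate 'v <= a' under encode_value:
    position a is fixed to 1, every other position is a wildcard."""
    return [1 if j == a else STAR for j in range(1, n + 1)]

if __name__ == "__main__":
    # Constructed sample data: two challenge vectors differing only at index 0.
    x0, x1 = [0, 1, 0], [1, 1, 0]
    both_match = key_conjunction({1: 1}, 3)     # matches x0 and x1
    neither = key_conjunction({2: 1}, 3)        # matches neither
    discriminating = key_conjunction({0: 0}, 3) # matches x0 only
    print(admissible([both_match, neither], x0, x1))   # True
    print(admissible([discriminating], x0, x1))        # False
    print(match(encode_value(3, 8), key_leq(5, 8)))    # True, since 3 <= 5
```
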
