On Adaptively Secure Prefix Encryption Under LWE

Abstract

Prefix Encryption is a public-key encryption scheme, where ciphertexts are associated with a string y and secret keys are associated with a string x. Any secret key for which x is a prefix of y can decrypt a ciphertext associated with x. Secret keys are issued by a trusted authority, that publishes a set of public parameters used for encryption and decryption. Prefix encryption was formalized in a work of Lewko and Waters (EUROCRYPT’14) to show that certain partitioning proof techniques fail to achieve adaptive security without an exponential loss in the security reduction. This loss requires a stronger security assumption to achieve adaptive security, which is undesirable. Prefix encryption can be constructed from Hierarchical Identity-Based Encryption (HIBE) or Attribute-Based Encryption (ABE), which implies that the same partitioning techniques must incur an exponential loss in the security reduction when applied to HIBE and ABE. While it remains a long-standing open problem to achieve adaptive security with a polynomial reduction loss for HIBE or ABE under LWE, the same work showed how to obtain adaptively secure prefix encryption from adaptively secure Identity-Based Encryption. In this work, we give a construction of an adaptively secure prefix encryption scheme with a polynomial reduction loss, directly from LWE. To encrypt to a string y we derive a public key for every prefix of y from a fixed set of public parameters using lattice-based homomorphic operations, similar to previous work. Our approach differs in the secret key generation, where a secret key for x takes into account and ties together every prefix of x, and our techniques may be of independent interest. This leaves open the possibility for the secret keys to be extended in a way that could lead to adaptive security of delegation functionalities, in the future. For security, we leverage a work of Tsabary (CRYPTO’19) and extend it to obtain our result.