
Compact Attribute-Based Broadcast Encryption Scheme for General Circuits with Arbitrary Depth

Cited by: 2
Abstract (Chinese): To simplify traditional public-key cryptosystems, Shamir proposed identity-based encryption in 1984. Attribute-based cryptography grew out of identity-based cryptography: it uses user attribute information and a corresponding access-control policy in place of the operations that require an identity in the identity-based setting. Representing access policies by general circuits, and constructing attribute-based schemes for them, is a current research focus and a hard problem. In 2013, Garg et al. used multilinear maps and general circuits to describe access policies and gave the first attribute-based encryption scheme for general circuits that resists the backtracking attack. The concept of constrained pseudorandom functions was also introduced in 2013; using their security properties, they can be combined with bilinear and multilinear maps, indistinguishability obfuscation, homomorphic encryption and other techniques, and applied in many settings. How to combine constrained pseudorandom functions with other cryptographic techniques to build new protocols and schemes has become an important topic in their study. Building on the scheme of Garg et al. and combining constrained pseudorandom functions with circuit-based attribute-based encryption, this paper presents, from existing multilinear maps, a broadcast encryption scheme whose access structure is a general circuit of arbitrary depth. The main innovation is that the depth l′ of a node in the general circuit need not be fixed to the maximal depth l of the circuit; it only needs to satisfy l′ < l, which realizes cross-layer input for nodes in a general circuit. The ciphertext of the scheme is short, so it is ciphertext-compact compared with other schemes, and it does not need the header component used in broadcast encryption. The scheme is proven selectively secure in the standard model under the multilinear decisional Diffie-Hellman assumption. Although at Eurocrypt 2016 Hu et al. gave a concrete attack breaking the graded-encoding-system approach to realizing multilinear maps, constructions based on multilinear maps and the associated security models are still being refined and developed. We believe that more practical and secure realizations of multilinear maps will appear in the next stage, so theoretical research and constructions based on the multilinear-map primitive remain of considerable research significance.

Abstract (English): Identity-based encryption (IBE) was proposed by Shamir in 1984 in order to simplify traditional public-key cryptography. Attribute-based encryption is a special type of IBE: identities are replaced by attributes and the corresponding access-control policy. Designing access structures and related attribute-based encryption schemes for general circuits is difficult and has been a hot topic. It is an interesting problem to design schemes that can realize decryption policies representable as polynomial-size circuits. Based on the existence of multilinear maps, Garg et al. provided in 2013 the first construction of attribute-based encryption (ABE) for general circuits that could resist the backtracking attack. Similarly, our construction is based on the existence of multilinear maps and resists the backtracking attack. The concept of constrained pseudorandom functions (CPRF) was introduced in 2013, and since then it has received a wide range of research. With the corresponding security features, constrained pseudorandom functions can be combined with other technologies such as bilinear and multilinear maps, indistinguishability obfuscation and homomorphic encryption, and applied in a variety of situations. Combining Garg's scheme with constrained pseudorandom functions, we propose an attribute-based broadcast encryption scheme for general circuits with arbitrary depth. In this scheme the depth l′ of the general circuit could be smaller than the maximal depth l, instead of being equal to the maximum, and it achieves cross-layer output. Our main construction is for circuits that are layered and monotonic, as usual. How to construct a non-monotonic access structure is the next step in this research. Compared to existing work, the advantages of our scheme are short ciphertext and compactness without adding a broadcast header. Essentially it is a symmetric broadcast encryption scheme associated with constrained pseudorandom functions. Furthermore, our construction is of the key-policy form: the encryption algorithm takes the description of the attributes and the message, and the key generation algorithm takes the description of a circuit. Our scheme is proved selectively secure in the standard model under the multilinear decisional Diffie-Hellman assumption. We will explore its application scenarios further and try to improve its efficiency. Since 2013, multilinear maps have served as a basis for a wide range of cryptographic applications. However, they were found to be insecure in the face of so-called zeroizing attacks, which crucially rely on the adversary's ability to create encodings of 0, by Hu and Jia (Eurocrypt'16) in 2016. This result provides a new opportunity for the study of the realization and application of multilinear maps in other directions. Some researchers have proposed new "weak multilinear map models" that capture all known polynomial-time attacks on GGH13. We believe that the related results open a stimulating opportunity to study new constructions using a multilinear map abstraction. More practical and secure schemes will appear, and building ABE for circuits based on multilinear maps will be one of the most exciting challenges.
Source: Chinese Journal of Computers (计算机学报), indexed in EI, CSCD and the Peking University Core list; 2018, No. 2, pp. 452-463 (12 pages)
Funding: National Key R&D Program of China (2017YFB0802000); National Natural Science Foundation of China (61572303, 61772326); Open Project of the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences (2017-MS-03); 13th Five-Year National Cryptography Development Fund (MMJJ20170216); Fundamental Research Funds for the Central Universities (GK201702004); Yulin Science and Technology Plan Industry-University-Research Project (2014CXY-08-01)
Keywords: multilinear maps; attribute-based encryption; selective security; general circuits; broadcast encryption