Paper 2023/1947

Using Predicate Extension for Predicate Encryption to Generically Obtain Chosen-Ciphertext Security and Signatures

Marloes Venema, University of Wuppertal
Leon Botros, Radboud University Nijmegen
Abstract

Predicate encryption (PE) is a type of public-key encryption that captures many useful primitives such as attribute-based encryption (ABE). Although much progress has been made to generically achieve security against chosen-plaintext attacks (CPA) efficiently, in practice, we also require security against chosen-ciphertext attacks (CCA). Because achieving CCA-security on a case-by-case basis is a complicated task, several generic conversion methods have been proposed, which typically target different subclasses of PE such as ciphertext-policy ABE. As is common, such conversion methods may sacrifice some efficiency. Notably, for ciphertext-policy ABE, all proposed generic transformations incur a significant decryption overhead. Furthermore, depending on the setting in which PE is used, we may also want to require that messages are signed. To do this, predicate signature schemes can be used. However, such schemes provide a strong notion of privacy for the signer, which may be stronger than necessary for some practical settings at the cost of efficiency. In this work, we propose the notion of predicate extension, which transforms the predicate used in a PE scheme to include one additional attribute, in both the keys and the ciphertexts. Using predicate extension, we can generically obtain CCA-security and signatures from a CPA-secure PE scheme. For the CCA-security transform, we observe that predicate extension implies a two-step approach to achieving CCA-security. This insight broadens the applicability of existing transforms for specific subclasses of PE to cover all PE. We also propose a new transform that incurs slightly less overhead than existing transforms. Furthermore, we show that predicate extension allows us to create a new type of signatures, which we call PE-based signatures. PE-based signatures are weaker than typical predicate signatures in the sense that they do not provide privacy for the signer. Nevertheless, such signatures may be more suitable for some practical settings owing to their efficiency or reduced interactivity. Lastly, to show that predicate extensions may facilitate a more efficient way to achieve CCA-security generically than existing methods, we propose a novel predicate-extension transformation for a large class of pairing-based PE, covered by the pair and predicate encodings frameworks. In particular, this yields the most efficient generic CCA-conversion for ciphertext-policy ABE.

Note: This is an updated version of the following paper: https://eprint.iacr.org/2022/1436 Compared to the old version, this paper also introduces signatures.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. IACR CiC 2024 vol 1
Keywords
predicate encryptionchosen-ciphertext securitysignaturesidentity-based encryptionattribute-based encryption
Contact author(s)
venema @ uni-wuppertal de
l botros @ cs ru nl
History
2024-03-29: revised
2023-12-22: received
See all versions
Short URL
https://ia.cr/2023/1947
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2023/1947,
      author = {Marloes Venema and Leon Botros},
      title = {Using Predicate Extension for Predicate Encryption to Generically Obtain Chosen-Ciphertext Security and Signatures},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1947},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/1947}},
      url = {https://eprint.iacr.org/2023/1947}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.