Private-Key Hidden Vector Encryption with Key Confidentiality

Predicate encryption is an important cryptographic primitive that has been recently studied [BDOP04, BW07, GPSW06, KSW08] and that has found wide applications. Roughly speaking, in a predicate encryption scheme the owner of the master secret key K can derive secret key K̃, for any pattern vector ~k. In encrypting a message M , the sender can specify an attribute vector ~x and the resulting ciphertext X̃ can be decrypted only by using keys K̃ such that P (~x,~k) = 1, for a fixed predicate P . A predicate encryption scheme thus gives the owner of the master secret key fine-grained control on which ciphertexts can be decrypted and this allows him to delegate the decryption of different types of messages (as specified by the attribute vector) to different entities. In this paper, we give a construction for hidden vector encryption which is a special case of predicate encryption schemes introduced by [BW07]. Here the ciphertext attributes are vectors ~x = 〈x1, . . . , x`〉 over alphabet Σ, key patterns are vectors ~k = 〈k1, . . . , k`〉 over alphabet Σ ∪ {?} and we consider the Match(~x,~k) predicate which is true if and only if ki 6= ? implies xi = ki. Besides guaranteeing the security of the attributes of a ciphertext, our construction also gives security guarantees for the key patterns. We stress that security guarantees for key patterns only make sense in a private-key setting and have been recently considered by [SSW09] which gave a construction in the symmetric bilinear setting with groups of composite (product of four primes) order. In contrast, our construction uses asymmetric bilinear groups of prime order and the length of the key is equal to the weight of the pattern, thus resulting in an increased efficiency. We remark that our construction is based on falsifiable (in the sense of [BW06, Nao03]) complexity assumptions for the asymmetric bilinear setting and are proved secure in the standard model (that is, without random oracles).