Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption

In this paper, we present two fully secure functional encryption schemes. Our first resultis a fully secure attribute-based encryption (ABE) scheme. Previous constructions of ABEwere only proven to be selectively secure. We achieve full security by adapting the dualsystem encryption methodology recently introduced by Waters and previously leveraged toobtain fully secure IBE and HIBE systems. The primary challenge in applying dual systemencryption to ABE is the richer structure of keys and ciphertexts. In an IBE or HIBE system,keys and ciphertexts are both associated with the same type of simple object: identities. Inan ABE system, keys and ciphertexts are associated with more complex objects: attributesand access formulas. We use a novel information-theoretic argument to adapt the dualsystem encryption methodology to the more complicated structure of ABE systems. Weconstruct our system in composite order bilinear groups, where the order is a product ofthree primes. We prove the security of our system from three static assumptions. Our ABEscheme supports arbitrary monotone access formulas.Our second result is a fully secure (attribute-hiding) predicate encryption (PE) schemefor inner-product predicates. As for ABE, previous constructions of such schemes wereonly proven to be selectively secure. Security is proven under a non-interactive assumptionwhose size does not depend on the number of queries. The scheme is comparably efficientto existing selectively secure schemes. We also present a fully secure hierarchical PE schemeunder the same assumption. The key technique used to obtain these results is an elaboratecombination of the dual system encryption methodology (adapted to the structure of innerproduct PE systems) and a new approach on bilinear pairings using the notion of dualpairing vector spaces (DPVS) proposed by Okamoto and Takashima.∗Supported by a National Defense Science and Engineering Graduate Fellowship.†Research supported in part from NSF grants 0830803, 0627781, 0716389, 0456717, and 0205594, an equipmentgrant from Intel, and an Okawa Foundation Research Grant‡Supported by NSF CNS-0716199, CNS-0915361, and CNS-0952692, Air Force Office of Scientific Research(AFO SR) under the MURI award for “Collaborative policies and assured information sharing” (Project PRE-SIDIO), Department of Homeland Security Grant 2006-CS-001-000001-02 (subaward 641), and the Alfred P.Sloan Foundation