Abstract: We construct the first (key-policy) attribute-based encryption (ABE)
system with short secret keys: the size of keys in our system depends
only on the depth of the policy circuit, not its size. Our constructions
extend naturally to arithmetic circuits with arbitrary fan-in gates
thereby further reducing the circuit depth. Building on this ABE system
we obtain the first reusable circuit garbling scheme that produces
garbled circuits whose size is the same as the original circuit
plus an additive $poly(k,d)$ bits, where $k$ is the security parameter
and $d$ is the circuit depth. All previous constructions incurred a
multiplicative $poly(k)$ blowup.
We construct our attribute-based system using a new mechanism we call
fully key-homomorphic encryption which is a public-key system that
lets anyone translate a ciphertext encrypted under a public-key
$\vec{pk}=(pk_1,...,pk_n)$ into a ciphertext encrypted under
the public-key $(f(\vec{pk}),f)$ of the same plaintext, for any
efficiently computable $f$. We show that this mechanism gives an ABE
with short keys. Security of our construction relies on the subexponential
hardness of the learning with errors problem.
We also present a second (key-policy) ABE, using multilinear maps,
with short ciphertexts: an encryption to an attribute vector $\vec{x}$
is the size of $\vec{x}$ plus $poly(k,d)$ additional bits. This gives a
reusable circuit garbling scheme where the garbled input is short.
Joint work with Dan Boneh, Craig Gentry, Shai Halevi, Valeria
Nikolaenko, Gil Segev, Vinod Vaikuntanathan, and Dhinakaran Vinayagamurthy