ABE for Circuits with Constant-Size Secret Keys and Adaptive Security.

An important theme in the research on attribute-based encryption (ABE) is minimizing the sizes of secret keys and ciphertexts. In this work, we present two new ABE schemes with constant-size secret keys, i.e., the key size is independent of the sizes of policies or attributes and dependent only on the security parameter gimel. - We construct the first key-policy ABE scheme for circuits with constant-size secret keys, vertical bar sk(f)vertical bar = poly(gimel), which concretely consist of only three group elements. The previous state-of-the-art scheme by [Boneh et al., Eurocrypt '14] has key size polynomial in the maximum depth d of the policy circuits, vertical bar sk(f)vertical bar = poly(d, gimel). Our new scheme removes this dependency of key size on d while keeping the ciphertext size the same, which grows linearly in the attribute length and polynomially in the maximal depth, vertical bar ct(x)vertical bar = vertical bar x vertical bar poly(d, gimel). - We present the first ciphertext-policy ABE scheme for Boolean formulae that simultaneously has constant-size keys and succinct ciphertexts of size independent of the policy formulae, namely, vertical bar sk(f)vertical bar = poly(gimel) and vertical bar ct(x)vertical bar = poly(vertical bar x vertical bar, gimel). Concretely, each secret key consists of only two group elements. Previous ciphertext-policy ABE schemes either have succinct ciphertexts but non-constant-size keys [Agrawal-Yamada, Eurocrypt '20, Agrawal-Wichs-Yamada, TCC '20], or constant-size keys but large ciphertexts that grow with the policy size as well as the attribute length. Our second construction is the first ABE scheme achieving double succinctness, where both keys and ciphertexts are smaller than the corresponding attributes and policies tied to them. Our constructions feature new ways of combining lattices with pairing groups for building ABE and are proven selectively secure based on LWE and in the generic (pairing) group model. We further show that when replacing the LWE assumption with its adaptive variant introduced in [Quach-Wee-Wichs FOCS '18], the constructions become adaptively secure.