Policy-based Non-interactive Outsourcing of Computation using

Multikey FHE and CP-ABE

Michael Clear

∗

and Ciar´an McGoldrick

School of Computer Science and Statistics, Trinity College Dublin, Dublin, Ireland

Keywords:

Non-interactive Computing Delegation, Multikey FHE, CP-ABE, Homomorphic Encryption, Access Policy

Composition

Abstract:

We consider the problem of outsourced computation that operates on encrypted inputs supplied by multiple

independent parties. To facilitate ﬁne-grained access control, it would be desirable if each party could encrypt

her input under an appropriate access policy. Moreover, a party should only be authorized to decrypt the

result of a computation performed on a set of encrypted inputs if his credentials satisfy the composition of

all input policies. There has been limited success so far achieving homomorphic encryption in the functional

setting; that is, for primitives such as Ciphertext-Policy Attribute Based Encryption (CP-ABE) and Identity

Based Encryption (IBE). We introduce a new primitive that captures homomorphic encryption with support for

access policies and policy composition. We then present a generic construction using CP-ABE and multikey

Fully-Homomorphic encryption (FHE). Furthermore, we show that a CP-ABE scheme that is homomorphic

for circuits of polylogarithmic depth in some parameter m implies a CP-ABE scheme that is homomorphic for

circuits of arity m and unbounded depth.

1 INTRODUCTION

With the advent of cloud computing, there is a rapidly

expanding interest in using remote data centers to

perform large computational tasks. Many organiza-

tions do not have the computational resources to per-

form such tasks and the low cost,scalable and highly

available model offered by remote providers present

an attractive option to organizations. A signiﬁcant

downside of delegating computing jobs to the cloud

is the risk of exposure of the delegator’s sensitive

data. Indeed, sending such data in an unencrypted

form may be strictly prohibited by government and

industry policies. A number of cryptographic primi-

tives have been proposed to preserve privacy in com-

puting tasks carried out by untrusted or semi-trusted

parties. A well-known example is fully-homomorphic

encryption (FHE), which was ﬁrst realized in 2009 by

Gentry (Gentry, 2009). FHE allows us to outsource a

computation to a cloud provider in such a way that the

cloud provider can carry out the computation with-

out being able to see the inputs and outputs. Gen-

try’s construction is public-key and thus allows public

delegatability insofar as the sender(s) of inputs to the

∗

The author’s work is funded by the Irish Research

Council EMBARK Initiative.

cloud need not have access to the secret key needed

to decrypt the result. Therefore, multiple encryptors

may independently contribute data that is to be (po-

tentially) incorporated into a large remote computa-

tion.

1.1 The Problem Domain

In standard public-key FHE, there is only a single tar-

get recipient. This may be ill-suited to the needs of

a large organization. Consider a scenario where staff

have restricted access to data based on their depart-

ment and position. The organization has opted to avail

of the computational resources of a cloud provider

for the purpose of delegating sizeable computational

tasks. Each sender of data acts independently since

they are potentially unaware of other’s participation.

To comply with the organization’s privacy regula-

tions, each sender must encrypt her data under an ap-

propriate access policy that speciﬁes the credentials

a staff member must have in order to access the data

(or any derivative thereof). We assume such an access

policy is feasibly determined from the data source and

context.

The computation to be performed, and the inputs

to be used, may be decided at a later stage by a sub-

444

Clear M. and McGoldrick C..

Policy-based Non-interactive Outsourcing of Computation using Multikey FHE and CP-ABE.

DOI: 10.5220/0004534304440452

In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT-2013), pages 444-452

ISBN: 978-989-8565-73-0

 2013 SCITEPRESS (Science and Technology Publications, Lda.)

set of the senders, or another delegated authority. The

results of the computation are then subsequently re-

turned to the organization, and they should only be

accessible to a given staff member if her credentials

satisfy the cumulative policies associated with all the

inputs used.

One solution is to use public-key FHE together

with a trusted access control system (ACS), which

holds the private key for the FHE scheme. The role

of the ACS is to grant users (i.e. staff members in the

above scenario) access to a plaintext after verifying

that their credentials satisfy the policy set associated

with the corresponding ciphertext. Access control of

this form facilitates expressive policies. However,

it must be used in conjunction with a cryptographic

primitive such as a non-interactive zero-knowledge

proof system as, otherwise, unauthorized users may

collude in order to report an incorrect policy.

This approach suffers from a number of draw-

backs:

• All parties interested in a result are required to

contact the ACS, which must remain online and

exhibit high availability in order to guarantee sat-

isfactory responsiveness. The ACS may therefore

act as a bottleneck, especially under high load sce-

narios.

• Adhering to the principle of least privilege, the or-

ganization may wish to limit the capabilities of the

ACS. In particular, it may have reservations about

the ACS being compromised, and potentially pro-

viding an attacker access to all results returned

from the cloud.

• Remote users, with appropriate valid credentials,

cannot directly query the cloud for data and de-

crypt non-interactively. All requests must be

routed via the organization’s ACS.

Many of these shortcomings are ﬂexibly ad-

dressed through a functional encryption (FE) ap-

proach. In the FE setting, a trusted authority (TA)

authenticates and authorizes users by issuing them

secret keys for certain capabilities. For our pur-

poses, we deal with a special case of FE known

as ciphertext-policy attribute-based encryption (CP-

ABE) where the capabilities correspond to creden-

tials or attributes. Note that we use the term attribute

here to refer to (collectively) what some authors de-

scribe as a particular set of attributes. A user with a

secret key for an attribute a can decrypt any ciphertext

encrypted under a policy satisﬁed by a. A principal

advantage of CP-ABE over an ACS-based solution is

that once the user is issued a secret key for a, no fur-

ther interaction with the TA is required (for a certain

period of time i.e. a may be time-limited) throughout

which the user can decrypt an arbitrary number of ci-

phertexts non-interactively. The advantages of ABE

in distributed environments have been investigated in

other work, such as (Pirretti et al., 2010). Although

CP-ABE has some deﬁciencies, such as inherent es-

crow (which the ACS approach suffers from also) and

a lack of support for revocation, it is well-suited to

achieving ﬁne-grained access control with minimal

interaction.

It is not trivial to reconcile the features of FHE

and CP-ABE. There are currently no known fully-

homomorphic CP-ABE schemes. Indeed, there are

also no fully-homomorphic identity-based encryption

(IBE) schemes, which is a weaker primitive than CP-

ABE.

1.2 Contributions

In this work, we propose a syntax for a more gen-

eral primitive which seeks to capture the requirements

of the problem space described above, while incor-

porating properties from FHE and CP-ABE. We call

this primitive policy-based homomorphic encryption

(PBHE). The formulation of PBHE extends the recent

deﬁnition of multikey FHE by Lopez-Alt, Tromer and

Vaikuntanathan (L´opez-Alt et al., 2012). Central to

PBHE is the notion of access policy composition, and

we deﬁne the syntax and the correctness properties of

PBHE in terms of an algebraic structure deﬁned on

access policies. PBHE can be instantiated by any ho-

momorphic CP-ABE scheme or any standard homo-

morphic public-key cryptosystem.

Another contribution of this work is the construc-

tion of a new PBHE scheme that supports fully-

homomorphic evaluation of circuits whose input ci-

phertexts are encrypted under a bounded number of

independently-chosen policies. This scheme fulﬁlls

the requirements of the scenario outlined above for a

bounded number of senders. This bound is polyno-

mial in the security parameter.

Finally, and leveraging the work of (L´opez-Alt

et al., 2012), we prove that if a CP-ABE scheme E

is homomorphic for a class of circuits of polyloga-

rithmic depth in a parameter m (which is polynomial

in the security parameter), then there exists a scheme

′

that is homomorphic for all circuits with arity m

and with arbitrary depth. This is a signiﬁcant result as

obtaining homomorphic CP-ABE for circuits of un-

boundeddepth has been impeded by the fact that there

does not seem to be a way to employ bootstrapping in

the functional setting (non-interactively) since boot-

strapping requires encryptions of the secret key bits

to be available as part of the public key.

We note that our work in this paper is limited to

Policy-basedNon-interactiveOutsourcingofComputationusingMultikeyFHEandCP-ABE

445

the semi-honest model. In particular, we assume that

the cloud is semi-honest. We leave to future work the

challenge of securing against malicious adversaries,

especially in verifying that a function was evaluated

correctly.

1.3 Related Work

Homomorphic encryption in a multi-user setting is

considered in (Xiao et al., 2012). The authors propose

a new homomorphic symmetric encryption scheme

that is shown to be secure under a factoring assump-

tion, provided an attacker is limited to obtaining a

bounded number (polynomial in the security param-

eter) of plaintext-ciphertext pairs. The authors also

propose a system model with mutually untrusted com-

ponents that enables a master key for their scheme

to be derived from any user’s key by splitting it into

shares that are distributed to each component by a

dealer at system initialization time. However, their

solution requires interaction with a server known as

a key agent for every request/response to/from the

cloud. Furthermore, their solution does not support

any level of expressive access control.

The notion of multikey FHE was recently pre-

sented in (L´opez-Alt et al., 2012) along with a con-

crete construction based on NTRU (Hoffstein et al.,

1998). In that work, multikey FHE is used to con-

struct an “on-the-ﬂy”multi-party computation (MPC)

protocol that is secure in the malicious setting. In such

an MPC protocol, a number of parties independently

send encrypted inputs to an evaluator without interac-

tion. The evaluator then computes a function F over

the inputs and sends the encrypted result to each party.

It is then possible for the senders to run an interac-

tive MPC protocol to jointly decrypt the result, verify

each other’s participation, and verify F was honestly

computed by the evaluator. While we make use of

multikey FHE for our generic construction in Section

5 and as a basis for the syntax of PBHE in Section 4,

we address a different problem than (L´opez-Alt et al.,

2012) i.e. we do not target MPC wherein each party

wishes to keep his input secret. In our protocol, inter-

active decryption is avoided at the loss of veriﬁability.

Achieving the latter in a meaningful way is a topic for

future work.

Additional related work arises in the ABE set-

ting, such as the construction of CP-ABE (Bethen-

court et al., 2007), and in the area of access control

facilitating access policy composition (Bonatti et al.,

2002; Bruns et al., 2007; Ni et al., 2009). More re-

cently (Rao et al., 2011)’s work on policy composi-

tion has targeted real-world access control languages

like XACML (Moses et al., 2005). In our context the

objects to protect are data, and the policies are not en-

forced by a server but rather by an encryption scheme,

so it is important to note that the scope for policy com-

position is far more restrictive as it is necessary to pre-

serve semantic security.

Homomorphic encryption in the functional set-

ting was investigated recently in (Clear et al., 2013)

and a group-homomorphicIBE scheme was presented

therein. Thus far, the IBE variant of the scheme from

(Gentry et al., 2010) is the only IBE scheme to the

best of our knowledge that can compactly evaluate 2-

DNF formulae.

2 PRELIMINARIES

2.1 Notation

A quantity t is said to be negligible in a parameter κ

if it holds that t < 1/ f(κ) for all polynomials f.

If D is a random variable, the notation x

←− D de-

notes the fact that x is sampled according to the distri-

bution on D. If instead that D is a set, then the nota-

tion is understood to mean that x is uniformly sampled

from D.

2.2 Access Policies

An access policy is a predicate that grants or denies

permission to access a particular object in some spe-

ciﬁc manner. Some contexts require rich policies that

present multiple outcomes for an access. For exam-

ple, Bruns, Dantas and Huth (Bruns et al., 2007) rep-

resent a policy as a four-valuedpredicate whose range

is {grant, deny, unspeciﬁed or conﬂict}. Access con-

trol systems with these requirements typically accom-

modate many modes of access to an object. In our

case, the objects correspond to data, and it is mean-

ingful in this context to either grant or deny (mutually

exclusive) access to a datum. Therefore, we naturally

represent an access policy as a two-valued predicate.

2.3 CP-ABE Syntax

A CP-ABE scheme for a class of access policies F

deﬁned over a domain of attributes A with message

space M is a tuple of PPT algorithms (Setup, Extract,

Enc,Dec). As mentioned in the introduction, we refer

to the entity that an access policy is applied to as an

attribute instead of a set of attributes as in (Bethen-

court et al., 2007). An attribute a in a domain A may

be viewed as a set of “sub-attributes”. Accordingly,

we express access policies as predicates i.e. F ⊆ A →

SECRYPT2013-InternationalConferenceonSecurityandCryptography

446

{0,1}. The Trusted Authority (TA) runs Setup to gen-

erate the public parameters PP and a master secret

key MSK. It runs sk

← Extract(MSK,a) to derive a

secret key for an attribute a ∈ A.

There are two main deﬁnitions of semantic secu-

rity are distinguished by whether the adversary is al-

lowed to make adaptive requests for secret keys. In

the non-adaptive (IND-NA-CPA) game, a challenger

hands PP to the adversary A who can make queries to

an extraction oracle X := Extract(MSK, ·) to obtain

secret keys for certain attributes. At the end of this

phase, A chooses a target policy f

∗

∈ F and two mes-

sages m

∈ M. The challenger uniformly samples

a bit b

←− {0,1} and gives an encryption of m

under

∗

to A . Finally, A outputs a guess bit b

′

and is said

to win if b = b

′

The advantage of A is deﬁned as Pr[b

′

= b]− 1/2.

A CP-ABE scheme is said to be IND-NA-CPA secure

if every PPT adversary A has only a negligible ad-

vantage in the above game. In the adaptive variant

(IND-AD-CPA), A is also allowed to make queries to

X after the challenge ciphertext is generated.

2.4 Multikey FHE

Multikey FHE allow multiple independently-

generated keys to be used together in a homomorphic

evaluation. The syntax of multikey FHE imposes

a limit N on the number of such keys that can be

supported. Furthermore, the size of the evaluated

ciphertext does not depend on the size of the circuit

(or number of inputs), but instead on the number

of independent keys used. In order to decrypt, the

parties who have the corresponding secret keys must

collaborate in an MPC protocol.

Deﬁnition 2.1 (Based on Deﬁnition 2.1 in (L´opez-Alt

et al., 2012)). A multikey C-homomorphic scheme

family for a class of circuits C and message

space M is a family of PPT algorithms {E

(N)

(Gen,Enc,Dec,Eval)}

N>0

where E

(N)

is deﬁned as

follows:

• MKFHE.Gen takes as input the security parame-

ter 1

and outputs a tuple (pk,sk, vk) where pk is

a public key, sk is a secret key and vk is an evalu-

ation key.

• MKFHE.Enc takes as input a public key pk and a

message m ∈ M, and outputs an encryption of m

under pk.

• MKFHE.Dec takes as input N secret keys

,.. ., sk

and a ciphertext c, and outputs a mes-

sage m

′

∈ M.

• MKFHE.Eval takes as input a circuit C ∈ C, and ℓ

pairs (c

,vk

),.. ., (c

ℓ

,vk

ℓ

) and outputs a cipher-

text c

⋆

Informally, evaluation is only required to be cor-

rect if at most N keys are used in MKFHE.Eval; that

is, |{vk

,.. .,vk

ℓ

}| ≤ N. Furthermore, the size of an

evaluated ciphertext c

⋆

must only depend polynomi-

ally on the security parameter κ and the number of

keys N, and not on the size of the circuit.

The IND-CPA security game for multikey homo-

morphic encryption is the same as that for standard

public-keyencryption; note that the adversaryis given

the evaluation key vk.

3 HOMOMORPHIC CP-ABE

WITH BOUNDED

COMPOSITION

Let F be a set of valid access policies which accept

or reject members of a set of attributes A. An access

policy f ∈ F is represented as a predicate A → {0, 1}.

Recall that our goal is to facilitate joint computa-

tion on encrypted inputs contributed by multiple inde-

pendent parties, who may be unaware of each other.

Moreover, each party has the liberty to encrypt her in-

puts under an independently-chosen policy. Accord-

ingly, it is necessary to support composition of these

policies. Intuitively, one would expect that the result

of the joint computation be decryptable by users with

an attribute that satisﬁes the composite policy. There-

fore, we introduce a binary composition operation ⊙

deﬁned on F.

We begin by giving a precise deﬁnition of ho-

momorphic CP-ABE. A CP-ABE scheme is homo-

morphic for a class of circuits C if there is an ad-

ditional algorithm Eval and a composition operation

⊙ : F

→ F such that over all choices of f

,.. ., f

ℓ

∈

F, m

,.. ., m

ℓ

∈ M, c

← Enc(PP, f

),.. ., c

ℓ

←

Enc(PP, f

ℓ

) and C ∈ C, the ciphertext c

′

←

Eval(PP,C, c

,.. ., c

ℓ

) satisﬁes

• Correctness

Dec(sk

′

) = C(m

,.. ., m

ℓ

) iff f

′

(a) = 1 (1)

for any a ∈ A and sk

← Extract(MSK,a).

• Compactness

′

| = poly(κ,| f

′

|) (2)

where f

′

= f

⊙ . .. ⊙ f

ℓ

The main idea in this paper is to exploit multi-

key FHE and CP-ABE to construct a new CP-ABE

scheme that is homomorphic for a class of circuits

C of bounded arity. However, we can only achieve

Policy-basedNon-interactiveOutsourcingofComputationusingMultikeyFHEandCP-ABE

447

this for certain policy algebras (F,⊙). Let E

ABE

be a CP-ABE scheme and let E

MKFHE

be a multi-

key FHE scheme. Roughly speaking, to encrypt a

message m under policy f in our scheme, (1) a key

triple (pk,vk,sk) is generated for E

MKFHE

; (2) m is

encrypted with E

MKFHE

under pk; (3) sk is encrypted

with E

ABE

under policy f; (4) the two previous ci-

phertexts along with vk constitute the ciphertext that

is produced. Therefore, E

MKFHE

is used for hiding the

message and for homomorphic computation whereas

ABE

enforces the access policies by appropriately

hiding the secret keys for E

MKFHE

. Technically, it is

the number of compositions in our scheme that must

be bounded and not the arity of the circuits. However,

the former implies the latter due to the syntactic re-

strictions of homomorphic CP-ABE (See Section 4).

It might seem necessary that ⊙ be both commu-

tative and associative. However, we only require that

these properties hold with respect to semantics. We

say that two policies f,g ∈ F are semantically equiv-

alent, written f ∼ g, if for all attributes a ∈ A, we

have that f (a) = g(a). Formally, it is required that ∼

be a congruence relation with respect to ⊙ and that

(F/ ∼,⊙) be a commutative semigroup. In sum, the

properties that ⊙ must satisfy for any f, g,h ∈ F are

as follows:

f ⊙ g ∼ g⊙ f (3)

( f ⊙ g) ⊙ h ∼ f ⊙ (g⊙ h) (4)

( f ⊙ g)(a) ⇒ f(a) ∧ g(a) (5)

for any a ∈ A.

Note that the last property is necessary for semantic

security.

We denote the size of a policy f ∈ F by its length,

written | f| ∈ N. For some algebras, the size of poli-

cies do not always grow with composition. Consider

the following semilattices (commutative idempotent

semigroups).

• the Kronecker semilattice where ⊙ is deﬁned as:

f ⊙ g =

(

f if f = g

z otherwise

and z is a distinguished policy in F with the prop-

erty that z(a) = 0 ∀a ∈ A.

• the meet semilattice where ⊙ is deﬁned as ∧.

Using our approach as described above, we cannot

construct homomorphic CP-ABE for idempotent al-

gebras (F,⊙) because | f ⊙ f| = | f|, which implies

that the compactness condition given by 2 cannot be

satisﬁed since the ciphertexts in our scheme grow

with composition. However, we have obtained the

following result. Suppose that E

ABE

is a somewhat-

homomorphic CP-ABE scheme with a policy algebra

(F,⊙). More precisely, suppose that E

ABE

is homo-

morphic for a class of circuits C of depth that is poly-

logarithmic in the security parameter. Then there ex-

ists a CP-ABE scheme for (F,⊙) that is homomor-

phic for a class of circuits of arbitrary depth whose

arity is bounded by a ﬁxed polynomial in the security

parameter. Informally, the theorem gives us a way to

trade “breadth” (arity) for depth.

Theorem 3.1. Let E

ABE

be a CP-ABE scheme with

attribute space A, message space M

ABE

and whose

policy algebra(F,⊙) is an idempotent semigroup. Let

κ be the security parameter. Let m = poly(κ). If

ABE

is homomorphic for all circuits whose depth is

bounded from above by O(log

m), then there exists a

secure CP-ABE scheme that is homomorphic for all

circuits of arbitrary depth with at most m inputs.

The proof is deferred to the extended version

(Clear and McGoldrick, 2013) of this work.

4 POLICY-BASED

HOMOMORPHIC

ENCRYPTION

Our approach is applicable to policy algebras (F,⊙)

where the policy size always grows with composition.

An example of such an algebra is the free semigroup

∗

on a set F. Moreover, our approach can handle at

most N compositions where N is the maximum num-

ber of independent users supported by the multikey

FHE scheme E

MKFHE

. Observe that the inputs en-

crypted by the same user under the same policy need

not be composed together with ⊙. Therefore, the

scheme can handle more than N inputs, but at most

N independent policies. However, the syntax of ho-

momorphic CP-ABE is too limited to capture this ex-

emption. This fact serves to motivate the formula-

tion of a more general primitive which we refer to as

policy-based homomorphic encryption (PBHE). Our

formulation of PBHE is inﬂuenced considerably by

the deﬁnition of multikey FHE, and inherits many of

its properties.

Deﬁnition 4.1. A Policy-Based Homomorphic En-

cryption (PBHE) scheme for a class of circuits

C, a commutative semigroup of access policies

(F/ ∼, ⊙) and a set of attributes A is a fam-

ily of algorithms {E

(N)

:= (Setup,Extract,GenKey,

Enc,Dec,Eval)}

N≥1

where E

(N)

is deﬁned as follows:

SECRYPT2013-InternationalConferenceonSecurityandCryptography

448

• (PP, MSK) ← Setup(1

): Given a security pa-

rameter κ, output public parameters PP and a

master secret key MSK.

• sk

← Extract(MSK,a): Given a master secret

key MSK and an attribute a ∈ A, output a secret

key sk

for a.

• vk

← GenKey(PP, f): Given public parameters

PP and an access policy f ∈ F, output a pair of

encryption and evaluation keys (ek

,vk

) for f.

• c ← Enc(PP,ek

,m): Given public parameters

PP, an encryption key ek

for policy f, and a

plaintext m ∈ M, output a ciphertext c that en-

crypts m under policy f.

• m ← Dec(sk

,c): Given a secret key sk

for at-

tribute a ∈ A and a ciphertext c that encrypts a

message m under access policy f, output m iff

f(a) = 1 and ⊥ otherwise.

• c

′

← Eval(C,(c

,vk

),.. . ,(c

ℓ

,vk

ℓ

)): Given a cir-

cuit C ∈ C and a sequence of ℓ pairs of ciphertext

and evaluation keys, output a ciphertext c

′

For every (PP, MSK) ← Setup(1

), every col-

lection of t ≤ N access policies f

,.. ., f

∈ F, and

every collection of key-pairs K := {(ek

,vk

) ←

GenKey(PP, f

)}

i∈[t]

, every sequence of ℓ tuples

{(c

,vk

) : v

∈ [t],c

← Enc(PP, ek

)}

i∈[ℓ]

and all attributes a ∈ A and secret keys

← Extract(MSK,a), and all circuits C ∈ C,

the following properties are satisﬁed for ev-

ery c

′

= Eval(C, (c

,vk

),.. ., (c

ℓ

,vk

ℓ

) where

′

j∈{v

,...,v

ℓ

}

• Correctness:

1. vk

= vk

⇒ f

= f

for i, j ∈ [t].

2. Dec(sk

′

) = C(m

,.. ., m

ℓ

) iff f

′

(a) = 1 and

⊥ otherwise.

• Compactness: |c

′

| = poly(κ, | f

′

Informally, the ﬁrst correctness condition requires

that evaluation keys be uniquely associated with an

access policy. Besides including information neces-

sary for evaluation, which could instead be embedded

in the ciphertext, the main role of an evaluation key is

to allow ciphertexts produced by the same encryptor

to be grouped together into classes. The composition

operation is not applied among the members of such

classes according to the second correctness condition.

In other words, composition is performed on equiv-

alence classes where the equivalence relation is de-

ﬁned by equality of evaluation keys. The motivation

for this is to compensate for the non-idempotency of

an operation ⊙. For example, it may be the case that

the ciphertexts produced by the same encryptor share

information that can be exploited to assist homomor-

phic computation among them. This is exempliﬁed by

multikey FHE.

Security. The semantic security deﬁnition for PBHE

is similar to that of CP-ABE. We also refer to this as

IND-AD-CPA security. In fact, the security game is

the same as that for CP-ABE except that the adver-

sary is also given (ek,vk) ← PBHE.GenKey(PP, f

⋆

)

after it chooses a target policy f

⋆

. There is a subtlety

with respect to the ciphertexts outputted by the eval-

uation algorithm, namely ensuring that a user can de-

crypt such ciphertexts if and only if they have a secret

key for an attribute that satisﬁes the composite policy.

This is explored further in the extended version.

5 CONSTRUCTION OF PBHE

In this section, we construct a new generic PBHE

scheme that can be instantiated by an IND-AD-CPA

secure CP-ABE scheme together with any IND-CPA

secure multikey FHE scheme.

Remark. Concrete constructions of CP-ABE and

multi-key FHE already exist which fulﬁll the prop-

erties we need. Examples of the former include

(Bethencourt et al., 2007; Waters, 2011) and an ex-

ample of the latter is the NTRU-based construction

from (L´opez-Alt et al., 2012).

Let E

ABE

= (ABE.Setup,ABE.Extract,ABE.Enc,

ABE.Dec) be a CP-ABE scheme for a class

of policies F

ABE

, a set of attributes A

ABE

and a message space M

ABE

. Let {E

(N)

MKFHE

(MKFHE.Gen,MKFHE.Enc,MKFHE.Dec,

MKFHE.Eval)}

N>0

be a family of multikey fully-

homomorphic encryption schemes. In our generic

PBHE scheme, the set of attributes A is deﬁned as

A , A

ABE

. Now we need to deﬁne an algebraic

structure of access policies (F, ⊙) that obeys the

three properties given by 3, 4 and 5.

5.1 Supported Access Policies and

Composition

Deﬁne a subset F ⊆ F

ABE

that is closed under ∧. We

deﬁne (F,⊙) as the free semigroup F

∗

on F i.e. the

set of ﬁnite strings composed of elements of F. For

brevity, we will use juxtaposition instead of explicitly

writing ⊙ when representing policies in F. The se-

mantic interpretation of a policy f

... f

ℓ

∈ F is such

that the following holds

... f

ℓ

∼ f

∧ .. . ∧ f

ℓ

Moreover, the size | f| of a policy f = f

... f

ℓ

is the

sum

∑

ℓ

i=1

|. This is to be distinguished from the

length of a policy in f ∈ F, written λ( f), which is the

Policy-basedNon-interactiveOutsourcingofComputationusingMultikeyFHEandCP-ABE

449

length of the corresponding string of elements from

Note that any policy f ∈ F can be transformed into

a semantically equivalent policy f

′

with λ( f

′

) = 1.

Thus, we assume without loss of generality that this

is what the GenKey algorithm takes as input.

5.2 Key Trees

Now we show how our PBHE scheme enforces ac-

cess policies in F and how it handles composition. By

abuse of notation, we write ABE.Enc(PP, f,M) for

M /∈ M

ABE

to signify the encryption of multiple ele-

ments of M

ABE

in order to “cover” M. The analogous

notion is also assumed for decryption.

Let f be a policy in F. Our approach involves

mapping f to a binary tree τ

(which we call a key

tree) whose nodes are associated with ciphertexts in

the CP-ABE scheme. Each leaf node corresponds to

an element of F while an interior node corresponds to

the conjunction of its left and right branches. More

precisely, the leaf nodes are encryptions of the se-

cret keys for E

MKFHE

XORed with a random blinding

string. An interior node encrypts the concatenation of

the blinding strings of its child nodes XORed with a

new blinding string. Thus, in order to access the se-

cret keys at the leaves, it is necessary to decrypt from

the root down. Thus, if a user’s attribute satisﬁes the

root policy, she can decrypt every layer and eventu-

ally recover the secret keys hidden by the ciphertexts

at the leaves. Indeed, satisfying the root policy is a

sufﬁcient and necessary condition to recover any se-

cret key.

A key tree τ

for a policy f := f

... f

ℓ

consists

of a list of CP-ABE ciphertexts [ψ

]

i≤2ℓ−1

. We as-

sociate with each leaf node in τ

a unique key tuple

(pk,sk, vk) ← MKFHE.Gen(1

) in the multikey FHE

scheme. Roughly speaking, we set the leaf node of

to an encryption of sk ⊕ r under f in the CP-ABE

scheme where r is a random string of length |sk|. Ev-

ery tree is associated with such a random value, and

thus for convenience, we will sometimes refer to a

pair (r,[ψ

]

i≤2

h+1

−1

) as a “tree”.

Now to construct a key tree for a policy f, con-

sider an algorithm MkTree

⋆

which proceeds as fol-

lows:

1. On input f ∈ F, decompose f into f

... f

2. For 1 ≤ i ≤ k:

(a) Set (pk

,sk

,vk

) ← MKFHE.Gen(1

(b) Uniformly sample r

←− {0,1}

|sk

← ABE.Enc(PP,f

⊕ sk

(d) Set τ

← (r

,[ψ

]).

3. For 1 ≤ i ≤ ⌈lgk⌉:

(a) For 1 ≤ j ≤ ⌈k/2

⌉:

i. If 2j > ⌈k/2

i−1

⌉, set τ

← τ

2j−1

ii. Else set τ

← Combine(τ

2j−1

,τ

)

4. Output (τ

, (pk

,vk

),.. ., (pk

,vk

)).

where Combine is deﬁned below.

Note that we denote by MkTree the variant of

MkTree

⋆

that outputs only the ﬁrst component of the

tuple outputted by MkTree

⋆

, namely the tree τ

To combine two trees τ

:= (r,[χ

]

i≤2ℓ

−1

) and

:= (s,[ψ

]

i≤2ℓ

−1

) for policies f := f

... f

ℓ

(g :=

... g

ℓ

resp.), the following algorithm is used (we

refer to this algorithm as Combine):

1. Uniformly sample t

←− {0,1}

|rks|

2. Compute ω ← ABE.Enc(PP,f

′

∧ g

′

,⊕(r k s))

where f

′

= f

∧ .. . ∧ f

ℓ

and g

′

= g

∧ .. . ∧ g

ℓ

3. Construct the tree

(t,[ω, χ

,.. ., χ

2ℓ

−1

,ψ

,.. ., ψ

2ℓ

−1

]).

Decrypting a tree with a secret key sk

for an at-

tribute a ∈ A is deﬁned recursively:

• DecTree(sk

,(t,[ω])) =

(

[π⊕ t] if π 6= ⊥

[] otherwise

where π = ABE.Dec(sk

,ω).

•

DecTree(sk

,(t

k t

[ω] k [χ

]

i≤2ℓ

−1

k [ψ

]

i≤2ℓ

−1

)) =











DecTree(sk

,(r⊕t

,[χ

]

i≤2ℓ

−1

))

k DecTree(sk

,(s⊕ t

,[ψ

]

i≤2ℓ

−1

))

if π = (rks)

[] if π = ⊥

where π = ABE.Dec(sk

,ω).

Therefore, DecTree produces a list of secret keys for

MKFHE

, which may be empty if the attribute does not

satisfy the associated policy.

5.3 Construction

For brevity, we will assume that all policies f passed

as input to GenKey satisfy λ( f) = 1. Our PBHE

scheme E

PBHE

is deﬁned as follows:

• Setup(1

): Given a security parameter κ, gen-

erate (PP,MSK) ← ABE.Setup(1

). Output

(PP,MSK).

• Extract(MSK,a): Given a master secret key

MSK and an attribute a ∈ A, output sk

←

ABE.Extract(MSK,a).

SECRYPT2013-InternationalConferenceonSecurityandCryptography

450

• GenKey(PP, f): Given public parameters PP and

an access policy f ∈ F, run:

1. On assumption (above) f can be parsed as f

where f ∈ F.

2. Compute (τ,(pk,vk)) ← MkTree

⋆

( f).

3. Set ek ← ((pk, vk),τ).

4. Output (ek,vk).

• Enc(PP,ek

,m): Given public parameters PP, an

encryption key ek

for policy f, and a plaintext

m ∈ M, run:

1. Parse ek

as ((pk,vk),τ).

2. Compute c

∗

← MKFHE.Enc(pk,m).

3. Output c := (c

∗

,τ).

• Dec(sk

,c): Given a secret key sk

for attribute

a ∈ A and a ciphertext c that encrypts a message

m under access policy f, run:

1. Parse c as (c

∗

,τ).

2. If DecTree(sk

,τ) = [] (empty list), then output

⊥ and abort.

3. Set [sk

,.. ., sk

] ← DecTree(sk

,τ)

4. Compute m ← MKFHE.Dec(sk

,.. ., sk

∗

5. Output m.

• Eval(C,(c

,vk

),.. ., (c

ℓ

,vk

ℓ

)): Given a circuit

C ∈ C and a sequence of ℓ pairs of ciphertext and

evaluation keys, perform the following steps:

1. Parse each c

as (c

∗

,τ

2. Set V := {vk

,.. ., vk

ℓ

3. For each vk ∈ V, set C

:= {c

∗

: vk

= vk}.

4. Set T := {τ

}

i∈[ℓ]

(recall that ciphertexts en-

crypted under the same vk have the same τ com-

ponent).

5. Run Combine to recursively build a tree τ from

all elements in T.

6. Set c

∗

← MKFHE.Eval(C,(c

,vk

),.. ., (c

ℓ

,vk

ℓ

)).

7. Output (c

∗

,τ).

Theorem 5.1. If E

ABE

is an IND-AD-CPA-secure

CP-ABE scheme and E

(N)

MKFHE

is an IND-CPA-secure

multikey FHE scheme, then E

(N)

PBHE

is IND-AD-CPA-

secure.

The proof is presented in the extended version

(Clear and McGoldrick, 2013).

6 CONCLUSIONS AND FUTURE

WORK

We have initiated the study of homomorphic encryp-

tion with support for ﬁne-grained access control and

composition. Furthermore, we have proposed a syn-

tax for a primitive that captures the problem of ho-

momorphic encryption in this setting. An instantia-

tion of this primitive was presented that makes use

of both CP-ABE and multikey FHE, and shown to be

semantically secure. Given that there are currently

no known fully-homomorphic (or even somewhat-

homomorphic) CP-ABE schemes, it seems that our

construction is the only way to achieve the same goal,

albeit for a bounded number of independent users. In

future work, we hope to move beyond the semi-honest

model and tackle the problem of veriﬁability.

REFERENCES

Bethencourt, J., Sahai, A., and Waters, B. (2007).

Ciphertext-policy attribute-based encryption. In Pro-

ceedings of the 2007 IEEE Symposium on Security

and Privacy, SP ’07, pages 321–334, Washington,

DC, USA. IEEE Computer Society.

Bonatti, P., De Capitani di Vimercati, S., and Samarati, P.

(2002). An algebra for composing access control poli-

cies. ACM Trans. Inf. Syst. Secur., 5(1):1–35.

Bruns, G., Dantas, D. S., and Huth, M. (2007). A simple

and expressive semantic framework for policy com-

position in access control. In Proceedings of the 2007

ACM workshop on Formal methods in security en-

gineering, FMSE ’07, pages 12–21, New York, NY,

USA. ACM.

Clear, M., Hughes, A., and Tewari, H. (2013). Homo-

morphic encryption with access policies: Character-

ization and new constructions. In Youssef, A., Nitaj,

A., and Hassanien, A., editors, Progress in Cryptology

AFRICACRYPT 2013, volume 7918 of Lecture Notes

in Computer Science, pages 61–87. Springer Berlin

Heidelberg.

Clear, M. and McGoldrick, C. (2013). Policy-Based Non-

interactive Outsourcing of Computation using multi-

key FHE and CP-ABE. Cryptology ePrint Archive.

http://eprint.iacr.org/.

Gentry, C. (2009). Fully homomorphic encryption using

ideal lattices. Proceedings of the 41st annual ACM

symposium on Symposium on theory of computing

STOC 09, (September):169.

Gentry, C., Halevi, S., and Vaikuntanathan, V. (2010).

A Simple BGN-Type Cryptosystem from LWE. In

Gilbert, H., editor, EUROCRYPT, volume 6110 of

Lecture Notes in Computer Science, pages 506–522.

Springer.

Hoffstein, J., Pipher, J., and Silverman, J. H. (1998). NTRU:

a ring-based public key cryptosystem. Lecture Notes

in Computer Science, 1423:267–288.

L´opez-Alt, A., Tromer, E., and Vaikuntanathan, V. (2012).

On-the-ﬂy multiparty computation on the cloud via

multikey fully homomorphic encryption. In Proceed-

ings of the 44th symposium on Theory of Computing,

STOC ’12, pages 1219–1234, New York, NY, USA.

ACM.

Policy-basedNon-interactiveOutsourcingofComputationusingMultikeyFHEandCP-ABE

451

Moses, T. et al. (2005). Extensible access control markup

language (xacml) version 2.0. Oasis Standard,

200502.

Ni, Q., Bertino, E., and Lobo, J. (2009). D-algebra for com-

posing access control policy decisions. In Proceedings

of the 4th International Symposium on Information,

Computer, and Communications Security, ASIACCS

’09, pages 298–309, New York, NY, USA. ACM.

Pirretti, M., Traynor, P., McDaniel, P., and Waters, B.

(2010). Secure attribute-based systems. Journal of

Computer Security, 18(5):799–837.

Rao, P., Lin, D., Bertino, E., Li, N., and Lobo, J.

(2011). Fine-grained integration of access control

policies. Computers & Security, 30(23):91 – 107.

¡ce:title¿Special Issue on Access Control Methods and

Technologies¡/ce:title¿.

Waters, B. (2011). Ciphertext-policy attribute-based en-

cryption: An expressive, efﬁcient, and provably se-

cure realization. In Catalano, D., Fazio, N., Gennaro,

R., and Nicolosi, A., editors, Public Key Cryptogra-

phy, volume 6571 of Lecture Notes in Computer Sci-

ence, pages 53–70. Springer.

Xiao, L., Bastani, O., and Yen, I.-L. (2012). An efﬁcient

homomorphic encryption protocol for multi-user sys-

tems. IACR Cryptology ePrint Archive, 2012:193.

SECRYPT2013-InternationalConferenceonSecurityandCryptography

452