Attribute-Based Encryption for Circuits

<jats:p> In an attribute-based encryption (ABE) scheme, a ciphertext is associated with an ℓ-bit <jats:italic>public index</jats:italic> ind and a message <jats:italic>m</jats:italic> , and a secret key is associated with a Boolean predicate <jats:italic>P</jats:italic> . The secret key allows decrypting the ciphertext and learning <jats:italic>m</jats:italic> if and only if <jats:italic>P</jats:italic> (ind) = 1. Moreover, the scheme should be secure against collusions of users, namely, given secret keys for polynomially many predicates, an adversary learns nothing about the message if none of the secret keys can individually decrypt the ciphertext. </jats:p> <jats:p> We present attribute-based encryption schemes for circuits of any arbitrary polynomial size, where the public parameters and the ciphertext grow linearly with the depth of the circuit. Our construction is secure under the standard learning with errors (LWE) assumption. Previous constructions of attribute-based encryption were for Boolean formulas, captured by the complexity class <jats:italic>NC</jats:italic> <jats:sup>1</jats:sup> . </jats:p> <jats:p> In the course of our construction, we present a new framework for constructing ABE schemes. As a by-product of our framework, we obtain ABE schemes for polynomial-size branching programs, corresponding to the complexity class <jats:italic>LOGSPACE</jats:italic> , under quantitatively better assumptions. </jats:p>