7 Attribute-Based Encryption
Romain GAY
IBM Research Zurich, Switzerland
7.1. Introduction
In this chapter, we present encryption schemes with fine-grained access to the encrypted plaintext, as opposed to the all-or-nothing access achieved by traditional public-key encryption schemes. These are referred to as attribute-based encryption (ABE) schemes. Namely, in an ABE scheme, the setup generates a public key and a so-called master secret key. The public key can be used by anyone to encrypt a plaintext associated with an access policy, which can be represented, for instance, as a Boolean formula. There is an additional algorithm that, given as input the master secret key and an attribute, generates a user secret key (for that specific attribute). Decryption takes a ciphertext and a user secret key, and succeeds in recovering the plaintext if and only if the attribute of the user secret key satisfies the formula embedded in the ciphertext. If an adversary gets hold of some user secret keys, none of which is supposed to decrypt, then the confidentiality of the encrypted plaintext is preserved.
We present here ABE schemes from pairing groups (which are described at length in Chapter 5). We follow a modular approach, where the ABE is obtained starting with a simple statistical primitive called predicate encoding that only satisfies a weak notion of security (only secure when one user secret key is corrupted), which is then generically transformed into a secret-key ABE, that is, an ABE ...