We construct the first decentralized multi-authority attribute-based encryption (𝖬𝖠-𝖠𝖡𝖤) scheme
for a non-trivial class of access policies whose security is based (in the random oracle model) solely on
the Learning With Errors (LWE) assumption. The supported access policies are ones described by 𝖣𝖭𝖥
formulas. All previous constructions of 𝖬𝖠-𝖠𝖡𝖤 schemes supporting any non-trivial class of access policies
were proven secure (in the random oracle model) assuming various assumptions on bilinear maps.
In our system, any party can become an authority and there is no requirement for any global coordination other than the creation of an initial set of common reference parameters. A party can simply
act as a standard ABE authority by creating a public key and issuing private keys to different users that
reflect their attributes. A user can encrypt data in terms of any 𝖣𝖭𝖥 formulas over attributes issued
from any chosen set of authorities. Finally, our system does not require any central authority. In terms
of efficiency, when instantiating the scheme with a global bound 𝑠 on the size of access policies, the sizes
of public keys, secret keys, and ciphertexts, all grow with 𝑠.
Technically, we develop new tools for building ciphertext-policy ABE (𝖢𝖯-𝖠𝖡𝖤) schemes using LWE.
Along the way, we construct the first provably secure 𝖢𝖯-𝖠𝖡𝖤 scheme supporting access policies in
𝖭𝖢1
that avoids the generic universal-circuit-based key-policy to ciphertext-policy transformation. In
particular, our construction relies on linear secret sharing schemes with new properties and in some sense
is more similar to 𝖢𝖯-𝖠𝖡𝖤 schemes that rely on bilinear maps. While our 𝖢𝖯-𝖠𝖡𝖤 construction is not
more efficient than existing ones, it is conceptually intriguing and further we show how to extend it to
get the 𝖬𝖠-𝖠𝖡𝖤 scheme described above.
