Publications

We construct distributed broadcast encryption and registered attribute-based encryption (ABE) that support an arbitrary polynomial of users from the succinct LWE assumption. Specifically, if we take \( \lambda \) to be the security parameter and \( N \) to be the number of users, we obtain the following:

• We obtain a distributed broadcast encryption scheme where the size of the public parameters, user public/secret keys, and ciphertexts are optimal (i.e., have size \( \mathsf{poly}(\lambda, \log N) \)). Security relies on the \( \mathsf{poly}(\lambda, \log N) \)-succinct LWE assumption. Previously, this was only known from indistinguishability obfuscation or witness encryption. All constructions that did not rely on these general tools could only support an a priori bounded number of users.

• We obtain a key-policy registered ABE scheme that supports arbitrary bounded-depth Boolean circuit policies from the \( \mathsf{poly}(\lambda, d, \log N) \)-succinct LWE assumption in the random oracle model, where \( d \) is the depth of the circuit computing the policy. The public parameters, user public/secret keys, and ciphertexts have size \( \mathsf{poly}(\lambda, d, \log N) \), which are optimal up to the \( \mathsf{poly}(d) \) factor. This is the first registered ABE scheme with nearly-optimal parameters. All previous schemes (including constructions based on indistinguishability obfuscation, witness encryption, or evasive LWE) either have ciphertexts that scale with the policy size and attribute length, or can only support a bounded number of users (with long public parameters and public keys that scale with the number of users).