The present invention relates generally to encryption, and more particularly to outsourcing the decryption of functional encryption ciphertexts.
Encryption has typically been implemented as a method for one user to encrypt data to another specific user (target recipient), such that only the target recipient can decrypt and read the message. In many applications, a more advantageous method is to encrypt data according to some policy, as opposed to a specified set of target recipients. In practice, however, implementing policy-based encryption on top of a traditional public key mechanism poses a number of difficulties. A user encrypting data, for example, will need a mechanism to look up all parties that have access credentials or attributes that match his set of target recipients. If a party's credentials themselves are restricted (for example, the set of users with special authorizations), the look-up mechanism itself can be difficult to implement. Problems also arise if a party gains credentials after data has been encrypted and stored.
Attribute-based encryption (ABE) for public key encryption allows users to encrypt and decrypt messages based on user attributes. A user, for example, can create a ciphertext that can be decrypted only by other users with attributes satisfying (“Faculty” OR (“PhD Student” AND “Qualifying Exams Completed”)). Because of the expressiveness of ABE, ABE is currently being considered for many cloud storage and computing applications. A disadvantage of ABE, however, is its efficiency: the size of the ciphertext and the time required to decrypt it grows with the complexity of the access formula. Attribute-based encryption is one example of a functional encryption system, which more generally supports restricted secret keys that enable a key holder to learn a specific function of the encrypted data and nothing else.