Cryptanalysis of Boyen’s attribute-based encryption scheme in TCC 2013

Designs, Codes and Cryptography (2022)

Abstract
In TCC 2013, Boyen suggested the first lattice based construction of attribute based encryption (ABE) for the circuit class NC_1. Unfortunately, soon after, a flaw was found in the security proof of the scheme. However, it remained unclear whether the scheme is actually insecure, and if so, whether it can be repaired. Meanwhile, the construction has been heavily cited and continues to be extensively studied due to its technical novelty. In particular, this is the first lattice based ABE which uses linear secret sharing schemes (LSSS) as a crucial tool to enforce access control. In this work, we show that the scheme is in fact insecure, if the scheme is instantiated by the linear secret sharing scheme specified in the paper. To do so, we provide a polynomial-time attack that completely breaks the security of the scheme. We suggest a route to fix the security of the scheme, via the notion of admissible LSSS and instantiate these for the class of DNFs. Subsequent to our work, Datta et al. (Eurocrypt 2021) provided a construction of admissible LSSS for NC_1 and resurrected Boyen’s claimed result.
Keywords
Attribute-based encryption,Lattices,Linear secret sharing scheme,Cryptanalysis