Cryptanalysis of Boyen’s attribute-based encryption scheme in TCC 2013
Designs, Codes and Cryptography (IF 1.4), Pub Date: 2022-07-24, DOI: 10.1007/s10623-022-01076-6
Shweta Agrawal, Rajarshi Biswas, Ryo Nishimaki, Keita Xagawa, Xiang Xie, Shota Yamada

In TCC 2013, Boyen suggested the first lattice-based construction of attribute-based encryption (\(\mathsf{ABE}\)) for the circuit class \(\mathsf{NC}_1\). Unfortunately, soon after, a flaw was found in the security proof of the scheme. However, it remained unclear whether the scheme is actually insecure, and if so, whether it can be repaired. Meanwhile, the construction has been heavily cited and continues to be extensively studied due to its technical novelty. In particular, this is the first lattice-based \(\mathsf{ABE}\) which uses linear secret sharing schemes (LSSS) as a crucial tool to enforce access control. In this work, we show that the scheme is in fact insecure, if the scheme is instantiated by the linear secret sharing scheme specified in the paper. To do so, we provide a polynomial-time attack that completely breaks the security of the scheme. We suggest a route to fix the security of the scheme, via the notion of admissible LSSS and instantiate these for the class of DNFs. Subsequent to our work, Datta et al. (Eurocrypt 2021) provided a construction of admissible \(\mathsf{LSSS}\) for \(\mathsf{NC}_1\) and resurrected Boyen’s claimed result.




Updated: 2022-07-25