Attribute-based Encryption (ABE)
IEEE Press
445 Hoes Lane
Piscataway, NJ 08854

IEEE Press Editorial Board

Sarah Spurgeon, Editor in Chief

Jón Atli Benediktsson, Behzad Razavi, Jeffrey Reed,
Anjan Bose, Jim Lyke, Diomidis Spinellis,
James Duncan, Hai Li, Adam Drobot,
Amin Moeness, Brian Johnson, Tom Robertazzi,
Desineni Subbaram Naidu, Ahmet Murat Tekalp
Attribute-based Encryption (ABE)

Foundations and Applications within Blockchain and Cloud Environments

Qi Xia
University of Electronic Science and Technology of China, China

Jianbin Gao
University of Electronic Science and Technology of China, China

Isaac Amankona Obiri
University of Electronic Science and Technology of China, China

Kwame Omono Asamoah
University of Electronic Science and Technology of China, China

Daniel Adu Worae
University of Electronic Science and Technology of China, China

Copyright © 2024 by The Institute of Electrical and Electronics Engineers, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.


Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section
107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or
authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222
Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com.
Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons,
Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or
its affiliates in the United States and other countries and may not be used without written permission. All other
trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product
or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing
this book, they make no representations or warranties with respect to the accuracy or completeness of the contents
of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose.
No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies
contained herein may not be suitable for your situation. You should consult with a professional where appropriate.
Further, readers should be aware that websites listed in this work may have changed or disappeared between when
this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or
any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer
Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317)
572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be
available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data

Names: Gao, Jianbin, author.


Title: Attribute-based encryption (ABE) : foundations and applications
within blockchain and cloud environments / Jianbin Gao [and four
others].
Description: Hoboken, New Jersey : Wiley-IEEE Press, [2024] | Includes
index.
Identifiers: LCCN 2023036768 (print) | LCCN 2023036769 (ebook) | ISBN
9781119989356 (cloth) | ISBN 9781119989363 (adobe pdf) | ISBN
9781119989370 (epub)
Subjects: LCSH: Public key cryptography. | Blockchains (Databases)
Classification: LCC TK5102.94 .G365 2024 (print) | LCC TK5102.94 (ebook)
| DDC 005.8/24–dc23/eng/20230824
LC record available at https://lccn.loc.gov/2023036768
LC ebook record available at https://lccn.loc.gov/2023036769

Cover design: Wiley


Cover image: © Blackboard/Shutterstock

Set in 9.5/12.5pt STIXTwoText by Straive, Chennai, India


Contents

About the Authors
Preface
Acknowledgments

Part I Attribute-Based Encryption (ABE)

1 Foundation of Attribute-Based Encryption
1.1 Introduction
1.1.1 Symmetric Encryption
1.1.2 Asymmetric Key Encryption
1.1.3 Identity-Based Encryption
1.2 Functional Encryption
1.2.1 Applications of Attribute-Based Encryption
1.2.2 Problems with Attribute-Based Encryption
1.2.3 A Brief History of Security Proof of Functional Encryption
1.2.4 Dual System of Encryption
1.2.5 Summary
References

2 Mathematical Background
2.1 Group Theory
2.1.1 Law of Composition
2.1.2 Groups
2.1.3 Subgroups
2.1.4 Homomorphisms
2.1.5 Cyclic Group
2.2 Ring Theory
2.2.1 Ideals and Quotient Rings
2.2.2 Euler’s Totient Function
2.2.3 Polynomial Rings
2.2.4 Irreducible and Monic Polynomials
2.2.5 Field Theory
2.2.5.1 Quotient Field
2.2.6 Field Characteristic
2.2.7 Algebraic Extension Fields
2.3 Elliptic Curves
2.3.1 Plane Curve
2.3.2 Group Operations on Elliptic Curves
2.3.2.1 Point Addition
2.3.2.2 Point Doubling
2.4 Divisors and Bilinear Map
2.4.1 Divisors
2.4.2 The Degree and Support of D
2.4.3 The Divisor of a Function f on E
2.4.4 Equivalence of Divisors
2.4.5 Bilinear Map
2.4.6 Weil Pairing
2.4.7 Miller’s Algorithm
2.4.8 The Tate Pairing
2.5 Summary
References

3 Attribute-Based Encryption
3.1 Introduction
3.2 Basic Components of ABE Construction
3.2.1 Secret-Sharing Schemes
3.2.2 Polynomial Interpolation
3.2.2.1 Polynomials Over the Reals
3.2.2.2 Polynomials Modulus P
3.2.3 Shamir Secret Sharing
3.2.4 Verifiable Secret Sharing (VSS)
3.2.4.1 Algorithm for Converting Access Structure Into LSSS Matrix
3.2.4.2 Access Structure Example
3.2.4.3 Algorithms in Attribute-Based Encryption
3.2.5 Properties of Attribute-Based Encryption
3.2.6 Prime Order Group
3.3 Cryptographic Hard Assumptions
3.3.1 Composite Order Bilinear Groups
3.3.2 Complexity Assumptions
3.4 Provable Security
3.5 Security Notions
3.5.1 Summary
References

4 Data Access Control
4.1 Introduction
4.1.1 Coarse-Grained
4.1.2 Fine-Grained Access Control
4.1.3 Importance of Fine-Grained Access Control
4.2 Concerns About Cloud-Based Access Control that Are Trustworthy
4.2.1 Encryption Access Control
4.2.2 Requirements for Encryption-Based Access Control
4.3 Summary
References

5 Selective Secure ABE Schemes Based on Prime Order Group
5.1 Introduction
5.1.1 Selective Security Model for KP-ABE
5.1.2 Selective Security Model for CP-ABE
5.1.3 ABE Schemes
5.2 The KP-ABE Scheme
5.2.1 Concrete Scheme Construction
5.2.2 Security Proof
5.3 The CP-ABE Scheme
5.3.1 Concrete Scheme Construction
5.3.2 Security Proof
5.4 Summary
References

6 Fully Secure ABE Schemes Based on Composite and Prime Order Groups
6.1 Introduction
6.2 A Fully Secure CP-ABE from Composite Order Group
6.2.1 CP-ABE Construction
6.2.2 Adaptive Security Proof
6.2.2.1 Description of Hybrids
6.2.3 Security Proof
6.3 A Fully Secure KP-ABE Scheme Based on Dual Vector Space
6.3.1 KP-ABE Construction
6.3.2 Adaptive Security
6.3.3 Security Proof
6.4 KP-ABE Scheme Based on Matrix
6.4.1 The Scheme
6.4.2 Adaptive Security
6.4.3 Security Proof
6.5 Summary
References

Part II Concepts of Blockchain Technology

7 Blockchain Technology
7.1 Introduction
7.1.1 History
7.1.2 Preliminary Concepts of Blockchain Technology
7.1.3 Characteristics of Blockchain
7.1.4 Evolution and Types of Blockchain
7.1.4.1 The Blockchain 1.0
7.1.4.2 Blockchain 2.0
7.1.4.3 Blockchain 3.0
7.1.5 Permissionless vs Permissioned Blockchains
7.1.6 Types of Blockchain
7.2 Architecture of Blockchain
7.2.1 Architecture of Blockchain 1.0 (Cryptocurrencies)
7.2.2 Block
7.2.3 Node
7.2.4 Types of Blockchain Nodes
7.2.5 Consensus
7.3 Architecture of Blockchain 2.0 (Smart Contracts)
7.3.1 Introduction to Smart Contracts
7.3.2 How Smart Contracts Work
7.3.3 Example of Smart Contract
7.3.4 Uses of Smart Contracts
7.3.5 Advantages of Smart Contracts
7.3.6 Limitations of Smart Contracts
7.4 Architecture of Blockchain 3.0 (Blockchain Applications)
7.4.1 Consensus Mechanism
7.5 Blockchain 4.0
7.5.1 Blockchain 4.0 Applications
7.5.2 Metaverse
7.5.3 Industrial Revolution 4.0
7.5.4 Blockchain 4.0 for Businesses
References

8 Scaling-Out Blockchains with Sharding
8.1 Introduction
8.1.1 Scalability Trilemma
8.1.2 Nakamoto-Based – Monoxide – Chu-ko-nu Mining
8.1.3 Elastico
8.1.4 OmniLedger
8.1.5 Rapid Chain
8.1.6 Learnings
8.1.7 General Improvements
8.1.7.1 Reducing Transaction Latency
8.1.7.2 Inter-Communication Protocol
8.1.7.3 Shards Ledger Pruning
8.1.7.4 Decentralized Bootstrapping
8.1.7.5 Securing the Epoch Reconfiguration
8.1.7.6 Sharded Smart Contract
8.1.7.7 Replay Attacks and Defenses Against Cross-Shard Protocols
8.2 Off-Chain Solution: Layer 2 Solutions
8.2.1 State Channels
8.2.2 Side Chains of the Plasma
8.2.3 Problems with Data Accessibility
8.3 Rollups
8.3.1 Rollups Based on Zero Knowledge
8.3.2 Proofs of Zero-Knowledge
8.3.3 Protocol Schnorr
8.3.4 Protocol Pedersen
8.3.5 zk-SNARKs
8.4 Summary
References

Part III Applying Blockchain with Real-Time Technologies

9 Blockchain Technology for Supply Management
9.1 Introduction
9.1.1 System Design
9.1.2 System Architecture
9.1.3 Entities of the System
9.1.3.1 Users
9.1.4 Smart Contract Control
9.1.5 Blockchain Network
9.1.5.1 Processing Nodes
9.1.5.2 System Application Layer
9.1.5.3 Storage Infrastructure
9.1.6 System Decryption
9.1.7 Blocks
9.1.7.1 Block Design
9.2 System Flow
9.2.1 System Advantages
9.2.2 Conclusion
References

10 Satellite Communication
10.1 Introduction
10.1.1 Low-Orbit Constellation Communication Networks
10.1.2 Interstellar Link Length
10.1.3 Model of Satellite Motion
10.1.4 Edge Computing Technologies
10.2 Analysis of Edge Computing Requirements of Low-Orbit Constellation Communication Networks
10.2.1 Design of Edge Computing Architecture for Low-Orbit Constellation Communication Networks
10.2.2 Satellite
10.2.3 System Entities
10.2.4 System Process Flow
10.2.5 Security Properties
10.3 Summary
References

11 Foundation of Information-Centric Communication
11.1 Introduction
11.2 Information-Centric Communication
11.3 Name-Based Routing of Content
11.4 Benefits of Using ICN
11.5 Cost-Efficient and Scalable Distribution of Content Design Principles
11.6 ICN Design Challenges
11.6.1 Content Naming
11.6.2 Caching of Content
11.6.3 Data Integrity
11.6.4 Resolution System’s Scalability and Name-Based Routing
References

12 Security Overall in Information-Centric Networks
12.1 Introduction
12.2 Content-Centric Network (CCN) Architecture
12.3 Naming System Design
12.4 Secure Naming Scheme for Information-Centric Networks
12.5 Data Transmission – Content Delivery
12.6 Traffic Load in Network Caching
12.6.1 Store Unique Naming of Content in Caches
12.6.2 Storage Limitation in Caching Space Devices
12.7 Content’s Freshness Detection
12.8 ICN Security
12.9 Attacks in ICN Architectures
12.10 ICN Attributes to Ensure Security Threats
12.11 Traffic Analysis and Prediction
12.12 Some Key Problem Statements
12.13 Blockchain-Based ICN Scheme Improvement
12.13.1 Protection Against DDoS
12.14 A Secured Information-Centric Network Based on Blockchain
12.14.1 Blockchain-Based ICN Structure
12.14.1.1 Data Integrity
12.15 Attribute-Based Encryption Scheme for the Information-Centric Network
12.15.1 Applying Ciphertext-Policy ABE (CP-ABE) Scheme in ICN
12.15.2 System Design of CP-ABE Scheme in ICN
References

13 Subscriber Data Management System Based on Blockchain
13.1 Introduction
13.1.1 Motivation
13.1.2 Problem Statement
13.1.3 Contributions
13.2 Literature Review
13.3 System Design Description
13.3.1 Assumptions
13.3.2 Ciphertext-Policy Attribute-Based Encryption (CP-ABE)
13.3.3 CP-ABE Construction
13.3.4 System Components
13.3.4.1 Data Subscribers (DSs)
13.3.4.2 Data Providers (DPs)
13.3.4.3 Key Generation and Distribution Center (KGDC)
13.3.4.4 IPFS Distributed Storage
13.3.4.5 Blockchain Platform
13.3.5 Process Description
13.3.5.1 Subscriber Registration
13.3.5.2 Subscriber Data Storage
13.3.5.3 Subscriber Data Request
13.3.6 Benefits of Proposed Design
13.3.7 Security Requirements
13.4 Summary
References

14 A Secure Data-Sharing Blockchain-Based Crowdfunding System
14.1 Introduction
14.2 Literature Review
14.2.1 Present-Day Centralized Crowdfunding
14.2.2 Crowdfunding Models
14.2.3 Problems of Traditional Crowdfunding
14.2.4 Blockchain-Based Crowdfunding
14.2.5 Advantages of Blockchain-Based Crowdfunding
14.3 Proposed System
14.3.1 System Model
14.3.1.1 Key Components
14.3.2 System Framework Overview
14.3.2.1 Application Layer
14.3.2.2 Blockchain Layer
14.3.2.3 Data Storage Layer
14.3.3 System Assumptions and Threat Model
14.3.4 Process Description
14.3.5 Smart Contract Interactions
14.3.5.1 User Registration Contract (URC)
14.3.5.2 User Verification Contract (UVC)
14.3.5.3 Project Data Access Contract (PDAC)
14.3.6 Concrete Implementation
14.3.6.1 User Register
14.3.6.2 Data Encrypt
14.3.6.3 Data Search
14.3.6.4 Fine-Grained Access Authorization
14.3.6.5 Data Decrypt
14.3.6.6 Transaction Confirmation
14.3.7 Security Requirements
14.3.7.1 Fine-Grained Access Control
14.3.7.2 Key Counterfeiting
14.3.7.3 Data Integrity
14.4 Summary
References

Index

About the Authors

Qi Xia
Orcid id: 0000-0003-2245-2588
Qi Xia received the BSc, MSc, and PhD degrees in computer science from the University of Electronic Science and Technology of China (UESTC), Chengdu, China, in 2002, 2006, and 2010, respectively. She is a Professor with the UESTC. She is currently the Deputy Director of the Cyberspace Security Research Centre, the Executive Director of the Blockchain Research Institute, the Executive Director of the Big Data Sharing and Security Engineering Laboratory of Sichuan province, and a Chief Scientist with YoueData Company Limited. She serves as the Principal Investigator of the National Key Research and Development Program of China in Cyber Security and has overseen the completion of more than 30 high-profile projects. She was a Visiting Scholar with the University of Pennsylvania (UPenn), Philadelphia, PA, USA, from 2013 to 2014. She has authored or coauthored more than 40 academic papers. Her research interests include network security technology and its application, big data security, and blockchain technology and its application. Dr. Xia won second place at the National Scientific and Technological Progress Awards in 2012. She is a member of the CCF blockchain committee.

Jianbin Gao
Orcid id: 0000-0001-7014-6417
Jianbin Gao received the PhD degree in computer science from the University of Electronic Science and Technology of China (UESTC), Chengdu, China, in 2012. He was a Visiting Scholar with the University of Pennsylvania, Philadelphia, PA, USA, from 2009 to 2011. He is currently an Associate Professor with UESTC.

Isaac Amankona Obiri
Orcid id: 0000-0002-1642-0291
Isaac Amankona Obiri received his Master’s and PhD in Computer Science and Technology from the University of Electronic Science and Technology of China (UESTC), Chengdu, China, in 2022.

Kwame Omono Asamoah
Orcid id: 0000-0001-7361-1986
Kwame Omono Asamoah received a B.Sc. degree in computer science from the Kwame Nkrumah University of Science and Technology, Ghana, in 2014. He continued his academic journey by obtaining his master’s degree in computer science and technology from the University of Electronic Science and Technology of China in 2018. Subsequently, he pursued his doctoral degree in computer science and technology at the University of Electronic Science and Technology of China, successfully completing it in 2022. He is currently a postdoctoral fellow at Zhejiang Normal University, where he actively engages in cutting-edge research. His current research interests encompass a wide range of topics, including blockchain technology, big data security, and educational technology.

Daniel Adu Worae
Orcid id: 0000-0002-6774-2725
Daniel Adu Worae received his BSc degree in Computer Engineering from the Kwame Nkrumah University of Science and Technology, Kumasi, Ghana, in 2020. He is currently pursuing his Master’s degree in Computer Science and Technology at the University of Electronic Science and Technology of China (UESTC). His research interests include blockchain technology and its application, network and information security, cryptography, and computer networks.
Preface

In the last few decades, information and communication technology (ICT) devices and services have become central to our lives, fundamentally changing areas such as health, communication, travel, business, and recreation. Traditional ICT systems share and store sensitive data in untrusted networks. Thus, these sensitive data must be encrypted before being uploaded to a cloud server, and fine-grained access control must be supported when sharing sensitive data.

Since the emphasis is on multi-user data sharing, and the data encryptor does not know the identities of the data users in advance, symmetric encryption, asymmetric encryption, and identity-based encryption are impractical. Attribute-based encryption (ABE) schemes are excellent for multi-user data-sharing scenarios in which the identity of the data users is unknown in advance. ABE employs an access structure based on attributes in either the ciphertext or the secret key, and it is able to provide fine-grained access control with the guarantee that a user can only decrypt a message if they satisfy the constraints imposed by the access structure.

While blockchain technology has just recently become associated with new means of managing financial assets, its possibilities are practically limitless. Blockchain is a particularly promising and revolutionary technology because it reduces risk, eliminates fraud, and provides scalable transparency for a wide range of applications. Therefore, ABE schemes based on blockchain can achieve a great number of advantages, including transparency, accountability, and data immutability.

This book provides guidelines for the current research and future trends in various areas associated with ABE and its integration with blockchain applications in cloud environments, so that researchers have a ready reference. It is expected that researchers and readers will get adequate information on these subjects, and the book will be helpful in their research endeavors. We will look at the basic concepts of ABE, from the background knowledge to specific constructions, theoretic proofs, and applications. We will also look at blockchain technology: the practical aspects of what makes a blockchain, the inherent vulnerabilities of a decentralized network in the real world, the secret key for encryption and decryption, and how to apply blockchain with real-time technologies.

November 2022
Qi Xia, China
Jianbin Gao, China
Isaac Amankona Obiri, Ghana
Daniel Adu Worae, Ghana

Acknowledgments

First, we would like to thank all the contributing authors. Without their work, this book would
not have been possible. Namely, our thanks to Juan Wang, Yunbo Ding, Dr. Edson Tavares, and
Dr. Christian Cobblah. We also thank them for cross-reading one another’s chapters and providing
fruitful feedback that has helped improve each chapter, and thus the book as a whole.
This work was supported by the Basic Strengthening Program (2021-JCJQ-JJ-0463), the scientific
and technological innovation talents of Sichuan Province (2023JDRC0001), the Fundamental
Research Funds for the Central Universities, the National Natural Science Foundation of China
(No. U22B2029), and Shenzhen Research Program (No. JSGG20210802153537009).
Part I

Attribute-Based Encryption (ABE)


1 Foundation of Attribute-Based Encryption

Attribute-based Encryption (ABE): Foundations and Applications within Blockchain and Cloud Environments, First Edition.
Qi Xia, Jianbin Gao, Isaac Amankona Obiri, Kwame Omono Asamoah, and Daniel Adu Worae.
© 2024 The Institute of Electrical and Electronics Engineers, Inc. Published 2024 by John Wiley & Sons, Inc.

1.1 Introduction

What is encryption? Encryption is a key concept in cryptography. To explain the meaning of encryption, let us consider the following scenario without being blown away by the whims of mathematics.

Imagine your friend Bob is organizing a back-alley chess game. Bob does not want anyone to come into his shady gambling den without authorization, so he issues you a pass with the phrase “Knock and wait.” When you knock on the right sleazy door, the bouncer asks for the pass in a genre-savvy baritone. You can get in if you say the right phrase. Otherwise, your entry will be denied, and you will stay outside in the metaphorical rain.

To stretch the analogy, Bob can alter the pass each time he hosts a chess game. Knowing the passphrase for the day, you can share it with one of your acquaintances or some of your friends in the criminal investigation bureau. In cryptography, the pass is referred to as a secret key. When plaintext is combined with a secret key, cryptography offers a black box that converts plaintext to ciphertext. The ciphertext is unreadable junk to those without the right secret key. On the other hand, those with a valid secret key can recover the plaintext from a given ciphertext. The process of transforming plaintext into ciphertext is referred to as encryption. Succinctly put, encryption is the cryptographic mechanism of converting information into a secret code (ciphertext) that conceals the true meaning of the information. When an unauthorized party intercepts ciphertext, the intruder must determine which algorithm and keys were used to encrypt the message. The computational complexity of decoding a ciphertext without a valid secret key is what makes encryption a crucial security tool.

Encryption is a longstanding technique for securing sensitive data. Historically, it was used by governments and militaries. In modern times, encryption is used to secure data stored on computers and storage devices and data in transit across networks. Prior to the advent of public key cryptography, it was widely assumed that for two users to transmit data securely, they would need to establish a mutually held secret key. While this may be acceptable for certain small or close-knit groups, it is infeasible for larger networks, such as the Internet of today, which has billions of users. Diffie and Hellman [1] proposed a novel concept in public key cryptography over thirty years ago, where two parties can securely communicate without sharing a prior mutual secret, dramatically upsetting common knowledge held at the time. Public key encryption is a crucial tool today. It is widely used in developing tools ranging from secure web communication (e.g. secure shell [SSH], secure sockets layer [SSL]) to disk encryption and secure software patch distribution. Before the introduction of functional encryption, there were widely held views that:

1. Encryption is a method of sending a message or data to a single entity with a secret key.
2. Access to encrypted data is all or nothing – one can either decrypt and read the entire plaintext or learn nothing about the plaintext other than its length.

These views determined how ciphertexts and secret keys were computed before functional encryption revised them. Functional encryption enables a data encryptor to encrypt data with a boolean function, such that only a decryptor with the correct private key can recover the plaintext, and only if the boolean function returns true. Before delving into the details of functional encryption and how it is a superior encryption technique, we will explore the earlier encryption techniques.
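The rule described above, where decryption succeeds only when a boolean function over the decryptor's attributes returns true, can be sketched with plain Shamir secret sharing pushed down an AND/OR/threshold tree. This is an added example, not code from the book; the policy, attribute names, and function names are assumptions, and it goes beyond this section. It deliberately omits the per-user key randomization that real ABE schemes use, so the last case shows that two users can pool bare shares.

```python
"""Policy-gated secret recovery: Shamir sharing over a threshold tree (illustrative)."""
import secrets

P = 2**127 - 1  # Mersenne prime; all share arithmetic is done modulo P


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial [a0, a1, ...] at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(node, secret, path=()):
    """Split `secret` down the policy tree; returns {leaf_path: (attribute, share)}.

    A node is an attribute string (leaf) or a tuple (k, [children]) meaning
    "any k of these children": AND is k == len(children), OR is k == 1.
    """
    if isinstance(node, str):
        return {path: (node, secret)}
    k, children = node
    if not 1 <= k <= len(children):
        raise ValueError("threshold out of range")
    # Random polynomial q of degree k-1 with q(0) = secret; child i receives q(i).
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    out = {}
    for i, child in enumerate(children, start=1):
        out.update(share(child, _eval_poly(coeffs, i), path + (i,)))
    return out


def recover(node, leaf_shares, attrs, path=()):
    """Rebuild the secret at `node` using only leaves whose attribute is in `attrs`.

    Returns None when the attribute set does not satisfy this subtree.
    """
    if isinstance(node, str):
        return leaf_shares[path][1] if node in attrs else None
    k, children = node
    points = []
    for i, child in enumerate(children, start=1):
        val = recover(child, leaf_shares, attrs, path + (i,))
        if val is not None:
            points.append((i, val))
        if len(points) == k:
            break
    if len(points) < k:
        return None
    # Lagrange interpolation of q at x = 0 from k points.
    secret = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


# Constructed sample policy: (doctor AND cardiology) OR auditor
POLICY = (1, [(2, ["doctor", "cardiology"]), "auditor"])


def demo():
    """Return, per constructed user, whether the data key can be rebuilt."""
    key = secrets.randbelow(P)  # stands in for the key that encrypts the data
    shares = share(POLICY, key)
    users = {
        "cardiologist": {"doctor", "cardiology"},
        "auditor": {"auditor"},
        "gp": {"doctor"},
        "cardiology_nurse": {"nurse", "cardiology"},
    }
    result = {n: recover(POLICY, shares, a) == key for n, a in users.items()}
    # Neither user below satisfies the policy alone, but their pooled shares do.
    # Real ABE binds key components to per-user randomness to prevent this.
    pooled = users["gp"] | users["cardiology_nurse"]
    result["gp+nurse pooled"] = recover(POLICY, shares, pooled) == key
    return result


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} recovers key: {ok}")
```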

1.1.1 Symmetric Encryption


Data can be encrypted with symmetric key encryption mechanisms. The symmetric key encryption algorithm uses only one secret key, referred to as a session key, to encipher and decipher information [2]. As seen in Figure 1.1, one secret key is required to cipher and decipher information in symmetric encryption. A key can be a number, a word, or a random sequence of letters. The key is used to scramble the plaintext of a message into unreadable content (ciphertext) and to recover the content. Therefore, the session key must be shared between the sender and recipient before it can be used in the encryption method. Symmetric encryption algorithms include advanced encryption standard (AES), RC4, data encryption standard (DES), RC5, and RC6. Encryption schemes like AES-128, AES-192, and AES-256 are the most extensively used symmetric algorithms.

The inherent problem with symmetric encryption is that a session key must be exchanged between the data owner and data users before a symmetric key encryption algorithm can be used [3]. However, in multi-user data sharing systems it is impossible to know every potential data user in advance in order to share data with them. Even if the data owner does know them, it has to encrypt the data repeatedly, once with each session key shared with the multiple data users in the system. There are as many as n(n − 1)/2 pairwise keys to be managed in an extensive network of n users. Consequently, key management will undoubtedly involve high storage overhead.

Figure 1.1 Symmetric encryption. [Diagram: Alice's plaintext → encryption (secret key) → ciphertext → decryption (secret key) → Bob's plaintext.]

1.1.2 Asymmetric Key Encryption

Symmetric encryption has existed for a very long time, whereas asymmetric encryption is very recent. For data encryption and decryption, asymmetric encryption requires two keys, namely public and private keys. The public keys are used for data encryption, whereas the private keys are required for data decryption. Asymmetric encryption enables parties to preserve sensitive information in an encrypted format on a public network, such as the Internet, without exchanging a session key in advance. Asymmetric encryption ensures that only the authorized recipient with the proper private key can decipher the encrypted messages. The use of two related keys in asymmetric encryption increases security, as only the holder of the private key can decipher the message. Anyone can send a message to any user using their public key, which is accessible to the public.

Figure 1.2 Asymmetric encryption. [Diagram: Alice's plaintext → encryption (Bob's public key) → ciphertext → decryption (Bob's private key) → Bob's plaintext.]

As illustrated in Figure 1.2, the public key and private key are utilized to encrypt and decrypt a message, respectively. There is no need to protect the public keys because they are accessible to the whole public. However, the private key must be kept secret such that only the end user knows it; otherwise, any entity with knowledge of the private key can decrypt any communication encrypted with the corresponding public key. Using an asymmetric key for communication is substantially more secure than a symmetric key. Well-known asymmetric key encryption methods include ElGamal and Rivest–Shamir–Adleman (RSA).

To prevent man-in-the-middle attacks, asymmetric encryption relies on the public key infrastructure to associate a user’s public key with a certificate. This certificate is “signed” by the Certificate Authority (CA), the digital equivalent of a notary. It is evident that the CA plays a significant role in the public key infrastructure (PKI) model, since this approach is founded on the premise that the CA is true, trustworthy, and legitimate. Therefore, a hacker who takes control of a CA can use it to generate fake certificates and impersonate any public key.

Over the years, there have been repeated breaches of CA firms, including DigiNotar, GlobalSign, Comodo, and Digicert Malaysia. These attacks were a direct result of the commoditization of certificates, in which smaller, less qualified businesses have gained a larger proportion of the market for certificate authorities.

Asymmetric key encryption schemes also have some drawbacks similar to symmetric key encryption schemes. For example, the data owner must obtain each data user’s public key, encrypt the data multiple times, and store multiple copies of the data in the cloud.

1.1.3 Identity-Based Encryption


Figure 1.3 Identity-based encryption. [Diagram: Alice encrypts the plaintext with Bob's identity (bob@gmail.com); Bob decrypts the ciphertext with Bob’s private key.]

Imagine a corporate email system in which the employees send encrypted communications. Alice
discovers Bob’s public key, writes a message, encrypts it in an email, and sends the email to Bob.
However, Bob wrote his private key in his notebook, which he left at an airport. Or maybe Bob’s
private key was stored on his phone, and one of his children dropped it in the drain. Now that Bob has
a new phone, he tries to read all of Alice’s emails and discovers that he cannot. Without the private
key, none of the emails can be read. As with a physical lock and key, when the only key to a lock
is lost, the entire lock must be replaced. Digital cryptosystems are no different;
public and private keys are generated as a pair, and it is impossible to generate one from the
other, just as it is impossible to construct a key from a lock. Bob must therefore generate a new pair
of public and private keys, upload the new public key to the corporate directory, and inform everyone
that the previous public key is no longer valid. As shown in Figure 1.3, if Alice does not detect
this change, she will continue to send Bob encrypted emails using his previous public key, and Bob
will continue to be unable to read them. It turns out that this is a widespread issue in cryptography
systems – individuals are lousy at managing keys. In 1984, a cryptographer named Adi Shamir [4]
came up with a brilliant concept: what if the firm itself managed the keys? He believed that the
entire concept of public keys was excessively onerous and wished that individuals would use something
more memorable: their identities (like a name or email). To send an email to Bob, simply use
bob@email.com as the recipient’s public key. This concept is known as Identity-Based Encryption.
In 2001, Dan Boneh and Matt Franklin [5] developed a system that is currently regarded as
the most viable implementation of identity-based encryption to date. Identity-based encryption
permits anyone within an organization to encrypt text using the identity of another user.
Identity-based encryption (IBE) altered the conventional notion of public-key cryptography by
enabling the public key to be any string, such as the recipient’s email address. This means that a
sender with access to the system’s public parameters can encrypt a message using, for instance, the
text-value of the recipient’s name or email address as the key. The Private Key Generator (PKG)
provides the decryption key to the recipient. In order to function, the PKG first publishes a master
public key and stores the associated master private key (referred to as the master key). Given the
master public key, any party can derive the identity’s public key by combining the master public key
with the identity value. The person authorized to use the identity ID contacts the PKG to receive
their corresponding private key, which is created using the master private key.
Consequently, parties can encrypt messages (or check signatures) without exchanging keys
beforehand. This is especially beneficial in situations when pre-distribution of authenticated keys
is impractical or impossible owing to technological limitations. However, an IBE system has the same
drawbacks as symmetric and asymmetric key encryption schemes, which makes it impractical
for application in scenarios involving numerous users, particularly when the data owner is aware
of the identities of all potential data users in advance. Also, if a Private Key Generator (PKG) is
compromised, all communications protected for the lifespan of the public–private key pair utilized
by that server are compromised as well. This makes the PKG an extremely desirable target for
attackers. To reduce the risk posed by a hacked server, the master private–public key pair could
be replaced with a new key pair that is independent. Nonetheless, this creates a key-management
issue in which all users must possess the most recent public key for the server.

1.2 Functional Encryption

We will now describe a scenario to vividly highlight the challenges associated with data sharing
and the need for functional data encryption. We consider data sharing among multiple entities.
The entities in the data scenarios comprise the following:

1. Data owner: This entity is the custodian of data that he/she would like to share with other
people. He/she might have generated the data him or herself or has acquired the data from data
producers such as IoT devices. The data owner can be a single entity, such as a patient, who
wants to share their PHRs with a medical doctor for disease diagnosis and treatment, or a large
organization, such as a hospital, which intends to share a medical record with a team of doctors
in order to find an antidote to a disease outbreak. The data this entity is sharing is sensitive; it
is usually encrypted offline before the data is outsourced to the cloud server.
2. Data users: The data users’ domain is made up of all the authorized recipients of the data as
defined by the data owner. The users not only comprise people but devices as well. They access
the outsourced data through the cryptographic service provider (CSP).
3. Cloud service provider: This entity specializes in data sharing and storage. It stores the
owner’s encrypted data, which is received through a secure communication connection. It is
a semi-trusted entity since it is considered that it will offer its services successfully, but it may
attempt to read data.

Here, we consider a hypothetical data sharing between a patient and medical doctors. The
patient is the data owner, while the medical doctors are the data users. Let’s suppose a patient
known as Bob is suffering from a rare disease known as “Achalasia,” and he wants to share his
Personal Health Records (PHRs) with a specialized doctor in rare disease treatment who can
provide medical service to him. In this scenario, Bob does not know beforehand who is actually
available to provide the medical care he needs. Since PHRs are sensitive, Bob wants only medical
doctors with certain credentials to access his data. So, Bob may encrypt the data over attributes
such as (“medical doctor,” “rare disease,” and “City A”). Attribute-based encryption (ABE) allows
only doctors in City A who specialize in rare diseases and are in close proximity to Bob’s location
to access his PHRs. The scenario of multiple users sharing data is depicted in Figure 1.4.
Figure 1.4 Multiple users data sharing scenario. [Diagram: the patient (data owner) encrypts data over the attributes medical doctor, rare disease, and city A; the cloud service provider holds the encrypted data for the medical doctors (data users), Doctor 1 to Doctor N.]

Traditionally, this kind of expressive access control has been enforced by a trusted server [6].
The server is entrusted with acting as a reference monitor, ensuring that a user has the proper
certification before granting access to records or files. On the other hand, cloud servers are
progressively storing data in a distributed manner over multiple cloud partners. Data replication
across multiple locations has reliability and performance benefits. However, using multiple cloud
data storage services has a high probability of one of the servers being compromised to expose the
outsourced data. Hence, we would require the storage of sensitive data in encrypted form, so that
the data remains private even if one of the hosting servers is compromised.
The idea of users having access to different segments of a ciphertext depending on the scope
of access privileges was not considered in the domain of public key cryptography. However, with
the emergence of “cloud” applications due to the improvement of computer networks and computing
power, the concepts of public key encryption became wholly insufficient. For example, in
many cases, a decryption policy must be specified in the ciphertext, and only those who meet the
policy can decrypt. Depending on the decryptor’s authority, we might only wish to grant access to a
function of the plaintext. Consider a cloud service that stores encrypted photographs as a concrete
example. An attacker might try to break into the cloud server to gain access to photographs with a
specific face to extort money. As a result, the cloud requires a password-protected secret key that
decrypts the target face’s photographs but does not divulge any information about other images.
More generally, the secret key may only expose a function of the plaintext image, such as a blurred
image with the exception of the target face. Such tasks are incompatible with traditional public-key
cryptography.
Functional encryption provides a new perspective of public key cryptosystems that offer an
excellent balance of flexibility, efficiency, and security. A functional encryption scheme associates
ciphertexts with descriptive values x, secret keys with descriptive values y, and a function f(x, y),
that defines what a user with a key for value y should learn from a ciphertext with value x.
Attribute-based encryption (ABE), first presented by Sahai and Waters in [7], is a well-known
form of functional encryption in which the ciphertext and secret key are determined by an access
structure specified over attributes and subsets of attributes. A key can decrypt ciphertexts if the
associated set of attributes meets the related access policy. ABE schemes are classified into two
types: Ciphertext-Policy ABE (CP-ABE), in which access policies are embedded in ciphertexts and
keys are associated with sets of attributes, and Key-Policy ABE (KP-ABE), which is the inverse of
CP-ABE in which keys are associated with access policies and ciphertexts are associated with sets
of attributes.
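
The access-structure idea above, and Bob's policy over ("medical doctor," "rare disease," "City A") from the earlier scenario, can be made concrete with the Shamir-style threshold sharing that access-tree ABE constructions place under the policy. This is an added example, not code from the book: the field prime, the helper names and the "gastroenterology" and "City B" attributes are assumptions, and no pairing-based encryption or per-user key randomization is implemented, so this layer on its own is not collusion resistant.

```python
import secrets

# Field for the shares. 2**127 - 1 is prime; a real ABE scheme would use the
# order of its pairing group instead (assumption of this sketch).
P = 2**127 - 1


def leaf(attribute):
    return ("leaf", attribute)


def gate(k, *children):
    """k-of-n threshold gate: AND is n-of-n, OR is 1-of-n."""
    if not 1 <= k <= len(children):
        raise ValueError("threshold must be between 1 and the number of children")
    return ("gate", k, children)


def AND(*children):
    return gate(len(children), *children)


def OR(*children):
    return gate(1, *children)


def share(node, secret, path=()):
    """Split `secret` down the policy tree; returns {leaf path: share}."""
    if node[0] == "leaf":
        return {path: secret % P}
    _, k, children = node
    # Random polynomial q of degree k-1 with q(0) = secret; child i gets q(i).
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = {}
    for i, child in enumerate(children, start=1):
        q_i = sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
        shares.update(share(child, q_i, path + (i,)))
    return shares


def interpolate_at_zero(points):
    """Lagrange interpolation of q(0) from k points (x, q(x)) over GF(P)."""
    total = 0
    for xj, yj in points:
        num, den = 1, 1
        for xm, _ in points:
            if xm != xj:
                num = num * xm % P
                den = den * (xm - xj) % P
        total = (total + yj * num * pow(den, -1, P)) % P  # needs Python 3.8+
    return total


def reconstruct(node, shares, attributes, path=()):
    """Return the shared secret if `attributes` satisfy the policy, else None."""
    if node[0] == "leaf":
        return shares[path] if node[1] in attributes else None
    _, k, children = node
    points = []
    for i, child in enumerate(children, start=1):
        value = reconstruct(child, shares, attributes, path + (i,))
        if value is not None:
            points.append((i, value))
        if len(points) == k:  # k satisfied children are enough for this gate
            return interpolate_at_zero(points)
    return None


# Bob's policy from the text, plus a constructed variant with a 2-of-3 gate.
BOB_POLICY = AND(leaf("medical doctor"), leaf("rare disease"), leaf("City A"))
RELAXED_POLICY = AND(
    leaf("medical doctor"),
    gate(2, leaf("rare disease"), leaf("City A"), leaf("gastroenterology")),
)


def can_decrypt(policy, attributes, secret=None):
    """Share a fresh secret under `policy` and try to recover it with `attributes`."""
    secret = secrets.randbelow(P) if secret is None else secret
    return reconstruct(policy, share(policy, secret), set(attributes)) == secret


if __name__ == "__main__":
    print(can_decrypt(BOB_POLICY, ["medical doctor", "rare disease", "City A"]))
    print(can_decrypt(BOB_POLICY, ["medical doctor", "rare disease", "City B"]))
    print(can_decrypt(RELAXED_POLICY, ["medical doctor", "City A", "gastroenterology"]))
```

The amount of interpolation work grows with the number of leaves and gates in the policy, which is the secret-sharing side of the attribute-count cost discussed for ABE decryption.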
This section will explain techniques for developing provably secure functional encryption
systems. We will concentrate on ABE schemes as an application. We will provide background
information on the history of functional encryption and prior work in this field before presenting
the summary.

1.2.1 Applications of Attribute-Based Encryption


ABE is beneficial in a range of applications. It can be used to enable fine-grained access control
in public cloud computing while sharing encrypted data. Also, it can be used in the encryption
of log data. Instead of encrypting each chunk of a log with all of the recipients’ keys, the log can
be encrypted selectively with attributes that match the recipients’ attributes. The ABE primitive
can be used for broadcast encryption to reduce the high cost of key management overhead. In
vector-driven search engine interfaces, ABE techniques can be utilized. ABE provides a quick and
easy technique to do a nearest-neighbor search across an encrypted database. Therefore, it can be
used for biometric authentication as well. Because biometrics are inherently noisy, authentication
should be effective when the supplied biometric is close to the user’s credential in the system. The
error-tolerance property of the ABE scheme can enable a private key (computed from a biometric
measurement) to decrypt a ciphertext encrypted with a slightly different measurement of the same
biometric.

1.2.2 Problems with Attribute-Based Encryption


The following are the key challenges impeding the deployment of the ABE scheme in systems.

● Central trust: Attribute-based encryption necessitates reliance on a centralized authority – the
Private Key Generator (similar to Identity-Based Encryption). Hence, it is suitable for business
environments. There have been some scholarly studies in the literature on a more distributed
version termed “Decentralized Attribute-based Encryption” (DABE); however, these schemes do
not completely decentralize ABE. Instead, they expand the number of potential trust roots,
comparable to the CA architecture used on the web. This approach even makes the ABE scheme less
secure.
● Speed: For attribute-based encryption, the creation of an access structure is required. The
expressiveness of the access structure leads to expensive computation during decryption, which is the
worst place to be slow because decryption is usually a more common operation than
encryption. An ABE scheme is roughly 20 times slower than classical symmetric encryption.
This is related to ABE’s expensive mathematical constructs, such as bilinear pairing,
exponentiation, and multiplication operations. Furthermore, the ABE scheme gets more computationally
expensive as the number of attributes on a given access structure increases.
● Malicious users revocation: ABE systems suffer from the non-existence of malicious users
revocation mechanisms. Revocation is more challenging in attribute-based systems, given that
each attribute possibly belongs to multiple different users. Revoking attributes cannot revoke
a specific identified malicious user but automatically revokes all the users in the system who
shared the revoked attributes. Thus, revocation on attributes or attribute sets cannot accurately
exclude malicious users.

1.2.3 A Brief History of Security Proof of Functional Encryption


Shamir’s Identity-Based Encryption (IBE) [4] is credited with the invention of functional encryption.
An identity-based encryption method allows any string to serve as a “public key,” rather than
requiring public keys to be created in tandem with secret keys. For instance, a user can send an
encrypted message to a recipient specified by an email address without requiring the recipient to
have an established public key. Secret keys associated with strings (also known as “identities”)
must be obtained from a central authority who holds the master secret key. Suppose we want to
impose a hierarchical structure on keys. In that case, we can generalize identity-based encryption
to hierarchical identity-based encryption (HIBE), in which individuals can delegate secret keys to
their subordinates.
There are inherent issues in providing security proof for functionality like IBE, which requires
generating several secret keys from a single master secret key for different users. It is not enough
to prevent one user from maliciously exploiting his own secret key to decrypt a ciphertext meant
for another user; a robust security concept must also address collusion attacks, in which a group of
users conspire to decipher a ciphertext encrypted to an identity outside of the group. To simulate
such attacks, we imagine an adversary that is capable of acquiring a large number of secret keys and
selecting the associated identities adaptively. At some stage, the adversary must select one identity
to attack (for which no secret key has been collected), and it may then obtain keys for any additional
identities. This necessitates security reduction to balance two competing goals: the simulator must
be powerful enough to give the attacker as many keys as it adaptively seeks, but it must also be
devoid of essential knowledge gained from the attacker’s success.
The first security proofs for IBE schemes relied on the random oracle model, a heuristic that treats
a fixed function as if it were truly random. The first security proofs presented in the standard model
(which did not rely on such a heuristic) reached a weaker notion of security known as selective
security. The selective security approach requires the attacker to choose the target of the attack
before viewing the system’s public settings. Because this is an unrealistic constraint, establishing
selective security should be viewed as a step toward achieving comprehensive security rather than
as an end in itself.
The concept of selective security makes a lot of sense in the context of the partitioning proof
technique used by early research in IBE and HIBE. A partitioning proof splits all possible identities
into two categories: those for which the simulator can generate secret keys and those that cannot.
This gives the simulator a clear method to balance its competing aims, which include ensuring
that all of the adversary’s key requests are within the set of keys the simulator may make and that
the attacked identity is inside the complement. Because the simulator already knows who is being
attacked, the selective model makes the security proof much easier. The selective model enables a
simulator to create a perfect partition, with the attacked identity being the only one for which the
simulator cannot generate the secret key.
Waters [8] and Boneh and Boyen [9] overcame the requirement for selectivity to obtain an IBE
security proof in the standard model. The security proof in [10] instructs the simulator to “guess”
a partition and abort if the attacker attempts to exceed its bounds. The rich structure of more
advanced schemes like HIBE and ABE, on the other hand, appears to doom using selective security
proof owing to exponential security loss, as one must estimate a partition that preserves the partial
ordering provided by the powers allocated to the individual keys.
Meanwhile, progress on attribute-based encryption systems slowed to a halt at selective security
in the standard model. With the Sahai and Waters introduction of attribute-based systems [7], the
subsequent ABE schemes in [11–15] only offered security proofs in the selective model.
Waters developed the dual system encryption approach [10] in response to the relative stagnation
in proving methodology for functional encryption systems. Under conventional assumptions, his
early work produced fully secure and efficient IBE and HIBE systems. Lewko and Waters presented
a more elegant implementation of dual system encryption in [16], allowing for even more efficiency
gains in the context of HIBE. Lewko et al. [17] expanded the dual system encryption methods to
obtain the standard model’s first fully secure ABE systems. Okamoto and Takashima [18] used
the basic and relatively conventional Decisional Linear Assumption (DLIN) to reach comparable
results in a follow-up study. We will continue to explore the dual system encryption methodology
in subsequent works [16, 19, 20] to provide a clear insight into a stronger security proof.

1.2.4 Dual System of Encryption


These works investigate the rich structure of composite order bilinear groups, which differs from
prime order bilinear groups in several ways, most notably the inclusion of orthogonal subgroups
of coprime orders. A composite order bilinear group has the structure of a direct product of prime
order subgroups up to isomorphism so that each group member can decompose as the product of
components from the individual subgroups. However, computing such a decomposition becomes
challenging when the group order is hard to factor. Because of their orthogonality, these subgroups
can serve as independent spaces, allowing a system designer to employ them in various ways
without compromising their validity. The idea behind security is that these subgroups are virtually
inseparable: given a random group element, determining which subgroups contribute non-trivial
components should be difficult.
Although composite order bilinear groups offer appealing properties, it would be preferable to
derive the same functionality and strong guarantees from other assumptions, particularly the DLIN
in prime order bilinear groups. Working with prime order bilinear groups rather than composite
order bilinear groups has various advantages. First, we can achieve security using the more common
decisional linear assumption. Second, we can build considerably more efficient systems with
the same security standards. This is because the difficulties of factoring the group order are often
used to provide security in composite order groups. This requires using large group orders, which
in turn slows down pairing computations significantly.
Okamoto and Takashima developed the framework of dual pairing vector spaces in prime order
bilinear groups [21, 22]. They observed that dual pairing vector spaces could be used to implement
the same proof techniques under the standard Decisional Linear Assumption [18, 23]. Working
in prime order groups is advantageous since the group orders can be much smaller, so pairing
computations can be much faster. In [24], Lewko further developed the connection between the
dual pairing vector space framework and the prior approach in the composite order setting.
Their efforts have yielded a practical understanding of how to move dual system encryption
proofs between composite and prime order settings. However, the reliance on q-type assumptions
(size assumptions that grow with some parameter q) is a disadvantage of the proving technique
provided in [24]. Many q-type assumptions are known to become stronger as q increases [25],
and such dynamic and complex assumptions are not well understood in general. Obiri et al. [26]
have recently improved the methodologies for establishing adaptive security for attribute-based
encryption using static assumptions like the decisional linear assumption and the three-party
Diffie–Hellman assumption. The advantage of the scheme in [26] is that it allows arbitrary
attribute reuse in the access policy without increasing the size of the ciphertext in proportion to the
number of times an attribute appears in the access policy. However, because the approach depends
on the dual vector subspace assumption, it necessitates large public parameters to achieve full
security. Also, the authors in [27, 28] suggested another method for creating security proofs for
the dual system of ABE schemes based on the matrix Diffie–Hellman assumption. This technique
has proven to be beneficial because it is more efficient and more compact than dual vector space
schemes.
This book focuses on using dual systems of encryption proof to construct adaptive, secure
attribute-based encryption. This book provides readers with a thorough overview of the
components that go into creating a dual ABE system of encryption proofs in:
● Composite bilinear groups
● Dual pairing vector space framework (prime order bilinear group)
● Matrix pairing framework (prime order bilinear group)
After reading the book, the readers will learn which bilinear groups (composite order or prime
order) to use in designing a new cryptographic scheme.

1.2.5 Summary
In this chapter, we covered the concepts of encryption and functional encryption and a brief history
of functional encryption. This chapter’s purpose is to provide a historical development of how
the current technique for creating adaptive security of ABE schemes based on a dual system of
encryption in the standard model came to be. We also investigated why ABE schemes were required
because previous encryption methods could not provide fine-grained access control over encrypted
data. Finally, we also investigated the need to construct an adaptive (fully) secure ABE scheme in
prime order groups instead of composite order groups.

References

1 Diffie, W. and Hellman, M.E. (1977). Special feature exhaustive cryptanalysis of the NBS data
encryption standard. Computer 10 (6): 74–84.
2 Simmons, G.J. (1979). Symmetric and asymmetric encryption. ACM Computing Surveys (CSUR)
11 (4): 305–330.
3 Boonkrong, S. (2021). Public key infrastructure. In: Authentication and Access Control, 31–43.
Berkeley, CA: Apress.
4 Shamir, A. (1984). Identity-based cryptosystems and signature schemes. In: Workshop on the
Theory and Application of Cryptographic Techniques, 47–53. Berlin, Heidelberg: Springer-Verlag.
5 Boneh, D. and Franklin, M. (2001). Identity-based encryption from the Weil pairing. In: Annual
International Cryptology Conference, 213–229. Berlin, Heidelberg: Springer-Verlag.
6 Sulaiman, O.K. and Saripurna, D. (2021). Network security system analysis using access control
list (ACL). IJISTECH (International Journal of Information System & Technology) 5 (2): 192–197.
7 Sahai, A. and Waters, B. (2005). Fuzzy identity-based encryption. In: Annual International
Conference on the Theory and Applications of Cryptographic Techniques, 457–473. Berlin, Heidelberg:
Springer-Verlag.
8 Waters, B. (2005). Efficient identity-based encryption without random oracles. In: Annual
International Conference on the Theory and Applications of Cryptographic Techniques, 114–127.
Berlin, Heidelberg: Springer-Verlag.
9 Boneh, D. and Boyen, X. (2004). Secure identity based encryption without random oracles. In:
Annual International Cryptology Conference, 443–459. Berlin, Heidelberg: Springer-Verlag.
10 Waters, B. (2009). Dual system encryption: realizing fully secure IBE and HIBE under simple
assumptions. In: Annual International Cryptology Conference, 619–636. Berlin, Heidelberg:
Springer-Verlag.
11 Cheung, L. and Newport, C. (2007). Provably secure ciphertext policy ABE. Proceedings of the
14th ACM Conference on Computer and Communications Security, 456–465.
12 Goyal, V., Pandey, O., Sahai, A., and Waters, B. (2006). Attribute-based encryption for
fine-grained access control of encrypted data. Proceedings of the 13th ACM Conference on
Computer and Communications Security, 89–98.
13 Goyal, V., Jain, A., Pandey, O., and Sahai, A. (2008). Bounded ciphertext policy attribute based
encryption. In: International Colloquium on Automata, Languages, and Programming, 579–591.
Berlin, Heidelberg: Springer-Verlag.
14 Ostrovsky, R., Sahai, A., and Waters, B. (2007). Attribute-based encryption with non-monotonic
access structures. Proceedings of the 14th ACM Conference on Computer and Communications
Security, 195–203.
15 Waters, B. (2011). Ciphertext-policy attribute-based encryption: an expressive, efficient, and
provably secure realization. In: International Workshop on Public Key Cryptography, 53–70.
Berlin, Heidelberg: Springer-Verlag.
16 Lewko, A. and Waters, B. (2010). New techniques for dual system encryption and fully secure
HIBE with short ciphertexts. In: Theory of Cryptography Conference, 455–479. Berlin,
Heidelberg: Springer-Verlag.
17 Lewko, A., Okamoto, T., Sahai, A. et al. (2010). Fully secure functional encryption:
attribute-based encryption and (hierarchical) inner product encryption. In: Annual International
Conference on the Theory and Applications of Cryptographic Techniques, 62–91. Berlin,
Heidelberg: Springer-Verlag.
18 Okamoto, T. and Takashima, K. (2010). Fully secure functional encryption with general
relations from the decisional linear assumption. In: Annual Cryptology Conference, 191–208. Berlin,
Heidelberg: Springer-Verlag.
19 Lewko, A., Rouselakis, Y., and Waters, B. (2011). Achieving leakage resilience through
dual system encryption. In: Theory of Cryptography Conference, 70–88. Berlin, Heidelberg:
Springer-Verlag.
20 Lewko, A. and Waters, B. (2011). Decentralizing attribute-based encryption. In: Annual
International Conference on the Theory and Applications of Cryptographic Techniques, 568–588. Berlin,
Heidelberg: Springer-Verlag.
21 Okamoto, T. and Takashima, K. (2008). Homomorphic encryption and signatures from vector
decomposition. In: International Conference on Pairing-Based Cryptography, 57–74. Berlin,
Heidelberg: Springer-Verlag.
22 Okamoto, T. and Takashima, K. (2009). Hierarchical predicate encryption for inner-products. In:
International Conference on the Theory and Application of Cryptology and Information Security,
214–231. Berlin, Heidelberg: Springer-Verlag.
23 Okamoto, T. and Takashima, K. (2013). Decentralized attribute-based signatures. In:
International Workshop on Public Key Cryptography, 125–142. Berlin, Heidelberg: Springer-Verlag.
24 Lewko, A. (2012). Tools for simulating features of composite order bilinear groups in the prime
order setting. In: Annual International Conference on the Theory and Applications of
Cryptographic Techniques, 318–335. Berlin, Heidelberg: Springer-Verlag.
25 Cheon, J.H. (2006). Security analysis of the strong Diffie-Hellman problem. In: Annual
International Conference on the Theory and Applications of Cryptographic Techniques, 1–11. Berlin,
Heidelberg: Springer-Verlag.
26 Obiri, I.A., Xia, Q., Xia, H. et al. (2020). A fully secure KP-ABE scheme on prime-order bilinear
groups through selective techniques. Security and Communication Networks, 2020: Article ID
8869057.
27 Kowalczyk, L. and Wee, H. (2020). Compact adaptively secure ABE for NC1 from k-Lin.
Journal of Cryptology 33 (3): 954–1002.
28 Tomida, J., Kawahara, Y., and Nishimaki, R. (2021). Fast, compact, and expressive
attribute-based encryption. Designs, Codes and Cryptography 89 (11): 2577–2626.

Mathematical Background

2.1 Group Theory


Groups are one of the fundamental concepts in modern algebra. A group is a set together with
an operation that combines two elements to form a third element; the set contains an identity
element and inverses, and the operation satisfies certain natural properties such as associativity,
cancellation, and solvability. In the field of cryptography, group theory is the most practical approach
to take when constructing encryption systems. When it comes to cryptographic schemes that
are based on integers, group theory is absolutely necessary for selecting prime numbers and the
corresponding inverses for the purpose of scheme construction. In particular, in the construction
of Rivest–Shamir–Adleman (RSA) encryption, the theory is necessary for computing inverses in
order to generate users’ public and private information. This is because RSA encryption thrives on
public and private keys.

2.1.1 Law of Composition


Let G represent a set. A map ⋅: G × G → G is referred to as a law of composition. For all the elements
x, y ∈ G the image of the pair (x, y) under the law of composition will be represented as x ⋅ y. If a
multiplicative notation is used, we also write xy.
Let G be a set and let ⋅ denote the law of composition. The law of composition is called associative
if (w ⋅ v) ⋅ u = w ⋅ (v ⋅ u) holds for all u, v, w ∈ G. It is called commutative if w ⋅ v = v ⋅ w holds for all
v, w ∈ G.

2.1.2 Groups

Definition 2.1 Let G represent any non-empty set and ⋅: G × G → G be a law of composition. We
say that G forms a group in terms of the operation, if all the following conditions are satisfied:
1. Closure: For elements a, b ∈ G, a ⋅ b ∈ G.
2. Existence of identity: There exists an element e ∈ G such that for all a ∈ G, a ⋅ e = e ⋅ a = a.
3. Associativity: For all elements a, b, c ∈ G, we have (a ⋅ b) ⋅ c = a ⋅ (b ⋅ c).
4. Existence of inverse: For an element a ∈ G, there exists b ∈ G such that a ⋅ b = b ⋅ a = e.
5. Cancellation: For all elements a, b, c ∈ G, if a ⋅ b = a ⋅ c or if b ⋅ a = c ⋅ a, then b = c.
6. Solvability: For all elements a, b ∈ G, there exists an element c ∈ G with a ⋅ c = b, and an
element d ∈ G with d ⋅ a = b.

Attribute-based Encryption (ABE): Foundations and Applications within Blockchain and Cloud Environments, First Edition.
Qi Xia, Jianbin Gao, Isaac Amankona Obiri, Kwame Omono Asamoah, and Daniel Adu Worae.
© 2024 The Institute of Electrical and Electronics Engineers, Inc. Published 2024 by John Wiley & Sons, Inc.

Example 2.1
1. (ℤ, +) is a group with identity element 0.
2. (ℤ∖{0}, ⋅) is not a group. Only 1 and −1 are invertible.

Definition 2.2 We say a group G is an Abelian group if ab = ba ∀ a, b ∈ G; otherwise, G is a
non-Abelian group, i.e. ∃ a, b ∈ G such that ab ≠ ba.

Definition 2.3 The order of an element g ∈ G, represented by |g|, is the smallest positive integer n
(if it exists) such that $g^n = \underbrace{g \cdot g \cdots g}_{n \text{ times}} = e$ (the identity element of G). If such an integer does not exist,
the element g is said to have infinite order. To compute the order of an element g in a group G,
compute the sequence $g, g^2, g^3, \ldots$ until the identity e is obtained for the first time. If the identity e is never
obtained, the order of g is infinite.

Example 2.2
1. In (ℤ, +) the order of 0 is 1 and the order of any non-zero element is ∞. For any non-zero element
a (where a is an integer that is not equal to 0), the order is infinite (∞). This is because, in the
additive group of integers, there is no positive integer n such that na = 0 (a added to itself n times), except when a
is 0. In other words, no matter how many times you add a non-zero integer a to itself, you will
never reach the identity element 0.
2. For G = (ℤ∕6ℤ, +) and H = (ℤ∕6ℤ, ⋅) the orders are as follows:

As shown in Table 2.1, the smallest positive integer k with $g^k = 1$ is the order of an element g ∈ G,
denoted by $\operatorname{ord}_G(g)$. If there is no such k, $\operatorname{ord}_G(g)$ is set to ∞. Torsion elements are group elements
with a finite order. The cardinality of a group is called its order, ord(G). If a group has prime
order, the group is cyclic.

2.1.3 Subgroups
Let a group G have the operation ⋅ with an identity element e, where the inverse of an element
g ∈ G is denoted $g^{-1}$. A subgroup H of G is a nonempty subset of G with two properties:
1. if g, h are in H, then g ⋅ h is in H; and
2. if g is in H, so is $g^{-1}$.

Table 2.1 Order of groups.

g    ord_G(g)    ord_H(g)

0    1           –
1    6           1
2    3           –
3    2           –
4    3           –
5    6           2

Definition 2.4 A subset H of a group G is considered to be a subgroup of G if H itself forms a
group under the operation of G. If H is a subgroup of G, then it is represented by H ≤ G. Further,
to show that H is a proper subgroup of G (proper in the sense of containment), we use H < G.
The subset {e} of G is trivially a subgroup of G.
H ≤ G ⇔ for any a, b ∈ H, $ab^{-1}$ ∈ H
In other words, H is a subset of G which is closed under multiplication and inverse.

2.1.4 Homomorphisms
Homomorphisms are maps that preserve the structure of two algebraic structures. They allow for
the investigation of the interaction between various structures. A homomorphism for a group is
defined as follows:

Definition 2.5 A homomorphism between two groups (G, ⋅), (G′, ∗) is a map f : G → G′ with
f(g ⋅ h) = f(g) ∗ f(h), where g, h ∈ G. If f is bijective, we call f an isomorphism.

A group homomorphism is a map that retains the operation between two groups. This implies
that the group homomorphism maps the first group's identity element to the second group's identity
element and the inverse of a first-group element to the inverse of its image.
The neutral element is preserved by group homomorphisms: $f(1_G) = 1_{G'}$. A monomorphism is
an injective group homomorphism. An epimorphism is a surjective group homomorphism.
A bijective group homomorphism is an isomorphism. A group homomorphism that maps a group
to itself is called an endomorphism. An automorphism is an isomorphism that is also an endomorphism.
If there is an isomorphism between two groups, they are called isomorphic groups and we write
G ≅ G′.

2.1.5 Cyclic Group


A cyclic group is a collection of elements in which each member is a power of a fixed element. As
a result, a cyclic group G can be generated by a fixed element g, with each member in G having the
form $g^i$ for some integer i.

Definition 2.6 A group (G, ⋅) is cyclic if
$G = \langle g \rangle = \{g^i : i \in \mathbb{Z}\}$ for some g ∈ G.
The order of g is the smallest positive integer n such that $g^n = 1$. If there exists no positive integer n
such that $g^n = 1$, then g has infinite order. In the case of an abelian group with the + operation, where 0 is
the identity element, the order of g is the smallest positive integer n with ng = 0. For an element g ∈ G, the set of
elements generated by g is denoted by ⟨g⟩ and comprises all elements of the form $g^k$ for all k ∈ ℤ.
This set is a subgroup of G.

Example 2.3
1. The group (ℤ, +) is cyclic and generated by 1.
2. The group (ℚ, +) is not cyclic and is generated by the infinitely large set {1∕n! | n ∈ ℕ}.

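Theorem 2.1 For an element a ∈ G, $\langle a^{-1} \rangle = \langle a \rangle$. If a is a generator of a cyclic group (also denoted as
⟨a⟩), then $a^{-1}$ is also a generator of that group.

Proof: Let b ∈ ⟨a⟩ such that $b = a^k$ for some k ∈ ℤ. Then $b = a^k = (a^{-k})^{-1} = (a^{-1})^{-k} \in \langle a^{-1} \rangle$.
Since b ∈ ⟨a⟩ is arbitrary, $\langle a \rangle \subseteq \langle a^{-1} \rangle$. Applying the same argument to $a^{-1}$ gives $\langle a^{-1} \rangle \subseteq \langle (a^{-1})^{-1} \rangle = \langle a \rangle$. Hence, we have
$\langle a \rangle = \langle a^{-1} \rangle$. ◽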

Example 2.4 A single element generates a cyclic group. Here are two motivating examples:
1. Addition can form a group of numbers generated by 1. By this, we mean that element 1 can
be combined with itself to generate the complete set of integers under the group operation and
inverses. If n is a positive integer, $\mathbb{Z}_n$ is a cyclic group of order n generated by 1. The element 1
generates $\mathbb{Z}_7$, since
1 + 1 mod 7 = 2
1 + 1 + 1 mod 7 = 3
1 + 1 + 1 + 1 mod 7 = 4
1 + 1 + 1 + 1 + 1 mod 7 = 5
1 + 1 + 1 + 1 + 1 + 1 mod 7 = 6
1 + 1 + 1 + 1 + 1 + 1 + 1 mod 7 = 0
In other words, by adding 1 to itself, it will eventually get back to 0. The element 3 also generates
$\mathbb{Z}_7$:
3 + 3 mod 7 = 6
3 + 3 + 3 mod 7 = 2
3 + 3 + 3 + 3 mod 7 = 5
3 + 3 + 3 + 3 + 3 mod 7 = 1
3 + 3 + 3 + 3 + 3 + 3 mod 7 = 4
3 + 3 + 3 + 3 + 3 + 3 + 3 mod 7 = 0
2. The "same" group can be represented in multiplicative notation as follows: $\mathbb{Z}_7 = \{1, a, a^2, a^3, a^4, a^5, a^6\}$.
In this form, a is a generator of $\mathbb{Z}_7$. It turns out that in $\mathbb{Z}_7$ = {0, 1, 2, 3, 4, 5, 6}, 3 and 5
are capable of generating the entire group set as follows:
$3^1 \bmod 7 = 3$
$3^2 \bmod 7 = 2$
$3^3 \bmod 7 = 6$
$3^4 \bmod 7 = 4$
$3^5 \bmod 7 = 5$
$3^6 \bmod 7 = 1$

$5^1 \bmod 7 = 5$
$5^2 \bmod 7 = 4$
$5^3 \bmod 7 = 6$
$5^4 \bmod 7 = 2$
$5^5 \bmod 7 = 3$
$5^6 \bmod 7 = 1$

Lemma 2.1 Let G = ⟨a⟩ denote a finite cyclic group with order n. Then, the powers $\{1, a, \ldots, a^{n-1}\}$
are unique.

Proof: Since a has order n, the elements $a, a^2, \ldots, a^{n-1}$ are all different from 1.
Assume that $a^i = a^j$ where 0 ≤ j < i < n; then 0 < i − j < n
and $a^{i-j} = 1$, which is contrary to the prior observation. Hence, the powers $\{1, a, a^2, \ldots, a^{n-1}\}$ are
unique. ◽

Theorem 2.2 Consider a as an element of the group G. Then, the cyclic subgroup ⟨a⟩ has two
possibilities:

Case 2.1 The cyclic subgroup ⟨a⟩ is finite. In this instance, the smallest positive integer n exists
such that $a^n = 1$, and we have:
1. $a^k = 1$ if and only if n | k.
2. $a^k = a^m$ if and only if k ≡ m (mod n).
3. $\langle a \rangle = \{1, a, a^2, \ldots, a^{n-1}\}$ and the elements $1, a, a^2, \ldots, a^{n-1}$ are unique.
Case 2.2 The cyclic subgroup ⟨a⟩ is infinite. Then
1. $a^k = 1$ if and only if k = 0.
2. $a^k = a^m$ if and only if k = m.
3. $\langle a \rangle = \{\ldots, a^{-3}, a^{-2}, a^{-1}, 1, a, a^2, a^3, \ldots\}$ and all the exponents of a are unique.
Proof: Case 2.1: Suppose ⟨a⟩ is finite and the elements $a, a^2, a^3, \ldots$ are not unique. Let $a^k = a^m$ with
k < m and $a^n = 1$, where n is the smallest positive integer.
1. If n | k, then k = qn for some q ∈ ℤ. Then $a^k = a^{qn} = (a^n)^q = 1^q = 1$. Conversely, for $a^k = 1$, write
k = qn + r with 0 ≤ r < n using the division algorithm. Then $a^r = a^k (a^n)^{-q} = 1(1)^{-q} = 1$. Since
r < n, unless r = 0, this contradicts minimality of n. Hence, r = 0 and k = qn, so n | k.
2. $a^k = a^m$ if and only if $a^{k-m} = 1$. Now, use step 1.
3. Obviously, $\{1, a, a^2, \ldots, a^{n-1}\} \subseteq \langle a \rangle$. To prove the other inclusion, let g ∈ ⟨a⟩ with $g = a^k$, where
k ∈ ℤ. As in step 1, use the division algorithm to write k = qn + r, where 0 ≤ r ≤ n − 1. Then
$g = a^k = a^{qn+r} = (a^n)^q a^r = 1^q a^r = a^r \in \{1, a, a^2, \ldots, a^{n-1}\}$
which demonstrates that $\langle a \rangle \subseteq \{1, a, a^2, \ldots, a^{n-1}\}$, and hence that
$\langle a \rangle = \{1, a, a^2, \ldots, a^{n-1}\}$.
Finally, assume that $a^k = a^m$, where 0 ≤ k ≤ m ≤ n − 1. Then $a^{m-k} = 1$ and 0 ≤ m − k < n.
This shows that m − k = 0 because n is the smallest positive exponent of a which is equal to 1.
Therefore, all of the elements $1, a, a^2, \ldots, a^{n-1}$ are unique.
Case 2.2 The proof for an infinite group is as follows:
1. Clearly $a^k = 1$ if k = 0. Conversely, if $a^k = 1$ with k ≠ 0, then $a^{-k} = (a^k)^{-1} = 1^{-1} = 1$. Hence $a^n = 1$ for some n > 0,
which shows that ⟨a⟩ is finite by the proof of Case 2.1 step 3, contrary to the hypothesis in this
case. Thus, $a^k = 1$ implies that k = 0.
2. $a^k = a^m$ if and only if $a^{k-m} = 1$. Now use step 1.
3. $\langle a \rangle = \{a^k : k \in \mathbb{Z}\}$ by definition of ⟨a⟩, so all that remains is to check that these exponents are
unique. But this is the content of Lemma 2.1.

Note that if a is an element of a group G, then its order is the lowest positive integer n such that
$a^n = 1$, which is denoted o(a) = n. If no such positive integer exists, we say that a has infinite
order, indicated by o(a) = ∞. According to Theorem 2.2, the order of an element a and the order of
the cyclic subgroup formed by a are the same.

Theorem 2.3 A cyclic group has cyclic subgroups. If G = ⟨a⟩ is cyclic, then for any divisor d of |G|
there is exactly one subgroup of order d, and it is generated by $a^{|G|/d}$.

Proof: Let |G| = dn. Then $1, a^n, a^{2n}, \ldots, a^{(d-1)n}$ are unique and form a cyclic subgroup $\langle a^n \rangle$ of
order d. Conversely, let $H = \{1, a_1, \ldots, a_{d-1}\}$ denote a subgroup of G for some d dividing |G|. Then
for all i, $a_i = a^k$ for some k, and since every element has order dividing |H|, $a_i^d = a^{kd} = 1$. Hence
kd = |G|m = ndm for some m, and we have $a_i = a^{nm}$, so each $a_i$ is in fact a power of $a^n$. This
shows that H must be one of the subgroups already described. ◽

Theorem 2.4 Every composite order group has its own set of subgroups.

Proof: Let G be a group of composite order and let 1 ≠ a ∈ G. If ⟨a⟩ ≠ G, we are done; otherwise, take the
subgroup $\langle a^d \rangle$ for every divisor d of |G|. ◽
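The following Python sketch is an added example, not code from the book. It recomputes Table 2.1, finds the generators used in Example 2.4, and checks Theorem 2.3 on the non-zero residues modulo a prime; all function names are hypothetical.

```python
from math import gcd


def element_order(g, identity, op, limit):
    """Smallest n >= 1 such that g combined with itself n times is the identity.

    Returns None when the identity is not reached within `limit` steps.
    """
    x = g
    for n in range(1, limit + 1):
        if x == identity:
            return n
        x = op(x, g)
    return None


def additive_orders(m):
    """Order of every element of G = (Z/mZ, +)."""
    return {g: element_order(g, 0, lambda a, b: (a + b) % m, m) for g in range(m)}


def multiplicative_orders(m):
    """Order of every element of H = (Z/mZ, .); non-units never reach 1 (None)."""
    return {
        g: element_order(g, 1, lambda a, b: (a * b) % m, m) if gcd(g, m) == 1 else None
        for g in range(m)
    }


def generated_subgroup(g, p):
    """The cyclic subgroup <g> of the non-zero residues modulo a prime p."""
    elems, x = {1}, g % p
    while x != 1:
        elems.add(x)
        x = (x * g) % p
    return frozenset(elems)


def generators(p):
    """Elements whose powers reach every non-zero residue modulo the prime p."""
    return [g for g in range(1, p) if len(generated_subgroup(g, p)) == p - 1]


def subgroups_by_order(p):
    """Map d -> set of distinct subgroups of order d.

    Every subgroup of a cyclic group is cyclic, so listing <g> for all g
    lists every subgroup.
    """
    table = {}
    for g in range(1, p):
        h = generated_subgroup(g, p)
        table.setdefault(len(h), set()).add(h)
    return table


def check_theorem_2_3(a, p):
    """For a generator a of order n = p - 1: one subgroup per divisor d of n,
    and it is the one generated by a^(n/d)."""
    n = p - 1
    divisors = [d for d in range(1, n + 1) if n % d == 0]
    table = subgroups_by_order(p)
    if sorted(table) != divisors:
        return False
    return all(
        table[d] == {generated_subgroup(pow(a, n // d, p), p)} for d in divisors
    )


if __name__ == "__main__":
    add, mul = additive_orders(6), multiplicative_orders(6)
    for g in range(6):
        print(g, add[g], mul[g] if mul[g] is not None else "-")
    print("generators mod 7:", generators(7))
    print("Theorem 2.3 holds mod 7:", check_theorem_2_3(3, 7))
```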

2.2 Ring Theory

A ring is an algebraic structure that generalizes fields in mathematics: multiplication does not have
to be commutative, and multiplicative inverses do not have to exist. In other words, a ring is a set with two
binary operations whose properties are analogous to integer addition and multiplication. Non-numerical
objects such as square matrices, functions, polynomials, and power series can be used as ring
elements as well as numbers such as integers or complex numbers. Many of the concepts discussed
here are straightforward generalizations of properties found in ℤ, which is often regarded as the
quintessential example of a ring.

Definition 2.7 A set R with two binary operations (multiplication ⋅) and (addition +) is called a
ring if all the three axioms listed below, known as the ring axioms, are satisfied.
1. (R, +) is an abelian group, which means that:
a. Associativity: For all elements x, y, z ∈ R, we have (x + y) + z = x + (y + z).
b. Commutativity: For all elements x, y ∈ R, we have x + y = y + x.
c. Additive identity: There exists an element 0 ∈ R such that x + 0 = x for all x ∈ R.
d. Additive inverse: For any element x ∈ R there exists −x ∈ R such that x + (−x) = 0.
2. (R, ⋅) is a monoid, which means that:
a. Associativity: For all elements x, y, z ∈ R, we have (x ⋅ y) ⋅ z = x ⋅ (y ⋅ z).
b. Multiplicative identity: There exists an element 1 ∈ R such that x ⋅ 1 = x and 1 ⋅ x = x for
any element x ∈ R.

3. Multiplication is distributive with respect to addition, meaning that:
a. Left distributivity property: For all the elements x, y, z ∈ R, we have x ⋅ (y + z) = (x ⋅ y) +
(x ⋅ z).
b. Right distributivity property: For all the elements x, y, z ∈ R, we have (x + y) ⋅ z = (x ⋅ z) +
(y ⋅ z).
Example 2.5 Let the set ℤ∕6ℤ = {$\bar{0}, \bar{1}, \ldots, \bar{5}$} with the following operations:

1. The addition a + b ∈ ℤ∕6ℤ is the remainder when the integer a + b is divided by 6. For instance,
5 + 3 = 2 and 5 + 5 = 4.
2. The multiplication a ⋅ b ∈ ℤ∕6ℤ is the remainder when the integer a ⋅ b is divided by 6. For
instance, 5 ⋅ 3 = 3 and 5 ⋅ 5 = 1.
Then ℤ∕6ℤ is a ring: each axiom follows from the associated axiom for ℤ. If a is an integer, the
remainder of a when divided by 6 may be considered as an element of ℤ∕6ℤ, and this element is
often referred to as "a mod 6" or $\bar{a}$, which is consistent with the notation for $\bar{0}, \bar{1}, \bar{2}, \bar{3}, \bar{4}, \bar{5}$. The
additive inverse of any a ∈ ℤ∕6ℤ is −a. For example, −4 = −4 = 1.

(R, +) is called a commutative ring, and (R, ⋅) is also referred to as a commutative ring. The ring is
called an integral domain if the product of every two non-zero elements in a commutative ring is
also non-zero. R• denotes the set of all non-zero members of a ring.

2.2.1 Ideals and Quotient Rings


Ideals are specialized subsets of rings. They generalize the features of specific subsets of integers,
such as even numbers.

Definition 2.8 An ideal, denoted I, is a nonempty subset of R such that if x and y
are in I, then x + y is in I, and if x is in I and r is in R, then both xr and rx are in I. An ideal I
is said to be closed under addition if rI ⊂ I and Ir ⊂ I for all r in R.

Example 2.6
1. Consider x as an element in a commutative ring, R, and let ⟨x⟩ = {xr : r ∈ R} be an ideal in R.
Obviously, ⟨x⟩ is nonempty as 0 = x0 and x = x1 can be found in ⟨x⟩. The sum of any two
elements in ⟨x⟩ is also in ⟨x⟩ since xr + xr′ = x(r + r′). The inverse of xr is −xr = x(−r) ∈ ⟨x⟩.
Finally, if we compute the product of the element xr ∈ ⟨x⟩ with any element y ∈ R, we
obtain y(xr) = x(yr). Hence, ⟨x⟩ satisfies the definition of an ideal.
2. Let R denote a ring such that r ∈ R. The set rR = {rx | x ∈ R} comprises all multiples of r and
forms an ideal. An element x ∈ R is contained in rR if and only if x is divisible by r. If an ideal
I can be written as rR for some r ∈ R, then the ideal is referred to as principal. The situation is
fairly straightforward in ℤ, because all ideals in ℤ are principal.

Ideals can be used to make new rings out of the existing ones. Let I denote an ideal of a ring R.
Then an equivalence relation $\sim_I$ can be defined as follows: $a \sim_I b$ if and only if a − b ∈ I. The
quotient ring of R modulo I is then set to $R/I = R/\!\sim_I$.

Example 2.7 Consider the prime number p and the ring of integers ℤ. The quotient ring modulo pℤ can
then be constructed. Instead of working with the ℤ∕pℤ equivalence classes, we can easily express
it as the set {0, … , p − 1} where all operations are performed in modulo p.

2.2.2 Euler’s Totient Function


The totient function 𝜙(n), also known as Euler's totient function, is the number
of positive integers ≤ n that are relatively prime to (that is, do not share any factor with)
n, where 1 is treated as being relatively prime to all numbers. For example, 24 has eight
totatives (1, 5, 7, 11, 13, 17, 19, and 23), so 𝜙(24) = 8. The number n − 𝜙(n) is referred to as the cototient of
n; it gives the number of positive integers ≤ n that have at least one prime factor in common
with n.
Definition 2.9 The map $\phi : \mathbb{N} \to \mathbb{N},\ n \mapsto |(\mathbb{Z}/n\mathbb{Z})^{\times}|$ is called Euler's totient function. In other words,
Euler's totient function counts the number of coprime positive integers ≤ n. It satisfies $\phi(p^k) = p^{k-1}(p - 1)$
and $\phi(mn) = \phi(m)\phi(n)$ for p ∈ ℙ, k ∈ ℕ and coprime m, n ∈ ℕ.
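As an added illustration (not taken from the book), the Python code below computes 𝜙(n) from the two identities in Definition 2.9 and cross-checks it against a direct count of totatives and of the invertible residues modulo n. Function names are hypothetical and the trial-division factoring is only meant for small n.

```python
from math import gcd


def factorize(n):
    """Prime factorisation by trial division: returns {prime: exponent}."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's totient via phi(p^k) = p^(k-1) (p - 1) and multiplicativity
    over the pairwise coprime prime powers of n."""
    result = 1
    for p, k in factorize(n).items():
        result *= p ** (k - 1) * (p - 1)
    return result


def totatives(n):
    """Positive integers <= n that are relatively prime to n."""
    return [a for a in range(1, n + 1) if gcd(a, n) == 1]


def cototient(n):
    """Number of positive integers <= n sharing a prime factor with n."""
    return n - phi(n)


def units(n):
    """Residues a in 1..n-1 with a multiplicative inverse modulo n,
    found by exhaustive search rather than by a gcd test."""
    return [
        a for a in range(1, n)
        if any((a * b) % n == 1 for b in range(1, n))
    ]


if __name__ == "__main__":
    print("phi(24) =", phi(24), "totatives:", totatives(24))
    print("cototient(24) =", cototient(24))
    print("units mod 24 match totatives:", units(24) == totatives(24))
```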

2.2.3 Polynomial Rings


From any commutative ring it is feasible to form a canonical ring extension, the polynomial ring.

Definition 2.10 Let R denote a commutative ring. The ring of polynomials in variables $X_1, \ldots, X_n$
over R is as follows:
$$R[X_1, \ldots, X_n] = \left\{ \sum_{w_1,\ldots,w_n \in \mathbb{N}_0} a_{w_1,\ldots,w_n} X_1^{w_1} \cdots X_n^{w_n} \;\middle|\; a_{w_1,\ldots,w_n} \in R \ \ \forall\, w_1, \ldots, w_n \in \mathbb{N}_0 \right\}$$

The multiplication is defined by the standard polynomial multiplication, and the addition is also
defined by the component-wise summation. The coefficient ring R is a subring of the polynomial
ring $R[X_1, \ldots, X_n]$. The degree of a polynomial $f \in R[X_1, \ldots, X_n]$ is defined as
$$\deg(f) = \max\left\{ \sum_{j=1}^{n} w_j \;\middle|\; a_{w_1,\ldots,w_n} \neq 0 \right\}.$$

If f = 0, we set deg(f) = −∞.

2.2.4 Irreducible and Monic Polynomials


Irreducible polynomials are those that cannot be factored into non-constant polynomials; that is,
f = gh for g, h ∈ R[X] implies either g ∈ R or h ∈ R. The concept of irreducibility is analogous to
the concept of prime numbers in ℤ. If the polynomial has the form $f = X^d + \sum_{j=0}^{d-1} a_j X^j$, then it is referred
to as monic.

Cyclotomic polynomial
Cyclotomic polynomials are irreducible polynomials with integer coefficients which divide
$X^n - 1 \in \mathbb{Z}[X]$ for some n ∈ ℕ.

Definition 2.11 Let n ∈ ℕ. An irreducible polynomial f ∈ ℤ[X] is referred to as the n-th cyclotomic
polynomial if:
1. $f \mid X^n - 1$, and
2. $f \nmid X^k - 1$ for any k < n.
The n-th cyclotomic polynomial is distinct and is represented by $\Phi_n$.

Example 2.8 If n is a prime number, then
$$\Phi_n(x) = 1 + x + x^2 + \cdots + x^{n-1} = \sum_{k=0}^{n-1} x^k.$$

If n = 2p where p is an odd prime number, then
$$\Phi_{2p}(x) = 1 - x + x^2 - \cdots + x^{p-1} = \sum_{k=0}^{p-1} (-x)^k.$$

For n up to 10, the cyclotomic polynomials are given as follows:

$\Phi_1(x) = x - 1$
$\Phi_2(x) = x + 1$
$\Phi_3(x) = x^2 + x + 1$
$\Phi_4(x) = x^2 + 1$
$\Phi_5(x) = x^4 + x^3 + x^2 + x + 1$
$\Phi_6(x) = x^2 - x + 1$
$\Phi_7(x) = x^6 + x^5 + x^4 + x^3 + x^2 + x + 1$
$\Phi_8(x) = x^4 + 1$
$\Phi_9(x) = x^6 + x^3 + 1$
$\Phi_{10}(x) = x^4 - x^3 + x^2 - x + 1$
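The list above can be reproduced with the added Python example below, which is not code from the book. It assumes the standard identity that $X^n - 1$ is the product of $\Phi_d$ over all divisors d of n (not stated in this chapter), and then checks the two divisibility conditions of Definition 2.11; irreducibility is not tested. Polynomials are coefficient lists, lowest degree first, and all names are hypothetical.

```python
from functools import lru_cache


def x_n_minus_1(n):
    """Coefficients of X^n - 1, lowest degree first."""
    return [-1] + [0] * (n - 1) + [1]


def poly_divmod(num, den):
    """Long division of integer polynomials; den must be monic.

    Returns (quotient, remainder) as coefficient lists.
    """
    num = num[:]
    q = [0] * max(len(num) - len(den) + 1, 1)
    for shift in range(len(num) - len(den), -1, -1):
        coeff = num[shift + len(den) - 1]
        q[shift] = coeff
        for i, d in enumerate(den):
            num[shift + i] -= coeff * d
    return q, num[: len(den) - 1]


@lru_cache(maxsize=None)
def cyclotomic(n):
    """Phi_n as a tuple of coefficients, obtained by dividing X^n - 1 by
    Phi_d for every proper divisor d of n."""
    poly = x_n_minus_1(n)
    for d in range(1, n):
        if n % d == 0:
            poly, rem = poly_divmod(poly, list(cyclotomic(d)))
            if any(rem):
                raise ArithmeticError("division was not exact")
    return tuple(poly)


def satisfies_definition(n):
    """Conditions 1 and 2 of Definition 2.11 for the computed Phi_n."""
    phi_n = list(cyclotomic(n))
    if any(poly_divmod(x_n_minus_1(n), phi_n)[1]):
        return False  # Phi_n does not divide X^n - 1
    # Phi_n must leave a non-zero remainder for every X^k - 1 with k < n.
    return all(any(poly_divmod(x_n_minus_1(k), phi_n)[1]) for k in range(1, n))


def to_text(coeffs):
    """Render a coefficient tuple in the notation of the list above."""
    terms = []
    for power in range(len(coeffs) - 1, -1, -1):
        c = coeffs[power]
        if c == 0:
            continue
        sign = "-" if c < 0 else "+"
        mag = "" if abs(c) == 1 and power > 0 else str(abs(c))
        var = "" if power == 0 else ("x" if power == 1 else f"x^{power}")
        terms.append((sign, mag + var))
    head_sign, head = terms[0]
    text = ("-" if head_sign == "-" else "") + head
    return text + "".join(f" {s} {t}" for s, t in terms[1:])


if __name__ == "__main__":
    for n in range(1, 11):
        print(f"Phi_{n}(x) = {to_text(cyclotomic(n))}")
```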

2.2.5 Field Theory


Fields are algebraic structures with the ability to add, subtract, multiply, and divide. They are rings
with a multiplicative inverse for each non-zero element, allowing division by non-zero elements.
Cryptography frequently uses finite fields. Fields are also needed to describe the algebraic geometry
concepts.

Definition 2.12 A field is a set F with two composition laws + and ⋅ such that
1. (F, +) is a commutative group;
2. (F × , ⋅), where F × = F∖{0} is a commutative group;
3. the distributive law holds.

As a result, a field is a nonzero commutative ring with an inverse for each nonzero element. In
particular, it is an integral domain. At least two distinct elements, 0 and 1, are present in a field.
$\mathbb{F}_2$ = ℤ∕2ℤ = {0, 1} is the smallest and one of the essential fields. A subfield, denoted as S, within
a field F, can be defined as a subring that remains closed when taking inverses. It inherits the
structure of a field from that of F.

2.2.5.1 Quotient Field


Let R denote an integral domain and let Q be the smallest field with R embedded into Q (which
can be called quotient field or field of fractions). The construction of this field can be done in the
same fashion as ℚ can be constructed from ℤ: for n ∈ R, m ∈ R• look at the formal quotient $\frac{n}{m}$. The
two quotients $\frac{n}{m}$ and $\frac{n'}{m'}$ are equal when m′n = n′m. The addition $\frac{n}{m} + \frac{n'}{m'}$ is performed as $\frac{nm' + n'm}{mm'}$,
while the multiplication $\frac{n}{m} \cdot \frac{n'}{m'}$ is performed as $\frac{nn'}{mm'}$.

Example 2.9 The field of fractions of the ring of integers is the field of rationals: ℚ = Frac(ℤ).

2.2.6 Field Characteristic


There is a ring homomorphism 𝜓 : ℤ → K for any field K, with $\psi(1) = 1_K$. K has characteristic
0 if 𝜓 is injective. On the other hand, if 𝜓 is not injective, there exists a prime p ∈ ℙ such that
𝜓(p) = 0, and it is the smallest positive integer that fulfills this property. K is said to have characteristic
p in this scenario. The characteristic of a field K is denoted by char(K). Also, if K has
characteristic p, then K contains an isomorphic copy of $\mathbb{F}_p$.

2.2.7 Algebraic Extension Fields


Take two fields, K and L, such that K ⊂ L. An element 𝛼 ∈ L is considered algebraic over K if there
exists a non-constant polynomial f ∈ K[X]∖K such that f(𝛼) = 0. L is considered
an algebraic extension of K if every element of L is algebraic over K. Otherwise, L is a transcendental
extension of K.
An extension field L over K can also be seen as a K-vector space. The extension degree of L is denoted
as [L : K], and it is the K-vector space dimension of L. The extension degree is finite if the field
extension is algebraic.

2.3 Elliptic Curves

The theory of elliptic curves is extensive, diverse, and complex. Our purpose here is not to give a
comprehensive overview of the theory, but rather to provide the fundamentals needed to understand
the cryptographic application of elliptic curves. We will introduce algebraic geometry concepts
like divisors and rational functions along the way, which will be helpful later when we
define bilinear pairings. Finding specific "pairing-friendly" curves will also be discussed in this
chapter.

2.3.1 Plane Curve


A plane curve is considered as a curve in a plane, which can be either a Euclidean plane, an affine
plane, or a projective plane. An implicit equation of the form p(x, y) = 0 for some specific function
p can be used to represent a plane curve.
A plane curve X is the set of zeros in the plane $F^2$ of a bivariate polynomial, p(x, y). We write

$X = \{(x, y) \in F^2 : p(x, y) = 0\}$.



We can define a plane curve to include points that are appended to the plane but not in it. Points at
infinity, often known as basis points, are such points. The letter  will be used to represent a point
at infinity. The plane curve can now be written as
$X = \{(x, y) \in F^2 : p(x, y) = 0\}$ ∪ {}.
We will concentrate on non-singular plane curves, which are plane curves described by
non-singular polynomials. To clarify, a singular point of the bivariate polynomial p(x, y) is
a point P = (x, y) such that
$$\frac{\partial p(x, y)}{\partial x} = \frac{\partial p(x, y)}{\partial y} = p(x, y) = 0.$$
If the polynomial p(x, y) contains no singular points in F or any finite extension of F, it is called a
nonsingular polynomial. A curve X defined by the zeros of a nonsingular polynomial is called a nonsingular
(projective/smooth) curve. The genus of a plane curve is used to characterize the curve's
properties. The genus of a nonsingular curve is given by $g = \binom{d-1}{2}$.

Definition 2.13 An elliptic curve, E, over the field F, is a plane curve with genus 1 given by the
set of zeros of a nonsingular, smooth, bivariate polynomial of the form
$p(x, y) = y^2 + a_1 xy + a_3 y - x^3 - a_2 x^2 - a_4 x - a_6$
in addition to the point at infinity, where $a_1, \ldots, a_6 \in F$. The polynomial in the above equation
is in the Weierstrass form.

We can observe that requiring E to be smooth essentially means that the equations:
$a_1 y = 3x^2 + 2a_2 x + a_4$
$2y + a_1 x + a_3 = 0$

cannot be simultaneously satisfied by any (x, y) ∈ $E(\bar{F})$, where $\bar{F}$ represents the algebraic closure of F.
Whenever the field characteristic exceeds three, the appropriate change of variables (particularly
$x \to x - \frac{1}{3}$) can express the elliptic curve E as

$E : y^2 = x^3 + ax + b$.
The elliptic curve E is then represented in the short Weierstrass form. In this situation, requiring the
curve to be smooth basically implies requiring the cubic on the right-hand side not to have multiple
roots. This is valid if the discriminant of $x^3 + ax + b$, which is $-(4a^3 + 27b^2)$, is nonzero. For
cryptography purposes, we are interested in the curve over a prime field. However, if we plot such
an elliptic curve over $\mathbb{Z}_p$, we get nothing approximating a curve. However, nothing prohibits us
from displaying an elliptic curve equation over the set of real numbers.
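The added Python example below (not code from the book) applies the discriminant test to a short Weierstrass curve over a prime field with p > 3 and lists its affine points. It uses the curve y² = x³ − 3x + 3 and shows that the same equation is nonsingular modulo 7 but singular modulo 5; function names and the choice of primes are assumptions made for the illustration.

```python
def discriminant(a, b, p):
    """-(4a^3 + 27b^2) reduced modulo the prime p."""
    return (-(4 * a ** 3 + 27 * b ** 2)) % p


def is_nonsingular(a, b, p):
    """True when x^3 + ax + b has no multiple root modulo p (p > 3)."""
    return discriminant(a, b, p) != 0


def affine_points(a, b, p):
    """All (x, y) in F_p x F_p with y^2 = x^3 + ax + b.

    The point at infinity is not included in the list.
    """
    # Index every y by its square so each x needs a single lookup.
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    points = []
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        for y in roots.get(rhs, []):
            points.append((x, y))
    return points


def singular_points(a, b, p):
    """Points on the curve where both partial derivatives of
    y^2 - x^3 - ax - b vanish: 2y = 0 and 3x^2 + a = 0 (mod p)."""
    return [
        (x, y)
        for (x, y) in affine_points(a, b, p)
        if (2 * y) % p == 0 and (3 * x * x + a) % p == 0
    ]


def is_symmetric(a, b, p):
    """Every point (x, y) has its mirror image (x, -y mod p) on the curve."""
    pts = set(affine_points(a, b, p))
    return all((x, (-y) % p) in pts for (x, y) in pts)


def group_size(a, b, p):
    """Number of points including the point at infinity."""
    return len(affine_points(a, b, p)) + 1


if __name__ == "__main__":
    a, b = -3, 3  # the curve y^2 = x^3 - 3x + 3
    for p in (5, 7, 11):
        print(
            f"p={p}: discriminant={discriminant(a, b, p)}, "
            f"nonsingular={is_nonsingular(a, b, p)}, "
            f"singular points={singular_points(a, b, p)}, "
            f"points={affine_points(a, b, p)}"
        )
```

Over the integers the discriminant of this curve is −135 = −3³ · 5, which is why reduction modulo 5 produces a singular point while modulo 7 and 11 it does not.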

Example 2.10 In Figure 2.1 the elliptic curve $y^2 = x^3 - 3x + 3$ is shown over the real numbers.

The figure clearly shows that elliptic curves are not ellipses. They are used to estimate the circumference
of ellipses, hence the name. The elliptic curve in the figure is symmetric about the x-axis. This
is strongly related to the fact that for all $x_i$ values on the elliptic curve, both $y_i = \sqrt{x_i^3 + a \cdot x_i + b}$
and $y'_i = -\sqrt{x_i^3 + a \cdot x_i + b}$ are the solutions. Second, there is one point where the y-axis intersects
And late to ours, the favour'd one of God—
But, now, the ruler of an anchor'd realm,
She throws aside the sceptre—leaves the
helm,
And, amid incense and high spiritual hymns,
Laves in quadruple light her angel limbs.

Now happiest, loveliest in yon lovely Earth,


Whence sprang the "Idea of Beauty" into
birth,
(Falling in wreaths thro' many a startled star,
Like woman's hair 'mid pearls, until, afar,
It lit on hills Achaian, and there dwelt)
She looked into Infinity—and knelt.
Rich clouds, for canopies, about her curled—
Fit emblems of the model of her world—
Seen but in beauty—not impeding sight
Of other beauty glittering thro' the light—
A wreath that twined each starry form
around,
And all the opal'd air in colour bound.

All hurriedly she knelt upon a bed


Of flowers: of lilies such as rear'd the head
On the fair Capo Deucato, and sprang
So eagerly around about to hang
Upon the flying footsteps of——deep pride—
Of her who lov'd a mortal—and so died.
The Sephalica, budding with young bees,
Upreared its purple stem around her knees:

And gemmy flower, of Trebizond misnam'd—
Inmate of highest stars, where erst it
sham'd
All other loveliness:—its honied dew
(The fabled nectar that the heathen knew)
Deliriously sweet, was dropp'd from Heaven.
And fell on gardens of the unforgiven
In Trebizond—and on a sunny flower
So like its own above that, to this hour,
It still remaineth, torturing the bee
With madness, and unwonted reverie:
In Heaven, and all its environs, the leaf
And blossom of the fairy plant in grief
Disconsolate linger—grief that hangs her
head,
Repenting follies that full long have fled,
Heaving her white breast to the balmy air,
Like guilty beauty, chasten'd and more fair:
Nyctanthes too, as sacred as the light
She fears to perfume, perfuming the night:
And Clytia, pondering between many a sun,
While pettish tears adown her petals run:
And that aspiring flower that sprang on
Earth,
And died, ere scarce exalted into birth,
Bursting its odorous heart in spirit to wing
Its way to Heaven, from garden of a king:
And Valisnerian lotus, thither flown
From struggling with the waters of the
Rhone:
And thy most lovely purple perfume, Zante!
Isola d'oro!—Fior di Levante!
And the Nelumbo bud that floats for ever
With Indian Cupid down the holy river—
Fair flowers, and fairy! to whose care is
given
To bear the Goddess' song, in odours, up to
Heaven

"Spirit! thou dwellest where,


In the deep sky,
The terrible and fair,
In beauty vie!
Beyond the line of blue—
The boundary of the star
Which turneth at the view
Of thy barrier and thy bar—
Of the barrier overgone
By the comets who were cast
From their pride and from their throne
To be drudges till the last—
To be carriers of fire
(The red fire of their heart)
With speed that may not tire
And with pain that shall not part—
Who livest—that we know—
In Eternity—we feel—
But the shadow of whose brow
What spirit shall reveal?
Tho' the beings whom thy Nesace,
Thy messenger hath known
Have dream'd for thy Infinity
A model of their own—
Thy will is done, O God!
The star hath ridden high
Thro' many a tempest, but she rode
Beneath thy burning eye;
And here, in thought, to thee—
In thought that can alone
Ascend thy empire and so be
A partner of thy throne—
By wingèd Fantasy,
My embassy is given,
Till secrecy shall knowledge be
In the environs of Heaven."

She ceas'd—and buried then her burning


cheek
Abash'd, amid the lilies there, too seek
A shelter from the fervour of His eye;
For the stars trembled at the Deity.
She stirr'd not—breath'd not—for a voice
was there
How solemnly pervading the calm air!
A sound of silence on the startled ear
Which dreamy poets name "the music of the
sphere."
Ours is a world of words: Quiet we call
"Silence"—which is the merest word of all.
All Nature speaks, and ev'n ideal things
Flap shadowy sounds from visionary wings—
But ah! not so when, thus, in realms on high
The eternal voice of God is passing by,
And the red winds are withering in the sky:

Al Aaraaf
"What tho' in worlds which sightless cycles
run
Linked to a little system, and one sun—
Where all my life is folly and the crowd
Still think my terrors but the thunder cloud,
The storm, the earthquake, and the ocean-
wrath—
(Ah! will they cross me in my angrier path?)
What tho' in world which hold a single sun
The sands of Time grow dimmer as they
run,
Yet thine is my resplendency, so given
To bear my secrets thro' the upper Heaven
Leave tenantless thy crystal home, and fly,
With all thy train, athwart the moony sky—
Apart—like fire-flies in the Sicilian night,
And wing to other worlds another light!
Divulge the secrets of thy embassy
To the proud orbs that twinkle—and so be
To ev'ry heart a barrier and a ban
Lest the stars totter in the guilt of man!"

Up rose the maiden in the yellow night,


The single-moonèd eve!—on Earth we plight
Our faith to one love—and one moon adore

The birth-place of young Beauty had no
more.
As sprang that yellow star from downy hours
Up rose the maiden from her shrine of
flowers,
And bent o'er sheeny mountains and dim
plain
Her way, but left not yet her Therasaean
reign.

PART II.

High on a mountain of enamell'd head—


Such as the drowsy shepherd on his bed
Of giant pasturage lying at his ease,
Raising his heavy eyelid, starts and sees
With many a mutter'd "hope to be forgiven"
What time the moon is quadrated in Heaven

Of Rosy head that, towering far away
Into the sunlight ether, caught the ray
Of sunken suns at eve—at noon of night,
While the moon danc'd with the fair stranger
light
Uprear'd upon such height arose a pile
Of gorgeous columns on th' unburthen'd air,
Flashing from Parian marble that twin smile
Far down upon the wave that sparkled
there,
And nursled the young mountain in its lair.
Of molten stars their pavement, such as fall
Thro' the ebon air, besilvering the pall
Of their own dissolution, while they die—
Adorning then the dwellings of the sky.
A dome, by linked light from Heaven let
down,
Sat gently on these columns as a crown—
A window of one circular diamond, there,
Look'd out above into the purple air,
And rays from God shot down that meteor
chain
And hallow'd all the beauty twice again,
Save when, between th' Empyrean and that
ring,
Some eager spirit flapp'd his dusky wing.
But on the pillars Seraph eyes have seen
The dimness of this world: that greyish
green
That Nature loves the best for Beauty's
grave
Lurk'd in each cornice, round each architrave

And every sculptur'd cherub thereabout
That from his marble dwelling peerèd out,
Seem'd earthly in the shadow of his niche—
Achaian statues in a world so rich?
Friezes from Tadmor and Persepolis—
From Balbec, and the stilly, clear abyss
Of beautiful Gomorrah! O, the wave
Is now upon thee—but too late to save!

Sound loves to revel in a summer night:
Witness the murmur of the grey twilight
That stole upon the ear, in Eyraco,
Of many a wild star-gazer long ago—
That stealeth ever on the ear of him
Who, musing, gazeth on the distant dim,
And sees the darkness coming as a cloud—
Is not its form—its voice—most palpable and loud?

But what is this?—it cometh, and it brings
A music with it—'tis the rush of wings—
A pause—and then a sweeping, falling strain
And Nesace is in her halls again.
From the wild energy of wanton haste
Her cheeks were flushing, and her lips apart;
And zone that clung around her gentle waist
Had burst beneath the heaving of her heart.
Within the centre of that hall to breathe,
She paused and panted, Zanthe! all beneath,
The fairy light that kiss'd her golden hair
And long'd to rest, yet could but sparkle there.

Young flowers were whispering in melody
To happy flowers that night—and tree to tree;
Fountains were gushing music as they fell
In many a star-lit grove, or moon-lit dell;
Yet silence came upon material things—
Fair flowers, bright waterfalls and angel wings—
And sound alone that from the spirit sprang
Bore burthen to the charm the maiden sang:

"'Neath the blue-bell or streamer—
Or tufted wild spray
That keeps, from the dreamer,
The moonbeam away—
Bright beings! that ponder,
With half closing eyes,
On the stars which your wonder
Hath drawn from the skies,
Till they glance thro' the shade, and
Come down to your brow
Like——eyes of the maiden
Who calls on you now—
Arise! from your dreaming
In violet bowers,
To duty beseeming
These star-litten hours—
And shake from your tresses
Encumber'd with dew
The breath of those kisses
That cumber them too—
(O! how, without you, Love!
Could angels be blest?)
Those kisses of true Love
That lull'd ye to rest!
Up!—shake from your wing
Each hindering thing:
The dew of the night—
It would weigh down your flight;
And true love caresses—
O, leave them apart!
They are light on the tresses,
But lead on the heart.
Ligeia! Ligeia!
My beautiful one!
Whose harshest idea
Will to melody run,
O! is it thy will
On the breezes to toss?
Or, capriciously still,
Like the lone Albatross,
Incumbent on night
(As she on the air)
To keep watch with delight
On the harmony there?

Ligeia! wherever
Thy image may be,
No magic shall sever
Thy music from thee.
Thou hast bound many eyes
In a dreamy sleep—
But the strains still arise
Which thy vigilance keep—
The sound of the rain,
Which leaps down to the flower—
And dances again
In the rhythm of the shower—
The murmur that springs
From the growing of grass
Are the music of things—
But are modell'd, alas!—
Away, then, my dearest,
Oh! hie thee away
To the springs that lie clearest
Beneath the moon-ray—
To lone lake that smiles,
In its dream of deep rest,
At the many star-isles
That enjewel its breast—
Where wild flowers, creeping,
Have mingled their shade,
On its margin is sleeping
Full many a maid—
Some have left the cool glade, and
Have slept with the bee—
Arouse them, my maiden,
On moorland and lea—
Go! breathe on their slumber,
All softly in ear,
Thy musical number
They slumbered to hear—
For what can awaken
An angel so soon,
Whose sleep hath been taken
Beneath the cold moon,
As the spell which no slumber
Of witchery may test,
The rhythmical number
Which lull'd him to rest?"

Spirits in wing, and angels to the view,
A thousand seraphs burst th' Empyrean thro'
Young dreams still hovering on their drowsy flight—
Seraphs in all but "Knowledge," the keen light
That fell, refracted, thro' thy bounds, afar,
O Death! from eye of God upon that star:
Sweet was that error—sweeter still that death—
Sweet was that error—even with us the breath
Of Science dims the mirror of our joy—
To them 'twere the Simoom, and would destroy—
For what (to them) availeth it to know
That Truth is Falsehood—or that Bliss is Woe?
Sweet was their death—with them to die was rife
With the last ecstasy of satiate life—
Beyond that death no immortality—
But sleep that pondereth and is not "to be"—
And there!—oh! may my weary spirit dwell—
Apart from Heaven's Eternity—and yet how far from Hell!
What guilty spirit, in what shrubbery dim,
Heard not the stirring summons of that hymn?
But two: they fell: for Heaven no grace imparts
To those who hear not for their beating hearts.
A maiden-angel and her seraph-lover—
O! where (and ye may seek the wide skies over)
Was Love, the blind, near sober Duty known?
Unguided Love hath fallen—'mid "tears of perfect moan."

He was a goodly spirit—he who fell:
A wanderer by moss-y-mantled well—
A gazer on the lights that shine above—
A dreamer in the moonbeam by his love:
What wonder? for each star is eye-like there,
And looks so sweetly down on Beauty's hair
And they, and ev'ry mossy spring were holy
To his love-haunted heart and melancholy.
The night had found (to him a night of woe)
Upon a mountain crag, young Angelo—
Beetling it bends athwart the solemn sky,
And scowls on starry worlds that down beneath it
Here sat he with his love—his dark eye bent
With eagle gaze along the firmament:
Now turn'd it upon her—but ever then
It trembled to the orb of Earth again.

"Ianthe, dearest, see—how dim that ray!
How lovely 'tis to look so far away!
She seem'd not thus upon that autumn eve
I left her gorgeous halls—nor mourn'd to leave.
That eve—that eve—I should remember well
The sun-ray dropp'd in Lemnos, with a spell
On th' arabesque carving of a gilded hall
Wherein I sate, and on the draperied wall—
And on my eyelids—O the heavy light!
How drowsily it weigh'd them into night!
On flowers, before, and mist, and love they ran
With Persian Saadi in his Gulistan:
But O that light!—I slumber'd—Death, the while,
Stole o'er my senses in that lovely isle
So softly that no single silken hair
Awoke that slept—or knew that he was there.
"The last spot of Earth's orb I trod upon
Was a proud temple called the Parthenon;
More beauty clung around her column'd wall
Than ev'n thy glowing bosom beats withal,
And when old Time my wing did disenthral
Thence sprang I—as the eagle from his tower,
And years I left behind me in an hour.
What time upon her airy bounds I hung,
One half the garden of her globe was flung
Unrolling as a chart unto my view—
Tenantless cities of the desert too!
Ianthe, beauty crowded on me then,
And half I wish'd to be again of men."

"My Angelo! and why of them to be?
A brighter dwelling place is here for thee—
And greener fields than in yon world above,
And woman's loveliness—and passionate love."

"But, list, Ianthe! when the air so soft
Fail'd, as my pennon'd spirit leapt aloft,
Perhaps my brain grew dizzy—but the world
I left so late was into chaos hurl'd—
Sprang from her station, on the winds apart,
And roll'd, a flame, the fiery Heaven athwart.
Methought, my sweet one, then I ceased to soar
And fell—not swiftly as I rose before,
But with a downward, tremulous motion thro'
Light, brazen rays, this golden star unto!
Nor long the measure of my falling hours,
For nearest of all stars was thine to ours—
Dread star! that came, amid a night of mirth,
A red Daedalion on the timid Earth."

"We came—and to thy Earth—but not to us
Be given our lady's bidding to discuss:
We came, my love; around, above, below,
Gay fire-fly of the night we come and go,
Nor ask a reason save the angel-nod
She grants to us, as granted by her God—
But, Angelo, than thine grey Time unfurl'd
Never his fairy wing o'er fairier world!
Dim was its little disk, and angel eyes
Alone could see the phantom in the skies,
When first Al Aaraaf knew her course to be
Headlong thitherward o'er the starry sea—
But when its glory swell'd upon the sky,
As glowing Beauty's bust beneath man's eye,
We paused before the heritage of men,
And thy star trembled—as doth Beauty then!"

Thus, in discourse, the lovers whiled away
The night that waned and waned and brought no day.
They fell: for Heaven to them no hope imparts
Who hear not for the beating of their hearts.
TO F——S S. O——D
[Mrs. Frances Sargent Osgood]

Thou wouldst be loved?—then let thy heart
From its present pathway part not!
Being everything which now thou art,
Be nothing which thou art not.
So with the world thy gentle ways,
Thy grace, thy more than beauty,
Shall be an endless theme of praise,
And love—a simple duty.
BRIDAL BALLAD
The ring is on my hand.
And the wreath is on my brow;
Satin and jewels grand
Are all at my command,
And I am happy now.

And my lord he loves me well;
But, when first he breathed his vow,
I felt my bosom swell—
For the words rang as a knell,
And the voice seemed his who fell
In the battle down the dell,
And who is happy now.

But he spoke to re-assure me,
And he kissed my pallid brow,
While a reverie came o'er me,
And to the church-yard bore me,
And I sighed to him before me,
Thinking him dead D'Elormie,
"Oh, I am happy now!"

And thus the words were spoken,
And this the plighted vow,
And, though my faith be broken,
And, though my heart be broken,
Here is a ring, as token
That I am happy now!

Would God I could awaken!
For I dream I know not how!
And my soul is sorely shaken
Lest an evil step be taken,—
Lest the dead who is forsaken
May not be happy now.
TO MY MOTHER
[His Mother-in-law, Mrs. Clemm.]

Because I feel that, in the Heavens above,
The angels, whispering to one another,
Can find, among their burning terms of love,
None so devotional as that of "Mother,"
Therefore by that dear name I long have called you—
You who are more than mother unto me,
And fill my heart of hearts, where Death installed you
In setting my Virginia's spirit free.
My mother—my own mother, who died early,
Was but the mother of myself; but you
Are mother to the one I loved so dearly,
And thus are dearer than the mother I knew
By that infinity with which my wife
Was dearer to my soul than its soul-life.
TO HELEN
["Helen" was Mrs. Stannard, whose death also inspired Lenore.]

Helen, thy beauty is to me
Like those Nicean barks of yore,
That gently, o'er a perfumed sea,
The weary, wayworn wanderer bore
To his own native shore.

On desperate seas long wont to roam,
Thy hyacinth hair, thy classic face,
Thy Naiad airs have brought me home
To the glory that was Greece,
And the grandeur that was Rome.

Lo! in yon brilliant window-niche
How statue-like I see thee stand,
The agate lamp within thy hand!
Ah, Psyche, from the regions which
Are Holy Land!
THE VALLEY OF UNREST
Once it smiled a silent dell
Where the people did not dwell;
They had gone unto the wars,
Trusting to the mild-eyed stars,
Nightly, from their azure towers,
To keep watch above the flowers,
In the midst of which all day
The red sunlight lazily lay.
Now each visitor shall confess
The sad valley's restlessness.
Nothing there is motionless—
Nothing save the airs that brood
Over the magic solitude.
Ah, by no wind are stirred those trees
That palpitate like the chill seas
Around the misty Hebrides!
Ah, by no wind those clouds are driven
That rustle through the unquiet Heaven
Uneasily, from morn till even,
Over the violets there that lie
In myriad types of the human eye—
Over the lilies there that wave
And weep above a nameless grave!
They wave:—from out their fragrant tops
Eternal dews come down in drops.
They weep:—from off their delicate stems
Perennial tears descend in gems.