Attribute-Based Encryption with Non-Monotonic Access Structures


Rafail Ostrovsky (UCLA), Amit Sahai (UCLA), Brent Waters (SRI International)

ABSTRACT

We construct an Attribute-Based Encryption (ABE) scheme that allows a user's private key to be expressed in terms of any access formula over attributes. Previous ABE schemes were limited to expressing only monotonic access structures. We provide a proof of security for our scheme based on the Decisional Bilinear Diffie-Hellman (BDH) assumption. Furthermore, the performance of our new scheme compares favorably with existing, less-expressive schemes.

Categories and Subject Descriptors: E.3 [Data Encryption]: Public key cryptosystems.

General Terms: Security.

Author support: Supported in part by IBM Faculty Award, Xerox Innovation Group Award, NSF Cybertrust grant no. , and U.C. MICRO grant. This research was supported in part by an Alfred P. Sloan Foundation Research Fellowship, an Intel equipment grant, and NSF ITR/Cybertrust grants , and . Supported by NSF CNS and the US Army Research Office under the CyberTA Grant No. W911NF.

CCS'07, October 29–November 2, 2007, Alexandria, Virginia, USA. Copyright 2007 ACM.

1. INTRODUCTION

Several distributed file and information systems require complex access-control mechanisms, where access decisions depend upon attributes of the protected data and access policies assigned to users. Traditionally, such access-control mechanisms have been enforced by a server that acts as a trusted reference monitor; the monitor will allow a user to view data only if his access policy allows it. While the use of trusted servers allows for a relatively straightforward solution, there is a large downside to this approach: both the servers and their storage must be trusted and remain uncompromised. With the increasing number of worm attacks and other forms of intrusion, maintaining the security of any particular host is becoming increasingly difficult. This problem is exacerbated in larger systems where sensitive data must be replicated across several servers because of scalability and survivability concerns.

A natural solution to this problem is to encrypt stored data in order to reduce data vulnerability in the event that a storage server is compromised. However, traditional public-key encryption methods require that data be encrypted to one particular user's public key and are unsuitable for expressing more complex access control policies.¹

Attribute-Based Encryption. Recently, Sahai and Waters [21] addressed this issue by introducing the concept of Attribute-Based Encryption (ABE). In an ABE system an encryptor will associate encrypted data with a set of attributes. An authority with access to the master keys will issue users different private keys, where a user's private key is associated with an access structure over attributes and reflects the access policy ascribed to the user. The decryption algorithm allows users to decrypt data using their ascribed private key as long as the access policy specified by their private key permits it.

The original ABE construction of Sahai and Waters is somewhat limited in that it only permits an authority to issue private keys that express threshold access policies, in which a certain number of specified attributes need to be present in the ciphertext in order for a user to decrypt. Goyal et al. [16] greatly increased the expressibility of Attribute-Based Encryption systems by creating a new ABE scheme in which users' private keys can express any monotone access formula consisting of AND, OR, or threshold gates.

While the work of Goyal et al. is a large step forward in the capability of Attribute-Based Encryption systems, one fundamental limitation of their techniques is that there is no satisfactory method to represent negative constraints in a key's access formula. This is particularly a problem in scenarios where conflicts of interest naturally arise. Consider the following example. A university is conducting a peer-review evaluation, where each department will be critiqued by a panel of professors from other departments. Bob, who is a member of the panel this year from the Biology department, will need to read (possibly sensitive) comments about other departments and assimilate them for his written review. In an Attribute-Based Encryption system the comments will be labeled with descriptive attributes; for example, a comment on the History department might be encrypted with the attributes: "History", "year=2007", "dept-review". In the Goyal et al. scheme Bob might receive a private key for the policy "year=2007" AND "dept-review", which would allow him to see all comments from this current year. However, in this setting it is important that Bob should not be able to view comments written about his own department. Therefore, the policy we would actually like to ascribe to Bob's key is "year=2007" AND "dept-review" AND (NOT "Biology").

One way that we might try to handle this issue is to include explicit attributes that indicate the absence of attributes in the ciphertext. For example, the attribute "not:Biology" can be included in a ciphertext to indicate that the ciphertext is not related to the Biology department. However, this solution is undesirable for two reasons. First, the ciphertext overhead will become huge in many applications as it needs to explicitly include negative attributes for everything that it does not relate to. The feedback about the History department would need to include the attributes "not:Aeronautics", "not:Anthropology", "not:Art", ..., "not:World Studies" as well as explicit negative attributes for every subject that does not describe the ciphertext. In addition, a user encrypting a message might not be aware of many attributes, and new attributes might come into use in the system after the ciphertext is created. In our example, a user creating a comment on the History department might be unaware of a newly created Otolaryngology² department.

The above example illustrates the limitations on system design imposed by the inability of current ABE systems to effectively support negation. Indeed, this limitation appears to be a fundamental characteristic of current ABE systems, which use techniques from secret-sharing schemes as a core component of their design.

¹ There have been several proposals for achieving greater access control from public key systems (see, e.g. [24, 9]). However, these systems were unable to achieve the critical property of security against collusion attacks, where multiple users share their private key information. Indeed, simple and devastating collusion attacks are easy to mount against the systems of [24, 9] involving as few as two colluding users. In this paper, we focus only on solutions that are able to provide security against collusion attacks.
It is well known that secret-sharing schemes are limited to expressing monotonic access structures because a participating party can always choose not to contribute his share and therefore act like he is not present.

Our Contribution. In this work we present a new Attribute-Based Encryption scheme where private keys can represent any access formula over attributes, including non-monotone ones. In particular, our construction can handle any access structure that can be represented by a boolean formula involving AND, OR, NOT, and threshold operations.

As mentioned above, the main technical obstacle we overcome is finding a way to make use of secret sharing schemes to yield non-monotonic access structures. At a high level, the technical novelty in our work lies in finding a way to (implicitly) make a share available to the decryptor only if a given attribute is not present among the attributes of the ciphertext. To accomplish this we adapt an idea from the broadcast revocation scheme of Naor and Pinkas [18] to our setting of Attribute-Based Encryption based on bilinear groups. Every negative attribute node in a key is tied to a degree $d$ polynomial (in the exponent) that was created by the authority at setup (where $d$ is the maximum number of attributes used to describe a ciphertext). To access the secret share corresponding to this node, the decryptor will need to make use of at least $d+1$ different points from the polynomial in order to perform an interpolation, where we map attributes to distinct points on the polynomial. The decryption algorithm will be able to gather $d$ different points of the polynomial from the attributes of the ciphertext. To get the remaining point, the decryptor must examine the one point that corresponds to the negative attribute in this particular node of the access formula. If this attribute is distinct from all the attributes in the ciphertext (that is, if the attribute is not present) then the decryptor will have $d+1$ points of the polynomial and be able to decrypt; otherwise, if the key's attribute appears in the ciphertext, then the decryption algorithm will have only $d$ points (one particular point will have been given twice) and the decryption algorithm will not be able to interpolate the polynomial and thereby access the secret share corresponding to the node. In designing our construction several challenges arise from adapting these negation techniques while preserving the collusion resistance features that are necessary for Attribute-Based Encryption systems.

² Otolaryngology is the branch of medicine that specializes in ear, nose, throat, head, and neck disorders.

1.1 Related Work

Sahai and Waters [21] introduced the concept of Attribute-Based Encryption, as we use the term here (see below for a brief discussion of other related notions). In ABE systems an encrypted ciphertext is associated with a set of attributes, and a user's private key will reflect an access policy over attributes. A user will be able to decrypt if and only if the ciphertext's attributes satisfy the key's policy.

Attribute-Based Encryption is closely related to the concept of Identity-Based Encryption (IBE) [7, 23, 15], which was introduced by Shamir in 1984 [23]. One can actually view IBE as a special case of ABE in which ciphertexts are associated with one attribute, the identity of the recipient, and a private key's policy demands that one particular attribute, the key holder's identity, be present in the ciphertext for decryption. The original construction of Sahai and Waters [21] was limited to expressing threshold access policies. Goyal et al. [16] subsequently increased the expressibility of ABE systems by allowing the private key to express any monotonic access structure over attributes.

Other works have examined different variants of ABE. Pirretti et al. [19] examined methods for applying the Sahai-Waters system into practice and gave an implementation of the construction.
Chase [13] gave a multi-authority construction in which a user's key is constructed by combining components received from different authorities. Bethencourt, Sahai, and Waters [4] gave a construction for Ciphertext-Policy Attribute-Based Encryption. In their construction the roles of the ciphertexts and keys are reversed in the sense that attributes are used to describe the features of a key holder, and an encryptor will associate an access policy with the ciphertext.

Attribute-Based Encryption makes use of techniques from secret-sharing schemes [17, 10, 22, 5, 3]. The idea of combining secret-sharing schemes and encryption to achieve access control with respect to policies has a long history (for some recent work in this direction, see [24, 9]). In this previous work, what we call collusion was actually seen as a desirable feature: it would be necessary for multiple entities with different attributes/credentials to come together in order to access encrypted data. This is of course problematic in our scenario; indeed, the elusive property of resistance to collusion attacks is considered a defining property of the Sahai-Waters notion of ABE.

1.2 Organization

In Section 2 we give background information on our security definitions and assumptions. Next, we give our construction in Section 3. Then, we prove our scheme secure in Section 4. Finally, we conclude in Section 5.

2. BACKGROUND

We first give formal definitions for the security of (key-policy) Attribute-Based Encryption (ABE), following [21, 16]. Then we give background information on bilinear maps and our cryptographic assumption. Finally, we give some background on linear secret-sharing schemes.

2.1 Definitions

Definition 1 (Access Structure [2]). Let $\{P_1, \ldots, P_n\}$ be a set of parties. A collection $\mathbb{A} \subseteq 2^{\{P_1, \ldots, P_n\}}$ is monotone if $\forall B, C$: if $B \in \mathbb{A}$ and $B \subseteq C$ then $C \in \mathbb{A}$. An access structure (respectively, monotonic access structure) is a collection (respectively, monotone collection) $\mathbb{A}$ of non-empty subsets of $\{P_1, P_2, \ldots, P_n\}$, i.e., $\mathbb{A} \subseteq 2^{\{P_1, P_2, \ldots, P_n\}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.

A (key-policy) Attribute-Based Encryption scheme consists of four probabilistic polynomial-time algorithms.³

Setup. This is a randomized algorithm that takes no input other than the implicit security parameter. It outputs the public parameters PK and a master key MK.

Encryption. This is a randomized algorithm that takes as input a message $M$, a set of attributes $\gamma$, and the public parameters PK. It outputs the ciphertext $E$.

Key Generation. This is a randomized algorithm that takes as input an access structure $\mathbb{A}$, the master key MK, and the public parameters PK. It outputs a decryption key $D$.

Decryption. This algorithm takes as input the ciphertext $E$ that was encrypted under a set $\gamma$ of attributes, the decryption key $D$ for access control structure $\mathbb{A}$, and the public parameters PK. It outputs the message $M$ if $\gamma \in \mathbb{A}$.

³ When access structure $\mathbb{A}$ allows short description, we insist that our algorithms are polynomial in that description length.

We now discuss the security of an ABE scheme. Following [21, 16], we define the selective-set model for proving the security of the attribute-based scheme under chosen plaintext attack. This model can be seen as analogous to the selective-ID model [11, 12, 6] used in identity-based encryption (IBE) schemes [23, 7, 15].

Selective-Set Model for ABE

Init: The adversary declares the set of attributes, $\gamma$, that he wishes to be challenged upon.

Setup: The challenger runs the Setup algorithm of ABE and gives the public parameters to the adversary.

Phase 1: The adversary is allowed to issue queries for private keys for many access structures $\mathbb{A}_j$, where $\gamma \notin \mathbb{A}_j$ for all $j$.

Challenge: The adversary submits two equal-length messages $M_0$ and $M_1$. The challenger flips a random coin $b$, and encrypts $M_b$ with $\gamma$. The ciphertext is passed to the adversary.

Phase 2: Phase 1 is repeated.

Guess: The adversary outputs a guess $b'$ of $b$.

The advantage of an adversary $\mathcal{A}$ in this game is defined as $\Pr[b' = b] - \frac{1}{2}$. We note that the model can easily be extended to handle chosen-ciphertext attacks by allowing for decryption queries in Phase 1 and Phase 2.

Definition 2. An attribute-based encryption scheme is secure in the selective-set model of security if all polynomial time adversaries have at most a negligible advantage in the selective-set game.

2.2 Bilinear Maps

We present a few facts related to groups with efficiently computable bilinear maps. Let $\mathbb{G}$ and $\mathbb{G}_T$ be two multiplicative cyclic groups of prime order $p$. Let $g$ be a generator of $\mathbb{G}$ and $e$ be a bilinear map, $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$. The bilinear map $e$ has the following properties:

1. Bilinearity: for all $u, v \in \mathbb{G}$ and $a, b \in \mathbb{Z}_p$, we have $e(u^a, v^b) = e(u, v)^{ab}$.
2. Non-degeneracy: $e(g, g) \neq 1$.
We say that $\mathbb{G}$ is a bilinear group if the group operation in $\mathbb{G}$ and the bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ are both efficiently computable. Notice that the map $e$ is symmetric since $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.

2.3 The Decisional Bilinear Diffie-Hellman (BDH) Assumption

Let $a, b, c, z \in \mathbb{Z}_p$ be chosen at random and $g$ be a generator of $\mathbb{G}$. The decisional BDH assumption [6, 21] is that no probabilistic polynomial-time algorithm $\mathcal{B}$ can distinguish the tuple $(g, A = g^a, B = g^b, C = g^c, e(g, g)^{abc})$ from the tuple $(g, A = g^a, B = g^b, C = g^c, e(g, g)^z)$ with more than a negligible advantage. The advantage of $\mathcal{B}$ is

$$\left| \Pr\left[\mathcal{B}(A, B, C, e(g, g)^{abc}) = 0\right] - \Pr\left[\mathcal{B}(A, B, C, e(g, g)^z) = 0\right] \right|$$

where the probability is taken over the random choice of the generator $g$, the random choice of $a, b, c, z$ in $\mathbb{Z}_p$, and the random bits consumed by $\mathcal{B}$.
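The following is an added illustration, not code from the paper, of the interpolation argument sketched in the introduction and carried out in the exponent for negated attributes in Section 3.1: a negated node is tied to a degree $d$ polynomial $q$ with $q(0) = \beta$, the decryptor obtains $q(x)$ for the $d$ ciphertext attributes $x \in \gamma$, and the key supplies $q(x_i)$ for the negated attribute $x_i$. The model below works on a plain polynomial over $\mathbb{Z}_p$ with the pairings and the blinding exponents $r_i$ omitted; the prime, the attribute identifiers and the secret are constructed sample values.

```python
# Added example (not from the paper): the "d+1 points versus d points" argument
# that Section 1 sketches and Section 3.1 carries out in the exponent for
# negated attributes, modelled here on a plain polynomial over Z_p.  The
# blinding factors r_i and the pairings are omitted; only the interpolation
# logic is shown.  All sample values below are constructed.
import random

P = 2**61 - 1  # constructed prime standing in for the group order p


def lagrange_coeff(i, S, x, p):
    """Delta_{i,S}(x) = prod_{j in S, j != i} (x - j) / (i - j), computed in Z_p."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (x - j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p


def interpolate_at_zero(points, p):
    """Recover q(0) from {x: q(x)} with pairwise distinct x (needs deg(q)+1 of them)."""
    S = list(points)
    return sum(points[i] * lagrange_coeff(i, S, 0, p) for i in S) % p


def random_poly(degree, constant, p, rng):
    """Coefficients [c0, c1, ..., c_degree] of a random polynomial with q(0) = constant."""
    return [constant % p] + [rng.randrange(p) for _ in range(degree)]


def evaluate(coeffs, x, p):
    return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p


def negated_node_secret(q, gamma, x_neg, p):
    """Model of one negated-attribute node.

    gamma : the d attributes of the ciphertext (the decryptor learns q(x) for each)
    x_neg : the attribute negated in the key (the key carries q(x_neg))
    Returns q(0) = beta when the d+1 points are distinct, None when x_neg is
    already in gamma and the decryptor therefore holds only d distinct points.
    """
    d = len(q) - 1
    if len(gamma) != d:
        raise ValueError("the core construction requires exactly d ciphertext attributes")
    points = {x: evaluate(q, x, p) for x in gamma}
    # If x_neg is in gamma the same point is "given twice": no new information arrives.
    points[x_neg] = evaluate(q, x_neg, p)
    if len(points) < d + 1:
        return None
    return interpolate_at_zero(points, p)


def demo():
    rng = random.Random(2007)
    beta = 123456789                 # constructed stand-in for the secret q(0)
    d = 3
    q = random_poly(d, beta, P, rng)
    gamma = [11, 22, 33]             # constructed attribute identifiers in Z_p
    absent = negated_node_secret(q, gamma, 44, P)   # key says NOT 44; 44 is not in gamma
    present = negated_node_secret(q, gamma, 22, P)  # key says NOT 22; 22 is in gamma
    return beta, absent, present


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the secret for the absent attribute and `None` for the present one, which is exactly the case split the text describes; in the real scheme the "missing point" would manifest as an inability to cancel the $e(g,g)^{r_i s \beta}$ factor in the decryption of Section 3.1, not as an explicit failure.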

2.4 Linear Secret-Sharing Schemes

We will make essential use of linear secret-sharing schemes. We adapt our definitions from those given in [2]:

Definition 3 (Linear Secret-Sharing Schemes). A secret-sharing scheme $\Pi$ over a set of parties $\mathcal{P}$ is called linear (over $\mathbb{Z}_p$) if

1. The shares for each party form a vector over $\mathbb{Z}_p$.
2. There exists a matrix $M$ called the share-generating matrix for $\Pi$. The matrix $M$ has $l$ rows and $n+1$ columns. For all $i = 1, \ldots, l$, the $i$-th row of $M$ is labeled with a party named $\breve{x}_i \in \mathcal{P}$. When we consider the column vector $v = (s, r_1, r_2, \ldots, r_n)$, where $s \in \mathbb{Z}_p$ is the secret to be shared, and $r_1, \ldots, r_n \in \mathbb{Z}_p$ are randomly chosen, then $Mv$ is the vector of $l$ shares of the secret $s$ according to $\Pi$. The share $(Mv)_i$ belongs to party $\breve{x}_i$.

It is shown in [2] that every linear secret-sharing scheme according to the above definition also enjoys the linear reconstruction property, defined as follows: Suppose that $\Pi$ is a Linear Secret-Sharing Scheme (LSSS) for the access structure $\mathbb{A}$. Let $S \in \mathbb{A}$ be any authorized set, and let $I \subseteq \{1, 2, \ldots, l\}$ be defined as $I = \{i : \breve{x}_i \in S\}$. Then, there exist constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that, if $\{\lambda_i\}$ are valid shares of any secret $s$ according to $\Pi$, then $\sum_{i \in I} \omega_i \lambda_i = s$. Furthermore, it is shown in [2] that these constants $\{\omega_i\}$ can be found in time polynomial in the size of the share-generating matrix $M$.

3. OUR CONSTRUCTION

In showing how to construct an Attribute-Based Encryption system with non-monotone access formulas, we begin by describing a core construction, in which we assume that every ciphertext is annotated with exactly $d$ attributes. We then show how to remove that restriction and still achieve system parameters that compare favorably with the less-expressive ABE system of Goyal et al. [16]. We choose to first describe our construction in generality; we describe our access policies in terms of monotonic access structures with negative attributes. (This will actually allow for more general policies than non-monotone formulas.) Later, we show how to instantiate our constructions to yield ABE schemes for any (monotone or non-monotone) boolean formula.

Moving from monotonic access structures to non-monotonic access structures. As alluded to in the introduction, we can think about ABE non-monotonic access structures in terms of ABE monotonic access structures with negative attributes. The challenge in designing our construction will be how to realize this concept without requiring a ciphertext to explicitly include negative attributes for each attribute not present. Before we describe our construction we develop some notation for describing how non-monotonic access structures can be described in terms of monotonic access structures with negative shares, without blowing up the share sizes.

Assume we are given a family of linear secret-sharing schemes $\{\Pi_{\mathbb{A}}\}_{\mathbb{A} \in \mathcal{A}}$ for a set of possible monotone access structures $\mathcal{A}$. Note that, of course, all access structures in $\mathcal{A}$ must necessarily be monotonic because these access structures correspond to secret-sharing schemes. However, we assume that for each access structure $\mathbb{A} \in \mathcal{A}$, the set of parties $\mathcal{P}$ underlying the access structure has the following properties: The names of the parties in $\mathcal{P}$ may be of two types: either the name is normal (like $x$) or it is primed (like $x'$), and if $x \in \mathcal{P}$ then $x' \in \mathcal{P}$ and vice versa. We will conceptually associate primed parties as representing the negation of unprimed parties. We will sometimes write $\breve{x}$ to refer to a party in $\mathcal{P}$ that may be primed or unprimed.

Then, we can define the following family $\tilde{\mathcal{A}}$ of possibly non-monotonic access structures. For each access structure $\mathbb{A} \in \mathcal{A}$ over a set of parties $\mathcal{P}$, we define a possibly non-monotonic access structure $NM(\mathbb{A})$ over the set of parties $\tilde{\mathcal{P}}$, where $\tilde{\mathcal{P}}$ is the set of all unprimed parties in $\mathcal{P}$. First, for every set $\tilde{S} \subseteq \tilde{\mathcal{P}}$ we define $N(\tilde{S}) \subseteq \mathcal{P}$ as follows: First, all parties in $\tilde{S}$ are in $N(\tilde{S})$, so $\tilde{S} \subseteq N(\tilde{S})$. Second, for each party $x \in \tilde{\mathcal{P}}$ such that $x \notin \tilde{S}$, we have that $x' \in N(\tilde{S})$. Essentially, $N(\tilde{S})$ consists of all the parties in $\tilde{S}$ plus the primes (or negation) of all the parties in the universe that are not included in $\tilde{S}$. Finally, we define $NM(\mathbb{A})$ by specifying that $\tilde{S}$ is authorized in $NM(\mathbb{A})$ iff $N(\tilde{S})$ is authorized in $\mathbb{A}$. The set of these $NM(\mathbb{A})$ access structures is $\tilde{\mathcal{A}}$.

Therefore, the non-monotonic access structure $NM(\mathbb{A})$ will have only unprimed parties in its access sets. For each access set $X \in NM(\mathbb{A})$ there will be a set in $\mathbb{A}$ that has the elements in $X$ plus primed elements for each party not in $X$. We will show how to use a linear secret sharing scheme $\Pi$ for the monotonic access structure $\mathbb{A}$ to yield an ABE key for the (possibly non-monotonic) access structure $NM(\mathbb{A})$. Again, we stress that the share sizes of $\Pi$ only depend on the size of the non-monotonic access structure $NM(\mathbb{A})$.

Mathematical Background. Let $\mathbb{G}$ be a bilinear group of prime order $p$, and let $g$ be a generator of $\mathbb{G}$. In addition, let $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ denote the bilinear map. A security parameter, $\kappa$, will determine the size of the groups. We will also implicitly make use of Lagrange coefficients: for any $i \in \mathbb{Z}_p$ and a set, $S$, of elements in $\mathbb{Z}_p$, define $\Delta_{i,S}(x) = \prod_{j \in S, j \neq i} \frac{x - j}{i - j}$. We will associate each attribute with a unique element in $\mathbb{Z}_p$. (This could be accomplished by means of a collision-resistant hash function $H : \{0, 1\}^* \to \mathbb{Z}_p$.) Our main construction follows.

3.1 Main Construction

Setup($d$). In the basic construction, a parameter $d$ specifies how many attributes every ciphertext has. (We will show later how this constraint can be removed with only a small loss in efficiency.) Two secrets $\alpha, \beta$ are chosen uniformly at random from $\mathbb{Z}_p$, and we denote $g_1 = g^\alpha$ and $g_2 = g^\beta$. In addition, two polynomials $h(x)$ and $q(x)$ of degree $d$ are chosen at random subject to the constraint that $q(0) = \beta$. (There is no constraint on $h(x)$.) The public parameters PK are $(g, g_1;\ g_2 = g^{q(0)}, g^{q(1)}, g^{q(2)}, \ldots, g^{q(d)};\ g^{h(0)}, g^{h(1)}, \ldots, g^{h(d)})$. The master key MK is $\alpha$. These public parameters define two publicly computable functions $T, V : \mathbb{Z}_p \to \mathbb{G}$. The function $T(x)$ maps $x$ to $g_2^{x^d} g^{h(x)}$, and the function $V(x)$ maps $x$ to $g^{q(x)}$. Note that both $g^{h(x)}$ and $g^{q(x)}$ can be evaluated from the public parameters by interpolation in the exponent. (For further details on how to do this using Lagrange coefficients, see, e.g., [21, 16].)

Encryption($M, \gamma$, PK). To encrypt a message $M \in \mathbb{G}_T$ under a set of $d$ attributes $\gamma \subseteq \mathbb{Z}_p$, choose a random value $s \in \mathbb{Z}_p$ and output the ciphertext as

$$E = \left(\gamma,\ E^{(1)} = M e(g_1, g_2)^s,\ E^{(2)} = g^s,\ \{E^{(3)}_x = T(x)^s\}_{x \in \gamma},\ \{E^{(4)}_x = V(x)^s\}_{x \in \gamma}\right)$$

Key Generation($\tilde{\mathbb{A}}$, MK, PK). This algorithm outputs a key that enables the user to decrypt an encrypted message only if the attributes of that ciphertext satisfy the access structure $\tilde{\mathbb{A}}$. We require that the access structure $\tilde{\mathbb{A}}$ is $NM(\mathbb{A})$ for some monotonic access structure $\mathbb{A}$, over a set $\mathcal{P}$ of attributes, associated with a linear secret-sharing scheme $\Pi$. First, we apply the linear secret-sharing mechanism $\Pi$ to obtain shares $\{\lambda_i\}$ of the secret $\alpha$. We denote the party corresponding to the share $\lambda_i$ as $\breve{x}_i \in \mathcal{P}$, where $x_i$ is the attribute underlying $\breve{x}_i$. Note that $\breve{x}_i$ can be primed (negated) or unprimed (non-negated). For each $i$, we also choose a random value $r_i \in \mathbb{Z}_p$. The private key $D$ will consist of the following group elements:

For every $i$ such that $\breve{x}_i$ is not primed (i.e., is a non-negated attribute), we have

$$D_i = \left(D^{(1)}_i = g_2^{\lambda_i} T(x_i)^{r_i},\ D^{(2)}_i = g^{r_i}\right)$$

For every $i$ such that $\breve{x}_i$ is primed (i.e., is a negated attribute), we have

$$D_i = \left(D^{(3)}_i = g_2^{\lambda_i + r_i},\ D^{(4)}_i = V(x_i)^{r_i},\ D^{(5)}_i = g^{r_i}\right)$$

The key $D$ consists of $D_i$ for all shares $i$.

Decryption($E, D$). Given a ciphertext $E$ and a decryption key $D$, the following procedure is executed: (All notation here is taken from the above descriptions of $E$ and $D$, unless the notation is introduced below.)

First, the key holder checks if $\gamma \in \tilde{\mathbb{A}}$ (we assume that this can be checked efficiently). If not, the output is $\bot$. If $\gamma \in \tilde{\mathbb{A}}$, then we recall that $\tilde{\mathbb{A}} = NM(\mathbb{A})$, where $\mathbb{A}$ is an access structure, over a set of parties $\mathcal{P}$, for a linear secret-sharing scheme $\Pi$. Denote $\gamma' = N(\gamma) \in \mathbb{A}$, and let $I = \{i : \breve{x}_i \in \gamma'\}$. Since $\gamma'$ is authorized, an efficient procedure associated with the linear secret-sharing scheme yields a set of coefficients $\Omega = \{\omega_i\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \lambda_i = \alpha$. (Note, however, that these $\lambda_i$ are not known to the decryption procedure, so neither is $\alpha$.)
For every positive (non-negated) attribute $\breve{x}_i \in \gamma'$ (so $x_i \in \gamma$), the decryption procedure computes the following:

$$Z_i = \frac{e\left(D^{(1)}_i, E^{(2)}\right)}{e\left(D^{(2)}_i, E^{(3)}_{x_i}\right)} = \frac{e\left(g_2^{\lambda_i} T(x_i)^{r_i}, g^s\right)}{e\left(g^{r_i}, T(x_i)^s\right)} = e(g_2, g)^{s \lambda_i}$$

For every negated attribute $\breve{x}_i \in \gamma'$ (so $x_i \notin \gamma$), the decryption procedure computes the following: We consider the set $\gamma_i = \gamma \cup \{x_i\}$. Note that $|\gamma_i| = d + 1$ and recall that the degree of the polynomial $q$ underlying the function $V$ is $d$. Using the points in $\gamma_i$ as an interpolation set, compute Lagrangian coefficients $\{\sigma_x\}_{x \in \gamma_i}$ such that $\sum_{x \in \gamma_i} \sigma_x q(x) = q(0) = \beta$. Now, perform the following computation:

$$Z_i = \frac{e\left(D^{(3)}_i, E^{(2)}\right)}{e\left(D^{(5)}_i, \prod_{x \in \gamma} \left(E^{(4)}_x\right)^{\sigma_x}\right) \cdot e\left(D^{(4)}_i, E^{(2)}\right)^{\sigma_{x_i}}} = \frac{e\left(g_2^{\lambda_i + r_i}, g^s\right)}{e\left(g^{r_i}, \prod_{x \in \gamma} \left(V(x)^s\right)^{\sigma_x}\right) \cdot e\left(V(x_i)^{r_i}, g^s\right)^{\sigma_{x_i}}}$$

$$= \frac{e\left(g_2^{\lambda_i}, g^s\right) \cdot e\left(g_2^{r_i}, g^s\right)}{e\left(g^{r_i}, g^{s \sum_{x \in \gamma} \sigma_x q(x)}\right) \cdot e\left(g^{r_i \sigma_{x_i} q(x_i)}, g^s\right)} = \frac{e(g_2, g)^{s \lambda_i} \cdot e(g, g)^{r_i s \beta}}{e(g, g)^{r_i s \sum_{x \in \gamma_i} \sigma_x q(x)}} = e(g_2, g)^{s \lambda_i}$$

Finally, the decryption is obtained by computing

$$\frac{E^{(1)}}{\prod_{i \in I} Z_i^{\omega_i}} = \frac{M e(g_2, g)^{s \alpha}}{e(g_2, g)^{s \alpha}} = M$$

Note on Efficiency. We note that encryption requires only a single pairing, which may be pre-computed, regardless of the number of attributes associated with a ciphertext. We also note that decryption requires two or three pairings per share utilized in decryption, depending on whether the share corresponds to a non-negated attribute or a negated attribute, respectively.

3.2 Amortizing the Cost of Multiple Systems

In practice we might actually have several different Attribute-Based Encryption systems run by different authorities. In this setting we might want to minimize the size of the public key material that users need to maintain, since each authority will need to post its public key. We can mitigate this cost by using a shared trusted party and applying a similar technique to that of the Broadcast Encryption scheme of Boneh, Gentry, and Waters [8]. We first observe that once the public key material is published an authority only needs to know $\alpha$ in order to create private keys. In addition, only one element, $g_1 = g^\alpha$, depends upon $\alpha$. Therefore, a trusted party can create all public key material except $g_1$.
This public key material will be shared across several different systems. An authority $X$ that wishes to create his own system simply chooses his own $\alpha_X$ private key and creates a public key $g_{1,X} = g^{\alpha_X}$. A user encrypting a ciphertext under this authority's system will use $g_{1,X}$ in addition to the shared public key material. The added public key material for a whole new system is just one group element.

3.3 Removing Fixed Attribute Restriction

The drawback of using our main construction directly in a system is that it imposes a "one size fits all" restriction in that each ciphertext must have exactly $d$ attributes. We describe how to get around these restrictions and maintain efficient performance.

First, we note that a ciphertext will often be associated with $s$ attributes where $s$ is less than $d$, the maximum number of attributes in our construction. A simple technique is for the encryption algorithm to create $d - s$ "filler" attributes for strings that have no semantic meaning in the system. For a ciphertext with $s$ real attributes, the encryption algorithm can just add the attributes "Filler:1", "Filler:2", ..., "Filler:$d-s$".

A more problematic issue is that a system will need to accommodate ciphertexts that might have a large maximum number, $n$, of attributes. This will mean that ciphertexts with a relatively small number of attributes will have unnecessarily high ciphertext overhead. To mitigate this issue in a system we can use $k$ different constructions that respectively accommodate $d_1, \ldots, d_k$ attributes. When encrypting a ciphertext with $s$ attributes the encryption algorithm will simply use the encryption system with the smallest $d_i$ such that $d_i \geq s$, and then only $d_i - s$ filler attributes will be necessary.

Consider the case when there are a maximum of $n$ attributes for any ciphertext. For simplicity we assume $n = 2^k$ for some $k$. Then we can create a system that uses $k$ parallel encryption systems, where encryption system $i$ is set up for $d_i = 2^i$ attributes. The aggregate system has performance that compares favorably with existing systems: ciphertexts for $s$ attributes will have $O(s)$ group elements, the public key material will consist of $O(n)$ group elements, and the private keys for an access structure of $t$ shares will have $O(t \lg(n))$ group elements (a copy for each encryption system is kept). We point out that all these efficiency parameters, other than the private key size, are identical to the less-expressive scheme of Goyal et al.⁴

3.4 Realizing Any Access Formula

Our main construction shows how to create private keys that can be represented by any linear secret-sharing scheme that uses both negative and non-negative attributes. It is a relatively straightforward exercise to show that these techniques are powerful enough to express any access formula. To do so, we first use repeated applications of DeMorgan's law to transform any access formula into a monotonic one with negative attributes. Then, we can represent the access formula in terms of a secret-sharing scheme in a way similar to [16]. We leave the details of this transformation to Appendix A.
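As an added example that is not part of the paper, the following Python code puts together the pieces of Sections 2.4, 3 and 3.1 that a key holder actually computes in the clear: a linear secret-sharing scheme given by a share-generating matrix $M$ (Definition 3), the map $N(\tilde{S})$ that adds the primed party $x'$ for every attribute $x$ absent from the ciphertext, the resulting $NM(\mathbb{A})$ authorization test, and the reconstruction coefficients $\{\omega_i\}$ with $\sum_i \omega_i M_i = (1, 0, \ldots, 0)$ that decryption needs. The policy is the introduction's "year=2007 AND dept-review AND NOT Biology", rewritten as a monotone 3-of-3 threshold over the parties year=2007, dept-review and Biology' with Shamir-style rows; the universe of attributes, the prime and the secret are constructed for illustration and the matrix solver is a plain Gaussian elimination over $\mathbb{Z}_p$ written for this example.

```python
# Added example (not from the paper): a linear secret-sharing scheme in the
# sense of Definition 3, the N(S)/NM(A) mapping of Section 3, and the
# reconstruction coefficients the decryptor needs in Section 3.1.  The policy,
# universe and attribute names are constructed for illustration; the group
# order is replaced by a constructed prime.
import random

P = 2**61 - 1  # constructed prime standing in for the group order p


def solve_mod_p(A, b, p):
    """Return one solution x of A x = b over Z_p (free variables set to 0), or None."""
    rows, cols = len(A), len(A[0])
    M = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(vi - f * vr) % p for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    if any(M[i][cols] for i in range(r, rows)):
        return None  # inconsistent: b is not in the column space of A
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = M[i][cols]
    return x


def share(M, secret, p, rng):
    """Shares Mv for v = (s, r_1, ..., r_n) with fresh random r_j (Definition 3)."""
    v = [secret % p] + [rng.randrange(p) for _ in range(len(M[0]) - 1)]
    return [sum(m * vj for m, vj in zip(row, v)) % p for row in M]


def reconstruction_coeffs(M, labels, S, p):
    """{row i: omega_i} with sum_i omega_i M_i = (1,0,...,0), or None if S is unauthorized."""
    idx = [i for i, lab in enumerate(labels) if lab in S]
    if not idx:
        return None
    cols = len(M[0])
    transposed = [[M[i][c] for i in idx] for c in range(cols)]  # (M_S)^T
    e1 = [1] + [0] * (cols - 1)
    sol = solve_mod_p(transposed, e1, p)
    return None if sol is None else dict(zip(idx, sol))


def N(S, universe):
    """N(S): the parties of S plus the primed (negated) form of every absent party."""
    return set(S) | {x + "'" for x in universe if x not in S}


def recover(M, labels, universe, gamma, shares, p):
    """Decryptor's view: gamma is authorized in NM(A) iff N(gamma) is authorized
    in A; in that case sum_i omega_i * lambda_i gives back the shared secret."""
    omega = reconstruction_coeffs(M, labels, N(gamma, universe), p)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % p


# Constructed policy from the paper's example: year=2007 AND dept-review AND NOT Biology,
# written as a monotone 3-of-3 threshold over the parties year=2007, dept-review, Biology'.
# A t-of-t Shamir scheme has rows (1, x, x^2, ..., x^(t-1)) evaluated at distinct points.
LABELS = ["year=2007", "dept-review", "Biology'"]
MATRIX = [[1, 1, 1], [1, 2, 4], [1, 3, 9]]
UNIVERSE = ["year=2007", "dept-review", "Biology", "History"]


def demo():
    rng = random.Random(7)
    alpha = 424242  # constructed stand-in for the master secret
    shares = share(MATRIX, alpha, P, rng)
    history_ct = {"History", "year=2007", "dept-review"}   # Bob may read this
    biology_ct = {"Biology", "year=2007", "dept-review"}   # his own department
    return (alpha,
            recover(MATRIX, LABELS, UNIVERSE, history_ct, shares, P),
            recover(MATRIX, LABELS, UNIVERSE, biology_ct, shares, P))


if __name__ == "__main__":
    print(demo())
```

For the History comment, $N(\gamma)$ contains Biology', so all three rows are available and the solver returns $\omega = (3, -3, 1)$, the Lagrange coefficients at $0$ for the points $1, 2, 3$; for the Biology comment, Biology' is missing from $N(\gamma)$ and $(1, 0, 0)$ is not in the span of the two remaining rows, so no coefficients exist and `recover` returns `None`. In the actual scheme the shares $\lambda_i$ are never visible to the decryptor; the same $\omega_i$ are applied as exponents to the pairing values $Z_i$ instead.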
3.5 Ciphertext-Policy ABE

We also note that our techniques can be applied to the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme of Bethencourt, Sahai, and Waters [4]. The primary modification is that the polynomial for the revocation scheme will be embedded by the encryptor in the negated nodes of the encryption policy. The attributes will then be represented in the tree. One disadvantage of the BSW scheme is that its proof is in the generic group model. This stems from the fact that their scheme allows for arbitrary access formulas in the ciphertext policy. Since the challenge ciphertext policy may be bigger than the public parameters, it is difficult to program the challenge ciphertext into the public parameters. However, for more restricted CP-ABE schemes that are less expressive there exist schemes proved on concrete assumptions. The original threshold scheme of Sahai and Waters [21] was written before the distinction of Key-Policy versus Ciphertext-Policy was made explicit; however, it can be interpreted in either way. Using the Sahai-Waters large-universe construction we can realize a non-monotonic CP-ABE scheme with $k$-of-$n$ threshold policies, where $n$ is fixed and $k$ can be determined by the encryptor by using dummy attributes. Pirretti et al. [19] show tradeoffs that can be made between key and ciphertext sizes.

⁴ This claim applies to the Large Universe scheme of Goyal et al. that does not use the random oracle heuristic. The authors noted that in the random oracle model they can reduce the public parameter size.

4. PROOF OF SECURITY

We prove that the security of our main construction in the attribute-based selective-set model reduces to the hardness of the Decisional BDH assumption.

Theorem 1. If an adversary can break our scheme with advantage $\epsilon$ in the attribute-based selective-set model of security, then a simulator can be constructed to play the Decisional BDH game with advantage $\epsilon/2$.

Proof: Suppose there exists a polynomial-time adversary $\mathcal{A}$ that can attack our scheme in the selective-set model with advantage $\epsilon$.
We build a simulator $\mathcal{B}$ that can play the Decisional BDH game with advantage $\epsilon/2$. The simulation proceeds as follows:

We first let the challenger set the groups $\mathbb{G}$ and $\mathbb{G}_T$ with an efficient bilinear map, $e$. The challenger flips a fair binary coin $\mu$, outside of $\mathcal{B}$'s view. If $\mu = 0$, the challenger sets $(g, A, B, C, Z) = (g, g^a, g^b, g^c, e(g, g)^{abc})$; otherwise, it sets $(g, A, B, C, Z) = (g, g^a, g^b, g^c, e(g, g)^z)$ for random $a, b, c, z$.

Init: The simulator $\mathcal{B}$ runs $\mathcal{A}$. $\mathcal{A}$ chooses the challenge set, $\gamma$, a set of $d$ members of $\mathbb{Z}_p$.

Setup: The simulator assigns the public parameters $g_1 = A$ and $g_2 = B$, thereby implicitly setting $\alpha = a$ and $\beta = b$. It then chooses a random degree $d$ polynomial $f(x)$ and fixes a degree $d$ polynomial $u(x)$ as follows: set $u(x) = -x^d$ for all $x \in \gamma$ and $u(x) \neq -x^d$ for some (arbitrary) other $x \notin \gamma$. Because $-x^d$ and $u(x)$ are two degree $d$ polynomials, they will have at most $d$ points in common or they are the same polynomial. This construction ensures that $u(x) = -x^d$ if and only if $x \in \gamma$.

The simulator will now implicitly set the polynomials $h$ and $q$ as follows: First, $h(x) = \beta u(x) + f(x)$. Now, let us write $\gamma = \{x_1, x_2, \ldots, x_d\}$. Then, the simulator chooses $d$ points $\theta_1, \ldots, \theta_d$ uniformly at random from $\mathbb{Z}_p$, and implicitly sets $q(x)$ such that $q(0) = \beta$, while $q(x_i) = \theta_i$ for $i = 1, 2, \ldots, d$. Thus, the simulator outputs the following group elements for the public key: For $i = 1, \ldots, d$, it outputs $g^{q(i)}$ by interpolation in the exponent using $\{\theta_i\}$ and $B$. For $i = 0, 1, \ldots, d$, it sets $g^{h(i)} = g_2^{u(i)} g^{f(i)}$. Observe that these values are (jointly) distributed identically to their distribution in the actual scheme. Note that implicitly we have $T(x) = g_2^{x^d + u(x)} g^{f(x)}$.

Phase 1: $\mathcal{A}$ adaptively makes requests for several access structures such that $\gamma$ passes through none of them. Suppose $\mathcal{A}$ makes a request for the secret key for an access structure $\tilde{\mathbb{A}}$ where $\tilde{\mathbb{A}}(\gamma) = 0$. Note that by assumption, $\tilde{\mathbb{A}}$ is given as $NM(\mathbb{A})$ for some monotonic access structure $\mathbb{A}$, over a set $\mathcal{P}$ of parties (whose names will be attributes), associated with a linear secret-sharing scheme $\Pi$.

Let $M$ be the share-generating matrix for $\Pi$. Recall, $M$ is a matrix over $\mathbb{Z}_p$ with $\ell$ rows and $n+1$ columns. For all $i = 1, \ldots, \ell$, the $i$-th row of $M$ is labeled with a party named $\breve{x}_i \in \mathcal{P}$, where $x_i \in \mathbb{Z}_p$ is the attribute underlying $\breve{x}_i$. Note that $\breve{x}_i$ can be primed (negated) or unprimed (non-negated). When we consider the column vector $v = (s, r_1, r_2, \ldots, r_n)$, where $s$ is the secret to be shared and $r_1, \ldots, r_n \in \mathbb{Z}_p$ are randomly chosen, then $Mv$ is the vector of $\ell$ shares of the secret $s$ according to $\Pi$.

We make use of the following well-known observation about linear secret-sharing schemes (see, e.g., [2], and footnote 5): If $S \subseteq \mathcal{P}$ is a set of parties, then these parties can reconstruct the secret iff the column vector $(1, 0, 0, \ldots, 0)$ is in the span of the rows of $M_S$, where $M_S$ is the submatrix of $M$ containing only those rows that are labeled by a party in $S$.

Note that since $\tilde{\mathbb{A}}(\gamma) = 0$, we know that $\mathbb{A}(\gamma') = 0$, where $\gamma' = N(\gamma)$. Thus, we know that $(1, 0, \ldots, 0)$ is linearly independent of the rows of $M_{\gamma'}$.

During key generation, a secret sharing of the secret $\alpha = a$ is supposed to be selected. In this simulation, however, we will choose this sharing (implicitly) in a slightly different manner, as we describe now. First, we pick a uniformly random vector $v = (v_1, \ldots, v_{n+1}) \in \mathbb{Z}_p^{n+1}$. Now, we make use of the following simple proposition [1, 20] from linear algebra:

Proposition 1. A vector $\pi$ is linearly independent of a set of vectors represented by a matrix $N$ if and only if there exists a vector $w$ such that $Nw = 0$ while $\pi \cdot w = 1$.

Since $(1, 0, \ldots, 0)$ is independent of $M_{\gamma'}$, there exists a vector $w = (w_1, \ldots, w_{n+1})$ such that $M_{\gamma'} w = 0$ and $(1, 0, \ldots, 0) \cdot w = w_1 = 1$. Such a vector can be efficiently computed [1, 20]. Now we define the vector $u = v + (a - v_1) w$. (Note that $u$ is distributed uniformly subject to the constraint that $u_1 = a$.) We will implicitly use the shares $\lambda = Mu$. This has the property that for any $\lambda_i$ such that $\breve{x}_i \in \gamma'$, we have that $\lambda_i = M_i u = M_i v$ has no dependence on $a$; for $\breve{x}_i \notin \gamma'$, the share $\lambda_i = M_i v + (a - v_1) M_i w$ is an affine function of $a$ with coefficients known to the simulator, so $g^{\lambda_i}$ is computable from $A = g^a$.
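The two places where the simulator programs its randomness, the Setup choice of $u(x)$ and the Phase 1 choice of $w$ from Proposition 1, as an added Python example that is not code from the paper. Group elements are not modelled; only the exponents the simulator controls are tracked. The prime $p$, the set $\gamma$, the LSSS matrix $M$ for the policy (P1 AND P2) OR P3, and the sample vectors are constructed for illustration:

```python
# Added example (not code from the paper): the simulator's "programming"
# tricks from Setup and Phase 1, tracked in the exponent only. Group elements
# are not modelled; p (assumed prime), gamma, the LSSS matrix M and the sample
# vectors used in the tests are constructed for illustration.

def inv(x, p):
    return pow(x, p - 2, p)          # p is assumed prime


# ---- Setup: fix u(x) of degree d with u(x) = -x^d exactly on gamma ----------

def interp_eval(points, x, p):
    """Evaluate at x the polynomial of degree < len(points) through `points`."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % p
                den = den * (xj - xm) % p
        total = (total + yj * num * inv(den, p)) % p
    return total

def make_u(gamma, p):
    """u as d+1 interpolation points: -x^d on gamma, and off -x^d at one point
    x* outside gamma, so x^d + u(x) is a non-zero polynomial of degree <= d
    whose d roots are exactly the members of gamma."""
    d = len(gamma)
    pts = [(x, -pow(x, d, p) % p) for x in gamma]
    x_star = next(x for x in range(p) if x not in gamma)
    pts.append((x_star, (1 - pow(x_star, d, p)) % p))
    return pts

def t_exponent_of_g2(u_pts, x, p):
    """Exponent of g_2 in T(x) = g_2^{x^d + u(x)} g^{f(x)}."""
    d = len(u_pts) - 1
    return (pow(x, d, p) + interp_eval(u_pts, x, p)) % p

def points_with_no_g2_component(gamma, p):
    """All x in Z_p where T(x) collapses to g^{f(x)}; must come out as gamma."""
    u_pts = make_u(gamma, p)
    return sorted(x for x in range(p) if t_exponent_of_g2(u_pts, x, p) == 0)


# ---- Phase 1: Proposition 1 and the reprogrammed sharing u = v + (a - v_1) w --

def solve_mod_p(A, b, p):
    """One solution x of A x = b over Z_p (free variables set to 0), or None
    if the system is inconsistent. Gauss-Jordan on the augmented matrix."""
    rows, cols = len(A), len(A[0])
    aug = [[ai % p for ai in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        if r == rows:
            break
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        scale = inv(aug[r][c], p)
        aug[r] = [val * scale % p for val in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(vi - f * vr) % p for vi, vr in zip(aug[i], aug[r])]
        pivots.append((r, c))
        r += 1
    if any(aug[i][cols] for i in range(r, rows)):   # 0 = non-zero: inconsistent
        return None
    x = [0] * cols
    for i, c in pivots:
        x[c] = aug[i][cols]
    return x

def find_w(M_S, p):
    """Proposition 1: w with M_S w = 0 and w_1 = 1. Returns None exactly when
    (1,0,...,0) lies in the row span of M_S, i.e. the row set is authorized."""
    n1 = len(M_S[0])
    A = [list(row) for row in M_S] + [[1] + [0] * (n1 - 1)]
    return solve_mod_p(A, [0] * len(M_S) + [1], p)

def reprogrammed_shares(M, S_rows, v, a, p):
    """lambda = M u with u = v + (a - v_1) w: u_1 = a, while every row in
    S_rows receives M_i v, which does not involve a."""
    w = find_w([M[i] for i in S_rows], p)
    if w is None:
        raise ValueError("row set is authorized; the simulator would abort")
    u = [(vi + (a - v[0]) * wi) % p for vi, wi in zip(v, w)]
    return [sum(mi * ui for mi, ui in zip(row, u)) % p for row in M]
```

`points_with_no_g2_component` confirms that $x^d + u(x)$ vanishes exactly on $\gamma$, which is what lets the simulator write $T(x)^c$ as $C^{f(x)}$ in the challenge and what forces the $g_3$ correction for $x_i \notin \gamma$ in Phase 1. `find_w` returns `None` precisely for an authorized row set, the one case the simulator is never asked to answer; for an unauthorized set the shares of its rows come out identical whatever value $a$ takes.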
Now that we have established how to distribute shares to parties, which map to negated or non-negated attributes, we need to show how to generate the key material. We first describe how to generate decryption key material corresponding to negated parties $\breve{x}_i = x_i'$. Note that by definition, $x_i' \in \gamma'$ if and only if $x_i \notin \gamma$.

If $x_i \in \gamma$, then since $x_i' \notin \gamma'$, we have that $\lambda_i$ may depend linearly on $a$. However, by the simulator's choices at setup, recall that $q(x_i) = \theta_i$. The simulator now chooses $r_i' \in \mathbb{Z}_p$ at random, and implicitly sets $r_i = -\lambda_i + r_i'$. Thus, it outputs the following:

$$D_i = \left( D_i^{(3)} = g_2^{r_i'},\ D_i^{(4)} = g^{\theta_i(-\lambda_i + r_i')},\ D_i^{(5)} = g^{-\lambda_i + r_i'} \right)$$

Note that the simulator can compute the latter two of these elements using $A$.

If $x_i \notin \gamma$, then since $x_i' \in \gamma'$, we have that $\lambda_i$ is independent of any secrets and is completely known to the simulator. In this case, the simulator chooses $r_i \in \mathbb{Z}_p$ at random, and outputs the following:

$$D_i = \left( D_i^{(3)} = g_2^{\lambda_i + r_i},\ D_i^{(4)} = V(x_i)^{r_i},\ D_i^{(5)} = g^{r_i} \right)$$

Note that the simulator can compute $D_i^{(4)}$ using $B$; indeed $V(x)$ is publicly computable given the public parameters already produced by the simulation.

Footnote 5: Here, we are essentially exploiting the equivalence between linear secret-sharing schemes and monotone span programs, as proven in [2]. The proof in [2] is for a slightly different formulation, but applies here as well.

We now describe how to give key material corresponding to non-negated parties $\breve{x}_i = x_i$. The simulated key construction techniques for non-negated parties are similar to previous work [16, 21].

If $x_i \in \gamma$, then since $\lambda_i$ has no dependence on any unknown secrets, we simply choose $r_i \in \mathbb{Z}_p$ and output

$$D_i = \left( D_i^{(1)} = g_2^{\lambda_i} T(x_i)^{r_i},\ D_i^{(2)} = g^{r_i} \right).$$

If $x_i \notin \gamma$, then we work as follows. Let $g_3 = g^{\lambda_i}$. Note that the simulator can compute $g_3$ using $A$ and $g$. Choose $r_i' \in \mathbb{Z}_p$ at random, and output the components of $D_i$ as follows:

$$D_i^{(1)} = g_3^{-f(x_i)/(x_i^d + u(x_i))} \left( g_2^{x_i^d + u(x_i)} g^{f(x_i)} \right)^{r_i'}, \qquad D_i^{(2)} = g_3^{-1/(x_i^d + u(x_i))} g^{r_i'}.$$

The proof of the following claim can be found in Appendix B.

Claim 1.
The simulation above produces valid decryption keys that are, furthermore, distributed identically to the decryption keys that would have been produced by the ABE scheme for the same public parameters.

Challenge. The adversary $\mathcal{A}$ will submit two challenge messages $M_0$ and $M_1$ to the simulator. The simulator flips a fair binary coin $\nu$, and returns an encryption of $M_\nu$. The ciphertext is output as

$$E = \left( \gamma,\ E^{(1)} = M_\nu Z,\ E^{(2)} = C,\ \{E_{x_i}^{(3)} = C^{f(x_i)}\}_{x_i \in \gamma},\ \{E_{x_i}^{(4)} = C^{\theta_i}\}_{x_i \in \gamma} \right).$$

If $\mu = 0$ then $Z = e(g,g)^{abc}$. Then by inspection, the ciphertext is a valid ciphertext for the message $M_\nu$ under the set $\gamma$ with randomness $s = c$: for $x_i \in \gamma$ we have $x_i^d + u(x_i) = 0$, so $T(x_i)^c = g^{c f(x_i)} = C^{f(x_i)}$, and $V(x_i)^c = g^{c\, q(x_i)} = C^{\theta_i}$. Otherwise, if $\mu = 1$, then $Z = e(g,g)^z$. We then have $E^{(1)} = M_\nu e(g,g)^z$. Since $z$ is random, $E^{(1)}$ will be a random element of $\mathbb{G}_T$ from the adversary's viewpoint and the message contains no information about $M_\nu$.

Phase 2. The simulator acts exactly as it did in Phase 1.

Guess. $\mathcal{A}$ will submit a guess $\nu'$ of $\nu$. If $\nu' = \nu$ the simulator will output $\mu' = 0$ to indicate that it was given a valid BDH-tuple; otherwise, it will output $\mu' = 1$ to indicate it was given a random 4-tuple.

As shown above, the simulator's generation of public parameters and private keys is identical to that of the actual scheme. In the case where $\mu = 1$ the adversary gains no information about $\nu$. Therefore, we have $\Pr[\nu \neq \nu' \mid \mu = 1] = \frac{1}{2}$. Since the simulator guesses $\mu' = 1$ when $\nu \neq \nu'$, we have $\Pr[\mu' = \mu \mid \mu = 1] = \frac{1}{2}$.

If $\mu = 0$ then the adversary sees an encryption of $M_\nu$. The adversary's advantage in this situation is $\epsilon$ by assumption. Therefore, we have $\Pr[\nu = \nu' \mid \mu = 0] = \frac{1}{2} + \epsilon$. Since the simulator guesses $\mu' = 0$ when $\nu = \nu'$, we have $\Pr[\mu' = \mu \mid \mu = 0] = \frac{1}{2} + \epsilon$.

The overall advantage of the simulator in the Decisional BDH game is

$$\frac{1}{2} \Pr[\mu' = \mu \mid \mu = 0] + \frac{1}{2} \Pr[\mu' = \mu \mid \mu = 1] - \frac{1}{2} = \frac{1}{2}\left(\frac{1}{2} + \epsilon\right) + \frac{1}{2} \cdot \frac{1}{2} - \frac{1}{2} = \frac{1}{2}\epsilon.$$

5. CONCLUSIONS AND FUTURE DIRECTIONS

We presented the first Attribute-Based Encryption system that supports the expression of non-monotone formulas in key policies. We achieved this through a novel application of revocation methods to existing ABE schemes. In addition, the performance of our scheme compares very favorably to that of existing, less-expressive ABE systems.

An important goal in ABE systems is to create even more expressive systems. Our work took a significant step forward by allowing key policies that can express any access formula. Eventually, we would like to have systems that can express any access circuit.

6. REFERENCES

[1] H. Anton and C. Rorres. Elementary Linear Algebra, 9th Edition.
[2] A. Beimel. Secure Schemes for Secret Sharing and Key Distribution. PhD thesis, Israel Institute of Technology, Technion, Haifa, Israel.
[3] J. Benaloh and J. Leichter. Generalized Secret Sharing and Monotone Functions. In Advances in Cryptology - CRYPTO, volume 403 of LNCS. Springer.
[4] J. Bethencourt, A. Sahai, and B. Waters. Ciphertext-policy attribute-based encryption. In Proceedings of the IEEE Symposium on Security and Privacy (to appear).
[5] G. R. Blakley. Safeguarding cryptographic keys. In National Computer Conference. American Federation of Information Processing Societies Proceedings.
[6] D. Boneh and X. Boyen. Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. In Advances in Cryptology - Eurocrypt, volume 3027 of LNCS. Springer.
[7] D. Boneh and M. Franklin. Identity Based Encryption from the Weil Pairing. In Advances in Cryptology - CRYPTO, volume 2139 of LNCS. Springer.
[8] D. Boneh, C. Gentry, and B. Waters. Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. In Advances in Cryptology - CRYPTO, volume 3621 of LNCS. Springer.
[9] R. Bradshaw, J. Holt, and K. Seamons. Concealing complex policies with hidden credentials. In ACM Conference on Computer and Communications Security.
[10] E. F. Brickell. Some ideal secret sharing schemes. Journal of Combinatorial Mathematics and Combinatorial Computing, 6.
[11] R. Canetti, S. Halevi, and J. Katz. A Forward-Secure Public-Key Encryption Scheme. In Advances in Cryptology - Eurocrypt, volume 2656 of LNCS. Springer.
[12] R. Canetti, S. Halevi, and J. Katz. Chosen Ciphertext Security from Identity Based Encryption. In Advances in Cryptology - Eurocrypt, volume 3027 of LNCS. Springer.
[13] M. Chase. Multi-authority attribute-based encryption. In The Fourth Theory of Cryptography Conference (TCC 2007).
[14] L. Cheung and C. Newport. Provably Secure Ciphertext Policy ABE. In ACM Conference on Computer and Communications Security (ACM CCS).
[15] C. Cocks. An identity based encryption scheme based on quadratic residues. In IMA Int. Conf.
[16] V. Goyal, O. Pandey, A. Sahai, and B. Waters. Attribute Based Encryption for Fine-Grained Access Control of Encrypted Data. In ACM Conference on Computer and Communications Security (ACM CCS).
[17] M. Ito, A. Saito, and T. Nishizeki. Secret Sharing Scheme Realizing General Access Structure. In IEEE Globecom. IEEE.
[18] M. Naor and B. Pinkas. Efficient trace and revoke schemes. In Financial Cryptography.
[19] M. Pirretti, P. Traynor, P. McDaniel, and B. Waters. Secure Attribute-Based Systems. In ACM Conference on Computer and Communications Security (ACM CCS).
[20] V. V. Prasolov. Problems and Theorems in Linear Algebra. American Mathematical Society.
[21] A. Sahai and B. Waters. Fuzzy Identity Based Encryption. In Advances in Cryptology - Eurocrypt, volume 3494 of LNCS. Springer.
[22] A. Shamir. How to share a secret. Commun. ACM, 22(11).
[23] A. Shamir. Identity Based Cryptosystems and Signature Schemes. In Advances in Cryptology - CRYPTO, volume 196 of LNCS. Springer.
[24] N. Smart. Access control using pairing based cryptography. In CT-RSA.

APPENDIX A.
REALIZING ANY ACCESS FORMULA

We show how our main construction above can be used to realize any access formula. Any formula can be represented as an access tree $\mathcal{T}$. Each interior node $y$ in the tree will be either a threshold gate, with threshold $k_y$ and $\mathrm{num}_y$ children, or a NOT of a threshold gate. We also assume that the children of an interior node are ordered; we let $\mathrm{parent}(y)$ denote the parent of node $y$ and we let $\mathrm{index}(y)$ denote which child of $\mathrm{parent}(y)$ node $y$ is. In addition, each leaf will be either an attribute or the NOT of an attribute. We note that using threshold gates captures the case of AND and OR gates. We let $\mathrm{attr}(y)$ denote a leaf node's attribute.

We first observe that by applying De Morgan's law we can transform a tree $\mathcal{T}$ into a tree $\mathcal{T}'$ so that $\mathcal{T}'$ represents the same access scheme as $\mathcal{T}$, but has only NOTs at the leaves, where the attributes are. The observation follows from the fact that a negated $k$-of-$n$ threshold gate is equivalent to an $(n-k+1)$-of-$n$ threshold gate where all the children are negated: fewer than $k$ children satisfied is the same as at least $n-k+1$ children unsatisfied. We can transform the tree $\mathcal{T}$ by doing a pre-order traversal and applying this transformation to all interior nodes that are negated. The result is a tree $\mathcal{T}'$ that only has negated leaves. For the rest of this discussion we assume that such a transformation has been applied and that only the leaves of $\mathcal{T}$ are negated; interior nodes will consist only of positive threshold gates.

Now we need to show how to assign shares $\lambda_y \in \mathbb{Z}_p$ to each leaf node in a (transformed) access tree $\mathcal{T}$ for key generation, and which $\omega_y \in \mathbb{Z}_p$ values to use for a particular decryption. We essentially assign each interior node a value on a random polynomial and recurse. We begin by assigning $\lambda_y$ values to all nodes in the tree. First, we assign the root of the tree the value $\lambda_{\mathrm{root}} = \alpha$. Then, we repeat the following process until all nodes have been assigned. Pick an arbitrary interior node $y$ that has $\lambda_y$ defined, but where the children of $y$ are undefined. Then pick a random polynomial $q_y(x)$ over $\mathbb{Z}_p$ of degree $k_y - 1$ with the restriction that $q_y(0) = \lambda_y$. For each child node $z$ of $y$ assign $\lambda_z = q_y(\mathrm{index}(z))$. After this is done the $\lambda_y$ values for interior nodes can be discarded. For each leaf node $y$, $\lambda_y$ is a share in the scheme for attribute $\mathrm{attr}(y)$, where the attribute is primed if the leaf node is negated.

Finally, suppose there is an encryption to a set $S$ of attributes and further suppose that there is a satisfying assignment to the access tree $\mathcal{T}$ of a key. Then the $\omega$ values can be derived by recursively computing the Lagrangian coefficients of each satisfied node in the tree. We refer the reader to the work of Goyal et al. [16] and Bethencourt, Sahai, and Waters [4] for details on this and efficiency optimizations.

B. CORRECTNESS OF SIMULATION

Here we prove Claim 1.

Proof: We will establish this claim by a case analysis.

For key material corresponding to negated parties $\breve{x}_i = x_i'$: If $x_i \in \gamma$, then let $r_i = -\lambda_i + r_i'$.
Note that $r_i$ is distributed uniformly over $\mathbb{Z}_p$ and is independent of all other variables except $r_i'$. Then observe that $D_i^{(3)} = g_2^{r_i'} = g_2^{\lambda_i + r_i}$. Also, $D_i^{(4)} = g^{\theta_i(-\lambda_i + r_i')} = V(x_i)^{r_i}$, since $q(x_i) = \theta_i$. And finally, $D_i^{(5)} = g^{-\lambda_i + r_i'} = g^{r_i}$. Thus, this key material is valid and distributed correctly. If $x_i \notin \gamma$, then the simulation produces key material using the same procedure as the ABE scheme.

For key material corresponding to non-negated parties $\breve{x}_i = x_i$: If $x_i \in \gamma$, then the simulation produces key material using the same procedure as the ABE scheme. If $x_i \notin \gamma$, then to see why the simulated key material is good, note that by our construction of $u(x)$, the value $x_i^d + u(x_i)$ will be non-zero for all $x_i \notin \gamma$. Now let $r_i = r_i' - \lambda_i / (x_i^d + u(x_i))$. Note that $r_i$ is distributed uniformly over $\mathbb{Z}_p$ and is independent of all other variables except $r_i'$. Then,

$$\begin{aligned}
D_i^{(1)} &= g_3^{-f(x_i)/(x_i^d + u(x_i))} \left( g_2^{x_i^d + u(x_i)} g^{f(x_i)} \right)^{r_i'} \\
&= g^{-\lambda_i f(x_i)/(x_i^d + u(x_i))} \left( g_2^{x_i^d + u(x_i)} g^{f(x_i)} \right)^{r_i'} \\
&= g_2^{\lambda_i} \left( g_2^{x_i^d + u(x_i)} g^{f(x_i)} \right)^{-\lambda_i/(x_i^d + u(x_i))} \left( g_2^{x_i^d + u(x_i)} g^{f(x_i)} \right)^{r_i'} \\
&= g_2^{\lambda_i} \left( g_2^{x_i^d + u(x_i)} g^{f(x_i)} \right)^{r_i' - \lambda_i/(x_i^d + u(x_i))} \\
&= g_2^{\lambda_i} T(x_i)^{r_i}
\end{aligned}$$

and

$$D_i^{(2)} = g_3^{-1/(x_i^d + u(x_i))} g^{r_i'} = g^{r_i' - \lambda_i/(x_i^d + u(x_i))} = g^{r_i}.$$
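The procedure of Appendix A (push NOTs down to the leaves, assign shares top-down with $q_y(0) = \lambda_y$ and $\lambda_z = q_y(\mathrm{index}(z))$, then recover the root value with Lagrange coefficients), as an added Python example that is not code from the paper. It works on exponents only, so $\lambda_y$ and $\omega_y$ are plain integers mod $p$; the prime $p = 1009$, the policy tree $(A \wedge \neg B) \vee \neg(\text{2-of-}\{C, D, E\})$ and the attribute sets are constructed for illustration. It goes slightly beyond the text in that nested NOTs are handled (they cancel) and a full $\omega$ vector is returned, with zeros for leaves that are not used:

```python
# Added example (not code from the paper): Appendix A on integers mod p.
# The tree, the prime p and the attribute sets are constructed for illustration.
import random

class Node:
    """Access-tree node. Interior nodes carry a threshold k over ordered
    children; leaves carry an attribute. `negated` marks a NOT on the node."""
    def __init__(self, k=None, children=None, attr=None, negated=False):
        self.k, self.children = k, list(children or [])
        self.attr, self.negated = attr, negated

    def is_leaf(self):
        return self.attr is not None

def push_negations(node, neg=False):
    """De Morgan step of Appendix A: NOT(k-of-n) == (n-k+1)-of-n over negated
    children. Returns an equivalent tree whose only NOTs sit on leaves."""
    neg ^= node.negated                      # nested NOTs cancel
    if node.is_leaf():
        return Node(attr=node.attr, negated=neg)
    n = len(node.children)
    k = n - node.k + 1 if neg else node.k
    return Node(k=k, children=[push_negations(c, neg) for c in node.children])

def leaf_count(node):
    return 1 if node.is_leaf() else sum(leaf_count(c) for c in node.children)

def assign_shares(node, lam, p, rng, out):
    """Top-down: q_y random of degree k_y-1 with q_y(0) = lambda_y, and
    lambda_z = q_y(index(z)). Leaves are appended to `out` left to right as
    (attr, negated, share); interior values are discarded as in the paper."""
    if node.is_leaf():
        out.append((node.attr, node.negated, lam))
        return
    coeffs = [lam] + [rng.randrange(p) for _ in range(node.k - 1)]
    for idx, child in enumerate(node.children, start=1):
        q_at_idx = sum(c * pow(idx, e, p) for e, c in enumerate(coeffs)) % p
        assign_shares(child, q_at_idx, p, rng, out)

def share_tree(tree, secret, p, seed=1):
    """Key generation: shares of `secret` (alpha) for the leaves of the transformed tree."""
    out = []
    assign_shares(push_negations(tree), secret, p, random.Random(seed), out)
    return out

def lagrange_at_zero(i, idx_set, p):
    """Delta_{i,I}(0) = prod_{j in I, j != i} (0 - j) / (i - j) mod p."""
    num = den = 1
    for j in idx_set:
        if j != i:
            num = num * (-j) % p
            den = den * (i - j) % p
    return num * pow(den, p - 2, p) % p

def omegas(node, S, p):
    """Decryption coefficients, one per leaf in left-to-right order (0 for
    unused leaves), or None if S does not satisfy the transformed tree.
    A negated leaf is satisfied exactly when its attribute is absent from S."""
    if node.is_leaf():
        ok = (node.attr not in S) if node.negated else (node.attr in S)
        return [1] if ok else None
    assert not node.negated, "run push_negations first"
    subs = [omegas(c, S, p) for c in node.children]
    chosen = [i for i, s in enumerate(subs, start=1) if s is not None][:node.k]
    if len(chosen) < node.k:
        return None
    result = []
    for i, (child, sub) in enumerate(zip(node.children, subs), start=1):
        if i in chosen:
            coef = lagrange_at_zero(i, chosen, p)
            result.extend(coef * w % p for w in sub)
        else:
            result.extend([0] * leaf_count(child))
    return result

def reconstruct(leaves, omega, p):
    """sum_y omega_y * lambda_y; equals the root secret when S satisfies the tree."""
    return sum(w * lam for w, (_, _, lam) in zip(omega, leaves)) % p

def example_tree():
    """(A AND NOT B) OR NOT(2-of-{C, D, E}), constructed for illustration."""
    left = Node(k=2, children=[Node(attr="A"), Node(attr="B", negated=True)])
    right = Node(k=2, children=[Node(attr=a) for a in "CDE"], negated=True)
    return Node(k=1, children=[left, right])

if __name__ == "__main__":
    p, alpha = 1009, 123
    tree = push_negations(example_tree())
    leaves = share_tree(example_tree(), alpha, p)
    for S in ({"A"}, {"C"}, {"B", "C", "D"}):
        om = omegas(tree, S, p)
        print(sorted(S), None if om is None else reconstruct(leaves, om, p))
```

After `push_negations`, the right subtree becomes a 2-of-3 gate over $C'$, $D'$, $E'$, so an attribute set that contains at most one of $C$, $D$, $E$ satisfies it; the reconstruction returns $\alpha$ for every satisfying set and `omegas` returns `None` otherwise, which is the point at which a real decryptor would stop rather than combine key components.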


More information

Winter 2008 CS567 Stochastic Linear/Integer Programming Guest Lecturer: Xu, Huan

Winter 2008 CS567 Stochastic Linear/Integer Programming Guest Lecturer: Xu, Huan Wnter 2008 CS567 Stochastc Lnear/Integer Programmng Guest Lecturer: Xu, Huan Class 2: More Modelng Examples 1 Capacty Expanson Capacty expanson models optmal choces of the tmng and levels of nvestments

More information

A Robust Method for Calculating the Correlation Coefficient

A Robust Method for Calculating the Correlation Coefficient A Robust Method for Calculatng the Correlaton Coeffcent E.B. Nven and C. V. Deutsch Relatonshps between prmary and secondary data are frequently quantfed usng the correlaton coeffcent; however, the tradtonal

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

Security Vulnerability in Identity-Based Public Key Cryptosystems from Pairings

Security Vulnerability in Identity-Based Public Key Cryptosystems from Pairings Internatonal Journal of Informaton and Educaton Technology Vol No 4 August 0 Securty Vulnerablty n Identty-Based ublc Key Cryptosystems from arngs Jyh-aw Yeh Abstract Many dentty-based lc key cryptosystems

More information

2.3 Nilpotent endomorphisms

2.3 Nilpotent endomorphisms s a block dagonal matrx, wth A Mat dm U (C) In fact, we can assume that B = B 1 B k, wth B an ordered bass of U, and that A = [f U ] B, where f U : U U s the restrcton of f to U 40 23 Nlpotent endomorphsms

More information

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law: CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information

Improving the Round Complexity of VSS in Point-to-Point Networks

Improving the Round Complexity of VSS in Point-to-Point Networks Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng

More information

Some Comments on Accelerating Convergence of Iterative Sequences Using Direct Inversion of the Iterative Subspace (DIIS)

Some Comments on Accelerating Convergence of Iterative Sequences Using Direct Inversion of the Iterative Subspace (DIIS) Some Comments on Acceleratng Convergence of Iteratve Sequences Usng Drect Inverson of the Iteratve Subspace (DIIS) C. Davd Sherrll School of Chemstry and Bochemstry Georga Insttute of Technology May 1998

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

Lecture 5 September 17, 2015

Lecture 5 September 17, 2015 CS 229r: Algorthms for Bg Data Fall 205 Prof. Jelan Nelson Lecture 5 September 7, 205 Scrbe: Yakr Reshef Recap and overvew Last tme we dscussed the problem of norm estmaton for p-norms wth p > 2. We had

More information

Notes prepared by Prof Mrs) M.J. Gholba Class M.Sc Part(I) Information Technology

Notes prepared by Prof Mrs) M.J. Gholba Class M.Sc Part(I) Information Technology Inverse transformatons Generaton of random observatons from gven dstrbutons Assume that random numbers,,, are readly avalable, where each tself s a random varable whch s unformly dstrbuted over the range(,).

More information

A Threshold Digital Signature Issuing Scheme without Secret Communication

A Threshold Digital Signature Issuing Scheme without Secret Communication A Threshold Dgtal Sgnature Issung Scheme wthout Secret Communcaton Kazuo Takarag, Kunhko Myazak, Masash Takahash Systems Development Laboratory, Htach, Ltd e-mal: {takara, kunhko, takahas}@sdlhtachcop

More information

CHAPTER 4. Vector Spaces

CHAPTER 4. Vector Spaces man 2007/2/16 page 234 CHAPTER 4 Vector Spaces To crtcze mathematcs for ts abstracton s to mss the pont entrel. Abstracton s what makes mathematcs work. Ian Stewart The man am of ths tet s to stud lnear

More information

Salmon: Lectures on partial differential equations. Consider the general linear, second-order PDE in the form. ,x 2

Salmon: Lectures on partial differential equations. Consider the general linear, second-order PDE in the form. ,x 2 Salmon: Lectures on partal dfferental equatons 5. Classfcaton of second-order equatons There are general methods for classfyng hgher-order partal dfferental equatons. One s very general (applyng even to

More information

Chapter 13: Multiple Regression

Chapter 13: Multiple Regression Chapter 13: Multple Regresson 13.1 Developng the multple-regresson Model The general model can be descrbed as: It smplfes for two ndependent varables: The sample ft parameter b 0, b 1, and b are used to

More information

On the correction of the h-index for career length

On the correction of the h-index for career length 1 On the correcton of the h-ndex for career length by L. Egghe Unverstet Hasselt (UHasselt), Campus Depenbeek, Agoralaan, B-3590 Depenbeek, Belgum 1 and Unverstet Antwerpen (UA), IBW, Stadscampus, Venusstraat

More information

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7 Stanford Unversty CS54: Computatonal Complexty Notes 7 Luca Trevsan January 9, 014 Notes for Lecture 7 1 Approxmate Countng wt an N oracle We complete te proof of te followng result: Teorem 1 For every

More information

HMMT February 2016 February 20, 2016

HMMT February 2016 February 20, 2016 HMMT February 016 February 0, 016 Combnatorcs 1. For postve ntegers n, let S n be the set of ntegers x such that n dstnct lnes, no three concurrent, can dvde a plane nto x regons (for example, S = {3,

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

= z 20 z n. (k 20) + 4 z k = 4

= z 20 z n. (k 20) + 4 z k = 4 Problem Set #7 solutons 7.2.. (a Fnd the coeffcent of z k n (z + z 5 + z 6 + z 7 + 5, k 20. We use the known seres expanson ( n+l ( z l l z n below: (z + z 5 + z 6 + z 7 + 5 (z 5 ( + z + z 2 + z + 5 5

More information

Interactive Bi-Level Multi-Objective Integer. Non-linear Programming Problem

Interactive Bi-Level Multi-Objective Integer. Non-linear Programming Problem Appled Mathematcal Scences Vol 5 0 no 65 3 33 Interactve B-Level Mult-Objectve Integer Non-lnear Programmng Problem O E Emam Department of Informaton Systems aculty of Computer Scence and nformaton Helwan

More information

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption Practcal Functonal Encrypton for Quadratc Functons wth Applcatons to Predcate Encrypton Carmen Elsabetta Zara Baltco 1, Daro Catalano 1, Daro Fore 2, and Roman Gay 3 1 Dpartmento d Matematca e Informatca,

More information

Difference Equations

Difference Equations Dfference Equatons c Jan Vrbk 1 Bascs Suppose a sequence of numbers, say a 0,a 1,a,a 3,... s defned by a certan general relatonshp between, say, three consecutve values of the sequence, e.g. a + +3a +1

More information

Linear Regression Analysis: Terminology and Notation

Linear Regression Analysis: Terminology and Notation ECON 35* -- Secton : Basc Concepts of Regresson Analyss (Page ) Lnear Regresson Analyss: Termnology and Notaton Consder the generc verson of the smple (two-varable) lnear regresson model. It s represented

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

Perfect Competition and the Nash Bargaining Solution

Perfect Competition and the Nash Bargaining Solution Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

arxiv:quant-ph/ Jul 2002

arxiv:quant-ph/ Jul 2002 Lnear optcs mplementaton of general two-photon proectve measurement Andrze Grudka* and Anton Wóck** Faculty of Physcs, Adam Mckewcz Unversty, arxv:quant-ph/ 9 Jul PXOWRZVNDR]QDRODQG Abstract We wll present

More information

Dr. Shalabh Department of Mathematics and Statistics Indian Institute of Technology Kanpur

Dr. Shalabh Department of Mathematics and Statistics Indian Institute of Technology Kanpur Analyss of Varance and Desgn of Exerments-I MODULE III LECTURE - 2 EXPERIMENTAL DESIGN MODELS Dr. Shalabh Deartment of Mathematcs and Statstcs Indan Insttute of Technology Kanur 2 We consder the models

More information

CHAPTER 17 Amortized Analysis

CHAPTER 17 Amortized Analysis CHAPTER 7 Amortzed Analyss In an amortzed analyss, the tme requred to perform a sequence of data structure operatons s averaged over all the operatons performed. It can be used to show that the average

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also

More information

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL The Synchronous 8th-Order Dfferental Attack on 12 Rounds of the Block Cpher HyRAL Yasutaka Igarash, Sej Fukushma, and Tomohro Hachno Kagoshma Unversty, Kagoshma, Japan Emal: {garash, fukushma, hachno}@eee.kagoshma-u.ac.jp

More information

12. The Hamilton-Jacobi Equation Michael Fowler

12. The Hamilton-Jacobi Equation Michael Fowler 1. The Hamlton-Jacob Equaton Mchael Fowler Back to Confguraton Space We ve establshed that the acton, regarded as a functon of ts coordnate endponts and tme, satsfes ( ) ( ) S q, t / t+ H qpt,, = 0, and

More information

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials MA 323 Geometrc Modellng Course Notes: Day 13 Bezer Curves & Bernsten Polynomals Davd L. Fnn Over the past few days, we have looked at de Casteljau s algorthm for generatng a polynomal curve, and we have

More information

Decentralized Multi-Client Functional Encryption for Inner Product

Decentralized Multi-Client Functional Encryption for Inner Product Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent

More information

Lecture Notes on Linear Regression

Lecture Notes on Linear Regression Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume

More information

Yong Joon Ryang. 1. Introduction Consider the multicommodity transportation problem with convex quadratic cost function. 1 2 (x x0 ) T Q(x x 0 )

Yong Joon Ryang. 1. Introduction Consider the multicommodity transportation problem with convex quadratic cost function. 1 2 (x x0 ) T Q(x x 0 ) Kangweon-Kyungk Math. Jour. 4 1996), No. 1, pp. 7 16 AN ITERATIVE ROW-ACTION METHOD FOR MULTICOMMODITY TRANSPORTATION PROBLEMS Yong Joon Ryang Abstract. The optmzaton problems wth quadratc constrants often

More information

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE Analytcal soluton s usually not possble when exctaton vares arbtrarly wth tme or f the system s nonlnear. Such problems can be solved by numercal tmesteppng

More information

and problem sheet 2

and problem sheet 2 -8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,

More information