Arbitrary-State Attribute-Based Encryption with Dynamic Membership

Transcription

1 1/ 34 Arbitrary-State Attribute-Based Encryption with Dynamic Membership Speaker: Chun-I Fan Chun-I Fan, National Sun Yat-sen University, Kaohsiung Vincent Shi-Ming Huang, Industry Technology Research Institute, Hsinchu He-Ming Rung, National Taiwan University, Taipei IEEE Transactions on Computers, 2014

2 2/ 34 Outline 1 Introduction 2 Preliminaries 3 The Proposed Scheme 4 Security Proof 5 Comparisons 6 Conclusions

3 3/ 34 Public Key Infrastructure (PKI) Traditional PKI has some features: A sender should get the public key (or the identity) of the receiver in advance. The more receivers the system has, the more bandwidth it consumes. Broadcast encryption may be able to solve the problem of performance, but the sender needs to have the receiver list.

4 4/ 34 Attribute-Based Encryption (ABE) In 1993, Fiat, and Naor proposed a broadcast encryption system. In 2001, Boneh and Franklin proposed an identity-based encryption (IBE) scheme based on Weil pairing, and enhanced it by the technique from Fujisaki and Okamoto. In 2005, Sahai and Waters proposed a new type of IBE, fuzzy IBE, which was the prototype of ABE. In 2007, Baek, Susilo, and Zhou presented another fuzzy IBE with new construction.

5 Our Contribution A"melancholia"pa-ent Melancholia"Experiences He"wants"to"share"the"experiences" of"struggling"against"melancholia"on"a"pla7orm with"doctors or"any"forum with"other" male"pa-ents A9ribute:" (( Gender:"MALE "AND" MENTAL"DISORDER:"MELANCHOLIA )"" OR"( CAREER:"DOCTOR "AND" SPECIALITY:"MELANCHOLIA )) 5/ 34 Our scheme is the first one which supports dynamic membership and arbitrary-state attributes. It is CCA secure under a standard model (without using random oracles).

6 6/ 34 Dynamic Membership Expandability. A new user is able to enroll in the system. Renewability. Each user s private key, attribute set, and attribute values can be renewed and the old private keys should be useless to those ciphertexts which are encrypted after these parameters associated with the user are renewed. Revocability. A user s private key can be revoked and the revoked private keys should be useless to those ciphertexts which are encrypted after these private keys are revoked. Independence. When a user s leaving or attribute updating occurs, the other users are not required to interact with KGC (Key Generation Center) to renew their private keys.

7 7/ 34 Backgrounds Lagrange Interpolation Lagrange interpolating polynomial is a polynomial p of degree not greater than (n 1) that passes through n points (x i,y 1 ),...,(x n,y n ), and is given by p(x) = nx p j (x), wherep j (x) =y j j=1 Y k=i,...,n,k6=j x x k. x j x k For i 2 Z and S Z, the Lagrange coe cient i,s(x) is defined as i,s(x) = Y 8j2S,j6=i x i j j

8 8/ 34 Backgrounds Bilinear Mapping Let G 0, G 1,andG T be three cyclic groups of prime order q. A bilinear mapping e : G 0 G 1! G T satisfies the following properties: Bilinearity: e(ap, bq) =e(p, Q) ab, 8P 2 G 0, Q 2 G 1 and a, b 2 Z q. Non-Degeneracy: The mapping does not map all pairs in G 0 G 1 to the identity in G T. Computability: There is an e e(p, Q), 8P 2 G 0,Q2 G 1. cient algorithm to compute

9 9/ 34 Backgrounds Decisional Bilinear Di e-hellman Problem Let G 0,G 1,andG T be three cyclic groups of prime order q, P and Q be arbitrarily-chosen generators of G 0 and G 1,respectively,and e : G 0 G 1! G T be a bilinear mapping. Given (P, Q, ap, bp, cp, aq, bq, cq, Z) for some a, b, c 2 Z q and Z 2 R {e(p, Q) abc,y 2 R G T }, decide if Z = e(p, Q) abc.

10 10/ 34 Definitions Definition 1 (The DBDH Assumption) We define that an adversary C with an output b 0 2{0, 1} has advantage 0 in solving the DBDH problem if Pr[C(P, Q, ap, bp, cp, aq, bq, cq, e(p, Q) abc ) = 1] Pr[C(P, Q, ap, bp, cp, aq, bq, cq, Z) = 1] 0 where the probability is over the random choice of a, b, c 2 Z q and the random choice Z 2{e(P, Q) abc,y 2 R G T }.

11 11/ 34 An Access Tree

12 12/ 34 The Proposed Scheme Overview: Enrollment, Encryption, Decryption

13 13/ 34 The Proposed Scheme Overview: Leaving, Updating

14 14/ 34 The Proposed Scheme Setup(k) Step 1: G 0, G 1, G T with prime order q, e : G 0 G 1! G T, generator P of G 0, generator Q of G 1 Step 2:, 2 R Z q and H : {0, 1}! Z q. Step 3: Generate two default users: 1 U = {0, 1}, {v i,j } 8i2U,j2A 2 R Z q, {t i } 8i2U 2 R Z q. 2 ( {Vj = ( Q 8i2U v i,j)q} 8j2A Q {v i,j = t i 8k6=i,k2U v 1 k,j + v i,j mod q} 8i2U,8j2A. Step 4: Public parameter PK =(G 0, G 1, G T, e, H, P, Q, U = e(p, Q) ( 1), e(p, Q), {V j, {v i,j } 8i2U } 8j2A, V) The master key of KGC is MK = Q. The asymmetric setting of e can be implemented by BN-Curve which is with faster software implementations.

15 The Proposed Scheme Enrollment(A i, (m i,j) 8j2Ai,MK) 15/ 34 Step 1: r i, t i, {v i,j } 8j2A, {r i,j } 8j2Ai 2 R Z q Step 2: U = U[{i} Step 3: 8 >< >: {h i,j = H(m i,j )} 8j2Ai {V j = v i,j V j } 8j2A {v i,j = t i Q 8k6=i,k2U v 1 k,j + v i,j mod q} 8j2A {v k,j =(v k,j v k,j )v 1 i,j + v k,j mod q} 8k6=i,k2U,8j2A Step 4: Generate user i s private key D i = 8 D i = Q + t i r i Q >< {D i,j = vi,j 1 (r ip + r i,j h i,j P )} 8j2Ai {D >: i,j 0 = t ir i,j P } 8j2Ai {Di,j 00 = r ip + r i,j h i,j P } 8j2Ai Step 5: Increase V and update ({V j, {v i,j } 8i2U } 8j2A, V) in PK.

16 16/ 34 The Proposed Scheme Leaving(u) KGC increases V and updates PK as follows: {Vj = v 1 u,j V j} 8j2A {v k,j =(v k,j v k,j )v u,j + v k,j mod q} 8k6=u,k2U,8j2A Finally, it sets U = U\{u} and deletes {v u,j } 8j2A in PK.

17 17/ 34 The Proposed Scheme Updating(m 0 i,j) Step 1: vi,j 0, r0 i, r0 i,j 2 R Z q Step 2: h 0 i,j = H(m0 i,j ) Step 3: Give 8 >< >: D i = Q + t i ri 0Q D i,j = vi,j 0 1 (r0 i P + r0 i,j h0 i,j P ) {D i,k = v 1 i,k (r0 i P + r i,kh i,k P )} 8k2Ai \{j} D 0 i,j = t ir 0 i,j P D 00 i,j = r0 i P + r0 i,j h0 i,j P {D 00 i,k = r0 i P + r i,kh i,k P )} 8k2Ai \{j} to user i. Step 4: Increase V and update PK. 8 < : V j = vi,j 1 v0 i,j V j v i,j =(v i,j v i,j )+vi,j 0 mod q v k,j =(v k,j v k,j )v i,j vi,j v k,j mod q, 8k 2U\{i}

18 18/ 34 The Proposed Scheme Encryption(T,M,PK) Access tree structure construction. For the root node R: 1 s 2 R Z q and k R is the threshold value of R. 2 Randomly choose a polynomial q R of degree d R = k R 1 with q R (0) = s. 3 Assign a unique index number x for each child of R. For each internal node N other than R: 1 k N is the threshold value of N. 2 Randomly choose a polynomial q N of degree d N = k N 1 with q N (0) = q parent(n) (index(n)). 3 Assign a unique index number x for each child of node N. For each leaf node N L : Randomly choose a polynomial q NL of degree 0 with q NL (0) = q parent(nl )(index(n L )).

19 19/ 34 The Proposed Scheme Encryption Ciphertext generation: K 2 R G T and N L = {the leaves of T}. The ciphertext is CT = (T, C = e(p, Q) s K, C = sp, C 0 = U s, M = E K (M),C r = H(K M)P, {C N = q N (0)V att(n),cn 0 = q N(0)H(val(N))Q, {v i,att(n) } 8i2U } 8N2NL, V). {{v i,att(n) } 8i2U } 8N2NL can be excluded from the ciphertext.

20 20/ 34 The Proposed Scheme Decryption(CT,D i) DecryptNode(CT,D i,n): LetV j = v j P. If N is a leaf node: Let j = att(n). If j is in A i and m i,j = val(n), then DecryptNode(CT,D i,n) = e(d i,j,v i,j C N ) e(d 0 i,j,c0 N )e(d00 i,j,c N ) = e(v 1 i,j (r ip +r i,j h i,j P ),(t i v 1 j v i,j +v i,j )q N (0)v j Q) e(t i r i,j P,q N (0)h i,j Q)e(r i P +r i,j h i,j P,v j q N (0)Q) = e(v 1 i,j (r ip +r i,j h i,j P ),t i v i,j q N (0)Q+v i,j v j q N (0)Q) e(t i r i,j P,q N (0)h i,j Q)e(r i P +r i,j h i,j P,v j q N (0)Q) = e(r ip +r i,j h i,j P,t i q N (0)Q)e(r i P +r i,j h i,j P,v j q N (0)Q) e(t i r i,j P,q N (0)h i,j Q)e(r i P +r i,j h i,j P,v j q N (0)Q) = e(r ip,t i q N (0)Q)e(r i,j h i,j P,t i q N (0)Q) e(t i r i,j P,q N (0)h i,j Q) = e(p, Q) t ir i q N (0). Otherwise, DecryptNode(CT,D i,n)=?.

21 21/ 34 The Proposed Scheme Decryption If N is an internal node: 1 For each child N c of N, F Nc = DecryptNode(CT,D i,n c ). 2 Let I c be a k N -sized set containing the indexes of the child nodes N c s such that F Nc 6=? for each N c.return F N = Q 8index(N c)=z2i c F z,ic (0) N c = Q 8index(N c)=z2i c (e(p, Q) tiriq Nc (0) ) = Q 8index(N c)=z2i c (e(p, Q) tiriqparent(nc)(z) ) = Q 8index(N c)=z2i c (e(p, Q) tiriq N (z) z,ic (0) ) = e(p, Q) tiriq N (0) z,ic (0) z,ic (0). 3 If no such set exists, N is not satisfied and return F N =?.

22 22/ 34 The Proposed Scheme Decryption Call DecryptNode(CT,D i,r): A = DecryptNode(CT,D i,r) = e(p, Q) t ir i q R (0) = e(p, Q) t ir i s Compute the session key K: A C e(c,d i ) C 0 = e(p,q) t i r i s e(p,q) s K e(sp,( +t i r i )Q) e(p,q) ( 1)s = e(p,q) s e(p,q) t i r i s K e(p,q) ( s+ ( 1)s+t i r i s) = e(p,q) s+t i r i s K e(p,q) s+t i r i s = K The decryption procedure will return? if C r 6= H(K M)P. Otherwise, it returns M by computing M = D K (M).

23 23/ 34 Dynamic Membership The Enrollment algorithm: 1 Expandability The Leaving and Updating algorithms: 1 Revocability 2 Renewability 3 Independence

24 24/ 34 Security Proof Theorem The proposed CP-ABE-DM scheme is CCA DM secure under the DBDH assumption in a standard model.

25 25/ 34 Security Proof The CCA DM Game

26 Security Proof The Cipher Algorithm 26/ 34 Initially, C calls Cipher(T,R,cQ).

27 27/ 34 Comparisons Dynamic Membership: It allows an ABE system to manage member enrollment, attribute updating, and member revocation e ciently. Sender Updating: A sender must grab the newest public information before she/he encrypts a message. Receiver Updating: Areceivermustinteractwiththesystem to refresh her/his private key or retrieve the newest public information before she/he decrypts a ciphertext. No Private Key Refreshment: Members do not have to interact with the system to refresh their private keys when the membership or any of the members attributes has been changed. Arbitrary-State Attribute: The domain of each attribute is a variable-length string, not a binary bit only.

28 28/ 34 Feature Comparisons Dynamic Membership Scheme Updating Leaving ASA Special Feature Ours Yes Yes Yes No Private Key Refreshment [4] No No Yes Direct and Indirect Revocation [5] No Yes No Multi-Authority [12] No No No Dual Policy [13] No No No Multi-Authority [15] No No No Multi-Authority [7] No No No Full Logic Expression [8] No No No Key Delegation [9] No No No Multi-Authority [10] No No No -

29 29/ 34 Feature Comparisons Dynamic Membership Scheme Updating Leaving ASA Special Feature Ours Yes Yes Yes No Private Key Refreshment [11] No No No - [14] No No No - [25] No No No Full Logic Expression [26] No No No [27] No No No Multi-Authority [28] No No No Multi-Authority [29] No No No Attribute Hierarchy [30] No No Yes Unbounded Attribute [31] No No No Constant Ciphertext Size [32] No No No Multi-Authority [33] No Yes No - ASA: Arbitrary-State Attribute

30 30/ 34 Notations for Performance Comparisons Notation Meaning n the number of the members in an ABE system m the number of the attributes provided in an ABE system m c the number of attributes associated to a ciphertext m d the maximum of Cover(R) where R is the set of revoked users and m d <m m u the number of a user s attributes m a the number of authorities m or the number of OR gates of the access rule associated to aciphertext m and the number of the AND conjunction attributes of the access rule associated to a ciphertext m not the number of the NOT conjunction attributes of the access rule associated to a ciphertext DR, IR Direct Mode and Indirect Mode SA, OA Subject Attribute and Objected Attribute

31 31/ 34 Performance Comparisons: Computation Cost

32 32/ 34 Performance Comparisons: Storage and Communication Cost

33 33/ 34 Conclusions An attribute-based encryption scheme with dynamic membership has been proposed. This is the first ABE scheme which can support arbitrary-state attributes and attribute (and value) updating with Sender Updating only. It has been formally proved to be CCA secure under a standard model.

34 Q&A 34/ 34