Directly Revocable Key-Policy Attribute- Based Encryption with Verifiable Ciphertext Delegation

Transcription

1 Directly Revocable Key-Policy Attribute- Based Encryption with Verifiable Ciphertext Delegation Yanfeng Shi, Qingji Zheng, Jiqiang Liu, Zhen Han Beijing Jiaotong University

2 Traditional Encrypted Filesystem File 1 Owner: John File 2 Owner: Tim Encrypted Files stored on Untrusted Server Every user can decrypt its own files Files to be shared across different users? Credentials? 2

3 Key-Policy Attribute-Based Encryption File 1 Creator: John Computer Science Admissions Date: Label files with attributes File 2 Creator: Tim History Admissions Date:

4 Key-Policy Attribute-Based Encryption File 1 Creator: John Computer Science Admissions Date: Univ. Key Authority OR File 2 Creator: Tim History Admissions Date: AND Bob Computer Science Admissions 4

5 Our Work (1/4): Revocation Guarantees o Non-revoked users can decrypt data. o Revoked users can t decrypt data added in the future. o Revoked users can t decrypt data in the past. [22] (After termination, employee shouldn t be able to access anything he doesn t already have) [22] A. Sahai, H. Seyalioglu, B. Waters, Dynamic credentials and ciphertext delegation for attribute-based encryption, in: CRYPTO, 2012, pp

6 Our Work (2/4): Revocation o Non-revoked users can decrypt data. o Revoked users can t decrypt data added in the future. Direct mode: no need to update non-revoked users decryption keys. Indirect mode: need to update all the non-revoked users decryption keys.

7 Our Work (3/4): Revocation o Revoked users can t decrypt data in the past. Update the past encrypted data Traditional way: The data owner must download, decrypt, re-encrypt and upload the data stored in the cloud. Outsourcing to cloud: The cloud update the encrypted data- ciphertext delegation. Unverifiable: the process can t be accountable. Verifiable: the process can be accountable.

8 Our Work (4/4): Revocation [1] N. Attrapadung, H. Imai, Attribute-based encryption supporting direct/indirect revocation modes, in: IMA Int. Conf., 2009, pp [2] N. Attrapadung, H. Imai, Conjunctive broadcast and attribute-based encryption, in: Pairing-Based Cryptography Pairing 2009, Springer, 2009, pp [5] A. Boldyreva, V. Goyal, V. Kumar, Identity-based encryption with efficient revocation, in: ACM Conference on Computer and Communications Security, 2008, pp [22] A. Sahai, H. Seyalioglu, B. Waters, Dynamic credentials and ciphertext delegation for attribute-based encryption, in: CRYPTO, 2012, pp

9 System model Trusted authority Encrypt and Outsource outsource data user user verify Encrypt and outsource data Revocation-update ciphertext Cloud cloud sever Encrypt and Outsource data user

10 Techniques Techniques Multilinear Maps Subset cover

11 Multilinear Maps d + 3: G 0, G 1,, G d+2 order p d + 2 mappings e i : G 0 G i G i+1, i = 0,, d + 1 Properties: Given generator g 0 G 0, then g i+1 = e i g 0, g i is the generator of G i+1 e i g 0 α, g i β = e i g 0, g i αβ e i can be efficiently computed

12 Subset Cover

13 System Setup α, β R Z p, H 1 : {0,1} Z p, H 2 : {0,1} G 0, h j R Gd+1, 0 j max, max is the maximum number max y of attributes. Define Q y = h j j=0 j, y Z p pm=(e 0,, e d+1, G 0,, G d+2, g 0,, g d+2, e d+1 g 0, g d+1 α, g 0 β, H 1, H 2, h 0,, h max ) mk=(α, β)

14 Key Generation mk=(α, β) 1 α 1, v 2, v 3,, v k R Z p, set α 2, s. t. α = α 1 + α 2 mod p. 2 v = α 1, v 2, v 3,, v k, for i = 1,, l, compute λ π(i) = M i v, M is an l k matrix; (1) λ π D i = i gd+1 Q(H 1 (π(i))) r (2) r R i, D i = i g0, r i Zp ; Access control policy 3 Let P xi 0 = e 0(H 2 x i0, g 0 β ), compute Pxij = e j (H 2 x ij, P xij 1 ), where j = 1,, d. (path(uid)={x i0, x id }) Path(uid) is recorded using mullinear maps D (3) α = g 2 t d+1 P uid, D (4) = g 0 t, t R Z p ; sk= (uid, (M,π), (D i (1), D i 2 ) i [1,l], D (3), D (4) )

15 Encryption pm=(e 0,, e d+1, G 0,, G d+2, g 0,, g d+2, e d+1 g 0, g d+1 α, g 0 β, H 1, H 2, h 0,, h max ) Encrypt the massage m G d+2 under attribute set S 1 C (1) = me d+1 (g 0, g d+1 ) αs, C (2) s = g 0, s R The Z p ; Attribut (3) 2 C at = Q(H1 (at)) s e set, at S; 3 path x = x i0,, x idepth x, x i0 = root x idepth x = x, x cover R, cover(r) is the cover set of revocation list R. P xi 0 = e 0(H 2 x i0, g 0 β ), compute Pxij = e j (H 2 x ij, P xij 1 ), where j = 1,, dept x, set C x (4) = Px s. The set cover nodes cph=(s,r,c (1), C (2) (3),{C at }at S, {C (4) x }x cover(r) )

16 Decryption Part I sk= (uid, (M,π), (D i (1), D i 2 ) i [1,l], D (3), D (4) ) For each satisfied node (uid R S satisfies (M,π)) perform a computation (1) With uid R, exist a node x s. t. x path uid cover R, suppose path uid = x i0,, x idepth x,, x id, x id = uid x idepth x = x; (4) (2) Let P xidepth = C x x, compute Pxij+1 = e j+1 (H 2 x ij+1, P xij ) for j = depth x,, d 1; (3) P uid = P xid Extend ciphertext of x to uid (using multilinear maps)

17 Decryption Part II (4) S satisfies (M,π), exist c i, s. t. c i M π i S i =(1,0,,0), then K = ( e d+1(c 2 (1), D i ) e d+1 (D 2 ) c i e d+1(c 2, D (3) ) (3) i, C π(i) ) e d+1 (D 4, P uid ) (5) m = C 1 / K. π i S S satisfies (M, π) uid R

18 Update Given a new revocation list R, update as follows: If exists x cover R s. t. x = x (4) (4), set C x = Cx ; Otherwise exists x cover R s. t. x is an ancestor of x,path x = path x {x idepth x,, x idepth x }, where x idepth x = x, x idepth x = x, set P xij+1 = e j+1 (H 2 x ij+1, P (4) xij ) and C x = Px ; Let C (1) = C (1), C (2) = C (2) (3) (3), C at = Cat. Updated ciphtext: cph =(S,R,C (1), C (2) (3),{C at }at S, {C (4) x }x cover(r ) ) X 7 is the new revoked user, the ciphertext part for x 14 needs to update to x 11 and x 8

19 Verification Verify the following equations: C (1) = C (1), C (2) = C (2) (3) (3) at S, C at = Cat, x cover(r) cover R, C x (4) = Cx (4). If hold, proceed to verify whether i, s. t. η c i Check each level η 4 ) c i i=0, e depth x +1 C 2, i=1 P xi = e depth x +1 g 0, (C x where c 1,, c η R Zp, x j cover R cover R,and depth x j i, i = 1,, d. =

20