an ad hoc group signature scheme for accountable and anonymous access to outsourced data chuang wang...
TRANSCRIPT
![Page 1: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/1.jpg)
An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to
Outsourced Data
Chuang Wanga,b and Wensheng Zhanga
aDepartment of Computer ScienceIowa State UniversitybSymantec Corporation
![Page 2: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/2.jpg)
2
Background: Data Outsourcing
remote un-trusted data storage server
encrypt
decrypt
author
authorized users
![Page 3: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/3.jpg)
3
ABE (Attribute-based Encryption)
OR
AND
“Computer
Science”
“ISU”
“PrivacyGrp@Symant
ec”
Access Structure
Graduate student
@cs.iastate
retrieve
decrypt
retrieve
decrypt
X
derive key based on secrets
associated with his attributes
![Page 4: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/4.jpg)
4
Accountability?
What if the secret doc is found exposed?A trusted third-party authority should be able to find out who have accessed the data (accountability/ traceability)
Meanwhile, anonymity of users should be kept from entities other than the authority (including the un-trusted storage server)
OR
AND
“Computer
Science”
“ISU”
“Privacy@Symant
ec”
Access Structure
![Page 5: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/5.jpg)
5
Group Signature Scheme
OR
AND
“Computer
Science”
“ISU”
“Privacy@Symant
ec”
Access Structure
group public key (gpk)
A user i’s personalized private key
(gski)
m
σm = sign(gpk, gski, m)
Verify(gpk, σm)=1?Record σm
(Authority is able to trace the signature to user i.)
Authorized Users
![Page 6: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/6.jpg)
6
Group Signature Scheme: Problem
OR
AND
“Computer
Science”
“ISU”
“Privacy@Symant
ec”
Access Structure
group public key (gpk)
A user i’s personalized private key
(gski)
Access structures may be defined on the fly (when a document is outsourced)
Significant communication
overheads may need to set up private
keys for the members of dynamic
groups
The groups of users satisfying the access structures are formed
dynamically
Authorized Users
![Page 7: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/7.jpg)
7
Our Proposal: Ad Hoc Group Signature (AdHocSign) – Design
Goals
Objective: ad hoc group signature scheme.
Design RequirementsUser anonymity: A successfully verified user could be any one of the authorized users.
– Ex: Access Structure = “a AND b”; a successfully-verified user could be any one owning attributes a and b.
– Ex: Access Structure = “(a AND b) OR c”; a successfully-verified user could be any one owning attributes a and b, or any one owning c, and the server and other users cannot know which of the above two cases occurs.
Traceability: The authority is able to trace a signature to a user.
![Page 8: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/8.jpg)
8
Our Proposal: Ad Hoc Group Signature (AdHocSign) – Design
Goals
Objective: ad hoc group signature scheme.
Design RequirementsUser anonymity: A successfully verified user could be any one of the authorized users.
Accountability (traceability): The authority is able to trace a signature to a user.
Efficiency in communication (for group management):
when a new access structure is created, no extra communication for group management (e.g., distributing keys) is required.
![Page 9: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/9.jpg)
9
Our Proposal: Ad Hoc Group Signature (AdHocSign) – Key Ideas
When a user joins: he/she is preloaded key materials for each attribute assigned.
Storage Cost
Communication Cost
When a document (and associated access structure) posted to server:
server is given key materials for the access structure (AS).
A user’s attributes satisfy the AS
Y
Obtain: the user-specific and access structure-specific privacy key for group signature
![Page 10: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/10.jpg)
10
Basis: Group Signature [BonehShacham’04]
Complexity Assumptions:q-SDH problemDecision Linear problem
xi, Ai=g 1/(ζ+xi) g, g’=g
ζ
user i’s private key (gski)
public key (gpk)
e(Ai, g’×g ) = e(g, g) xibilinear mapping
System-wide secret
• Signing: sign(gpk, gski, m) σm
• Verifying: verify(gpk, m, σm) 1/0
![Page 11: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/11.jpg)
11
AdHocSign: Roadmap of the Design
What to do?Construct and give appropriate key materials to users and storage server, s.t., an authorized user is able to derive his/her private key as in the BS group signature scheme
How?Consider a conjunction-only access structure
– Ex: “a AND b”Consider a disjunction-only access structure
– Ex: “a OR b”Consider a general (i.e., conjunction of disjunctive) access structure
– Ex: “(a OR b) AND (c OR d)”
![Page 12: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/12.jpg)
12
AdHocSign for Conjunction-only Access Structures: Intuition
AND
a b
Access structure: T
Secrets:
αa , αb Authority
Server
Key materials: ra, rbPublic key:
• gT = g
• gT’ = gT
ζ
αa×ra+αb×rb
User i
Private key:
• xi
Key materials:
• for attribute a: gi,a=g
• for attribute b: gi,b=g
• … …
αa/(ζ+x i)
αb/(ζ+x i)
<T=“a AND b”; ra, rb>
• AiT = gi,a ×gi,b = grbra (αa×ra+αb×rb)/(ζ+x i)
e(AiT, gT’×gT
xi) = e(gT, gT)
![Page 13: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/13.jpg)
13
AdHocSign for Disjunction-only Access Structures: Intuition (1)
OR
a b
Access structure: T
Secrets:
αa, αb,Authority
Server
Key materials:
ra= rT/αa ; rb= rT/αb
Public key:
• gT = g
• gT’ = gT
ζ
rT
User i
Private key:
• xi
Key materials:
• for attribute a: gi,a=g
• for attribute c: …
• … …
αa/(ζ+x i)
<T=“a OR b”; ra, rb>
• AiT = gi,a =
g
ra rT/(ζ+x i)
e(AiT, gT’×gT
xi) = e(gT, gT)
rT
![Page 14: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/14.jpg)
14
AdHocSign for Disjunction-only Access Structures: Intuition (2)
OR
a b
Access structure: T
Secrets:
αa, αb,Authority
Server
Key materials:
ra= rT/αa ; rb= rT/αb
User i
Key materials:
• for attribute a: gi,a=g
• … …
• … …
αa/(ζ+x i)
<T=“a OR b”; ra, rb>
rT, ζ
Problem: User i can derive gi,b = gi,a,
<T=“a OR b”; ra, rb>
ra/rb
though user i does not own attribute b.
Later on, user i can satisfy access structures such as “a AND b”, “b OR x”.
![Page 15: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/15.jpg)
15
AdHocSign for Disjunction-only Access Structure: Intuition (3)
The authorityFor each attribute a, multiple (instead of a single) secret
numbers are picked: αa,1, αa,2, …, αa,N Each user i who owns attribute a is preloaded with N secrets (key materials):gi,a,1, gi,a,2, …, gi,a,N, where gi,a,k = g
Every time when a new disjunction-only access structure, e.g., T=“a OR b”, is defined:
rT is selected randomly
rT,a = rT/αa,k1 and rT,b = rT/αb,k2, where αa,k1 and αb,k2 have not been used before
A user i with attribute a or b should use gi,a,k1 or gi,b,k2 to derive its private key
αa, k/(ζ+ xi)
![Page 16: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/16.jpg)
16
AdHocSign for General Access Structures: Intuition
OR
c d
Access structure
αa,k1
Authority
OR
a b
AND
αb,k2 αc,k3 αd,k4
rT1 rT2
Server
Key materials given to server:(a, k1, rT,a = rT1/αa,k1)
(b, k2, rT,b = rT1/αb,k2)
(c, k3, rT,c = rT2/αc,k3)
(d, k4, rT,d = rT2/αd,k4)
Public key:
• gT = grT1+rT2
• gT’ = gTζ
![Page 17: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/17.jpg)
17
AdHocSign for General Access Structures: Intuition
User i
Assume the user owns attributes a and d
Key materials assigned to user i:
• For attribute a
• …
• gi,a,k1 = g
• …
• For attribute d
• …
• gi,d,k4 = g
• …
αa,k1/(ζ+xi)
αd,k4/(ζ+xi)
Key materials provided by server:(a, k1, rT,a = rT1/αa,k1)
… ….
(d, k4, rT,d = rT2/αd,k4)
AiT = gi,a,k1 × gi,d,k4
= g
rT, a rT, d
(rT1+rT2)/(ζ+xi)
Private key: (xi, AiT)
![Page 18: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/18.jpg)
18
Security Features
TraceabilityIntuitively: Storage server and/or collusive users are hard to forge valid signatures that cannot trace back to any of them, as long as the SDH problem is hard.
Formally: Our proposed AdHocSign scheme is (t, qH, qS, n, m,ε) traceable if (q, t’, ε’)-SDH assumption holds, where n = q-1, ε= 8n*sqrt(ε’qH) + 2n/q, t’=O(tmN).
![Page 19: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/19.jpg)
19
Security Features
Selfless-anonymityIntuitively: Storage server and/or others are hard to determine if two signatures are pertinent to the same user or not, as long as the Decision Linear problem is hard.
Formally: Our proposed AdHocSign scheme is (t, qH, qS, n, m,ε) selflessly anonymous if (t’, ε’) Decision Linear assumption holds, where ε’ = ε(1/n2 – qSqH/p)/2.
![Page 20: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/20.jpg)
20
Cost Analysis
Computational costUser’s cost
– Private key preparation– x exponential ops, where x is the number of disjunctive
components in the access structure – typically lower than signing cost as long as x is not too
large– Signing (using BS Group Signature Signing)
Server’s cost– Verification (using BS Group Signature Signing)
Overall: Typically less than twice of that of BS Group Signature scheme
![Page 21: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/21.jpg)
21
Cost Analysis
Communication costO(L): L is the length of an access structure
Storage costO(Nx)
– x - total number of attributes owned by a user – N - total number of secrets preloaded for each attribute
N: the minimum number of different access structures that can be defined dynamically; in practice, more different access structures can be defined dynamically
![Page 22: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/22.jpg)
22
Conclusion
We design a new group signature scheme for dynamically-formed groups
Selfless-anonymity
Traceability
No user key distribution at dynamic group forming time – at the cost of storing extra key materials when a user
joins the system
Applicable when: storage is cheaper than communication (cost for dynamic management of groups)
![Page 23: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/23.jpg)
Thank you!
Contacts of the authors{wzhang, chuangw}@iastate.edu
Full paper:www.cs.iastate.edu/~wzhang/papers/adhocsign.pdf
![Page 24: An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer](https://reader035.vdocuments.net/reader035/viewer/2022062517/56649e845503460f94b8666d/html5/thumbnails/24.jpg)
24
Implementation
Prototype developmentBased on jPBC (java pairing-based library)Adopting the type A curve
Evaluation setupUser: desktop with 1.83 GHz Genuine Intel processor and 3GB RAMServer: workstation with two 2.13 GHz Intel Xeon processors and 24 GB RAM
Evaluation resultsBS Group Signature
– Signing cost – 1.65 seconds by average– Verification cost – 0.28 seconds by average
Private key computation in AdHocSign– ~0.1 second for each disjunctive component in the access structure