多媒體網路安全實驗室

Extended Attribute Based Encryption for Private Information Retrieval

Extended Attribute Based Encryption for Private Information Retrieval

指導教授：鄭錦楸、郭文中報告者 ：許偉德 日期 ： 2010/07/02

多媒體網路安全實驗室

Outline

INTRODUCTION1

PRELIMINARY2

CONSTRUCTION33

SECURITY AND PRIVACY EVALUATION44

PERFORMANCE ANALYSIS35

CONCLUSION46

多媒體網路安全實驗室

INTRODUCTIONPIR enables the sensitive data to be obtained

only if the data authorizers allow the data receivers to access to the data.

ABE(attribute based encryption):a user is identified by a certain set of attributes, and ciphertext is encrypted under another set of attributes.

多媒體網路安全實驗室

Our Contribution.EABE(Extended Attribute Based Encryption):

authorizers could authorize the data receiver separately by signing a signature.

Sender will encrypt the required data with the access structure and send the ciphertext to data receiver.

Only if the receiver gets enough authorizations which satisfy the access structure can he or she decrypts the ciphertext.

多媒體網路安全實驗室

IEABE(Improved EABE): by using the ASPIR scheme Each authorizer will generate an authorization on a

requirement which includes the receiver identity, index of the data and some other policy.

The sender will also generate a ciphertext based on the requirement and the access structure.

Receiver could retrieve the data from the ciphertext obtained through ASPIR scheme if the access structure is satisfied.

多媒體網路安全實驗室

Sahai and Waters firstly proposed a attribute based encryption (ABE) scheme called fuzzy identity based encryption scheme in 2005.

Goyal, Pandey, Sahai and Waters further defined the concept of ABE:key-policy ABE (KPABE) and ciphertext-policy ABE(CPABE). KPABE:which allows keys to be expressed by any

monotonic formula over encrypted data. CPABE:in standard model with the use of linear

secret sharing scheme (LSSS) which is also expressive and efficient.

多媒體網路安全實驗室

PRELIMINARY

A. Access structure

Definition 1 (Access Structure) Let

The sets in r are called the authorized sets, and the sets not in r are called the unauthorized sets.

},...,,{A 21 nAAA

.C then CB and B if A, C B, allfor if

monotone is 2 collection

AA

多媒體網路安全實驗室

B. Linear Secret Sharing Schemes

Definition 2 (Linear Secret-Sharing Scheme (LSSS)). A secret-sharing scheme II over a set of parities A

is called linear.

1)The shares for each party form a vector over Zp.

2) matrix generating-share thecalled matrix a exists There wlM

) and shared, be secret to theis

where),,...,,(tor column vec heconsider t(

toaccording secret theof shares of vector theis

2

2

pwp

w

Z, ...,rrZs

rrsv

s lMv

多媒體網路安全實驗室

C. Bilinear Maps

Definition 3 (Bilinear Maps).Let G and GT be two multiplicative cyclic groups

of prime order p.

多媒體網路安全實驗室

D. Decisional Bilinear Diffie-Hellman Assumption When given the adversary must

distinguish a valid tuple from a random element R in

GZa, b,s p ofgenerator a be g and randomat chosen be Let

),( cba gggg

Tabs Ggge ),(

TG

多媒體網路安全實驗室

E. participants in our scheme EABE and IEABE involve the initializer, a sender, a

receiver, and authorizers, denoted by I, S, R and

I: generates a common parameter PK and then publishes PK authentically

S: has a data d which should be authorized by an authorized set A' in an access structure

Ai generates their private/public key pair to sign message.

},...,,{A 21 nAAA

.

多媒體網路安全實驗室

In EABE,the ciphertext is generated according to the access structure The authorization from Ai generated according to

the identity of R.

In IEABE,S and/or R choose a message m to be signed as a proof of authorization.

多媒體網路安全實驗室