Fully Secure Multi-authority Ciphertext-Policy Attribute-Based Encryption without Random Oracles

Zhen Liu (1, 2)
1 Shanghai Jiao Tong University, Shanghai, China
2 City University of Hong Kong, Hong Kong SAR, China

Joint work with Zhenfu Cao, Qiong Huang, Duncan S. Wong, and Tsz Hon Yuen

16th European Symposium on Research in Computer Security (ESORICS) 2011, 12-14 September 2011, Leuven, Belgium


Post on 25-Feb-2016



Outline

• Introduction
• History
• Motivation
• Our Results
• Background
• Our scheme


Introduction: What is CP-ABE?

• CP-ABE is a tool for implementing fine-grained access control over encrypted data, and is conceptually similar to traditional access control methods such as Role-Based Access Control.
• A user is described by a set of descriptive attributes, and a corresponding private key is issued to the user by an authority.
• During encryption, an encryptor associates an access policy over attributes with the ciphertext.
• If and only if the attributes of a user satisfy the access policy of the ciphertext, the user can decrypt the ciphertext.


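Introduction: What is CP-ABE?

[Figure: CP-ABE example. Attribute universe $U$ (Dept.: CS, EE, …; Type: PhD Stud., Alumni, …; Gender: Male, Female; Birth Year: 1980, 1981, …) with keys $PK$ and $MSK$. A message $M$ is encrypted as $C = \mathrm{Enc}(PK, \mathcal{P}, M)$ under the policy $\mathcal{P} = CS \text{ AND } (PhD \text{ OR } ALU)$ and kept on an untrusted storage server. The key $SK_{S_A}$ for $S_A = \{CS, PhD\}$ satisfies $\mathcal{P}$; the key $SK_{S_B}$ for $S_B = \{EE, PhD\}$ does not satisfy it.]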


Introduction: What is CP-ABE? -- Collusion-resistant

[Figure: access tree for $\mathcal{P} = CS \text{ AND } (PhD \text{ OR } ALU)$, with the key $SK_{S_B}$ for $S_B = \{EE, PhD\}$ and the key $SK_{S_T}$ for $S_T = \{CS, UnG\}$.]

If none of the users can decrypt a ciphertext individually, they still can’t even if they work together.


Introduction: What is CP-ABE? -- Definition

• . is implicitly included in .
• .
• If and only if satisfies , can be recovered.


Introduction: Why is MA-CP-ABE needed?

• It might not be realistic to have one single authority to manage all attributes. [SW05]
• E.g., an encryptor may want to share data with users who are computer science alumni of University X and currently working as an engineer for Company Y, i.e., the access policy is
• In a desired Multi-Authority CP-ABE (MA-CP-ABE) system, different domains of attributes are managed by different authorities. An encryptor can encrypt messages with any access policy over the entire attribute universe.


History: Existing CP-ABE Schemes

• Goyal et al. [GPSW06]: CP-ABE notion.
• Bethencourt, Sahai and Waters [BSW07]: The first CP-ABE scheme.
• Cheung and Newport [CN07], Goyal et al. [GJPS08], Waters [Waters08/11], Lewko et al. [LOSTW10], and Okamoto and Takashima [OT10] were proposed to achieve better and better expressiveness, efficiency and security.
• [Waters08/11] and [LOSTW10]: expressive (any monotone access structure); efficient; and secure. The two constructions are very similar; the difference is that [Waters08/11] is built on prime-order groups while [LOSTW10] is built on composite-order groups. [Waters08/11] is selectively secure and [LOSTW10] is adaptively secure.


History: Existing MA-CP-ABE Schemes

• Müller et al. [MKE09]: One Central Authority (CA) and Multiple Attribute Authorities (AAs).
  • Selectively secure.
  • Key Escrow: The CA can decrypt all ciphertexts.
• Lewko and Waters [LW11]: Multiple AAs
  • The AAs operate independently from each other.
  • Adaptively secure, in the random oracle model.
  • Key Escrow: Each AA can decrypt the ciphertexts whose policy can be satisfied by the AA’s attribute domain.


Motivation

Construct an MA-CP-ABE system:
• Different attribute domains are managed by different authorities.
• Expressiveness, efficiency and security are not weaker than those of the single-authority CP-ABE in [LOSTW10]:
  • Expressiveness: Support any monotone access structure over the entire attribute universe;
  • Efficiency: similar to that of [LOSTW10];
  • Security: adaptively secure in the standard model.
• No authority can independently decrypt any ciphertext.


Our Results

We constructed a new MA-CP-ABE system.
• Multiple CAs and Multiple AAs.
  • The CAs issue identity-related keys to users but are not involved in any attribute-related operations.
  • The AAs issue attribute-related keys to users.
  • Each AA manages a different attribute domain, and operates independently from other AAs.
  • A party may easily join the system as an AA by registering itself to the CAs and publishing its attribute-related parameters.
• The expressiveness, efficiency and security are comparable to those of the single-authority CP-ABE scheme in [LOSTW10].
• No authority can independently decrypt any ciphertext.


Our Results

[Table: columns LOSTW10 (SA-) CP-ABE, LW11 MA-CP-ABE, Ours MA-CP-ABE; rows Standard Model, Multi-Authority, Prevent Decryption by Individual Authority (one entry: "Partially"), Size of Ciphertext, Size of Secret key, Pairing Computation of Decryption, Size of Public key.]

: The number of CAs. : The number of AAs.


The rest of this presentation…

1. Bilinear map and access structure
2. Our construction
3. Extensions


Background

• Bilinear map:
  where and are three distinct primes; and are cyclic groups of order ; is a map such that
  (1) Bilinear:
  (2) Non-Degenerate: , such that has order in .
• LSSS: Any monotone access structure can be realized by a Linear Secret-Share Scheme (LSSS). An LSSS is a labeled matrix , where is a matrix over and labels each row with a share holder. E.g.,

[Figure: access tree with threshold gates (2,2) and (2,3) over the share holders A, B, C, D.]
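An added example, not taken from the slides: an LSSS for the policy CS AND (PhD OR ALU) from the introduction, with share generation and reconstruction over a prime field. The matrix `A`, the labels `RHO`, the modulus `P` (standing in for the group order) and all function names are assumptions chosen for illustration.

```python
import secrets

P = 2**127 - 1  # prime modulus (assumption, stands in for the group order)

# LSSS (A, rho) for CS AND (PhD OR ALU): rho labels row i of A with an attribute.
A = [(1, 1), (0, -1), (0, -1)]
RHO = ["CS", "PhD", "ALU"]

def share(secret):
    """One share per row: lambda_i = A_i . v, with v = (secret, random...)."""
    v = [secret] + [secrets.randbelow(P) for _ in range(len(A[0]) - 1)]
    return [sum(a * x for a, x in zip(row, v)) % P for row in A]

def solve_omega(rows):
    """Return omega with sum_i omega_i * rows[i] = (1, 0, ..., 0) mod P, or None."""
    n, m = len(rows), len(rows[0])
    # Augmented system [rows^T | e1], reduced by Gauss-Jordan elimination mod P.
    M = [[rows[j][i] % P for j in range(n)] + [int(i == 0)] for i in range(m)]
    pivots, r = [], 0
    for c in range(n):
        p = next((i for i in range(r, m) if M[i][c]), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        inv = pow(M[r][c], -1, P)
        M[r] = [x * inv % P for x in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % P for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][n] for i in range(r, m)):
        return None  # (1, 0, ..., 0) is outside the span: unauthorized set
    omega = [0] * n
    for i, c in enumerate(pivots):
        omega[c] = M[i][n]
    return omega

def reconstruct(attrs, shares):
    """Recover the secret from the shares labelled by attrs, or None."""
    idx = [i for i, a in enumerate(RHO) if a in attrs]
    omega = solve_omega([A[i] for i in idx]) if idx else None
    if omega is None:
        return None
    return sum(w * shares[i] for w, i in zip(omega, idx)) % P
```

With bare shares, pooling the rows available to S_B = {EE, PhD} and S_T = {CS, UnG} reconstructs the secret even though neither set is authorized alone. This is why the scheme binds each user's attribute-related keys together with a distinct random value per user instead of relying on secret sharing alone.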


Our MA-CP-ABE Scheme: Idea

Start from the single authority CP-ABE of [LOSTW10]:

are chosen randomly, is a generator of . .

are chosen randomly.,. are chosen randomly. Constants satisfy .


Our MA-CP-ABE Scheme: Idea

.

are chosen randomly.

• Have no relation with attributes
• Bind all attribute-related keys of a user together; prevent collusion attack from different users (distinct random for each user)

Ideas: Separate the single authority into one CA and multiple AAs.
• CA is responsible for choosing and generating for users;
• When a user submits his to an AA, the AA generates by using .

Problem: is submitted to AA by the user, so that two users (e.g., Bob and Tom) can launch a collusion attack by submitting the same .

Solution: Use a digital signature to bind and the identity of a user together.


Our MA-CP-ABE Scheme: Idea

One-CA-Multi-AA

. .

,.


Our MA-CP-ABE Scheme: Idea

One-CA-Multi-AA

Problem: In the One-CA-Multi-AA system, the CA holds the value of , so that it can decrypt all ciphertexts.

Introduce multiple CAs: CA1, …, CAD.
• Each CAd chooses independently, and publishes to the public parameters.
• In algorithm, .
• Implicitly, we have set that .
• Only when all CAs collude together, can they decrypt a ciphertext.

Multi-CA-Multi-AA


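[Figure: a User interacting with the CAs $CA_1, \dots, CA_D$ and the AAs $AA_1, \dots, AA_K$, with attribute domains $U_1, \dots, U_K$.]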


Our MA-CP-ABE Scheme: Idea

Naive Multi-CA-Multi-AA

.||

.,.


Our MA-CP-ABE Scheme: Idea

Naive Multi-CA-Multi-AA

Problem: When an attacker corrupts a CA, collusion attack can be launched.

E.g., . CA1 is corrupted by Bob and Tom, while CA2 is still secure. In such a case, Bob and Tom should not be able to decrypt a ciphertext with policy . However,
• Bob obtains from CA2; then obtains from AA1;
• They set , and submit this to AA2.
• AA2 is cheated and believes that this “ is legal, because Bob and Tom control CA1 so that they can generate the valid signature.
• Then AA2 generates by using this , which is actually for .
• For the ciphertext, they can reconstruct by using .
--- COLLUSION ATTACK WORKS.

Our MA-CP-ABE


Our MA-CP-ABE Scheme: Idea

Naive Multi-CA-Multi-AA

Solution: Each time CAd generates , it must show the knowledge of to AAk. We addressed this by reusing the CP-ABE scheme of [LOSTW10].

Our MA-CP-ABE

[Figure: $CA_1$ and $CA_2$, $AA_1$ and $AA_2$, and a User, with the values $v_{1,1}, v_{1,2}, v_{2,1}, v_{2,2}$, where $V_{k,d} = g^{v_{k,d}}$.]

• registers to ; uses as the public key corresponding to “attribute (k,d)”
• When visits , regards as the “attributes” of the user


Our MA-CP-ABE Scheme: Idea

Naive Multi-CA-Multi-AA

Our MA-CP-ABE

When visits , regards as the “attributes” of the user:

takes the place of

uses to show to that the corresponding is generated honestly.

[LOSTW10].

[Ours]., .


Conclusion

We constructed an MA-CP-ABE system, where
• Different domains of attributes are managed by different attribute authorities, which operate independently from each other.
• No authority can independently decrypt any ciphertext.

[Table: columns LOSTW10 (SA-) CP-ABE, LW11 MA-CP-ABE, Ours MA-CP-ABE; rows Standard Model, Multi-Authority, Prevent Decryption by Individual Authority (one entry: "Partially"), Size of Ciphertext, Size of Secret key, Pairing Computation of Decryption, Size of Public key.]


Extensions

• Large attribute universe construction: The size of public key is linear in . It can be avoided by using the idea of interpolation.
• Improving performance and reliability of the system:
  • In this paper, is used to distribute to CAs. It is a -threshold policy, so that all CAs must remain active.
  • In the full version of this paper, general -threshold policy is used. Only when CAs are involved, they can decrypt a ciphertext. The system works as long as no more than Δ − D CAs fail.


References

• [SW05] Sahai, A., Waters, B.: Fuzzy identity-based encryption. EUROCRYPT 2005.
• [GPSW06] Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. ACM CCS 2006.
• [BSW07] Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. IEEE Symposium on Security and Privacy, 2007.
• [CN07] Cheung, L., Newport, C.C.: Provably secure ciphertext policy ABE. ACM CCS 2007.
• [GJPS08] Goyal, V., Jain, A., Pandey, O., Sahai, A.: Bounded Ciphertext Policy Attribute Based Encryption. ICALP 2008, Part II.
• [Waters08/11] Waters, B.: Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. PKC 2011.
• [LOSTW10] Lewko, A.B., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: Attribute-based encryption and (Hierarchical) inner product encryption. EUROCRYPT 2010.


• [OT10] Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. CRYPTO 2010.
• [MKE09] Müller, S., Katzenbeisser, S., Eckert, C.: On multi-authority ciphertext-policy attribute-based encryption. Bulletin of the Korean Mathematical Society 2009.
• [LW11] Lewko, A., Waters, B.: Decentralizing attribute-based encryption. EUROCRYPT 2011.


Thanks.

Q&A