Using Ciphertext Policy Attribute Based Encryption for Verifiable Secret Sharing


Post on 28-Aug-2018







<ul><li><p>Using Ciphertext Policy Attribute Based Encryption for Verifiable Secret Sharing</p>
<p>Nishant Doshi<sup>1</sup>, Devesh Jinwala<sup>2</sup></p>
<p><sup>1,2</sup>Computer Engineering Department, S V National Institute of Technology, Surat, India</p>
<p>Abstract - Threshold secret sharing schemes are used by a dealer to divide a given secret into parts such that no fewer than a threshold number of shareholders can reconstruct the secret. However, these schemes are susceptible to malicious behavior by a shareholder or by the dealer. To prevent such attacks it is necessary to make provision for verifying the integrity of the shares distributed by the dealer; such verification ensures a fair reconstruction of the secret. In this paper we present a novel approach to verifiable secret sharing in which neither the dealer nor the shareholders are assumed to be honest. The proposed scheme uses attribute based encryption (ABE) to provide verifiability and a semantically correct reconstruction of the secret. We call the new protocol AB-VSS (Attribute Based Verifiable Secret Sharing).</p>
<p>Keywords: Attribute, Attribute based cryptography, Network Security, Verifiable secret sharing.</p>
<p>1 Introduction</p>
<p>In modern cryptography the security of a cipher depends heavily on the secrecy of the cryptographic key it uses, so the key must be carefully guarded. One way to do so is to keep the key in a single well-guarded location; but once that location is compromised, the system fails completely. The other extreme is to distribute the secret across multiple locations. Such a decentralized approach, however, increases the exposure to failure and makes the potential attacker's task easier. Moreover, in the real world the stakeholders and the key distributor may not trust each other. Secret sharing is a good solution to these problems: a secret is distributed among a number of shareholders such that no fewer than a designated number of them can reconstruct it. "Secret sharing" is something of a misnomer, since what is distributed among the participants are shares of the secret, not the secret itself, precisely to cope with the mutual mistrust; the scheme is better termed threshold secret sharing.</p>
<p>Adi Shamir [1] and G. Blakley [2] independently introduced the concept of threshold secret sharing in 1979. In these proposals a dealer D holding a secret s distributes it among n shareholders so that any quorum of fewer than t shareholders cannot regenerate the secret, while any combination of at least t shareholders can regenerate it correctly. An interesting real-world illustration was reported in Time Magazine: in the early 1980s the erstwhile USSR used a two-out-of-three access control mechanism for its nuclear weapons, with the President, the Defense Minister and the Defense Ministry as the three parties.</p>
<p>Shamir's threshold secret sharing scheme [1] has been studied extensively in the literature. It is information theoretically secure, but it provides no security against cheating, because it assumes that the dealer and the shareholders are honest. In the real world they may not be: a misbehaving dealer can distribute inconsistent shares to the participants, and misbehaving shareholders can submit fake shares during reconstruction. To prevent such cheating we need a Verifiable Secret Sharing (VSS) scheme. VSS was first proposed in 1985 by Benny Chor et al. [3]; in their scheme the validity of the shares distributed by the dealer is verified by the shareholders without revealing any information about the secret. The initial VSS schemes were interactive: verifying the validity of the shares required interaction between the dealer and the shareholders [4]. That scheme used a homomorphic probabilistic encryption function; however, it only verifies the shares the dealer gives to the shareholders and does not verify the shares at reconstruction time. The interaction itself imposes a large overhead on the dealer, as a single dealer may have to deal with a large number of shareholders. Later, non-interactive VSS schemes were proposed to remove this overhead from the dealer [5][6][7].</p>
<p>The non-interactive VSS proposed by Paul Feldman [5] relies on each share proving its own validity. The scheme in [6] tries to verify the reconstructed secret by maximally matching the secret; it works in the same way as [1] when a threshold number of parts is supplied for reconstruction. The scheme in [7] iterates the secret sharing process m times, once with the real secret S and otherwise with dummy secrets, so each shareholder holds m shares; this increases the storage, communication and computation cost. The schemes in [8][9] are based on a hash function; their flaws are discussed in [10].</p>
<p>Thus, by our observation, these schemes assume that the dealer is honest and that the shareholders accept their shares without any verification; the shareholders</p></li><li><p>simply cannot identify cheaters in the system. The existing approaches to verifiable secret sharing either verify the shares (those distributed by the dealer, or those submitted by shareholders for reconstruction) or verify the reconstructed secret, but not both.</p>
<p>To verify shares, a dealer either transfers some additional information, such as check vectors [11] or certificate vectors, or uses a different encryption mechanism. VSS schemes that do not use check or certificate vectors rest, in one way or another, on the intractability of a number theoretic problem; schemes that do use them impose extra overhead on the dealer, which must compute and distribute that information to a large number of participants.</p>
<p>In this paper we use and extend the verifiable secret sharing approach not only to verify the validity of the shares distributed by the dealer, but also to verify the shares submitted by shareholders for reconstruction and to verify the reconstructed secret. We use the notions of Attribute Based Encryption to overcome the limitations of the existing schemes while offering user verification, secret distribution and secret regeneration from valid threshold secret parts.</p>
<p>The scheme in [12] discusses cheater detection when there are cheaters among n = 2t − 1 shareholders; however, it is vulnerable to attacks. The scheme in [13] uses Elliptic Curve Cryptography for VSS, but it requires the dealer to hide the secret in a secure place, so if the dealer is compromised the secret is lost forever; in our approach, by contrast, anyone holding a threshold number of shares can regenerate the secret. The scheme in [14] devises secret sharing from the Chinese Remainder Theorem (CRT), but a malicious shareholder can alter its own share, submit the fake share and cause a fake secret to be reconstructed, rendering the scheme useless.</p>
<p>Our scheme, which employs the notions of Attribute Based Encryption, is free from all of these attacks. To the best of our knowledge it is the first attempt to use Attribute Based Encryption for secret sharing.</p>
<p>1.1 Attribute Based Cryptography (ABC)</p>
<p>In this section we review the state of the art in ABC and justify the scheme used in our approach.</p>
<p>ABC was motivated by Identity Based Encryption (IBE), which in turn was motivated by the desire to overcome the certificate management burden of traditional Public Key Cryptography. The basic idea of ABC is to use some publicly known attributes of a user as that user's public key. In traditional IBE the identity of a user is specified by a string of characters, such as a name, an email ID or a network address. This makes it cumbersome to establish the necessary correlation between the identity in a user's private key and the identity bound to the ciphertext he intends to decrypt, because even a slight mismatch makes the match fail. Hence, in a variant of traditional IBE, the identity is specified as a set of descriptive attributes. In the first such scheme, Fuzzy Identity Based Encryption (FIBE) [15], a user with identity W' can decrypt a ciphertext meant for a user with identity W if and only if |W ∩ W'| ≥ d, where d is a threshold fixed at setup.</p>
<p>In [16] the authors propose a more expressive ABE scheme, Key Policy Attribute Based Encryption (KP-ABE). In KP-ABE a ciphertext is associated with a defined set of attributes and a user's secret key is associated with a policy over those attributes; the secret key can decrypt only if the access structure in the key is satisfied by the attributes in the ciphertext. Conversely, the authors of [17] propose a fully functional Ciphertext Policy Attribute Based Encryption (CP-ABE), in which a user's secret key is associated with a set of attributes and the ciphertext is associated with a policy. One limitation of CP-ABE schemes is that the ciphertext length depends on the number of attributes: with s attributes involved in the policy, the ciphertext length grows with s (in [17] it is linear in s).</p>
<p>In [18] the authors propose another CP-ABE that supports positive and negative attributes, but its decryption policies are limited to AND gates only. In [19][20] the authors first overcome the limitation on ciphertext length and propose constant size ciphertexts.</p>
<p>Motivated by these efforts, our scheme uses the approach proposed in [17]; for a large number of shares the constructions of [19][20] can be used. [21] uses time specific encryption, in which time is an attribute and a time limit is a condition in the policy, so that a user can decrypt a ciphertext only if he holds valid attributes at the right time.</p>
<p>In VSS we can add a time attribute if the secret must be regenerated only within a specific time window; once that time passes the secret becomes invalid. For example, during a war a secret key to fire a missile can be generated with a specific time limit, so that after the war is over the secret becomes invalid by itself. Likewise, if the user must be at a particular location at the time of secret generation or verification, a location attribute can be added to the proposed scheme. If the same dealer has more than one set of n shareholders, and two shareholders from different sets exchange their secret keys (which are derived from the hash value of the share), the resulting attack is not possible in our approach: an exchanged key cannot satisfy the policy.</p>
<p>Organization of the paper: The rest of the paper is organized as follows. The second section explains the preliminaries used throughout the paper. The third section introduces our proposed approach to verifiable secret sharing, which we analyze in the fourth section, together with a snapshot using the CP-ABE toolkit. The last section concludes the paper, followed by the references.</p></li><li><p>2 Preliminaries</p>
<p>2.1 Notations</p>
<p>Most cryptographic protocols require randomness, for example to generate a random secret key. We write x ←<sub>R</sub> A for the operation of selecting an element x uniformly at random from a set A. We use ⊥ to denote the NULL output. This paper works in the computational security setting, where security is defined in terms of string length: for ℓ ∈ ℕ, 1<sup>ℓ</sup> denotes the string of ℓ ones, and if x is a string then |x| denotes its length, e.g. |1<sup>ℓ</sup>| = ℓ.</p>
<p>2.2 Secret sharing</p>
<p>Divide a secret S into n parts S<sub>1</sub>, …, S<sub>n</sub> and distribute them among a set of n shareholders in such a way that, for a threshold value t, knowledge of any t or more parts S<sub>i</sub> allows S to be computed easily, while knowledge of any t − 1 or fewer parts leaves S completely undetermined. Such a scheme is called a (t, n) threshold secret sharing scheme [1].</p>
<p>2.3 CP-ABE construction [17]</p>
<p>The CP-ABE toolkit consists of the following four algorithms.</p>
<p>1. Setup: takes an implicit security parameter and outputs the public parameters PK and a master key MK.</p>
<p>2. KeyGen(MK, S): the key generation algorithm, run by the CA, takes as input the CA's master key and the set of attributes S of a user, and generates the secret key SK.</p>
<p>3. Encrypt(PK, M, A): the encryption algorithm takes as input the message M, the public parameters PK and an access structure A over the universe of attributes. It outputs a ciphertext CT such that only users who hold a set of attributes satisfying the access policy can decrypt. We assume that CT implicitly contains the access structure A.</p>
<p>4. Decrypt(PK, CT, SK): the decryption algorithm, run by a user, takes as input the public parameters, the ciphertext CT containing the access structure A and the secret key SK for the user's attribute set S. If S satisfies the access tree, the algorithm decrypts CT and outputs M; otherwise it outputs ⊥.</p>
<p>3 Proposed approach for VSS</p>
<p>3.1 Share Generation and Distribution Phase</p>
<p>Input: Secret S ∈ GF(p) and a public hash function H. Output: shares S<sub>i</sub> of the secret S, where i = 1, 2, 3, …, n.</p>
<p>1. Dealer D chooses a large prime p > max(S, n).</p>
<p>2. It then selects t − 1 random, independent coefficients a<sub>1</sub>, …, a<sub>t−1</sub>, where each a<sub>j</sub> ∈ GF(p).</p>
<p>3. It forms the random polynomial f(x) = a<sub>0</sub> + a<sub>1</sub>x + … + a<sub>t−1</sub>x<sup>t−1</sup> over GF(p) and sets a<sub>0</sub> = S, so that f(0) = S.</p>
<p>4. It computes the share S<sub>i</sub> = f(i) for each shareholder and distributes the pair (i, S<sub>i</sub>) to the i-th shareholder. We assume that every user has only one attribute, derived from its share with the public hash function H. The shareholder's key is SK<sub>i</sub> = KeyGen(MK, A<sub>i</sub>), where MK is the master key of the dealer and A<sub>i</sub> is the attribute set of the i-th user.</p>
<p>5. The dealer builds the policy as an access tree structure: policy = Encrypt(PK, M, T), where PK is the public key of the dealer, M is a message and T is the tree structure. The tree encodes the condition that the shareholders' attributes must satisfy.</p>
<p>6. The dealer broadcasts the policy and t in a public file.</p>
<p>7. Each i-th shareholder verifies its share by Decrypt(policy, SK<sub>i</sub>). If the message M is successfully decrypted then use...</p></li></ul>
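The share generation of Section 3.1 is the (t, n) sharing of Section 2.2, and the two cheating cases of Section 1 (a dealer handing out an inconsistent share, a shareholder submitting a fake one at reconstruction) are exactly what a non-interactive VSS must catch. The Python below is an example added to this page, not code from the paper or from the CP-ABE toolkit: it deals Shamir shares over GF(q) and attaches Feldman commitments [5] so that each share proves its own validity, letting a shareholder reject a bad share from the dealer and letting the combiner discard a forged share before interpolating. The group (q = 1019, p = 2q + 1, g = 4) is a constructed toy-sized parameter set chosen for readability, and the function names `deal`, `verify_share`, `reconstruct` and `reconstruct_verified` are this example's own.

```python
import secrets

# Constructed, toy-sized group parameters (illustrative only): shares live in
# GF(Q), P = 2Q + 1 is a safe prime and G = 4 generates the order-Q subgroup.
Q = 1019
P = 2 * Q + 1
G = 4


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert _is_prime(Q) and _is_prime(P) and G != 1 and pow(G, Q, P) == 1


def deal(secret, t, n):
    """Dealer D (Section 3.1, steps 1-4): pick a random degree t-1 polynomial
    f over GF(Q) with f(0) = secret, hand out shares (i, f(i)) for i = 1..n and
    publish Feldman commitments C_j = G^a_j to the coefficients."""
    if not (0 <= secret < Q and 1 <= t <= n < Q):
        raise ValueError("need 0 <= secret < Q and 1 <= t <= n < Q")
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]

    def f(x):
        return sum(a * pow(x, j, Q) for j, a in enumerate(coeffs)) % Q

    shares = [(i, f(i)) for i in range(1, n + 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments


def verify_share(share, commitments):
    """Shareholder check that a share is consistent with the dealer's
    commitments: G^s_i == prod_j C_j^(i^j) mod P. No interaction is needed."""
    i, s = share
    expected = 1
    for j, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, j, Q), P) % P
    return pow(G, s, P) == expected


def reconstruct(shares):
    """Lagrange interpolation of f(0) over GF(Q) from t distinct shares."""
    secret = 0
    for i, s in shares:
        num = den = 1
        for k, _ in shares:
            if k != i:
                num = num * (-k) % Q
                den = den * (i - k) % Q
        secret = (secret + s * num * pow(den, -1, Q)) % Q
    return secret


def reconstruct_verified(submitted, commitments, t):
    """Combiner: drop every submitted share that fails verify_share, then
    reconstruct only if at least t valid shares remain; otherwise return
    None (the NULL output)."""
    valid = [sh for sh in submitted if verify_share(sh, commitments)]
    if len(valid) < t:
        return None
    return reconstruct(valid[:t])


def demo():
    """An honest run, a cheating dealer and a cheating shareholder."""
    secret, t, n = 424242 % Q, 3, 5
    shares, commits = deal(secret, t, n)
    all_ok = all(verify_share(sh, commits) for sh in shares)
    # Misbehaving dealer: shareholder 2 receives an inconsistent share.
    i, s = shares[1]
    bad_dealer_caught = not verify_share((i, (s + 1) % Q), commits)
    # Misbehaving shareholder 1 submits a fake share at reconstruction.
    forged = [(shares[0][0], (shares[0][1] + 7) % Q)] + shares[1:3]
    naive_is_wrong = reconstruct(forged) != secret   # unverified combiner fooled
    checked = reconstruct_verified(forged, commits, t)      # None: rejected
    honest = reconstruct_verified(shares[2:], commits, t)   # equals secret
    return all_ok, bad_dealer_caught, naive_is_wrong, checked, honest == secret


if __name__ == "__main__":
    print(demo())
```

The commitments reveal nothing about f(0) beyond G^S, which is why Feldman's scheme is only computationally hiding; the page's later steps replace this public check with the CP-ABE decryption test, but the reconstruction arithmetic is the same.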

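Step 7 of Section 3.1 rests on the Decrypt rule of Section 2.3: M is returned only if the key's attribute set satisfies the ciphertext's access tree, otherwise ⊥. The Python below is an example added to this page, not the paper's or the toolkit's code: it evaluates an access tree built from threshold gates (the toolkit's "k of" gates, with AND and OR as the n-of-n and 1-of-n special cases) against a key's attributes, and derives each shareholder's single attribute from the hash of its share as the page describes. Everything else is this example's assumption: the policy shape (any one share attribute of a given share set AND an epoch attribute, standing in for the time attribute of [21]), the attribute encoding and the names `share_attribute`, `satisfies`, `model_decrypt`, `build_policy` and `keygen`. The pairing-based encryption itself is not modelled, only the access-structure decision; the page does not give the dealer's actual tree.

```python
import hashlib


def share_attribute(dealer_id, share_set, index, share):
    """Assumed binding of a shareholder's single attribute to its share: the
    public hash H over (dealer, share set, index, share value)."""
    data = f"{dealer_id}|{share_set}|{index}|{share}".encode()
    return "share:" + hashlib.sha256(data).hexdigest()[:16]


def satisfies(node, attrs):
    """Evaluate an access tree against an attribute set. A leaf is an attribute
    string; an inner node is (k, children), meaning 'k of children', so an AND
    gate is (len(children), children) and an OR gate is (1, children)."""
    if isinstance(node, str):
        return node in attrs
    k, children = node
    return sum(satisfies(child, attrs) for child in children) >= k


def model_decrypt(policy, message, key_attrs):
    """Models Decrypt(PK, CT, SK): M when the key's attribute set satisfies the
    ciphertext's access tree, None (the NULL output) otherwise."""
    return message if satisfies(policy, key_attrs) else None


def build_policy(dealer_id, share_set, shares, epoch):
    """Assumed policy for this example: (any one of this share set's share
    attributes) AND the epoch attribute, i.e. a 1-of-n gate under a 2-of-2 gate."""
    leaves = [share_attribute(dealer_id, share_set, i, s) for i, s in shares]
    return (2, [(1, leaves), f"epoch:{epoch}"])


def keygen(dealer_id, share_set, index, share, epoch):
    """Models KeyGen(MK, A_i): the key carries the share attribute plus the
    epoch it was issued under."""
    return {share_attribute(dealer_id, share_set, index, share), f"epoch:{epoch}"}


def demo():
    dealer = "dealer-D"
    # Constructed share values; the sharing arithmetic is irrelevant here.
    set_a = [(1, 911), (2, 314), (3, 271), (4, 577), (5, 141)]
    set_b = [(1, 123), (2, 456), (3, 789), (4, 101), (5, 112)]
    policy_a = build_policy(dealer, "A", set_a, 2024)
    honest = model_decrypt(policy_a, "M", keygen(dealer, "A", 2, 314, 2024))
    # Shareholder 2 presents a key issued for the dealer's other set B.
    swapped = model_decrypt(policy_a, "M", keygen(dealer, "B", 2, 456, 2024))
    # The share value was altered by one, so its hash is not a leaf of the tree.
    tampered = model_decrypt(policy_a, "M", keygen(dealer, "A", 2, 315, 2024))
    # Right share, wrong epoch: the time condition in the policy fails.
    expired = model_decrypt(policy_a, "M", keygen(dealer, "A", 2, 314, 2023))
    return honest, swapped, tampered, expired


if __name__ == "__main__":
    print(demo())
```

Because a key carries a hash of the share rather than the share itself, the broadcast policy exposes no share values, and a key from another shareholder set or an altered share maps to a leaf that is absent from the tree, which is the key-exchange argument of Section 1.1.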
