An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer.

Presentation transcript:

An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data
Chuang Wang (a, b) and Wensheng Zhang (a)
(a) Department of Computer Science, Iowa State University
(b) Symantec Corporation

1 Background: Data Outsourcing
[Diagram labels: remote un-trusted data storage server; encrypt; decrypt; author; authorized users]

2 ABE (Attribute-based Encryption)
[Diagram labels: Access Structure (OR, AND, “Computer Science”, “ISU”, Graduate); retrieve, decrypt; retrieve, decrypt, X]
derive key based on secrets associated with his attributes

3 Accountability?
What if the secret doc is found exposed?
A trusted third-party authority should be able to find out who has accessed the data (accountability/traceability).
Meanwhile, anonymity of users should be kept from entities other than the authority (including the un-trusted storage server).
[Diagram labels: Access Structure (OR, AND, “Computer Science”, “ISU”, “Symantec”)]

4 Group Signature Scheme
[Diagram labels: Access Structure (OR, AND, “Computer Science”, “ISU”, “Symantec”); Authorized Users]
group public key (gpk)
A user i’s personalized private key ($gsk_i$)
$\sigma_m = \mathrm{sign}(gpk, gsk_i, m)$
$\mathrm{Verify}(gpk, \sigma_m) = 1$?
Record $\sigma_m$ (Authority is able to trace the signature to user i.)

5 Group Signature Scheme: Problem
[Diagram labels: Access Structure (OR, AND, “Computer Science”, “ISU”, “Symantec”); Authorized Users; group public key (gpk); a user i’s personalized private key ($gsk_i$)]
Access structures may be defined on the fly (when a document is outsourced).
Significant communication overhead may be needed to set up private keys for the members of dynamic groups.
The groups of users satisfying the access structures are formed dynamically.

6 Our Proposal: Ad Hoc Group Signature (AdHocSign) – Design Goals
Objective: ad hoc group signature scheme.
Design Requirements
User anonymity: A successfully verified user could be any one of the authorized users.
– Ex: Access Structure = “a AND b”; a successfully-verified user could be any one owning attributes a and b.
– Ex: Access Structure = “(a AND b) OR c”; a successfully-verified user could be any one owning attributes a and b, or any one owning c, and the server and other users cannot know which of the above two cases occurs.
Traceability: The authority is able to trace a signature to a user.

7 Our Proposal: Ad Hoc Group Signature (AdHocSign) – Design Goals
Objective: ad hoc group signature scheme.
Design Requirements
User anonymity: A successfully verified user could be any one of the authorized users.
Accountability (traceability): The authority is able to trace a signature to a user.
Efficiency in communication (for group management): when a new access structure is created, no extra communication for group management (e.g., distributing keys) is required.

8 Our Proposal: Ad Hoc Group Signature (AdHocSign) – Key Ideas
When a user joins: he/she is preloaded with key materials for each attribute assigned.
[Diagram labels: Storage Cost; Communication Cost]
When a document (and associated access structure) is posted to the server: the server is given key materials for the access structure (AS).
[Flowchart: a user’s attributes satisfy the AS? Y: obtain the user-specific and access structure-specific private key for group signature]

9 Basis: Group Signature [BonehShacham’04]
Complexity Assumptions: q-SDH problem; Decision Linear problem
User i’s private key ($gsk_i$): $x_i$, $A_i = g^{1/(\zeta + x_i)}$
Public key (gpk): $g$, $g' = g^{\zeta}$
$e(A_i, g' \times g^{x_i}) = e(g, g)$
[Diagram labels: bilinear mapping; System-wide secret]
Signing: sign(gpk, $gsk_i$, m) → $\sigma_m$
Verifying: verify(gpk, m, $\sigma_m$) → 1/0

10 AdHocSign: Roadmap of the Design
What to do? Construct and give appropriate key materials to users and storage server, s.t., an authorized user is able to derive his/her private key as in the BS group signature scheme.
How?
Consider a conjunction-only access structure
– Ex: “a AND b”
Consider a disjunction-only access structure
– Ex: “a OR b”
Consider a general (i.e., conjunction of disjunctive) access structure
– Ex: “(a OR b) AND (c OR d)”

11 AdHocSign for Conjunction-only Access Structures: Intuition
Access structure T: a AND b
Authority secrets: $\alpha_a$, $\alpha_b$
Server key materials: $r_a$, $r_b$
Public key: $g_T = g^{\alpha_a \times r_a + \alpha_b \times r_b}$, $g_T' = g_T^{\zeta}$
User i private key: $x_i$
User i key materials: for attribute a: $g_{i,a} = g^{\alpha_a/(\zeta + x_i)}$; for attribute b: $g_{i,b} = g^{\alpha_b/(\zeta + x_i)}$; …
$A_i^T = g_{i,a}^{r_a} \times g_{i,b}^{r_b} = g^{(\alpha_a \times r_a + \alpha_b \times r_b)/(\zeta + x_i)}$
$e(A_i^T, g_T' \times g_T^{x_i}) = e(g_T, g_T)$

12 AdHocSign for Disjunction-only Access Structures: Intuition (1)
Access structure T: a OR b
Authority secrets: $\alpha_a$, $\alpha_b$
Server key materials: $r_a = r_T/\alpha_a$; $r_b = r_T/\alpha_b$
Public key: $g_T = g^{r_T}$, $g_T' = g_T^{\zeta}$
User i private key: $x_i$
User i key materials: for attribute a: $g_{i,a} = g^{\alpha_a/(\zeta + x_i)}$; for attribute c: …; …
$A_i^T = g_{i,a}^{r_a} = g^{r_T/(\zeta + x_i)}$
$e(A_i^T, g_T' \times g_T^{x_i}) = e(g_T, g_T)$

13 AdHocSign for Disjunction-only Access Structures: Intuition (2)
Access structure T: a OR b
Authority secrets: $\alpha_a$, $\alpha_b$
Server key materials: $r_a = r_T/\alpha_a$; $r_b = r_T/\alpha_b$
User i key materials: for attribute a: $g_{i,a} = g^{\alpha_a/(\zeta + x_i)}$; …
[Diagram labels: $r_T$, $\zeta$]
Problem: User i can derive $g_{i,b} = g_{i,a}^{r_a/r_b}$, though user i does not own attribute b. Later on, user i can satisfy access structures such as “a AND b”, “b OR x”.

14 AdHocSign for Disjunction-only Access Structure: Intuition (3)
The authority:
For each attribute a, multiple (instead of a single) secret numbers are picked: $\alpha_{a,1}, \alpha_{a,2}, \ldots, \alpha_{a,N}$
Each user i who owns attribute a is preloaded with N secrets (key materials): $g_{i,a,1}, g_{i,a,2}, \ldots, g_{i,a,N}$, where $g_{i,a,k} = g^{\alpha_{a,k}/(\zeta + x_i)}$
Every time a new disjunction-only access structure, e.g., T = “a OR b”, is defined:
– $r_T$ is selected randomly
– $r_{T,a} = r_T/\alpha_{a,k_1}$ and $r_{T,b} = r_T/\alpha_{b,k_2}$, where $\alpha_{a,k_1}$ and $\alpha_{b,k_2}$ have not been used before
– A user i with attribute a or b should use $g_{i,a,k_1}$ or $g_{i,b,k_2}$ to derive its private key
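The reuse problem from slide 13 and the per-structure secrets from slide 14, worked through as an added example (not code from the presentation or the authors' prototype). It assumes a toy order-1019 subgroup of Z_2039^* with constructed values for every secret, replaces the pairing check by the equivalent test A^(ζ+x_i) = g_T computed with ζ, and models the later “a AND b” structure in the slide-14 case as two single-attribute components with unused indices.

```python
# Toy group (constructed): order-Q subgroup of Z_P^*, P = 2Q + 1, generator G.
P, Q, G = 2039, 1019, 4
ZETA, X_I = 77, 123   # system-wide secret and user i's x_i (constructed)

def inv(v):
    """Inverse of an exponent modulo the group order Q."""
    return pow(v, -1, Q)

def user_key(alpha):
    """Preloaded key material g^(alpha / (zeta + x_i))."""
    return pow(G, alpha * inv(ZETA + X_I) % Q, P)

def key_is_valid(A, g_T):
    """Stand-in for e(A, g_T' * g_T^x_i) == e(g_T, g_T): A^(zeta + x_i) == g_T."""
    return pow(A, (ZETA + X_I) % Q, P) == g_T

def reuse_single_alpha():
    """Slide 13: one alpha per attribute; user i owns only attribute a."""
    alpha_a, alpha_b = 11, 29
    g_ia = user_key(alpha_a)
    # "a OR b" is published with r_a = r_T/alpha_a and r_b = r_T/alpha_b.
    r_T = 301
    r_a, r_b = r_T * inv(alpha_a) % Q, r_T * inv(alpha_b) % Q
    derived_b = pow(g_ia, r_a * inv(r_b) % Q, P)   # g_{i,a}^(r_a/r_b)
    # A later "a AND b" (slide 11 form) uses the same alpha_a, alpha_b.
    r_a2, r_b2 = 57, 402
    g_T = pow(G, (alpha_a * r_a2 + alpha_b * r_b2) % Q, P)
    A = pow(g_ia, r_a2, P) * pow(derived_b, r_b2, P) % P
    return derived_b == user_key(alpha_b), key_is_valid(A, g_T)

def reuse_fresh_alpha():
    """Slide 14: every new structure consumes unused alpha_{a,k}, alpha_{b,k}."""
    alpha_a, alpha_b = [11, 13], [29, 31]
    g_ia = [user_key(v) for v in alpha_a]            # user i still owns only a
    r_T = 301
    r_a, r_b = r_T * inv(alpha_a[0]) % Q, r_T * inv(alpha_b[0]) % Q
    derived_b = pow(g_ia[0], r_a * inv(r_b) % Q, P)  # this is only g_{i,b,1}
    # "a AND b" as two one-attribute components (slide 15 form), second secrets.
    r_T1, r_T2 = 57, 402
    r_Ta, r_Tb = r_T1 * inv(alpha_a[1]) % Q, r_T2 * inv(alpha_b[1]) % Q
    g_T = pow(G, (r_T1 + r_T2) % Q, P)
    A = pow(g_ia[1], r_Ta, P) * pow(derived_b, r_Tb, P) % P
    return key_is_valid(A, g_T)

if __name__ == "__main__":
    print(reuse_single_alpha(), reuse_fresh_alpha())
```

With a single secret per attribute the derived value is a working key component for the later structure; with per-structure secrets the value derived from “a OR b” is tied to already-consumed secrets and the combined key fails the check.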

15 AdHocSign for General Access Structures: Intuition
Access structure: (a OR b) AND (c OR d)
Authority: $\alpha_{a,k_1}$, $\alpha_{b,k_2}$, $\alpha_{c,k_3}$, $\alpha_{d,k_4}$; $r_{T1}$, $r_{T2}$
Key materials given to server:
($a$, $k_1$, $r_{T,a} = r_{T1}/\alpha_{a,k_1}$)
($b$, $k_2$, $r_{T,b} = r_{T1}/\alpha_{b,k_2}$)
($c$, $k_3$, $r_{T,c} = r_{T2}/\alpha_{c,k_3}$)
($d$, $k_4$, $r_{T,d} = r_{T2}/\alpha_{d,k_4}$)
Public key: $g_T = g^{r_{T1} + r_{T2}}$, $g_T' = g_T^{\zeta}$

16 AdHocSign for General Access Structures: Intuition
User i: assume the user owns attributes a and d.
Key materials assigned to user i:
For attribute a: … $g_{i,a,k_1} = g^{\alpha_{a,k_1}/(\zeta + x_i)}$ …
For attribute d: … $g_{i,d,k_4} = g^{\alpha_{d,k_4}/(\zeta + x_i)}$ …
Key materials provided by server: ($a$, $k_1$, $r_{T,a} = r_{T1}/\alpha_{a,k_1}$) … ($d$, $k_4$, $r_{T,d} = r_{T2}/\alpha_{d,k_4}$)
$A_i^T = g_{i,a,k_1}^{r_{T,a}} \times g_{i,d,k_4}^{r_{T,d}} = g^{(r_{T1} + r_{T2})/(\zeta + x_i)}$
Private key: ($x_i$, $A_i^T$)
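An added example (not the authors' jPBC prototype) that generalises slides 15 and 16 to any AND of OR-clauses: the authority publishes key materials with unused secret indices, and a user either derives A_i^T or finds the structure unsatisfied. The toy group, all numeric values and the function names are assumptions, and the pairing check is replaced by the test A^(ζ+x_i) = g_T computed with ζ.

```python
# Toy group (constructed): order-Q subgroup of Z_P^*, P = 2Q + 1, generator G.
P, Q, G = 2039, 1019, 4
ZETA = 77   # system-wide secret (constructed)
ALPHA = {"a": [11, 13], "b": [29, 31], "c": [37, 41], "d": [43, 47]}  # alpha_{attr,k}

def inv(v):
    """Inverse of an exponent modulo the group order Q."""
    return pow(v, -1, Q)

def preload(x_i, attrs):
    """g_{i,attr,k} = g^(alpha_{attr,k} / (zeta + x_i)) for each owned attribute."""
    e = inv(ZETA + x_i)
    return {(t, k): pow(G, a * e % Q, P)
            for t in attrs for k, a in enumerate(ALPHA[t])}

def publish(clauses, r_parts, next_k):
    """Authority: server key materials and public key for an AND of OR-clauses.
    next_k[attr] is the first unused secret index; it is advanced here."""
    materials = []
    for clause, r in zip(clauses, r_parts):
        entry = {}
        for t in clause:
            k = next_k[t]
            next_k[t] += 1
            entry[t] = (k, r * inv(ALPHA[t][k]) % Q)   # r_{T,attr} = r_Tj / alpha
        materials.append(entry)
    g_T = pow(G, sum(r_parts) % Q, P)
    return materials, (g_T, pow(g_T, ZETA, P))

def derive(preloaded, materials):
    """User: A_i^T = product of g_{i,attr,k}^(r_{T,attr}), one factor per clause;
    None if some clause has no attribute the user owns."""
    A = 1
    for entry in materials:
        usable = [(t, k, r) for t, (k, r) in entry.items() if (t, k) in preloaded]
        if not usable:
            return None
        t, k, r = usable[0]
        A = A * pow(preloaded[(t, k)], r, P) % P
    return A

def key_is_valid(A, x_i, g_T):
    """Stand-in for e(A, g_T' * g_T^x_i) == e(g_T, g_T): A^(zeta + x_i) == g_T."""
    return pow(A, (ZETA + x_i) % Q, P) == g_T

def demo():
    mats, (g_T, _) = publish([["a", "b"], ["c", "d"]], [301, 57], {t: 0 for t in ALPHA})
    A = derive(preload(123, ["a", "d"]), mats)   # user i owns a and d
    return key_is_valid(A, 123, g_T), derive(preload(456, ["a", "b"]), mats)
```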

17 Security Features: Traceability
Intuitively: It is hard for the storage server and/or colluding users to forge valid signatures that cannot be traced back to any of them, as long as the SDH problem is hard.
Formally: Our proposed AdHocSign scheme is $(t, q_H, q_S, n, m, \varepsilon)$-traceable if the $(q, t', \varepsilon')$-SDH assumption holds, where $n = q - 1$, $\varepsilon = 8n\sqrt{\varepsilon' q_H} + 2n/q$, $t' = O(tmN)$.

18 Security Features: Selfless-anonymity
Intuitively: It is hard for the storage server and/or others to determine whether two signatures pertain to the same user, as long as the Decision Linear problem is hard.
Formally: Our proposed AdHocSign scheme is $(t, q_H, q_S, n, m, \varepsilon)$ selflessly anonymous if the $(t', \varepsilon')$ Decision Linear assumption holds, where $\varepsilon' = \varepsilon(1/n^2 - q_S q_H/p)/2$.

19 Cost Analysis: Computational cost
User’s cost
– Private key preparation
  – x exponentiation operations, where x is the number of disjunctive components in the access structure
  – typically lower than signing cost as long as x is not too large
– Signing (using BS Group Signature Signing)
Server’s cost
– Verification (using BS Group Signature Signing)
Overall: Typically less than twice that of the BS Group Signature scheme

20 Cost Analysis
Communication cost: O(L), where L is the length of an access structure
Storage cost: O(Nx)
– x: total number of attributes owned by a user
– N: total number of secrets preloaded for each attribute
N: the minimum number of different access structures that can be defined dynamically; in practice, more different access structures can be defined dynamically

21 Conclusion
We design a new group signature scheme for dynamically-formed groups:
– Selfless-anonymity
– Traceability
– No user key distribution at dynamic group forming time, at the cost of storing extra key materials when a user joins the system
Applicable when: storage is cheaper than communication (cost for dynamic management of groups)

22 Thank you! Contacts of the authors {wzhang, Full paper:

23 Implementation
Prototype development
– Based on jPBC (Java pairing-based library)
– Adopting the type A curve
Evaluation setup
– User: desktop with 1.83 GHz Genuine Intel processor and 3 GB RAM
– Server: workstation with two 2.13 GHz Intel Xeon processors and 24 GB RAM
Evaluation results
– BS Group Signature
  – Signing cost: 1.65 seconds on average
  – Verification cost: 0.28 seconds on average
– Private key computation in AdHocSign
  – ~0.1 second for each disjunctive component in the access structure