Download presentation
Presentation is loading. Please wait.
Published byElizabeth Solomon Modified over 10 years ago
1
The user accountability/traitor tracing in attribute based encryption
Zhao Qianqian
2
What is the user accountability?
In the attribute based encryption, the user private key is completely associated with his attributes set. Each attribute can be shared by many different users. If the decryption device associated with some attribute ๐ ๐ท appears on eBay, and is alleged to be able to decrypt any ciphertexts with policies satisfied by ๐ ๐ท , no one including the ABE authorities can identify the malicious user(s) who build such a decryption device using their key(s).
3
What is the user accountability?
Because there are many different users whose attributes sets cover the set ๐ ๐ท . It is a very big challenge for the security of attribute based encryption. To design a safe and effective traitor tracing scheme has been a necessity, especially in the actual access control scheme applying the ABE. The realization of the traitor tracing is the so-called user accountability.
4
Two different levels of traceability
White-box traceability: it means that given a well-formed decryption key as input, a tracing algorithm can find the user who owns the key. Black-box traceability: it means that given a decryption black box/device, while the decryption key and even the decryption algorithm could be hidden, the tracing algorithm can still find out the malicious user whose key must have been used in constructing the decryption black box.
5
Multi-Authority Ciphertext-Policy Attribute-Based Encryption with Accountability
Jin Li, Qiong Huang, Xiaofeng Chen, Sherman S. M. Chow, Duncan S. Wong, Dongqing Xie๏ผASIACCS 2011
6
The reason of the multi-authority
The load bottleneck: all the attributes of the users need to be verified by the only authority, which is quite big burden for the system. The escrow problem: the private key of all users is issued by the authority, which means that the authority can decrypt all the ciphertexts in the system.
7
The background of the scheme
Access structure: the policy in the scheme is conjunction of AND-gates on multi-valued attributes with wildcards. Bilinear maps: let ๐บ 1 =< ๐ 1 >, ๐บ 2 =< ๐ 2 > be multiplicative cyclic groups of prime order ๐, and โฏ : ๐บ 1 ร ๐บ 2 โ ๐บ ๐ be a bilinear pairing function.
8
The specific scheme Setup: Let ๐ด 1 ,โฏ ๐ด ๐ , ๐ด ๐+1 be the (๐+1) authorities in the system. Each authority ๐ด ๐ is in charge of a disjoint set of ๐ ๐ attributes. Let the value set of the ๐-th attribute managed by authority ๐ด ๐ be ๐ ๐ = ๐ฃ ๐,๐ 1โช๐โช ๐ ๐ . Also, the set of attributes managed by authority ๐ด ๐+1 is the set of user identities, i.e., ๐ฃ ๐+1,๐ โ 0,1 for all 1โช๐โช ๐ ๐+1 =๐, the bit-length of an identity where 2 ๐ โช๐.
9
The specific scheme Setup: each authority ๐ด ๐ where 1โช๐โช ๐+1 chooses ๐ฅ ๐ โ โค ๐ โ as his private key, computes ๐ฆ ๐ = ๐ 1 ๐ฅ ๐ and sends โฏ ๐ 1 , ๐ 2 ๐ฅ ๐ to the other authorities. Then every authority can compute ๐=โฏ ๐=1 ๐+1 ๐ฆ ๐ , ๐ 2 = ๐=1 ๐+1 โฏ ๐ 1 , ๐ 2 ๐ฅ ๐ as a system public key. ่ฟไธชsystem public key็่ฎบไธๆฅ่ฏดๅ
จ็ฝๅช้่ฆไธไธชๅณๅฏ๏ผ็ถ่่ฟๆ ทไบคไบ็็ปๆๆฏๆๆ็attribute authority้ฝๅฏไปฅ่ฎก็ฎๅบ่ฟๆ ท็ไธไธช็ณป็ปๅๆฐ๏ผไฝๆฏๆๅๆไปฌๅบ็จ็ๆฏๅ่ชไบๅชไธชauthority็ๅข๏ผๅๆญฃๆๅๆฏ่ฆไฝไธบ็ณป็ปๅๆฐๅ
ฌๅผ็๏ผ้ฃไน่ฟๆ ท็ไบคไบ่ฟๆๆไนๅ๏ผ
10
The specific scheme Setup: each authority ๐ด ๐ where 1โช๐โช๐ chooses ๐ ๐,๐, ๐ฃ ๐,๐ , ๐ ๐,๐, ๐ฃ ๐,๐ ๐ ๐,๐, ๐ฃ ๐,๐ from โค ๐ โ , computes ๐ด ๐,๐, ๐ฃ ๐,๐ = ๐ 2 ๐ ๐,๐, ๐ฃ ๐,๐ 1โช๐โช ๐ ๐ , ๐ฃ ๐,๐ โ 0,1 , then also computes ๐ต ๐,๐, ๐ฃ ๐,๐ = ๐ด ๐,๐, ๐ฃ ๐,๐ ๐ ๐,๐, ๐ฃ ๐,๐ ๐ต ๐,๐, ๐ฃ ๐,๐ = ๐ด ๐,๐, ๐ฃ ๐,๐ ๐ ๐,๐, ๐ฃ ๐,๐ , ๐ต ๐,๐, ๐ฃ ๐,๐ โฒ = ๐ด ๐,๐, ๐ฃ ๐,๐ ๐ ๐,๐, ๐ฃ ๐,๐ , and publishes them as the public key component for the value ๐ฃ ๐,๐ of the ๐-th attribute.
11
The specific scheme Setup: the authority ๐ด ๐+1 randomly chooses ๐ ๐+1,๐,๐ from โค ๐ โ and computes ๐ด ๐+1,๐,๐ = ๐ 2 ๐ ๐+1,๐,๐ ๐ด ๐+1,๐,๐ = ๐ 2 ๐ ๐+1,๐,๐ 1โช๐โช๐, ๐โ 0,1 . It also chooses ๐ ๐+1,๐,๐ , ๐ ๐+1,๐,๐ from โค ๐ โ and publishes ๐ต ๐+1,๐,๐ = ๐ด ๐+1,๐,๐ ๐ ๐+1,๐,๐ and ๐ต ๐+1,๐,๐ โฒ = ๐ด ๐+1,๐,๐ ๐ ๐+1,๐,๐ as the public key of authority ๐ด ๐+1 .
12
The specific scheme Setup: each authority ๐ด ๐ 1โช๐โช ๐+1 shares a secret pseudorandom function ๐๐
๐น seed ๐ ๐ ๐ โฒ โ โค ๐ โ with each other authority ๐ด ๐ โฒ . It also chooses a PRF seed ๐ ๐ โ โค ๐ โ and computes ๐ฆ ๐ โฒ = ๐ 1 ๐ ๐ , which is sent to all other authorities. It then defines a pseudorandom function ๐๐
๐น ๐, ๐ โฒ ๐บ๐ผ๐ท = ๐ 1 ๐ ๐ ๐ ๐ โฒ ๐ ๐, ๐ , +๐ where ๐=๐ป ๐บ๐ผ๐ท and ๐ป: 0,1 ๐ โ ๐ ๐ is a collision-resistant hash function. The GID is the specific user identity.
13
The specific scheme The system public parameter is
๐ 1 , ๐ 2 ,๐,๐ป โ , ๐ฆ ๐ โฒ , ๐ด ๐,๐, ๐ฃ ๐,๐ ,๐ต ๐,๐, ๐ฃ ๐,๐ , ๐ต ๐,๐, ๐ฃ ๐,๐ โฒ 1โช๐โช ๐ ๐ , ๐ฆ ๐+1 โฒ , ๐ด ๐+1,๐,๐ , ๐ต ๐+1,๐,๐ , ๐ต ๐+1,๐,๐ โฒ 1โช๐โช๐,๐โ 0,1
14
The specific scheme AKeyGen: the user with global identity ๐บ๐ผ๐ท= ๐ผ 1 ,โฏ ๐ผ ๐ โ 0,1 ๐ first gets ๐ท ๐๐ for ๐โ ๐ by using the anonymous key-issuing protocol with the kโ๐กโ authority. In more details, the user starts ๐ independent invocations of the anonymous protocol on input ๐ฆ ๐ โฒ ๐ ๐ , ๐ 1 , ๐ฟ ๐,๐ ๐
๐,๐ , ๐ ๐,๐ , ๐ฟ ๐,๐ with the kโ๐กโ authority.
15
The specific scheme AKeyGen: where ๐
๐,๐ โ ๐ ๐ โ is randomly chosen by the authority ๐ด ๐ , and ๐ฟ ๐,๐ is 1 if ๐>๐ and โ1 otherwise, for ๐โ 1,โฏ,๐+1 \ ๐ . At the end of the protocol, the user obtains ๐ท ๐,๐ = ๐ 1 ๐
๐,๐ ๐๐
๐น ๐,๐ ๐บ๐ผ๐ท if ๐>๐, and ๐ท ๐,๐ = ๐ 1 ๐
๐,๐ /๐๐
๐น ๐,๐ ๐บ๐ผ๐ท otherwise. After interacted with all ๐+1 authorities, the user computes ๐ท= ๐ท ๐ ๐ โฒ = ๐ 1 ๐
where R= ๐
๐ ๐ โฒ (for all k, ๐ โฒ โ 1,โฏ,๐+1 ,๐โ ๐ โฒ ).
16
The specific scheme AKeyGen: to get a private key for an attribute ๐ธ ๐ โ ๐ ๐ from authority ๐, the authority ๐ด ๐ picks up random ๐ ๐,1 , ๐ ๐,2 ,โฏ, ๐ ๐, ๐ด ๐ โ1 , ๐ ๐,1 , ๐ ๐,2 ,โฏ, ๐ ๐, ๐ด ๐ โ ๐ ๐ โ and computes ๐ ๐, ๐ด ๐ = ๐ฅ ๐ โ ๐=1 ๐ด ๐ โ1 ๐ ๐,๐ โ ๐ โฒ โ 1,โฏ,๐+1 \ ๐ ๐
๐ ๐ โฒ mod p. Finally, the private key component for each eligiable attribute ๐ฃ ๐,๐ in ๐ธ ๐ is computed as
17
The specific scheme AKeyGen: ๐ 1 ๐ ๐,๐ ๐ 1 ๐ ๐,๐, ๐ฃ ๐,๐ ๐ ๐,๐, ๐ฃ ๐,๐ ๐ ๐,๐ ๐ ๐,๐, ๐ฃ ๐,๐ , ๐ 1 ๐ ๐,๐, ๐ฃ ๐,๐ ๐ ๐,๐ , ๐ 1 ๐ ๐,๐, ๐ฃ ๐,๐ ๐ ๐,๐ Similarly, the private key from authority ๐ด ๐+1 is computed as ๐ 1 ๐ ๐ ๐ 1 ๐ ๐+1,๐, ๐ผ ๐ ๐ ๐ ๐ ๐ ๐ ๐ , ๐ 1 ๐ ๐+1,๐, ๐ผ ๐ ๐ ๐ , ๐ 1 ๐ ๐+1,๐, ๐ผ ๐ 1โช๐โช๐
18
The specific scheme AKeyGen: where ๐ ๐ , ๐ ๐ are randomly chosen so that ๐ ๐ = ๐ฅ ๐+1 โ ๐=1 ๐โ1 ๐ ๐ โ ๐ โฒ โ 1,2,โฏ๐ ๐
๐+1, ๐ โฒ ๐๐๐ ๐. This is the only authority who sees GID in clear.
19
The specific scheme Enc: to encrypt a message ๐โ ๐บ ๐ under the policy โ= โ 1 โโฏโ โ ๐ , the encryptor first picks random ๐ง and computes ๐ถ โฒ =๐โ ๐ ๐ง , ๐ถ 0 = ๐ 2 ๐ง .
20
The specific scheme Enc:
21
The specific scheme Enc:
22
The specific scheme Enc:
23
The specific scheme Enc:
24
The specific scheme
25
The specific scheme Trace: Suppose that there is a pirate device which is able to decrypt ciphertexts under policy โ. One can pinpoint the exact identity ๐บ๐ผ๐ท= ๐ผ 1 ,โฏ, ๐ผ ๐ incorporated in the device bit-by-bit as follows: 1. Initiate a counter ๐=1. 2. Choose a random message ๐โ ๐บ ๐ . Encrypt ๐ under the policy โ by setting the bits of the identity ๐ผ 1 =1, โฏ ๐ผ ๐ =1 and the other bits being ๐ผ ๐+1 =โฏ=โฏ ๐ผ ๐ =โ.
26
The specific scheme Trace: 3. Feed the ciphertext to the decryption device. If the message output by the device is correct, e.g. equal to ๐, increase the counter j by one and go to Step 2. Otherwise, encrypt another ๐ under the policy โ by setting the bit of the identity ๐ผ 1 =โฏ= ๐ผ ๐โ1 =1, ๐ผ ๐ =0 and the other bits being ๐ผ ๐+1 =โฏ=โฏ ๐ผ ๐ =โ.
27
The specific scheme Trace: The iteration stops until the whole identity is recovered, e.g. ๐=๐. It can be readily seen that the iteration repeats for at most ๐ times.
28
The advantage of this scheme
Public traceability: it means any user in this system can achieve this traceability and do not need other confidential information. Black-box
29
The disadvantage of this scheme
Access structure: its access policy in this system is not expressive. It is only the combination of AND-gates. The ability of pirate device: the pirate device only can decrypt the ciphertexts of the one access policy โ.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.