Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer.

Published byRoland Johnston Modified over 9 years ago

Similar presentations

Presentation on theme: "An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer."— Presentation transcript:

1 An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer Science Iowa State University b Symantec Corporation

2 1 Background: Data Outsourcing remote un-trusted data storage server encrypt decrypt author authorized users

3 2 ABE (Attribute-based Encryption) OR AND “Computer Science” “ISU” “PrivacyGrp @Symantec ” Access Structure Graduate student @cs.iastate retrieve decrypt retrieve decrypt X derive key based on secrets associated with his attributes

4 3 Accountability? What if the secret doc is found exposed? A trusted third-party authority should be able to find out who have accessed the data (accountability/ traceability) Meanwhile, anonymity of users should be kept from entities other than the authority (including the un-trusted storage server) OR AND “Computer Science” “ISU” “Privacy@ Symantec” Access Structure

5 4 Group Signature Scheme OR AND “Computer Science” “ISU” “Privacy@ Symantec” Access Structure group public key (gpk) A user i’s personalized private key (gsk i ) m σ m = sign(gpk, gsk i, m) Verify(gpk, σ m )=1? Record σ m (Authority is able to trace the signature to user i.) Authorized Users

6 5 Group Signature Scheme: Problem OR AND “Computer Science” “ISU” “Privacy@ Symantec” Access Structure group public key (gpk) A user i’s personalized private key (gsk i ) Access structures may be defined on the fly (when a document is outsourced) Significant communication overheads may need to set up private keys for the members of dynamic groups The groups of users satisfying the access structures are formed dynamically Authorized Users

7 6 Our Proposal: Ad Hoc Group Signature (AdHocSign) – Design Goals Objective: ad hoc group signature scheme. Design Requirements User anonymity: A successfully verified user could be any one of the authorized users. – Ex: Access Structure = “a AND b”; a successfully-verified user could be any one owning attributes a and b. – Ex: Access Structure = “(a AND b) OR c”; a successfully- verified user could be any one owning attributes a and b, or any one owning c, and the server and other users cannot know which of the above two cases occurs. Traceability: The authority is able to trace a signature to a user.

8 7 Our Proposal: Ad Hoc Group Signature (AdHocSign) – Design Goals Objective: ad hoc group signature scheme. Design Requirements User anonymity: A successfully verified user could be any one of the authorized users. Accountability (traceability): The authority is able to trace a signature to a user. Efficiency in communication (for group management): when a new access structure is created, no extra communication for group management (e.g., distributing keys) is required.

9 8 Our Proposal: Ad Hoc Group Signature (AdHocSign) – Key Ideas When a user joins: he/she is preloaded key materials for each attribute assigned. Storage CostCommunication Cost When a document (and associated access structure) posted to server: server is given key materials for the access structure (AS). A user’s attributes satisfy the AS Y Obtain: the user-specific and access structure-specific privacy key for group signature

10 9 Basis: Group Signature [BonehShacham’04] Complexity Assumptions: q-SDH problem Decision Linear problem x i, A i =g 1/(ζ+x i ) g, g’=g ζ user i’s private key (gsk i )public key (gpk) e(A i, g’×g ) = e(g, g) xixi bilinear mapping System-wide secret Signing: sign(gpk, gsk i, m)  σ m Verifying: verify(gpk, m, σ m )  1/0

11 10 AdHocSign: Roadmap of the Design What to do? Construct and give appropriate key materials to users and storage server, s.t., an authorized user is able to derive his/her private key as in the BS group signature scheme How? Consider a conjunction-only access structure – Ex: “a AND b” Consider a disjunction-only access structure – Ex: “a OR b” Consider a general (i.e., conjunction of disjunctive) access structure – Ex: “(a OR b) AND (c OR d)”

12 11 AdHocSign for Conjunction-only Access Structures: Intuition AND ab Access structure: T Secrets: α a, αbαb Authority Server Key materials: r a, r b Public key: g T = g g T ’ = g T ζ α a ×r a +α b ×r b User i Private key: x i Key materials: for attribute a: g i,a =g for attribute b: g i,b =g … … α a /(ζ+x i ) α b /(ζ+x i ) A i T = g i,a ×g i,b = g rbrb rara (α a ×r a +α b ×r b )/(ζ+x i ) e(A i T, g T ’×g T x i ) = e(g T, g T )

13 12 AdHocSign for Disjunction-only Access Structures: Intuition (1) OR ab Access structure: T Secrets: αa,αa, αb,αb, Authority Server Key materials: r a = r T /α a ; r b = r T /α b Public key: g T = g g T ’ = g T ζ rTrT User i Private key: x i Key materials: for attribute a: g i,a =g for attribute c: … … … α a /(ζ+x i ) A i T = g i,a = g rara r T /(ζ+x i ) e(A i T, g T ’×g T x i ) = e(g T, g T ) rTrT

14 13 AdHocSign for Disjunction-only Access Structures: Intuition (2) OR ab Access structure: T Secrets: αa,αa, αb,αb, Authority Server Key materials: r a = r T /α a ; r b = r T /α b User i Key materials: for attribute a: g i,a =g … … α a /(ζ+x i ) r T, ζ Problem: User i can derive g i,b = g i,a, r a /r b though user i does not own attribute b. Later on, user i can satisfy access structures such as “a AND b”, “b OR x”.

15 14 AdHocSign for Disjunction-only Access Structure: Intuition (3) The authority For each attribute a, multiple (instead of a single) secret numbers are picked: α a,1, α a,2, …, α a,N Each user i who owns attribute a is preloaded with N secrets (key materials): g i,a,1, g i,a,2, …, g i,a,N, where g i,a,k = g Every time when a new disjunction-only access structure, e.g., T=“a OR b”, is defined: r T is selected randomly r T,a = r T /α a,k1 and r T,b = r T /α b,k2, where α a,k1 and α b,k2 have not been used before A user i with attribute a or b should use g i,a,k1 or g i,b,k2 to derive its private key α a, k /(ζ+ x i )

16 15 AdHocSign for General Access Structures: Intuition OR cd Access structure α a,k1 Authority OR a b AND α b,k2 α c,k3 α d,k4 r T1 r T2 Server Key materials given to server: (a, k1, r T,a = r T1 / α a,k1 ) (b, k2, r T,b = r T1 / α b,k2 ) (c, k3, r T,c = r T2 / α c,k3 ) (d, k4, r T,d = r T2 / α d,k4 ) Public key: g T = g r T1 +r T2 g T ’ = g T ζ

17 16 AdHocSign for General Access Structures: Intuition User i Assume the user owns attributes a and d Key materials assigned to user i: For attribute a … g i,a,k1 = g … For attribute d … g i,d,k4 = g … α a,k1 /(ζ+x i ) α d,k4 /(ζ+x i ) Key materials provided by server: (a, k1, r T,a = r T1 / α a,k1 ) … …. (d, k4, r T,d = r T2 / α d,k4 ) A i T = g i,a,k1 × g i,d,k4 = g r T, a r T, d (r T1 +r T2 )/(ζ+x i ) Private key: (x i, A i T )

18 17 Security Features Traceability Intuitively: Storage server and/or collusive users are hard to forge valid signatures that cannot trace back to any of them, as long as the SDH problem is hard. Formally: Our proposed AdHocSign scheme is (t, q H, q S, n, m,ε) traceable if (q, t’, ε’)-SDH assumption holds, where n = q- 1, ε= 8n*sqrt(ε’q H ) + 2n/q, t’=O(tmN).

19 18 Security Features Selfless-anonymity Intuitively: Storage server and/or others are hard to determine if two signatures are pertinent to the same user or not, as long as the Decision Linear problem is hard. Formally: Our proposed AdHocSign scheme is (t, q H, q S, n, m,ε) selflessly anonymous if (t’, ε’) Decision Linear assumption holds, where ε’ = ε(1/n 2 – q S q H /p)/2.

20 19 Cost Analysis Computational cost User’s cost – Private key preparation – x exponential ops, where x is the number of disjunctive components in the access structure – typically lower than signing cost as long as x is not too large – Signing (using BS Group Signature Signing) Server’s cost – Verification (using BS Group Signature Signing) Overall: Typically less than twice of that of BS Group Signature scheme

21 20 Cost Analysis Communication cost O(L): L is the length of an access structure Storage cost O(Nx) – x - total number of attributes owned by a user – N - total number of secrets preloaded for each attribute N: the minimum number of different access structures that can be defined dynamically; in practice, more different access structures can be defined dynamically

22 21 Conclusion We design a new group signature scheme for dynamically-formed groups Selfless-anonymity Traceability No user key distribution at dynamic group forming time – at the cost of storing extra key materials when a user joins the system Applicable when: storage is cheaper than communication (cost for dynamic management of groups)

23 22 Thank you! Contacts of the authors {wzhang, chuangw}@iastate.edu Full paper: www.cs.iastate.edu/~wzhang/papers/adhocsign.pdf

24 23 Implementation Prototype development Based on jPBC (java pairing-based library) Adopting the type A curve Evaluation setup User: desktop with 1.83 GHz Genuine Intel processor and 3GB RAM Server: workstation with two 2.13 GHz Intel Xeon processors and 24 GB RAM Evaluation results BS Group Signature – Signing cost – 1.65 seconds by average – Verification cost – 0.28 seconds by average Private key computation in AdHocSign – ~0.1 second for each disjunctive component in the access structure

Download ppt "An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer."

Similar presentations

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.

BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.
Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Russell Martin August 9th, Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Improving Privacy and Security in Multi- Authority Attribute-Based Encryption Advanced Information Security April 6, 2010 Presenter: Semin Kim.

Improving Privacy and Security in Multi- Authority Attribute-Based Encryption Advanced Information Security April 6, 2010 Presenter: Semin Kim.
Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.

Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.
Efficient fault-tolerant scheme based on the RSA system Author: N.-Y. Lee and W.-L. Tsai IEE Proceedings Presented by 詹益誌 2004/03/02.

Efficient fault-tolerant scheme based on the RSA system Author: N.-Y. Lee and W.-L. Tsai IEE Proceedings Presented by 詹益誌 2004/03/02.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
Anonymity and Security in Public Internet Forums Ho-fung LEUNG Senior Member, IEEE Dept. of Computer Science & Engineering The Chinese University of Hong.

Anonymity and Security in Public Internet Forums Ho-fung LEUNG Senior Member, IEEE Dept. of Computer Science & Engineering The Chinese University of Hong.
1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.

1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.
PRIAM: PRivate Information Access Management on Outsourced Storage Service Providers Mark Shaneck Karthikeyan Mahadevan Jeff Yongdae Kim.

PRIAM: PRivate Information Access Management on Outsourced Storage Service Providers Mark Shaneck Karthikeyan Mahadevan Jeff Yongdae Kim.
Ciphertext-Policy, Attribute-Based Encryption Brent Waters SRI International John Bethencourt CMU Amit Sahai UCLA.

Ciphertext-Policy, Attribute-Based Encryption Brent Waters SRI International John Bethencourt CMU Amit Sahai UCLA.
By Jyh-haw Yeh Boise State University ICIKM 2013.

By Jyh-haw Yeh Boise State University ICIKM 2013.
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall 2011 1.

Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall
Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2

Cong Wang1, Qian Wang1, Kui Ren1 and Wenjing Lou2
A Secure Protocol for Spontaneous Wireless Ad Hoc Networks Creation.

A Secure Protocol for Spontaneous Wireless Ad Hoc Networks Creation.

Similar presentations

Ads by Google