Presentation on theme: "The user accountability/traitor tracing in attribute based encryption" - Presentation transcript:
Slide 1: The user accountability/traitor tracing in attribute-based encryption. Zhao Qianqian
Slide 2: What is user accountability? In attribute-based encryption, a user's private key is completely associated with his attribute set, and each attribute can be shared by many different users. If a decryption device associated with some attribute set $S_D$ appears on eBay and is alleged to be able to decrypt any ciphertext whose policy is satisfied by $S_D$, no one, including the ABE authorities, can identify the malicious user(s) who built such a decryption device using their key(s).
Slide 3: What is user accountability? This is because there are many different users whose attribute sets cover the set $S_D$. It is a very big challenge for the security of attribute-based encryption. Designing a secure and efficient traitor tracing scheme has become a necessity, especially in practical access control systems that apply ABE. The realization of traitor tracing is the so-called user accountability.
Slide 4: Two different levels of traceability. White-box traceability: given a well-formed decryption key as input, a tracing algorithm can find the user who owns the key. Black-box traceability: given a decryption black box/device, where the decryption key and even the decryption algorithm may be hidden, the tracing algorithm can still find the malicious user whose key must have been used in constructing the decryption black box.
Slide 5: Multi-Authority Ciphertext-Policy Attribute-Based Encryption with Accountability. Jin Li, Qiong Huang, Xiaofeng Chen, Sherman S. M. Chow, Duncan S. Wong, Dongqing Xie; ASIACCS 2011
Slide 6: The reasons for multi-authority. The load bottleneck: all attributes of all users must be verified by the single authority, which is a heavy burden for the system. The escrow problem: the private keys of all users are issued by the single authority, which means the authority can decrypt every ciphertext in the system.
Slide 7: The background of the scheme. Access structure: the policy in the scheme is a conjunction of AND-gates on multi-valued attributes with wildcards. Bilinear maps: let $G_1 = \langle g_1 \rangle$ and $G_2 = \langle g_2 \rangle$ be multiplicative cyclic groups of prime order $p$, and let $e: G_1 \times G_2 \to G_T$ be a bilinear pairing function.
Slide 8: The specific scheme. Setup: let $A_1, \dots, A_N, A_{N+1}$ be the $(N+1)$ authorities in the system. Each authority $A_k$ is in charge of a disjoint set of $n_k$ attributes. Let the value set of the $i$-th attribute managed by authority $A_k$ be $\mathbb{V}_k = \{v_{k,i}\}_{1 \le i \le n_k}$. Also, the set of attributes managed by authority $A_{N+1}$ is the set of user identities, i.e., $v_{N+1,i} \in \{0,1\}$ for all $1 \le i \le n_{N+1} = \rho$, the bit-length of an identity, where $2^\rho \le p$.
Slide 9: The specific scheme. Setup: each authority $A_k$, where $1 \le k \le N+1$, chooses $x_k \in \mathbb{Z}_p^*$ as his private key, computes $y_k = g_1^{x_k}$ and sends $e(g_1, g_2)^{x_k}$ to the other authorities. Then every authority can compute $T = e\left(\prod_{k=1}^{N+1} y_k, g_2\right) = \prod_{k=1}^{N+1} e(g_1, g_2)^{x_k}$ as the system public key. In theory the whole network only needs one such system public key; however, the result of this interaction is that every attribute authority can compute such a system parameter, so in the end which authority's value do we actually use? After all, it is going to be published as a system parameter anyway, so does this interaction still have any point?
Slide 10: The specific scheme. Setup: each authority $A_k$, where $1 \le k \le N$, chooses $a_{k,i,v_{k,i}}, b_{k,i,v_{k,i}}, c_{k,i,v_{k,i}}$ from $\mathbb{Z}_p^*$ and computes $A_{k,i,v_{k,i}} = g_2^{c_{k,i,v_{k,i}}}$ for $1 \le i \le n_k$, $v_{k,i} \in \{0,1\}$. It then also computes $B_{k,i,v_{k,i}} = A_{k,i,v_{k,i}}^{a_{k,i,v_{k,i}}}$ and $B'_{k,i,v_{k,i}} = A_{k,i,v_{k,i}}^{b_{k,i,v_{k,i}}}$, and publishes them as the public key component for the value $v_{k,i}$ of the $i$-th attribute.
Slide 11: The specific scheme. Setup: the authority $A_{N+1}$ randomly chooses $c_{N+1,j,b}$ from $\mathbb{Z}_p^*$ and computes $A_{N+1,j,b} = g_2^{c_{N+1,j,b}}$ for $1 \le j \le \rho$, $b \in \{0,1\}$. It also chooses $a_{N+1,j,b}, b_{N+1,j,b}$ from $\mathbb{Z}_p^*$ and publishes $B_{N+1,j,b} = A_{N+1,j,b}^{a_{N+1,j,b}}$ and $B'_{N+1,j,b} = A_{N+1,j,b}^{b_{N+1,j,b}}$ as the public key of authority $A_{N+1}$.
Slide 12: The specific scheme. Setup: each authority $A_k$ ($1 \le k \le N+1$) shares a secret pseudorandom function (PRF) seed $s_{k k'} \in \mathbb{Z}_p^*$ with each other authority $A_{k'}$. It also chooses a PRF seed $a_k \in \mathbb{Z}_p^*$ and computes $y'_k = g_1^{a_k}$, which is sent to all other authorities. It then defines a pseudorandom function $PRF_{k,k'}(GID) = g_1^{a_k a_{k'} / (s_{k,k'} + X)}$, where $X = H(GID)$ and $H: \{0,1\}^\rho \to \mathbb{Z}_p$ is a collision-resistant hash function. The GID is the specific user identity.
Slide 14: The specific scheme. AKeyGen: the user with global identity $GID = (I_1, \dots, I_\rho) \in \{0,1\}^\rho$ first gets $D_{k,j}$ for $k \ne j$ by running the anonymous key-issuing protocol with the $k$-th authority. In more detail, the user starts $N$ independent invocations of the anonymous protocol on input $\left((y'_j)^{a_k}, g_1, \delta_{k,j} R_{k,j}, s_{k,j}, \delta_{k,j}\right)$ with the $k$-th authority,
Slide 15: The specific scheme. AKeyGen: where $R_{k,j} \in \mathbb{Z}_p^*$ is randomly chosen by the authority $A_k$, and $\delta_{k,j}$ is $1$ if $k > j$ and $-1$ otherwise, for $j \in \{1, \dots, N+1\} \setminus \{k\}$. At the end of the protocol, the user obtains $D_{k,j} = g_1^{R_{k,j}} \cdot PRF_{k,j}(GID)$ if $k > j$, and $D_{k,j} = g_1^{R_{k,j}} / PRF_{k,j}(GID)$ otherwise. After interacting with all $N+1$ authorities, the user computes $D = \prod D_{k,k'} = g_1^{R}$, where $R = \sum R_{k,k'}$ (over all $k, k' \in \{1, \dots, N+1\}$ with $k \ne k'$).
Slide 16: The specific scheme. AKeyGen: to get a private key for an attribute set $\mathbb{A}_k \subseteq \mathbb{V}_k$ from authority $k$, the authority $A_k$ picks random $s_{k,1}, s_{k,2}, \dots, s_{k,|\mathbb{A}_k|-1}, \lambda_{k,1}, \lambda_{k,2}, \dots, \lambda_{k,|\mathbb{A}_k|} \in \mathbb{Z}_p^*$ and computes $s_{k,|\mathbb{A}_k|} = x_k - \sum_{i=1}^{|\mathbb{A}_k|-1} s_{k,i} - \sum_{k' \in \{1,\dots,N+1\} \setminus \{k\}} R_{k k'} \bmod p$. Finally, the private key component for each eligible attribute $v_{k,i}$ in $\mathbb{A}_k$ is computed as
Slide 25: The specific scheme. Trace: suppose there is a pirate device which is able to decrypt ciphertexts under policy $\mathbb{P}$. One can pinpoint the exact identity $GID = (I_1, \dots, I_\rho)$ incorporated in the device bit by bit as follows: 1. Initialize a counter $j = 1$. 2. Choose a random message $M \in G_T$. Encrypt $M$ under the policy $\mathbb{P}$ by setting the identity bits $I_1 = 1, \dots, I_j = 1$ and leaving the other bits as wildcards, $I_{j+1} = \dots = I_\rho = *$.
Slide 26: The specific scheme. Trace: 3. Feed the ciphertext to the decryption device. If the message output by the device is correct, i.e., equal to $M$, increase the counter $j$ by one and go to Step 2. Otherwise, encrypt another $M$ under the policy $\mathbb{P}$ by setting the identity bits $I_1 = \dots = I_{j-1} = 1$, $I_j = 0$ and leaving the other bits as wildcards, $I_{j+1} = \dots = I_\rho = *$.
Slide 27: The specific scheme. Trace: the iteration stops when the whole identity is recovered, i.e., $j = \rho$. It can be readily seen that the iteration repeats at most $\rho$ times.
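The bit-by-bit tracing loop of Slides 25 to 27, as an added example that is not the paper's code: the pairing-based scheme is replaced by a hypothetical model in which a device built from one traitor's key decrypts exactly when the policy is satisfied and every non-wildcard identity bit in the ciphertext matches the traitor's GID, so the tracer needs at most two test ciphertexts per bit. The device, policy and GID values are constructed, and the loop carries the already-recovered bits forward while testing the next one.

```python
import secrets
from dataclasses import dataclass

WILDCARD = "*"  # an identity bit left unconstrained in the ciphertext


@dataclass(frozen=True)
class Ciphertext:
    policy: frozenset   # attribute policy P, modelled as the set of required attributes
    id_pattern: tuple   # one entry per identity bit: "0", "1" or WILDCARD
    message: int        # plaintext, carried in the clear only because this is a model


def encrypt(policy, id_pattern, message: int) -> Ciphertext:
    return Ciphertext(frozenset(policy), tuple(id_pattern), message)


class PirateDevice:
    """Black box built from the key of one traitor (hypothetical model, not the
    real scheme). It decrypts iff the traitor's attributes satisfy the policy
    and every fixed identity bit in the ciphertext equals the traitor's GID bit."""

    def __init__(self, gid: str, attrs):
        self._gid = gid                 # the identity the tracer wants to recover
        self._attrs = frozenset(attrs)
        self.queries = 0                # number of ciphertexts fed to the device

    def decrypt(self, ct: Ciphertext):
        self.queries += 1
        if not ct.policy <= self._attrs:
            return None
        if any(w != WILDCARD and w != h for w, h in zip(ct.id_pattern, self._gid)):
            return None
        return ct.message


def trace(device: PirateDevice, policy, rho: int) -> str:
    """Recover the GID embedded in `device` bit by bit: keep the bits already
    recovered, try 1 then 0 for bit j, leave bits j+1..rho as wildcards, and
    keep the guess for which the device returns the random test message."""
    recovered = []
    for j in range(rho):
        for guess in ("1", "0"):
            pattern = recovered + [guess] + [WILDCARD] * (rho - j - 1)
            m = secrets.randbelow(1 << 64)          # fresh random M for each test
            if device.decrypt(encrypt(policy, pattern, m)) == m:
                recovered.append(guess)
                break
        else:
            raise RuntimeError(f"device decrypts neither value of bit {j + 1}")
    return "".join(recovered)
```

With $\rho$ identity bits the loop issues between $\rho$ and $2\rho$ test ciphertexts, and `device.queries` records the exact count.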
Slide 28: The advantage of this scheme. Public traceability: any user in the system can perform the tracing and does not need any other confidential information. Black-box
Slide 29: The disadvantage of this scheme. Access structure: the access policy in this system is not expressive; it is only a combination of AND-gates. The ability of the pirate device: the pirate device can only decrypt ciphertexts under the single access policy $\mathbb{P}$.