An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data
Chuang Wang (a, b) and Wensheng Zhang (a)
(a) Department of Computer Science, Iowa State University
(b) Symantec Corporation

Background: Data Outsourcing
[Figure: an author encrypts data and places it on a remote un-trusted data storage server; authorized users decrypt it.]

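ABE (Attribute-based Encryption)
[Figure: an access structure with OR and AND gates over the attributes “Computer Science”, “ISU” and “PrivacyGrp@Symantec”. A user (graduate student @cs.iastate) retrieves the data and derives the key based on secrets associated with his attributes in order to decrypt; a second retrieve/decrypt path is marked X.]
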
Accountability?
[Figure: an access structure with OR and AND gates over “Computer Science”, “ISU” and “Privacy@Symantec”.]
What if the secret doc is found exposed?
• A trusted third-party authority should be able to find out who has accessed the data (accountability/traceability).
• Meanwhile, the anonymity of users should be preserved against entities other than the authority (including the un-trusted storage server).

Group Signature Scheme
[Figure: an access structure (OR and AND gates over “Computer Science”, “ISU” and “Privacy@Symantec”), its authorized users and the group public key (gpk).]
• A user i's personalized private key ($gsk_i$)
• Signature on message m: $\sigma_m = \mathrm{sign}(gpk, gsk_i, m)$
• $\mathrm{Verify}(gpk, \sigma_m) = 1$?
• Record $\sigma_m$ (Authority is able to trace the signature to user i.)

Group Signature Scheme: Problem
[Figure: an access structure (OR and AND gates over “Computer Science”, “ISU” and “Privacy@Symantec”), its authorized users, the group public key (gpk) and a user i's personalized private key ($gsk_i$).]
• Access structures may be defined on the fly (when a document is outsourced)
• The groups of users satisfying the access structures are formed dynamically
• Significant communication overheads may be needed to set up private keys for the members of dynamic groups

Our Proposal: Ad Hoc Group Signature (AdHocSign) – Design Goals
Objective: ad hoc group signature scheme.
Design Requirements
• User anonymity: A successfully verified user could be any one of the authorized users.
– Ex: Access Structure = “a AND b”; a successfully-verified user could be any one owning attributes a and b.
– Ex: Access Structure = “(a AND b) OR c”; a successfully-verified user could be any one owning attributes a and b, or any one owning c, and the server and other users cannot know which of the above two cases occurs.
• Accountability (traceability): The authority is able to trace a signature to a user.
• Efficiency in communication (for group management): when a new access structure is created, no extra communication for group management (e.g., distributing keys) is required.

Our Proposal: Ad Hoc Group Signature (AdHocSign) – Key Ideas
Storage Cost
• When a user joins: he/she is preloaded with key materials for each attribute assigned.
Communication Cost
• When a document (and its associated access structure) is posted to the server: the server is given key materials for the access structure (AS).
If a user's attributes satisfy the AS (Y):
• Obtain: the user-specific and access structure-specific private key for group signature

Basis: Group Signature [BonehShacham’04]
Complexity Assumptions:
• q-SDH problem
• Decision Linear problem
System-wide secret: $\zeta$
Public key (gpk): $g$, $g' = g^{\zeta}$
User i's private key ($gsk_i$): $x_i$, $A_i = g^{1/(\zeta + x_i)}$
Bilinear mapping: $e(A_i,\ g' \times g^{x_i}) = e(g, g)$
• Signing: $\mathrm{sign}(gpk, gsk_i, m) \rightarrow \sigma_m$
• Verifying: $\mathrm{verify}(gpk, m, \sigma_m) \rightarrow 1/0$

AdHocSign: Roadmap of the Design
What to do?
Construct and give appropriate key materials to users and
storage server, s.t., an authorized user is able to derive
his/her private key as in the BS group signature scheme
How?
Consider a conjunction-only access structure
– Ex: “a AND b”
Consider a disjunction-only access structure
– Ex: “a OR b”
Consider a general (i.e., conjunction of disjunctions) access structure
– Ex: “(a OR b) AND (c OR d)”

AdHocSign for Conjunction-only Access Structures: Intuition
Access structure: T = “a AND b”
Authority
• Secrets: $\alpha_a$, $\alpha_b$
• Key materials: $r_a$, $r_b$
• Public key: $g_T = g^{\alpha_a r_a + \alpha_b r_b}$, $g_T' = g_T^{\zeta}$
Server
• <T = “a AND b”; $r_a$, $r_b$>
User i
• Key materials:
– for attribute a: $g_{i,a} = g^{\alpha_a/(\zeta + x_i)}$
– for attribute b: $g_{i,b} = g^{\alpha_b/(\zeta + x_i)}$
– … …
• Private key: $x_i$, $A_i^T = g_{i,a}^{r_a} \times g_{i,b}^{r_b} = g^{(\alpha_a r_a + \alpha_b r_b)/(\zeta + x_i)}$
$e(A_i^T,\ g_T' \times g_T^{x_i}) = e(g_T, g_T)$

AdHocSign for Disjunction-only Access Structures: Intuition (1)
Access structure: T = “a OR b”
Authority
• Secrets: $\alpha_a$, $\alpha_b$, $r_T$
• Key materials: $r_a = r_T/\alpha_a$; $r_b = r_T/\alpha_b$
• Public key: $g_T = g^{r_T}$, $g_T' = g_T^{\zeta}$
Server
• <T = “a OR b”; $r_a$, $r_b$>
User i
• Key materials:
– for attribute a: $g_{i,a} = g^{\alpha_a/(\zeta + x_i)}$
– for attribute c: …
– … …
• Private key: $x_i$, $A_i^T = g_{i,a}^{r_a} = g^{r_T/(\zeta + x_i)}$
$e(A_i^T,\ g_T' \times g_T^{x_i}) = e(g_T, g_T)$

AdHocSign for Disjunction-only Access Structures: Intuition (2)
Access structure: T = “a OR b”
Authority
• Secrets: $\alpha_a$, $\alpha_b$, $r_T$, $\zeta$
• Key materials: $r_a = r_T/\alpha_a$; $r_b = r_T/\alpha_b$
Server
• <T = “a OR b”; $r_a$, $r_b$>
User i
• Key materials:
– for attribute a: $g_{i,a} = g^{\alpha_a/(\zeta + x_i)}$
– … …
Problem: User i can derive $g_{i,b} = g_{i,a}^{r_a/r_b}$, though user i does not own attribute b. Later on, user i can satisfy access structures such as “a AND b”, “b OR x”.

AdHocSign for Disjunction-only Access Structure: Intuition (3)
The authority
• For each attribute a, multiple (instead of a single) secret numbers are picked: $\alpha_{a,1}, \alpha_{a,2}, \ldots, \alpha_{a,N}$
• Each user i who owns attribute a is preloaded with N secrets (key materials): $g_{i,a,1}, g_{i,a,2}, \ldots, g_{i,a,N}$, where $g_{i,a,k} = g^{\alpha_{a,k}/(\zeta + x_i)}$
Every time a new disjunction-only access structure, e.g., T = “a OR b”, is defined:
• $r_T$ is selected randomly
• $r_{T,a} = r_T/\alpha_{a,k_1}$ and $r_{T,b} = r_T/\alpha_{b,k_2}$, where $\alpha_{a,k_1}$ and $\alpha_{b,k_2}$ have not been used before
• A user i with attribute a or b should use $g_{i,a,k_1}$ or $g_{i,b,k_2}$ to derive his/her private key

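The leak described in Intuition (2) and the effect of the N-secrets change in Intuition (3), as an added example that is not taken from the slides or the paper. It assumes a small Schnorr group (P = 2039, Q = 1019, G = 4) standing in for the pairing group; all secret values and function names are constructed for illustration.

```python
# Constructed toy group: G generates the order-Q subgroup of Z_P* (insecure sizes).
P, Q, G = 2039, 1019, 4

def inv(x):
    """Inverse of an exponent modulo the group order Q."""
    return pow(x % Q, -1, Q)

def attr_key(alpha, zeta, x_i):
    """Authority side: preloaded key g_{i,attr} = g^(alpha / (zeta + x_i))."""
    return pow(G, alpha * inv(zeta + x_i) % Q, P)

def disjunction_materials(r_T, alphas):
    """Server materials for an OR structure: r_attr = r_T / alpha_attr."""
    return {attr: r_T * inv(alpha) % Q for attr, alpha in alphas.items()}

def derive_other_key(g_i_a, r_a, r_b):
    """What user i, owning only attribute a, can compute: g_{i,a}^(r_a / r_b)."""
    return pow(g_i_a, r_a * inv(r_b) % Q, P)

def demo():
    zeta, x_i = 123, 45                      # constructed secrets
    # One secret per attribute (Intuition 2): the derived value IS g_{i,b}.
    alpha = {"a": 7, "b": 11}
    r = disjunction_materials(301, alpha)
    leaked = derive_other_key(attr_key(alpha["a"], zeta, x_i), r["a"], r["b"])
    single_secret_leaks = leaked == attr_key(alpha["b"], zeta, x_i)

    # N secrets per attribute (Intuition 3): "a OR b" consumes alpha_{a,k1}, alpha_{b,k2}.
    alpha_a, alpha_b = [7, 19, 23], [11, 29, 31]
    r = disjunction_materials(301, {"a": alpha_a[0], "b": alpha_b[0]})
    leaked = derive_other_key(attr_key(alpha_a[0], zeta, x_i), r["a"], r["b"])
    used_key_leaks = leaked == attr_key(alpha_b[0], zeta, x_i)
    # A later structure uses a not-yet-used alpha_{b,k}; the leaked value does not match.
    fresh_key_leaks = leaked == attr_key(alpha_b[1], zeta, x_i)
    return single_secret_leaks, used_key_leaks, fresh_key_leaks
```

The user can still derive the key for the consumed index k2, which is why each per-attribute secret may be used in only one access structure.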
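AdHocSign for General Access Structures: Intuition
Authority
[Figure: access structure tree. An AND gate joins two OR gates labelled $r_{T1}$ and $r_{T2}$; the first OR gate covers attributes a ($\alpha_{a,k_1}$) and b ($\alpha_{b,k_2}$), the second covers c ($\alpha_{c,k_3}$) and d ($\alpha_{d,k_4}$).]
Key materials given to server:
• (a, $k_1$, $r_{T,a} = r_{T1}/\alpha_{a,k_1}$)
• (b, $k_2$, $r_{T,b} = r_{T1}/\alpha_{b,k_2}$)
• (c, $k_3$, $r_{T,c} = r_{T2}/\alpha_{c,k_3}$)
• (d, $k_4$, $r_{T,d} = r_{T2}/\alpha_{d,k_4}$)
Public key:
• $g_T = g^{r_{T1} + r_{T2}}$
• $g_T' = g_T^{\zeta}$
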
AdHocSign for General Access Structures: Intuition
Assume the user owns attributes a and d
User i
Key materials assigned to user i:
• For attribute a
– …
– $g_{i,a,k_1} = g^{\alpha_{a,k_1}/(\zeta + x_i)}$
– …
• For attribute d
– …
– $g_{i,d,k_4} = g^{\alpha_{d,k_4}/(\zeta + x_i)}$
– …
Key materials provided by server:
• (a, $k_1$, $r_{T,a} = r_{T1}/\alpha_{a,k_1}$)
• … …
• (d, $k_4$, $r_{T,d} = r_{T2}/\alpha_{d,k_4}$)
$A_i^T = g_{i,a,k_1}^{r_{T,a}} \times g_{i,d,k_4}^{r_{T,d}} = g^{(r_{T1} + r_{T2})/(\zeta + x_i)}$
Private key: ($x_i$, $A_i^T$)

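The key derivation for “(a OR b) AND (c OR d)” carried through end to end, as an added example that is not code from the authors' prototype. It assumes a small Schnorr group (P = 2039, Q = 1019, G = 4) instead of a pairing group, so the key is checked with knowledge of ζ rather than with the pairing; all values and function names are constructed for illustration.

```python
# Constructed toy group: G generates the order-Q subgroup of Z_P* (insecure sizes).
P, Q, G = 2039, 1019, 4

def inv(x):
    return pow(x % Q, -1, Q)

def authority_setup(clauses, alpha, r_clause):
    """One random r per OR clause; server gets r_{T,attr} = r / alpha_{attr,k}."""
    materials = [{(attr, k): r * inv(alpha[attr, k]) % Q for attr, k in clause}
                 for clause, r in zip(clauses, r_clause)]
    g_T = pow(G, sum(r_clause) % Q, P)       # g_T = g^(r_T1 + r_T2)
    return materials, g_T

def user_derive(preloaded, materials):
    """Multiply g_{i,attr,k}^(r_{T,attr}) over one owned attribute per OR clause."""
    A = 1
    for clause in materials:
        owned = [key for key in clause if key in preloaded]
        if not owned:
            return None                      # attributes do not satisfy T
        A = A * pow(preloaded[owned[0]], clause[owned[0]], P) % P
    return A

def key_is_valid(A, g_T, zeta, x_i):
    """A^(zeta + x_i) == g_T: the relation that the pairing equation
    e(A, g_T' * g_T^x_i) = e(g_T, g_T) verifies without knowing zeta."""
    return A is not None and pow(A, (zeta + x_i) % Q, P) == g_T

def demo():
    zeta = 123                               # constructed system-wide secret
    alpha = {("a", 1): 7, ("b", 2): 11, ("c", 3): 13, ("d", 4): 17}
    clauses = [[("a", 1), ("b", 2)], [("c", 3), ("d", 4)]]
    materials, g_T = authority_setup(clauses, alpha, r_clause=[301, 402])

    def preload(x_i, attrs):                 # keys the user received when joining
        return {key: pow(G, a * inv(zeta + x_i) % Q, P)
                for key, a in alpha.items() if key[0] in attrs}

    authorized = key_is_valid(user_derive(preload(45, "ad"), materials), g_T, zeta, 45)
    denied = user_derive(preload(67, "ab"), materials) is None
    return authorized, denied
```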
Security Features
Traceability
• Intuitively: It is hard for the storage server and/or colluding users to forge valid signatures that cannot be traced back to any of them, as long as the SDH problem is hard.
• Formally: Our proposed AdHocSign scheme is $(t, q_H, q_S, n, m, \varepsilon)$-traceable if the $(q, t', \varepsilon')$-SDH assumption holds, where $n = q - 1$, $\varepsilon = 8n\sqrt{\varepsilon' q_H} + 2n/q$, $t' = O(tmN)$.

Security Features
Selfless-anonymity
• Intuitively: It is hard for the storage server and/or others to determine whether two signatures pertain to the same user, as long as the Decision Linear problem is hard.
• Formally: Our proposed AdHocSign scheme is $(t, q_H, q_S, n, m, \varepsilon)$ selflessly anonymous if the $(t', \varepsilon')$ Decision Linear assumption holds, where $\varepsilon' = \varepsilon\,(1/n^2 - q_S q_H/p)/2$.

Cost Analysis
Computational cost
• User's cost
– Private key preparation: x exponentiation operations, where x is the number of disjunctive components in the access structure; typically lower than the signing cost as long as x is not too large
– Signing (using BS Group Signature Signing)
• Server's cost
– Verification (using BS Group Signature Signing)
• Overall: Typically less than twice that of the BS Group Signature scheme

Cost Analysis
Communication cost
• O(L): L is the length of an access structure
Storage cost
• O(Nx)
– x: total number of attributes owned by a user
– N: total number of secrets preloaded for each attribute
• N: the minimum number of different access structures that can be defined dynamically; in practice, more different access structures can be defined dynamically

Conclusion
We design a new group signature scheme for dynamically-formed groups
• Selfless-anonymity
• Traceability
• No user key distribution at dynamic group forming time
– at the cost of storing extra key materials when a user joins the system
Applicable when: storage is cheaper than communication (cost for dynamic management of groups)

Thank you!
Contacts of the authors: {wzhang, chuangw}@iastate.edu
Full paper: www.cs.iastate.edu/~wzhang/papers/adhocsign.pdf

Implementation
Prototype development
• Based on jPBC (Java pairing-based library)
• Adopting the type A curve
Evaluation setup
• User: desktop with 1.83 GHz Genuine Intel processor and 3 GB RAM
• Server: workstation with two 2.13 GHz Intel Xeon processors and 24 GB RAM
Evaluation results
• BS Group Signature
– Signing cost: 1.65 seconds on average
– Verification cost: 0.28 seconds on average
• Private key computation in AdHocSign
– ~0.1 second for each disjunctive component in the access structure