Fully Secure Multi-authority
Ciphertext-Policy Attribute-Based Encryption
without Random Oracles
Zhen Liu1,2
1 Shanghai
Jiao Tong University, Shanghai, China
2 City University of Hong Kong, Hong Kong SAR, China
Joint work with Zhenfu Cao, Qiong Huang, Duncan S. Wong,
and Tsz Hon Yuen
16th European Symposium on Research in Computer Security (ESORICS) 2011,
12-14 September 2011, Leuven, Belgium
Outline
Introduction
History
Motivation
Our Results
Background
Our scheme
2
Introduction: What is CP-ABE?
 CP-ABE is a tool for implementing fine-grained access
control over encrypted data, and is conceptually similar to
traditional access control methods such as Role-Based
Access Control.
 A user is described by a set of descriptive attributes, and a
corresponding private key is issued to the user by an
authority.
 During encryption, an encryptor associates an access policy
over attributes with the ciphertext.
 If and only if the attributes of a user satisfy the access policy
of the ciphertext, the user can decrypt the ciphertext .
3
Introduction: What is CP-ABE?
𝑃𝐾𝐶𝑆 , 𝑃𝐾𝐸𝐸 , …
𝑃𝐾𝑃ℎ𝐷 , 𝑃𝐾𝐴𝐿𝑈 , …
𝑃𝐾𝑀 , 𝑃𝐾𝐹 , …
𝑃𝐾1980, 𝑃𝐾1981 , …
……
…..
𝑃𝐾
𝑈
𝑀𝑆𝐾
Dept.: CS, EE, …
Type: PhD Stud., Alumni, …
Gender: Male, Female
Birth Year: 1980, 1981, …
……
……
𝑆𝐾𝑆𝐴
𝐶 = 𝐸𝑛𝑐(𝑃𝐾, 𝒫, 𝑀)
𝑆𝐴 satisfies 𝒫
𝑆𝐴 = {𝐶𝑆, 𝑃ℎ𝐷}
M
Storage Server
(Untrusted)
AND
𝑆𝐵 = {𝐸𝐸, 𝑃ℎ𝐷}
OR
CS
PDH
ALUMNI
𝒫 = 𝐶𝑆 𝐴𝑁𝐷 (𝑃ℎ𝐷 𝑂𝑅 𝐴𝐿𝑈)
𝑆𝐵 does not satisfy 𝒫
𝑆𝐾
4 𝑆𝐵
Introduction: What is CP-ABE?
-- Collusion-resistant
If none of the users can decrypt a ciphertext individually,
they still can’t even if they work together.
𝑆𝐾𝑆𝐵
𝑆𝐵 = {𝐸𝐸, 𝑃ℎ𝐷}
AND
OR
CS
PDH
ALUMNI
𝒫 = 𝐶𝑆 𝐴𝑁𝐷 (𝑃ℎ𝐷 𝑂𝑅 𝐴𝐿𝑈)
𝑆𝐾𝑆𝑇
𝑆𝑇 = {𝐶𝑆, 𝑈𝑛𝐺}
5
Introduction: What is CP-ABE?
-- Definition
•
•
•
•
𝑆𝑒𝑡𝑢𝑝 𝜆, 𝑈 ⟶ 𝑃𝐾, 𝑀𝑆𝐾.
𝐸𝑛𝑐𝑟𝑦𝑝𝑡 𝑃𝐾, 𝒫, 𝑀 ⟶ 𝐶𝑇. 𝒫 is implicitly included in 𝐶𝑇.
𝐾𝑒𝑦𝐺𝑒𝑛(𝑃𝐾, 𝑀𝑆𝐾, 𝑆) ⟶ 𝑆𝐾𝑆 .
𝐷𝑒𝑐𝑟𝑦𝑝𝑡 𝑃𝐾, 𝑆𝐾𝑆 , 𝐶𝑇 ⟶ 𝑀 𝑜𝑟 ⊥. If and only if 𝑆 satisfies 𝒫, 𝑀
can be recovered.
6
Introduction: Why needs MA-CP-ABE?
 It might not be realistic to have one single authority to
manage all attributes. [SW05]
 E.g., an encryptor may want to share data with users who are
computer science alumni of University X and currently working as an
engineer for Company Y. i.e., the access policy is 𝒫 =
𝑈𝑛𝑖𝑣𝑋. 𝐶𝑆 𝐴𝑁𝐷 𝑈𝑛𝑖𝑣𝑋. 𝐴𝐿𝑈 𝐴𝑁𝐷 𝐶𝑜𝑚𝑝𝑌. 𝐸𝑛𝑔𝑖𝑛𝑒𝑒𝑟
 In a desired Multi-Authority CP-ABE (MA-CP-ABE) system,
different domains of attributes are managed by different
authorities. An encryptor can encrypt messages with any
access policy over the entire attribute universe.
7
History: Existing CP-ABE Schemes
 Goyal et al. [GPSW06]: CP-ABE notion.
 Bethencourt, Sahai and Waters [BSW07] : The first CP-ABE
scheme.
 Cheung and Newport [CN07]
are proposed to
 Goyal et al. [GJPS08]
achieve
better
and
 Waters [Waters08/11]
better expressiveness,
 Lewko et al.[LOSTW10]
 Okamoto and Takashima[OT10] efficiency and security.
[Waters08/11] and [LOSTW10]: expressive (any monotone access structure);
efficient; and secure. The two constructions are very similar, and the
difference is that [Waters08/11] is on prime order group while [LOSTW10] is
on composite order group. [Waters08/11] is selectively secure and
[LOSTW10] is adaptively secure.
8
History: Existing MA-CP-ABE Schemes
 Müller et al. [MKE09]: One Central Authority (CA) and
Multiple Attribute Authorities (AAs).
• Selectively secure.
• Key Escrow: The CA can decrypt all ciphertexts.
 Lewko and Waters [LW11] : Multiple AAs
• The AAs operate independently from each other.
• Adaptively secure, in the random oracle model.
• Key Escrow: Each AA can decrypt the ciphertexts whose
policy can be satisfied by the AA’s attribute domain.
9
Motivation
Construct an MA-CP-ABE system
 Different attribute domains are managed by different
authorities.
 Expressiveness, efficiency and security are not weaker
than that of the single-authority CP-ABE in [LOSTW10]:
 Expressiveness: Support any monotone access structure over the
entire attribute universe;
 Efficiency: similar to that of [LOSTW10];
 Security: adaptively secure in the standard model.
 No authority can independently decrypt any ciphertext.
10
Our Results
We constructed a new MA-CP-ABE system.
 Multiple CAs and Multiple AAs.
 The CAs issue identity-related keys to users but do not involve in
any attribute-related operations.
 The AAs issue attribute-related keys to users.
 Each AA manages a different attribute domain, and operates
independently from other AAs.
 A party may easily join the system as an AA by registering itself
to the CAs and publishing its attribute-related parameters.
 The expressiveness, efficiency and security are
comparable to that of the single-authority CP-ABE
scheme in [LOSTW10].
 No authority can independently decrypt any ciphertext.
11
Our Results
LOSTW10
(SA-) CP-ABE
LW11
MA-CP-ABE
Ours
MA-CP-ABE
Standard Model
Multi-Authority
Prevent Decryption by
Individual Authority
Partially
Size of Ciphertext
𝟐𝒍 + 𝟐
𝟑𝒍 + 𝟏
𝟐𝒍 + 𝟐
Size of Secret key
𝑺 +𝟐
|𝑺|
𝑺 + 𝑫(𝑲 + 𝟐)
𝟐 𝑰 +𝟏
𝟐|𝑰|
𝟐 𝑰 +𝟏
𝑼 +𝟑
𝟐|𝑼|
𝑼 +𝟑+𝑫
Pairing Computation
of Decryption
Size of Public key
𝐷: The number of CAs.
𝐾: The number of AAs.
12
The rest of this presentation…
1. Bilinear map and access structure
2. Our construction
3. Extensions
13
Background
 Bilinear map:
 𝑁 = 𝑝1 𝑝2 𝑝3 where 𝑝1 , 𝑝2 and 𝑝3 are three distinct primes;
 𝐺 and 𝐺𝑇 are cyclic groups of order 𝑁;
 𝑒: 𝐺 × 𝐺 → 𝐺𝑇 is a map such that
 (1) Bilinear: ∀ 𝑔, ℎ ∈ 𝐺, 𝑎, 𝑏 ∈ 𝑍𝑁 , e g a , hb = e g, h
ab ;
 (2) Non-Degenerate: ∃𝑔 ∈ 𝐺, such that 𝑒(𝑔, 𝑔) has order 𝑁 in 𝐺𝑇 .
 LSSS: Any monotone access structure can be realized by a Linear SecretShare Scheme (LSSS). An LSSS is a labeled matrix (𝐴, 𝜌), where 𝐴 is a 𝑙 × 𝑛
matrix over 𝑍𝑝∗ and 𝜌 labels each row with a share holder. E.g.,
(2,2)
1 1 1 𝐴
1 1 2
 1 1 3 𝐵
𝐶
(2,3)
D
1 2 0 𝐷
A
B
C
14
Our MA-CP-ABE Scheme: Idea
Start from the single authority CP-ABE of [LOSTW10]:
 𝑆𝑒𝑡𝑢𝑝 𝜆, 𝑈 → 𝑃𝐾, 𝑀𝑆𝐾.
𝑃𝐾: 𝑁, 𝑔, ℎ, 𝑒 𝑔, 𝑔 𝛼 ,
𝑇𝑎𝑡𝑡 = 𝑔 𝑠𝑎𝑡𝑡 ∀𝑎𝑡𝑡 ∈ 𝑈 ; 𝑀𝑆𝐾: 𝛼, 𝑋3
 𝑔, ℎ ∈ 𝐺𝑝1 𝑎𝑛𝑑 𝛼, 𝑠𝑎𝑡𝑡 ∈ 𝑍𝑁 are chosen randomly, 𝑋3 is a generator of 𝐺𝑝3 .
 𝐾𝑒𝑦𝐺𝑒𝑛 𝑃𝐾, 𝑀𝑆𝐾, 𝑆 → 𝑆𝐾 = (𝐾, 𝐿, 𝐾𝑎𝑡𝑡 ∀𝑎𝑡𝑡 ∈ 𝑆 ).
𝐾=
𝑔𝛼 ℎ𝑟 𝑅0 ,
𝐿=
𝑔𝑟 𝑅0′
𝑟
,
𝐾𝑎𝑡𝑡 = 𝑇𝑎𝑡𝑡 𝑅𝑎𝑡𝑡 ∀ 𝑎𝑡𝑡 ∈ 𝑆.
 𝑟 ∈ 𝑍𝑁 , 𝑎𝑛𝑑 𝑅0 , 𝑅0′ , 𝑅𝑎𝑡𝑡 ∈ 𝐺𝑝3 are chosen randomly.
 𝐸𝑛𝑐𝑟𝑦𝑝𝑡 𝑃𝐾, 𝐴, 𝜌 , 𝑀 → 𝐶𝑇.
𝐶 = 𝑀 ⋅ 𝑒 𝑔, 𝑔
𝛼 𝑠, 𝐶′
= ℎ 𝑠 , 𝐶𝑥 = ℎ 𝐴𝑥 ⋅𝑣 𝑇𝜌
𝑥
−𝑟𝑥
, 𝐶𝑥′ = 𝑔𝑟𝑥 ∀𝑥 ∈ {1,2 … , 𝑙}.
 𝑠, 𝑟𝑥 ∈ 𝑍𝑁 are chosen randomly.
 𝐷𝑒𝑐𝑟𝑦𝑝𝑡 𝑃𝐾, 𝐶𝑇, 𝑆𝐾 → 𝑀.
𝐶 ⋅
𝜌 𝑥 ∈𝑆
 Constants {𝑤𝑥 } satisfy
𝑒 𝐶𝑥 , 𝐿 𝑒
𝐶𝑥′ , 𝐾𝜌 𝑥
𝑒 𝐶′, 𝐾
𝑥∈𝐼 𝑤𝑥 𝐴𝑥
= (1,0, … , 0).
𝑤𝑥
= 𝑀.
15
Our MA-CP-ABE Scheme: Idea
 𝐾𝑒𝑦𝐺𝑒𝑛 𝑃𝐾, 𝑀𝑆𝐾, 𝑆 → 𝑆𝐾 = (𝐾, 𝐿, 𝐾𝑎𝑡𝑡 ∀𝑎𝑡𝑡 ∈ 𝑆 ).
𝐾 = 𝑔𝛼 ℎ𝑟 𝑅0 ,
𝐿 = 𝑔𝑟 𝑅0′ ,
𝑟
𝐾𝑎𝑡𝑡 = 𝑇𝑎𝑡𝑡 𝑅𝑎𝑡𝑡 ∀ 𝑎𝑡𝑡 ∈ 𝑆.
 𝑟 ∈ 𝑍𝑁 , 𝑎𝑛𝑑 𝑅0 , 𝑅0′ , 𝑅𝑎𝑡𝑡 ∈ 𝐺𝑝3 are chosen randomly.
Have no relation with attributes
Bind all attribute-related keys of a user
together;
Prevent collusion attack from different
users (Distinct random 𝑟 for each user);
𝑟
𝐾𝑎𝑡𝑡 = 𝑇𝑎𝑡𝑡
𝑅𝑎𝑡𝑡 = 𝑔𝑟 𝑠𝑎𝑡𝑡 𝑅𝑎𝑡𝑡 = 𝐿𝑠𝑎𝑡𝑡 𝑅𝑎𝑡𝑡 /𝑅0′
′
= 𝐿𝑠𝑎𝑡𝑡 𝑅𝑎𝑡𝑡
Ideas:
 Separate the single authority to one CA and multiple AAs
 CA is responsible for choosing 𝑟 and generating 𝐾 𝑎𝑛𝑑 𝐿 for users;
 When a user submits his 𝐿 to an AA, the AA generates 𝐾𝑎𝑡𝑡 by using
𝐿 𝑎𝑛𝑑 𝑠𝑎𝑡𝑡 .
Problem: 𝐿 is submitted to AA by the user, so that two users (e.g., Bob and Tom)
can launch a collusion attack by submitting the same 𝐿.
Solution: Use digit signature to bind 𝐿 and the identity of a user together.
16
Our MA-CP-ABE Scheme: Idea
One-CA-Multi-AA
 𝐶𝐴𝑆𝑒𝑡𝑢𝑝 𝜆 → 𝐶𝑃𝐾, 𝐶𝑀𝑆𝐾.
𝐶𝑃𝐾: 𝑁, 𝑔, ℎ, 𝑒 𝑔, 𝑔 𝛼 ,
𝑇𝑎𝑡𝑡 = 𝑔 𝑠𝑎𝑡𝑡 ∀𝑎𝑡𝑡 ∈ 𝑈, 𝑋3 , 𝑣𝑒𝑟𝑘; 𝑀𝑆𝐾: 𝛼, 𝑠𝑖𝑔𝑘
 𝐴𝐴𝑆𝑒𝑡𝑢𝑝 𝑘, 𝑈𝑘 → 𝐴𝑃𝐾𝑘 , 𝐴𝑀𝑆𝐾𝑘 .
𝐴𝑃𝐾𝑘 : 𝑁, 𝑔, ℎ, 𝑒 𝑔, 𝑔 𝛼 ,
𝑇𝑎𝑡𝑡 = 𝑔 𝑠𝑎𝑡𝑡 ∀𝑎𝑡𝑡 ∈ 𝑈𝑘 ; 𝐴𝑀𝑆𝐾𝑘 : 𝑠𝑎𝑡𝑡 ∀𝑎𝑡𝑡 ∈ 𝑈𝑘
 𝐶𝐾𝑒𝑦𝐺𝑒𝑛 𝑔𝑖𝑑 → (𝐾, 𝐿, 𝐾𝑎𝑡𝑡 ∀𝑎𝑡𝑡 ∈ 𝑆 ).
𝐾 = 𝑔𝛼 ℎ𝑟 𝑅0 ,
𝐿 = 𝑔𝑟 𝑅0′ ,
𝑟
𝐾𝑎𝑡𝑡 = 𝑇𝑎𝑡𝑡 𝑅𝑎𝑡𝑡 ∀ 𝑎𝑡𝑡 ∈ 𝑆.
𝜎 = 𝑠𝑖𝑔𝑛(𝑠𝑖𝑔𝑘, 𝑔𝑖𝑑||𝐿 )
 𝐴𝐾𝑒𝑦𝐺𝑒𝑛 𝐿, 𝜎, 𝑎𝑡𝑡 → 𝐾𝑎𝑡𝑡 .
𝐾 = 𝑔𝛼 ℎ𝑟 𝑅0 ,
𝐿 = 𝑔𝑟 𝑅0′ ,
𝐾𝑎𝑡𝑡 = 𝐿𝑠𝑎𝑡𝑡 𝑅𝑎𝑡𝑡
 𝐸𝑛𝑐𝑟𝑦𝑝𝑡 𝐶𝑃𝐾, 𝐴𝑃𝐾𝑘 , 𝐴, 𝜌 , 𝑀 → 𝐶𝑇.
𝐶 = 𝑀 ⋅ 𝑒 𝑔, 𝑔
𝛼 𝑠, 𝐶′
= ℎ 𝑠 , 𝐶𝑥 = ℎ 𝐴𝑥 ⋅𝑣 𝑇𝜌
𝑥
−𝑟𝑥
, 𝐶𝑥′ = 𝑔𝑟𝑥 ∀𝑥 ∈ {1,2 … , 𝑙}.
17
Our MA-CP-ABE Scheme: Idea
One-CA-Multi-AA
 Problem:
Multi-CA-Multi-AA
In the One-CA-Multi-AA system, the CA holds the value of 𝛼, so that it can
decrypt all ciphertexts.
 Solution
Introduce multiple CAs: CA1, …, CAD . Each CAd chooses 𝛼𝑑
independently, and publishes 𝑒 𝑔, 𝑔 𝛼𝑑 to the public parameters.
In 𝐸𝑛𝑐𝑟𝑦𝑝𝑡 algorithm, 𝐶 = 𝑀 ⋅ 𝑒 𝑔, 𝑔 𝛼𝑑 𝑠 .
Implicitly, we have set that 𝛼 = 𝛼1 + 𝛼2 + ⋯ + 𝛼𝐷 .
 Only when all CAs collude together, can they decrypt a ciphertext.
18
𝐶𝐴𝐷
𝐶𝐴1
……
𝐴𝐴𝐾
𝐴𝐴1
𝑈1
User 𝑔𝑖𝑑
𝑆𝑔𝑖𝑑 = {𝑎1 , 𝑎2 }
𝑎1 ∈ 𝑈1 , 𝑎2 ∈ 𝑈𝐾
……
𝑈𝐾
Our MA-CP-ABE Scheme: Idea
Naive Multi-CA-Multi-AA
 𝐺𝑙𝑜𝑏𝑎𝑙𝑆𝑒𝑡𝑢𝑝 𝜆 → 𝐺𝑃𝐾: 𝑁, 𝑔, ℎ, 𝑋3
 𝐶𝐴𝑆𝑒𝑡𝑢𝑝 𝑑 → 𝐶𝑃𝐾𝑑 : 𝑒 𝑔, 𝑔 𝛼𝑑 , 𝑣𝑒𝑟𝑘𝑑 ; 𝐶𝑀𝑆𝐾𝑑 : 𝛼𝑑 , 𝑠𝑖𝑔𝑘𝑑
 𝐴𝐴𝑆𝑒𝑡𝑢𝑝 𝑘, 𝑈𝑘 → 𝐴𝑃𝐾𝑘 : 𝑇𝑎𝑡𝑡 = 𝑔 𝑠𝑎𝑡𝑡 ∀𝑎𝑡𝑡 ∈ 𝑈𝑘 ; 𝐴𝑀𝑆𝐾𝑘 : 𝑠𝑎𝑡𝑡 ∀𝑎𝑡𝑡 ∈ 𝑈𝑘
 𝐶𝐾𝑒𝑦𝐺𝑒𝑛 𝑔𝑖𝑑, 𝑑 → (𝐾𝑔𝑖𝑑,𝑑 , 𝐿𝑔𝑖𝑑,𝑑 ).
𝐾𝑔𝑖𝑑,𝑑 = 𝑔𝛼𝑑 ℎ𝑟𝑔𝑖𝑑,𝑑 𝑅0 , 𝐿𝑔𝑖𝑑,𝑑 = 𝑔𝑟𝑔𝑖𝑑,𝑑 𝑅0′ , 𝜎𝑔𝑖𝑑,𝑑 = 𝑠𝑖𝑔𝑛(𝑠𝑖𝑔𝑘𝑑 , 𝑔𝑖𝑑 || d|| 𝐿𝑔𝑖𝑑,𝑑 )
 𝐴𝐾𝑒𝑦𝐺𝑒𝑛 {𝐿𝑔𝑖𝑑,𝑑 , 𝜎𝑔𝑖𝑑,𝑑 |𝑑 = 1,2, … , 𝐷}, 𝑎𝑡𝑡 → {𝐾𝑎𝑡𝑡,𝑔𝑖𝑑,𝑑 }.
𝑠
𝑎𝑡𝑡
𝐾𝑎𝑡𝑡,𝑔𝑖𝑑,𝑑 = 𝐿𝑔𝑖𝑑,𝑑
𝑅𝑎𝑡𝑡,𝑔𝑖𝑑,𝑑 ,
𝑑 = 1,2, … 𝐷
 𝐸𝑛𝑐𝑟𝑦𝑝𝑡 𝑃𝐾, 𝐴, 𝜌 , 𝑀 → 𝐶𝑇.
𝐶=𝑀⋅
𝑒 𝑔, 𝑔
𝛼𝑑 𝑠 , 𝐶 ′
= ℎ 𝑠 , 𝐶𝑥 = ℎ 𝐴𝑥 ⋅𝑣 𝑇𝜌
𝑥
−𝑟𝑥
, 𝐶𝑥′ = 𝑔𝑟𝑥 ∀𝑥 ∈ {1,2 … , 𝑙}.
 𝐷𝑒𝑐𝑟𝑦𝑝𝑡 𝑃𝐾, 𝐶𝑇, 𝑆 → 𝑀.
𝜌 𝑥 ∈𝑆
𝑑=1 𝑡𝑜 𝐷
𝑒 𝐶𝑥 , 𝐿𝑔𝑖𝑑,𝑑 𝑒
𝑒
𝐶𝑥′ , 𝐾𝜌 𝑥 ,𝑔𝑖𝑑,𝑑
𝐶 ′ , 𝐾𝑔𝑖𝑑,𝑑
𝑤𝑥
=
𝑑=1 𝑡𝑜 𝐷
1
𝑒 𝑔, 𝑔
𝛼𝑑 𝑠 .
20
Our MA-CP-ABE Scheme: Idea
Naive Multi-CA-Multi-AA
Our MA-CP-ABE
 Problem:
 When an attacker corrupts a CA, collusion attack can be launched.
 E.g., 𝐷 = 2, 𝐾 = 2. 𝑎1 ∈ 𝑈1 , 𝑎2 ∈ 𝑈2 . 𝑆𝐵 = 𝑎1 , 𝑆𝑇 = {𝑎2 }. CA1 is corrupted by
Bob and Tom, while CA2 is still secure. In such a case, Bob and Tom should
not be able to decrypt a ciphertext with policy (𝑎1 𝐴𝑁𝐷 𝑎2 ). However,
 Bob obtains 𝐾𝐵𝑜𝑏,2 , 𝐿𝐵𝑜𝑏,2 from CA2 ; then obtains 𝐾𝑎1,𝐵𝑜𝑏,2 from AA1 ;
 They set 𝐿 𝑇𝑜𝑚,1 = 𝐿𝐵𝑜𝑏,2 , and submit this 𝐿 𝑇𝑜𝑚,1 to AA2 . AA2 is cheated
and believes that this “𝐿 𝑇𝑜𝑚,1 " is legal, because Bob and Tom control
CA1 so that they can generate the valid signature. Then AA2 generates
"𝐾𝑎2 ,𝑇𝑜𝑚,1 " by using this "𝐿 𝑇𝑜𝑚,1 ", which is actually "𝐾𝑎2 ,𝐵𝑜𝑏,2 " for
"𝐿𝐵𝑜𝑏,2 “.
 For the ciphertext, they can reconstruct 𝑒 𝑔, 𝑔 𝛼2𝑠 by using
𝐾𝐵𝑜𝑏,2 , 𝐿𝐵𝑜𝑏,2 , {𝐾𝑎1,𝐵𝑜𝑏,2 , 𝐾𝑎2,𝐵𝑜𝑏,2 }. --- COLLUSION ATTACK WORKS.
21
Our MA-CP-ABE Scheme: Idea
Our MA-CP-ABE
Naive Multi-CA-Multi-AA
 Solution: Each time CAd generates 𝐿𝑔𝑖𝑑,𝑑 = 𝑔𝑟𝑔𝑖𝑑,𝑑 𝑅′, it must show the knowledge
of 𝑟𝑔𝑖𝑑,𝑑 to AAk . We addressed this by reusing the CP-ABE scheme of [LOSTW10].
𝐶𝐴1
When 𝑔𝑖𝑑 visits 𝐶𝐴𝑑 ,
𝐶𝐴𝑑 regards 𝑆𝑑 as the
“attributes” of the user
User 𝑔𝑖𝑑
𝑆1 = { 1,1 , 2,1 , … , (𝐾, 1)}
𝑆2 = 1,2 , 2,2 , … , 𝐾, 2
𝑆𝑑 = { 1, 𝑑 , 2, 𝑑 , … , (𝐾, 𝑑)}
𝐶𝐴2
𝐴𝐴𝑘 registers 𝑉𝑘,𝑑 to 𝐶𝐴𝑑 ;
𝐶𝐴𝑑 uses 𝑉𝑘,𝑑 as the
public key corresponding
to “attribute (k,d)”
𝑉𝑘,𝑑 = 𝑔𝑣𝑘,𝑑
𝑉1,1 = 𝑔𝑣1,1
𝑉1,2 = 𝑔𝑣1,2
𝑉2,1 = 𝑔𝑣2,1
𝑉2,2 = 𝑔𝑣2,2
𝐴𝐴1
𝐴𝐴2
𝑣1,1 , 𝑣1,2
𝑣2,1 , 𝑣2,2
22
Our MA-CP-ABE Scheme: Idea
Our MA-CP-ABE
Naive Multi-CA-Multi-AA
 [LOSTW10]𝐾𝑒𝑦𝐺𝑒𝑛 𝑃𝐾, 𝑀𝑆𝐾, 𝑆 → 𝑆𝐾 = (𝐾, 𝐿, 𝐾𝑎𝑡𝑡 ∀𝑎𝑡𝑡 ∈ 𝑆 ) .
𝐾=
𝑔𝛼 ℎ𝑟 𝑅0 ,
𝐿=
𝑔𝑟 𝑅0′
,
𝑟
𝐾𝑎𝑡𝑡 = 𝑇𝑎𝑡𝑡 𝑅𝑎𝑡𝑡 ∀ 𝑎𝑡𝑡 ∈ 𝑆.
When 𝑔𝑖𝑑 visits 𝐶𝐴𝑑 , 𝐶𝐴𝑑 regards 𝑆𝑑
= { 1, 𝑑 , 2, 𝑑 , … (𝐾, 𝑑)}
as the “attributes” of the user:
𝑉𝑘,𝑑 takes the place of 𝑇𝑎𝑡𝑡
 [Ours]𝐶𝐾𝑒𝑦𝐺𝑒𝑛 𝑔𝑖𝑑, 𝑑 → (𝐾𝑔𝑖𝑑,𝑑 , 𝐿𝑔𝑖𝑑,𝑑 , Γ𝑔𝑖𝑑,𝑑,𝑘 𝑓𝑜𝑟 𝑘 = 1 𝑡𝑜 𝐾).
𝐾𝑔𝑖𝑑,𝑑 = 𝑔𝛼𝑑 ℎ𝑟𝑔𝑖𝑑,𝑑 𝑅0 , 𝐿𝑔𝑖𝑑,𝑑 = 𝑔𝑟𝑔𝑖𝑑,𝑑 𝑅0′ ,
Γ𝑔𝑖𝑑,𝑑,𝑘 = 𝑉𝑘,𝑑
𝑟𝑔𝑖𝑑,𝑑
(𝑘 = 1 𝑡𝑜 𝐾),
𝜎𝑔𝑖𝑑,𝑑 = 𝑠𝑖𝑔𝑛(𝑠𝑖𝑔𝑘𝑑 , 𝑔𝑖𝑑|| 𝑑|| 𝐿|| Γ𝑔𝑖𝑑,𝑑,1 || … ||Γ𝑔𝑖𝑑,𝑑,𝐾 ) .
𝐶𝐴𝑑 uses Γgid,d,k to show to 𝐴𝐴𝑘 that the corresponding 𝐿𝑔𝑖𝑑,𝑑 is generated
honestly.
23
Conclusion
We constructed an MA-CP-ABE system, where
 Different domains of attributes are managed by different attribute
authorities, which operate independently from each other.
 No authority can independently decrypt any ciphertext.
LOSTW10
(SA-) CP-ABE
LW10
MA-CP-ABE
Ours
MA-CP-ABE
Standard Model
Multi-Authority
Prevent Decryption by
Individual Authority
Partially
Size of Ciphertext
𝟐𝒍 + 𝟐
𝟑𝒍 + 𝟏
𝟐𝒍 + 𝟐
Size of Secret key
𝑺 +𝟐
|𝑺|
𝑺 + 𝑫(𝑲 + 𝟐)
𝟐 𝑰 +𝟏
𝟐|𝑰|
𝟐 𝑰 +𝟏
𝑼 +𝟑
𝟐|𝑼|
𝑼 +𝟑+𝑫
Pairing Computation
of Decryption
Size of Public key
24
Extensions
 Large attribute universe construction:
 The size of public key is linear in |𝑈|.
 It can be avoided by using the idea of interpolation.
 Improving performance and reliability of the
system:
 In this paper, 𝛼 = 𝛼1 + 𝛼2 + ⋯ + 𝛼𝐷 is used to
distribute 𝛼 to 𝐷 CAs. It is a (𝐷, 𝐷)-threshold policy, so
that all CAs must remain active.
 In the full version of this paper, general 𝐷, Δ -threshold
policy is used. Only when 𝐷 CAs are involved, they can
decrypt a ciphetext. The system works as long as no
more than Δ − D CAs fail.
25
References
• [SW05] Sahai, A., Waters, B.: Fuzzy identity-based encryption.
EUROCRYPT 2005.
• [GPSW06] Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based
encryption for finegrained access control of encrypted data. ACM CCS
2006.
• [BSW07] Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attributebased encryption. IEEE Symposium on Security and Privacy, 2007
• [CN07] Cheung, L., Newport, C.C.: Provably secure ciphertext policy abe.
ACM CCS 2007
• [GJPS08] Goyal, V., Jain, A., Pandey, O., Sahai, A.: Bounded Ciphertext
Policy Attribute Based Encryption. ICALP 2008, Part II.
• [Waters08/11] Waters, B.: Ciphertext-policy attribute-based encryption:
An expressive, efficient, and provably secure realization. PKC 2011
• [LOSTW10]Lewko, A.B., Okamoto, T., Sahai, A., Takashima, K., Waters, B.:
Fully secure functional encryption: Attribute-based encryption and
(Hierarchical) inner product encryption. EUROCRYPT 2010.
26
Reference
• [OT10] Okamoto, T., Takashima, K. : Fully secure functional encryption
with general relations from the decisional linear assumption. CRYPTO
2010.
• [MKE09] M¨uller, S., Katzenbeisser, S., Eckert, C.: On multi-authority
ciphetext-policy attribute-based encryption. Bulletin of the Korean
Mathematical Society 2009.
• [LW11] Lewko, A., Waters, B.: Decentralizing attribute-based encryption.
EUROCRYPT 2011.
27
Thanks.
Q&A
28