Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Revocation Systems with Very Small Private Keys

advertisement 
Revocation Systems with Very
Small Private Keys
Allison Lewko
Amit Sahai
Brent Waters
The University of Texas
at Austin
University of California,
Los Angeles
The University of Texas
at Austin
Broadcast Encryption [FN’93]
Public Params
MSK
ID1
Ciphertext
ID2
Sender
ID3
Revocation
Receivers
Simple Solution – Long Ciphertexts
Encrypt to each user
ID1
ID2
ID3
ID4
Problem: very inefficient
Revocation
S = Set of Revoked
Users
S
Message
Public Params
Encryption
(short) CT – not readable
by users in S
Revocation System Algorithms
Setup
MSK
Public Params
KeyGen(MSK, ID)
ID
Encrypt(S, PP,M)
Decrypt(S,CT, ID, SKID)
S
M, when ID  S
Security Threat: Collusion
ID1
ID2
Revoked Users May Collude
Adaptive Security Definition
Challenger
Setup
Challenge
Key Queries
Attacker
Public Params
MSK
ID1
ID1
Encrypt(Mb, PP, S)
ID2
M0, M1, S
ID2
Revoked set S must include all queried users
Attacker must guess b
Our Two Equations Technique
Example: revoking ID*
User ID
Known values
aID + b = c
aID* + b = d
Unknown values
ID = ID*
Dependent equations
User ID*
can’t solve
Revoking Many Users
Revoking ID1, … ,IDr
r pairs of equations:
a1ID + b1 = c1
a2ID + b2 = c2
ith revoked user
can’t solve
a
ID
th
r
i pair

+ br = cr
a1ID1 + b1 = d1
a2ID2 + b2 = d2

arIDr + br = dr
Problem: Collusion
Revoked users ID1 and ID2 collude:
ID1
a2ID1 + b2 = c2
a2ID2 + b2 = d2
ID2
a2, b2
a1, b1
a1ID2 + b1 = c1
a1ID1 + b1 = d1
Together, they can solve everything!
Solution: Personalized Unknowns
Unknowns depend on user’s key
ID1
-a2, -b2
Needs -a1, -b1
Computes -a2, -b2
~
a1, ~
b1 ID2
Computes ~
a1, ~
b1
Needs ~
a2, ~
b2
Summary of Our Technique
ID1
S = {ID1, … , IDr}
ID2
Message M
ID3
Split into r shares
ID4
Preventing Collusion
What if revoked users try to
combine their shares?
Private keys personalize reconstruction:
Everyone is doing a different puzzle
Our System
 Public key: O(1) group elements
 Private keys: O(1) group elements
 Ciphertext: O(r) group elements (r = # revoked users)
 Adaptive security from simple assumptions
Why Key Size Matters
 Small Public Keys:
 Public Key does not grow with number of users
 Adding new users does not require changing public key
 Small Private Keys:
 Easily stored on small receiving devices
 Reduced memory cost
(Only private key needed for decryption)
 Efficient Attribute-Based Encryption with nonmonotonic access formulas
Previous Systems
Some Previous Systems:
[KD’98, NP’00, NNL’01, DF’02, BGW’05,
DPP’07, GW’09]
All of these have: (n = # users in the system, r = #
revoked users)
Private key size at least (log n) or
Public key size at least (r) or (n)
Most proven selectively secure (weaker security)
Our Systems
 Simple version
 proven selectively secure from new non-interactive
assumption
 Second version
 proven adaptively secure from Decisional Linear and
Decisional Bilinear Diffie-Hellman Assumptions
Our System (simple version)
Setup: G – group of order p with bilinear map e
Public Key:
Master Secret Key:
Personalization
KeyGen(MSK, ID):
Private Key for ID:
Encrypt(PK, M, S):
split into pieces
Ciphertext:
Decrypt(S, CT, ID, SKID):
fails for ID = IDi
How It Works
e(C0, D0) = e(gs, g®gtb2) = e(g,g)®s e(g,g)stb2
Blinding factor
Personalized by t
e(g,g)stb2 = e(g,g)s1tb2  e(g,g)srtb2
Solve for using
e(D1, C1,1) = e((gbIDh)t, gbs1)
= e(g,g) b2ts1ID e(h,g)tbs1
e(D2,C1,2) = e(g-t,(gb2 ID1hb)s1)
= e(g,g)-b2t s1ID1 e(g,h)-tbs1
How It Works
Two equations in two unknowns (atbs1 and b2ts1):
(let h = ga)
b2ts1ID + atbs1 = c1 and b2ts1ID1 + atbs1 = c2
If ID  ID1, equations are independent
– solve for unknowns
If ID = ID1, equations are dependent
– cannot solve for atbs1 and b2ts1
How It Works - Summary
 User IDi won’t be able to compute the i-th share
 All non-revoked users can decrypt,
All revoked users cannot
 Collusion among revoked users won’t help
since they have different t values
Adaptive Security from Simple Assumptions
 Our Simple System
– selectively secure under a new assumption
Techniques of our simple system
+
Dual System Encryption [W’09]
=
 System that is adaptively secure under Decisional Linear
and Decisional Bilinear Diffie-Hellman Assumptions
ABE with Non-Monotonic Access Formulas [OSW’07]
Attribute-Based Encryption:
Ciphertexts: associated with attributes
{A, B, D}
Secret Keys: associated with access formulas
(A Ç B) Æ : C
Decryption:
(A Ç B) Æ : C
{A, B, D} satisfies (AÇB)Æ: C
{A, B, D}
M
ABE with Non-Monotonic Access Formulas
Strategy: combine monotonic ABE with Revocation
:C
Negated attribute
Revoked user
Small keys for Revocation - needed to prevent large blowup of
key size for the ABE scheme
Previous Systems
Non-Monotonic ABE: [OSW’07]
 Adapted [NP’00] revocation scheme to
monotonic ABE scheme of [GPSW’06]
 Private key size for ABE multiplied by O(log n),
where n = max # attributes per ciphertext
Non-Monotonic ABE
Blinding factor for revocation: e(g,g)®s
For each negated attribute : A:
®
replace by
Secret share of ® for :
Applying this with our simple scheme gives
non-monotonic ABE without O(log n) blowup
A
Summary
 Small Keys and strong security achieved simultaneously
 More efficient non-monotonic ABE
Questions?
Related documents
Significant Concepts in the MYP
Significant Concepts in the MYP
Primary Years Program
Primary Years Program
Williams - International Technology and Engineering Educators
Williams - International Technology and Engineering Educators
Things Fall Apart by Chinua Achebe
Things Fall Apart by Chinua Achebe
Lecture Note 1 (English)
Lecture Note 1 (English)
Contemporary World Sec. 5 D` O* venons Nous?, Que
Contemporary World Sec. 5 D` O* venons Nous?, Que
Automated Security Testing with Formal Threat Models
Automated Security Testing with Formal Threat Models
Integrating_Career_Awareness
Integrating_Career_Awareness
11CS10010
11CS10010
Haggis 2.1 - Mathematical & Computer Sciences
Haggis 2.1 - Mathematical & Computer Sciences
Download
advertisement