Thesis PDF

Attribute Based Cryptology
A Project Report
submitted by
SUBHASHINI VENUGOPALAN
in partial fulfilment of the requirements

for the award of the degree of
MASTER OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

INDIAN INSTITUTE OF TECHNOLOGY MADRAS
April 2011
THESIS CERTIFICATE
This is to certify that the thesis titled Attribute Based Cryptology, submitted
by Subhashini Venugopalan, to the Indian Institute of Technology, Madras, for
the award of the degree of Master of Technology, is a bona fide record of the
research work done by her under our supervision. The contents of this thesis, in
full or in parts, have not been submitted to any other Institute or University for
the award of any degree or diploma.
Prof. C. Pandu Rangan

Research Guide
Professor
Dept. of Computer Science and Engg
IIT-Madras, 600 036
Place: Chennai
Date: 30 April 2011
To the memory of my grandparents
This work is licensed under the Creative Commons Attribution 3.0 License.
ACKNOWLEDGEMENTS
I am deeply indebted to Prof. C. Pandu Rangan for his inspiration, support and guid-
ance throughout my course here. His passion and enthusiasm for teaching, sharing his
knowledge and motivating students has not only amazed me, but has made an admirer of
everyone who has been taught by him. To me, he has been more than a research advisor,
his advice on topics ranging from philosophy to sports have benefited and enriched me
in several ways. Whenever I have approached him to discuss ideas for my project, or
any generic problem, or even something personal, I have always found an eager listener.
He has also been a fun and enthusiastic partner to discuss various puzzles and riddles.
I’m grateful to him for being very supportive in letting me pursue my interests outside
of academics, and encouraging me to learn and read widely. I’m happy to be a part
of his lab which is a treasure house of knowledge and a place that offers an excellent
environment for research. Not to forget, his sense of humour, and his jovial and affec-
tionate nature have made the lab a lively and fun place to be in. I’m grateful for this
opportunity and look forward to continue my interactions with him in future.
I would like to express my gratitude to Sharmi and Vivek with whom I have had
many insightful discussions, which have bettered my understanding of various topics
in cryptography. My debates with Sharmi were thoroughly enjoyable and have been
rewarding in terms of the sheer number of ideas that have resulted from them. My other
labmates, Akash, Bhargav, Billy, Chaya, Esha, Prateek, Preetha ma’am, and Sangeetha
have been a wonderful peer group to bounce off thoughts on various topics academic
and otherwise. The company of Bhargav, Pandu Rangan sir, and Venkie (of Microsoft
Research) always results in some rib-tickling jokes that have had the lab rolling with
laughter for days on end. Bhargav, apart from being the entertainer, along with Chaya
are great companions to brainstorm on math games and puzzles as well. All of these
people along with former labmates Sai, Shinku and Swarun have made my time in the
TCS lab stimulating and memorable.
I’d like to extend my thanks to Dr. Shankar Balachandran; his dedication and energy
are infectious, and I’m glad I had the opportunity to be his teaching assistant for 3
semesters. Working with him has been a delightful experience. I am also grateful to
Dr. Narayanaswamy for the interesting interactions we have had, and for the time and
energy he has devoted to me. I also take this opportunity to thank Professors Kamakoti,
Krishna Sivalingam, Kamala Krithivasan, Sreenivasa Kumar, Hema Murthy, Dr. Shailesh
Vaya, and Dr. Alan Davy who have all made my courses here pleasurable. I thank my
faculty advisors Prof. Janakiram and Dr. Madhu Mutyam; and also Dr. Ashish , Dr.
Chandra Sekhar, Prof. Siva Ram Murthy, and Dr. Ravindran for their constant support
and words of encouragement. Special thanks to Dr. Jayalal for instituting the theory
seminars which are exciting and informative. I am grateful to the entire computer science
department for their words of appreciation and the faith they have shown in me.
My thanks also goes to all my batchmates who have made the atmosphere in my
classes lively and thought provoking. Special mention to Smruthi and her wonderful circle
of friends who have made my life at IITM complete. Last, but most importantly, I’m
grateful to my parents, sister, and family for their love, blessings and support throughout
this endeavour.
i
ABSTRACT
KEYWORDS: attribute based, cryptosystems, encryption, signatures, effi-

cient, multi-level, threshold, security.
The problems of confidentiality, authenticity and anonymity have been studied

for long in cryptography, and the notion of provable security is the foundation
for most, if not all, modern cryptographic research. With great advancements
in technology, there is also a need to define and view these concepts of security
under various dimensions. One such recent dimension of security is the attribute
based view that has been conceived by the requirements in a distributed setting.
Attribute based encryption and signature schemes have been developed in order
to give a more fine grained access control. Presently attribute-based systems have
wide applicability in a number of new decentralized settings and address some
exciting problems. In this thesis we propose an efficient attribute-based encryp-
tion(ABE) scheme , with support for multi-level threshold predicates.We also dis-
cuss regarding the security of some attribute-based signature(ABS) schemes and
give the construction for a threshold ABS scheme based on a novel approach.
In this work we first look at ABE. Anonymous access control is a very de-
sirable property in various applications, e.g. encrypted storage in distributed
environments; and attribute based encryption is a cryptographic scheme that is
targeted to achieve this property. ABE is an encryption mechanism that is useful
in settings where the list of users may not be known apriori. Here, all users may
possess some credentials, and these are used to determine access control and also
provide a reasonable degree of anonymity with respect to the user’s identity. Ci-
phertext policy attribute based encryption is a scheme that gives a natural way
to separate the credentials from the access policy and cleverly combine them at a
later stage to provide secure access to protected data. In most ABE schemes the
size of the ciphertext is quite large and is of the order of the number of attributes.
In this work we present our approach for a multi-level threshold attribute based
encryption which is independent of the number of attributes.
Secondly, we consider ABS schemes. Attribute-based signatures allow users
possessing a set of credentials to sign documents; although the credentials of the
signer can be verified, signers can still continue to retain a reasonable degree of
anonymity. This thesis discusses certain aspects regarding the security of some
attribute based signature schemes. In particular we show multiple breaks in the
existing threshold attribute based signature schemes in [LAS+ 10]. We first claim
that the scheme is not secure since it allows, a signer without sufficient attributes
- to satisfy the threshold of the access policy to sign a document and pass the
necessary verification. Then, we show that a signer possessing keys for some
attributes can perform universal forgery and produce a signature that can satisfy
ii
the threshold for a set of attributes she does not possess. Finally, we show a total
break in the system, where the attacker can act as the key generating authority
and use her knowledge of the secret key to generate private keys for other users.
We also include examples of the attacks to highlight the flaws of this scheme and
other schemes appearing in [LK08, SSN09, KABPR10, LK10] which have the same
or a similar key construct.
Our next move aims at overcoming the above mentioned attacks. For that, we
propose a novel threshold ABS scheme based on the concept of ring signatures.
Ring signatures [RST01] enable a signer to keep her identity hidden within the
identities of a group of n people who form the ring. We use this as a foundation
and create a threshold ABS scheme, where the signer has to keep a threshold
of t attributes, in her possession, anonymous from a given set of n∗ attributes.
Previous ABS schemes were largely derived from ideas in the encryption(ABE)
schemes. This thesis proffers a new ABS scheme based on ring signatures and
lends attribute-based signatures a different outlook.
iii
TABLE OF CONTENTS
ACKNOWLEDGEMENTS i
ABSTRACT ii
LIST OF TABLES viii
LIST OF FIGURES ix
ABBREVIATIONS x
NOTATION xi
1 Introduction 1
1.1 Attribute-Based Encryption . . . . . . . . . . . . . . . . . . . . 1
1.2 Attribute Based Signatures . . . . . . . . . . . . . . . . . . . . . 4
1.3 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4.1 Efficient ciphertext-size threshold ABE . . . . . . . . . . 6
1.4.2 Security of threshold ABS . . . . . . . . . . . . . . . . . 6
1.4.3 New threshold ABS scheme . . . . . . . . . . . . . . . . 7
1.5 Organization of the Thesis . . . . . . . . . . . . . . . . . . . . . 7
2 Preliminaries 9
2.1 Bilinear Pairing . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Hardness Assumptions . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.1 Computational Diffie-Hellman Assumption . . . . . . . . 9
2.2.2 Decisional Diffie-Hellman Assumption . . . . . . . . . . . 9
2.2.3 Computational Bilinear Diffie-Hellman Assumption. . . . 10
2.2.4 Decisional Bilinear Diffie-Hellman Assumption . . . . . . 10
iv
2.2.5 Decision Linear Assumption . . . . . . . . . . . . . . . . 10
2.2.6 Bilinear Diffie-Hellman Exponent Assumption . . . . . . 10
2.2.7 Augmented Multi-sequence of Exponents D-H Problem . 10
2.3 Secret Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3.1 Linear secret sharing schemes . . . . . . . . . . . . . . . 11
2.3.2 Shamir’s secret sharing scheme . . . . . . . . . . . . . . 12
2.3.3 Lagrange interpolation . . . . . . . . . . . . . . . . . . . 12
2.4 Primitives for Attribute-based Encryption and Signatures . . . . 13
2.4.1 CP-ABE scheme algorithms . . . . . . . . . . . . . . . . 13
2.4.2 ABS algorithms . . . . . . . . . . . . . . . . . . . . . . . 13
2.5 Waters’ signature . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.6 Forking Lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3 Existing Threshold Attribute-based Cryptosystems 17

3.1 Inception of Attribute Based Encryption . . . . . . . . . . . . . 17
3.2 CP-ABE Schemes with Efficient Ciphertext-Size . . . . . . . . . 19
3.3 Development of Attribute Based Signatures . . . . . . . . . . . 21
3.4 Threshold Attribute-Based Signatures . . . . . . . . . . . . . . . 22
4 Efficient Multi-level Threshold CP-ABE 25

4.1 Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.3 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.3.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.3.2 Key Generation . . . . . . . . . . . . . . . . . . . . . . . 27
4.3.3 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.3.4 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.4 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.4.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.4.2 Generating the keys . . . . . . . . . . . . . . . . . . . . . 30
4.4.3 Encrypting a message . . . . . . . . . . . . . . . . . . . . 31
4.4.4 Decrypting the ciphertext . . . . . . . . . . . . . . . . . 32
v
5 On The Security of Attribute Based Signatures 35
5.1 Efficient Threshold ABS Scheme . . . . . . . . . . . . . . . . . . 35
5.1.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5.1.2 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5.1.3 Extract . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.1.4 Sign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.1.5 Verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2.2 Extract . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2.3 Preliminaries for the attack . . . . . . . . . . . . . . . . 37
5.2.4 Attack 1: Forgery without satisfying threshold . . . . . . 39
5.2.5 Attack 2: Universal forgery . . . . . . . . . . . . . . . . 40
5.2.6 Attack 3: Total break - impersonating key issuing authority 41
5.3 Attacks on schemes with similar key construct . . . . . . . . . . 41
5.3.1 Total break on attribute based ring signature scheme . . 42
5.3.2 Break on threshold attribute based signature scheme . . 42
5.3.3 Attack on ABS with multiple attribute authorities . . . . 43
5.3.4 Attack on multi-level threshold ABS scheme . . . . . . . 46
5.3.5 Total break on hidden ABS without anonymity revocation 48
5.4 Summary of attacks . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.5 Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6 New Threshold Attribute-Based Signature Scheme 50

6.1 Underlying Ring Signature . . . . . . . . . . . . . . . . . . . . . 51
6.1.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . 51
6.2 New ABS Scheme Construction . . . . . . . . . . . . . . . . . . 52
6.2.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.2.2 Key Generation . . . . . . . . . . . . . . . . . . . . . . . 53
6.2.3 Sign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.2.4 Verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
vi
6.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.3.1 Security Notions . . . . . . . . . . . . . . . . . . . . . . 56
6.3.2 Modified Computational Bilinear Diffie-Hellman Assump-
tion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.3.3 Unforgeability . . . . . . . . . . . . . . . . . . . . . . . . 57
6.3.4 Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.4 Advantages of the new approach . . . . . . . . . . . . . . . . . . 62
7 Conclusions and Directions for Future Work 64

7.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
7.1.1 Threshold CP-ABE . . . . . . . . . . . . . . . . . . . . . 64
7.1.2 Attribute Based Signatures . . . . . . . . . . . . . . . . 65
7.1.3 Threshold ABS - New Directions . . . . . . . . . . . . . 65
7.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
A Detailed Analysis of Proof 67

A.1 Sign Oracle Correctness . . . . . . . . . . . . . . . . . . . . . . 67
A.1.1 Verification analysis . . . . . . . . . . . . . . . . . . . . . 68
A.2 Correctness of Solving CBDH . . . . . . . . . . . . . . . . . . . 69
References 70
LIST OF TABLES
3.1 Comparison of PK, SK and ciphertext sizes . . . . . . . . . . . 20
5.1 Table summarizing the attacks . . . . . . . . . . . . . . . . . . . 48
viii
LIST OF FIGURES
1.1 Representation of the access policy as a tree. . . . . . . . . . . . 2

1.2 Threshold access policy to represent 3-out-of(“Colonel”, “Major”,
“Navy”, “Op-X”, “Op-Y” , “Op-Z”). . . . . . . . . . . . . . . . . . 3
4.1 Multi-level threshold tree. . . . . . . . . . . . . . . . . . . . . . 25

4.2 Access tree structure for a multi-level predicate. . . . . . . . . . 30
4.3 Examples of access tree satisfaction. . . . . . . . . . . . . . . . . 31
4.4 Encryption - Generating shares using the Shamir’s secret sharing
idea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
6.1 Ring ABS where each alleged member of the ring has 4 attributes. 50
ix
ABBREVIATIONS
ABE Attribute-Based Encryption
ABGS Attribute Based Group Signature
ABS Attribute-Based Signature
aMSE-DDH Augmented Multi-sequence of Exponents Diffie-Hellman Assump-

tion
CBDH Computational Bilinear Diffie-Hellman Assumption
CDH Computational Diffie-Hellman Assumption
CMA Chosen Message Attack
CP-ABE Ciphertext-Policy Attribute Based Encryption
CPA Chosen Plaintext Attack
DBDH Decisional Bilinear Diffie-Hellman Assumption
DDH Decisional Diffie-Hellman Assumption
DLIN Decision Linear Assumption
KP-ABE Key-Policy Attribute Based Encryption
LSSS Linear Secret Sharing Schemes
m-CBDH modified Computational Bilinear Diffie-Hellman Assumption
MK Master Secret Key
MSP Monotone Span Program
NIWI Non-Interactive Witness Indistinguishability
NIZK Non-Interactive Zero Knowledge
PK Public Key
q-BDHE q-Bilinear Diffie-Hellman Exponent Assumption
SK Secret Key
t-ABS threshold Attribute Based Signature
TA Trusted Authority
x
NOTATION
G, G1 , G2 , GT Cyclic groups of prime order p

g Generator of group G
p, q Large primes
e(·, ·) A bilinear pairing
∆i,S (x) Co-efficient for Lagrange’s interpolation
T Multi-level threshold circuit
Zp Finite field of prime order p
CT Ciphertext
⊥ Null
D User’s signing secret keys
σ Signature
Υ Signing Predicate (policy)
C Challenger
A Adversary
k, λ Security parameter
m Message
msk Master secret key
params Public Parameters
xi
CHAPTER 1
Introduction
A public-key cryptosystem comprises of mechanisms to provide confidentiality,

through public key encryption, and authenticity, through digital signatures. In
such a system, the parties involved in communication - sender and receiver -
maintain a pair of keys each, in order to perform either of the two operations of
encryption or signing. Depending on the application, there have been a variety of
public key cryptosystems proposed. A recent addition to this assortment is the
attribute based system. Unlike in traditional cryptography where the intended
recipient or the signer’s identity is clearly known, in an attribute based systems
one only needs to specify the attributes or credentials of the recipient(s) or the
signer in the form of a predicate that is to be satisfied. This feature enables secure
data sharing even in a decentralized setting, providing both fine-grained control
on access and some degree of anonymity for the participants. In this thesis, we will
look at attribute-based systems with special focus on those that support threshold
predicates.
1.1 Attribute-Based Encryption

There are several settings where a user would want to give access to documents
based on certain credentials or the position/role of a person. This may be com-
parable with ‘Views’ in a database. We would want different kind of users of the
database to be able to see only those contents that are relevant to them. Similarly,
in a distributed setting where all the data may be stored in a server, the server
might allow access to files and documents based on some predefined access control
policy, for instance, clients may have to provide proper certification to retrieve
specific files. In such cases, if the data(storage) in the database or server is com-
promised, then although it may be in the encrypted form, anyone who has access
to the database or server may be able to retrieve all information including those
documents that may not be relevant to them. To be more specific, any normal
user of the database who gets his/her hands on the compromised data may now
be able to get those files which were restricted and whose access was determined
by some application in the database or server.
ABE. ABE was first introduced by Sahai and Waters in [SW05, GPSW06]. It
provides a mechanism by which we can ensure that even if the storage is com-
promised, the loss of information will only be minimal. What attribute based
encryption does is that, it effectively binds the access-control policy to the data
and the users(clients) instead of having a server mediating access to files. To
understand this better, we will take a closer look at what constitutes an attribute-
based system, with particular attention to ABE.
Access Policy. An access control policy would be a policy that defines the kind
of users who would have permissions to read the documents. e.g In an academic
setting, grade-sheets of a class may be accessible only to a professor handling the
course and some teaching assistants (TAs) of that course. We can express such a
policy in terms of a predicate:
( (Professor ∧ CS dept.) (M.tech student ∧ CS-410 TA ∧ CS dept.) )

W
OR
AND AND
Prof CS M.Tech CS CS410-TA
Figure 1.1: Representation of the access policy as a tree.
We will call the various credentials (or variables) of the predicate as attributes
and the predicate itself which represents the access policy as the access-structure.
In the example here the access structure is quite simple. But in reality, access
policies may be quite complex and may involve a large number of attributes.
Properties. There are two major features to attribute based encryption:

1. It has the capacity to address complex access control policies.
2. The exact list of users need not be known apriori. Knowledge of the access
policy is sufficient.
Also, an important property that attribute based encryption schemes must

satisfy is that of collusion resistance. Collusion resistance means that, if 2 or
more users possessing different keys combine to decrypt the ciphertext, they will be
successful if and only if any one of the users could have decrypted it individually.
In other words, even if multiple parties collude, they should not be able to decrypt
the ciphertext unless one of them was able to decrypt it completely by herself.
These properties ensure that only users possessing the right keys have access to
the information. Moreover, as the encryption is based on the access-structure it
implicitly assures anonymous access control.
2
Types of ABE. ABE can be categorized in to two types depending on whether
the attributes are embedded in the ciphertext or whether the access-structure is
embedded in the ciphertext. The first is the Key-policy based ABE (KP-ABE)
which was infact the initial form of attribute based encryption that was developed.
It was originally introduced in [SW05] and later by Goyal et al. in [GPSW06] and
by Ostrovsky et al. [OSW07]. In KP-ABE they encrypt the attributes along with
the data and give the access structure to each user as part of their secret key. But
attribute based encryption is more applicable in the regular world if the access-
structure can be embedded in the ciphertext and the users can have their attributes
saved in their secret keys. This second form of ABE is known as ciphertext-policy
based (CP-ABE) and was introduced by Bethencourt et al. [BSW07]. Both these
initial schemes [GPSW06, BSW07] were largely based on the secret sharing scheme
developed by Shamir [Sha79]. However, it is ciphertext policy based ABE that has
become more popular in later schemes like in [CN07, GJPS08, NYO09, GNSN10]
and others. This might be largely due to the fact that CP-ABE represents a
natural and more intuitive way to view attribute based encryption.
Threshold. In this thesis we will be targeting threshold access policies. Let’s

take an example to understand what a threshold predicate is. Say Bob wants to
encrypt and send a message to people who have atleast 3 out of 6 properties - {
Colonel, Major, Navy, Op-X, Op-Y , Op-Z }. i.e The recipient should have any 3 of
the properties: a) Colonel, b) Major, c) Navy, d) worked in operation-X, e) worked
in operation-Y, f) worked in operation-Z . For instance, a person who successfully
decrypts the message may be an army major with experience in operations X and
Y. Equivalently, the message can be opened by a naval colonel who has worked in
operation Z. Thus 3 is just a minimum threshold of the attributes that must be
satisfied by the recipient. In general, if the threshold is (t, n); then the decryptor
must have t or more of the specified n attributes.
3-of-6
Colonel Major Navy Op-X Op-Y Op-Z
Figure 1.2: Threshold access policy to represent 3-out-of(“Colonel”, “Major”,

“Navy”, “Op-X”, “Op-Y” , “Op-Z”).
The above figure [1.2] is an example where the threshold gate is a single pred-
3
icate. A regular access policy may consist of just a single threshold gate or there
may be even predicates where the threshold gate is a sub-node under some other
operation like AND or OR.
We will look at attribute based encryption and threshold CP-ABE schemes in
greater detail in Chapter(3) of this thesis.
1.2 Attribute Based Signatures

There are several situations where one may need to obtain some permissions or a
signature from an authority having certain credentials, but it may be immaterial
as to who the specific authorizer is. For example, Alice may need an approval
from a major in the army or a captain in the navy but it may not matter as to
who exactly gave her the permissions. There are also other situations where one
may need to prove that they possess specific credentials but would not want to
reveal all their personal details in doing so. Let’s take an example where Bob, a
captain in the navy, is going to a secret officers meet. He wouldn’t want to reveal
more about himself except to prove that he is an officer who is within his rights
in attending the meet. These are cases where attribute based signatures can be
useful.
ABS. Attribute based signature is a cryptographic primitive in which users pro-

duce signatures based on some predicate of attributes, using keys issued by one
or more attribute authorities. ABS has largely been inspired by attribute based
encryption schemes [GPSW06, BSW07, Wat08]. Attribute based systems are ap-
plicable in settings where there is a need for a complex policy to govern the access
of a document or provide authentication. These systems are also privacy-friendly
since they deal with the attributes of a user and not with any direct identity that is
associated with the signer. In this sense, ABS is similar to signature variants like
Group signatures [Cam97], Ring signatures [RST01] and Mesh signatures [Boy07].
The dominant idea of all these signature primitives is that they allow the signer
fine-grained control over the amount of personal information exposed. However,
it is important to note that a valid ABS signature guarantees that only a per-
son possessing the required attributes that satisfy the predicate can produce a
signature.
Signing policy. A notable feature of ABS is that, unlike other signature schemes
attribute based systems are capable of supporting complex predicate policies. For
instance, some permissions can be approved only by a person who is: ((Major)
AND (in Army OR Navy)) OR (Captain AND in Operation-Star) OR (Com-
mander AND in Operation-X) . Moreover, a valid signature based on the above
predicate would only indicate one of the four possibilities for the signer: a) Major
in Army or b) Major in Navy or c) Captain in Operation-Star or d) Commander in
Operation-X; but it would not reveal which of these the signer actually is. Also, a
person who is not any of the four would not be able to produce a valid signature.
4
We would like to remark here that, signing policies are similar to access policies
and both of them are predicates on some attributes.
Collusion. Another important property of attribute based systems is collusion

resistance. This essentially means that multiple parties cannot collude and com-
bine all their attributes to produce a valid signature if any one party could not
do it individually. For example, a commander in the airforce and a captain in
operation-X should not be able to somehow combine their attributes to produce
a valid signature for the above predicate.
1.3 Motivation
In our thesis we look at threshold ABE and ABS schemes. The most appealing
fact about threshold gates is that they are very expressive and encompass the
other common AND and OR gate access structures as well.
In most of the existing ABE schemes, the size of the ciphertext is very large,
it is usually in the order of the number of attributes under consideration. Most
efficient schemes with expressive access control have ciphertext size proportional
to the number of attributes involved [Wat08]. There have also been works on
constant size CP-ABE schemes. A good number of the constant size ciphertext
schemes are applicable only to some restricted access structures that use only AND
gates [ZH10, EMN+ 09]; and those that support threshold, like the work of Herranz
et al. [HLR10], are suitable only in the case where the predicate has a single gate
(threshold or otherwise). This motivates us to work towards obtaining a more
expressive, multi-level threshold CP-ABE whose ciphertext-size is independent of
the number of attributes.
Aside from that, endeavors in ABE have also spurned attribute based signa-
tures. Hence, it is not surprising that attribute based signature constructions have
properties like collusion resistance and predicate policies similar to that of ABE;
additionally, they borrow some of the building blocks, like secret sharing, to en-
gender these features. Our study on threshold attribute-based signature schemes
have led us to observe that, unlike in most threshold ABE constructions, threshold
ABS schemes using secret sharing give the signer more secret components (in the
form of dummy attributes) than he/she should possess. Primary objective of that
is to enable the signer with more components so as to reveal less about his/her
identity and give a greater degree of anonymity. This instigates us to probe the
schemes from an adversarial standpoint and inspires us to make a detailed study
on the security aspects of ABS schemes.
5
1.4 Contributions
1.4.1 Efficient ciphertext-size threshold ABE
A part of this work focuses on an approach to get a multi-level threshold CP-ABE

where the ciphertext size is independent of the number of attributes. The multi-
level threshold access structure is more expressive and can be used to represent
complex access control policies. To be more specific, this access predicate can
have a threshold gate at every level of the access tree i.e. we can have a node
as a threshold-gate and further, even the children of that node can be threshold
nodes until we reach the leaves which form the attributes. We propose a scheme
that supports such an access structure and at the same time is efficient in terms of
the number of ciphertext components. The main advantage of such a multi-level
threshold structure is that, the threshold-gate can also be converted to just AND
or OR gate. Hence, a scheme that can support threshold gates at every level
of the access tree, can essentially be transformed to suit any complicated access
predicate, making it highly expressive. In addition, the size of the ciphertext in
our scheme depends on the complexity of the access policy as opposed to the
cardinality of the universe of attributes.
1.4.2 Security of threshold ABS
In the second part of this thesis we show attacks on the threshold attribute based
signature scheme proposed by Li et al. [LAS+ 10]. We claim that the scheme is
insecure since,
• a signer who does not possess the necessary number of attributes to satisfy
the threshold of the predicate can still produce a valid signature.
• a signer with some attributes, completely unrelated to the attributes of the

predicate can perform universal forgery.
• an attacker can find a total break in the system and obtain a component of
the secret key with which she can pose as the key generating authority.
Since our attack is based on the key construct in the scheme, we show that
one or more of these breaks also hold for the following schemes which have similar
key generation algorithm:
a) The ABS scheme with multiple attribute authorities, which is the second
scheme proposed in [LAS+ 10];
b) Attribute based ring signature scheme in [LK08];
c) The threshold attribute based signature by Shahandashti et al. [SSN09] which

is derived based on [LK08];
d) ABS for multi-level threshold circuits by Kumar et al. [KABPR10] and
6
e) Hidden attribute-based signatures without anonymity revocation by [LK10].
We also give our observations on why these attacks are applicable on these
schemes and mention our inferences.
1.4.3 New threshold ABS scheme
This thesis also proffers a novel approach to threshold attribute based signatures.
Our approach is based on ring signature schemes and looks at forming a ring
of aggregated sets of attributes. Using this idea, we provide a threshold ABS
construction based on the efficient ID-based ring signature scheme in [CYH05].
We have shown the security of our scheme in the random oracle model.
1.5 Organization of the Thesis

In Chapter 2, we begin with the formal definitions and fundamental concepts
needed to follow attribute-based encryption and signature schemes . We dis-
cuss some preliminaries and then proceed to the hardness assumptions used in
select ABE and ABS proofs. We then present the basic ideas on which thresh-
old attribute-based cryptosystems are built on, like Shamir’s secret sharing and
Waters’ signature.
Chapter 3 contains the development of attribute-based encryption, signatures
and some applications. It is a survey of the literature related to our problems.
We devote specific sections for efficient ciphertext-size CP-ABE schemes and show
how each of them compare with respect to their key and ciphertext sizes. We also
discuss threshold ABS schemes at length and introduce our interest in working in
this area.
In chapter 4, we present the details for a multi-level threshold CP-ABE scheme
and give our approach to solve the problem. We start by providing the exact model
of the access structure that we intend to facilitate and then give the algorithms
for encryption and decryption. We also illustrate our scheme with the help of an
example.
Chapter 5 looks at the security of some attribute-based signature schemes. We
take the particular case of the efficient threshold ABS scheme proposed by Li et
al. in [LAS+ 10] and show that an adversary can not only create forgeries but
also get a part of the secret component which can be used to impersonate the
key-generating authority. We also look at other ABS schemes which incorporate
a similar mechanism for key-generation and demonstrate the attacks in each of
them. We conclude the chapter with our observations on the vulnerabilities of
these schemes.
In chapter 6, we propose a new threshold ABS scheme based on the concept
of ring signatures. We explain how we imbibe the spirit of ring signatures to the
threshold ABS problem and then follow it with the construction of the scheme.
7
Then, we prove our scheme to be unforgeable in the random oracle model. We
also mention an interesting new property, controlled partial anonymity, that arises
out of our approach.
In chapter 7, we presents our conclusions and potential directions for future
work. We also summarize the problems we discuss and the solutions that this
thesis has to offer along with their relevance in the current computing world.
8
CHAPTER 2
Preliminaries
2.1 Bilinear Pairing

Let G1 , G2 , GT be multiplicative groups of prime order p. The elements g1 ∈ G1
and g2 ∈ G2 are generators of G1 and G2 respectively. A bilinear pairing is a map
e : G1 × G2 → GT with the following properties:
1. Bilinear: e(g1 a , g2 b ) = e(g1 , g2 )ab for all g1 ∈ G1 ,g2 ∈ G2 , where a, b ∈ Zp .
2. Non-degenerate: There exists g1 ∈ G1 and g2 ∈ G2 such that e(g1 , g2 ) 6= 1;

in other words, the map does not send all pairs in G1 × G2 to the identity
in GT .
3. Computability: There is an efficient algorithm to compute e(g1 , g2 ) for all

g1 ∈ G1 and g2 ∈ G2 .
2.2 Hardness Assumptions
2.2.1 Computational Diffie-Hellman Assumption
Let G be a cyclic multiplicative group and g be it’s generator. The computational

diffie-hellman(CDH) assumption holds in G if, given g, g a , g b ∈ G for unknown
a, b ∈ Z∗p , it is computationally infeasible to compute g ab .
We say that the (t, )-CDH assumption holds in G if no adversary running in
time less than t can solve the CDH problem with success probability greater than
, where is negligible.
2.2.2 Decisional Diffie-Hellman Assumption
Let G be a cyclic multiplicative group and g be it’s generator. Given two tuples
c0 = (g, g a , g b , g ab ) and c1 = (g, g a , g b , g c ) for random a, b, c ∈ Z∗p . The (t, )-
DDH assumption holds in G if there is no probabilistic polynomial-time adversary
whose probability of successfully distinguishing between the tuples c0 and c1 is
better than 21 + , where is negligible.
2.2.3 Computational Bilinear Diffie-Hellman Assumption.
Let e : G × G → GT be an efficiently computable bilinear map, where G has prime

order p. The computational bilinear diffie-hellman(CBDH) assumption is said to
hold in G if, given elements {P, aP, bP, cP }, then no probabilistic polynomial-time
adversary can compute e(P, P )abc with non-negligible advantage, where a, b, c ∈R
Z∗p and generator P ∈ G are chosen independently and uniformly at random.
2.2.4 Decisional Bilinear Diffie-Hellman Assumption

order p. The decisional bilinear diffie-hellman(DBDH) assumption is said to hold
in G if no probabilistic polynomial-time adversary is able to distinguish the tuples
c0 = (g, g a , g b , g c , e(g, g)abc ) and c1 = (g, g a , g b , g c , e(g, g)z ) with non-negligible
advantage, where a, b, c, z ∈R Z∗p and generator g ∈ G are chosen independently
and uniformly at random.
2.2.5 Decision Linear Assumption

order p with generator g. The decision-linear (DLIN) assumption holds in G if,
given the elements (g a , g b , g ra , g sb , g t ) ∈ G , for a random choice of a, b, r, s ∈ Zp ,
it is computationally infeasible to determine whether t = r + s or t is random in
Zp .
2.2.6 Bilinear Diffie-Hellman Exponent Assumption

i
order p with generator g. Let a, s ∈ Zp be chosen at random. Let gi denote g a .
The q-Bilinear diffie-hellman exponent(q-BDHE) assumption holds in G if, given
the following vector of 2q + 1 elements, y = (g, g1 , · · · , gq , gq+2 , · · · , g2q , g s ) (note
that the gq+1 is not in the list); it is infeasible for a polynomial time adversary to
q+1
compute e(g, g)a s .
2.2.7 Augmented Multi-sequence of Exponents Diffie Hell-

man Problem
We present this problem as defined by Herranz et al. [HLR10]. Let G1 , G2 , GT

be multiplicative groups of prime order p, and let e : G1 × G2 → GT be a non-
degenerate and efficiently computable bilinear map. Let g1 be a generator of G1
and g2 be a generator of G2 . Let ˜l, m̃, t̃ be three integers. The (˜l, m̃, t̃)-augmented
multi-sequence of exponents decisional Diffie-Hellman problem ((˜l, m̃, t̃)-aMSE-
DDH) related to the group triplet (G1 , G2 , GT ) is as follows:
10
Input: the vector →
−
x l̃+m̃ = (x1 , · · · , xl̃+m̃ ) whose components are pairwise dis-
tinct elements of (Z/pZ)∗ which define the polynomials
l̃
Y l̃+
Y m̃
f (x) = (X + xi ) and g(x) = (X + xi ) ,
i=1 i=l̃+1
the values
l̃+t̃−2 κ·γ·f (γ)
g1 , g1γ , · · · , g1γ , g1 (2.1)
l̃+t̃−2
g1ωγ , · · · , g1ωγ (2.2)
αγ l̃+t̃
g1α , g1αγ , · · · , g1 (2.3)
m̃−2 κ·g(γ)
g2 , g2γ , · · · , g2γ , g2 (2.4)
ωγ m̃−1
g2ω , g2ωγ , · · · , g2 (2.5)
αγ 2m̃−t̃+3
g2α , g2αγ , · · · , g2 (2.6)
where κ, α, γ, ω are unknown random elements of (Z/pZ)∗ , and finally an element

T ∈R GT (chosen uniformly at random).
Output: a bit b.
The problem is correctly solved if the output is b = 1 when T = e(g1 , g2 )κ·f (γ)
or if the output is b = 0 when T is a random value from GT . In other words, the
goal is to distinguish if T is a random value or if it is equal to e(g1 , g2 )κ·f (γ) .
The aMSE-DDH assumption holds if there is no probabilistic polynomial-
time adversary who can distinguish between a T chosen randomly from GT and
e(g1 , g2 )κ·f (γ) with non-negligible probability.
2.3 Secret Sharing
2.3.1 Linear secret sharing schemes
Attribute based cryptosystems make substantial use of LSSS (linear secret sharing
schemes) . We borrow the following definition from Waters’ work in [Wat08].
A secret-sharing scheme Π over a set of parties P is called linear (over Zp ) if
1. The shares for each party form a vector over Zp .
2. There exists a matrix M with l rows and n columns called the share-
generating matrix for Π. For all i = 1, · · · , l, the i’th row of M we let
the function ρ defined the party labeling row i as ρ(i). When we consider
the column vector v = (s, r2 , · · · , rn ), where s ∈ Zp is the secret to be shared,
and r2 , · · · , rn ∈ Zp are randomly chosen, then M v is the vector of l shares
of the secret s according to Π. The share (M v)i belongs to party ρ(i).
11
It is further shown that every linear secret sharing-scheme according to the
above definition also enjoys the linear reconstruction property, defined as follows:
Suppose that Π is an LSSS for the access structure A. Let S ∈ A be any authorized
set, and let I ⊂ {1, 2, · · · , l} be defined as I = {i : ρ(i) ∈ S}. Then, there exist
constants {ωPi ∈ Zp }i∈I such that, if {λi } are valid shares of any secret s according
to Π, then i∈I ωi λi = s. Furthermore, these constants {ωi } can be found in time
polynomial in the size of the share-generating matrix M .
2.3.2 Shamir’s secret sharing scheme
Shamir’s secret sharing scheme is a linear secret sharing scheme. Since this thesis
discusses threshold attribute-based cryptosystems and our ABE construction also
makes use of this idea, we make a brief presentation of this scheme here.
Shamir’s secret sharing is a form of secret sharing where a secret (S) is divided
into n parts and each part is given to one of the participants. The idea is that,
only if all (or t, as in the case of threshold) participants combine their shares
meaningfully will they be able to reconstruct the original secret. It is important
to note here that, if fewer than n (or t, as in the case of threshold) participants
co-operate they must not be able to retrieve the secret.
Let us look at the case where we want to use (t, n) threshold to share the secret
S. Without loss of generality we can assume S to be an element in a finite field
F. We know that it takes t points to define a polynomial of degree t − 1. Shamir’s
secret sharing uses this idea to give the shares. We can now look at the scheme
as an algorithm:
Algorithm 1 Shamir’s secret sharing

1: Choose t − 1 co-efficients a1 , · · · , at−1 ∈R F
2: Set a0 = S
3: Construct polynomial f (x) = a0 + a1 x + a2 x2 + · · · + at−1 xt−1
4: Sharing: Evaluate the polynomial at n points
5: Set each party’s share as (i, f (i))
6: Reconstruction: Get the share of t or more parties
7: Use Lagrange’s interpolation (Section[2.3.3]) to evaluate f (0) and get S.
We note here that, with fewer than t shares it is highly improbable to recon-
struct the original polynomial exactly. Hence, by combining the shares of less than
t parties, no one gets any clue on the secret S. But when t or more parties of the
n combine, then we are able to get S precisely.
2.3.3 Lagrange interpolation
Let q(x) be a d − 1 degree polynomial with each of it’s co-efficients as elements

of Zp . Then, given any set S of d points and the evaluation of the polynomial at
these points, q(a1 ), · · · , q(ad ); we can use Lagrange’s interpolation to compute q(i)
12
for any i ∈ Zp . We define the Lagrange coefficient ∆i,S of q(i) Q
in the computation
of q(j) for j ∈ Zp and a set, S, of elements in Zp as ∆i,S (j) = k∈S,k6=i j−k
i−k
. Thus,
X Y j−k
q(j) = q(i)∆i,S (j), where ∆i,S (j) =
i∈S k∈S,k6=i
i−k
2.4 Primitives for Attribute-based Encryption and

Signatures
2.4.1 CP-ABE scheme algorithms

• Setup. A randomized algorithm Setup(k) takes in as input a security
parameter and provides a set of public parameters (P K) and the master key
values (M K) .
• Encryption. The algorithm Enc(M, T , P K) is a randomized algorithm

that takes as input the message M to be encrypted, the access structure
T which needs to be satisfied and the public parameters P K to output
the ciphertext CT . We can say, that the encryption algorithm embeds the
access structure in the ciphertext such that only those users with attributes
satisfying T will be able to decrypt and retrieve the message M.
• Key-Generation. The KeyGen(M K, P K, A) algorithm takes as input

the master key values M K, the public parameters P K and the attribute set
A of the user, and outputs for the user a set of decryption keys SK which
confirms the users possession of all the attributes in A and no other external
attribute.
• Decryption. The decryption algorithm Dec(CT , SK, P K) takes as in-

put the ciphertext CT , the user secret keys SK and the public parameters
P K, and it outputs the encrypted message M, if and only if the attributes
A embedded in SK satisfy the access structure T which was used while
encrypting the ciphertext CT . i.e If T (A) = 1 then message M is output
else, it outputs ⊥.
2.4.2 ABS algorithms

• Setup. A randomized algorithm Setup(k) takes in as input a security
parameter and provides a set of public parameters params and the master
secret key values M K .
• Key-Generation. The algorithm Key-Gen( ω, M K, params) is a ran-

domized algorithm that takes as input ω which are the attributes of the
user, the master secret key M K and public parameters params. It gives as
output a set of secret keys D corresponding to the attributes of the user; D
would indicate that the user has all the attributes in the set ω. This phase
is sometimes also known as key-extraction phase.
13
• Sign. The Sign(m, Υ, D) algorithm takes as input the message m, the
signing policy or predicate Υ and the secret key of the signer D. It outputs
the signature σ on message m, which indicates that the signer has a set of
attributes that satisfy the predicate Υ.
• Verify. The verification algorithm Ver(σ, Υ, params, m) takes as input the

signature σ, the predicate Υ, the public parameters params and the message
m. And the verification test passes, if and only if the subset of attributes ω
of the signer embedded in σ satisfy the access structure Υ which was used
while signing. i.e If Υ(ω) = 1 then verification passes, else it outputs ⊥.
2.5 Waters’ signature

The ABS schemes we discuss in this thesis make extensive use of Waters’ signature
[Wat05] for generating keys in the key-extraction phase, for each of the user’s
attributes. Here, we will take a quick look at the signature scheme. The following
algorithms constitute the scheme:
• Setup(λ)
– Let G1 , G2 and GT be multiplicative groups of prime order p where
bilinear map function is efficient. And, e : G1 × G2 → GT
– n = |m|, length of the message
– Pick g ∈R G1 and g2 , u0 , u1 , u2 , · · · , un ∈R G2 .
– Set g1 = g α where α ∈R Z∗p
– Public parameters params are g, g1 , g2 , u0 , {ui }i∈{1,··· ,n}
– SK = α
• Sign(m, SK)
– Let m = m1 m2 · · · mn ∈ {0, 1}n and r ∈R Z∗p
Q mi r
n
α 0
– σ1 = g2 u ui
i=1
– σ2 = g r
• Verify(m, σ = (σ1 , σ2 ))
n
?
– Check e(g, σ1 ) = e(g1 , g2 ) · e(σ2 , u0 um
Q
i )
i
i=1
– Note here that inorder for the verification to pass it is necessary for g2α
to be in σ1 . That ensures the use of the secret key α.
14
Modification. The above scheme is proved secure in the standard model. A
modified simpler version of this is used in most of the ABS schemes where the
n
sign on the message, u0 uimi is replaced by a simple hash as H(m) and the rest
Q
i=1
of the procedure remains the same. This modified scheme is proven secure in the
random oracle model. We will look at the changes to the scheme and an intuition
towards the proof.
• Setup(λ) It remains the same except that a new hash function is defined
and the ui components are not chosen.
– A hash function H : {0, 1}∗ → G1
– Public parameters params are H and g, g1 = g α , g2 ∈ G
– SK = α
• Sign(m, SK)
– σ1 = g2α H(m)r
– σ2 = g r
• Verify(m, σ = (σ1 , σ2 ))
?
– Check e(g, σ1 ) = e(g1 , g2 ) · e(σ2 , H(m))
Proof Sketch. The proof for this is given in the random oracle model. The
security of this signature is reduced to solving the CDH problem. That is, given
the tuple g, A = g a and B = g b , we need to obtain g ab using an attacker who can
break the above signature scheme.
First we set α = a and g2 = g b , hence g1 = A and g2 = B. Now, inorder to
give the signature on a message m, we will set H(m) = g bxm where xm ∈R Z∗p and
then pick a random r and assume that there exists an r0 such that r0 = r − a/xm .
Then we give the signature as:
−1
σ1 = g rbxm σ2 = g r A xm
To see how this is the same as what a genuine signer would give:
0
σ1 = g2a H(m)r = g ab (g bxm )r−a/xm = g ab g rbxm −ab = g rbxm
0 −a −1
σ2 = g r = g r−a/xm = g r g xm = g r A xm
Now, we will see how it is possible for the challenger to solve CDH with the
components given by the forger. Note that, when a chosen message m∗ is given
for hashing, the challenger will out put as hash just g xm∗ . If the adversary asks
a signature on that message(m∗ ) then, the challenger will abort. But, if the
adversary gives a signature on the message m∗ :
∗ ∗
σ1 = g ab H(m∗ )r σ2 = g r
15
Then challenger does the following:
∗ ∗
σ1 g ab H(m∗ )r g ab g r xm∗
= ∗ = = g ab
(σ2 )xm∗ g r xm ∗ g r∗ xm∗
This allows the challenger to solve the CDH problem with the help of a forger
on this scheme.
2.6 Forking Lemma

We make use of the forking lemma to give the proof for unforgeability of the
threshold attribute based signature that we propose in Chapter(6). Here, we will
first present the conditions that are necessary for a ring signature to be consid-
ered generic and then define the forking lemma for generic ring signatures. The
definitions are borrowed from those given by Herranz et al. in [HS04].
Generic Ring Signature. We denote by H(·), a cryptographic hash function
that outputs k bits, where k is the security parameter. Consider a group of n
ring members. Now, given the input message m, a generic ring signature scheme
produces a tuple (m, R1 , · · · , Rn , h1 , · · · , hn , σ), where R1 , · · · , Rn (randomness)
take their values randomly in a large set G in such a way that Ri 6= Rj for all
i 6= j, hi is the hash value of (m, Ri ), for 1 ≤ i ≤ n, and the value σ is fully
determined by R1 , · · · , Rn , h1 , · · · , hn and the message m.
Another required condition is that no Ri can appear with probability greater
than 2/2k , where k is the security parameter. This condition can be achieved by
choosing the set G as large as necessary.
Forking lemma. The forking lemma for adaptive chosen message attacks with
respect to generic ring signature schemes, as given in [HS04] is as follows. Let
A be a probabilistic polynomial time Turing machine whose input only consists
of public data. We denote by qh and qs , the number of queries that A can ask
to the random oracle and to some real signers of the ring, respectively. Assume
that, within time bound T, A produces with non-negligible probability , a valid
ring signature (m, R1 , R2 , · · · , Rn , h1 , · · · hn , σ). Suppose, the valid ring signature
can be simulated with a polynomially indistinguishable distribution of probabil-
ity, without knowing any of the secret keys of the ring , within a time bound
of Ts . Then there exists another probabilistic polynomial time Turing machine
which can, by a replay of attacker A where the interactions with the signer are
simulated, produce two valid ring signatures (m, R1 , R2 , · · · , Rn , h1 , · · · hn , σ) and
(m, R1 , R2 , · · · , Rn , h01 , · · · h0n , σ 0 ) such that hj 6= h0j , for some j ∈ {1, · · · , n} and
hi = h0i for all i = 1, · · · , n such that i 6= j, within a bounded time and non-
negligible probability.
16
CHAPTER 3
Existing Threshold Attribute-based Cryptosystems
In this chapter we will briefly view the emergence of attribute based cryptosystems
and the problems they address. We will make a survey of existing literature
on attribute based encryption and signature schemes with particular focus on
those constructions that support threshold predicates. This chapter also pays
specific attention to cipher-text policy ABE schemes and motivates our study on
constructions that are efficient in terms of the ciphertext length. We will also
remark on some of the similarities in threshold ABS and ABE constructions here.
3.1 Inception of Attribute Based Encryption

The notion of attribute-based encryption was first introduced by Sahai and Wa-
ters [SW05] in their work titled Fuzzy Identity-based encryption. Here, they viewed
identities as a set of attributes and extended identity based encryption by making
it more fine-grained. Their construction allows attributes to be defined by arbi-
trary strings. In order to generate the keys for each identity and distribute it in
the attributes, their scheme uses the idea of Shamir’s secret sharing. The scheme
is proved secure in the selective-ID model by showing a reduction to the Decisional
Bilinear Diffie-Hellman assumption. They also pose the problem of whether at-
tributes can be certified by multiple authorities, i.e different attributes are given
by different authorities instead of one single attribute authority.
KP-ABE. The concept of ABE became more formal with the work of Goyal et
al. [GPSW06]. They established the first key-policy attribute-based encryption.
Although, their concept is reminiscent of secret sharing schemes, they were the
first to define the idea of collusion-resistance, where they disallow parties from co-
operating inorder to decrypt the ciphertext. They also use the tree-access structure
to represent the predicate policy that allows a user to decrypt the message. Their
scheme also highlights fine-grained access control that can be provided by ABE
schemes. They use the concepts of LSSS and monotone span programs to develop
the scheme. As in [SW05] their scheme is also proved secure by reduction to
DBDH in the selective-ID model. The authors suggest the applicability of their
scheme for encryption of audit logs and broadcast encryption. They leave the task
of creating a scheme that provides better anonymity as an open problem. i.e. An
encryption scheme that does not require one to reveal all the necessary attributes
required by the decryptor very precisely.
CP-ABE. CP-ABE which came up next addressed the issue of anonymity to

some extent and actually gave a different kind of expressibility to attribute-based
systems. The first ciphertext-policy ABE scheme was developed by Bethencourt
et al. [BSW07]. Their definition of tree-access structure and the secret sharing
concept was largely borrowed from [GPSW06]. However, CP-ABE was a more
intuitive representation of ABE. The scheme in [BSW07] also supported threshold
gates at every node of the tree. With CP-ABE, there was now better scope for
providing stronger anonymity to decryptors. Since only the access structure is
made public and the attributes that a user has is not required to be revealed to
others, it gives a greater sense of privacy to the decryptor. However, the major
drawback of this scheme is that, it is proved to be secure only in the generic group
heuristic and does not reduce to any of the known hardness assumptions. The
authors felt that a challenging line of work would be to come up with a provably
secure system (may be different from CP-ABE and KP-ABE) that could probably
have more elegant forms of expression.
CCA secure. This was soon followed by Cheung and Newport [CN07] propos-
ing a provably secure CP-ABE scheme. Inorder to give a secure scheme, they
considered only those access structures with AND gates. However, their scheme
added support for negated attributes, in the words of the authors, their construc-
tion was for access structures with AND gates on positive and negative attributes.
They were able to give the proof for chosen plaintext (CPA) security by reducing
it to the DBDH problem. Further, they use the Cannetti-Halevi-Katz technique to
convert their scheme to a chosen ciphertext (CCA) secure scheme. Their work also
shows possible directions to extend the idea for threshold ABE and construction
of hierarchical attributes.
Non-monotone. Soon after that, Ostrovsky et al. [OSW07] proposed a KP-

ABE scheme that could support non-monotone access structures. In the previous
schemes, if an encryptor wanted to specify the negation of an attribute in the pred-
icate then (s)he had to have both the attribute and it’s negation for all attributes
in the universal set. However, Ostrovsky et al’s scheme gave a more elegant con-
struction to overcome that problem. They were able to give more expressiveness
to their predicates by employing revocation methods in their ABE scheme. They
also give a sketch of how to obtain the same property in a CP-ABE construction.
The authors prove their scheme to be secure by reducing it to the DBDH problem.
They also give a lead on how the idea can be used to realize any access formula.
Recipient-anonymous. The open problem of designing a more privacy-friendly

ABE, which was posed by [GPSW06] was answered by Nishide et al. [NYO09].
They presented ABE schemes that partially hid the access structures. This was,
in a sense, the first attempt to give privacy not only to the decryptor but also to
the predicate which is used in creating the ciphertext. Since it was the first step
towards recipient anonymity their scheme employed only the AND gate access
structure. The schemes are proved to be secure using the DBDH and DLIN
assumptions. They also discuss on how attributes can be added to the universe
(which is usually fixed during the setup phase) after secret keys are generated.
18
3.2 CP-ABE Schemes with Efficient Ciphertext-
Size
With attribute-based schemes gaining significance and relevance in various modern
decentralized environments, the foremost challenge was to make it more efficient
inorder to reduce the communication costs. This instigated the research commu-
nity to now focus on schemes that were more size-conserving. Almost all the initial
schemes had the number of keys and ciphertext components proportional to the
number of attributes. In most of the practical large-scale applications where the
universe of attributes can be numerous, the previous ABE schemes would result
in a huge set of keys for each user and an immensely lengthy ciphertext. It is at
this time that efficient ciphertext size CP-ABE schemes gained importance.
Efficient. The pioneering steps towards efficient CP-ABE was taken up by Wa-
ters in [Wat08]. The scheme proposed in that work was more efficient than all
previous schemes both in terms of the size of the components (key and cipher-
text) and also in the running time. Waters gave the construction of a CP-ABE
scheme that made use of LSSS to express access control and it was proved secure
in the standard model. In the same paper, the author provides two additional
constructions, which make a small compromise with respect to performance but
are proved secure in the decisional bilinear Diffie-Hellman exponent assumption
and the DBDH assumption. To see the improvement that their scheme offered
empirically, let us denote the number of attributes in the universe as nU , number
of attributes possessed by the user(recipient) as nr and that used by the sender
in encryption of the access structure as ns . Then, Waters’ scheme gives nU + nr
secret key components and nU × nS ciphertext components. In comparison with
the other schemes this reduced the number of components by atleast half.
Constant-size AND. Taking efficiency as the new challenge, Emura et al.

[EMN+ 09] gave the first CP-ABE scheme with constant size ciphertext. Their
construction uses the idea of summing up the master keys inorder to get a con-
stant size ciphertext and hence, their scheme supported only AND-gate predicate
structures. However, their scheme allowed multi-valued attributes as part of the
universe set of attributes. Their work was proved secure by reduction to the
DBDH assumption. Although this scheme had large number of public and master
secret key components, which was comparable to previous schemes like [NYO09],
the number of user secret key components are just two and the ciphertext compo-
nents are just three! In effect, their work was a tremendous improvement in terms
of ciphertext size, secret key size as well as the running time of the encryption and
decryption algorithms. More importantly it was the first time that there was an
ABE construction with a ciphertext size that was independent of the number of
attributes.
Constant-size non-monotone. Building on that, Zhou and Huang [ZH10] pro-

posed another constant-size CP-ABE scheme. Their scheme also supported multi-
19
valued attributes with wildcards. In addition to that, they were also able to
incorporate non-monotone access structures and have both positive and negative
attributes in their construction. However, as with [EMN+ 09], they could only
account for AND gates in the predicate. The primary focus of their scheme was
to enable attribute-based broadcast encryption, and they modified their construc-
tion to also create a scheme for broadcast encryption. The secret key size in their
scheme is proportional to the number of attributes involved, but the ciphertext
components is limited to three, excluding the access structure that is also passed to
the receiver. Their scheme was proved secure by reducing to the q-BDHE assump-
tion. They also show that their broadcast encryption scheme reduces the storage
overhead to a value proportional to the number of users and is independent of the
number of attributes.
Constant-size threshold. In the mean while, the task of coming up with a

constant-size CP-ABE scheme which supported more complex access structures
(other than AND gates) was accomplished by Herranz et al. [HLR10]. They
proposed an elegant constant size ciphertext CP-ABE that supported threshold
access policies. Since it was a threshold scheme it could also be used to represent
AND and OR gates as well. The work in [HLR10] makes use of a novel aggregate
function proposed originally by Delerablée and Pointcheval [DP08]. The aggregate
function acts similar to summing of the keys as in Emura et al.’s work [EMN+ 09].
When it comes to comparing the size-efficiency, like in [ZH10], the size of the
secret key is proportional to the number of attributes but the ciphertext consists
of just 3 components. Their scheme was proved secure by reducing it to the a-
MSE-DDH (augmented multi-sequence of exponents diffie-hellman) assumption.
One shortcoming of this scheme is that, it supports only a single threshold gate
and there does not seem to be an easy way to extend it to incorporate multi-level
threshold access structures.
Comparison. Here is a table comparing the key and ciphertext sizes in the
papers discussed. This is a modified extension to the table given in [EMN+ 09].
Paper PK SK Ciphertext
[SW05] n|G1 | + |GT | nu |G1 | nT |G1 | + |GT |
[GPSW06] n|G1 | + |GT | nu |G1 | nT |G1 | + |GT |
[CN07] (3n + 1)|G1 | + |GT | (2n + 1)|G1 | (n + 1)|G1 | + |GT |
[BSW07] 3|G1 | + |GT | (2n + 1)|G1 | (2nu + 1)|G1 | + |GT |
[NYO09] (2N 0 + 1)|G1 | + |GT | (3n + 1)|G1 | (2N 0 + 1)|G1 | + |GT |
[Wat08] 2|G1 | + |GT | (1 + n + nu )|G1 | (1 + nT n)|G1 | + |GT |
[EMN+ 09] (2N 0 + 3)|G1 | + |GT | 2|G1 | 2|G1 | + |GT |
[ZH10] (6n + 1)|G1 | (3nu + 1)|G1 | 2|G1 | + |GT |
(n − 1)|Zp | + |GT | +
[HLR10] (n + nu )|G1 | 1|G1 | + 1|G2 | + 1|GT |
(2n + 1)|G1 |
Table 3.1: Comparison of PK, SK and ciphertext sizes
20
Here n denotes the total number of attributes in the universe set. nu de-
notes the attributes possessed
Pn by the user; nT denote the attributes in the access-
0
structure and N = i=1 ni which is the possible subsets of attributes. And
G1 , G2 , and GT is a triple of groups on which the bilinear map is efficiently com-
putable.
Our work. In our work, we try to extend the work of Herranz et al. [HLR10] and
combine it with [BSW07] to support better access policies. The first part of this
thesis will look at a CP-ABE scheme that can support multi-level threshold access
structures. Although, the scheme does not result in a constant sized ciphertext, it
will look at generating a ciphertext whose length is independent of the number of
attributes involved. Infact it is dependent on the size of the predicate and more
precisely, the number of leaf nodes in the tree-structure of the access policy.
3.3 Development of Attribute Based Signatures

The work on attribute based signature schemes began only after ABE schemes
became more prominent. Attribute based signatures, like the encryption schemes,
have a natural property of anonymity which can enhance some authorization appli-
cations. Initial ABS schemes were largely motivated by the constructions in ABE
schemes and in particular were influenced by the CP-ABE schemes of [GPSW06]
and [GJPS08] due to their support for a wide range of access policies.
ABGS. ABS was introduced into group signatures by Khader [Kha07b]. In

their work on attribute based group signatures, they built their scheme on the
tree structure defined in Goyal et al. [GPSW06]. They extended the concept
of identity-based group signatures to an attribute based signature in order to
associate additional credentials to a signer (member of the group) and at the
same time prevent collusion among group members. They base their construction
on the concepts of secret sharing and linear encryption. They prove their scheme
to be CPA-secure in the random-oracle model with the help of the q-strong Diffie-
Hellman assumption, the DLIN assumption and the forking lemma. In a second
work [Kha07a] by the same authors, they extended their first scheme to include the
idea of revoking attributes. They base their revocation capability on the paper by
Boneh and Sacham [BS04]. However, the security of this extended paper is similar
to their first attribute based group signature paper.
Formalization of ABS. Although Khader [Kha07b] gave the notion of at-

tribute based signatures, the first formal definition of ABS was given by Maji et
al. [MPR08]. They also defined the properties of strong unforgeability and strong
privacy(to the signer) that an attribute-based signature must provide. Their con-
struction uses monotone span programs (MSP) to represent access policies. Their
scheme also discusses the feature of unlinkability, where, given multiple signa-
tures by the same signer, they cannot be identified as being signed by the same
21
party. The authors further provide a second scheme inorder to account for mul-
tiple attribute authorities (multi-authority). The security of their schemes rely
on the generic group model. The authors further propose applicability of ABS
in attribute based messaging, attribute-based authentication and as a stronger
variation of mesh signatures.
Attiribute-based ring signature. With the anonymity features of attribute-

based signatures becoming more prominent, it seemed natural to incorporate it
in ring signatures. Ring signature schemes, introduced by Rivest et al. [RST01]
essentially give the signer a means to remain hidden (anonymous) amongst a set
of n users who form the ring. To create a ring signature, it is sufficient for one to
have the secret key of a single member (usually the signer himself) of the ring and
have public keys of the others. With ABS, the signer’s identity remains hidden
and only the attributes possessed by the signer can be guessed based on the signing
policy. The first attribute-based ring signature scheme was proposed by Li and
Kim [LK08]. Their scheme uses the idea of Shamir’s secret sharing to share the
secret in the keys of the signer’s attributes. Only those signers with the right
combination of attributes can successfully sign a message to pass the verification
for a given predicate. The authors give two schemes in their paper, one whose
security is shown in the random oracle model and the other is proved without
random oracles. Both schemes are shown to be secure by reduction to the CDH
problem.
Without anonymity revocation. Extending the property of anonymity in

the ring signature, is the work on hidden ABS without anonymity revocation
by [LK10]. Like many of the attribute-based primitives, this is also based on a
problem in the identity-based setting called hidden identity-based signatures. In
schemes with anonymity revocation, although the construction by itself provides
anonymity, there is a trapdoor which some designated authority can use inorder
to reveal the exact identity of the signer. This might be necessary in some appli-
cations. Here, however, the scheme composed by Li and Kim ensures that such
a revocation is not possible by any authority. This scheme actually borrows this
property directly from the ring signature scheme in [LK08].
3.4 Threshold Attribute-Based Signatures

(k, n)-threshold. Our interest in threshold ABS (t-ABS) schemes is motivated
by the similarities in threshold ABE and ABS constructions. The initial thresh-
old ABS scheme was defined and formalized by Shahandashti and Safavi-Naini
[SSN09]. However it is interesting to note that the ring signature scheme by Li
and Kim [LK08] can be considered as an (n, n) threshold ABS scheme since the
signer needs to have all the attributes of the predicate to be a part of the ring. But
Li and Kim [LK08] do not explicitly make a mention of threshold ABS in their
work. The work by Shahandashti and Safavi-Naini [SSN09] is the first to formalize
22
the notion of t-ABS. They propose two threshold-ABS schemes which can sup-
port any (k, n) threshold gate. Their constructions use Shamir’s secret sharing
concept to distribute the secret in the attributes and use Lagrange’s interpolation
technique to retrieve the secret component. Their key generation (which makes
use of Waters’ signature) and verification are similar to that in [LK08]. However,
their second scheme which is a modified version of their first basic scheme makes
use of zero-knowledge proof-of-knowledge and commitment schemes to make it ex-
istentially unforgeable. Their basic scheme is only selectively unforgeable. The
security of both their schemes is shown in the standard model by reduction to the
CDH problem. Further, the authors show how t-ABS can be extended and can
be used to obtain a threshold attribute-based anonymous credential system. Here
again, as with threshold ABE schemes, Shahandashti and Safavi-Naini’s scheme
supports only a single threshold gate and cannot be used with complex access
control policies. Hence, it provided good scope for someone to come up with a less
restrictive and a more expressive threshold scheme. Also, with the establishment
of the t-ABS framework, the task of coming up with a scheme that can be proved
to have tight existential unforgeability was still open.
Efficient threshold. Instigated by the new concept of threshold in ABS schemes

Li et al. [LAS+ 10] extended the work of [LK08] and [SSN09] to come up with an
efficient (k, n) t-ABS scheme. They propose three schemes in their paper. The first
two are for efficient t-ABS and the third extends their idea in t-ABS to address the
case where there can be multiple attribute authorities. Their schemes again make
use of the secret sharing concept. The efficiency they gain is by reducing the sizes
in both the key and signature elements. Their signature technique integrates the
attributes to give a component that can be used to sign the document in a single
step instead of separately signing with each individual attribute as in [SSN09].
They show their scheme to be selectively unforgeable by reduction to the CDH
problem. The first scheme that they proffer is proved secure with the help of
random oracles, their other scheme is proved in the standard model. The proof
for their multi-authority ABS also makes use of random oracles. The authors also
propose new directions to use ABS for access control with non-transferability.
Multi-level threshold. Next came the work of Kumar et al. [KABPR10] which
gave an ABS scheme for bounded multi-level threshold access structures. The
definition of their bounded tree structure is based upon the work by Goyal et al.
[GJPS08]. To support multiple-levels of threshold nodes, the authors extend the
secret sharing scheme to each node of the bounded-tree. This enables them to
keep the final secret at the root of the tree, and hence only those users whose
attributes satisfy the access tree will be able to travel all the way up to the root
to get the portion of the secret component that is required for the signature to
pass the verification. The key-generation for the construction here is a slightly
modified version of the one in [LAS+ 10]. Kumar et al. first present a scheme
that is proven secure in the random oracle model. They modify the first scheme
by defining the hash functions explicitly to give another scheme which is proved
secure in the standard model. The schemes are shown to be secure by reduction
23
to the CDH problem.
ABS general framework. More recently, Maji et al. [MPR10] give a general
framework for constructing ABS schemes. Their scheme uses monotone span pro-
grams to incorporate the access structure and also make use of non-interactive
witness indistinguishability (NIWI) to add to the anonymity of the signer. The
authors also introduce a new generic primitive called credential bundle which is
used in the key generating phase to bundle the attributes of the signer; this helps
in making their scheme collusion resistant. The given framework allows the users
to choose a zero-knowledge proof system as the NIWI component and also select
a signature scheme to provide the credential bundle. Furthermore, the authors
have shown three instantiations of their scheme a) one using non-interactive zero-
knowledge (NIZK) proof of Groth and Sahai [GS08] for the NIWI component and
Boneh-Boyen’s digital signature scheme to construct the credential bundle. b) the
second uses Waters’ signature for the credential bundle, this, unlike Boneh-Boyen’s
signature, prevents the signer from committing to some of the credential bundle
components in a bit-wise fashion. c) their third scheme uses the credential bundle
from the second scheme however, they use their own randomization to generate
the keys instead of using NIZK proofs.
The authors also mention some applications for ABS which are the same as the
ones in their earlier work in [MPR08] (which we have discussed in the previous
section).
Our work. In this thesis we discuss some of the security issues in the schemes
given in [LAS+ 10, LK08, SSN09, KABPR10, LK10] that employ the secret sharing
scheme to generate the keys. We give a detailed view of how the flaws in these
schemes can be used by an attacker to create forgeries; and we also present our ob-
servations on the short-comings of the existing key-generation techniques employed
by these schemes. We further provide a new approach towards threshold-ABS in-
spired by ring signatures. We also provide a provably secure t-ABS construction
using the approach.
24
CHAPTER 4
Efficient Multi-level Threshold CP-ABE
In this chapter we present our approach for an efficient ciphertext-size, multi-level

threshold CP-ABE. An efficient multi-level threshold ciphertext policy attribute-
based encryption scheme is one where, the sender can encrypt a message using an
access structure that may be complex and have multiple threshold nodes (refer
to figure[4.1]); but the encryption algorithm should output a ciphertext whose
number of components are significantly smaller than the total number of attributes
involved. We have seen in section[3.2] that Herranz et al.[HLR10] have presented
an elegant constant-size ciphertext scheme that appears to be a suitable model for
such a task. However, like we have remarked earlier, their method does not seem
to have the capacity to extend and include multiple threshold gates. We have also
observed that, secret sharing is an important concept that can allow us to expand
a threshold gate to multiple levels. We also notice that the access trees as defined
in [GPSW06] and [GJPS08] allow threshold gates at each of the internal nodes
and by default support multiple-levels. Thus, our scheme proposes to combine all
these aspects inorder to arrive at a size-efficient multi-level threshold CP-ABE.
k-of-n
k’-of-n’ k"-of-n"
k‘-of-n‘ k*-of-n*
Figure 4.1: Multi-level threshold tree.
In this chapter we present the construction of our CP-ABE scheme. We will

start by giving the model of our access tree and attributes and then move on to the
description of the ciphertext and the secret keys. We will then show the algorithm
for decryption and verify its correctness. Then, we proceed to demonstrate our
scheme with the help of a simple example.
4.1 Model
We denote the universe set of attributes by P. Let m be the cardinality of P. A
party who wishes to encrypt a message will specify the access control predicate
through an access tree structure, which we denote by T . Any party who wishes to
decrypt the ciphertext must be able to satisfy the access tree inorder to retrieve
the message.
The tree model we follow is similar to that described in [BSW07]. We treat
each individual non-leaf node of the tree to be a threshold gate. Note that this
representation of the access policy is very expressive since an AND gate can be
represented as an n-out-of-n threshold gate and an OR can be represented with
1-out-of-n threshold gate.
Access Tree T . The tree representing the access structure is denoted by T . Let
sx denote the number of children that each node x has. We will use kx to denote
the threshold value that needs to be satisfied at node x. And by par(x) we denote
the parent of the node x. The access tree T also defines an ordering between the
children of every node, that is, the children of a node are numbered from 1 to sx .
The function index(x) returns such a number associated with the node x, where
the index values are uniquely assigned to nodes in the access structure for a given
key in an arbitrary manner. An important point to note is that, all the attributes
of the access policy form the leaves of the access tree. We will use the notation ψT
to denote the set of last level of non-leaf nodes (i.e. those nodes whose children
are all attributes/leaves).
Satisfying the tree. Let r denote the root node of the tree. Tx denotes the
subtree at the node x. Essentially Tr is equivalent to T . If a set of attributes
A satisfy the subtree Tx then we will denote it as Tx (A) = 1. At each node x,
Tx (Ax ) = 1 if and only if atleast kx (threshold of node x) of the children node
return 1 from their subtree. By this recursive definition, if the attribute set satisfies
the entire tree then T (A) = 1.
4.2 Definitions
Definition 1: [Lagrange Co-efficient]

We recall the definition of Lagrange coefficient: ∆i,S for i ∈ Z∗p and a set, S, of
elements in Z∗p : ∆i,S (x) = j∈S,j6=i x−j
Q
i−j
. ♦
Definition 2: [Aggregate Function] Aggregate function (as defined originally in

[DP08]) does:
r Qn r
Aggregate({g γ+xi , xi }1≤i≤n ) = g i=1 (γ+xi )
in O(n2 ) exponentiations. ♦
26
4.3 Construction
4.3.1 Setup
The setup algorithm chooses bilinear group triple (G1 , G2 , GT ) of prime order p
and a bilinear map e : G1 × G2 → GT . The algorithm also picks generators g of
G1 and h of G2 . Then it chooses 3 random exponents α, β, γ in Z∗p . It then sets
u = g αγ and v = e(g α , h).
After that it chooses a suitable encoding τ sending each of the m attributes
at ∈ P onto a (different) element τ (at) = x ∈ Z∗p . It then chooses a set of m − 1
dummy attributes D = {d1 , · · · , dm−1 }. By the notation Di for i < m − 1, we will
denote the set of the dummy attributes from d1 to di .
i
PK (public parameters): { P, u, v, hβ , {hαγ }i=0,··· ,2m−1 , D, τ }
MK (master secret key): { α, β, γ, g, h }
4.3.2 Key Generation
KeyGen(PK, A, MK)
Given a set of attributes A ⊂ P, the central authority picks an r ∈ Z∗p at random
and computes the secret key for the user as follows:
n r α(1−r)
o
rγ i
SKA = {g γ+τ (at) }at∈A , {h }i=0,··· ,m−2 , g β
4.3.3 Encryption
Enc(PK, T , M)
For every non-leaf node x of the access tree T , we choose a polynomial qx . We,
proceed in a top down manner in selecting the polynomials, starting from the root
R. For a node x we set the degree of the node dx = kx − 1, one less than the
threshold value that needs to be satisfied at the gate at that node.
Now, beginning at the root, we choose a random s ∈R Z∗p and set qr (0) = s.
Then choose dr other points of the polynomial qr to define it completely. For all
other non-leaf nodes x, we set qx (0) = qparent(x) index(x) and choose dx other
points to completely define qx .
For the last level of non-leaf nodes, x ∈ ψT , we compute the following two
values:
Cx1 = u−qx (0)

Q Q
qx (0).α at∈Sx (γ+τ (at)) d∈Dm+kx −1−sx (γ+d)
Cx2 = h
27
The ciphertext is given by:
CT = { C̃ = M · e(g, h)αs , C0 = hβs , {Cx1 , Cx2 }∀x∈ψT , T }
4.3.4 Decryption
Dec(CT, SK, PK)

Let A denote the user’s attribute set and Sx denote the set of attributes involved
at each non-leaf node x ∈ ψT . Let ASx = A ∩ Sx . Any decryptor whose attributes
satisfy the access tree can decrypt the message as follows:
For last level non-leaf nodes, x ∈ ψT do the following:
1. Compute Aggregate[HLR10]:
n o r
r Q
at∈AS (γ+τ (at))
Aggregate g γ+τ (at) , τ (at) =g x
at∈ASx
2. Lx = e(Aggregate, Cx2 )
Y Y
r·qx (0)·α· (γ + τ (at)) (γ + d)
at∈Sx \ASx d∈Dm+kx −1−sx
Lx = e(g, h)
3. Define P(ASx ,Sx ) (γ) to be equal to

 
Y Y
1
γ
 (γ + τ (at)) − τ (at)
at∈(Sx ∪Dm+kx −1−sx )\ASx at∈(Sx ∪Dm+kx −1−sx )\ASx
4. Compute
e(Cx1 , hrP(ASx ,Sx ) (γ) ) 1

Lx = e(g, h)qx (0).r.α.Πat∈(Sx ∪Dm+kx −1−sx )\ASx τ (at)
Q
5. Now, raise the above value to the exponent 1/ at∈(Sx ∪Dm+kx −1−sx )\ASx τ (at)
to get e(g, h)α·r·qx (0) . We denote this by Fx .
6. For the other nodes we consider the recursive case of moving up the tree.
For all nodes z which are children of a higher level non-leaf node x, let Fz
denote the decryption upto that node. Then, for each x we chose a set Sx
consisting of kx child nodes z for whom Fz 6= ⊥. If no such set exists then
Fx = ⊥ else,
1 rP(ASx ,Sx ) (γ)
h can be computed from the components given in the secret key.
28
Y ∆i,Śx (0)
Fx = Fz , where i = index(z) and Śx = {index(z) : z ∈ Sx }
z∈Sx
Y ∆i,Śx (0)
= e(g, h)α·r·qz (0)
z∈Sx
Y ∆i,Śx (0)
= e(g, h)α·r·qparent(z) (index(z)) , (by construction)
z∈Sx
Y
= e(g, h)α·r·qx (i)∆i,Śx (0)
z∈Sx
= e(g, h)α·r·qx (0) , (polynomial interpolation)
Hence, we eventually get e(g, h)α·r·qx (0) which is nothing but e(g, h)αrs .
7. When then do the last few steps to un-blind the message. We compute,
α(1−r)
e(g β , hβs ) = e(g, h)αs−αrs
This is multiplied with e(g, h)αrs which we obtained in our previous step.
This finally gives us e(g, h)αs which is the blinding factor. We divide C̃ by
this to retrieve the message M.
C̃ M · e(g, h)αs
α(1−r)
= =M
e(g β , hβs ) · e(g, h)αrs e(g, h)αs−αrs · e(g, h)αrs
4.4 Example
We will analyze the scheme with the help of an example. Let’s consider a situation
where we have a top secret defence document. Say, the document can be accessed
only by a personnel who is a general in the army AND has experience in 2 out
of 4 operations, namely, Op-X, Op-Y, Op-Z and Op-Star. We re-write the access
policy as follows:
^
(General ∧ Army) (2-out-of { Op-X, Op-Y, Op-Z, Op-Star })
We can represent the access policy as a tree structure as in the figure below:
Let’s now look at an example where some personnel have the access rights and
others whose attributes are insufficient to satisfy the predicate.
Let’s take the case where we have 4 people each with a different attribute set.
In the figure[4.3], we illustrate the case where two people have attributes that
satisfy the access policy and two others who don’t. We will show the various
phases of the encryption scheme for the person who is a general in the army with
experience in operations Op-Y and Op-Z as in the figure.
29
AND
AND 2-of-4
General Army Op-X Op-Y Op-Z Op-Star
Figure 4.2: Access tree structure for a multi-level predicate.
4.4.1 Setup
The setup algorithm chooses bilinear group triple (G1 , G2 , GT ) of prime order p
and a bilinear map e : G1 × G2 → GT . The algorithm also picks generators g of
G1 and h of G2 . Then it chooses 3 random exponents α, β, γ in Z∗p . It then sets
u = g αγ and v = e(g α , h).
Let the universe of attributes be P ={Army (A), Captain (C), General (G),
Op-X (X), Op-Y (Y), Op-Z (Z), Op-Star (S) }. So, m = 7. The dummy attributes
are m − 1 in number, so we have D = {d1 , · · · , d6 }. Now, for simplicity we’ll say
that A,C,G,X,Y,Z,S and the di s are all values in Z∗p and the function τ when
applied on these attributes give the same value.
i
PK (public parameters): { P, u, v, hβ , {hαγ }i=0,··· ,13 , D, τ }
MK (master secret key): { α, β, γ, g, h }
4.4.2 Generating the keys
KeyGen(PK, A, MK)
We will generate the keys for the person with attributes A ={Army, General,
Op-Y, Op-Z}. Here, A ⊂ P, the central authority picks an r ∈ Z∗p at random and
computes the secret key for the user as follows:
n r r r r α(1−r)
o
rγ i
SKA = {g γ+A , g , g , g } , {h }i=0,··· ,5 , g
γ+G γ+Y γ+Z β
30
Figure 4.3: Examples of access tree satisfaction.
4.4.3 Encrypting a message
Enc(PK, T , M)
For every non-leaf node x of the access tree T , we choose a polynomial qx . We,
proceed in a top down manner in selecting the polynomials, starting from the root
R. For a node x we set the degree of the node dx = kx − 1, one less than the
threshold value that needs to be satisfied at the gate at that node.
Now, beginning at the root, we choose a random s ∈R Z∗p and set qr (0) = s.
Then choose dr other points of the polynomial qr to define it completely. For all
other non-leaf nodes x, we set qx (0) = qparent(x) index(x) and choose dx other
points to completely define qx .
Following the procedure, we get the following tree:
For the last level of non-leaf nodes, x ∈ ψT , we compute the following values.
For node 1:
C11 = u−(s+10)
C12 = h(s+10).α.(γ+A)(γ+G)(γ+d1 )(γ+d2 )(γ+d3 )(γ+d4 )(γ+d5 )(γ+d6 )
For the second node:
C21 = u−(s+20)
C22 = h(s+20).α.(γ+X)(γ+Y )(γ+Z)(γ+S)(γ+d1 )(γ+d2 )(γ+d3 )(γ+d4 )
The ciphertext is given by:
CT = { C̃ = M · e(g, h)αs , C0 = hβs , {C11 , C12 , C21 , C22 }}
31
Figure 4.4: Encryption - Generating shares using the Shamir’s secret sharing idea
4.4.4 Decrypting the ciphertext
Dec(CT, SK, PK)

We’ll show the decryption for the case of the given secret key components. We
first do the computations for the last level non-leaf nodes, x ∈ ψT .
For node 1:
n r r
o r
1. Compute Aggregate: Aggregate g (γ+G) , g (γ+A) , τ (A), τ (G) = g (γ+G)(γ+A)
2. L1 = e(Aggregate, C12 )
L1 = e(g, h)r·(s+10)·α·(γ+d1 )(γ+d2 )(γ+d3 )(γ+d4 )(γ+d5 )(γ+d6 )
3. Define P(AS1 ,S1 ) (γ) to be equal to:
1
((γ + d1 )(γ + d2 )(γ + d3 )(γ + d4 )(γ + d5 )(γ + d6 ) − (d1 d2 d3 d4 d5 d6 ))
γ
rP(AS (γ)
4. e(C11 , h x ,Sx ) ) equals
e(g, h)(s+10).r.α.((γ+d1 )(γ+d2 )(γ+d3 )(γ+d4 )(γ+d5 )(γ+d6 )−(d1 d2 d3 d4 d5 d6 ))
5. Multiplying the above with L1 , we get, e(g, h)(s+10).r.α.(d1 d2 d3 d4 d5 d6 )

1/(d1 d2 d3 d4 d5 d6 )
rP(AS ,Sx ) (γ)
6. Now, F1 = e(C11 , h x ) · L1 = e(g, h)α·r·(s+10) .
For node 2:
n r r
o r
1. Aggregate: g (γ+Y ) , g (γ+Z) , τ (at)at={Y,Z} = g (γ+Y )(γ+Z)
32
2. L2 = e(Aggregate, C22 )
L2 = e(g, h)r·(s+20)·α·(γ+X)(γ+S)(γ+d1 )(γ+d2 )(γ+d3 )(γ+d4 )
3. Define P(AS2 ,S2 ) (γ) to be equal to
1
((γ + X)(γ + S)(γ + d1 )(γ + d2 )(γ + d3 )(γ + d4 ) − (XSd1 d2 d3 d4 ))
γ
rP(AS (γ)
4. e(C21 , h x ,Sx ) ) equals
e(g, h)(s+20).r.α.((γ+X)(γ+S)(γ+d1 )(γ+d2 )(γ+d3 )(γ+d4 )−(XSd1 d2 d3 d4 ))
5. Multiplying the above with L2 , we get, e(g, h)(s+20).r.α.(XSd1 d2 d3 d4 )

1/(XSd1 d2 d3 d4 )
rP (γ)
6. Now, F1 = e(C21 , h (ASx ,Sx ) ) · L2 = e(g, h)α·r·(s+20) .
Now, we move to the next higher level of non-leaf nodes. Here, we remain with
just the root. For all nodes z which are children of a higher level non-leaf node x,
let Fz denote the decryption upto that node. So, for the root we consider F1 and
F2 .
Y ∆i,Śx (0)
Fx = Fz , where i = index(z) and Śx = {1, 2}
z∈Sx
∆1,Ś (0) ∆2,Ś (0)
= F1 1
· F2 2
∆1,Ś (0) ∆2,Ś (0)

= e(g, h)α·r·(s+10) 1
e(g, h)α·r·(s+20) 2
2 −1
= e(g, h)α·r·(s+10) e(g, h)α·r·(s+20)
= (e(g, h))(2α·r·(s+10))−(α·r·(s+20))
= e(g, h)α·r·s
Now, we can unblind the message from C̃ = M · e(g, h)αs as follows:

α(1−r)
1. e(g β , hβs ) = e(g, h)αs−αrs
2. Multiply the above with e(g, h)αrs to get e(g, h)αs .
3. C̃/e(g, h)αs = M
Conclusion. This example show that the scheme is correct, however we still
need to establish its security. Although the scheme appears to be reliable and
robust we need to formally prove it to be secure under some hard cryptographic
assumption. The secret key and public key components used in the scheme point
33
us to the Augmented Multi-sequence of Exponents Diffie-Hellman Problem (aMSE-
DDH)[HLR10] as a potential hardness assumption. But, based on the fact that our
scheme provides extension of the threshold gate to multiple levels as in [BSW07],
we believe that the scheme can only be proved secure in the generic group model.
34
CHAPTER 5
On The Security of Attribute Based Signatures
In this chapter we present our observations on the security of some attribute-based

signature schemes. We first take a detailed look at the ABS scheme in [LAS+ 10].
Then we show that the scheme does not ensure the threshold property and is also
universally forgeable by formulating attacks on it. Further, we illustrate with an
example that the scheme can be broken in a manner where an adversary can obtain
a secret component (not actually the secret key) with which she can generate valid
secret keys for any signer. Subsequently, we present the attacks on various related
schemes having the same or similar key construction algorithm. This body of work
also comprises of the forgeries on the attribute based ring signature scheme by Li
and Kim [LK08]; a total break on the threshold ABS scheme by Shahandashti and
Safavi-Naini [SSN09]; universal forgery on the multi-authority ABS scheme by Li
et al. [LAS+ 10]; a total break on multi-level threshold ABS scheme by Kumar et
al. [KABPR10] and finally a total break on the hidden attribute-based signatures
without anonymity revocation proposed by Li and Kim [LK10].
5.1 Efficient Threshold ABS Scheme

In this section we present the construction of the efficient threshold ABS scheme
by Li et al [LAS+ 10]. Let us briefly recall some definitions before going to the
construction.
5.1.1 Definitions
Bilinear Pairing Recall the definition of bilinear pairing defined in Section(2.1).

Lagrange Co-efficient Recall the definition from Section(2.3.3)
5.1.2 Setup
Setup(d)→(params, msk).
First, define the attributes in universe U as elements in Zp . A d − 1 default
attribute set from Zp is given as Ω = {Ω1 , Ω2 , · · · , Ωd−1 }. Select a random gener-
ator g ∈ G1 , a random x ∈ Zp , and set g1 = g x . Next, pick a random element
g2 ∈ G1 and compute Z = e(g1 , g2 ). Two hash functions are also chosen such that
H1 , H2 : {0, 1}∗ → G1 . The public parameters is params and the master secret
key is msk.
params = (g, g1 , g2 , Z, d, H1 , H2 ) msk = x

5.1.3 Extract
To generate a private key for an attribute set ω, the following steps are taken:
• First, choose a d − 1 degree polynomial q(y) randomly such that q(0) = x;
• Generate a new attribute set ω̂ = ω ∪ Ω. For each i ∈ ω̂, choose ri ∈R Zp

and compute
q(i)
di0 = g2 · H1 (i)ri and di1 = g ri
• Finally, output Di = (di0 , di1 ) as the private key for each i ∈ ω̂
5.1.4 Sign
Suppose one has a private key for the attribute set ω. To sign a message m
with predicate Υk,ω∗ (·), namely, to prove owning at least k attributes among an
n-element attribute set ω ∗ , signer selects a k-element subset ω 0 ⊆ ω ∩ ω ∗ and
proceeds as follows:
• First, the signer selects a default attribute subset Ω0 ⊆ Ω with |Ω0 |= d − k

and chooses n + d − k random values r0 i ∈ Zp for i ∈ ω ∗ ∪ Ω0 .
• The signer then computes,

∆ (0) 0
σ0 = [Πi∈ω0 ∪Ω0 di0i,S ][Πi∈ω∗ ∪Ω0 H1 (i)r i ]H2 (m)s
( ∆ (0) 0
di1i,S · g r i for i ∈ ω 0 ∪ Ω0
σi = 0
gr i for i ∈ ω ∗ \ω 0
σ 0 0 = g s , with a randomly chosen value s ∈ Zp
• Signature: σ = (σ0 , {σi }i∈ω∗ ∪Ω0 , σ 0 0 )
5.1.5 Verify
To verify the signature σ = (σ0 , {σi }i∈ω∗ ∪Ω0 , σ 0 0 ) on message m with threshold
k for attributes ω ∗ ∪ Ω0 , check if the following equation holds:
e(g, σ0 ) ?
0
=Z
[Πi∈ω∗ ∪Ω0 e(H1 (i), σi )]e(H2 (m), σ 0 )
5.2 Attacks
In this section we present the attacks on the above scheme. We’ll take the following
example case into consideration for the attack:
- Let d = 2 (for simplicity)
36
- Accordingly Ω = Ω1 ; (|Ω|= d − 1)
- Users attributes ω = {A, B, C, D}
- Signing attributes ω ∗ = {A, P }
- Let the threshold k = 2 i.e the user needs to have both attributes in ω ∗ to
generate a valid signature.
- For simplicity we will denote H1 (i) by Hi .
5.2.1 Setup
At the end of Setup(d), we have params = (g, g1 , g2 , Z, d, H1 , H2 ) and msk = x.
5.2.2 Extract
1. Since d = 2 we consider a one-degree polynomial q(y) whose constant is set
to x and we pick a random value in Z∗p as the other co-efficient. So, q(0) = x.
And set, q(y) = 7y + x.
2. ω̂ = ω ∪ Ω = {A, B, C, D, Ω1 }.
So we have the following secret key values:

n o
q(A)
DA = dA0 = g2 · HArA , dA1 = g rA
n o
q(B)
DB = dB0 = g2 · HArB , dB1 = g rB
n o
q(C)
DC = dC0 = g2 · HArC , dC1 = g rC
n o
q(D) rD rD
DD = dD0 = g2 · HA , dD1 = g
n o
q(Ω ) r
DΩ1 = dΩ1 0 = g2 1 · HΩΩ11 , dΩ1 1 = g rΩ1
5.2.3 Preliminaries for the attack
Attacker picks d secret keys at a time and does the following computations:
Notations. For a set S = {A, B} when we evaluate the Lagrange co-efficient

∆i,S (0) at i = A, we will denote the value as ∆AB . If i = B, then we denote it as
∆BA . Please note that ∆AB need not equal ∆BA .
37
∆ (0)
Computations done by signer . We will evaluate Πi∈S di,0i,S for pairs of
attributes, S ∈ {{A, B}, {A, C}, {A, D}, {B, C}, {B, D}, {C, D}} to get:
X1 = g2x HArA ∆AB HBrB ∆BA X2 = g2x HArA ∆AC HCrC ∆CA 


x rA ∆AD rD ∆DA x rB ∆BC rC ∆CB
X3 = g2 HA HD X4 = g2 HB HC (5.1)

x rB ∆BD rD ∆DB x rC ∆CD rD ∆DC 
X5 = g2 HB HD X6 = g2 HC HD
We will use the following notations for simplicity:
∆A1 = ∆AB − ∆AC ∆B1 = ∆BA − ∆BC

∆A2 = ∆AB − ∆AD ∆B2 = ∆BA − ∆BD
Now, the user computes the following:

X1
Y1 = = HArA ∆A1 HBrB ∆BA HC−rC ∆CA
X2
X1 −rD ∆DA
Y2 = = HArA ∆A2 HBrB ∆BA HD
X3
X1
Y3 = = HArA ∆AB HBrB ∆B1 HC−rC ∆CB
X4
X1 −rD ∆DB
Y4 = = HArA ∆AB HBrB ∆B2 HD
X5
We extend our notations to include:
∆A3 = ∆A1 − ∆A2 = ∆AD − ∆AC ∆B3 = ∆BA ∆CB − ∆B1 ∆CA
∆A4 = ∆A1 ∆CB − ∆AB ∆CA ∆B4 = ∆BA ∆DB − ∆B2 ∆DA
∆A5 = ∆A2 ∆DB − ∆AB ∆DA ∆B5 = ∆B2 ∆A5 − ∆B4 ∆A4
Then, the user does the following computations:

Y1 rD ∆DA −rC ∆CA
Z1 = = HArA ∆A3 HD HC
Y2
Y ∆CB
Z2 = 1∆CA = HArA ∆A4 HBrB ∆B3
Y3
Y2∆DB
Z3 = = HArA ∆A5 HBrB ∆B4 (5.2)
Y4∆DA
Z2∆A5
Z4 = ∆A4 = HBrB ∆B5 (5.3)
Z3
1
∆ /∆B4 ˆ
HBrB = HArA ∆ · HBrB
∆B4
Z5 = Z3 = HA A5 (5.4)
With these computations the signer is now ready to forge.
38
5.2.4 Attack 1: Forgery without satisfying threshold
The attacker (who possesses attributes in ω) is now, going to sign a document

claiming (s)he has attribute 2-out-of-{A,P}. Note, here that the attacker does
not have the attribute P and has not received any secret key pertaining to the
attribute P . Recall,
• ω = {A, B, C, D}
• d = 2 So, (d − 1) = 1
• Ω = {Ω1 }
• ω ∗ = {A, P }
Sign
The attacker computes the following

q(A) q(B) 0 0
σ0I = [{g2 HArA }∆AB · {g2 HBrB }∆BA ][HAr A HPr P ]H2 (m)s (5.5)
0
Note that, rA , rP0 and s are values that the signer picks during signing. Now, the
attacker raises (5.4) to the exponent (−∆BA ) and multiplies with σ0I .
(−∆BA ) 0 0
σ 0 = Z5 × σ0I = g2x HArA C [HAr A HPr P ]H2 (m)s (5.6)
Here C is a constant, which can be computed by the signer. Now for the σi values:
0 0
σA = (g rA )C .g r A , σP = g r P
Finally, σ 0 0 = g s . The signature is σ = {σ0 , {σi }i∈{A,P } , σ 0 0 }
Verification
e(g, σ0 )
[Πi∈ω∗ ∪Ω0 e(H1 (i), σi )]e(H2 (m), σ 0 0 )
0 0
e(g, g2x )e(g, HArA C )e(g, HAr A )e(g, HPr P )e(g, H2 (m)s )
=
[e(HA , σA )e(HP , σP )]e(H2 (m), g s )
0
0

e(g, g2x )e g, HArA C e g, HAr A e g, HPr P
=
[e (HA , (g rA )C g r0 A )e (HP , g r0 P )]
= e(g, g2x )
=Z
39
5.2.5 Attack 2: Universal forgery
We now show universal forgeability in the proposed scheme by extracting the

secret component hidden in the signer’s keys.
Computations for launching the attack. We will continue with the prelim-
inary computations that we have already done. We also know that the Lagrange
coefficients for any set of attributes can be found. Thus, the ∆ij values can be
computed and therefore we can proceed to find:
−1
δB = Z4∆B5 = HBrB (5.7)
∆A5 −1
Z3
δA = = HArA (5.8)
(δB )∆B4
Using the components δA and δB , we can now do the following:

X1
ρ= ∆AB ∆BA
= g2x (5.9)
δA δB
Now, with the value of g2x the attacker will be in a position to forge for any
threshold of attributes and provide the appropriate σi components to pass the
verification tests.
Sign (Universal forgery)
The attacker (who possesses attributes in ω) is now, capable of signing a document

claiming (s)he has attributes 2-out-of-{L,M}. Note here that the signer does
not have either of the 2 attributes L or M and has not received any secret key
pertaining to these attributes. We are now looking at the following situation:
• ω = {A, B, C, D}
• d = 2 So, (d − 1) = 1
• Ω = {Ω1 }
• ω ∗ = {L, M }
The forger generates the following signature:

0 0
σ0 = g2x [HLr L HM
rM
]H2 (m)s
0 0
σL = g r L , σM = g r M
σ00 = gs
Final signature is given as σ = {σ0 , {σi }i∈{L,M } , σ 0 0 }.
40
Verify
0

r0 M
e(g, σ0 ) e(g, g2x )e g, HLr L
· HMe (g, H2 (m)s )
=
[Πi∈ω∗ ∪Ω0 e(H1 (i), σi )] e(H2 (m), σ 0 0 ) [e (HL , σL ) e (HM , σM )] e (H2 (m), g s )
0

r0 M
e(g, g2x )e g, HLr L e g, HM
=
[e (HL , g r0 L )e (HM , g r0 M )]
= e(g, g2x )
=Z
5.2.6 Attack 3: Total break - impersonating key issuing au-

thority
The attacker now holds g2x . With this, we show how (s)he can generate the private
keys for anyone.
To generate a private key for an attribute set ω, the attacker does the following:
• First, choose a d − 1 degree polynomial q(y). Say q(y) = 10y + x
• Generate a new attribute set ω̂ = ω ∪ Ω. For each i ∈ ω̂, choose ri ∈R Zp

and compute di0 and di1 .
q(i)
di0 = g2 · H1 (i)ri = g210i · g2x · H1 (i)ri and di1 = g ri
• Finally, output Di = (di0 , di1 ) as the private key for each i ∈ ω̂
This shows a total break on the system.

In this section we have shown how an attacker of the scheme can compute
certain intermediate values from some attributes and dummy attributes that are
available to any user. With the help of these values, an adversary is not only able
to launch multiple attacks on the scheme, but also procure g2x , which holds the
secret and can be used to completely break the system. The subsequent section
shows how the same intermediate values can be obtained in other schemes and
how those schemes can also be broken based on similar principles.
5.3 Attacks on schemes with similar key construct

In this section, we explore how we can attack other schemes whose key construction
is congruent to [LAS+ 10]. We’ll first look into the attribute based ring signature
scheme of Kim and Li in [LK08]. We will then show the attack on the (k, n)
41
threshold scheme by Shahandashti and Safavi-Naini in [SSN09], then on the ABS
with multiple attribute authorities [LAS+ 10]. We then proceed to show that the
attacks are also applicable on the ABS scheme for bounded multi-level threshold
circuits [KABPR10] and also on the scheme for hidden ABS without anonymity
revocation presented in [LK10].
5.3.1 Total break on attribute based ring signature scheme
Here we would like to remark that [LAS+ 10] has been derived from [LK08] and
that both their key extract phases are exactly the same. We first present the key
extraction phase of [LK08].
Key Extract
To generate a private key for an attribute set ω, the following steps are taken:
→ First, choose a d − 1 degree polynomial q(y) randomly such that q(0) = x;
→ Generate a new attribute set ω̂ = ω ∪ Ω. For each i ∈ ω̂, choose ri ∈R Zp .
q(i)
→ Compute, di0 = g2 · (H1 (i))ri and di1 = g ri ;
→ Finally, output Di = (di0 , di1 ) as the private key for each i ∈ ω̂
Total break
It’s now easy to see that the di0 components in [LK08] are exactly the same as
before. This allows us derive the set of equations (5.1) which are the primary set of
equations used in deriving the rest of the values. From there we can proceed in the
exact same manner to get equations (5.2), then (5.3), (5.7), (5.8) and finally (5.9).
This will allow the attacker to get g2x . Now, the attacker can use the strategy in
Section[5.2.6] and impersonate the key generating authority.
5.3.2 Break on threshold attribute based signature scheme
The threshold attribute based signature scheme by Shahandashti and Safavi-Naini

in [SSN09] has been extended from the previous ring signature scheme [LK08]
to support (k, n) threshold. We will take a closer look at their setup and key
extraction phases before we identify the similarities and describe how the attack
is applicable.
Setup
Setup(1k ): Pick y randomly from Zp and set g1 = g y . Pick random elements

∆
from G1 , g2 , h, t1 , t2 , · · · , tn+1 ∈R G1 . Define and output the following: T (x) =
42
n+1
∆i,N (x)
n
Y
g2x ti and msk = y and mpk = (g, g1 , g2 , t1 , t2 , · · · , tn+1 , h)
i=1
KeyGen
KeyGen(msk, A): To generate keys for the user attribute set A. Choose a random
d − 1 degree polynomial q(x) such that q(0) = y, choose random elements ri ∈ Zp
for i ∈ A, and output: n o
q(i)
ssk = g2 T (i)ri , g ri
i∈A
Attack
We will first establish the congruence of the key generation in this scheme to that
of [LAS+ 10]. Here, we can note that T (i) is a publicly computable function, the
definition of which has been established in the setup. Thus, we can consider it to
be equivalent to the hash function H1 (i) as used in schemes [LAS+ 10, LK08] for
the purposes of this attack. If we now use the notation Ti to indicate the value of
∆ (0)
T (i) where i is the attribute under consideration and then evaluate Πi∈S sski0i,S
for pairs of attributes, S ∈ {{A, B}, {A, C}, {A, D}, {B, C}, {B, D}, {C, D}} to
get:
X1 = g2y TArA ∆AB TBrB ∆BA X2 = g2y TArA ∆AC TCrC ∆CA
X3 = g2y TArA ∆AD TDrD ∆DA X4 = g2y TBrB ∆BC TCrC ∆CB
X5 = g2y TBrB ∆BD TDrD ∆DB X6 = g2y TCrC ∆CD TDrD ∆DC
If we now use the notation Hi to indicate the value of T (i) and also replace
the msk which is y here, with x. Then, we can get the same set of preliminary
equations as in (5.1). From here on, the rest of the steps in extracting g2y is exactly
the same as before. Thus, with the help of g2y , the attacker is capable of producing
keys for any set of attributes.
Generating Keys. To generate keys for the user attribute set A. The attacker
chooses a random d − 1 degree polynomial q(x), such that q(0) = y, say q(x) =
10x + y. And chooses random elements ri ∈ Zp for i ∈ A, and outputs:
ssk = g210i · g2y · T (i)ri , g ri i∈A

5.3.3 Attack on ABS with multiple attribute authorities
ABS scheme with multiple attribute authorities is the second ABS scheme pro-
posed in [LAS+ 10]. Here, we assume that there are k attribute authorities in
addition to one central authority. This scheme has some variations in its con-
struction since it needs to be able to address multiple authorities. We will review
43
the phases of the construction of their scheme before we show how an attacker can
break the system.
Setup
Assume that there are k distributed attribute authorities. Each of them is in

charge of the issue of attribute set Ai for 1 ≤ i ≤ k. Define a default attribute
set Ωi of d elements for each attribute authority. The central authority chooses
s1 , · · · , sk for all attribute authorities and hash functions H1 , H2 , · · · , Hk , H :
{0, 1}∗ → G1 . In addition, the central authority chooses a random generator
g ∈ G1 , a random x ∈ Z∗p , and sets g1 = g x . Next, she picks a random element
g2 ∈ G1 and computes Z = e(g1 , g2 ). For the attribute authority i, the secret key
is si , which is assigned by the central authority.
Extract
First, a user with identity u gets a secret key from the central authority as dca =
x−Σk fs (u)
g2 i=1 i . Then, she can request attribute private key from the i-th attribute
authority as follows: Assume the user u is eligible to get an attribute set Ai,u from
the attribute authority i. The attribute authority i chooses a random d − 1 degree
polynomial
n qi (·) such that qi (0) = fsi (u)
o and computes the secret key q(j) for user
qi (j)
u as dij0 = g2 Hi (j)rij , dij1 = g rij .
j∈Ai,u ∪Ωi
Sign
Suppose one has a private key for attribute set Ai,u for 1 ≤ i ≤ k. To sign a
message with predicate Υ that for each i, at least ki out of ni attributes ωi∗ are
issued from the attribute authority i (Note ki could be equal to 0). The user
selects a ki -value attribute subset ωi0 ⊆ Ai,u ∩ ωi∗ . The following steps are taken:
• First, the user chooses ri1 , ri2 , · · · , ri,ni +d−ki ∈ Z∗p and selects a d − ki default
attribute subset Ω0i ⊆ Ωi . Define Si = ωi0 ∪ Ω0i ;
• She also computes (σ0 , {σij }j∈ωi∗ ∪Ω0i , σ00 ), where:

 
∆j,Si (0) 0
Y Y Y
σ0 =  dij0 Hi (j)rij  (H(m))s
1≤i≤k j∈Si j∈ωi∗ \ωi0
n o n o
∆i,S (0) r0 0
σij = dij1 g ij , σij = g rij
, σ00 = g s
j∈Si j∈ωi∗ \ωi0
44
Verify
On input the signature (σ0 , {σij }j∈ωi∗ ∪Ω0i , σ00 ) with predicate Υ, compute
?
Y Y
e(g, σ0 ) = Z · e(Hi (j), σij )e(H(m), σ00 )
1≤i≤k j∈ωi∗ ∪Ω0i
If the equation holds, the signature is valid and the algorithm outputs accept.
Otherwise, the algorithm outputs reject.
Attack
In order to attack this system, a forger has to try and get part of the secret
component of every authority. The attacker can accomplish this as follows:
• Using the set of attributes {Ai,u ∪ Ωi } the user has from each authority i,
the attacker forms equations as in (5.1); the only difference being, g2x will
fs (u)
now be g2 i .
fsi (u)
• Following along the same way as before, the user can now extract g2 .
fs (u)
• Once the attacker extracts g2 i for all 1 ≤ i ≤ k. She computes their
product:
k Pk
fs (u) fs (u)
Y
g2 i = g2 i=1 i
i=1
• Multiplying it with the secret component given by the central authority :

Pk Pk
i=1 fsi (u) x−Σki=1 fsi (u) fsi (u)
dca × g2 = g2 × g2 i=1
= g2x
n o
fs (u)
Universal Forgery. Now, using the values g2x and g2 i , the attacker
i=1,··· ,k
can forge on any message for any threshold of attributes. The signature is com-
puted as (σ0 , {σij }j∈ωi∗ ∪Ω0i , σ00 ) where:
 
g2fsi (u) 0
Y Y
σ0 = dca · Hi (j)rij  (H(m))s
1≤i≤k j∈ωi∗
n 0
o
σij = g rij
, σ00 = g s
j∈ωi∗
Verification
 
Y Y
e(g, σ0 ) = Z ·  e(Hi (j), σij ) e(H(m), σ00 )
45
Analysis of the verification:
   
g2fsi (u) 0
Y Y
e(g , σ0 ) = e g , dc a · Hi (j)rij  (H(m))s 
 
Pk
x−Σki=1 fsi (u) i=1 fsi (u)
0
Y Y
= e g , g2 · g2 Hi (j)rij  e(g, H(m))s
 
0
Y Y
= e(g, g2x ) ·  e(g , Hi (j))rij  e(g, H(m))s
 
0
Y Y
=Z · e(g rij , Hi (j)) e(H(m), σ00 )
 
Y Y
=Z · e(Hi (j), σij ) e(H(m), σ00 )
Hence, the verification passes. This shows that universal forgery can be performed
by any attacker.
5.3.4 Attack on multi-level threshold ABS scheme
In this subsection we will focus on how the attack is possible on the multi-level
threshold ABS scheme proposed by Kumar et al in [KABPR10]. Here, inorder
to achieve multi-level threshold properties, the authors use the access structure
that was first described in Goyal et al’s paper on bounded ciphertext policy ABE
[GJPS08]. They denote the access tree structure by T . Now, let us look at how
the key is generated for a signer possessing a set of attributes θ such that only
those users satisfying the access tree can produce a signature:
Key Generation
The key generation algorithm outputs a private key that enables the signer to
sign on any message m under a bounded threshold circuit T , as long as T (θ) =
1. Choose a random polynomial q(x) for each non-leaf node x in the universal
bounded threshold circuit Tu . These polynomials are chosen in the following way
in a top-down manner, starting from the root node r. For each x, set the degree
cx of the polynomial qx to be one less than the threshold value, i.e., cx = num − 1.
Now, for the root node r, set qr (0) = χ and choose cr other points of the polynomial
qr randomly to define it completely. For any other non-leaf node x, assign qx (0) =
qpar(x) (index(x)) and choose cx other points randomly to completely define qx .
The secret values are given to the user by generating a new attribute set
θ∗ = θ ∪ δ. For all i ∈ θ∗ :
1. If i ∈ θ, for each x ∈ ΨTu

46
(a) Choose rx,i ∈ Z∗p
n o
qx (i) rx,i
(b) Compute dx,i0 = g2 H1 (x||i) , dx,i1 = g rx.i
2. If j ∈ δ, for each y ∈ ΦTu

(a) Choose ry,j ∈ Z∗p
n o
q (j)
(b) Compute dy,j0 = g2y H1 (y||j)ry,j , dy,j1 = g ry,j
Thus the private key is {dx,i0 , dx,i1 |x ∈ ΨTu , i ∈ θ} ∪ {dy,i0 , dy,i1 |y ∈ ΦTu , i ∈ δ}.
Attack
In order to model this attack, we will first consider all the non-leaf nodes x at
depth d − 1 i.e all x ∈ ΨTu . By using our method of attack, we will try to extract
q (0)
g2x , for each of these nodes. Once, we get these values, we can use these to
satisfy the threshold of the parent node and get its share of the secret and so
on until we reach the root. To do this we will first establish the congruence
of the key generation in this scheme to that of [LAS+ 10]. Here, we can note
that H1 (x||i) is a publicly computable function, the definition of which has been
established in the setup. Thus, we can consider it to be equivalent to the hash
function H1 (i) as used in schemes [LAS+ 10, LK08]. If we now use the notation
Hxi to indicate the value of H1 (x||i) where x is the node under consideration
∆i,S (0)
and i is the attribute under consideration and then evaluate Πi∈S dx,i0 for pairs
of attributes, S ∈ {{A, B}, {A, C}, {A, D}, {B, C}, {B, D}, {C, D}} to get the
following equations. (It is important here to note that this is possible because,
a secret key component is given for all of the users attributes for each and every
non-leaf node in ΨTu ).
q (0)
rxA ∆AB rxB ∆BA q (0)
rxA ∆AC rxC ∆CA
X1 = g2x HxA HxB X2 = g2x HxA HxC
q (0)
rxA ∆AD rxD ∆DA q (0)
rxB ∆BC rxC ∆CB
X3 = g2x HxA HxD X4 = g2x HxB HxC
q (0)
rxB ∆BD rxD ∆DB q (0)
rxC ∆CD rxD ∆DC
X5 = g2x HxB HxD X6 = g2x HxC HxD
This leads us to equations that have the exact same form as the primary
q (0)
equations in (5.1). Thus, we can extract g2x for all x ∈ ΨTu . Now, we have the
secret shares of all the children nodes at depth d − 1. We are in a position to
interpolate and get the share of the parent nodes as well. By definition, qx (0) =
qpar(x) (index(x)), so we can use interpolation and get qpar(x) (0). Thus, by doing
the procedure of interpolation recursively at each level, we can get the value at
q (0)
the root, g2r = g χ . Now, the attacker is just as capable of generating keys for
any set of attributes as the key generating authority.
47
5.3.5 Total break on hidden ABS without anonymity revo-
cation
The hidden attribute-based signatures without anonymity revocation was pro-

posed by Li and Kim in [LK10]. This scheme has been largely derived from the
work in [LAS+ 10] and hence it has the exact setup and key-extract phases as in
[LAS+ 10] and [LK08].
Now, any signer who gets a set of keys from the key-generating authority, can
use the same procedure as described in Section[5.2.3] to retrieve the component g2x .
This will enable the attacker to use the strategy in Section[5.2.6] and impersonate
the key generating authority. Hence, the key extract algorithm in this scheme
[LK10] causes a total break of the system.
5.4 Summary of attacks

We summarize all our attacks (mentioned in the previous sections) in the table
below.
ABS Scheme Type of break Source
Flexible Threshold Predicate Support Total Break [LAS+ 10]
Multiple Attribute Authorities Universal Forgery [LAS+ 10]
Attribute-Based Ring Signatures Total Break [LK08]
Threshold Attribute-Based Signatures Total Break [SSN09]
Bounded multi-level threshold circuits Total Break [KABPR10]
Hidden ABS without anonymity revocation Total Break [LK10]
Table 5.1: Table summarizing the attacks
Here, we would like to remark that a total break is one of the strongest attacks
possible and it encompasses a universal forgery. This is because, in a total break
the adversary can get keys for any set of attributes. And with that it would be very
simple to give a signature on any message, thus giving the attacker the implicit
capability for universal forgery.
5.5 Observations
Our main observations are that, the specific attack we mention is possible when
the following conditions are satisfied:
1. d is a constant and the universe of attributes U contains a large number of
elements.
2. The signer possesses lot more than d attributes although (s)he might not
have k out of the given set ω ∗ of attributes.
48
It is important here to note that the attack was made on the key construction
and method of verification, and not on the signature itself. The primary flaw in the
key construction is in using the idea of secret shares to distribute the master secret,
and at the same time giving each person lot more shares than what is required for
recovering the secret. These additional shares - in the form of dummies and other
attributes the signer has which are not a part of ω ∗ - give the signer multiple ways
to recover a derivative of the master secret key, which in turn leads to the attacks.
Discussion. We would like to remark here that, the concept of secret sharing
when combined with Waters’ signature, seems to be vulnerable to the attack we
have focused on, even when the number of keys are far fewer. We strongly feel
that there does not exist a fix for this key-construct that can resist the mentioned
attacks, however this direction is definitely worth exploring.
49
CHAPTER 6
New Threshold Attribute-Based Signature Scheme
From the attacks in the previous chapter we can see that the idea of secret sharing
introduces a weakness in threshold attribute based ABS schemes. In this section
we propose a new scheme for threshold attribute based signatures which is con-
ceptually based on ring signatures. We will first briefly relate the idea behind the
scheme before presenting our construction.
Ring signature. A ring signature, introduced by Rivest et al. [RST01], is a form

of digital signature which can be produced by any one member of a ring/group of
signers, all of who have a set of public/secret key pairs. The ring-signature only
says that the message was signed by one member of the ring, moreover, it will not
reveal anything about the signer itself. Additionally, the members of the ring can
be quite arbitrary and the ring can be easily extended to include more people as
long as they each have their own public/private key pairs. Infact there is no need
for the ring members to be endowed with any special property at all. The fact
that ring signatures can maintain the anonymity of a single signer from amongst
a group of people, is what makes it appropriate for our threshold needs.
Figure 6.1: Ring ABS where each alleged member of the ring has 4 attributes.
Intuition. Any threshold attribute based signature ensures that the signer pos-
sesses atleast t out of the specified signing attributes, say n∗ in number. Another
∗
way to look at this would be that, the signer has atleast 1 out of the nt com-
binations of the attribute sets. Thus, a new approach to the same would be, for
0 n∗

the signer to pick some n sets of t attributes each from the t possible sets, and
prove that she has atleast one of the n0 sets in her possession. Showing that the
signer has 1 out of n0 sets is where the idea of ring signature fits in. Note here
n∗
that 1 ≤ n0 ≤ t . If, n0 ≥ 2, it would be sufficient to prove that the signature
is valid and the signer has the specified attributes, moreover it would also give a
reasonable degree of anonymity and not reveal the exact credentials of the signer.
If, the actual predicate was an AND, then t = n∗ , which means n0 = 1 and the
signer needs to prove the possession of the complete set of attributes. On the
other hand, if the predicate consisted of just OR, then t = 1 and again the signer
can choose an appropriate n0 depending on the amount of privacy she wishes to
have and then produce a signature. With this intuition, we are ready to see the
details of the scheme.
6.1 Underlying Ring Signature

The underlying ring signature scheme that we use for our construction is the
efficient ID-based ring signature scheme proposed by Chow et al. [CYH05]. In
this section we will present the construction of the ring signature scheme. Note
here that ID represents the identity of a user.
6.1.1 Construction
Let G1 denote a cyclic additive group of prime order p on which the bilinear
function is efficiently computable. Let e(·, ·) be the bilinear function, e : G1 ×
G1 → G2 . Let, H1 and H2 be two hash functions where, H1 : {0, 1}∗ → G1 and
H2 : {0, 1}∗ → Z∗p .
Setup. The trusted authority (TA) randomly chooses x ∈R Zp , keeps it as the

master secret key and computes the corresponding public key Ppub = xP . The
system parameters are: {G1 , G2 , e(·, ·), p, P, Ppub , H1 , H2 }.
Key-Gen. The signer with identity ID ∈ {0, 1}∗ submits ID to TA. TA sets the
signer’s public key QID to be H1 (ID) ∈ G1 , computes the signer’s private signing
key SID by SID = xQID . Then TA sends the private signing key to the signer via
a secure channel, or using some secure and anonymous protocol.
Sign. Let L = {ID1 , ID2 , · · · , IDn } be the set of all identities of n users. The
actual signer, indexed by s (i.e. his/her public key is QIDs = H(IDs )), carries out
the following steps to give an ID-based ring signature on behalf of the group L.
51
1. Choose Ui ∈R G1 , compute hi = H2 (m||L||Ui )∀i ∈ {1, 2, · · · , n}\{s}.
2. Choose rs0 ∈R Zp , compute Us = rs0 QIDs − i6=s {Ui + hi QIDi }.
P
3. Compute hs = H2 (m||L||Us ) and V = (hs + rs0 )SIDs .

4. Output the signature on m as σ = { ni=1 {Ui }, V }.
S
Sn
Verify. A verifier can check the validity of a signature σ = { i=1 {Ui }, V } for
the message m and a set of identities L as follows.
1. Compute hi = H2 (m||L||Ui )∀i ∈ {1, 2, · · · , n}.
2. Checking whether e(Ppub , ni=1 (Ui + hi QIDi )) = e(P, V ).
P
3. Accept the signature if it is true, reject otherwise.
Discussion. This signature scheme has formally been shown to have uncondi-
tional signer anonymity property in [CYH05]. Also, the scheme is proven to be
existentially-unforgeable in the chosen message attack game by reduction to the
CDH problem in the random oracle model. The reduction has been shown with
the help of forking lemma for generic ring signatures [HS04].
6.2 New ABS Scheme Construction

We present the construction for our scheme which is based on the ring signature
proposed in [CYH05]. Here, for each set of attributes in the chosen n0 , we aggregate
the attributes by summing them up and form n0 components, one for each set.
One of these components has the signer’s secret key embedded in it, making it
a ring signature. During the verification phase the signer’s component also takes
care of eliminating all the attribute sets except the one which is actually used for
signing, thus proving the possession of one among the chosen n0 attribute sets.
Our construction also allows the key-generating authority to revoke anonymity if
required.
6.2.1 Setup
Let U denote the universe of attributes. U = {A1 , A2 , · · · , An } where Ai denotes

an attribute. Let t denote the threshold that a user needs to satisfy and U ∗ denote
the set of attributes in the predicate. If |U ∗ | = n∗ then, a user must have atleast t
out of the n∗ attributes to be able to produce a valid signature on a message. Let
G1 denote a cyclic additive group of prime order p on which the bilinear function
is efficiently computable. Let e(·, ·) be the bilinear function, e : G1 × G1 → G2 .
Let, H1 , H2 , H3 , and H4 be four hash functions where, H1 : {0, 1}∗ → G1 ,
H2 : {0, 1}∗ → Z∗p , H3 : {0, 1}∗ → {0, 1}∗ and H4 : {0, 1}∗ → G1 . Let the generator
of the group be P ∈R G1 , secret key be α ∈R Z∗p , and denote γ = e(P, P ) ∈ G2 .
The master secret key (msk) is α and Ppub = αP .
52
params = (e, G1 , G2 , H1 (·), H2 (·), H3 (·), H4 (·), P, Ppub , δ) msk = α.
6.2.2 Key Generation
D ← KeyGen(Uβ , ID, msk). Let, Uβ be the set of attributes that a user β has.
Let D denote the set of keys given to the user. Say, |Uβ | = nβ . Here, the attribute
authority picks a rβ ∈R Z∗p and then computes the following:
Qi = H1 (Ai ) Di = rβ · α · Qi (∀Ai ∈ Uβ )
D̄0 = rβ P D̄1 = rβ−1 P
ω = H3 (Uβ , ID) W = H4 (ω)
D̄2 = rβ−1 W

The attribute authority finally gives the key, D = {Di }i∈{1,··· ,nβ } , D̄0 , D̄1 , D̄2 , ω .
Key verification
Here, the user who is receiving the keys for her attributes can verify the secret
keys as follows.
?
e(D̄0 , D̄1 ) = γ
?
e(D̄0 , D̄2 ) = e(P, H4 (H3 (Uβ , ID)))
?
e(Di , D̄1 ) = e(Qi , Ppub )
6.2.3 Sign
σ ← Sign(U ∗ , t, D, m, params). The signer who possesses atleast t of the at-

tributes in U ∗ must be able to produce a valid signature on a message m. Let
Tβ be the t-element subset of attributes of U ∗ , that the user chooses inorder to
generate the signature. i.e Tβ ⊆ U ∗ ∩ Uβ such that, |Tβ | = t. Let T be a collection
of n0 subsets of attributes from U ∗ such that each of these subsets has a cardinality
of exactly t and no two of them are equivalent. We’ll assume that the sets in T are
indexed by values from 1 to n0 , and we’ll denote by Ti , the elements of T which
are each a subset of the attributes in U ∗ . So, the signer chooses {Ti }i∈{1,··· ,n0 }
∗
where Ti ⊆ U ∗ , |Ti | = t , Ti 6= Tj and 2 ≤ n0 ≤ nt . Without loss of generality,
we can assume that the set Tβ is present in T and is at a random index s where
1 ≤ s ≤ n0 . Thus, we refer to Tβ as Ts in our subsequent discussions. Hence, Ts
is the set of t attributes that the signer possesses among U ∗ , and will use for the
signature, and the remaining (n0 − 1) sets are used just for the sake of anonymity.
Then, the signer computes the following signature components.
The signer first picks n0 random values, ri ∈R Z∗p for i = {1, · · · , n0 }, and an
r∗ ∈R Z∗p and then proceeds to generate the signature on m as follows:
1. Set V¯0 = r∗ D̄0 , V¯1 = r∗ −1 D̄1 and V¯2 = r∗ −1 D̄2
53
for i = {1, · · · , n0 }\s
P
2. Ui = ri · Qj ,
Aj ∈Ti
3. We define, hi = H2 (m, Ui , Ti , V¯0 , V¯1 , V¯2 ), for all i ∈ {1, · · · , n0 }\s.

n0
! !
P X P
4. Us = rs · Qj − (ri + hi ) Qj
Aj ∈Ts i=1;i6=s Aj ∈Ti
5. We define, hs = H2 (m, Us , Ts , V¯0 , V¯1 ), in a manner consistent to that of the

definition of the hi values.
6. We set, V = r∗ (rs + hs ) Ai ∈Ts Di and,

P
The final signature σ is given as:
σ = {Ti }i={1,··· ,n0 } , {Ui }i={1,··· ,n0 } , V , V¯0 , V¯1 , V¯2 , ω

It is important to note in the algorithm that the size of the signature is inde-
pendent of the number of attributes, but depends more on the degree of privacy
that the signer prefers. This is because, n0 is a factor that the signer chooses,
depending on the amount of information the signer wishes to reveal.
6.2.4 Verify
The verifier can check the signature by performing the following computations:
?
e(V¯0 , V¯1 ) = γ
?
e(V¯0 , V¯2 ) = e(P, H4 (ω))
n 0 !
?
X
¯
e(V , V1 ) = e (Ui + hi
P
Qj ) , Ppub
i=1 Aj ∈Ti
The signature is valid only if all the three checks are satisfied, in all other cases
it’s considered to be invalid.
Verification Analysis
We argue here that, if the steps of the algorithm are followed without deviation
then, the signature given is valid. We will show a proof of the correctness mathe-
matically. Let’s first consider e(V¯0 , V¯1 ):
e(V¯0 , V¯1 ) = e(r∗ D̄0 , r∗ −1 D̄1 )

= e(r∗ rβ P , r∗ −1 rβ−1 P )
= e(P , P )
=γ
54
Next we check e(V¯0 , V¯2 ):
e(V¯0 , V¯2 ) = e(r∗ D̄0 , r∗ −1 D̄2 )

= e(r∗ rβ P , r∗ −1 rβ−1 H4 (ω))
= e(P , H4 (ω))
Now, we will see if the third verification is !

also valid. i.e Check if,
Xn0
e(V , V¯1 ) = e
P
(Ui + hi Qj ) , Ppub is correct for a valid signature. We
i=1 Aj ∈Ti
look at the L.H.S and the R.H.S components separately in showing the proof.
Consider the L.H.S:
!
X
e V , V¯1 = e r∗ (rs + hs ) Di , r∗ −1 D̄1

Ai ∈Ts
!
X
= e (rs + hs ) Di , rβ−1 P
Ai ∈Ts

rβ−1 P
P
= e (rs + hs ) · rβ · α Qi ,
Ai ∈Ts

P
= e (rs + hs ) · α Qi , P
Ai ∈Ts

P
= e (rs + hs ) · Qi , α · P
Ai ∈Ts

P
= e (rs + hs ) · Qi , Ppub (6.1)
Ai ∈Ts
Now, for the R.H.S:

n 0 !
X P
e (Ui + hi Qj ) , Ppub
i=1 Aj ∈Ti
n 0
X P
We’ll consider the first component (Ui + hi Qj ) and simplify it before we
i=1 Aj ∈Ti
compute the mapping.
55
n0 n n 0 0
X P X X P
(Ui + hi Qj ) = Ui + (hi · Qj )
i=1 Aj ∈Ti i=1 i=1 Aj ∈Ti
Xn0 n
X
0
P P
= Us + Ui + (hs · Qj ) + (hi · Qj )
i=1;i6=s Aj ∈Ts i=1;i6=s Aj ∈Ti
! n 0 !
P X P
= rs · Qj − (ri + hi ) Qj
n 0 n 0
P X X P
+ (hs · Qj ) + Ui + (hi · Qj )
Aj ∈Ts i=1;i6=s i=1;i6=s Aj ∈Ti
n0
! !
P X P
P X P X P
+ (hs · Qj ) + (ri Qj ) + (hi Qj )
Aj ∈Ts i6=s Aj ∈Ti i6=s Aj ∈Ti
P
= (rs + hs ) · Qi (6.2)
Ai ∈Ts
Using the above we get R.H.S to be,

n0
!
X P P
e (Ui + hi Qj ) , Ppub = e (rs + hs ) · Qi , Ppub (6.3)
i=1 Aj ∈Ti Ai ∈Ts
Thus, from equations (6.1), (6.2) and (6.3) we can see that the verification
holds and can be performed using the public values.
6.3 Security
We will show that our threshold attribute based signature scheme is existentially
unforgeable with respect to the chosen message attack (CMA) .
6.3.1 Security Notions
We first define the game under which our threshold attribute based ring signature
scheme is existentially unforgeable.
Setup. The challenger C takes a security parameter k and runs the Setup to
generate common public parameters params and also the master secret key α. C
sends params to adversary A.
Attack. The adversary A chooses a specific attribute Ax and gives it to C. Ad-
versary can then perform polynomially bounded number of queries in an adaptive
manner (interactively) with the oracles.
56
- Hash functions. A can query for the output of the hash functions H1 (·) and
H2 (·) for any input.
- KeyGen. A is allowed to query the key for any set of attributes ( the set
may include Ax ).
- Sign. A picks a set of attributes U 0 (it can contain Ax ), a threshold t0 , and

any message m; C will output (t0 , n)-threshold ABS signature on m.
Forgery. At the end of the game, A outputs a threshold attribute based signa-
ture σ on the set of attributes U ∗ . The restriction being Ax must be an element of
every subset Ti given by A, where |Ti | = t00 (threshold number of elements). Also,
the chosen set of attributes must not have been queried (as a single set) directly or
as a subset (of a larger set) during any of the key-generation or signature queries.
This ensures that, the adversary has not queried for atleast one element from each
subset of elements which can possibly satisfy the threshold. This game model also
captures the proof of security for the scheme’s collusion-resistant nature. This is
because, here, the adversary may have the keys for all of the attributes (including
Ax ) as part of one set or an other, but A should not be able to combine the secret
keys to generate a signature for the given set. A wins the game if the verification
on σ passes the check.
6.3.2 Modified Computational Bilinear Diffie-Hellman As-

sumption.
We’ll state the modified computational Diffie-Hellman problem, as we use it, to

prove the security of our scheme.
Let e : G × G → GT be an efficiently computable bilinear map, where G has
prime order p. The modified computational bilinear diffie-hellman(m-CBDH) as-
sumption is said to hold in G if, given elements {P, aP, bP, cP, a−1 P }, then no prob-
abilistic polynomial-time adversary can compute e(P, P )abc with non-negligible ad-
vantage, where a, b, c ∈R Z∗p and generator P ∈ G are chosen independently and
uniformly at random.
6.3.3 Unforgeability
Theorem 6.3.1 (Unforgeability) In the random oracle model (where the hash
functions are modeled as random oracles), if there exists an algorithm A that
can win the existentially unforgeable, chosen message attack game, with non-
negligible probability by making a valid ABS in polynomial time, then the modified-
computational bilinear Diffie-Hellman (m-CBDH) problem can be solved in poly-
nomial time.
Proof: The proof for the unforgeability of our threshold attribute based sig-
nature follows, to some extent, that given by Chow et al. in [CYH05]. In the
57
subsequent discussion we will show the reduction of our scheme to solving the
CBDH problem.
Inorder to solve the m-CBDH problem, the challenger C receives the instance
{P, aP, bP, cP, a−1 P } and has to finally produce e(P, P )abc as the output. The
challenger will run A as a subroutine in the existential unforgeability game. As
defined in the game, A can make queries to the hash functions; although the hash
outputs will be random, the challenger C will maintain separate lists of the query
and response of each oracle in order to simulate proper collision-resistant hash
functions and avoid inconsistencies. Also, in the proof, we’ll make the assumption
that all the H1 (Ai ) queries are made before they are used in any further oracle
queries.
Setting. First, the challenger C sets the public-key as Ppub = aP and master
secret as α = a. Note that C does not know a, b or c, but it will simulate those
values during its responses to A, with the help of aP , bP , cP and a−1 P .
H1 queries. When A makes queries to the hash function H1 (·) with input as
some attribute Ai , C does the following. If Ai was already queried before, the hash
value will be in the list L1 and C will search and give the stored value. Otherwise,
it first picks an si ∈ Z∗p uniformly at random, and then checks if this value is
present in the list L1 . If it is present C re-picks si repeating the process until it
gets a new value. Then, if Ai 6= Ax , it sets Qi = H1 (Ai ) = si P . If Ai = Ax , then it
sets Qx = H1 (Ax ) = sx (bP ). After each response, C makes sure to save the tuple
< Ai , si , Qi > in the list L1 , if it wasn’t already present.
H3 queries. Queries to the H3 oracle are answered by the challenger as follows.

C picks an ω ∈ Z∗p uniformly at random, and then checks if this value is present
in the list L3 . If it is present, then it re-picks ω repeating the process until it gets
a new value. Then the tuple < Uβ , ID, ω > is added to list L3 .
H4 queries. List L4 is used to maintain the queries and responses of this oracle.
When an input ω is queried for its hash, the list L4 is looked up to see if a matching
entry already exists, if it is found the corresponding value is returned. In all other
cases, an w ∈R Z∗p is picked uniformly at random and W is set to be W = wcP .
The tuple of, < ω, W, w > is added to the list, L4 .
Key-Gen queries. Adversary A is allowed to request for the private keys on

any set of attributes Uβ (including Ax ). So, we will consider this in two cases: (1)
when the element Ax ∈ / Uβ , and (2) when the element Ax ∈ Uβ .
Case-1 : When the challenger gets a query where Ax ∈
/ Uβ , C first picks rβ 0 ∈R
Z∗p and then gives the keys as follows:
1. Set, D̄0 = rβ 0 P and D̄1 = rβ−1

0 P
58
2. Now, ω = H3 (Uβ , ID)
3. W = H4 (ω), this is set as W = w(cP ) (w ∈R Zp∗ )
4. Tuple < Uβ , ID, ω > is added to L3 and tuple < ω, w, W > is added to L4 .
5. Compute, D̄2 = rβ−1 −1

0 W = rβ 0 w(cP )
6. It retrieves the tuple < Ai , si , Qi > corresponding to Ai from the list L1 .
7. Then, sets Di = rβ 0 · si · (aP ) and returns Di .
Case-2: If however, Ax ∈ Uβ , then the keys given are follows. Let, rγ ∈R Z∗p ,
be chosen at random. Assume, rβ = rγ /a. Then, the rest of the values are set as
follows:
1. Set, D̄0 = rβ P = rγ (a−1 P ) and D̄1 = rβ−1 P = rγ−1 (aP )
2. Now, ω = H3 (Uβ , ID)
3. W = H4 (ω), this is set as W = wP (w ∈R Zp∗ )
4. Tuple < Uβ , ID, ω > is added to L3 and tuple < ω, w, W > is added to L4 .
5. Compute, D̄2 = rβ−1 W = rγ−1 w(aP )
6. Finally, Di = rβ · α · Qi = rγ sx (bP ) (∀Ai ∈ Uβ )

The final key is given as, D = {Di }i∈{1,··· ,nβ } , D̄0 , D̄1 , D̄2 , ω .
In both cases, all the intermediate random values that have been chosen by the
challenger are added to the respective lists along with the computed components
and final responses.
H2 queries. Whenever queries to H2 (·) are made, C first looks up entries in L2

to see if the same query was made previously. If a matching entry is found, it
gives the corresponding saved hash value, otherwise, it just picks a random value
from Z∗p and gives it as output, storing the input and response as a tuple in L2 .
Sign. Signature requests are answered by C as follows:

It picks a Ts at random first. If Ax ∈ / Ts , then it computes the signature
as in the algorithm in Section(6.2.3) since it knows all the components. It also
makes sure to save the hash queries and responses, like hi = H2 (m, Ui , Ti , V¯0 , V¯1 )
components in list L2 . If however, Ax ∈ Ts , it first selects n0 random values,
ri ∈R Z∗p for i = {1, · · · , n0 }, and computes the following:
1. V0 = r∗ D̄0 = r∗ −1 rβ 0 P, V¯1 = r∗ −1 D̄1 = r∗ −1 rβ−1

0 P
¯ ∗ −1 ∗ −1 −1
V2 = r D̄2 = r rβ 0 H4 (ω)
2. Add the values rβ , Uβ , D̄0 , D̄1 , D̄2 , Ts to the sign oracle list.
59
3. Picks z ∈R Z∗p and sets1 , V = r∗ rβ 0 · z · (aP )
4. For i ∈ {1, · · · , n0 }\s

P
- Computes Ui = ri · Qj
Aj ∈Ti
- Gets hi = H2 (m, Ui , Ti , V¯0 , V¯1 , V¯2 ) and saves hi in list L2

! !
X
5. Us = zP − h0s ·
P P
Qj − (ri + hi ) Qj
Aj ∈Ts i6=s Aj ∈Ti
6. V = r∗ −1 rβ 0 z(aP )
7. Save the tuple < h0s , Us , Ts , V¯0 , V¯1 , V¯2 , V > in L2 .
8. σ = {Ti }i={1,··· ,n0 } , {Ui }i={1,··· ,n0 } , V , V¯0 , V¯1 , V¯2 , ω

Proof for the verification of this signature can be found in Appendix(A.1).
Forgery. Finally, A will output σ = {Ti , Ui }i={1,··· ,n0 } , V , V¯0 , V¯1 , V¯2 , ω ,

the forged signature on the message m such that Ax is present in each of the
chosen subsets, Ti , on which the ring signature is given.
Solving CBDH. From the forking lemma for generic ring signature schemes
[HS04] it follows that, if with non-negligible probability, A can give a valid forged
signature in the above interaction within time TA , then we can construct another
algorithm A0 which within time 2TA can output two signatures σ and σ 0 with values
σ = {Ti , Ui }i={1,··· ,n0 } , V , V¯0 ,V¯1 ,V¯2 , ω ; σ 0 = {Ti , Ui }i={1,··· ,n0 } , V 0 , V¯00 ,V¯10 ,V¯20 , ω

also with non-negligible probability. It also follows from the lemma that with
non-negligible probability, we can have hi = h0i , for all i ∈ {1, · · · , n0 }\s. Now,
given A0 derived from A, we can solve for e(P, P )abc as follows.
  s−1
x
−1 0 −1
 e(V, V¯2 ) w (hs −hs )

 X 
e(P, P )abc =
 e(V 0 , V¯ 0 ) ÷ e
 (s i aP ), cP 

2 Aj ∈Ts
Aj 6=Ax
This is possible since, sx can be looked up from the list L1 , and values of si (for
all Ai ∈ Ts , Ai 6= Ax ) can also be found from table L1 . Also, hs and h0s can be
queried on H2 ’s list L2 from the given values, and can be found within a constant
number of trials.
A more detailed derivation, showing the computations involved in extracting
the solution for CBDH can be found in the Appendix(A.2).
1
Note: This cannot be done by a normal signer since rβ 0 will only be available to the attribute
authority.
60
6.3.4 Anonymity
In this section we will define what anonymity is and prove that our scheme provides
unconditional anonymity to the signer’s attribute subset used in the signature.
We define signer ambiguity for our scheme in a manner similar to the one given
in [CYH05] for ring signatures. An attribute-based signature scheme, using the
ring approach as defined by us, for the threshold access structure, is said to have
unconditional signer
S attribute-set ambiguity if for any group of n0 attribute subsets
{T }, where T = Ti , ∀1 ≤ i ≤ n0 , Ti ⊆ U ∗ and |Ti | = t , any message m and
any signature σ, where σ = Sign(m, t, U ∗ ); any verifier A even with unbounded
computing resources, cannot identify the actual attribute subset of the signer (used
in the signature) with probability better than a random guess. That is, A can
output the actual signer’s chosen attribute subset (indexed by Ts ) with probability
no better than 1/n0 .
Theorem 6.3.2 (anonymity) Our threshold attribute-based signature has un-

conditional signer attribute-set anonymity property.
Proof: We first claim that all the Ui ’s are uniformly distributed. This is because,
each Ui (including Us ) is obtained via multiplying the components with a value ri ,
that is chosen uniformly at random. So, we can say that the Ui ’s by themselves
(as independent entities) don’t leak any information. Another component of the
signature, ω, is a hash of the attributes of the user, but since it’s a hash and is
created even before Ts is chosen, it cannot reveal anything about Ts . Also, the
other values, V̄0 , V̄1 and V̄2 are unrelated to Ts . So, it remains to be seen if V gives
away any information about Ts with the help of the bilinear map function along
with any of the given components and public values.
So, we will consider ifPV = r∗ (rs + hs )P Ai ∈Ts Di , leaks anything about Ts .
P
Let us focus on V − r∗ hs Ai ∈Ts Di = r∗ rs Ai ∈Ts Di . The hs component can be
obtained publicly since it is a hash. We’ll see if this component gives away infor-
mation related to Ts when considered along with V̄1 = r∗ −1 rβ−1 P , in the bilinear
map. If we manage to get r∗ rs Ai ∈Ts Di , then we can do the following verifica-
P
tion test: we check if e(r∗ rs Ai ∈Ts Di , V̄1 ) = e(rs Ai ∈Ts Qi , Ppub )? To do this,
P P
any user who suspects that X the set TkPwas used in signing
?
of the message will only
P
need to check if, e(Uk + (Ui + hi Qj ), Ppub ) = e(V, V̄1 )/e(hk Qj , Ppub ).
i6=k Aj ∈Ti Aj ∈Tk
We will now show that, although the above equality is valid for k = s, it is
equally valid for any of the other attribute subsets in T i.e the check is symmetric
with respect to any attribute subset and hence does not reveal anything about Ts .
61
To see that, consider:
X P P X P
Uk + (Ui + hi Qj ), Ppub ) = Us + i6=s (Ui ) + (hi Qj
i6=k Aj ∈Ti i6=k Aj ∈Ti
! !
P X P
P X P
+ (Ui ) + (hi Qj )
i6=s i6=k Aj ∈Ti
P X P X P
= rs · Qj − ri Qj − hi Qj
Aj ∈Ts i6=s Aj ∈Ti i6=s Aj ∈Ti
P X P
+ (Ui ) + (hi Qj )
i6=s i6=k Aj ∈Ti
P P P
= rs · Qj − hk Qj + hs Qj
Aj ∈Ts Aj ∈Tk Aj ∈Ts
P P
= (rs + hs ) Qj − hk Qj
Aj ∈Ts Aj ∈Tk
∗−1 r −1 α−1
= (V )r
P
β − hk Qj
Aj ∈Tk
Thus,
∗−1 r −1 α−1
X
Qj ), Ppub ) = e((V )r
P P
e(Uk + (Ui + hi β − hk Qj , Ppub )
i6=k Aj ∈Ti Aj ∈Tk
P
= e(V, V̄1 )/e(hk Qj , Ppub )
Aj ∈Tk
S This proves that the check is symmetric with all attribute subsets in T =
Ti , ∀1 ≤ i ≤ n0 . So, the signature components are independent and uniformly
distributed irrespective of the attribute subset being used. Thus, our scheme is
unconditionally signer attribute-set anonymous.
6.4 Advantages of the new approach

The proposed threshold scheme has a new property that we can call controlled
partial anonymity which is not known to be present (to the best of the our knowl-
edge) in any of the previous threshold attribute based signature schemes. This
is a feature that would allow the signers to control their anonymity even if the
signing policy is not determined by them. We will illustrate this feature with an
example. Let us say Alice is signing a document which wants the signer to satisfy
a threshold predicate, and she has sufficient attributes to satisfy the predicate.
Say, one of the attributes of the signing policy is CIA officer. Now, Alice being
a CIA officer among other things wishes to highlight this particular fact in her
62
signature (although it may not be necessary). She can choose all the n0 attribute
sets {Ti }i∈{1,··· ,n0 } with CIA officer being one of the attributes in each of these
sets. By doing this, she has control over which of her attributes she wants to
reveal. But if Alice does not wish to reveal anything about her credentials except
∗
that they satisfy the necessary threshold, then she will have to give all the nt
possible sets. If on the other-hand, Alice is completely indifferent about revealing
all of her attributes, then she can give a signature and include a single subset of
attributes. And that set should contain just the exact set of attributes used in the
signature inorder to satisfy the given policy. Note that this will also be a constant
size signature, since it will have only one Ti and Ui .
The power that this feature gives is that, even if the signing policy is specified
by a different authority, the signer can choose to reveal more in the signature than
what other schemes would normally allow. In a way, our approach allows the
signer control over the signature size and privacy, although he/she may not have
had the freedom to set the signing policy. If a signer does not care about privacy,
then she can go for a constant size signature. On the other-hand if the size of
the signature components is immaterial, then signer can choose to get complete
privacy by choosing all the subsets of attributes satisfying the policy to be a part
of the signature.
We also observe that this scheme can be extended to a multi-level threshold
attribute based signature if each attribute is present only once in the predicate.
63
CHAPTER 7
Conclusions and Directions for Future Work
We conclude our discussions on attribute-based cryptosystems in this chapter. We

will first recap our work on size efficient attribute based schemes and present some
of the challenges this area poses. We will then revisit the security of ABS schemes
and outline our inferences. We present some interesting directions for future work
in the area of threshold attribute-based signatures with particular focus on our
new approach. We also give some intuitions for potential solutions to some of the
problems we pose. Finally we’ll end this chapter by summarizing our work and
present the potential this field has in the emerging computing world.
7.1 Conclusion
7.1.1 Threshold CP-ABE
The first problem we looked at was the multi-level threshold attribute-based en-
cryption. We focused on ciphertext-policy based schemes since CP-ABE addresses
the problem of attribute-based communication in a natural way, i.e the access
policy is associated with the ciphertext during encryption and each user gets keys
based on the attributes/credentials they have. We paid particular attention to
efficiency because, almost all attribute-based solutions require a huge number of
components for keys and ciphertext, making them cumbersome for large-scale
tasks. Although some constant-size threshold schemes exist, they only support
one gate and are not as expressive as some of the applications and real-world sit-
uations require them to be. Ours is an attempt to give an efficient scheme that
does not compromise on the expressiveness of the access policy. We also believe
that ours is the first multi-level threshold scheme where the size of the ciphertext
is proportional to the complexity of the predicate policy as opposed to the number
of attributes involved.
Proposed Extensions. Our scheme appears to be provable only in the generic

model. An immediate open problem would be to provide a scheme that can be
reduced to a well known hard assumption. Additionally, this problem would be
considered as completely solved only if a scheme that can be proved in the standard
model is also presented.
Another natural extension to our work would be to design a provably secure
constant-size multi-level threshold CP-ABE scheme. Such a scheme would be most
practical, both for it’s compactness and the manifold control that it can provide
to the access policy.
7.1.2 Attribute Based Signatures
With regard to attribute-based signatures, our study has shown that many of the
ABS schemes have been influenced by CP-ABE constructions. We also observed
that the idea of secret sharing and use of dummy attributes play an important
role in the formulation of schemes that support threshold access structures. These
observations coupled with our study of Waters’ signature on the attributes gave
us some intuitions for the attacks. However, we have seen other threshold schemes
making use of secret sharing that do not exhibit this vulnerability. We notice that
some these schemes use different mechanisms to generate their keys, and some
others using Waters’ signature ensure a check on the dummy values provided to
the user. Modifying the broken schemes to force some properties on number of
dummy values makes them inept for threshold predicates. This has led us to
conclude that the schemes for which we presented breaks cannot be fixed easily.
Open Problem. We leave it as an open problem to come up with a provably

secure attribute based signature scheme with a key construct that makes use of
the linear secret sharing scheme combined with Waters’ signature.
7.1.3 Threshold ABS - New Directions
In our work on threshold attribute based signatures, we give a completely new

perspective on the problem of threshold signatures. Instead of viewing it as a
single (k, n) component, we break it up as 1-out-of-n0 , k-sized, components. This
view gives us the flexibility to use the trusted and well established idea of ring
signatures for the signing algorithm. However, there is still the challenge of being
able to aggregate the attributes into k-sized components. While aggregate signa-
ture allows one to verify each sub-component’s identity(signer), the fundamental
aspect in ring signature is to give anonymity and prevent anyone from recognizing
the exact signer. The combination of these two contrasting features is critical in
devising a scheme based on our new concept. It is easy to see from our scheme that
the aggregation is required since we want to be able to identify all the attributes
in each of the chosen n0 subsets. However, we use the ring externally, to combine
these subsets so that a recipient is not able to identify which of the subsets was
used during the signing algorithm. Our scheme provides a construct that maps
both features to create an interesting threshold ABS scheme that gives the signer
a different way to control his/her anonymity.
Future directions. In this thesis we show our scheme can be reduced to a mod-
ified version of the CBDH problem with the help of the forking lemma. However,
we make use of the forking lemma which does not lead to a tight reduction. A
challenging line of work would be to develop a scheme that can be proved secure
without the use of forking lemma. If such a scheme can be provided it can also
address the open problem of creating a provably secure ring signature scheme with
a tight-reduction to some hard problem.
65
7.2 Summary
We began this work by studying various aspects of attribute-based cryptosystems.
We looked at the origin of attribute-based encryption and traced its development.
We then closely investigated size-efficient CP-ABE schemes. Later, we moved
to threshold CP-ABE schemes that had achieved constant-size ciphertexts. Our
observation that all the proposed constant-size ABE schemes could support only
one gate, led us to explore and obtain an efficient and expressive threshold CP-
ABE scheme. We inferred that an extension of the regular threshold schemes to
multi-level threshold would give them the required expressiveness. The scheme we
propose here supports multiple levels of threshold and at the same time has far
fewer ciphertext components than previous such schemes. Our scheme results in
a ciphertext-size that is independent of the number of attributes, it depends only
on the number of gates in the access structure. Although our proposal appears
reliable and robust (which we have seen with an example) it’s security remains to
be formalized. A good extension in this area would be to devise a provably secure
constant-size ciphertext multi-threshold CP-ABE.
Next, we looked at attribute-based signatures, and pointed out vulnerabilities
in a number of schemes. We closely examined the key-generating algorithm on
which our attacks were based. Then, we formally presented the different kind
of ways in which each of these schemes could be attacked. We concluded that
the attacks cannot be fixed easily just by changing the number of components
(attributes and dummies) given to the user; a fix would require a different key-
generating mechanism altogether. But we still think it is a worthwhile venture
to design a threshold attribute-based signature scheme built on Waters’ signature
and secret sharing principle, that is resistant to our attack.
With the momentum of the breaks we decided to explore a new way to per-
ceive threshold attribute-based signatures. Threshold is an instantly appealing
predicate primarily due to its versatility. So, we took up the challenge of creating
a novel threshold-ABS scheme founded on the principles of ring signatures. Our
construction aggregated attribute sets and gave a signature on a ring comprising
of various attribute subsets. Although our scheme is sound, it has been proved
secure in the selective model with the help of the forking lemma which makes the
reduction, and in turn, the security, weak. A good problem in this direction would
be to come up with a tightly-reducible scheme based on the proposed approach.
This can also lead to resolving some open problems in ring signatures.
Finally, in this chapter, we gave a more complete picture of our work in
attribute-based cryptosystems. We consolidated our observations and inferences.
We also reflected on some of the interesting lines on which work in this area can
proceed. The problems we have looked at are all fundamental issues faced in
distributed settings. With large-scale data decentralization and vast networks of
distributed data (from social networks, cloud-computing, electronic-mail etc.) we
can see a number of avenues where such kind of security is highly pertinent. By
tackling these problems, we not only look at solving some central security issues,
we also embrace these emerging technologies and the new revolution in communi-
cation that they bring with them.
66
APPENDIX A
Detailed Analysis of Proof
This chapter is dedicated to show the correctness of the verification steps used
in the proof of our scheme in Chapter(6), in particular we look at the proof for
Theorem(6.3.1).
A.1 Sign Oracle Correctness

We will show the proof for the verification of the signature generated by the oracle
while showing the security of the scheme (from Section(6.3.3)).
The signature components generated by the sign oracle are as follows:
1. V0 = r∗ D̄0 = r∗ −1 rβ 0 P, V¯1 = r∗ −1 D̄1 = r∗ −1 rβ−1

0 P
V¯2 = r D̄2 = r rβ 0 H4 (ω)

∗ −1 ∗ −1 −1
2. V = r∗ rβ 0 · z · (aP )
3. For i ∈ {1, · · · , n0 }\s

P
- Computes Ui = ri · Qj
Aj ∈Ti
- Gets hi = H2 (m, Ui , Ti , V¯0 , V¯1 , V¯2 )

! !
X
4. Us = zP − h0s ·
P P
Qj − (ri + hi ) Qj
5. V = r∗ −1 rβ 0 z(aP )
6. σ = {Ti }i={1,··· ,n0 } , {Ui }i={1,··· ,n0 } , V , V¯0 , V¯1 , V¯2 , , ω

Now, the verification has to satisfy the following three equations:

?
e(V¯0 , V¯1 ) = γ
?
e(V¯0 , V¯2 ) = e(P, H4 (ω))
n 0 !
?
X
¯
e(V , V1 ) = e (Ui + hi
P
Qj ) , Ppub
i=1 Aj ∈Ti
A.1.1 Verification analysis
Let’s first consider e(V¯0 , V¯1 ):
e(V¯0 , V¯1 ) = e(D̄0 , D̄1 ) = e(rβ P , rβ−1 P ) = e(P , P ) = γ
Similarly, for e(V¯0 , V¯2 ):
e(V¯0 , V¯2 ) = e(D̄0 , D̄2 ) = e(r∗ rβ P , r∗ −1 rβ−1 H4 (ω)) = e(P , H4 (ω)) = δ
n 0 !
X
¯
Now, we will see if e(V , V1 ) = e (Ui + hi
P
Qj ) , Ppub will hold true.
i=1 Aj ∈Ti
Consider the L.H.S:
e V , V¯1 = e rβ 0 · z · (aP ) , rβ−1 P

= e (z · (aP ) , P )
= e (zP , Ppub ) (A.1)
Now, for the R.H.S:

n0 !
X P
e (Ui + hi Qj ) , Ppub
i=1 Aj ∈Ti
Let’s just consider the first component:

n 0 n 0 n 0
X P X X P
(Ui + hi Qj ) = Ui + (hi · Qj )
i=1 Aj ∈Ti i=1 i=1 Aj ∈Ti
n 0 n 0
X X
(h0s
P P
= Us + Ui + · Qj ) + (hi · Qj )
i=1;i6=s Aj ∈Ts i=1;i6=s Aj ∈Ti
! !
X
h0s
P P
= zP − · Qj − (ri + hi ) Qj
n 0 n 0
X X
(h0s
P P
+ · Qj ) + Ui + (hi · Qj )
Aj ∈Ts i=1;i6=s i=1;i6=s Aj ∈Ti
n 0 !
X P
= zP − (ri + hi ) Qj
i=1;i6=s Aj ∈Ti
X P X P
+ (ri Qj ) + (hi Qj )
i6=s Aj ∈Ti i6=s Aj ∈Ti
= zP (A.2)
68
Thus, R.H.S also reduces to,
n 0 !
X P
e (Ui + hi Qj ) , Ppub = e(zP, Ppub ) (A.3)
i=1 Aj ∈Ti
From equations (A.1), (A.2) and (A.3) we can see that the verification holds for
the constructed signature.
A.2 Correctness of Solving CBDH

After using the forking lemma (refer Section(6.3.3)), let us say we have two sig-
natures σ and σ 0 which have the following components:
X X
V = r1∗ (rs + hs ) Di V 0 = r2∗ (rs + h0s ) Di
Ai ∈Ts Ai ∈Ts
V̄2 = r1∗ −1 rβ1 −1 wcP V¯ 0 2 = r2∗ −1 rβ2 −1 wcP
X
V = r∗ rβ1 (rs + hs )(absx P + a Qi )
Ai ∈TS ,i6=x
X
= r∗ rβ1 (rs + hs )(absx P + a si P )
Ai ∈TS ,i6=x
W1 = e(V, V̄2 )
P
(rs +hs )(absx P +a si )(wc)
Ai ∈TS ,i6=x
= e(P, P )
P
−1
(rs +hs )(abcsx P +ac si )
X1 = W1w =γ i6=x
(A.4)
Similarly, set W2 = e(V 0 , V¯ 0 2 ) and get X2 as follows:

(rs +h0s )(abcsx P +ac
P
−1
si )
X2 = W2w =γ i6=x
Now, we do the following,

(hs −h0s )(abcsx P +ac
P
X1 si )
Y1 = =γ i6=x
X2 P
(abcsx P +ac si )
(hs −h0s )−1
Y = Y1 =γ i6=x
P
X ac si
Ȳ = e( si (aP ), cP ) = γ i6=x
i∈Ts ,i6=x
Y
Z= = γ abc·sx
Ȳ
(Z)−sx = γ abc = e(P, P )abc (A.5)
69
REFERENCES
[Boy07] Xavier Boyen. Mesh signatures. In Proceedings of the 26th annual
international conference on Advances in Cryptology, EUROCRYPT
’07, pages 210–227, Berlin, Heidelberg, 2007. Springer-Verlag.
[BS04] Dan Boneh and Hovav Shacham. Group signatures with verifier-local
revocation. In ACM Conference on Computer and Communications
Security, pages 168–177, 2004.
[BSW07] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy

attribute-based encryption. In IEEE Symposium on Security and
Privacy, pages 321–334, 2007.
[Cam97] Jan Camenisch. Efficient and generalized group signatures. In

Proceedings of the 16th annual international conference on Theory
and application of cryptographic techniques, EUROCRYPT’97, pages
465–479, Berlin, Heidelberg, 1997. Springer-Verlag.
[CN07] Ling Cheung and Calvin Newport. Provably secure ciphertext policy
abe. In Proceedings of the 14th ACM conference on Computer and
communications security, CCS ’07, pages 456–465, New York, NY,
USA, 2007. ACM.
[CYH05] Sherman S. M. Chow, S. M. Yiu, and Lucas C. K. Hui. Efficient iden-

tity based ring signature. In Applied Crypto and Network Security -
ACNS 2005, LNCS 3531, pages 499–512. Springer, 2005.
[DP08] Cécile Delerablée and David Pointcheval. Dynamic threshold public-

key encryption. In Proceedings of the 28th Annual conference on
Cryptology: Advances in Cryptology, CRYPTO 2008, pages 317–334,
Berlin, Heidelberg, 2008. Springer-Verlag.
[EMN+ 09] Keita Emura, Atsuko Miyaji, Akito Nomura, Kazumasa Omote,
and Masakazu Soshi. A ciphertext-policy attribute-based encryption
scheme with constant ciphertext length. In Proceedings of the 5th
International Conference on Information Security Practice and Ex-
perience, ISPEC ’09, pages 13–23, Berlin, Heidelberg, 2009. Springer-
Verlag.
[GJPS08] Vipul Goyal, Abhishek Jain, Omkant Pandey, and Amit Sahai.
Bounded ciphertext policy attribute based encryption. In Proceed-
ings of the 35th international colloquium on Automata, Languages
and Programming, Part II, ICALP ’08, pages 579–591, Berlin, Hei-
delberg, 2008. Springer-Verlag.
70
[GNSN10] Martin Gagné, Shivaramakrishnan Narayan, and Reihaneh Safavi-
Naini. Threshold attribute-based signcryption. In SCN, pages 154–
171, 2010.
[GPSW06] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters.
Attribute-based encryption for fine-grained access control of en-
crypted data. In Proceedings of the 13th ACM conference on Com-
puter and communications security, CCS ’06, pages 89–98, New York,
NY, USA, 2006. ACM.
[GS08] Jens Groth and Amit Sahai. Efficient non-interactive proof systems
for bilinear groups. In EUROCRYPT, pages 415–432, 2008.
[HLR10] Javier Herranz, Fabien Laguillaumie, and Carla Ràfols. Constant size
ciphertexts in threshold attribute-based encryption. In Public Key
Cryptography, pages 19–34, 2010.
[HS04] Javier Herranz and Germán Sáez. New identity-based ring signature
schemes. In ICICS’04, pages 27–39, 2004.
[KABPR10] Swarun Kumar, Shivank Agrawal, Subha Balaraman, and

C Pandu Rangan. Attribute based signatures for bounded multi-level
threshold circuits. In Proceedings of the 7th European Workshop on
Public Key Services, Applications and Infrastructures, EuroPKI ’10,
2010.
[Kha07a] Dalia Khader. Attribute based group signature with revocation.

Cryptology ePrint Archive, Report 2007/241, 2007. http://eprint.
iacr.org/.
[Kha07b] Dalia Khader. Attribute based group signatures. Cryptology ePrint

Archive, Report 2007/159, 2007. http://eprint.iacr.org/.
[LAS+ 10] Jin Li, Man Ho Au, Willy Susilo, Dongqing Xie, and Kui Ren.
Attribute-based signature and its applications. In Proceedings of the
5th ACM Symposium on Information, Computer and Communica-
tions Security, ASIACCS ’10, pages 60–69, New York, NY, USA,
2010. ACM.
[LK08] Jin Li and Kwangjo Kim. Attribute-based ring signatures. Cryptol-

ogy ePrint Archive, Report 2008/394, 2008. http://eprint.iacr.
org/.
[LK10] Jin Li and Kwangjo Kim. Hidden attribute-based signatures without

anonymity revocation. Inf. Sci., 180:1681–1689, May 2010.
[MPR08] Hemanta Maji, Manoj Prabhakaran, and Mike Rosulek. Attribute-

based signatures: Achieving attribute-privacy and collusion-
resistance. Cryptology ePrint Archive, Report 2008/328, 2008.
http://eprint.iacr.org/.
71
[MPR10] Hemanta K. Maji, Manoj Prabhakaran, and Mike Rosulek.
Attribute-based signatures. Cryptology ePrint Archive, Report
2010/595, 2010. http://eprint.iacr.org/.
[NYO09] Takashi Nishide, Kazuki Yoneyama, and Kazuo Ohta. Attribute-

based encryption with partially hidden ciphertext policies. IEICE
Transactions, 92-A(1):22–32, 2009.
[OSW07] Rafail Ostrovsky, Amit Sahai, and Brent Waters. Attribute-based

encryption with non-monotonic access structures. In Proceedings of
the 14th ACM conference on Computer and communications security,
CCS ’07, pages 195–203, New York, NY, USA, 2007. ACM.
[RST01] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a
secret. In Proceedings of the 7th International Conference on the
Theory and Application of Cryptology and Information Security: Ad-
vances in Cryptology, pages 554–567. Springer-Verlag, 2001.
[Sha79] Adi Shamir. How to share a secret. Commun. ACM, 22(11):612–613,

1979.
[SSN09] Siamak F. Shahandashti and Reihaneh Safavi-Naini. Threshold

attribute-based signatures and their application to anonymous cre-
dential systems. In Proceedings of the 2nd International Conference
on Cryptology in Africa: Progress in Cryptology, AFRICACRYPT
’09, pages 198–216, Berlin, Heidelberg, 2009. Springer-Verlag.
[SW05] Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In

EUROCRYPT, pages 457–473, 2005.
[Wat05] Brent Waters. Efficient identity-based encryption without random

oracles. In EUROCRYPT, pages 114–127, 2005.
[Wat08] Brent Waters. Ciphertext-policy attribute-based encryption: An ex-

pressive, efficient, and provably secure realization. Cryptology ePrint
Archive, Report 2008/290, 2008. http://eprint.iacr.org/.
[ZH10] Zhibin Zhou and Dijiang Huang. On efficient ciphertext-policy at-

tribute based encryption and broadcast encryption: extended ab-
stract. In Proceedings of the 17th ACM conference on Computer and
communications security, CCS ’10, pages 753–755, New York, NY,
USA, 2010. ACM.
72

Thesis PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Thesis PDF

Uploaded by

Copyright:

Available Formats

Attribute Based Cryptology

in partial fulfilment of the requirements

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

Prof. C. Pandu Rangan

KEYWORDS: attribute based, cryptosystems, encryption, signatures, effi-

The problems of confidentiality, authenticity and anonymity have been studied

LIST OF TABLES viii

3 Existing Threshold Attribute-based Cryptosystems 17

4 Efficient Multi-level Threshold CP-ABE 25

6 New Threshold Attribute-Based Signature Scheme 50

7 Conclusions and Directions for Future Work 64

A Detailed Analysis of Proof 67

3.1 Comparison of PK, SK and ciphertext sizes . . . . . . . . . . . 20

5.1 Table summarizing the attacks . . . . . . . . . . . . . . . . . . . 48

1.1 Representation of the access policy as a tree. . . . . . . . . . . . 2

4.1 Multi-level threshold tree. . . . . . . . . . . . . . . . . . . . . . 25

ABE Attribute-Based Encryption

ABGS Attribute Based Group Signature

ABS Attribute-Based Signature

aMSE-DDH Augmented Multi-sequence of Exponents Diffie-Hellman Assump-

CBDH Computational Bilinear Diffie-Hellman Assumption

CDH Computational Diffie-Hellman Assumption

CMA Chosen Message Attack

CP-ABE Ciphertext-Policy Attribute Based Encryption

CPA Chosen Plaintext Attack

DBDH Decisional Bilinear Diffie-Hellman Assumption

DDH Decisional Diffie-Hellman Assumption

DLIN Decision Linear Assumption

KP-ABE Key-Policy Attribute Based Encryption

LSSS Linear Secret Sharing Schemes

m-CBDH modified Computational Bilinear Diffie-Hellman Assumption

MK Master Secret Key

MSP Monotone Span Program

NIWI Non-Interactive Witness Indistinguishability

NIZK Non-Interactive Zero Knowledge

q-BDHE q-Bilinear Diffie-Hellman Exponent Assumption

t-ABS threshold Attribute Based Signature

G, G1 , G2 , GT Cyclic groups of prime order p

A public-key cryptosystem comprises of mechanisms to provide confidentiality,

1.1 Attribute-Based Encryption

( (Professor ∧ CS dept.) (M.tech student ∧ CS-410 TA ∧ CS dept.) )

Prof CS M.Tech CS CS410-TA

Figure 1.1: Representation of the access policy as a tree.

Properties. There are two major features to attribute based encryption:

Also, an important property that attribute based encryption schemes must

Threshold. In this thesis we will be targeting threshold access policies. Let’s

Colonel Major Navy Op-X Op-Y Op-Z

Figure 1.2: Threshold access policy to represent 3-out-of(“Colonel”, “Major”,

1.2 Attribute Based Signatures

ABS. Attribute based signature is a cryptographic primitive in which users pro-

Collusion. Another important property of attribute based systems is collusion

1.4.1 Efficient ciphertext-size threshold ABE

A part of this work focuses on an approach to get a multi-level threshold CP-ABE

1.4.2 Security of threshold ABS

• a signer with some attributes, completely unrelated to the attributes of the

b) Attribute based ring signature scheme in [LK08];

c) The threshold attribute based signature by Shahandashti et al. [SSN09] which

d) ABS for multi-level threshold circuits by Kumar et al. [KABPR10] and

1.4.3 New threshold ABS scheme

1.5 Organization of the Thesis

2.1 Bilinear Pairing

1. Bilinear: e(g1 a , g2 b ) = e(g1 , g2 )ab for all g1 ∈ G1 ,g2 ∈ G2 , where a, b ∈ Zp .