Professional Documents
Culture Documents
A Project Report
submitted by
SUBHASHINI VENUGOPALAN
MASTER OF TECHNOLOGY
April 2011
THESIS CERTIFICATE
This is to certify that the thesis titled Attribute Based Cryptology, submitted
by Subhashini Venugopalan, to the Indian Institute of Technology, Madras, for
the award of the degree of Master of Technology, is a bona fide record of the
research work done by her under our supervision. The contents of this thesis, in
full or in parts, have not been submitted to any other Institute or University for
the award of any degree or diploma.
Place: Chennai
Date: 30 April 2011
To the memory of my grandparents
This work is licensed under the Creative Commons Attribution 3.0 License.
ACKNOWLEDGEMENTS
I am deeply indebted to Prof. C. Pandu Rangan for his inspiration, support and guid-
ance throughout my course here. His passion and enthusiasm for teaching, sharing his
knowledge and motivating students has not only amazed me, but has made an admirer of
everyone who has been taught by him. To me, he has been more than a research advisor,
his advice on topics ranging from philosophy to sports have benefited and enriched me
in several ways. Whenever I have approached him to discuss ideas for my project, or
any generic problem, or even something personal, I have always found an eager listener.
He has also been a fun and enthusiastic partner to discuss various puzzles and riddles.
I’m grateful to him for being very supportive in letting me pursue my interests outside
of academics, and encouraging me to learn and read widely. I’m happy to be a part
of his lab which is a treasure house of knowledge and a place that offers an excellent
environment for research. Not to forget, his sense of humour, and his jovial and affec-
tionate nature have made the lab a lively and fun place to be in. I’m grateful for this
opportunity and look forward to continue my interactions with him in future.
I would like to express my gratitude to Sharmi and Vivek with whom I have had
many insightful discussions, which have bettered my understanding of various topics
in cryptography. My debates with Sharmi were thoroughly enjoyable and have been
rewarding in terms of the sheer number of ideas that have resulted from them. My other
labmates, Akash, Bhargav, Billy, Chaya, Esha, Prateek, Preetha ma’am, and Sangeetha
have been a wonderful peer group to bounce off thoughts on various topics academic
and otherwise. The company of Bhargav, Pandu Rangan sir, and Venkie (of Microsoft
Research) always results in some rib-tickling jokes that have had the lab rolling with
laughter for days on end. Bhargav, apart from being the entertainer, along with Chaya
are great companions to brainstorm on math games and puzzles as well. All of these
people along with former labmates Sai, Shinku and Swarun have made my time in the
TCS lab stimulating and memorable.
I’d like to extend my thanks to Dr. Shankar Balachandran; his dedication and energy
are infectious, and I’m glad I had the opportunity to be his teaching assistant for 3
semesters. Working with him has been a delightful experience. I am also grateful to
Dr. Narayanaswamy for the interesting interactions we have had, and for the time and
energy he has devoted to me. I also take this opportunity to thank Professors Kamakoti,
Krishna Sivalingam, Kamala Krithivasan, Sreenivasa Kumar, Hema Murthy, Dr. Shailesh
Vaya, and Dr. Alan Davy who have all made my courses here pleasurable. I thank my
faculty advisors Prof. Janakiram and Dr. Madhu Mutyam; and also Dr. Ashish , Dr.
Chandra Sekhar, Prof. Siva Ram Murthy, and Dr. Ravindran for their constant support
and words of encouragement. Special thanks to Dr. Jayalal for instituting the theory
seminars which are exciting and informative. I am grateful to the entire computer science
department for their words of appreciation and the faith they have shown in me.
My thanks also goes to all my batchmates who have made the atmosphere in my
classes lively and thought provoking. Special mention to Smruthi and her wonderful circle
of friends who have made my life at IITM complete. Last, but most importantly, I’m
grateful to my parents, sister, and family for their love, blessings and support throughout
this endeavour.
i
ABSTRACT
ii
the threshold for a set of attributes she does not possess. Finally, we show a total
break in the system, where the attacker can act as the key generating authority
and use her knowledge of the secret key to generate private keys for other users.
We also include examples of the attacks to highlight the flaws of this scheme and
other schemes appearing in [LK08, SSN09, KABPR10, LK10] which have the same
or a similar key construct.
Our next move aims at overcoming the above mentioned attacks. For that, we
propose a novel threshold ABS scheme based on the concept of ring signatures.
Ring signatures [RST01] enable a signer to keep her identity hidden within the
identities of a group of n people who form the ring. We use this as a foundation
and create a threshold ABS scheme, where the signer has to keep a threshold
of t attributes, in her possession, anonymous from a given set of n∗ attributes.
Previous ABS schemes were largely derived from ideas in the encryption(ABE)
schemes. This thesis proffers a new ABS scheme based on ring signatures and
lends attribute-based signatures a different outlook.
iii
TABLE OF CONTENTS
ACKNOWLEDGEMENTS i
ABSTRACT ii
LIST OF FIGURES ix
ABBREVIATIONS x
NOTATION xi
1 Introduction 1
1.1 Attribute-Based Encryption . . . . . . . . . . . . . . . . . . . . 1
1.2 Attribute Based Signatures . . . . . . . . . . . . . . . . . . . . . 4
1.3 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4.1 Efficient ciphertext-size threshold ABE . . . . . . . . . . 6
1.4.2 Security of threshold ABS . . . . . . . . . . . . . . . . . 6
1.4.3 New threshold ABS scheme . . . . . . . . . . . . . . . . 7
1.5 Organization of the Thesis . . . . . . . . . . . . . . . . . . . . . 7
2 Preliminaries 9
2.1 Bilinear Pairing . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Hardness Assumptions . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.1 Computational Diffie-Hellman Assumption . . . . . . . . 9
2.2.2 Decisional Diffie-Hellman Assumption . . . . . . . . . . . 9
2.2.3 Computational Bilinear Diffie-Hellman Assumption. . . . 10
2.2.4 Decisional Bilinear Diffie-Hellman Assumption . . . . . . 10
iv
2.2.5 Decision Linear Assumption . . . . . . . . . . . . . . . . 10
2.2.6 Bilinear Diffie-Hellman Exponent Assumption . . . . . . 10
2.2.7 Augmented Multi-sequence of Exponents D-H Problem . 10
2.3 Secret Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3.1 Linear secret sharing schemes . . . . . . . . . . . . . . . 11
2.3.2 Shamir’s secret sharing scheme . . . . . . . . . . . . . . 12
2.3.3 Lagrange interpolation . . . . . . . . . . . . . . . . . . . 12
2.4 Primitives for Attribute-based Encryption and Signatures . . . . 13
2.4.1 CP-ABE scheme algorithms . . . . . . . . . . . . . . . . 13
2.4.2 ABS algorithms . . . . . . . . . . . . . . . . . . . . . . . 13
2.5 Waters’ signature . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.6 Forking Lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
v
5 On The Security of Attribute Based Signatures 35
5.1 Efficient Threshold ABS Scheme . . . . . . . . . . . . . . . . . . 35
5.1.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5.1.2 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5.1.3 Extract . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.1.4 Sign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.1.5 Verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2.2 Extract . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2.3 Preliminaries for the attack . . . . . . . . . . . . . . . . 37
5.2.4 Attack 1: Forgery without satisfying threshold . . . . . . 39
5.2.5 Attack 2: Universal forgery . . . . . . . . . . . . . . . . 40
5.2.6 Attack 3: Total break - impersonating key issuing authority 41
5.3 Attacks on schemes with similar key construct . . . . . . . . . . 41
5.3.1 Total break on attribute based ring signature scheme . . 42
5.3.2 Break on threshold attribute based signature scheme . . 42
5.3.3 Attack on ABS with multiple attribute authorities . . . . 43
5.3.4 Attack on multi-level threshold ABS scheme . . . . . . . 46
5.3.5 Total break on hidden ABS without anonymity revocation 48
5.4 Summary of attacks . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.5 Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
vi
6.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.3.1 Security Notions . . . . . . . . . . . . . . . . . . . . . . 56
6.3.2 Modified Computational Bilinear Diffie-Hellman Assump-
tion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.3.3 Unforgeability . . . . . . . . . . . . . . . . . . . . . . . . 57
6.3.4 Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.4 Advantages of the new approach . . . . . . . . . . . . . . . . . . 62
References 70
LIST OF TABLES
viii
LIST OF FIGURES
6.1 Ring ABS where each alleged member of the ring has 4 attributes. 50
ix
ABBREVIATIONS
PK Public Key
SK Secret Key
TA Trusted Authority
x
NOTATION
xi
CHAPTER 1
Introduction
ABE. ABE was first introduced by Sahai and Waters in [SW05, GPSW06]. It
provides a mechanism by which we can ensure that even if the storage is com-
promised, the loss of information will only be minimal. What attribute based
encryption does is that, it effectively binds the access-control policy to the data
and the users(clients) instead of having a server mediating access to files. To
understand this better, we will take a closer look at what constitutes an attribute-
based system, with particular attention to ABE.
Access Policy. An access control policy would be a policy that defines the kind
of users who would have permissions to read the documents. e.g In an academic
setting, grade-sheets of a class may be accessible only to a professor handling the
course and some teaching assistants (TAs) of that course. We can express such a
policy in terms of a predicate:
OR
AND AND
We will call the various credentials (or variables) of the predicate as attributes
and the predicate itself which represents the access policy as the access-structure.
In the example here the access structure is quite simple. But in reality, access
policies may be quite complex and may involve a large number of attributes.
2
Types of ABE. ABE can be categorized in to two types depending on whether
the attributes are embedded in the ciphertext or whether the access-structure is
embedded in the ciphertext. The first is the Key-policy based ABE (KP-ABE)
which was infact the initial form of attribute based encryption that was developed.
It was originally introduced in [SW05] and later by Goyal et al. in [GPSW06] and
by Ostrovsky et al. [OSW07]. In KP-ABE they encrypt the attributes along with
the data and give the access structure to each user as part of their secret key. But
attribute based encryption is more applicable in the regular world if the access-
structure can be embedded in the ciphertext and the users can have their attributes
saved in their secret keys. This second form of ABE is known as ciphertext-policy
based (CP-ABE) and was introduced by Bethencourt et al. [BSW07]. Both these
initial schemes [GPSW06, BSW07] were largely based on the secret sharing scheme
developed by Shamir [Sha79]. However, it is ciphertext policy based ABE that has
become more popular in later schemes like in [CN07, GJPS08, NYO09, GNSN10]
and others. This might be largely due to the fact that CP-ABE represents a
natural and more intuitive way to view attribute based encryption.
3-of-6
The above figure [1.2] is an example where the threshold gate is a single pred-
3
icate. A regular access policy may consist of just a single threshold gate or there
may be even predicates where the threshold gate is a sub-node under some other
operation like AND or OR.
We will look at attribute based encryption and threshold CP-ABE schemes in
greater detail in Chapter(3) of this thesis.
Signing policy. A notable feature of ABS is that, unlike other signature schemes
attribute based systems are capable of supporting complex predicate policies. For
instance, some permissions can be approved only by a person who is: ((Major)
AND (in Army OR Navy)) OR (Captain AND in Operation-Star) OR (Com-
mander AND in Operation-X) . Moreover, a valid signature based on the above
predicate would only indicate one of the four possibilities for the signer: a) Major
in Army or b) Major in Navy or c) Captain in Operation-Star or d) Commander in
Operation-X; but it would not reveal which of these the signer actually is. Also, a
person who is not any of the four would not be able to produce a valid signature.
4
We would like to remark here that, signing policies are similar to access policies
and both of them are predicates on some attributes.
1.3 Motivation
In our thesis we look at threshold ABE and ABS schemes. The most appealing
fact about threshold gates is that they are very expressive and encompass the
other common AND and OR gate access structures as well.
In most of the existing ABE schemes, the size of the ciphertext is very large,
it is usually in the order of the number of attributes under consideration. Most
efficient schemes with expressive access control have ciphertext size proportional
to the number of attributes involved [Wat08]. There have also been works on
constant size CP-ABE schemes. A good number of the constant size ciphertext
schemes are applicable only to some restricted access structures that use only AND
gates [ZH10, EMN+ 09]; and those that support threshold, like the work of Herranz
et al. [HLR10], are suitable only in the case where the predicate has a single gate
(threshold or otherwise). This motivates us to work towards obtaining a more
expressive, multi-level threshold CP-ABE whose ciphertext-size is independent of
the number of attributes.
Aside from that, endeavors in ABE have also spurned attribute based signa-
tures. Hence, it is not surprising that attribute based signature constructions have
properties like collusion resistance and predicate policies similar to that of ABE;
additionally, they borrow some of the building blocks, like secret sharing, to en-
gender these features. Our study on threshold attribute-based signature schemes
have led us to observe that, unlike in most threshold ABE constructions, threshold
ABS schemes using secret sharing give the signer more secret components (in the
form of dummy attributes) than he/she should possess. Primary objective of that
is to enable the signer with more components so as to reveal less about his/her
identity and give a greater degree of anonymity. This instigates us to probe the
schemes from an adversarial standpoint and inspires us to make a detailed study
on the security aspects of ABS schemes.
5
1.4 Contributions
In the second part of this thesis we show attacks on the threshold attribute based
signature scheme proposed by Li et al. [LAS+ 10]. We claim that the scheme is
insecure since,
• a signer who does not possess the necessary number of attributes to satisfy
the threshold of the predicate can still produce a valid signature.
• an attacker can find a total break in the system and obtain a component of
the secret key with which she can pose as the key generating authority.
Since our attack is based on the key construct in the scheme, we show that
one or more of these breaks also hold for the following schemes which have similar
key generation algorithm:
a) The ABS scheme with multiple attribute authorities, which is the second
scheme proposed in [LAS+ 10];
6
e) Hidden attribute-based signatures without anonymity revocation by [LK10].
We also give our observations on why these attacks are applicable on these
schemes and mention our inferences.
This thesis also proffers a novel approach to threshold attribute based signatures.
Our approach is based on ring signature schemes and looks at forming a ring
of aggregated sets of attributes. Using this idea, we provide a threshold ABS
construction based on the efficient ID-based ring signature scheme in [CYH05].
We have shown the security of our scheme in the random oracle model.
7
Then, we prove our scheme to be unforgeable in the random oracle model. We
also mention an interesting new property, controlled partial anonymity, that arises
out of our approach.
In chapter 7, we presents our conclusions and potential directions for future
work. We also summarize the problems we discuss and the solutions that this
thesis has to offer along with their relevance in the current computing world.
8
CHAPTER 2
Preliminaries
Let G be a cyclic multiplicative group and g be it’s generator. Given two tuples
c0 = (g, g a , g b , g ab ) and c1 = (g, g a , g b , g c ) for random a, b, c ∈ Z∗p . The (t, )-
DDH assumption holds in G if there is no probabilistic polynomial-time adversary
whose probability of successfully distinguishing between the tuples c0 and c1 is
better than 21 + , where is negligible.
2.2.3 Computational Bilinear Diffie-Hellman Assumption.
10
Input: the vector →
−
x l̃+m̃ = (x1 , · · · , xl̃+m̃ ) whose components are pairwise dis-
tinct elements of (Z/pZ)∗ which define the polynomials
l̃
Y l̃+
Y m̃
f (x) = (X + xi ) and g(x) = (X + xi ) ,
i=1 i=l̃+1
the values
l̃+t̃−2 κ·γ·f (γ)
g1 , g1γ , · · · , g1γ , g1 (2.1)
l̃+t̃−2
g1ωγ , · · · , g1ωγ (2.2)
αγ l̃+t̃
g1α , g1αγ , · · · , g1 (2.3)
m̃−2 κ·g(γ)
g2 , g2γ , · · · , g2γ , g2 (2.4)
ωγ m̃−1
g2ω , g2ωγ , · · · , g2 (2.5)
αγ 2m̃−t̃+3
g2α , g2αγ , · · · , g2 (2.6)
Attribute based cryptosystems make substantial use of LSSS (linear secret sharing
schemes) . We borrow the following definition from Waters’ work in [Wat08].
A secret-sharing scheme Π over a set of parties P is called linear (over Zp ) if
2. There exists a matrix M with l rows and n columns called the share-
generating matrix for Π. For all i = 1, · · · , l, the i’th row of M we let
the function ρ defined the party labeling row i as ρ(i). When we consider
the column vector v = (s, r2 , · · · , rn ), where s ∈ Zp is the secret to be shared,
and r2 , · · · , rn ∈ Zp are randomly chosen, then M v is the vector of l shares
of the secret s according to Π. The share (M v)i belongs to party ρ(i).
11
It is further shown that every linear secret sharing-scheme according to the
above definition also enjoys the linear reconstruction property, defined as follows:
Suppose that Π is an LSSS for the access structure A. Let S ∈ A be any authorized
set, and let I ⊂ {1, 2, · · · , l} be defined as I = {i : ρ(i) ∈ S}. Then, there exist
constants {ωPi ∈ Zp }i∈I such that, if {λi } are valid shares of any secret s according
to Π, then i∈I ωi λi = s. Furthermore, these constants {ωi } can be found in time
polynomial in the size of the share-generating matrix M .
Shamir’s secret sharing scheme is a linear secret sharing scheme. Since this thesis
discusses threshold attribute-based cryptosystems and our ABE construction also
makes use of this idea, we make a brief presentation of this scheme here.
Shamir’s secret sharing is a form of secret sharing where a secret (S) is divided
into n parts and each part is given to one of the participants. The idea is that,
only if all (or t, as in the case of threshold) participants combine their shares
meaningfully will they be able to reconstruct the original secret. It is important
to note here that, if fewer than n (or t, as in the case of threshold) participants
co-operate they must not be able to retrieve the secret.
Let us look at the case where we want to use (t, n) threshold to share the secret
S. Without loss of generality we can assume S to be an element in a finite field
F. We know that it takes t points to define a polynomial of degree t − 1. Shamir’s
secret sharing uses this idea to give the shares. We can now look at the scheme
as an algorithm:
We note here that, with fewer than t shares it is highly improbable to recon-
struct the original polynomial exactly. Hence, by combining the shares of less than
t parties, no one gets any clue on the secret S. But when t or more parties of the
n combine, then we are able to get S precisely.
12
for any i ∈ Zp . We define the Lagrange coefficient ∆i,S of q(i) Q
in the computation
of q(j) for j ∈ Zp and a set, S, of elements in Zp as ∆i,S (j) = k∈S,k6=i j−k
i−k
. Thus,
X Y j−k
q(j) = q(i)∆i,S (j), where ∆i,S (j) =
i∈S k∈S,k6=i
i−k
13
• Sign. The Sign(m, Υ, D) algorithm takes as input the message m, the
signing policy or predicate Υ and the secret key of the signer D. It outputs
the signature σ on message m, which indicates that the signer has a set of
attributes that satisfy the predicate Υ.
• Setup(λ)
– Let G1 , G2 and GT be multiplicative groups of prime order p where
bilinear map function is efficient. And, e : G1 × G2 → GT
– n = |m|, length of the message
– Pick g ∈R G1 and g2 , u0 , u1 , u2 , · · · , un ∈R G2 .
– Set g1 = g α where α ∈R Z∗p
– Public parameters params are g, g1 , g2 , u0 , {ui }i∈{1,··· ,n}
– SK = α
• Sign(m, SK)
– Let m = m1 m2 · · · mn ∈ {0, 1}n and r ∈R Z∗p
Q mi r
n
α 0
– σ1 = g2 u ui
i=1
– σ2 = g r
• Verify(m, σ = (σ1 , σ2 ))
n
?
– Check e(g, σ1 ) = e(g1 , g2 ) · e(σ2 , u0 um
Q
i )
i
i=1
– Note here that inorder for the verification to pass it is necessary for g2α
to be in σ1 . That ensures the use of the secret key α.
14
Modification. The above scheme is proved secure in the standard model. A
modified simpler version of this is used in most of the ABS schemes where the
n
sign on the message, u0 uimi is replaced by a simple hash as H(m) and the rest
Q
i=1
of the procedure remains the same. This modified scheme is proven secure in the
random oracle model. We will look at the changes to the scheme and an intuition
towards the proof.
• Setup(λ) It remains the same except that a new hash function is defined
and the ui components are not chosen.
– A hash function H : {0, 1}∗ → G1
– Public parameters params are H and g, g1 = g α , g2 ∈ G
– SK = α
• Sign(m, SK)
– σ1 = g2α H(m)r
– σ2 = g r
• Verify(m, σ = (σ1 , σ2 ))
?
– Check e(g, σ1 ) = e(g1 , g2 ) · e(σ2 , H(m))
Proof Sketch. The proof for this is given in the random oracle model. The
security of this signature is reduced to solving the CDH problem. That is, given
the tuple g, A = g a and B = g b , we need to obtain g ab using an attacker who can
break the above signature scheme.
First we set α = a and g2 = g b , hence g1 = A and g2 = B. Now, inorder to
give the signature on a message m, we will set H(m) = g bxm where xm ∈R Z∗p and
then pick a random r and assume that there exists an r0 such that r0 = r − a/xm .
Then we give the signature as:
−1
σ1 = g rbxm σ2 = g r A xm
To see how this is the same as what a genuine signer would give:
0
σ1 = g2a H(m)r = g ab (g bxm )r−a/xm = g ab g rbxm −ab = g rbxm
0 −a −1
σ2 = g r = g r−a/xm = g r g xm = g r A xm
Now, we will see how it is possible for the challenger to solve CDH with the
components given by the forger. Note that, when a chosen message m∗ is given
for hashing, the challenger will out put as hash just g xm∗ . If the adversary asks
a signature on that message(m∗ ) then, the challenger will abort. But, if the
adversary gives a signature on the message m∗ :
∗ ∗
σ1 = g ab H(m∗ )r σ2 = g r
15
Then challenger does the following:
∗ ∗
σ1 g ab H(m∗ )r g ab g r xm∗
= ∗ = = g ab
(σ2 )xm∗ g r xm ∗ g r∗ xm∗
This allows the challenger to solve the CDH problem with the help of a forger
on this scheme.
16
CHAPTER 3
In this chapter we will briefly view the emergence of attribute based cryptosystems
and the problems they address. We will make a survey of existing literature
on attribute based encryption and signature schemes with particular focus on
those constructions that support threshold predicates. This chapter also pays
specific attention to cipher-text policy ABE schemes and motivates our study on
constructions that are efficient in terms of the ciphertext length. We will also
remark on some of the similarities in threshold ABS and ABE constructions here.
KP-ABE. The concept of ABE became more formal with the work of Goyal et
al. [GPSW06]. They established the first key-policy attribute-based encryption.
Although, their concept is reminiscent of secret sharing schemes, they were the
first to define the idea of collusion-resistance, where they disallow parties from co-
operating inorder to decrypt the ciphertext. They also use the tree-access structure
to represent the predicate policy that allows a user to decrypt the message. Their
scheme also highlights fine-grained access control that can be provided by ABE
schemes. They use the concepts of LSSS and monotone span programs to develop
the scheme. As in [SW05] their scheme is also proved secure by reduction to
DBDH in the selective-ID model. The authors suggest the applicability of their
scheme for encryption of audit logs and broadcast encryption. They leave the task
of creating a scheme that provides better anonymity as an open problem. i.e. An
encryption scheme that does not require one to reveal all the necessary attributes
required by the decryptor very precisely.
CCA secure. This was soon followed by Cheung and Newport [CN07] propos-
ing a provably secure CP-ABE scheme. Inorder to give a secure scheme, they
considered only those access structures with AND gates. However, their scheme
added support for negated attributes, in the words of the authors, their construc-
tion was for access structures with AND gates on positive and negative attributes.
They were able to give the proof for chosen plaintext (CPA) security by reducing
it to the DBDH problem. Further, they use the Cannetti-Halevi-Katz technique to
convert their scheme to a chosen ciphertext (CCA) secure scheme. Their work also
shows possible directions to extend the idea for threshold ABE and construction
of hierarchical attributes.
18
3.2 CP-ABE Schemes with Efficient Ciphertext-
Size
With attribute-based schemes gaining significance and relevance in various modern
decentralized environments, the foremost challenge was to make it more efficient
inorder to reduce the communication costs. This instigated the research commu-
nity to now focus on schemes that were more size-conserving. Almost all the initial
schemes had the number of keys and ciphertext components proportional to the
number of attributes. In most of the practical large-scale applications where the
universe of attributes can be numerous, the previous ABE schemes would result
in a huge set of keys for each user and an immensely lengthy ciphertext. It is at
this time that efficient ciphertext size CP-ABE schemes gained importance.
Efficient. The pioneering steps towards efficient CP-ABE was taken up by Wa-
ters in [Wat08]. The scheme proposed in that work was more efficient than all
previous schemes both in terms of the size of the components (key and cipher-
text) and also in the running time. Waters gave the construction of a CP-ABE
scheme that made use of LSSS to express access control and it was proved secure
in the standard model. In the same paper, the author provides two additional
constructions, which make a small compromise with respect to performance but
are proved secure in the decisional bilinear Diffie-Hellman exponent assumption
and the DBDH assumption. To see the improvement that their scheme offered
empirically, let us denote the number of attributes in the universe as nU , number
of attributes possessed by the user(recipient) as nr and that used by the sender
in encryption of the access structure as ns . Then, Waters’ scheme gives nU + nr
secret key components and nU × nS ciphertext components. In comparison with
the other schemes this reduced the number of components by atleast half.
19
valued attributes with wildcards. In addition to that, they were also able to
incorporate non-monotone access structures and have both positive and negative
attributes in their construction. However, as with [EMN+ 09], they could only
account for AND gates in the predicate. The primary focus of their scheme was
to enable attribute-based broadcast encryption, and they modified their construc-
tion to also create a scheme for broadcast encryption. The secret key size in their
scheme is proportional to the number of attributes involved, but the ciphertext
components is limited to three, excluding the access structure that is also passed to
the receiver. Their scheme was proved secure by reducing to the q-BDHE assump-
tion. They also show that their broadcast encryption scheme reduces the storage
overhead to a value proportional to the number of users and is independent of the
number of attributes.
Comparison. Here is a table comparing the key and ciphertext sizes in the
papers discussed. This is a modified extension to the table given in [EMN+ 09].
Paper PK SK Ciphertext
[SW05] n|G1 | + |GT | nu |G1 | nT |G1 | + |GT |
[GPSW06] n|G1 | + |GT | nu |G1 | nT |G1 | + |GT |
[CN07] (3n + 1)|G1 | + |GT | (2n + 1)|G1 | (n + 1)|G1 | + |GT |
[BSW07] 3|G1 | + |GT | (2n + 1)|G1 | (2nu + 1)|G1 | + |GT |
[NYO09] (2N 0 + 1)|G1 | + |GT | (3n + 1)|G1 | (2N 0 + 1)|G1 | + |GT |
[Wat08] 2|G1 | + |GT | (1 + n + nu )|G1 | (1 + nT n)|G1 | + |GT |
[EMN+ 09] (2N 0 + 3)|G1 | + |GT | 2|G1 | 2|G1 | + |GT |
[ZH10] (6n + 1)|G1 | (3nu + 1)|G1 | 2|G1 | + |GT |
(n − 1)|Zp | + |GT | +
[HLR10] (n + nu )|G1 | 1|G1 | + 1|G2 | + 1|GT |
(2n + 1)|G1 |
20
Here n denotes the total number of attributes in the universe set. nu de-
notes the attributes possessed
Pn by the user; nT denote the attributes in the access-
0
structure and N = i=1 ni which is the possible subsets of attributes. And
G1 , G2 , and GT is a triple of groups on which the bilinear map is efficiently com-
putable.
Our work. In our work, we try to extend the work of Herranz et al. [HLR10] and
combine it with [BSW07] to support better access policies. The first part of this
thesis will look at a CP-ABE scheme that can support multi-level threshold access
structures. Although, the scheme does not result in a constant sized ciphertext, it
will look at generating a ciphertext whose length is independent of the number of
attributes involved. Infact it is dependent on the size of the predicate and more
precisely, the number of leaf nodes in the tree-structure of the access policy.
21
party. The authors further provide a second scheme inorder to account for mul-
tiple attribute authorities (multi-authority). The security of their schemes rely
on the generic group model. The authors further propose applicability of ABS
in attribute based messaging, attribute-based authentication and as a stronger
variation of mesh signatures.
22
the notion of t-ABS. They propose two threshold-ABS schemes which can sup-
port any (k, n) threshold gate. Their constructions use Shamir’s secret sharing
concept to distribute the secret in the attributes and use Lagrange’s interpolation
technique to retrieve the secret component. Their key generation (which makes
use of Waters’ signature) and verification are similar to that in [LK08]. However,
their second scheme which is a modified version of their first basic scheme makes
use of zero-knowledge proof-of-knowledge and commitment schemes to make it ex-
istentially unforgeable. Their basic scheme is only selectively unforgeable. The
security of both their schemes is shown in the standard model by reduction to the
CDH problem. Further, the authors show how t-ABS can be extended and can
be used to obtain a threshold attribute-based anonymous credential system. Here
again, as with threshold ABE schemes, Shahandashti and Safavi-Naini’s scheme
supports only a single threshold gate and cannot be used with complex access
control policies. Hence, it provided good scope for someone to come up with a less
restrictive and a more expressive threshold scheme. Also, with the establishment
of the t-ABS framework, the task of coming up with a scheme that can be proved
to have tight existential unforgeability was still open.
Multi-level threshold. Next came the work of Kumar et al. [KABPR10] which
gave an ABS scheme for bounded multi-level threshold access structures. The
definition of their bounded tree structure is based upon the work by Goyal et al.
[GJPS08]. To support multiple-levels of threshold nodes, the authors extend the
secret sharing scheme to each node of the bounded-tree. This enables them to
keep the final secret at the root of the tree, and hence only those users whose
attributes satisfy the access tree will be able to travel all the way up to the root
to get the portion of the secret component that is required for the signature to
pass the verification. The key-generation for the construction here is a slightly
modified version of the one in [LAS+ 10]. Kumar et al. first present a scheme
that is proven secure in the random oracle model. They modify the first scheme
by defining the hash functions explicitly to give another scheme which is proved
secure in the standard model. The schemes are shown to be secure by reduction
23
to the CDH problem.
ABS general framework. More recently, Maji et al. [MPR10] give a general
framework for constructing ABS schemes. Their scheme uses monotone span pro-
grams to incorporate the access structure and also make use of non-interactive
witness indistinguishability (NIWI) to add to the anonymity of the signer. The
authors also introduce a new generic primitive called credential bundle which is
used in the key generating phase to bundle the attributes of the signer; this helps
in making their scheme collusion resistant. The given framework allows the users
to choose a zero-knowledge proof system as the NIWI component and also select
a signature scheme to provide the credential bundle. Furthermore, the authors
have shown three instantiations of their scheme a) one using non-interactive zero-
knowledge (NIZK) proof of Groth and Sahai [GS08] for the NIWI component and
Boneh-Boyen’s digital signature scheme to construct the credential bundle. b) the
second uses Waters’ signature for the credential bundle, this, unlike Boneh-Boyen’s
signature, prevents the signer from committing to some of the credential bundle
components in a bit-wise fashion. c) their third scheme uses the credential bundle
from the second scheme however, they use their own randomization to generate
the keys instead of using NIZK proofs.
The authors also mention some applications for ABS which are the same as the
ones in their earlier work in [MPR08] (which we have discussed in the previous
section).
Our work. In this thesis we discuss some of the security issues in the schemes
given in [LAS+ 10, LK08, SSN09, KABPR10, LK10] that employ the secret sharing
scheme to generate the keys. We give a detailed view of how the flaws in these
schemes can be used by an attacker to create forgeries; and we also present our ob-
servations on the short-comings of the existing key-generation techniques employed
by these schemes. We further provide a new approach towards threshold-ABS in-
spired by ring signatures. We also provide a provably secure t-ABS construction
using the approach.
24
CHAPTER 4
k-of-n
k’-of-n’ k"-of-n"
k‘-of-n‘ k*-of-n*
Access Tree T . The tree representing the access structure is denoted by T . Let
sx denote the number of children that each node x has. We will use kx to denote
the threshold value that needs to be satisfied at node x. And by par(x) we denote
the parent of the node x. The access tree T also defines an ordering between the
children of every node, that is, the children of a node are numbered from 1 to sx .
The function index(x) returns such a number associated with the node x, where
the index values are uniquely assigned to nodes in the access structure for a given
key in an arbitrary manner. An important point to note is that, all the attributes
of the access policy form the leaves of the access tree. We will use the notation ψT
to denote the set of last level of non-leaf nodes (i.e. those nodes whose children
are all attributes/leaves).
Satisfying the tree. Let r denote the root node of the tree. Tx denotes the
subtree at the node x. Essentially Tr is equivalent to T . If a set of attributes
A satisfy the subtree Tx then we will denote it as Tx (A) = 1. At each node x,
Tx (Ax ) = 1 if and only if atleast kx (threshold of node x) of the children node
return 1 from their subtree. By this recursive definition, if the attribute set satisfies
the entire tree then T (A) = 1.
4.2 Definitions
26
4.3 Construction
4.3.1 Setup
The setup algorithm chooses bilinear group triple (G1 , G2 , GT ) of prime order p
and a bilinear map e : G1 × G2 → GT . The algorithm also picks generators g of
G1 and h of G2 . Then it chooses 3 random exponents α, β, γ in Z∗p . It then sets
u = g αγ and v = e(g α , h).
After that it chooses a suitable encoding τ sending each of the m attributes
at ∈ P onto a (different) element τ (at) = x ∈ Z∗p . It then chooses a set of m − 1
dummy attributes D = {d1 , · · · , dm−1 }. By the notation Di for i < m − 1, we will
denote the set of the dummy attributes from d1 to di .
i
PK (public parameters): { P, u, v, hβ , {hαγ }i=0,··· ,2m−1 , D, τ }
KeyGen(PK, A, MK)
Given a set of attributes A ⊂ P, the central authority picks an r ∈ Z∗p at random
and computes the secret key for the user as follows:
n r α(1−r)
o
rγ i
SKA = {g γ+τ (at) }at∈A , {h }i=0,··· ,m−2 , g β
4.3.3 Encryption
Enc(PK, T , M)
For every non-leaf node x of the access tree T , we choose a polynomial qx . We,
proceed in a top down manner in selecting the polynomials, starting from the root
R. For a node x we set the degree of the node dx = kx − 1, one less than the
threshold value that needs to be satisfied at the gate at that node.
Now, beginning at the root, we choose a random s ∈R Z∗p and set qr (0) = s.
Then choose dr other points of the polynomial qr to define it completely. For all
other non-leaf nodes x, we set qx (0) = qparent(x) index(x) and choose dx other
points to completely define qx .
For the last level of non-leaf nodes, x ∈ ψT , we compute the following two
values:
27
The ciphertext is given by:
4.3.4 Decryption
1. Compute Aggregate[HLR10]:
n o r
r Q
at∈AS (γ+τ (at))
Aggregate g γ+τ (at) , τ (at) =g x
at∈ASx
2. Lx = e(Aggregate, Cx2 )
Y Y
r·qx (0)·α· (γ + τ (at)) (γ + d)
at∈Sx \ASx d∈Dm+kx −1−sx
Lx = e(g, h)
4. Compute
6. For the other nodes we consider the recursive case of moving up the tree.
For all nodes z which are children of a higher level non-leaf node x, let Fz
denote the decryption upto that node. Then, for each x we chose a set Sx
consisting of kx child nodes z for whom Fz 6= ⊥. If no such set exists then
Fx = ⊥ else,
1 rP(ASx ,Sx ) (γ)
h can be computed from the components given in the secret key.
28
Y ∆i,Śx (0)
Fx = Fz , where i = index(z) and Śx = {index(z) : z ∈ Sx }
z∈Sx
Y ∆i,Śx (0)
= e(g, h)α·r·qz (0)
z∈Sx
Y ∆i,Śx (0)
= e(g, h)α·r·qparent(z) (index(z)) , (by construction)
z∈Sx
Y
= e(g, h)α·r·qx (i)∆i,Śx (0)
z∈Sx
Hence, we eventually get e(g, h)α·r·qx (0) which is nothing but e(g, h)αrs .
7. When then do the last few steps to un-blind the message. We compute,
α(1−r)
e(g β , hβs ) = e(g, h)αs−αrs
This is multiplied with e(g, h)αrs which we obtained in our previous step.
This finally gives us e(g, h)αs which is the blinding factor. We divide C̃ by
this to retrieve the message M.
C̃ M · e(g, h)αs
α(1−r)
= =M
e(g β , hβs ) · e(g, h)αrs e(g, h)αs−αrs · e(g, h)αrs
4.4 Example
We will analyze the scheme with the help of an example. Let’s consider a situation
where we have a top secret defence document. Say, the document can be accessed
only by a personnel who is a general in the army AND has experience in 2 out
of 4 operations, namely, Op-X, Op-Y, Op-Z and Op-Star. We re-write the access
policy as follows:
^
(General ∧ Army) (2-out-of { Op-X, Op-Y, Op-Z, Op-Star })
We can represent the access policy as a tree structure as in the figure below:
Let’s now look at an example where some personnel have the access rights and
others whose attributes are insufficient to satisfy the predicate.
Let’s take the case where we have 4 people each with a different attribute set.
In the figure[4.3], we illustrate the case where two people have attributes that
satisfy the access policy and two others who don’t. We will show the various
phases of the encryption scheme for the person who is a general in the army with
experience in operations Op-Y and Op-Z as in the figure.
29
AND
AND 2-of-4
4.4.1 Setup
The setup algorithm chooses bilinear group triple (G1 , G2 , GT ) of prime order p
and a bilinear map e : G1 × G2 → GT . The algorithm also picks generators g of
G1 and h of G2 . Then it chooses 3 random exponents α, β, γ in Z∗p . It then sets
u = g αγ and v = e(g α , h).
Let the universe of attributes be P ={Army (A), Captain (C), General (G),
Op-X (X), Op-Y (Y), Op-Z (Z), Op-Star (S) }. So, m = 7. The dummy attributes
are m − 1 in number, so we have D = {d1 , · · · , d6 }. Now, for simplicity we’ll say
that A,C,G,X,Y,Z,S and the di s are all values in Z∗p and the function τ when
applied on these attributes give the same value.
i
PK (public parameters): { P, u, v, hβ , {hαγ }i=0,··· ,13 , D, τ }
KeyGen(PK, A, MK)
We will generate the keys for the person with attributes A ={Army, General,
Op-Y, Op-Z}. Here, A ⊂ P, the central authority picks an r ∈ Z∗p at random and
computes the secret key for the user as follows:
n r r r r α(1−r)
o
rγ i
SKA = {g γ+A , g , g , g } , {h }i=0,··· ,5 , g
γ+G γ+Y γ+Z β
30
Figure 4.3: Examples of access tree satisfaction.
Enc(PK, T , M)
For every non-leaf node x of the access tree T , we choose a polynomial qx . We,
proceed in a top down manner in selecting the polynomials, starting from the root
R. For a node x we set the degree of the node dx = kx − 1, one less than the
threshold value that needs to be satisfied at the gate at that node.
Now, beginning at the root, we choose a random s ∈R Z∗p and set qr (0) = s.
Then choose dr other points of the polynomial qr to define it completely. For all
other non-leaf nodes x, we set qx (0) = qparent(x) index(x) and choose dx other
points to completely define qx .
Following the procedure, we get the following tree:
For the last level of non-leaf nodes, x ∈ ψT , we compute the following values.
For node 1:
C11 = u−(s+10)
C12 = h(s+10).α.(γ+A)(γ+G)(γ+d1 )(γ+d2 )(γ+d3 )(γ+d4 )(γ+d5 )(γ+d6 )
C21 = u−(s+20)
C22 = h(s+20).α.(γ+X)(γ+Y )(γ+Z)(γ+S)(γ+d1 )(γ+d2 )(γ+d3 )(γ+d4 )
The ciphertext is given by:
31
Figure 4.4: Encryption - Generating shares using the Shamir’s secret sharing idea
2. L1 = e(Aggregate, C12 )
1
((γ + d1 )(γ + d2 )(γ + d3 )(γ + d4 )(γ + d5 )(γ + d6 ) − (d1 d2 d3 d4 d5 d6 ))
γ
rP(AS (γ)
4. e(C11 , h x ,Sx ) ) equals
For node 2:
n r r
o r
1. Aggregate: g (γ+Y ) , g (γ+Z) , τ (at)at={Y,Z} = g (γ+Y )(γ+Z)
32
2. L2 = e(Aggregate, C22 )
1
((γ + X)(γ + S)(γ + d1 )(γ + d2 )(γ + d3 )(γ + d4 ) − (XSd1 d2 d3 d4 ))
γ
rP(AS (γ)
4. e(C21 , h x ,Sx ) ) equals
Now, we move to the next higher level of non-leaf nodes. Here, we remain with
just the root. For all nodes z which are children of a higher level non-leaf node x,
let Fz denote the decryption upto that node. So, for the root we consider F1 and
F2 .
Y ∆i,Śx (0)
Fx = Fz , where i = index(z) and Śx = {1, 2}
z∈Sx
∆1,Ś (0) ∆2,Ś (0)
= F1 1
· F2 2
2 −1
= e(g, h)α·r·(s+10) e(g, h)α·r·(s+20)
= (e(g, h))(2α·r·(s+10))−(α·r·(s+20))
= e(g, h)α·r·s
3. C̃/e(g, h)αs = M
Conclusion. This example show that the scheme is correct, however we still
need to establish its security. Although the scheme appears to be reliable and
robust we need to formally prove it to be secure under some hard cryptographic
assumption. The secret key and public key components used in the scheme point
33
us to the Augmented Multi-sequence of Exponents Diffie-Hellman Problem (aMSE-
DDH)[HLR10] as a potential hardness assumption. But, based on the fact that our
scheme provides extension of the threshold gate to multiple levels as in [BSW07],
we believe that the scheme can only be proved secure in the generic group model.
34
CHAPTER 5
5.1.1 Definitions
5.1.2 Setup
Setup(d)→(params, msk).
First, define the attributes in universe U as elements in Zp . A d − 1 default
attribute set from Zp is given as Ω = {Ω1 , Ω2 , · · · , Ωd−1 }. Select a random gener-
ator g ∈ G1 , a random x ∈ Zp , and set g1 = g x . Next, pick a random element
g2 ∈ G1 and compute Z = e(g1 , g2 ). Two hash functions are also chosen such that
H1 , H2 : {0, 1}∗ → G1 . The public parameters is params and the master secret
key is msk.
To generate a private key for an attribute set ω, the following steps are taken:
5.1.4 Sign
Suppose one has a private key for the attribute set ω. To sign a message m
with predicate Υk,ω∗ (·), namely, to prove owning at least k attributes among an
n-element attribute set ω ∗ , signer selects a k-element subset ω 0 ⊆ ω ∩ ω ∗ and
proceeds as follows:
5.1.5 Verify
To verify the signature σ = (σ0 , {σi }i∈ω∗ ∪Ω0 , σ 0 0 ) on message m with threshold
k for attributes ω ∗ ∪ Ω0 , check if the following equation holds:
e(g, σ0 ) ?
0
=Z
[Πi∈ω∗ ∪Ω0 e(H1 (i), σi )]e(H2 (m), σ 0 )
5.2 Attacks
In this section we present the attacks on the above scheme. We’ll take the following
example case into consideration for the attack:
36
- Accordingly Ω = Ω1 ; (|Ω|= d − 1)
- Let the threshold k = 2 i.e the user needs to have both attributes in ω ∗ to
generate a valid signature.
5.2.1 Setup
5.2.2 Extract
1. Since d = 2 we consider a one-degree polynomial q(y) whose constant is set
to x and we pick a random value in Z∗p as the other co-efficient. So, q(0) = x.
And set, q(y) = 7y + x.
2. ω̂ = ω ∪ Ω = {A, B, C, D, Ω1 }.
Attacker picks d secret keys at a time and does the following computations:
37
∆ (0)
Computations done by signer . We will evaluate Πi∈S di,0i,S for pairs of
attributes, S ∈ {{A, B}, {A, C}, {A, D}, {B, C}, {B, D}, {C, D}} to get:
X1 = g2x HArA ∆AB HBrB ∆BA X2 = g2x HArA ∆AC HCrC ∆CA
x rA ∆AD rD ∆DA x rB ∆BC rC ∆CB
X3 = g2 HA HD X4 = g2 HB HC (5.1)
x rB ∆BD rD ∆DB x rC ∆CD rD ∆DC
X5 = g2 HB HD X6 = g2 HC HD
∆A3 = ∆A1 − ∆A2 = ∆AD − ∆AC ∆B3 = ∆BA ∆CB − ∆B1 ∆CA
∆A4 = ∆A1 ∆CB − ∆AB ∆CA ∆B4 = ∆BA ∆DB − ∆B2 ∆DA
∆A5 = ∆A2 ∆DB − ∆AB ∆DA ∆B5 = ∆B2 ∆A5 − ∆B4 ∆A4
Y2∆DB
Z3 = = HArA ∆A5 HBrB ∆B4 (5.2)
Y4∆DA
Z2∆A5
Z4 = ∆A4 = HBrB ∆B5 (5.3)
Z3
1
∆ /∆B4 ˆ
HBrB = HArA ∆ · HBrB
∆B4
Z5 = Z3 = HA A5 (5.4)
38
5.2.4 Attack 1: Forgery without satisfying threshold
• ω = {A, B, C, D}
• d = 2 So, (d − 1) = 1
• Ω = {Ω1 }
• ω ∗ = {A, P }
Sign
Here C is a constant, which can be computed by the signer. Now for the σi values:
0 0
σA = (g rA )C .g r A , σP = g r P
Verification
e(g, σ0 )
[Πi∈ω∗ ∪Ω0 e(H1 (i), σi )]e(H2 (m), σ 0 0 )
0 0
e(g, g2x )e(g, HArA C )e(g, HAr A )e(g, HPr P )e(g, H2 (m)s )
=
[e(HA , σA )e(HP , σP )]e(H2 (m), g s )
0
0
e(g, g2x )e g, HArA C e g, HAr A e g, HPr P
=
[e (HA , (g rA )C g r0 A )e (HP , g r0 P )]
= e(g, g2x )
=Z
39
5.2.5 Attack 2: Universal forgery
Computations for launching the attack. We will continue with the prelim-
inary computations that we have already done. We also know that the Lagrange
coefficients for any set of attributes can be found. Thus, the ∆ij values can be
computed and therefore we can proceed to find:
−1
δB = Z4∆B5 = HBrB (5.7)
∆A5 −1
Z3
δA = = HArA (5.8)
(δB )∆B4
• ω = {A, B, C, D}
• d = 2 So, (d − 1) = 1
• Ω = {Ω1 }
• ω ∗ = {L, M }
40
Verify
0
r0 M
e(g, σ0 ) e(g, g2x )e g, HLr L
· HMe (g, H2 (m)s )
=
[Πi∈ω∗ ∪Ω0 e(H1 (i), σi )] e(H2 (m), σ 0 0 ) [e (HL , σL ) e (HM , σM )] e (H2 (m), g s )
0
r0 M
e(g, g2x )e g, HLr L e g, HM
=
[e (HL , g r0 L )e (HM , g r0 M )]
= e(g, g2x )
=Z
The attacker now holds g2x . With this, we show how (s)he can generate the private
keys for anyone.
To generate a private key for an attribute set ω, the attacker does the following:
41
threshold scheme by Shahandashti and Safavi-Naini in [SSN09], then on the ABS
with multiple attribute authorities [LAS+ 10]. We then proceed to show that the
attacks are also applicable on the ABS scheme for bounded multi-level threshold
circuits [KABPR10] and also on the scheme for hidden ABS without anonymity
revocation presented in [LK10].
Here we would like to remark that [LAS+ 10] has been derived from [LK08] and
that both their key extract phases are exactly the same. We first present the key
extraction phase of [LK08].
Key Extract
To generate a private key for an attribute set ω, the following steps are taken:
→ First, choose a d − 1 degree polynomial q(y) randomly such that q(0) = x;
→ Generate a new attribute set ω̂ = ω ∪ Ω. For each i ∈ ω̂, choose ri ∈R Zp .
q(i)
→ Compute, di0 = g2 · (H1 (i))ri and di1 = g ri ;
→ Finally, output Di = (di0 , di1 ) as the private key for each i ∈ ω̂
Total break
It’s now easy to see that the di0 components in [LK08] are exactly the same as
before. This allows us derive the set of equations (5.1) which are the primary set of
equations used in deriving the rest of the values. From there we can proceed in the
exact same manner to get equations (5.2), then (5.3), (5.7), (5.8) and finally (5.9).
This will allow the attacker to get g2x . Now, the attacker can use the strategy in
Section[5.2.6] and impersonate the key generating authority.
Setup
42
n+1
∆i,N (x)
n
Y
g2x ti and msk = y and mpk = (g, g1 , g2 , t1 , t2 , · · · , tn+1 , h)
i=1
KeyGen
KeyGen(msk, A): To generate keys for the user attribute set A. Choose a random
d − 1 degree polynomial q(x) such that q(0) = y, choose random elements ri ∈ Zp
for i ∈ A, and output: n o
q(i)
ssk = g2 T (i)ri , g ri
i∈A
Attack
We will first establish the congruence of the key generation in this scheme to that
of [LAS+ 10]. Here, we can note that T (i) is a publicly computable function, the
definition of which has been established in the setup. Thus, we can consider it to
be equivalent to the hash function H1 (i) as used in schemes [LAS+ 10, LK08] for
the purposes of this attack. If we now use the notation Ti to indicate the value of
∆ (0)
T (i) where i is the attribute under consideration and then evaluate Πi∈S sski0i,S
for pairs of attributes, S ∈ {{A, B}, {A, C}, {A, D}, {B, C}, {B, D}, {C, D}} to
get:
X1 = g2y TArA ∆AB TBrB ∆BA X2 = g2y TArA ∆AC TCrC ∆CA
X3 = g2y TArA ∆AD TDrD ∆DA X4 = g2y TBrB ∆BC TCrC ∆CB
X5 = g2y TBrB ∆BD TDrD ∆DB X6 = g2y TCrC ∆CD TDrD ∆DC
If we now use the notation Hi to indicate the value of T (i) and also replace
the msk which is y here, with x. Then, we can get the same set of preliminary
equations as in (5.1). From here on, the rest of the steps in extracting g2y is exactly
the same as before. Thus, with the help of g2y , the attacker is capable of producing
keys for any set of attributes.
Generating Keys. To generate keys for the user attribute set A. The attacker
chooses a random d − 1 degree polynomial q(x), such that q(0) = y, say q(x) =
10x + y. And chooses random elements ri ∈ Zp for i ∈ A, and outputs:
ABS scheme with multiple attribute authorities is the second ABS scheme pro-
posed in [LAS+ 10]. Here, we assume that there are k attribute authorities in
addition to one central authority. This scheme has some variations in its con-
struction since it needs to be able to address multiple authorities. We will review
43
the phases of the construction of their scheme before we show how an attacker can
break the system.
Setup
Extract
First, a user with identity u gets a secret key from the central authority as dca =
x−Σk fs (u)
g2 i=1 i . Then, she can request attribute private key from the i-th attribute
authority as follows: Assume the user u is eligible to get an attribute set Ai,u from
the attribute authority i. The attribute authority i chooses a random d − 1 degree
polynomial
n qi (·) such that qi (0) = fsi (u)
o and computes the secret key q(j) for user
qi (j)
u as dij0 = g2 Hi (j)rij , dij1 = g rij .
j∈Ai,u ∪Ωi
Sign
Suppose one has a private key for attribute set Ai,u for 1 ≤ i ≤ k. To sign a
message with predicate Υ that for each i, at least ki out of ni attributes ωi∗ are
issued from the attribute authority i (Note ki could be equal to 0). The user
selects a ki -value attribute subset ωi0 ⊆ Ai,u ∩ ωi∗ . The following steps are taken:
• First, the user chooses ri1 , ri2 , · · · , ri,ni +d−ki ∈ Z∗p and selects a d − ki default
attribute subset Ω0i ⊆ Ωi . Define Si = ωi0 ∪ Ω0i ;
n o n o
∆i,S (0) r0 0
σij = dij1 g ij , σij = g rij
, σ00 = g s
j∈Si j∈ωi∗ \ωi0
44
Verify
On input the signature (σ0 , {σij }j∈ωi∗ ∪Ω0i , σ00 ) with predicate Υ, compute
?
Y Y
e(g, σ0 ) = Z · e(Hi (j), σij )e(H(m), σ00 )
1≤i≤k j∈ωi∗ ∪Ω0i
If the equation holds, the signature is valid and the algorithm outputs accept.
Otherwise, the algorithm outputs reject.
Attack
In order to attack this system, a forger has to try and get part of the secret
component of every authority. The attacker can accomplish this as follows:
• Using the set of attributes {Ai,u ∪ Ωi } the user has from each authority i,
the attacker forms equations as in (5.1); the only difference being, g2x will
fs (u)
now be g2 i .
fsi (u)
• Following along the same way as before, the user can now extract g2 .
fs (u)
• Once the attacker extracts g2 i for all 1 ≤ i ≤ k. She computes their
product:
k Pk
fs (u) fs (u)
Y
g2 i = g2 i=1 i
i=1
n o
fs (u)
Universal Forgery. Now, using the values g2x and g2 i , the attacker
i=1,··· ,k
can forge on any message for any threshold of attributes. The signature is com-
puted as (σ0 , {σij }j∈ωi∗ ∪Ω0i , σ00 ) where:
g2fsi (u) 0
Y Y
σ0 = dca · Hi (j)rij (H(m))s
1≤i≤k j∈ωi∗
n 0
o
σij = g rij
, σ00 = g s
j∈ωi∗
Verification
Y Y
e(g, σ0 ) = Z · e(Hi (j), σij ) e(H(m), σ00 )
1≤i≤k j∈ωi∗ ∪Ω0i
45
Analysis of the verification:
g2fsi (u) 0
Y Y
e(g , σ0 ) = e g , dc a · Hi (j)rij (H(m))s
1≤i≤k j∈ωi∗
Pk
x−Σki=1 fsi (u) i=1 fsi (u)
0
Y Y
= e g , g2 · g2 Hi (j)rij e(g, H(m))s
1≤i≤k j∈ωi∗
0
Y Y
= e(g, g2x ) · e(g , Hi (j))rij e(g, H(m))s
1≤i≤k j∈ωi∗
0
Y Y
=Z · e(g rij , Hi (j)) e(H(m), σ00 )
1≤i≤k j∈ωi∗
Y Y
=Z · e(Hi (j), σij ) e(H(m), σ00 )
1≤i≤k j∈ωi∗ ∪Ω0i
Hence, the verification passes. This shows that universal forgery can be performed
by any attacker.
In this subsection we will focus on how the attack is possible on the multi-level
threshold ABS scheme proposed by Kumar et al in [KABPR10]. Here, inorder
to achieve multi-level threshold properties, the authors use the access structure
that was first described in Goyal et al’s paper on bounded ciphertext policy ABE
[GJPS08]. They denote the access tree structure by T . Now, let us look at how
the key is generated for a signer possessing a set of attributes θ such that only
those users satisfying the access tree can produce a signature:
Key Generation
The key generation algorithm outputs a private key that enables the signer to
sign on any message m under a bounded threshold circuit T , as long as T (θ) =
1. Choose a random polynomial q(x) for each non-leaf node x in the universal
bounded threshold circuit Tu . These polynomials are chosen in the following way
in a top-down manner, starting from the root node r. For each x, set the degree
cx of the polynomial qx to be one less than the threshold value, i.e., cx = num − 1.
Now, for the root node r, set qr (0) = χ and choose cr other points of the polynomial
qr randomly to define it completely. For any other non-leaf node x, assign qx (0) =
qpar(x) (index(x)) and choose cx other points randomly to completely define qx .
The secret values are given to the user by generating a new attribute set
θ∗ = θ ∪ δ. For all i ∈ θ∗ :
Thus the private key is {dx,i0 , dx,i1 |x ∈ ΨTu , i ∈ θ} ∪ {dy,i0 , dy,i1 |y ∈ ΦTu , i ∈ δ}.
Attack
In order to model this attack, we will first consider all the non-leaf nodes x at
depth d − 1 i.e all x ∈ ΨTu . By using our method of attack, we will try to extract
q (0)
g2x , for each of these nodes. Once, we get these values, we can use these to
satisfy the threshold of the parent node and get its share of the secret and so
on until we reach the root. To do this we will first establish the congruence
of the key generation in this scheme to that of [LAS+ 10]. Here, we can note
that H1 (x||i) is a publicly computable function, the definition of which has been
established in the setup. Thus, we can consider it to be equivalent to the hash
function H1 (i) as used in schemes [LAS+ 10, LK08]. If we now use the notation
Hxi to indicate the value of H1 (x||i) where x is the node under consideration
∆i,S (0)
and i is the attribute under consideration and then evaluate Πi∈S dx,i0 for pairs
of attributes, S ∈ {{A, B}, {A, C}, {A, D}, {B, C}, {B, D}, {C, D}} to get the
following equations. (It is important here to note that this is possible because,
a secret key component is given for all of the users attributes for each and every
non-leaf node in ΨTu ).
q (0)
rxA ∆AB rxB ∆BA q (0)
rxA ∆AC rxC ∆CA
X1 = g2x HxA HxB X2 = g2x HxA HxC
q (0)
rxA ∆AD rxD ∆DA q (0)
rxB ∆BC rxC ∆CB
X3 = g2x HxA HxD X4 = g2x HxB HxC
q (0)
rxB ∆BD rxD ∆DB q (0)
rxC ∆CD rxD ∆DC
X5 = g2x HxB HxD X6 = g2x HxC HxD
This leads us to equations that have the exact same form as the primary
q (0)
equations in (5.1). Thus, we can extract g2x for all x ∈ ΨTu . Now, we have the
secret shares of all the children nodes at depth d − 1. We are in a position to
interpolate and get the share of the parent nodes as well. By definition, qx (0) =
qpar(x) (index(x)), so we can use interpolation and get qpar(x) (0). Thus, by doing
the procedure of interpolation recursively at each level, we can get the value at
q (0)
the root, g2r = g χ . Now, the attacker is just as capable of generating keys for
any set of attributes as the key generating authority.
47
5.3.5 Total break on hidden ABS without anonymity revo-
cation
Here, we would like to remark that a total break is one of the strongest attacks
possible and it encompasses a universal forgery. This is because, in a total break
the adversary can get keys for any set of attributes. And with that it would be very
simple to give a signature on any message, thus giving the attacker the implicit
capability for universal forgery.
5.5 Observations
Our main observations are that, the specific attack we mention is possible when
the following conditions are satisfied:
1. d is a constant and the universe of attributes U contains a large number of
elements.
2. The signer possesses lot more than d attributes although (s)he might not
have k out of the given set ω ∗ of attributes.
48
It is important here to note that the attack was made on the key construction
and method of verification, and not on the signature itself. The primary flaw in the
key construction is in using the idea of secret shares to distribute the master secret,
and at the same time giving each person lot more shares than what is required for
recovering the secret. These additional shares - in the form of dummies and other
attributes the signer has which are not a part of ω ∗ - give the signer multiple ways
to recover a derivative of the master secret key, which in turn leads to the attacks.
Discussion. We would like to remark here that, the concept of secret sharing
when combined with Waters’ signature, seems to be vulnerable to the attack we
have focused on, even when the number of keys are far fewer. We strongly feel
that there does not exist a fix for this key-construct that can resist the mentioned
attacks, however this direction is definitely worth exploring.
49
CHAPTER 6
From the attacks in the previous chapter we can see that the idea of secret sharing
introduces a weakness in threshold attribute based ABS schemes. In this section
we propose a new scheme for threshold attribute based signatures which is con-
ceptually based on ring signatures. We will first briefly relate the idea behind the
scheme before presenting our construction.
Figure 6.1: Ring ABS where each alleged member of the ring has 4 attributes.
Intuition. Any threshold attribute based signature ensures that the signer pos-
sesses atleast t out of the specified signing attributes, say n∗ in number. Another
∗
way to look at this would be that, the signer has atleast 1 out of the nt com-
binations of the attribute sets. Thus, a new approach to the same would be, for
0 n∗
the signer to pick some n sets of t attributes each from the t possible sets, and
prove that she has atleast one of the n0 sets in her possession. Showing that the
signer has 1 out of n0 sets is where the idea of ring signature fits in. Note here
n∗
that 1 ≤ n0 ≤ t . If, n0 ≥ 2, it would be sufficient to prove that the signature
is valid and the signer has the specified attributes, moreover it would also give a
reasonable degree of anonymity and not reveal the exact credentials of the signer.
If, the actual predicate was an AND, then t = n∗ , which means n0 = 1 and the
signer needs to prove the possession of the complete set of attributes. On the
other hand, if the predicate consisted of just OR, then t = 1 and again the signer
can choose an appropriate n0 depending on the amount of privacy she wishes to
have and then produce a signature. With this intuition, we are ready to see the
details of the scheme.
6.1.1 Construction
Let G1 denote a cyclic additive group of prime order p on which the bilinear
function is efficiently computable. Let e(·, ·) be the bilinear function, e : G1 ×
G1 → G2 . Let, H1 and H2 be two hash functions where, H1 : {0, 1}∗ → G1 and
H2 : {0, 1}∗ → Z∗p .
Key-Gen. The signer with identity ID ∈ {0, 1}∗ submits ID to TA. TA sets the
signer’s public key QID to be H1 (ID) ∈ G1 , computes the signer’s private signing
key SID by SID = xQID . Then TA sends the private signing key to the signer via
a secure channel, or using some secure and anonymous protocol.
Sign. Let L = {ID1 , ID2 , · · · , IDn } be the set of all identities of n users. The
actual signer, indexed by s (i.e. his/her public key is QIDs = H(IDs )), carries out
the following steps to give an ID-based ring signature on behalf of the group L.
51
1. Choose Ui ∈R G1 , compute hi = H2 (m||L||Ui )∀i ∈ {1, 2, · · · , n}\{s}.
2. Choose rs0 ∈R Zp , compute Us = rs0 QIDs − i6=s {Ui + hi QIDi }.
P
Sn
Verify. A verifier can check the validity of a signature σ = { i=1 {Ui }, V } for
the message m and a set of identities L as follows.
1. Compute hi = H2 (m||L||Ui )∀i ∈ {1, 2, · · · , n}.
2. Checking whether e(Ppub , ni=1 (Ui + hi QIDi )) = e(P, V ).
P
Discussion. This signature scheme has formally been shown to have uncondi-
tional signer anonymity property in [CYH05]. Also, the scheme is proven to be
existentially-unforgeable in the chosen message attack game by reduction to the
CDH problem in the random oracle model. The reduction has been shown with
the help of forking lemma for generic ring signatures [HS04].
6.2.1 Setup
52
params = (e, G1 , G2 , H1 (·), H2 (·), H3 (·), H4 (·), P, Ppub , δ) msk = α.
D ← KeyGen(Uβ , ID, msk). Let, Uβ be the set of attributes that a user β has.
Let D denote the set of keys given to the user. Say, |Uβ | = nβ . Here, the attribute
authority picks a rβ ∈R Z∗p and then computes the following:
Qi = H1 (Ai ) Di = rβ · α · Qi (∀Ai ∈ Uβ )
D̄0 = rβ P D̄1 = rβ−1 P
ω = H3 (Uβ , ID) W = H4 (ω)
D̄2 = rβ−1 W
The attribute authority finally gives the key, D = {Di }i∈{1,··· ,nβ } , D̄0 , D̄1 , D̄2 , ω .
Key verification
Here, the user who is receiving the keys for her attributes can verify the secret
keys as follows.
?
e(D̄0 , D̄1 ) = γ
?
e(D̄0 , D̄2 ) = e(P, H4 (H3 (Uβ , ID)))
?
e(Di , D̄1 ) = e(Qi , Ppub )
6.2.3 Sign
53
for i = {1, · · · , n0 }\s
P
2. Ui = ri · Qj ,
Aj ∈Ti
It is important to note in the algorithm that the size of the signature is inde-
pendent of the number of attributes, but depends more on the degree of privacy
that the signer prefers. This is because, n0 is a factor that the signer chooses,
depending on the amount of information the signer wishes to reveal.
6.2.4 Verify
The verifier can check the signature by performing the following computations:
?
e(V¯0 , V¯1 ) = γ
?
e(V¯0 , V¯2 ) = e(P, H4 (ω))
n 0 !
?
X
¯
e(V , V1 ) = e (Ui + hi
P
Qj ) , Ppub
i=1 Aj ∈Ti
The signature is valid only if all the three checks are satisfied, in all other cases
it’s considered to be invalid.
Verification Analysis
We argue here that, if the steps of the algorithm are followed without deviation
then, the signature given is valid. We will show a proof of the correctness mathe-
matically. Let’s first consider e(V¯0 , V¯1 ):
54
Next we check e(V¯0 , V¯2 ):
n 0
X P
We’ll consider the first component (Ui + hi Qj ) and simplify it before we
i=1 Aj ∈Ti
compute the mapping.
55
n0 n n 0 0
X P X X P
(Ui + hi Qj ) = Ui + (hi · Qj )
i=1 Aj ∈Ti i=1 i=1 Aj ∈Ti
Xn0 n
X
0
P P
= Us + Ui + (hs · Qj ) + (hi · Qj )
i=1;i6=s Aj ∈Ts i=1;i6=s Aj ∈Ti
! n 0 !
P X P
= rs · Qj − (ri + hi ) Qj
Aj ∈Ts i=1;i6=s Aj ∈Ti
n 0 n 0
P X X P
+ (hs · Qj ) + Ui + (hi · Qj )
Aj ∈Ts i=1;i6=s i=1;i6=s Aj ∈Ti
n0
! !
P X P
= rs · Qj − (ri + hi ) Qj
Aj ∈Ts i=1;i6=s Aj ∈Ti
P X P X P
+ (hs · Qj ) + (ri Qj ) + (hi Qj )
Aj ∈Ts i6=s Aj ∈Ti i6=s Aj ∈Ti
P
= (rs + hs ) · Qi (6.2)
Ai ∈Ts
Thus, from equations (6.1), (6.2) and (6.3) we can see that the verification
holds and can be performed using the public values.
6.3 Security
We will show that our threshold attribute based signature scheme is existentially
unforgeable with respect to the chosen message attack (CMA) .
We first define the game under which our threshold attribute based ring signature
scheme is existentially unforgeable.
Setup. The challenger C takes a security parameter k and runs the Setup to
generate common public parameters params and also the master secret key α. C
sends params to adversary A.
Attack. The adversary A chooses a specific attribute Ax and gives it to C. Ad-
versary can then perform polynomially bounded number of queries in an adaptive
manner (interactively) with the oracles.
56
- Hash functions. A can query for the output of the hash functions H1 (·) and
H2 (·) for any input.
- KeyGen. A is allowed to query the key for any set of attributes ( the set
may include Ax ).
Forgery. At the end of the game, A outputs a threshold attribute based signa-
ture σ on the set of attributes U ∗ . The restriction being Ax must be an element of
every subset Ti given by A, where |Ti | = t00 (threshold number of elements). Also,
the chosen set of attributes must not have been queried (as a single set) directly or
as a subset (of a larger set) during any of the key-generation or signature queries.
This ensures that, the adversary has not queried for atleast one element from each
subset of elements which can possibly satisfy the threshold. This game model also
captures the proof of security for the scheme’s collusion-resistant nature. This is
because, here, the adversary may have the keys for all of the attributes (including
Ax ) as part of one set or an other, but A should not be able to combine the secret
keys to generate a signature for the given set. A wins the game if the verification
on σ passes the check.
6.3.3 Unforgeability
Theorem 6.3.1 (Unforgeability) In the random oracle model (where the hash
functions are modeled as random oracles), if there exists an algorithm A that
can win the existentially unforgeable, chosen message attack game, with non-
negligible probability by making a valid ABS in polynomial time, then the modified-
computational bilinear Diffie-Hellman (m-CBDH) problem can be solved in poly-
nomial time.
Proof: The proof for the unforgeability of our threshold attribute based sig-
nature follows, to some extent, that given by Chow et al. in [CYH05]. In the
57
subsequent discussion we will show the reduction of our scheme to solving the
CBDH problem.
Inorder to solve the m-CBDH problem, the challenger C receives the instance
{P, aP, bP, cP, a−1 P } and has to finally produce e(P, P )abc as the output. The
challenger will run A as a subroutine in the existential unforgeability game. As
defined in the game, A can make queries to the hash functions; although the hash
outputs will be random, the challenger C will maintain separate lists of the query
and response of each oracle in order to simulate proper collision-resistant hash
functions and avoid inconsistencies. Also, in the proof, we’ll make the assumption
that all the H1 (Ai ) queries are made before they are used in any further oracle
queries.
Setting. First, the challenger C sets the public-key as Ppub = aP and master
secret as α = a. Note that C does not know a, b or c, but it will simulate those
values during its responses to A, with the help of aP , bP , cP and a−1 P .
H1 queries. When A makes queries to the hash function H1 (·) with input as
some attribute Ai , C does the following. If Ai was already queried before, the hash
value will be in the list L1 and C will search and give the stored value. Otherwise,
it first picks an si ∈ Z∗p uniformly at random, and then checks if this value is
present in the list L1 . If it is present C re-picks si repeating the process until it
gets a new value. Then, if Ai 6= Ax , it sets Qi = H1 (Ai ) = si P . If Ai = Ax , then it
sets Qx = H1 (Ax ) = sx (bP ). After each response, C makes sure to save the tuple
< Ai , si , Qi > in the list L1 , if it wasn’t already present.
H4 queries. List L4 is used to maintain the queries and responses of this oracle.
When an input ω is queried for its hash, the list L4 is looked up to see if a matching
entry already exists, if it is found the corresponding value is returned. In all other
cases, an w ∈R Z∗p is picked uniformly at random and W is set to be W = wcP .
The tuple of, < ω, W, w > is added to the list, L4 .
58
2. Now, ω = H3 (Uβ , ID)
4. Tuple < Uβ , ID, ω > is added to L3 and tuple < ω, w, W > is added to L4 .
Case-2: If however, Ax ∈ Uβ , then the keys given are follows. Let, rγ ∈R Z∗p ,
be chosen at random. Assume, rβ = rγ /a. Then, the rest of the values are set as
follows:
1. Set, D̄0 = rβ P = rγ (a−1 P ) and D̄1 = rβ−1 P = rγ−1 (aP )
4. Tuple < Uβ , ID, ω > is added to L3 and tuple < ω, w, W > is added to L4 .
The final key is given as, D = {Di }i∈{1,··· ,nβ } , D̄0 , D̄1 , D̄2 , ω .
In both cases, all the intermediate random values that have been chosen by the
challenger are added to the respective lists along with the computed components
and final responses.
2. Add the values rβ , Uβ , D̄0 , D̄1 , D̄2 , Ts to the sign oracle list.
59
3. Picks z ∈R Z∗p and sets1 , V = r∗ rβ 0 · z · (aP )
6. V = r∗ −1 rβ 0 z(aP )
Forgery. Finally, A will output σ = {Ti , Ui }i={1,··· ,n0 } , V , V¯0 , V¯1 , V¯2 , ω ,
the forged signature on the message m such that Ax is present in each of the
chosen subsets, Ti , on which the ring signature is given.
Solving CBDH. From the forking lemma for generic ring signature schemes
[HS04] it follows that, if with non-negligible probability, A can give a valid forged
signature in the above interaction within time TA , then we can construct another
algorithm A0 which within time 2TA can output two signatures σ and σ 0 with values
σ = {Ti , Ui }i={1,··· ,n0 } , V , V¯0 ,V¯1 ,V¯2 , ω ; σ 0 = {Ti , Ui }i={1,··· ,n0 } , V 0 , V¯00 ,V¯10 ,V¯20 , ω
also with non-negligible probability. It also follows from the lemma that with
non-negligible probability, we can have hi = h0i , for all i ∈ {1, · · · , n0 }\s. Now,
given A0 derived from A, we can solve for e(P, P )abc as follows.
s−1
x
−1 0 −1
e(V, V¯2 ) w (hs −hs )
X
e(P, P )abc =
e(V 0 , V¯ 0 ) ÷ e
(s i aP ), cP
2 Aj ∈Ts
Aj 6=Ax
This is possible since, sx can be looked up from the list L1 , and values of si (for
all Ai ∈ Ts , Ai 6= Ax ) can also be found from table L1 . Also, hs and h0s can be
queried on H2 ’s list L2 from the given values, and can be found within a constant
number of trials.
A more detailed derivation, showing the computations involved in extracting
the solution for CBDH can be found in the Appendix(A.2).
1
Note: This cannot be done by a normal signer since rβ 0 will only be available to the attribute
authority.
60
6.3.4 Anonymity
In this section we will define what anonymity is and prove that our scheme provides
unconditional anonymity to the signer’s attribute subset used in the signature.
We define signer ambiguity for our scheme in a manner similar to the one given
in [CYH05] for ring signatures. An attribute-based signature scheme, using the
ring approach as defined by us, for the threshold access structure, is said to have
unconditional signer
S attribute-set ambiguity if for any group of n0 attribute subsets
{T }, where T = Ti , ∀1 ≤ i ≤ n0 , Ti ⊆ U ∗ and |Ti | = t , any message m and
any signature σ, where σ = Sign(m, t, U ∗ ); any verifier A even with unbounded
computing resources, cannot identify the actual attribute subset of the signer (used
in the signature) with probability better than a random guess. That is, A can
output the actual signer’s chosen attribute subset (indexed by Ts ) with probability
no better than 1/n0 .
Proof: We first claim that all the Ui ’s are uniformly distributed. This is because,
each Ui (including Us ) is obtained via multiplying the components with a value ri ,
that is chosen uniformly at random. So, we can say that the Ui ’s by themselves
(as independent entities) don’t leak any information. Another component of the
signature, ω, is a hash of the attributes of the user, but since it’s a hash and is
created even before Ts is chosen, it cannot reveal anything about Ts . Also, the
other values, V̄0 , V̄1 and V̄2 are unrelated to Ts . So, it remains to be seen if V gives
away any information about Ts with the help of the bilinear map function along
with any of the given components and public values.
So, we will consider ifPV = r∗ (rs + hs )P Ai ∈Ts Di , leaks anything about Ts .
P
Let us focus on V − r∗ hs Ai ∈Ts Di = r∗ rs Ai ∈Ts Di . The hs component can be
obtained publicly since it is a hash. We’ll see if this component gives away infor-
mation related to Ts when considered along with V̄1 = r∗ −1 rβ−1 P , in the bilinear
map. If we manage to get r∗ rs Ai ∈Ts Di , then we can do the following verifica-
P
tion test: we check if e(r∗ rs Ai ∈Ts Di , V̄1 ) = e(rs Ai ∈Ts Qi , Ppub )? To do this,
P P
any user who suspects that X the set TkPwas used in signing
?
of the message will only
P
need to check if, e(Uk + (Ui + hi Qj ), Ppub ) = e(V, V̄1 )/e(hk Qj , Ppub ).
i6=k Aj ∈Ti Aj ∈Tk
We will now show that, although the above equality is valid for k = s, it is
equally valid for any of the other attribute subsets in T i.e the check is symmetric
with respect to any attribute subset and hence does not reveal anything about Ts .
61
To see that, consider:
X P P X P
Uk + (Ui + hi Qj ), Ppub ) = Us + i6=s (Ui ) + (hi Qj
i6=k Aj ∈Ti i6=k Aj ∈Ti
! !
P X P
= rs · Qj − (ri + hi ) Qj
Aj ∈Ts i6=s Aj ∈Ti
P X P
+ (Ui ) + (hi Qj )
i6=s i6=k Aj ∈Ti
P X P X P
= rs · Qj − ri Qj − hi Qj
Aj ∈Ts i6=s Aj ∈Ti i6=s Aj ∈Ti
P X P
+ (Ui ) + (hi Qj )
i6=s i6=k Aj ∈Ti
P P P
= rs · Qj − hk Qj + hs Qj
Aj ∈Ts Aj ∈Tk Aj ∈Ts
P P
= (rs + hs ) Qj − hk Qj
Aj ∈Ts Aj ∈Tk
∗−1 r −1 α−1
= (V )r
P
β − hk Qj
Aj ∈Tk
Thus,
∗−1 r −1 α−1
X
Qj ), Ppub ) = e((V )r
P P
e(Uk + (Ui + hi β − hk Qj , Ppub )
i6=k Aj ∈Ti Aj ∈Tk
P
= e(V, V̄1 )/e(hk Qj , Ppub )
Aj ∈Tk
S This proves that the check is symmetric with all attribute subsets in T =
Ti , ∀1 ≤ i ≤ n0 . So, the signature components are independent and uniformly
distributed irrespective of the attribute subset being used. Thus, our scheme is
unconditionally signer attribute-set anonymous.
62
signature (although it may not be necessary). She can choose all the n0 attribute
sets {Ti }i∈{1,··· ,n0 } with CIA officer being one of the attributes in each of these
sets. By doing this, she has control over which of her attributes she wants to
reveal. But if Alice does not wish to reveal anything about her credentials except
∗
that they satisfy the necessary threshold, then she will have to give all the nt
possible sets. If on the other-hand, Alice is completely indifferent about revealing
all of her attributes, then she can give a signature and include a single subset of
attributes. And that set should contain just the exact set of attributes used in the
signature inorder to satisfy the given policy. Note that this will also be a constant
size signature, since it will have only one Ti and Ui .
The power that this feature gives is that, even if the signing policy is specified
by a different authority, the signer can choose to reveal more in the signature than
what other schemes would normally allow. In a way, our approach allows the
signer control over the signature size and privacy, although he/she may not have
had the freedom to set the signing policy. If a signer does not care about privacy,
then she can go for a constant size signature. On the other-hand if the size of
the signature components is immaterial, then signer can choose to get complete
privacy by choosing all the subsets of attributes satisfying the policy to be a part
of the signature.
We also observe that this scheme can be extended to a multi-level threshold
attribute based signature if each attribute is present only once in the predicate.
63
CHAPTER 7
7.1 Conclusion
The first problem we looked at was the multi-level threshold attribute-based en-
cryption. We focused on ciphertext-policy based schemes since CP-ABE addresses
the problem of attribute-based communication in a natural way, i.e the access
policy is associated with the ciphertext during encryption and each user gets keys
based on the attributes/credentials they have. We paid particular attention to
efficiency because, almost all attribute-based solutions require a huge number of
components for keys and ciphertext, making them cumbersome for large-scale
tasks. Although some constant-size threshold schemes exist, they only support
one gate and are not as expressive as some of the applications and real-world sit-
uations require them to be. Ours is an attempt to give an efficient scheme that
does not compromise on the expressiveness of the access policy. We also believe
that ours is the first multi-level threshold scheme where the size of the ciphertext
is proportional to the complexity of the predicate policy as opposed to the number
of attributes involved.
With regard to attribute-based signatures, our study has shown that many of the
ABS schemes have been influenced by CP-ABE constructions. We also observed
that the idea of secret sharing and use of dummy attributes play an important
role in the formulation of schemes that support threshold access structures. These
observations coupled with our study of Waters’ signature on the attributes gave
us some intuitions for the attacks. However, we have seen other threshold schemes
making use of secret sharing that do not exhibit this vulnerability. We notice that
some these schemes use different mechanisms to generate their keys, and some
others using Waters’ signature ensure a check on the dummy values provided to
the user. Modifying the broken schemes to force some properties on number of
dummy values makes them inept for threshold predicates. This has led us to
conclude that the schemes for which we presented breaks cannot be fixed easily.
Future directions. In this thesis we show our scheme can be reduced to a mod-
ified version of the CBDH problem with the help of the forking lemma. However,
we make use of the forking lemma which does not lead to a tight reduction. A
challenging line of work would be to develop a scheme that can be proved secure
without the use of forking lemma. If such a scheme can be provided it can also
address the open problem of creating a provably secure ring signature scheme with
a tight-reduction to some hard problem.
65
7.2 Summary
We began this work by studying various aspects of attribute-based cryptosystems.
We looked at the origin of attribute-based encryption and traced its development.
We then closely investigated size-efficient CP-ABE schemes. Later, we moved
to threshold CP-ABE schemes that had achieved constant-size ciphertexts. Our
observation that all the proposed constant-size ABE schemes could support only
one gate, led us to explore and obtain an efficient and expressive threshold CP-
ABE scheme. We inferred that an extension of the regular threshold schemes to
multi-level threshold would give them the required expressiveness. The scheme we
propose here supports multiple levels of threshold and at the same time has far
fewer ciphertext components than previous such schemes. Our scheme results in
a ciphertext-size that is independent of the number of attributes, it depends only
on the number of gates in the access structure. Although our proposal appears
reliable and robust (which we have seen with an example) it’s security remains to
be formalized. A good extension in this area would be to devise a provably secure
constant-size ciphertext multi-threshold CP-ABE.
Next, we looked at attribute-based signatures, and pointed out vulnerabilities
in a number of schemes. We closely examined the key-generating algorithm on
which our attacks were based. Then, we formally presented the different kind
of ways in which each of these schemes could be attacked. We concluded that
the attacks cannot be fixed easily just by changing the number of components
(attributes and dummies) given to the user; a fix would require a different key-
generating mechanism altogether. But we still think it is a worthwhile venture
to design a threshold attribute-based signature scheme built on Waters’ signature
and secret sharing principle, that is resistant to our attack.
With the momentum of the breaks we decided to explore a new way to per-
ceive threshold attribute-based signatures. Threshold is an instantly appealing
predicate primarily due to its versatility. So, we took up the challenge of creating
a novel threshold-ABS scheme founded on the principles of ring signatures. Our
construction aggregated attribute sets and gave a signature on a ring comprising
of various attribute subsets. Although our scheme is sound, it has been proved
secure in the selective model with the help of the forking lemma which makes the
reduction, and in turn, the security, weak. A good problem in this direction would
be to come up with a tightly-reducible scheme based on the proposed approach.
This can also lead to resolving some open problems in ring signatures.
Finally, in this chapter, we gave a more complete picture of our work in
attribute-based cryptosystems. We consolidated our observations and inferences.
We also reflected on some of the interesting lines on which work in this area can
proceed. The problems we have looked at are all fundamental issues faced in
distributed settings. With large-scale data decentralization and vast networks of
distributed data (from social networks, cloud-computing, electronic-mail etc.) we
can see a number of avenues where such kind of security is highly pertinent. By
tackling these problems, we not only look at solving some central security issues,
we also embrace these emerging technologies and the new revolution in communi-
cation that they bring with them.
66
APPENDIX A
This chapter is dedicated to show the correctness of the verification steps used
in the proof of our scheme in Chapter(6), in particular we look at the proof for
Theorem(6.3.1).
2. V = r∗ rβ 0 · z · (aP )
5. V = r∗ −1 rβ 0 z(aP )
n 0 !
X
¯
Now, we will see if e(V , V1 ) = e (Ui + hi
P
Qj ) , Ppub will hold true.
i=1 Aj ∈Ti
= e (z · (aP ) , P )
= e (zP , Ppub ) (A.1)
n 0 n 0
X X
(h0s
P P
+ · Qj ) + Ui + (hi · Qj )
Aj ∈Ts i=1;i6=s i=1;i6=s Aj ∈Ti
n 0 !
X P
= zP − (ri + hi ) Qj
i=1;i6=s Aj ∈Ti
X P X P
+ (ri Qj ) + (hi Qj )
i6=s Aj ∈Ti i6=s Aj ∈Ti
= zP (A.2)
68
Thus, R.H.S also reduces to,
n 0 !
X P
e (Ui + hi Qj ) , Ppub = e(zP, Ppub ) (A.3)
i=1 Aj ∈Ti
From equations (A.1), (A.2) and (A.3) we can see that the verification holds for
the constructed signature.
X
V = r∗ rβ1 (rs + hs )(absx P + a Qi )
Ai ∈TS ,i6=x
X
= r∗ rβ1 (rs + hs )(absx P + a si P )
Ai ∈TS ,i6=x
W1 = e(V, V̄2 )
P
(rs +hs )(absx P +a si )(wc)
Ai ∈TS ,i6=x
= e(P, P )
P
−1
(rs +hs )(abcsx P +ac si )
X1 = W1w =γ i6=x
(A.4)
i∈Ts ,i6=x
Y
Z= = γ abc·sx
Ȳ
(Z)−sx = γ abc = e(P, P )abc (A.5)
69
REFERENCES
[Boy07] Xavier Boyen. Mesh signatures. In Proceedings of the 26th annual
international conference on Advances in Cryptology, EUROCRYPT
’07, pages 210–227, Berlin, Heidelberg, 2007. Springer-Verlag.
[BS04] Dan Boneh and Hovav Shacham. Group signatures with verifier-local
revocation. In ACM Conference on Computer and Communications
Security, pages 168–177, 2004.
[CN07] Ling Cheung and Calvin Newport. Provably secure ciphertext policy
abe. In Proceedings of the 14th ACM conference on Computer and
communications security, CCS ’07, pages 456–465, New York, NY,
USA, 2007. ACM.
[EMN+ 09] Keita Emura, Atsuko Miyaji, Akito Nomura, Kazumasa Omote,
and Masakazu Soshi. A ciphertext-policy attribute-based encryption
scheme with constant ciphertext length. In Proceedings of the 5th
International Conference on Information Security Practice and Ex-
perience, ISPEC ’09, pages 13–23, Berlin, Heidelberg, 2009. Springer-
Verlag.
[GJPS08] Vipul Goyal, Abhishek Jain, Omkant Pandey, and Amit Sahai.
Bounded ciphertext policy attribute based encryption. In Proceed-
ings of the 35th international colloquium on Automata, Languages
and Programming, Part II, ICALP ’08, pages 579–591, Berlin, Hei-
delberg, 2008. Springer-Verlag.
70
[GNSN10] Martin Gagné, Shivaramakrishnan Narayan, and Reihaneh Safavi-
Naini. Threshold attribute-based signcryption. In SCN, pages 154–
171, 2010.
[GPSW06] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters.
Attribute-based encryption for fine-grained access control of en-
crypted data. In Proceedings of the 13th ACM conference on Com-
puter and communications security, CCS ’06, pages 89–98, New York,
NY, USA, 2006. ACM.
[GS08] Jens Groth and Amit Sahai. Efficient non-interactive proof systems
for bilinear groups. In EUROCRYPT, pages 415–432, 2008.
[HLR10] Javier Herranz, Fabien Laguillaumie, and Carla Ràfols. Constant size
ciphertexts in threshold attribute-based encryption. In Public Key
Cryptography, pages 19–34, 2010.
[HS04] Javier Herranz and Germán Sáez. New identity-based ring signature
schemes. In ICICS’04, pages 27–39, 2004.
[LAS+ 10] Jin Li, Man Ho Au, Willy Susilo, Dongqing Xie, and Kui Ren.
Attribute-based signature and its applications. In Proceedings of the
5th ACM Symposium on Information, Computer and Communica-
tions Security, ASIACCS ’10, pages 60–69, New York, NY, USA,
2010. ACM.
71
[MPR10] Hemanta K. Maji, Manoj Prabhakaran, and Mike Rosulek.
Attribute-based signatures. Cryptology ePrint Archive, Report
2010/595, 2010. http://eprint.iacr.org/.
[RST01] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a
secret. In Proceedings of the 7th International Conference on the
Theory and Application of Cryptology and Information Security: Ad-
vances in Cryptology, pages 554–567. Springer-Verlag, 2001.
72