CPDA Lecture 12 Attribute-Based Encryption
曾一凡
林彥賓
August 12, 2020
Outline
Introduction
KP-ABE
  Definition
  Security Model
  Access Tree To LSSS
  Scheme
  Correctness
  Security Proof
CP-ABE
  Definition
  Security Model
  Waters Scheme
  Correctness
  Security Proof
Introduction
Key-Policy Attribute-Based Encryption (KP-ABE): an attribute set is associated with a ciphertext, and an access structure (policy) is associated with a private key.
Ciphertext-Policy Attribute-Based Encryption (CP-ABE): a user's private key is associated with a set of descriptive attributes, and a ciphertext is associated with an access structure (policy).
KP-ABE Definition
Setup($1^\lambda$): Taking as input the security parameter, the algorithm outputs the system parameters params and the master secret key msk.
Encrypt(S, M): Taking as inputs a set of attributes S and a message M, the algorithm outputs a ciphertext CT.
KeyGen(msk, $\mathbb{A}$): Taking as inputs the master secret key msk and an access structure $\mathbb{A}$, the algorithm outputs a private key D.
Decrypt(CT, D): Taking as inputs a ciphertext CT and a private key D, the algorithm outputs a message.
Notation: $S \models \mathbb{A}$ denotes "S satisfies $\mathbb{A}$".
Correctness: For $CT \leftarrow \mathrm{Encrypt}(S, M)$ and $D \leftarrow \mathrm{KeyGen}(msk, \mathbb{A})$, we have $M \leftarrow \mathrm{Decrypt}(CT, D)$ if S satisfies $\mathbb{A}$.
KP-ABE Security Model
Setup: The challenger $\mathcal{C}$ runs the Setup algorithm and sends params to the adversary $\mathcal{A}$.
Phase 1: The adversary $\mathcal{A}$ makes polynomially many queries to the following oracles:
KeyGen($\mathbb{A}_i$): Upon inputting an access structure $\mathbb{A}_i$, the oracle returns the corresponding private key $D_{\mathbb{A}_i}$.
Decrypt(CT, $\mathbb{A}_i$): Upon inputting a ciphertext CT and an access structure $\mathbb{A}_i$, the oracle returns the output of Decrypt(CT, $D_{\mathbb{A}_i}$).
Challenge: The adversary $\mathcal{A}$ submits two distinct messages $(M_0, M_1)$ of the same length and a target attribute set $S^*$, where $S^*$ does not satisfy any of the access structures queried in Phase 1. Then the challenger $\mathcal{C}$ chooses a bit $b \leftarrow \{0, 1\}$ and returns $CT^* \leftarrow \mathrm{Encrypt}(S^*, M_b)$.
Phase 2: The same as Phase 1, except that queries Decrypt($CT^*$, $\mathbb{A}_j$) and KeyGen($\mathbb{A}_j$) with $S^* \models \mathbb{A}_j$ are not allowed.
Guess: The adversary $\mathcal{A}$ outputs a bit $b'$ and wins the game if $b' = b$.
The advantage of the adversary $\mathcal{A}$ in winning the game is defined as
$$\mathrm{Adv}(\mathcal{A}) = \Pr[b' = b] - 1/2$$
We say that an ABE scheme is CCA secure if, for every PPT adversary $\mathcal{A}$, $\mathrm{Adv}(\mathcal{A})$ is negligible.
Access Tree To LSSS
1. Label the root with [1], then label each node working from the root down to the leaves.
2. If an internal node is "∧" and is labelled with a vector v, label its left son with [v, 1] and its right son with [0, ..., 0, −1], so that the left and right labels sum to [v, 0].
3. If an internal node is "∨", label both sons with the same vector as their parent.
4. Pad the shorter vectors with 0 so that all the vectors have the same length.
Example:
A ∧ (B ∨ (C ∧ D))
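The four labelling steps applied to the policy A ∧ (B ∨ (C ∧ D)), as an added example that is not part of the original slides: it builds the LSSS matrix and then solves for the reconstruction constants $w_i$ over $\mathbb{Z}_p$, which also decides whether an attribute set satisfies the policy. The prime `P`, the tuple encoding of the tree and all function names are assumptions of this sketch.

```python
P = 2**61 - 1  # prime standing in for the group order p (assumption)

# Constructed sample policy: A AND (B OR (C AND D)).
POLICY = ("and", "A", ("or", "B", ("and", "C", "D")))

def tree_to_lsss(tree):
    """tree is an attribute name (leaf) or (op, left, right), op in {"and", "or"}.
    Returns (rows, rho): rows[i] is the vector of leaf i, rho[i] its attribute."""
    rows, rho = [], []
    width = 1                                  # longest vector handed out so far

    def label(node, vec):
        nonlocal width
        if isinstance(node, str):              # leaf: its label becomes a matrix row
            rows.append(vec)
            rho.append(node)
            return
        op, left, right = node
        if op == "or":                         # step 3: sons inherit the parent's vector
            label(left, vec)
            label(right, vec)
        else:                                  # step 2: left = [v, 1], right = [0..0, -1]
            padded = vec + [0] * (width - len(vec))
            width += 1
            left_vec, right_vec = padded + [1], [0] * len(padded) + [-1]
            label(left, left_vec)
            label(right, right_vec)

    label(tree, [1])                           # step 1: the root is labelled [1]
    return [r + [0] * (width - len(r)) for r in rows], rho   # step 4: pad with 0

def reconstruction_constants(rows, rho, attrs, p=P):
    """Return {row index: w_i} with sum_i w_i * M_i = (1, 0, ..., 0) mod p, using
    only rows whose attribute is in attrs; None if attrs does not satisfy the policy."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    n = len(rows[0])
    # One equation per matrix column; unknowns are the w_i, last entry is the target.
    aug = [[rows[i][c] % p for i in idx] + [1 if c == 0 else 0] for c in range(n)]
    pivots, r = [], 0
    for col in range(len(idx)):                # Gauss-Jordan elimination mod p
        piv = next((k for k in range(r, n) if aug[k][col]), None)
        if piv is None:
            continue                           # free variable, left at 0
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][col]:
                f = aug[k][col]
                aug[k] = [(x - f * y) % p for x, y in zip(aug[k], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in aug[r:]):        # (1, 0, ..., 0) is not in the row span
        return None
    w = {i: 0 for i in idx}
    for k, col in enumerate(pivots):
        w[idx[col]] = aug[k][-1]
    return w

if __name__ == "__main__":
    rows, rho = tree_to_lsss(POLICY)
    for attr, row in zip(rho, rows):
        print(attr, row)
    for attrs in ({"A", "B"}, {"A", "C", "D"}, {"A", "C"}, {"B", "C", "D"}):
        print(sorted(attrs), reconstruction_constants(rows, rho, attrs))
```
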
KP-ABE Scheme
Setup($1^\lambda$): Define the universe $U = \{1, 2, \ldots, k\}$
1. Randomly choose $t_i \leftarrow \mathbb{Z}_p$, $i = 1, 2, \ldots, k$
2. Compute $T_i = g^{t_i}$, $i = 1, 2, \ldots, k$
3. Randomly choose $y \leftarrow \mathbb{Z}_p$ and compute $Y = e(g, g)^y$
4. Set params $= (T_1, T_2, \ldots, T_k, Y)$, msk $= (t_1, t_2, \ldots, t_k, y)$
5. Output (params, msk)
Encrypt(S, M): To encrypt a message $M \in G_T$ for an attribute set $S \subseteq U$
1. Randomly choose $s \leftarrow \mathbb{Z}_p$
2. Compute $C = M Y^s$
3. For $x \in S$, compute $C_x = T_x^s$
4. Output $CT = (C, \{C_x\}_{x \in S})$
KeyGen(msk, $\mathbb{A}$): To generate the private key for access structure $\mathbb{A} = (M \in \mathbb{Z}_p^{\ell \times n}, \rho)$
1. Randomly choose $v_2, v_3, \ldots, v_n \leftarrow \mathbb{Z}_p$ and set $v = (y, v_2, \ldots, v_n)$
2. Let $M_i$ denote the i-th row of M. For i = 1 to ℓ, compute $D_i = g^{\langle M_i, v \rangle / t_{\rho(i)}}$
3. Output private key $D = \{D_i\}_{i=1,\ldots,\ell}$
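Decrypt(CT, D): Assume that CT and D are associated with an attribute set S and an access structure $\mathbb{A} = (M, \rho)$, respectively. Let $I \subset \{1, \ldots, \ell\}$ be defined as $I = \{i : \rho(i) \in S\}$. If $S \models \mathbb{A}$, then by the property of LSSS, there must exist a set of constants $\{w_i\}_{i \in I}$ such that $\sum_{i \in I} w_i M_i = \underbrace{(1, 0, \ldots, 0)}_{n}$. Output
$$M = \frac{C}{\prod_{i \in I} e(D_i, C_{\rho(i)})^{w_i}}$$
Since $\sum_{i \in I} w_i M_i = \underbrace{(1, 0, \ldots, 0)}_{n}$, we have that
$$\sum_{i \in I} w_i \langle M_i, v \rangle = \Big\langle \sum_{i \in I} w_i M_i, v \Big\rangle = \langle (1, 0, \ldots, 0), (y, v_2, \ldots, v_n) \rangle = y$$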
KP-ABE Correctness
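$$\prod_{i \in I} e\big(D_i, C_{\rho(i)}\big)^{w_i} = \prod_{i \in I} e\Big(g^{\langle M_i, v \rangle / t_{\rho(i)}}, \big(g^{t_{\rho(i)}}\big)^{s}\Big)^{w_i} = \prod_{i \in I} e(g, g)^{w_i \langle M_i, v \rangle s} = e(g, g)^{s \sum_{i \in I} w_i \langle M_i, v \rangle} = e(g, g)^{sy} = Y^s \qquad (1)$$
$$\frac{C}{\prod_{i \in I} e(D_i, C_{\rho(i)})^{w_i}} = \frac{M Y^s}{Y^s} = M$$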
KP-ABE Security Proof
Theorem
GPSW KP-ABE is selectively secure against chosen-plaintext attacks under the DBDH assumption.
Given the instance $(g, g^a, g^b, g^c, Z = e(g, g)^{abc})$ of the DBDH problem:
Init: The adversary $\mathcal{A}$ submits a target attribute set $S^*$.
Setup: The challenger $\mathcal{C}$ performs as follows.
1. Set $Y = e(g^a, g^b)$, which means we implicitly set $y = ab$
2. For $i \in S^*$, randomly choose $f_i \leftarrow \mathbb{Z}_p$ and compute $T_i = g^{f_i}$ (thus $t_i = f_i$)
3. For $i \in U \setminus S^*$, randomly choose $h_i$ and compute $T_i = (g^b)^{h_i}$ (thus $t_i = b h_i$)
4. Return params $= (\{T_i\}_{i \in U}, Y)$
KP-ABE Security Proof Phase 1 KeyGen Query
Let $l = \underbrace{(1, 0, \ldots, 0)}_{n}$, and let $M_{S^*}$ be the submatrix of M whose rows correspond to the attributes in $S^*$.
Goal
Find a vector v such that $l \cdot v = y = ab$, and $g^{\langle M_i, v \rangle / t_{\rho(i)}}$ can be computed whether or not $\rho(i) \in S^*$.
Proposition 1
A vector x is independent of a set of vectors represented by a matrix N if and only if there is a vector w such that $N \cdot w = 0$ while $x \cdot w \neq 0$.
Since $S^*$ does not satisfy $\mathbb{A}$, the rows of $M_{S^*}$ do not generate l, i.e., l is independent of $M_{S^*}$.
Define $v = u + \psi w$, where $M_{S^*} \cdot w^T = 0$ and $l \cdot w^T = \delta \neq 0$.
Randomly choose $k = (k_1, k_2, \ldots, k_n)$ and set $u = bk = (bk_1, bk_2, \ldots, bk_n)$.
$$l \cdot v^T = ab \;\Rightarrow\; l \cdot (u + \psi w)^T = ab \;\Rightarrow\; bk_1 + \psi\delta = ab \;\Rightarrow\; \psi = b\left(\frac{a - k_1}{\delta}\right)$$
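For $\rho(j) \in S^*$, $t_{\rho(j)} = f_{\rho(j)}$ and $\langle M_j, w \rangle = 0$, so
$$\frac{\langle M_j, v \rangle}{t_{\rho(j)}} = \frac{\langle M_j, u \rangle + \psi \langle M_j, w \rangle}{f_{\rho(j)}} = b\left(\frac{\langle M_j, k \rangle}{f_{\rho(j)}}\right)$$
$$D_j = (g^b)^{\langle M_j, k \rangle / f_{\rho(j)}}$$
For $\rho(j) \notin S^*$, $t_{\rho(j)} = b h_{\rho(j)}$, and with $u = bk$ and $\psi = b\left(\frac{a - k_1}{\delta}\right)$,
$$\frac{\langle M_j, v \rangle}{t_{\rho(j)}} = \frac{\langle M_j, bk \rangle + b\left(\frac{a - k_1}{\delta}\right) \langle M_j, w \rangle}{b h_{\rho(j)}} = \frac{\langle M_j, k \rangle + \left(\frac{a - k_1}{\delta}\right) \langle M_j, w \rangle}{h_{\rho(j)}} = \frac{\delta \langle M_j, k \rangle - k_1 \langle M_j, w \rangle}{\delta h_{\rho(j)}} + a\left(\frac{\langle M_j, w \rangle}{\delta h_{\rho(j)}}\right)$$
$$D_j = g^{\frac{\delta \langle M_j, k \rangle - k_1 \langle M_j, w \rangle}{\delta h_{\rho(j)}}} \cdot (g^a)^{\frac{\langle M_j, w \rangle}{\delta h_{\rho(j)}}}$$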
KP-ABE Security Proof
Challenge: $\mathcal{A}$ submits two messages $M_0, M_1$, and $\mathcal{C}$ performs as follows.
1. Randomly choose $b \leftarrow \{0, 1\}$ and compute $C = M_b Z$
2. Compute $C = M_b \, e(g, g)^{abc} = M_b Y^c$
3. For $i \in S^*$, compute $C_i = T_i^c = g^{f_i c} = (g^c)^{f_i}$
4. Return $CT^* = (C, \{C_i\}_{i \in S^*})$
Phase 2: Same as Phase 1.
Guess: Since $C = M_b \, e(g, g)^{abc} = M_b Y^c$, the challenger is able to solve the DBDH problem if there is an adversary that wins the game with non-negligible advantage.
CP-ABE Definition
Setup($1^\lambda$): Taking as input the security parameter, the algorithm outputs the system parameters params and the master secret key msk.
Encrypt($\mathbb{A}$, M): Taking as inputs an access structure $\mathbb{A}$ and a message M, the algorithm outputs a ciphertext CT.
KeyGen(msk, S): Taking as inputs the master secret key msk and an attribute set S, the algorithm outputs a private key D.
Decrypt(CT, D): Taking as inputs a ciphertext CT and a private key D, the algorithm outputs a message.
Correctness: For $CT \leftarrow \mathrm{Encrypt}(\mathbb{A}, M)$ and $D \leftarrow \mathrm{KeyGen}(msk, S)$, we have $M \leftarrow \mathrm{Decrypt}(CT, D)$ if S satisfies $\mathbb{A}$.
CP-ABE Security Model
Setup: The challenger $\mathcal{C}$ runs the Setup algorithm and sends params to the adversary $\mathcal{A}$.
Phase 1: The adversary $\mathcal{A}$ makes polynomially many queries to the following oracles:
KeyGen($S_i$): Upon inputting an attribute set $S_i$, the oracle returns the corresponding private key $D_{S_i}$.
Decrypt(CT, $S_i$): Upon inputting a ciphertext CT and an attribute set $S_i$, the oracle returns the output of Decrypt(CT, $D_{S_i}$).
Challenge: The adversary submits two distinct messages $(M_0, M_1)$ of the same length and a target access structure $\mathbb{A}^*$, where none of the attribute sets queried in Phase 1 satisfies $\mathbb{A}^*$. Then the challenger $\mathcal{C}$ chooses a bit $b \leftarrow \{0, 1\}$ and returns $CT^* \leftarrow \mathrm{Encrypt}(\mathbb{A}^*, M_b)$.
Phase 2: The same as Phase 1, except that queries Decrypt($CT^*$, $S_j$) and KeyGen($S_j$) with $S_j \models \mathbb{A}^*$ are not allowed.
Guess: The adversary $\mathcal{A}$ outputs a bit $b'$ and wins the game if $b' = b$.
The advantage of the adversary $\mathcal{A}$ in winning the game is defined as
$$\mathrm{Adv}(\mathcal{A}) = \Pr[b' = b] - 1/2$$
We say that an ABE scheme is CCA secure if, for every PPT adversary $\mathcal{A}$, $\mathrm{Adv}(\mathcal{A})$ is negligible.
Waters CP-ABE
additional restriction
Let $e : G \times G \to G_T$ be a bilinear map, where G and $G_T$ are multiplicative groups of prime order p. Let g be a generator of G.
Setup($1^\lambda$): Define the universe $U = \{1, 2, \ldots, k\}$
1. Randomly choose $h_1, h_2, \ldots, h_k \leftarrow G$
2. Randomly choose $\alpha, a \leftarrow \mathbb{Z}_p$
3. Compute $Y = e(g, g)^{\alpha}$, $h = g^a$
4. Set params $= (g, h, Y, \{h_i\}_{i=1}^{k})$, msk $= g^{\alpha}$
5. Output (params, msk)
Encrypt($\mathbb{A} = (L, \rho)$, M): Let the LSSS access structure L be an $\ell \times n$ matrix
1. Choose a random vector $v = (s, y_2, \ldots, y_n) \leftarrow \mathbb{Z}_p^n$
2. For i = 1 to ℓ, compute $\lambda_i = \langle L_i, v \rangle$
3. Compute $C = M Y^s$, $C' = g^s$
4. For i = 1 to ℓ, compute $C_i = h^{\lambda_i} h_{\rho(i)}^{-s}$
5. Output $CT = (C, C', \{C_i\}_{i=1}^{\ell})$
KeyGen(msk, S)
1. Randomly choose $t \leftarrow \mathbb{Z}_p$
2. Compute $K = g^{\alpha} h^t$, $L = g^t$
3. For $x \in S$, compute $K_x = h_x^t$
4. Output $D = (K, L, \{K_x\}_{x \in S})$
Decrypt(CT, D): Let CT and D be associated with an access structure $\mathbb{A} = (M, \rho)$ and an attribute set S, respectively. Suppose that $S \models \mathbb{A}$ and let $I \subset \{1, \ldots, \ell\}$ be defined as $I = \{i : \rho(i) \in S\}$
1. Find $\{w_i\}_{i \in I}$ such that $\sum_{i \in I} w_i M_i = (1, 0, \ldots, 0)$
2. Compute
$$M = \frac{C}{\omega}, \qquad \omega = \frac{e(C', K)}{\prod_{i \in I} \big(e(C_i, L)\, e(C', K_{\rho(i)})\big)^{w_i}}$$
Waters CP-ABE Correctness
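$$e(C', K) = e(g^s, g^{\alpha} h^t) = e(g, g)^{\alpha s}\, e(g, g)^{ast}$$
$$\prod_{i \in I} \big(e(C_i, L)\, e(C', K_{\rho(i)})\big)^{w_i} = \prod_{i \in I} \Big(e\big(g^{a\lambda_i} h_{\rho(i)}^{-s}, g^t\big)\, e\big(g^s, h_{\rho(i)}^t\big)\Big)^{w_i} = \prod_{i \in I} \Big(e(g, g)^{at\lambda_i}\, e(h_{\rho(i)}, g)^{-st}\, e(g, h_{\rho(i)})^{st}\Big)^{w_i} = \prod_{i \in I} e(g, g)^{at w_i \lambda_i} = e(g, g)^{at \sum_{i \in I} w_i \lambda_i} = e(g, g)^{at \sum_{i \in I} w_i \langle M_i, v \rangle} = e(g, g)^{ats}$$
$$\frac{C}{\omega} = \frac{M\, e(g, g)^{\alpha s}}{\dfrac{e(g, g)^{\alpha s}\, e(g, g)^{ast}}{e(g, g)^{ast}}} = M$$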
Waters CP-ABE Security Proof
Definition: q-DBDHE Problem
Let $a, s \leftarrow \mathbb{Z}_p$ and $g_i = g^{a^i}$. Given $x = (g, g_1, \ldots, g_q, g_{q+2}, \ldots, g_{2q}, g^s)$ and $Z \in G_T$, decide if $Z \stackrel{?}{=} e(g, g)^{s a^{q+1}}$.
Theorem
Waters' CP-ABE is selectively secure against chosen-plaintext attacks if the q-DBDHE problem is hard.
Given $x = (g, g^a, \ldots, g^{a^q}, g^{a^{q+2}}, \ldots, g^{a^{2q}}, g^s)$ and $Z \in G_T$, the challenger $\mathcal{C}$ simulates the following CPA game for an adversary $\mathcal{A}$.
Init: The adversary $\mathcal{A}$ submits a target access structure $\mathbb{A}^* = (M^*, \rho^*)$, where $M^* \in \mathbb{Z}_p^{\ell^* \times n^*}$ and $n^* \leq q$.
Setup:
1. Randomly choose $\alpha'$ and set $Y = e(g^a, g^{a^q})\, e(g, g)^{\alpha'}$, which means $\alpha = a^{q+1} + \alpha'$
2. Set $h = g^a$
3. For $x \in U$, randomly choose $z_x \leftarrow \mathbb{Z}_p$
4. For $x \in U$, if there is an i such that $\rho^*(i) = x$, set
$$h_x = g^{z_x}\, g^{a M_i[1]}\, g^{a^2 M_i[2]} \cdots g^{a^{n^*} M_i[n^*]}$$
where $M_i[j]$ denotes the j-th entry of $M_i$; otherwise set $h_x = g^{z_x}$
5. Return params $= (g, h, Y, \{h_x\}_{x \in U})$
Waters CP-ABE Security Proof Phase 1 KeyGen Query
1. Find a vector $w = (w_1, \ldots, w_{n^*})$ such that $M^* \cdot w = 0$ and $(1, 0, \ldots, 0) \cdot w \neq 0$
2. Set $w_1 = -1$
3. Randomly choose $r \leftarrow \mathbb{Z}_p$
4 Set
It can be achieved by computing
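For $x \in S$:
If x is not used in $\mathbb{A}^*$, i.e. there is no $i \in \{1, \ldots, \ell\}$ with $\rho^*(i) = x$:
$$K_x = L^{z_x} = g^{t z_x} = (g^{z_x})^t = h_x^t$$
If x is used in $\mathbb{A}^*$, i.e. there exists $i \in \{1, \ldots, \ell\}$ with $\rho^*(i) = x$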
When j = m, there is no problem with the unknown $g^{a^{q+1}}$, since
Waters CP-ABE Security Proof Challenge
1. The adversary submits two messages $M_0, M_1$
2. Randomly choose $b \leftarrow \{0, 1\}$
3. Set $C' = g^s$
4. Compute $C = M_b\, Z\, e(g^s, g^{\alpha'})$
5. Choose $y'_2, \ldots, y'_{n^*} \leftarrow \mathbb{Z}_p$
6. Set $v = (s, sa + y'_2, sa^2 + y'_3, \ldots, sa^{n^*-1} + y'_{n^*})$
$$C_i = g^{a\lambda_i}\, h_{\rho^*(i)}^{-s}, \qquad h_{\rho^*(i)} = g^{z_{\rho^*(i)} + \sum_{j=1}^{n^*} a^j M_i[j]}$$
Waters CP-ABE Security Proof
If there is an adversary that wins the game with non-negligible advantage, then the challenger is able to solve the q-DBDHE problem with the same advantage.
NCCU CPDA Lecture 12 Attribute Based Encryption

  • 1. 1/30 CPDA Lecture 12 Attribute-Based Encryption 曾一凡 林彥賓 2020 年 8 月 12 日 2020 年 8 月 12 日
  • 2. 2/30 Outline Introduction KP-ABE Definition Security Model Access Tree To LSSS Scheme Correctness Security Proof CP-ABE Definition Security Model Waters Scheme Correctness Security Proof 2020 年 8 月 12 日
  • 3. 3/30 Introduction Key-Policy Attribute-Based Encryption (KP-ABE): an attribute set is associated with a ciphertext, and an access structure(Policy) is associated with private key Ciphertext-Policy Attribute-Based Encryption (CP-ABE): a user’s private key is associated with a set of descriptive attributes, and a ciphertext is associated with an access structure(Policy) 2020 年 8 月 12 日
  • 4. 4/30 KP-ABE Definition Setup(1λ): Taking as input the security parameter, the algorithm outputs the system parameter params and the master secret key msk Encrypt(S, M): Taking as inputs a set of attributes S and a message M, the algorithm outputs a ciphertext CT KeyGen(msk, A): Taking as inputs the master secret key msk and an access structure A, the algorithm outputs a private key D Decrypt(CT, D): Taking as inputs a ciphertext CT and a private key D, the algorithm outputs a message define |= S |= A denote “S satisfies A” correctness For CT ←− Encrypt(S, M), D ←− KeyGen(msk, A), we have M ←− Decrypt(CT, D) if S satisfies A 2020 年 8 月 12 日
  • 5. 5/30 KP-ABE Security Model Setup: The challenger C runs the Setup algorithm and sends params to the adversary A Phase 1: The adversary A makes polynomially many queries to the following oracles KeyGen(Ai): Upon inputting an access structure Ai, the oracle returns the corresponding private key DAi Decrypt(CT, Ai): Upon inputting a ciphertext CT and an access structure Ai, the oracle returns the output of Decrypt(CT, DAi ) Challenge: The adversary A submits two distinct message (M0, M1) of the same length, and a target attribute set S∗, where S∗ does not satisfy the access structures queried in Phase 1. Then the challenger C chooses a bit b ←− {0, 1}, and returns CT ←− Encrypt(S∗, Mb) Phase 2: It is the same as Phase 1 except Decrypt(CT∗, Aj) and KeyGen(Aj) such that S∗ |= Aj are not allowed 2020 年 8 月 12 日
  • 6. 6/30 KP-ABE Security Model Guess: The adversary A outputs a bit b, and wins the game if b = b. The advantage of the adversary A in winning the game is defined as Adv(A) = Pr[b = b]−1/2 We say that an ABE scheme is CCA secure if for all PPT adversary A, Adv(A) is negligible 2020 年 8 月 12 日
  • 7. 7/30 Access Tree To LSSS 1 label the root with [1] and label each node from the root to leaves 2 If an internal node is “∧”labelled with a vector v, then we label its left son with [v, 1], and the right son with [0, ..., 0, −1]. The sum of left and right should be [v, 0] 3 If an internal node is “∨”then we label the two sons with the same vector as their parent 4 pad 0 to the shorter vectors to make all the vectors the same length 2020 年 8 月 12 日
  • 8. 8/30 Access Tree To LSSS example A ∧ (B ∨ (C ∧ D)) 2020 年 8 月 12 日
  • 9. 9/30 KP-ABE Scheme Setup(1λ): Define the universe U = {1, 2, ..., k} 1 Randomly choose ti ←− Zp, i = 1, 2, ..., k 2 Compute Ti = gti , i = 1, 2, ..., k 3 Randomly choose y ←− Zp and compute Y = e(g, g)y 4 Set params = (T1, T2, ..., Tk, Y), msk = (t1, t2, ..., tk, y) 5 Output (params, msk) Encrypt(S, M): To encrypt a message M ∈ GT for an attribute set S ∈ U 1 Randomly choose s ←− Zp 2 Compute C = MYs 3 For x ∈ S, compute Cx = Ts x 4 Output CT = (C, {Cx}x∈S) KeyGen(msk, A): To generate the private key for access structure A = (MZℓ×n p , ρ) 1 Randomly choose v2, v3, ..., vn ←− Zp and set v = (y, v2, ..., vn) 2 Let Mi denote the i-th row of M. For i = 1 to ℓ, compute Di = g Mi,v tρ(i) 3 output private key D = ({Di}i=1,...,ℓ) 2020 年 8 月 12 日
  • 10. 10/30 KP-ABE Scheme Decrypt(CT, D): Assume that CT and D are associated with an attribute set S and an access structure A = (M, ρ), respectively. Let I ⊂ {1, ..., ℓ} be defined as I = {i : ρ(i) ∈ S} If S |= A, then by the property of LSSS, there must exist a set of constant {wi}iI such that i wiMi = (1, 0, ..., 0) n . Output M = C i∈I e(Di, Cρ(i))wi Since i∈I wiMi = (1, 0, ..., 0) n , we have that i∈I wi Mi, v = i∈I wiMi, v = (1, 0, ..., 0), (y, v2, ..., vn) = y 2020 年 8 月 12 日
  • 11. 11/30 KP-ABE Correctness i∈I e(Di = g Mi,v tρ(i) , Cρ(i) = (T = gt )s ρ(i))wi = i∈I e(g, g)wiMi,vs = e(g, g)s ∏ i∈I wiMi,v = e(g, g)sy = Ys (1) C i∈I e(Di, Cρ(i))wi = MYs Ys = M 2020 年 8 月 12 日
  • 12. 12/30 KP-ABE Security Proof Theorem GPSW KP-ABE is selectively secure against the chosen-plaintext attacks under the DBDH assumption Given the instance (g, ga, gb, gc, Z = e(g, g)a,b,c) of the DBDH problem Init: The adversary A submits a target attribute set S∗ Setup:The challenger C performs as follows. 1 Y = e(ga , gb ), which means we implicitly set y = ab 2 For i ∈ S∗ , random choose fi ←− Zp and compute Ti = gfi (thus ti = fi) 3 For i ∈ U/S∗ random choose hi and compute Ti = (gb )hi (thus ti = bhi) 4 Return params = ({Ti}i∈U, Y) 2020 年 8 月 12 日
  • 13. 13/30 KP-ABE Security Proof Phase 1 KeyGen Query let l = (1, 0, ..., 0) n , Ms be the submatrix whose rows correspond to the attribute in S∗ goal find a vector v such that l · v = y = ab, and g Mi,v tρ(i) can be computed no matter ρ(i) ∈ S∗ or not Proposition 1 A vector x is independent of a set of vector represented by a matrix N, if and only if there is a vector w such that N · w = 0 while x · w ̸= 0 Since S∗ does not satisfy A, the rows of MS∗ do not generate l, i.e., l is independent of MS∗ 2020 年 8 月 12 日
  • 14. 14/30 KP-ABE Security Proof Phase 1 KeyGen Query define v = u + ψw, MS∗ · wT = 0 and l · wT = δ ̸= 0 random choose k = (k1, k2, ..., kn) and set u = bk = (bk1, bk2, ..., bkn) l · vT = ab ⇒ l · (u + ψw)T = ab ⇒ bk1 + ψδ = ab ⇒ ψ = b( a − k1 δ ) 2020 年 8 月 12 日
  • 15. 15/30 KP-ABE Security Proof Phase 1 KeyGen Query For ρ(j) ∈ S∗, tρ(j) = fρ(j) Mj, v tρ(j) = Mj, u +(ψ Mj, w = 0) fρ(j) = b( Mj, y fρ(j) ) Di = (gb ) Mj,y fρ(j) For ρ(j) /∈ S∗, tρ(j) = bhρ(j) Mj, v tρ(j) = Mj, (u = bk) +(ψ = b(a−k1 δ )) Mj, w bhρ(j) = Mj, k +(a−k1 δ ) Mj, w hρ(j) = δ Mj, k −ki Mj, w δhρ(j) + a( Mj, w δhρ(j) ) Di = g δMj,k−kiMj,w δhρ(j) · (ga ) Mj,w δhρ(j) 2020 年 8 月 12 日
  • 16. 16/30 KP-ABE Security Proof
    Challenge: A submits two messages $M_0, M_1$, and C performs as follows
    1. Randomly choose $b \leftarrow \{0, 1\}$ and compute $C = M_b Z$
    2. Compute $C = M_b\, e(g, g)^{abc} = M_b Y^c$
    3. For $i \in S^*$, compute $T_i^c = g^{f_i c} = (g^c)^{f_i}$
    4. Return $CT^* = (C, \{C_i\}_{i \in S^*})$
    Phase 2: same as Phase 1
    Guess: since $C = M_b\, e(g, g)^{abc} = M_b Y^c$, the challenger is able to solve the DBDH problem if there is an adversary that wins the game with non-negligible advantage.
  • 17. 17/30 CP-ABE Definition
    Setup($1^\lambda$): Taking as input the security parameter, the algorithm outputs the system parameter params and the master secret key msk
    Encrypt(A, M): Taking as inputs an access structure A and a message M, the algorithm outputs a ciphertext CT
    KeyGen(msk, S): Taking as inputs the master secret key msk and an attribute set S, the algorithm outputs a private key D
    Decrypt(CT, D): Taking as inputs a ciphertext CT and a private key D, the algorithm outputs a message
    Correctness: For CT ← Encrypt(A, M), D ← KeyGen(msk, S), we have M ← Decrypt(CT, D) if S satisfies A
  • 18. 18/30 CP-ABE Security Model
    Setup: The challenger C runs the Setup algorithm and sends params to the adversary A
    Phase 1: The adversary A makes polynomially many queries to the following oracles
    KeyGen($S_i$): Upon inputting an attribute set $S_i$, the oracle returns the corresponding private key $D_{S_i}$
    Decrypt(CT, $S_i$): Upon inputting a ciphertext CT and an attribute set $S_i$, the oracle returns the output of Decrypt(CT, $D_{S_i}$)
    Challenge: The adversary submits two distinct messages $(M_0, M_1)$ of the same length, and a target access structure $A^*$, where none of the attribute sets queried in Phase 1 satisfies $A^*$. Then the challenger C chooses a bit $b \leftarrow \{0, 1\}$, and returns $CT^* \leftarrow$ Encrypt($A^*$, $M_b$)
    Phase 2: It is the same as Phase 1 except Decrypt($CT^*$, $S_j$) and KeyGen($S_j$) such that $S_j \models A^*$ are not allowed
  • 19. 19/30 CP-ABE Security Model
    Guess: The adversary A outputs a bit $b'$, and wins the game if $b' = b$.
    The advantage of the adversary A in winning the game is defined as $Adv(A) = \Pr[b' = b] - 1/2$
    We say that an ABE scheme is CCA secure if for all PPT adversaries A, $Adv(A)$ is negligible
  • 20. 20/30 Waters CP-ABE additional restriction
    Let $e : G \times G \to G_T$ be a bilinear map, where $G$ and $G_T$ are multiplicative groups with prime order $p$. Let $g$ be a generator of $G$.
    Setup($1^\lambda$): Define the universe $U = \{1, 2, \dots, k\}$
    1. Randomly choose $h_1, h_2, \dots, h_k \leftarrow G$
    2. Randomly choose $\alpha, a \leftarrow \mathbb{Z}_p$
    3. Compute $Y = e(g, g)^{\alpha}$, $h = g^a$
    4. Set $params = (g, h, Y, \{h_i\}_{i=1}^{k})$, $msk = g^{\alpha}$
    5. Output $(params, msk)$
    Encrypt($A = (L, \rho)$, M): Let the LSSS access structure $L$ be an $\ell \times n$ matrix
    1. Choose a random vector $v = (s, y_2, \dots, y_n) \leftarrow \mathbb{Z}_p^n$
    2. For $i = 1$ to $\ell$, compute $\lambda_i = \langle L_i, v \rangle$
    3. Compute $C = M Y^s$, $C' = g^s$
    4. For $i = 1$ to $\ell$, compute $C_i = h^{\lambda_i} h_{\rho(i)}^{-s}$
    5. Output $CT = (C, C', \{C_i\}_{i=1}^{\ell})$
  • 21. 21/30 Waters CP-ABE
    KeyGen(msk, S)
    1. Randomly choose $t \leftarrow \mathbb{Z}_p$
    2. Compute $K = g^{\alpha} h^{t}$, $L = g^{t}$
    3. For $x \in S$, compute $K_x = h_x^{t}$
    4. Output $D = (K, L, \{K_x\}_{x \in S})$
    Decrypt(CT, D): Let CT and D be associated with an access structure $(M, \rho)$ and an attribute set $S$, respectively. Suppose that $S \models A$ and let $I \subset \{1, \dots, \ell\}$ be defined as $I = \{i : \rho(i) \in S\}$
    1. Find $\{w_i\}_{i \in I}$ such that $\sum_{i \in I} w_i M_i = (1, 0, \dots, 0)$
    2. Compute $M = \dfrac{C}{\omega}$, $\omega = \dfrac{e(C', K)}{\prod_{i \in I} \big(e(C_i, L)\, e(C', K_{\rho(i)})\big)^{w_i}}$
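  • 22. 22/30 Waters CP-ABE Correctness
    $e(C', K) = e(g^s, g^{\alpha} h^{t}) = e(g, g)^{\alpha s}\, e(g, g)^{ast}$
    $\prod_{i \in I} \big(e(C_i = g^{a\lambda_i} h_{\rho(i)}^{-s},\ L = g^{t})\, e(C' = g^{s},\ K_{\rho(i)} = h_{\rho(i)}^{t})\big)^{w_i} = \prod_{i \in I} \big(e(g, g)^{at\lambda_i}\, e(h_{\rho(i)}, g)^{-st}\, e(g, h_{\rho(i)})^{st}\big)^{w_i} = \prod_{i \in I} e(g, g)^{at w_i \lambda_i} = e(g, g)^{at \sum_{i \in I} w_i \lambda_i} = e(g, g)^{at \sum_{i \in I} w_i \langle M_i, v \rangle} = e(g, g)^{ats}$
    $\dfrac{C}{\omega} = \dfrac{M\, e(g, g)^{\alpha s}}{\dfrac{e(g, g)^{\alpha s}\, e(g, g)^{ast}}{e(g, g)^{ast}}} = M$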
  • 23. 23/30 Waters CP-ABE Security Proof
    Definition: q-DBDHE Problem. Let $a, s \leftarrow \mathbb{Z}_p$ and $g_i = g^{a^i}$. Given $x = (g, g_1, \dots, g_q, g_{q+2}, \dots, g_{2q}, g^s)$ and $Z \in G_T$, decide if $Z \stackrel{?}{=} e(g, g)^{s a^{q+1}}$
    Theorem: Waters' CP-ABE is selectively secure against chosen-plaintext attacks if the q-DBDHE problem is hard
    Given $x = (g, g^{a}, \dots, g^{a^q}, g^{a^{q+2}}, \dots, g^{a^{2q}}, g^s)$, $Z \in G_T$, the challenger C simulates the following CPA game for an adversary A
    Init: The adversary A submits a target access structure $A^* = (M^*, \rho^*)$ where $M^* \in \mathbb{Z}_p^{\ell^* \times n^*}$ and $n^* \leq q$
  • 24. 24/30 Waters CP-ABE Security Proof
    Setup:
    1. Randomly choose $\alpha'$ and set $Y = e(g^{a}, g^{a^q})\, e(g, g)^{\alpha'}$, which means $\alpha = a^{q+1} + \alpha'$
    2. Set $h = g^a$
    3. For $x \in U$, choose randomly $z_x \leftarrow \mathbb{Z}_p$
    4. For $x \in U$, if there is an $i$ such that $\rho^*(i) = x$, set $h_x = g^{z_x}\, g^{a M_i[1]}\, g^{a^2 M_i[2]} \cdots g^{a^{n^*} M_i[n^*]}$, where $M_i[j]$ denotes the $j$-th entry of $M_i$; otherwise set $h_x = g^{z_x}$
    5. Return $params = (g, h, Y, \{h_x\}_{x \in U})$
  • 25. 25/30 Waters CP-ABE Security Proof
    Phase 1 KeyGen Query
    1. Find a vector $w = (w_1, \dots, w_{n^*})$ such that $M^* \cdot w = 0$ and $(1, 0, \dots, 0) \cdot w \neq 0$
    2. Set $w_1 = -1$
    3. Randomly choose $r \leftarrow \mathbb{Z}_p$
    4. Set
    It can be achieved by computing
  • 26. 26/30 Waters CP-ABE Security Proof
    Phase 1 KeyGen Query for $x \in S$
    If $x$ is not used in $A^*$, i.e. no $\rho^*(i) = x$, $i \in \{1, \dots, \ell\}$:
    $K_x = L^{z_x} = g^{t z_x} = (g^{z_x})^{t} = h_x^{t}$
    If $x$ is used in $A^*$, i.e. exists $\rho^*(i) = x$, $i \in \{1, \dots, \ell\}$
  • 27. 27/30 Waters CP-ABE Security Proof
    Phase 1 KeyGen Query
    when $j = m$, there is no problem of unknown $g^{a^{q+1}}$. since
  • 28. 28/30 Waters CP-ABE Security Proof
    Challenge
    1. The adversary submits two messages $M_0, M_1$
    2. Randomly choose $b \leftarrow \{0, 1\}$
    3. Set $C' = g^s$
    4. Compute $C = M_b\, Z\, e(g^s, g^{\alpha'})$
    5. Choose $y'_2, \dots, y'_{n^*} \leftarrow \mathbb{Z}_p$
    6. Set $v = (s, sa + y'_2, sa^2 + y'_3, \dots, sa^{n^*-1} + y'_{n^*})$
  • 29. 29/30 Waters CP-ABE Security Proof
    Challenge
    $C_i = g^{a\lambda_i}\, h_{\rho^*(i)}^{-s}$, $\quad h_{\rho^*(i)} = g^{z_{\rho^*(i)} + \sum_{j=1}^{n^*} a^j M_i[j]}$
  • 30. 30/30 Waters CP-ABE Security Proof
    If there is an adversary winning the game with non-negligible advantage, then the challenger is able to solve the q-DBDHE problem with the same advantage