Abstract
We propose an efficient large-universe multi-authority ciphertext-policy attribute-based encryption system. In a large-universe ABE scheme, any string can be used as an attribute of the system, and these attributes are not necessarily enumerated during setup. In a multi-authority ABE scheme, there is no central authority that distributes the keys to users. Instead, there are several authorities, each of which is responsible for the authorized key distribution of a specific set of attributes. Prior to our work, several schemes have been presented that satisfy one of these two properties but not both.
Our construction achieves maximum versatility by allowing multiple authorities to control the key distribution for an exponential number of attributes. In addition, the ciphertext policies of our system are sufficiently expressive and overcome the restriction that “each attribute is used only once” that constrained previous constructions. Besides versatility, another goal of our work is to increase efficiency and practicality. As a result, we use the significantly faster prime order bilinear groups rather than composite order groups. The construction is non-adaptively secure in the random oracle model under a non-interactive q-type assumption, similar to one used in prior works. Our work extends existing “program-and-cancel” techniques to prove security and introduces two new techniques of independent interest for other ABE constructions. We provide an implementation and some benchmarks of our construction in \(\mathsf {Charm}\), a programming framework developed for rapid prototyping of cryptographic primitives.
Notes
1. Actually, their system is more general in that it allows for monotone span programs.
2. The one-use restriction is needed to make the security proof of Lewko and Waters go through; if the one-use restriction were violated, there is neither a known attack nor a security proof.
3. If a user wants a key that corresponds to multiple attributes from the same authority, the key generation algorithm is trivially extended to take in many attributes by running the “single attribute” version once for each attribute.
4. The only requirement is that they have the correct type.
5. The global identifier universe \(\mathcal {GID}\) can be any set that provides a unique identifier for each user and is mapped by H.
References
Akinyele, J.A., Green, M., Rubin, A.: Charm: a framework for rapidly prototyping cryptosystems. Cryptology ePrint Archive, Report 2011/617 (2011). http://eprint.iacr.org/
Al-Riyami, S.S., Malone-Lee, J., Smart, N.P.: Escrow-free encryption supporting cryptographic workflow. Int. J. Inf. Sec. 5(4), 217–229 (2006)
Bagga, W., Molva, R., Crosta, S.: Policy-based encryption schemes from bilinear pairings. In: ASIACCS, p. 368 (2006)
Barbosa, M., Farshim, P.: Secure cryptographic workflow in the standard model. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 379–393. Springer, Heidelberg (2006)
Beimel, A.: Secure schemes for secret sharing and key distribution. Ph.D. thesis, Dept. of Computer Science, Technion (1996)
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, pp. 321–334 (2007)
Boneh, D., Boyen, X.: Efficient selective-id secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003). Extended Abstract in Crypto 2001
Boneh, D., Gentry, C., Hamburg, M.: Space-efficient identity based encryption without pairings. In: FOCS, pp. 647–657 (2007)
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011)
Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007)
Bradshaw, R.W., Holt, J.E., Seamons, K.E.: Concealing complex policies with hidden credentials. In: ACM Conference on Computer and Communications Security, pp. 146–157 (2004)
Charm. http://www.charm-crypto.com
Chase, M.: Multi-authority attribute based encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 515–534. Springer, Heidelberg (2007)
Chase, M., Chow, S.S.M.: Improving privacy and security in multi-authority attribute-based encryption. In: ACM Conference on Computer and Communications Security, pp. 121–130 (2009)
Cheung, L., Newport, C.C.: Provably secure ciphertext policy ABE. In: ACM Conference on Computer and Communications Security, pp. 456–465 (2007)
Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001)
Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 44–61. Springer, Heidelberg (2010)
Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. In: Discrete Applied Mathematics (2008)
Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006)
Goyal, V., Jain, A., Pandey, O., Sahai, A.: Bounded ciphertext policy attribute based encryption. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 579–591. Springer, Heidelberg (2008)
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98 (2006)
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008)
Lenstra, A.K., Verheul, E.R.: Selecting cryptographic key sizes. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 446–465. Springer, Heidelberg (2000)
Lewko, A.: Tools for simulating features of composite order bilinear groups in the prime order setting. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 318–335. Springer, Heidelberg (2012)
Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010)
Lewko, A., Waters, B.: Decentralizing attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011)
Lewko, A., Waters, B.: Unbounded HIBE and attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 547–567. Springer, Heidelberg (2011)
Lynn, B.: The Stanford pairing-based crypto library. http://crypto.stanford.edu/pbc
Miklau, G., Suciu, D.: Controlling access to published data using cryptography. In: VLDB, pp. 898–909 (2003)
MIRACL Crypto SDK. https://certivox.com/solutions/miracl-crypto-sdk/
Miyaji, A., Nakabayashi, M., Takano, S.: Characterization of elliptic curve traces under FR-reduction. In: Won, D. (ed.) ICISC 2000. LNCS, vol. 2015, pp. 90–108. Springer, Heidelberg (2001)
National Institute of Standards and Technology: NIST Special Publication 800-37 (2010)
Okamoto, T., Takashima, K.: Homomorphic encryption and signatures from vector decomposition. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 57–74. Springer, Heidelberg (2008)
Okamoto, T., Takashima, K.: Hierarchical predicate encryption for inner-products. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 214–231. Springer, Heidelberg (2009)
Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010)
Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: ACM Conference on Computer and Communications Security, pp. 195–203 (2007)
Page, D., Smart, N.P., Vercauteren, F.: A comparison of MNT curves and supersingular curves. IACR Cryptology ePrint Archive, p. 165 (2004)
Pirretti, M., Traynor, P., McDaniel, P., Waters, B.: Secure attribute-based systems. In: ACM Conference on Computer and Communications Security, pp. 99–112 (2006)
Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: ACM Conference on Computer and Communications Security, pp. 463–474 (2013)
Rouselakis, Y., Waters, B.: Efficient statically-secure large-universe multi-authority attribute-based encryption. Cryptology ePrint Archive, Report 2015/016 (2015). http://eprint.iacr.org/2015/016
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
Shen, E., Shi, E., Waters, B.: Predicate privacy in encryption systems. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 457–473. Springer, Heidelberg (2009)
Shi, E., Waters, B.: Delegating capabilities in predicate encryption systems. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 560–578. Springer, Heidelberg (2008)
Smart, N.P.: Access control using pairing based cryptography. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 111–121. Springer, Heidelberg (2003)
Source code of our constructions. www.rouselakis.com/RWABE
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009)
Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 53–70. Springer, Heidelberg (2011)
Appendices
A “Zero-Out” Lemma
Due to lack of space, the proof of the lemma is presented in the full version of the paper [41].
Lemma 1
Let \(A \in \mathbb {Z}_p^{\ell \times n}\) be the secret sharing matrix of a linear secret sharing scheme for an access policy \(\mathbb {A}\) and let \(\mathcal {C} \subseteq [\ell ]\) be a non-authorized set of rows. Let \(c\in \mathbb {N}\) be the dimension of the subspace spanned by the rows of \(\mathcal {C}\).
Then the distribution of the shares \(\{\lambda _x\}_{x\in [\ell ]}\) sharing the secret \(z\in {\mathbb {Z}_p}\) generated with the matrix A is the same as the distribution of the shares \(\{\lambda '_x\}_{x\in [\ell ]}\) sharing the same secret z generated with some matrix \(A'\), where \(A'_{x,j} = 0\) for all \((x,j)\in \mathcal {C}\times [n-c]\) (see Fig. 1).
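Lemma 1 is stated in terms of the shares of a linear secret sharing scheme. The following Python is an added illustration, not code from the paper: it assumes the standard LSSS convention (shares \(\lambda_x = A_x \cdot v\) with \(v = (z, r_2, \ldots, r_n)\), and a set of rows is authorized exactly when \((1,0,\ldots,0)\) lies in their span over \(\mathbb{Z}_p\)), and checks authorization by solving a linear system mod p. The policy matrix for “(A AND B) OR C” and the prime p are constructed sample values.

```python
import random

# Constructed LSSS matrix for the policy "(A AND B) OR C", one row per attribute.
A_MATRIX = [[1, 1], [0, -1], [1, 0]]   # rows 0, 1, 2 <-> attributes A, B, C
P = 2**61 - 1                          # sample prime group order (Mersenne prime)

def row_reduce(rows, p):
    """Reduced row echelon form mod p; returns (nonzero rows, pivot columns)."""
    rows, pivots, r = [list(x) for x in rows], [], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][c] % p), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c] % p, -1, p)
        rows[r] = [(x * inv) % p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] % p:
                f = rows[i][c]
                rows[i] = [(a - f * b) % p for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    return rows[:r], pivots

def solve_mod_p(M, b, p):
    """Return some x with M x = b (mod p), or None if the system is inconsistent."""
    reduced, pivots = row_reduce([row + [bi] for row, bi in zip(M, b)], p)
    if len(M[0]) in pivots:          # pivot in the right-hand-side column
        return None
    x = [0] * len(M[0])              # free variables are set to 0
    for row, c in zip(reduced, pivots):
        x[c] = row[-1]
    return x

def lsss_shares(A, z, p, rng=random):
    """lambda_x = A_x . v with v = (z, r_2, ..., r_n), r_j uniform in Z_p."""
    v = [z % p] + [rng.randrange(p) for _ in range(len(A[0]) - 1)]
    return [sum(a * vi for a, vi in zip(row, v)) % p for row in A]

def reconstruct(A, shares, S, p):
    """If rows S are authorized (they span (1,0,...,0)), recover z; else None."""
    n = len(A[0])
    transposed = [[A[x][i] for x in S] for i in range(n)]   # A_S^T
    omega = solve_mod_p(transposed, [1] + [0] * (n - 1), p)  # sum omega_x A_x = e_1
    if omega is None:
        return None
    return sum(w * shares[x] for w, x in zip(omega, S)) % p

if __name__ == "__main__":
    shares = lsss_shares(A_MATRIX, 12345, P)
    print(reconstruct(A_MATRIX, shares, [0, 1], P))   # A and B: recovers 12345
    print(reconstruct(A_MATRIX, shares, [0], P))      # A alone: None
```

Row sets for which `reconstruct` returns `None` are exactly the non-authorized sets \(\mathcal{C}\) that Lemma 1 applies to.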
B Bilinear Groups
Our construction works with instantiations of bilinear groups of prime order. Abstractly, let \(\mathbb {G}\) and \(\mathbb {G}_T\) be two multiplicative cyclic groups of prime order p, where the group operation is efficiently computable in the security parameter. Let g be a generator of \(\mathbb {G}\) and \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) be an efficiently computable pairing function that satisfies the following properties:
1. Bilinearity: for all \(u,v\in \mathbb {G}\) and \(a,b\in \mathbb {Z}_p\) it is true that \(e(u^a,v^b)=e(u,v)^{ab}\).
2. Non-degeneracy: \(e(g,g)\ne \mathbb {1}_{\mathbb {G}_T}\).
The above definition considers the so-called symmetric groups, where the two arguments of the pairing belong to the same group. In general, there exist asymmetric bilinear groups, where \(e:\mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\) and \(\mathbb {G}_1\), \(\mathbb {G}_2\), and \(\mathbb {G}_T\) are three different groups of prime order p. Several asymmetric instantiations of bilinear groups possess beneficial properties such as faster operations at the same security level and/or easier hashing to group elements.
C Approximate Security Level of all \(\mathsf {Charm}\) Elliptic Curves
In Table 2 we present the approximate security levels of all the elliptic curves supported by \(\mathsf {Charm}\). Although the results of the table do not necessarily translate to the security level of our assumption (or the various assumptions of the other ABE schemes), they provide an intuitive comparison between the security levels of the different instantiations. For more information on the security of discrete log and of q-type assumptions we refer the reader to [19, 24, 33, 38].
D Prime vs Composite Order Group Operations
In order to demonstrate the generic difference in the efficiency of prime order vs composite order implementations, we timed the group exponentiation (of a random group element with a random exponent) and pairing operations (on random group elements) in the \(\mathsf {MIRACL}\) framework [31] for different security levels. The benchmarks were executed on a dual core Intel® Xeon® CPU W3503@2.40 GHz with 2.0 GB RAM running Ubuntu R10.04. The elliptic curve utilized for all benchmarks was the supersingular (symmetric) curve \(y^2=x^3+1 \mod p\) with embedding degree 2 for suitable primes p.
In Table 3 we can see the significant gap between the timings in prime and composite order groups for the same security levels. This is the main reason that we used prime order groups for our construction.
Copyright information
© 2015 Springer-Verlag Berlin Heidelberg
Cite this paper
Rouselakis, Y., Waters, B. (2015). Efficient Statically-Secure Large-Universe Multi-Authority Attribute-Based Encryption. In: Böhme, R., Okamoto, T. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science, vol 8975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47854-7_19
DOI: https://doi.org/10.1007/978-3-662-47854-7_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-47853-0
Online ISBN: 978-3-662-47854-7