
Revocation Systems with Very Small Private Keys

Allison Lewko (The University of Texas at Austin), Amit Sahai (University of California, Los Angeles), Brent Waters (The University of Texas at Austin).


Presentation Transcript


  1. Revocation Systems with Very Small Private Keys. Allison Lewko (The University of Texas at Austin), Amit Sahai (University of California, Los Angeles), Brent Waters (The University of Texas at Austin).

  2. Broadcast Encryption [FN’93]. [Diagram labels: MSK, Public Params, Sender, Ciphertext, Receivers ID1, ID2, ID3, Revocation.]

  3. Simple Solution – Long Ciphertexts. Encrypt to each user (ID1, ID2, ID3, ID4). Problem: very inefficient.

  4. Revocation. S = set of revoked users. Encryption takes the Public Params, the message and S, and outputs a (short) CT that is not readable by users in S.

  5. Revocation System Algorithms
      • Setup → MSK, Public Params
      • KeyGen(MSK, ID)
      • Encrypt(S, PP, M)
      • Decrypt(S, CT, ID, $SK_{ID}$) → M, when $ID \notin S$

  6. Security Threat: Collusion. Revoked users (ID1, ID2) may collude.

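  7. Adaptive Security Definition (game between Challenger and Attacker)
      • Setup: the challenger holds MSK; the attacker receives the Public Params
      • Key Queries: the attacker queries keys for ID1, ID2, …
      • Challenge: the attacker submits $M_0$, $M_1$, S; the challenger returns Encrypt($M_b$, PP, S)
      • Revoked set S must include all queried users
      • Attacker must guess b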

  8. Our Two Equations Technique. Example: revoking ID*. User ID holds the pair $a \cdot ID + b = c$ and $a \cdot ID^* + b = d$, with c, d known values and a, b unknown values. User ID* can’t solve: ID = ID* gives dependent equations.

  9. Revoking Many Users. Revoking $ID_1, \ldots, ID_r$ gives r pairs of equations:
      • $a_1 ID + b_1 = c_1$, $a_1 ID_1 + b_1 = d_1$
      • $a_2 ID + b_2 = c_2$, $a_2 ID_2 + b_2 = d_2$
      • ⋮
      • $a_r ID + b_r = c_r$, $a_r ID_r + b_r = d_r$
      The ith revoked user can’t solve the ith pair.

  10. Problem: Collusion. Revoked users $ID_1$ and $ID_2$ collude:
      • $ID_1$ obtains $a_2, b_2$ from $a_2 ID_1 + b_2 = c_2$ and $a_2 ID_2 + b_2 = d_2$
      • $ID_2$ obtains $a_1, b_1$ from $a_1 ID_2 + b_1 = c_1$ and $a_1 ID_1 + b_1 = d_1$
      Together, they can solve everything!

  11. Solution: Personalized Unknowns. Unknowns depend on the user’s key:
      • $ID_1$: needs $\bar{a}_1, \bar{b}_1$; computes $\bar{a}_2, \bar{b}_2$
      • $ID_2$: computes $\tilde{a}_1, \tilde{b}_1$; needs $\tilde{a}_2, \tilde{b}_2$

  12. Summary of Our Technique. $S = \{ID_1, \ldots, ID_r\}$. Message M is split into r shares. [Diagram: users ID1, ID2, ID3, ID4.]

  13. Preventing Collusion. What if revoked users try to combine their shares? Private keys personalize reconstruction: everyone is doing a different puzzle.

  14. Our System
      • Public key: O(1) group elements
      • Private keys: O(1) group elements
      • Ciphertext: O(r) group elements (r = # revoked users)
      • Adaptive security from simple assumptions

  15. Why Key Size Matters
      • Small Public Keys:
          • Public key does not grow with number of users
          • Adding new users does not require changing public key
      • Small Private Keys:
          • Easily stored on small receiving devices
          • Reduced memory cost (only private key needed for decryption)
          • Efficient Attribute-Based Encryption with non-monotonic access formulas

  16. Previous Systems. Some previous systems: [KD’98, NP’00, NNL’01, DF’02, BGW’05, DPP’07, GW’09]. All of these have (n = # users in the system, r = # revoked users):
      • Private key size at least (log n), or
      • Public key size at least (r) or (n)
      Most proven selectively secure (weaker security).

  17. Our Systems
      • Simple version: proven selectively secure from new non-interactive assumption
      • Second version: proven adaptively secure from Decisional Linear and Decisional Bilinear Diffie-Hellman Assumptions

  18. Our System (simple version) Setup: G – group of order p with bilinear map e Public Key: Master Secret Key: Personalization KeyGen(MSK, ID): Private Key for ID: split into pieces Encrypt(PK, M, S): Ciphertext: fails for ID= IDi Decrypt(S, CT, ID, SKID):

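  19. How It Works
      • $e(C_0, D_0) = e(g^s, g^{\alpha} g^{t b^2}) = e(g,g)^{\alpha s} \, e(g,g)^{s t b^2}$, where $e(g,g)^{\alpha s}$ is the blinding factor and $e(g,g)^{s t b^2}$ is personalized by t
      • $e(g,g)^{s t b^2} = e(g,g)^{s_1 t b^2} \cdots e(g,g)^{s_r t b^2}$
      • Solve for using:
          • $e(D_1, C_{1,1}) = e((g^{b \cdot ID} h)^t, g^{b s_1}) = e(g,g)^{b^2 t s_1 ID} \, e(h,g)^{t b s_1}$
          • $e(D_2, C_{1,2}) = e(g^{-t}, (g^{b^2 ID_1} h^b)^{s_1}) = e(g,g)^{-b^2 t s_1 ID_1} \, e(g,h)^{-t b s_1}$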

  20. How It Works. Two equations in two unknowns ($a t b s_1$ and $b^2 t s_1$), letting $h = g^a$:
      • $b^2 t s_1 \cdot ID + a t b s_1 = c_1$ and $b^2 t s_1 \cdot ID_1 + a t b s_1 = c_2$
      • If $ID \neq ID_1$, equations are independent – solve for unknowns
      • If $ID = ID_1$, equations are dependent – cannot solve for $a t b s_1$ and $b^2 t s_1$

  21. How It Works - Summary
      • User $ID_i$ won’t be able to compute the i-th share
      • All non-revoked users can decrypt; all revoked users cannot
      • Collusion among revoked users won’t help, since they have different t values

  22. Adaptive Security from Simple Assumptions
      • Our Simple System – selectively secure under a new assumption
      • Techniques of our simple system + Dual System Encryption [W’09] = System that is adaptively secure under Decisional Linear and Decisional Bilinear Diffie-Hellman Assumptions

  23. ABE with Non-Monotonic Access Formulas [OSW’07]. Attribute-Based Encryption:
      • Ciphertexts: associated with attributes $\{A, B, D\}$
      • Secret Keys: associated with access formulas $(A \vee B) \wedge \neg C$
      • Decryption: $\{A, B, D\}$ satisfies $(A \vee B) \wedge \neg C$
      [Diagram: key $(A \vee B) \wedge \neg C$ applied to ciphertext $\{A, B, D\}$ yields M.]

  24. ABE with Non-Monotonic Access Formulas. Strategy: combine monotonic ABE with Revocation. $\neg C$: negated attribute ↔ revoked user. Small keys for Revocation are needed to prevent large blowup of key size for the ABE scheme.

  25. Previous Systems. Non-Monotonic ABE: [OSW’07]
      • Adapted [NP’00] revocation scheme to monotonic ABE scheme of [GPSW’06]
      • Private key size for ABE multiplied by O(log n), where n = max # attributes per ciphertext

  26. Non-Monotonic ABE. Blinding factor for revocation: $e(g,g)^{\alpha s}$. For each negated attribute $\neg A$: replace $\alpha$ by the secret share of $\alpha$ for $\neg A$.
      • Applying this with our simple scheme gives non-monotonic ABE without O(log n) blowup

  27. Summary
      • Small keys and strong security achieved simultaneously
      • More efficient non-monotonic ABE

  28. Questions?
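
The two-equations step of slides 8 to 11 and 20 can be checked numerically. The following is an added example, not code from the presentation: it computes on exponents modulo a prime instead of in a pairing group, so it illustrates only the linear algebra and gives no secrecy; the modulus, the identities and all function names are assumptions.

```python
# Toy model of the two-equations step, computed on exponents modulo a prime.
# No pairing group is used: this shows the linear algebra only, not secrecy.
import secrets

P = 2**127 - 1  # assumed prime standing in for the group order p

def rand():
    return secrets.randbelow(P - 1) + 1

def pair_values(a, b, t, s_i, user_id, revoked_id):
    """The two exponents a key with randomness t yields for one revoked ID."""
    x = b * b * t * s_i % P        # unknown b^2 t s_i (the i-th share)
    y = a * t * b * s_i % P        # unknown a t b s_i
    return (x * user_id + y) % P, (x * revoked_id + y) % P

def solve_share(c, d, user_id, revoked_id):
    """Return b^2 t s_i, or None when the equations are dependent."""
    diff = (user_id - revoked_id) % P
    if diff == 0:                  # ID = ID_i, so c == d: one equation only
        return None
    return (c - d) * pow(diff, -1, P) % P

def recover(a, b, t, shares, user_id, revoked):
    """Sum the r shares into b^2 t s, or None if any pair is unsolvable."""
    total = 0
    for s_i, rid in zip(shares, revoked):
        c, d = pair_values(a, b, t, s_i, user_id, rid)
        x = solve_share(c, d, user_id, rid)
        if x is None:
            return None
        total = (total + x) % P
    return total

def demo():
    a, b = rand(), rand()
    revoked = [101, 202]                   # constructed identities
    shares = [rand() for _ in revoked]     # s_1, s_2 with s = s_1 + s_2
    s = sum(shares) % P
    t_ok, t1, t2 = rand(), rand(), rand()  # per-key randomness t
    ok = recover(a, b, t_ok, shares, 303, revoked) == b * b * t_ok * s % P
    blocked = recover(a, b, t1, shares, 101, revoked) is None
    # Collusion: 202 can solve pair 1, but only under its own t2, not t1.
    c, d = pair_values(a, b, t2, shares[0], 202, 101)
    helper = solve_share(c, d, 202, 101)
    return ok, blocked, helper != b * b * t1 * shares[0] % P

if __name__ == "__main__":
    print(demo())
```

In the scheme itself these quantities exist only as exponents of pairing values, so the division by $ID - ID_i$ is carried out as an exponentiation of a group element.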
