an ad hoc group signature scheme for accountable and anonymous access to outsourced data chuang wang...
TRANSCRIPT
An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to
Outsourced Data
Chuang Wanga,b and Wensheng Zhanga
aDepartment of Computer ScienceIowa State UniversitybSymantec Corporation
2
Background: Data Outsourcing
remote un-trusted data storage server
encrypt
decrypt
author
authorized users
3
ABE (Attribute-based Encryption)
OR
AND
“Computer
Science”
“ISU”
“PrivacyGrp@Symant
ec”
Access Structure
Graduate student
@cs.iastate
retrieve
decrypt
retrieve
decrypt
X
derive key based on secrets
associated with his attributes
4
Accountability?
What if the secret doc is found exposed?A trusted third-party authority should be able to find out who have accessed the data (accountability/ traceability)
Meanwhile, anonymity of users should be kept from entities other than the authority (including the un-trusted storage server)
OR
AND
“Computer
Science”
“ISU”
“Privacy@Symant
ec”
Access Structure
5
Group Signature Scheme
OR
AND
“Computer
Science”
“ISU”
“Privacy@Symant
ec”
Access Structure
group public key (gpk)
A user i’s personalized private key
(gski)
m
σm = sign(gpk, gski, m)
Verify(gpk, σm)=1?Record σm
(Authority is able to trace the signature to user i.)
Authorized Users
6
Group Signature Scheme: Problem
OR
AND
“Computer
Science”
“ISU”
“Privacy@Symant
ec”
Access Structure
group public key (gpk)
A user i’s personalized private key
(gski)
Access structures may be defined on the fly (when a document is outsourced)
Significant communication
overheads may need to set up private
keys for the members of dynamic
groups
The groups of users satisfying the access structures are formed
dynamically
Authorized Users
7
Our Proposal: Ad Hoc Group Signature (AdHocSign) – Design
Goals
Objective: ad hoc group signature scheme.
Design RequirementsUser anonymity: A successfully verified user could be any one of the authorized users.
– Ex: Access Structure = “a AND b”; a successfully-verified user could be any one owning attributes a and b.
– Ex: Access Structure = “(a AND b) OR c”; a successfully-verified user could be any one owning attributes a and b, or any one owning c, and the server and other users cannot know which of the above two cases occurs.
Traceability: The authority is able to trace a signature to a user.
8
Our Proposal: Ad Hoc Group Signature (AdHocSign) – Design
Goals
Objective: ad hoc group signature scheme.
Design RequirementsUser anonymity: A successfully verified user could be any one of the authorized users.
Accountability (traceability): The authority is able to trace a signature to a user.
Efficiency in communication (for group management):
when a new access structure is created, no extra communication for group management (e.g., distributing keys) is required.
9
Our Proposal: Ad Hoc Group Signature (AdHocSign) – Key Ideas
When a user joins: he/she is preloaded key materials for each attribute assigned.
Storage Cost
Communication Cost
When a document (and associated access structure) posted to server:
server is given key materials for the access structure (AS).
A user’s attributes satisfy the AS
Y
Obtain: the user-specific and access structure-specific privacy key for group signature
10
Basis: Group Signature [BonehShacham’04]
Complexity Assumptions:q-SDH problemDecision Linear problem
xi, Ai=g 1/(ζ+xi) g, g’=g
ζ
user i’s private key (gski)
public key (gpk)
e(Ai, g’×g ) = e(g, g) xibilinear mapping
System-wide secret
• Signing: sign(gpk, gski, m) σm
• Verifying: verify(gpk, m, σm) 1/0
11
AdHocSign: Roadmap of the Design
What to do?Construct and give appropriate key materials to users and storage server, s.t., an authorized user is able to derive his/her private key as in the BS group signature scheme
How?Consider a conjunction-only access structure
– Ex: “a AND b”Consider a disjunction-only access structure
– Ex: “a OR b”Consider a general (i.e., conjunction of disjunctive) access structure
– Ex: “(a OR b) AND (c OR d)”
12
AdHocSign for Conjunction-only Access Structures: Intuition
AND
a b
Access structure: T
Secrets:
αa , αb Authority
Server
Key materials: ra, rbPublic key:
• gT = g
• gT’ = gT
ζ
αa×ra+αb×rb
User i
Private key:
• xi
Key materials:
• for attribute a: gi,a=g
• for attribute b: gi,b=g
• … …
αa/(ζ+x i)
αb/(ζ+x i)
<T=“a AND b”; ra, rb>
• AiT = gi,a ×gi,b = grbra (αa×ra+αb×rb)/(ζ+x i)
e(AiT, gT’×gT
xi) = e(gT, gT)
13
AdHocSign for Disjunction-only Access Structures: Intuition (1)
OR
a b
Access structure: T
Secrets:
αa, αb,Authority
Server
Key materials:
ra= rT/αa ; rb= rT/αb
Public key:
• gT = g
• gT’ = gT
ζ
rT
User i
Private key:
• xi
Key materials:
• for attribute a: gi,a=g
• for attribute c: …
• … …
αa/(ζ+x i)
<T=“a OR b”; ra, rb>
• AiT = gi,a =
g
ra rT/(ζ+x i)
e(AiT, gT’×gT
xi) = e(gT, gT)
rT
14
AdHocSign for Disjunction-only Access Structures: Intuition (2)
OR
a b
Access structure: T
Secrets:
αa, αb,Authority
Server
Key materials:
ra= rT/αa ; rb= rT/αb
User i
Key materials:
• for attribute a: gi,a=g
• … …
• … …
αa/(ζ+x i)
<T=“a OR b”; ra, rb>
rT, ζ
Problem: User i can derive gi,b = gi,a,
<T=“a OR b”; ra, rb>
ra/rb
though user i does not own attribute b.
Later on, user i can satisfy access structures such as “a AND b”, “b OR x”.
15
AdHocSign for Disjunction-only Access Structure: Intuition (3)
The authorityFor each attribute a, multiple (instead of a single) secret
numbers are picked: αa,1, αa,2, …, αa,N Each user i who owns attribute a is preloaded with N secrets (key materials):gi,a,1, gi,a,2, …, gi,a,N, where gi,a,k = g
Every time when a new disjunction-only access structure, e.g., T=“a OR b”, is defined:
rT is selected randomly
rT,a = rT/αa,k1 and rT,b = rT/αb,k2, where αa,k1 and αb,k2 have not been used before
A user i with attribute a or b should use gi,a,k1 or gi,b,k2 to derive its private key
αa, k/(ζ+ xi)
16
AdHocSign for General Access Structures: Intuition
OR
c d
Access structure
αa,k1
Authority
OR
a b
AND
αb,k2 αc,k3 αd,k4
rT1 rT2
Server
Key materials given to server:(a, k1, rT,a = rT1/αa,k1)
(b, k2, rT,b = rT1/αb,k2)
(c, k3, rT,c = rT2/αc,k3)
(d, k4, rT,d = rT2/αd,k4)
Public key:
• gT = grT1+rT2
• gT’ = gTζ
17
AdHocSign for General Access Structures: Intuition
User i
Assume the user owns attributes a and d
Key materials assigned to user i:
• For attribute a
• …
• gi,a,k1 = g
• …
• For attribute d
• …
• gi,d,k4 = g
• …
αa,k1/(ζ+xi)
αd,k4/(ζ+xi)
Key materials provided by server:(a, k1, rT,a = rT1/αa,k1)
… ….
(d, k4, rT,d = rT2/αd,k4)
AiT = gi,a,k1 × gi,d,k4
= g
rT, a rT, d
(rT1+rT2)/(ζ+xi)
Private key: (xi, AiT)
18
Security Features
TraceabilityIntuitively: Storage server and/or collusive users are hard to forge valid signatures that cannot trace back to any of them, as long as the SDH problem is hard.
Formally: Our proposed AdHocSign scheme is (t, qH, qS, n, m,ε) traceable if (q, t’, ε’)-SDH assumption holds, where n = q-1, ε= 8n*sqrt(ε’qH) + 2n/q, t’=O(tmN).
19
Security Features
Selfless-anonymityIntuitively: Storage server and/or others are hard to determine if two signatures are pertinent to the same user or not, as long as the Decision Linear problem is hard.
Formally: Our proposed AdHocSign scheme is (t, qH, qS, n, m,ε) selflessly anonymous if (t’, ε’) Decision Linear assumption holds, where ε’ = ε(1/n2 – qSqH/p)/2.
20
Cost Analysis
Computational costUser’s cost
– Private key preparation– x exponential ops, where x is the number of disjunctive
components in the access structure – typically lower than signing cost as long as x is not too
large– Signing (using BS Group Signature Signing)
Server’s cost– Verification (using BS Group Signature Signing)
Overall: Typically less than twice of that of BS Group Signature scheme
21
Cost Analysis
Communication costO(L): L is the length of an access structure
Storage costO(Nx)
– x - total number of attributes owned by a user – N - total number of secrets preloaded for each attribute
N: the minimum number of different access structures that can be defined dynamically; in practice, more different access structures can be defined dynamically
22
Conclusion
We design a new group signature scheme for dynamically-formed groups
Selfless-anonymity
Traceability
No user key distribution at dynamic group forming time – at the cost of storing extra key materials when a user
joins the system
Applicable when: storage is cheaper than communication (cost for dynamic management of groups)
Thank you!
Contacts of the authors{wzhang, chuangw}@iastate.edu
Full paper:www.cs.iastate.edu/~wzhang/papers/adhocsign.pdf
24
Implementation
Prototype developmentBased on jPBC (java pairing-based library)Adopting the type A curve
Evaluation setupUser: desktop with 1.83 GHz Genuine Intel processor and 3GB RAMServer: workstation with two 2.13 GHz Intel Xeon processors and 24 GB RAM
Evaluation resultsBS Group Signature
– Signing cost – 1.65 seconds by average– Verification cost – 0.28 seconds by average
Private key computation in AdHocSign– ~0.1 second for each disjunctive component in the access structure