Revocation Systems with Very Small Private Keys

1
Revocation Systems with Very Small Private Keys
Allison Lewko
Brent Waters
Amit Sahai
The University of Texas at Austin
The University of Texas at Austin
University of California, Los Angeles
TexPoint fonts used in EMF. Read the TexPoint
manual before you delete this box. A
2
Broadcast Encryption FN93
ID
1
Ciphertext
ID
2
Sender
ID
3
Revocation
Receivers
3
Simple Solution Long Ciphertexts
Encrypt to each user
ID1
ID2
ID3
ID4
Problem very inefficient
4
Revocation
S Set of Revoked Users
Message
S
Encryption
(short) CT not readable by users in S
5
Revocation System Algorithms

• Setup
• KeyGen(MSK, ID)
• Encrypt(S, PP,M)
• Decrypt(S,CT, ID, SKID)

ID
S
M, when ID ? S
6
Security Threat Collusion
ID
ID
1
2
Revoked Users May Collude
7
Adaptive Security Definition
Setup
Challenge
Key Queries
Challenger
Attacker
ID
1
ID
1
ID
M0, M1, S
Encrypt(Mb, PP, S)
2
ID
2
Revoked set S must include all queried users
Attacker must guess b
8
Our Two Equations Technique
Example revoking ID
User ID
Known values
aID b c
aID b d
Unknown values
User ID cant solve
ID ID
Dependent equations
9
Revoking Many Users
Revoking ID1, ,IDr
r pairs of equations
a1ID b1 c1
a1ID1 b1 d1
a2ID2 b2 d2
a2ID b2 c2
?
?
ith revoked user cant solve ith pair
arID br cr
arIDr br dr
10
Problem Collusion
Revoked users ID1 and ID2 collude
ID1
ID2
a1, b1
a2, b2
a2ID1 b2 c2
a1ID2 b1 c1
a1ID1 b1 d1
a2ID2 b2 d2
Together, they can solve everything!
11
Solution Personalized Unknowns
Unknowns depend on users key
ID1
-

ID2
-

a2, b2
a1, b1
-
-


a1, b1
Needs
Computes
a1, b1
-
-


a2, b2
Computes
a2, b2
Needs
12
Summary of Our Technique
ID1
S ID1, , IDr
ID2
Message M
ID3
ID4
Split into r shares
13
Preventing Collusion
What if revoked users try to combine their
shares?
Private keys personalize reconstruction Everyone
is doing a different puzzle
14
Our System

• Public key O(1) group elements
• Private keys O(1) group elements
• Ciphertext O(r) group elements (r revoked
  users)
• Adaptive security from simple assumptions

15
Why Key Size Matters

• Small Public Keys
• Public Key does not grow with number of users
• Adding new users does not require changing
  public key
• Small Private Keys
• Easily stored on small receiving devices
• Reduced memory cost
• (Only private key needed for decryption)
• Efficient Attribute-Based Encryption with
  non-monotonic access formulas

16
Previous Systems

• Some Previous Systems
• KD98, NP00, NNL01, DF02, BGW05, DPP07,
  GW09
• All of these have (n users in the system, r
  revoked users)
• Private key size at least ?(log n) or
• Public key size at least ?(r) or ?(n)
• Most proven selectively secure (weaker security)

17
Our Systems

• Simple version
• proven selectively secure from new
  non-interactive assumption
• Second version
• proven adaptively secure from Decisional Linear
  and Decisional Bilinear Diffie-Hellman Assumptions

18
Our System (simple version)
Setup G group of order p with bilinear map e
Public Key
Master Secret Key
Personalization
KeyGen(MSK, ID)
Private Key for ID
split into pieces
Encrypt(PK, M, S)
Ciphertext
fails for ID IDi
Decrypt(S, CT, ID, SKID)
19
How It Works
e(C0, D0) e(gs, ggtb2) e(g,g)s e(g,g)stb2
Blinding factor
Personalized by t
e(g,g)stb2 e(g,g)s1tb2 ? e(g,g)srtb2
Solve for using
e(D1, C1,1) e((gbIDh)t, gbs1)
e(D2,C1,2) e(g-t,(gb2 ID1hb)s1)
e(g,g) b2ts1ID e(h,g)tbs1
e(g,g)-b2t s1ID1 e(g,h)-tbs1
20
How It Works
Two equations in two unknowns (atbs1 and b2ts1)
(let h ga)
b2ts1ID atbs1 c1 and b2ts1ID1 atbs1
c2
If ID ? ID1, equations are independent
solve for unknowns
If ID ID1, equations are dependent
cannot solve for atbs1 and b2ts1
21
How It Works - Summary

• User IDi wont be able to compute the i-th share
• All non-revoked users can decrypt,
• All revoked users cannot
• Collusion among revoked users wont help
• since they have different t values

22
Adaptive Security from Simple Assumptions

• Our Simple System
• selectively secure under a new assumption

Techniques of our simple system

Dual System Encryption W09

• System that is adaptively secure under
  Decisional Linear
• and Decisional Bilinear Diffie-Hellman
  Assumptions

23
ABE with Non-Monotonic Access Formulas OSW07
Attribute-Based Encryption
Ciphertexts associated with attributes
A, B, D
Secret Keys associated with access formulas
(A Ç B) Æ C
Decryption
A, B, D satisfies (AÇB)Æ C
(A Ç B) Æ C
A, B, D
M
24
ABE with Non-Monotonic Access Formulas
Strategy combine monotonic ABE with Revocation
C
Negated attribute
Revoked user
Small keys for Revocation - needed to prevent
large blowup of key size for the ABE scheme
25
Previous Systems

• Non-Monotonic ABE OSW07
• Adapted NP00 revocation scheme to monotonic
  ABE scheme of GPSW06
• Private key size for ABE multiplied by O(log n),
• where n max attributes per ciphertext

26
Non-Monotonic ABE
Blinding factor for revocation e(g,g)s
For each negated attribute A
replace by
Secret share of for A

Applying this with our simple scheme gives
non-monotonic ABE without O(log n) blowup
27
Summary

• Small Keys and strong security achieved
  simultaneously
• More efficient non-monotonic ABE

28
Questions?