Attribute Based Cryptology

A Project Report

submitted by

SUBHASHINI VENUGOPALAN

in partial fulfilment of the requirements

for the award of the degree of

MASTER OF TECHNOLOGY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

INDIAN INSTITUTE OF TECHNOLOGY MADRAS

April 2011

THESIS CERTIFICATE

This is to certify that the thesis titled Attribute Based Cryptology, submitted

by Subhashini Venugopalan, to the Indian Institute of Technology, Madras, for

the award of the degree of Master of Technology, is a bona fide record of the

research work done by her under our supervision. The contents of this thesis, in

full or in parts, have not been submitted to any other Institute or University for

the award of any degree or diploma.

Prof. C. Pandu RanganResearch GuideProfessorDept. of Computer Science and EnggIIT-Madras, 600 036

Place: Chennai

Date: 30 April 2011

To the memory of my grandparents

This work is licensed under the Creative Commons Attribution 3.0 License.

ACKNOWLEDGEMENTS

I am deeply indebted to Prof. C. Pandu Rangan for his inspiration, support and guid-ance throughout my course here. His passion and enthusiasm for teaching, sharing hisknowledge and motivating students has not only amazed me, but has made an admirer ofeveryone who has been taught by him. To me, he has been more than a research advisor,his advice on topics ranging from philosophy to sports have benefited and enriched mein several ways. Whenever I have approached him to discuss ideas for my project, orany generic problem, or even something personal, I have always found an eager listener.He has also been a fun and enthusiastic partner to discuss various puzzles and riddles.I’m grateful to him for being very supportive in letting me pursue my interests outsideof academics, and encouraging me to learn and read widely. I’m happy to be a partof his lab which is a treasure house of knowledge and a place that offers an excellentenvironment for research. Not to forget, his sense of humour, and his jovial and affec-tionate nature have made the lab a lively and fun place to be in. I’m grateful for thisopportunity and look forward to continue my interactions with him in future.

I would like to express my gratitude to Sharmi and Vivek with whom I have hadmany insightful discussions, which have bettered my understanding of various topicsin cryptography. My debates with Sharmi were thoroughly enjoyable and have beenrewarding in terms of the sheer number of ideas that have resulted from them. My otherlabmates, Akash, Bhargav, Billy, Chaya, Esha, Prateek, Preetha ma’am, and Sangeethahave been a wonderful peer group to bounce off thoughts on various topics academicand otherwise. The company of Bhargav, Pandu Rangan sir, and Venkie (of MicrosoftResearch) always results in some rib-tickling jokes that have had the lab rolling withlaughter for days on end. Bhargav, apart from being the entertainer, along with Chayaare great companions to brainstorm on math games and puzzles as well. All of thesepeople along with former labmates Sai, Shinku and Swarun have made my time in theTCS lab stimulating and memorable.

I’d like to extend my thanks to Dr. Shankar Balachandran; his dedication and energyare infectious, and I’m glad I had the opportunity to be his teaching assistant for 3semesters. Working with him has been a delightful experience. I am also grateful toDr. Narayanaswamy for the interesting interactions we have had, and for the time andenergy he has devoted to me. I also take this opportunity to thank Professors Kamakoti,Krishna Sivalingam, Kamala Krithivasan, Sreenivasa Kumar, Hema Murthy, Dr. ShaileshVaya, and Dr. Alan Davy who have all made my courses here pleasurable. I thank myfaculty advisors Prof. Janakiram and Dr. Madhu Mutyam; and also Dr. Ashish , Dr.Chandra Sekhar, Prof. Siva Ram Murthy, and Dr. Ravindran for their constant supportand words of encouragement. Special thanks to Dr. Jayalal for instituting the theoryseminars which are exciting and informative. I am grateful to the entire computer sciencedepartment for their words of appreciation and the faith they have shown in me.

My thanks also goes to all my batchmates who have made the atmosphere in myclasses lively and thought provoking. Special mention to Smruthi and her wonderful circleof friends who have made my life at IITM complete. Last, but most importantly, I’mgrateful to my parents, sister, and family for their love, blessings and support throughoutthis endeavour.

i

ABSTRACT

KEYWORDS: attribute based, cryptosystems, encryption, signatures, effi-cient, multi-level, threshold, security.

The problems of confidentiality, authenticity and anonymity have been studiedfor long in cryptography, and the notion of provable security is the foundationfor most, if not all, modern cryptographic research. With great advancementsin technology, there is also a need to define and view these concepts of securityunder various dimensions. One such recent dimension of security is the attributebased view that has been conceived by the requirements in a distributed setting.Attribute based encryption and signature schemes have been developed in orderto give a more fine grained access control. Presently attribute-based systems havewide applicability in a number of new decentralized settings and address someexciting problems. In this thesis we propose an efficient attribute-based encryp-tion(ABE) scheme , with support for multi-level threshold predicates.We also dis-cuss regarding the security of some attribute-based signature(ABS) schemes andgive the construction for a threshold ABS scheme based on a novel approach.

In this work we first look at ABE. Anonymous access control is a very de-sirable property in various applications, e.g. encrypted storage in distributedenvironments; and attribute based encryption is a cryptographic scheme that istargeted to achieve this property. ABE is an encryption mechanism that is usefulin settings where the list of users may not be known apriori. Here, all users maypossess some credentials, and these are used to determine access control and alsoprovide a reasonable degree of anonymity with respect to the user’s identity. Ci-phertext policy attribute based encryption is a scheme that gives a natural wayto separate the credentials from the access policy and cleverly combine them at alater stage to provide secure access to protected data. In most ABE schemes thesize of the ciphertext is quite large and is of the order of the number of attributes.In this work we present our approach for a multi-level threshold attribute basedencryption which is independent of the number of attributes.

Secondly, we consider ABS schemes. Attribute-based signatures allow userspossessing a set of credentials to sign documents; although the credentials of thesigner can be verified, signers can still continue to retain a reasonable degree ofanonymity. This thesis discusses certain aspects regarding the security of someattribute based signature schemes. In particular we show multiple breaks in theexisting threshold attribute based signature schemes in [LAS+10]. We first claimthat the scheme is not secure since it allows, a signer without sufficient attributes- to satisfy the threshold of the access policy to sign a document and pass thenecessary verification. Then, we show that a signer possessing keys for someattributes can perform universal forgery and produce a signature that can satisfy

ii

the threshold for a set of attributes she does not possess. Finally, we show a totalbreak in the system, where the attacker can act as the key generating authorityand use her knowledge of the secret key to generate private keys for other users.We also include examples of the attacks to highlight the flaws of this scheme andother schemes appearing in [LK08, SSN09, KABPR10, LK10] which have the sameor a similar key construct.

Our next move aims at overcoming the above mentioned attacks. For that, wepropose a novel threshold ABS scheme based on the concept of ring signatures.Ring signatures [RST01] enable a signer to keep her identity hidden within theidentities of a group of n people who form the ring. We use this as a foundationand create a threshold ABS scheme, where the signer has to keep a thresholdof t attributes, in her possession, anonymous from a given set of n∗ attributes.Previous ABS schemes were largely derived from ideas in the encryption(ABE)schemes. This thesis proffers a new ABS scheme based on ring signatures andlends attribute-based signatures a different outlook.

iii

TABLE OF CONTENTS

ACKNOWLEDGEMENTS i

ABSTRACT ii

LIST OF TABLES viii

LIST OF FIGURES ix

ABBREVIATIONS x

NOTATION xi

1 Introduction 1

1.1 Attribute-Based Encryption . . . . . . . . . . . . . . . . . . . . 1

1.2 Attribute Based Signatures . . . . . . . . . . . . . . . . . . . . . 4

1.3 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

1.4 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.4.1 Efficient ciphertext-size threshold ABE . . . . . . . . . . 6

1.4.2 Security of threshold ABS . . . . . . . . . . . . . . . . . 6

1.4.3 New threshold ABS scheme . . . . . . . . . . . . . . . . 7

1.5 Organization of the Thesis . . . . . . . . . . . . . . . . . . . . . 7

2 Preliminaries 9

2.1 Bilinear Pairing . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.2 Hardness Assumptions . . . . . . . . . . . . . . . . . . . . . . . 9

2.2.1 Computational Diffie-Hellman Assumption . . . . . . . . 9

2.2.2 Decisional Diffie-Hellman Assumption . . . . . . . . . . . 9

2.2.3 Computational Bilinear Diffie-Hellman Assumption. . . . 10

2.2.4 Decisional Bilinear Diffie-Hellman Assumption . . . . . . 10

iv

2.2.5 Decision Linear Assumption . . . . . . . . . . . . . . . . 10

2.2.6 Bilinear Diffie-Hellman Exponent Assumption . . . . . . 10

2.2.7 Augmented Multi-sequence of Exponents D-H Problem . 10

2.3 Secret Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2.3.1 Linear secret sharing schemes . . . . . . . . . . . . . . . 11

2.3.2 Shamir’s secret sharing scheme . . . . . . . . . . . . . . 12

2.3.3 Lagrange interpolation . . . . . . . . . . . . . . . . . . . 12

2.4 Primitives for Attribute-based Encryption and Signatures . . . . 13

2.4.1 CP-ABE scheme algorithms . . . . . . . . . . . . . . . . 13

2.4.2 ABS algorithms . . . . . . . . . . . . . . . . . . . . . . . 13

2.5 Waters’ signature . . . . . . . . . . . . . . . . . . . . . . . . . . 14

2.6 Forking Lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

3 Existing Threshold Attribute-based Cryptosystems 17

3.1 Inception of Attribute Based Encryption . . . . . . . . . . . . . 17

3.2 CP-ABE Schemes with Efficient Ciphertext-Size . . . . . . . . . 19

3.3 Development of Attribute Based Signatures . . . . . . . . . . . 21

3.4 Threshold Attribute-Based Signatures . . . . . . . . . . . . . . . 22

4 Efficient Multi-level Threshold CP-ABE 25

4.1 Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

4.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

4.3 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

4.3.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

4.3.2 Key Generation . . . . . . . . . . . . . . . . . . . . . . . 27

4.3.3 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 27

4.3.4 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . 28

4.4 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.4.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

4.4.2 Generating the keys . . . . . . . . . . . . . . . . . . . . . 30

4.4.3 Encrypting a message . . . . . . . . . . . . . . . . . . . . 31

4.4.4 Decrypting the ciphertext . . . . . . . . . . . . . . . . . 32

v

5 On The Security of Attribute Based Signatures 35

5.1 Efficient Threshold ABS Scheme . . . . . . . . . . . . . . . . . . 35

5.1.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 35

5.1.2 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

5.1.3 Extract . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

5.1.4 Sign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

5.1.5 Verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

5.2 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

5.2.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

5.2.2 Extract . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

5.2.3 Preliminaries for the attack . . . . . . . . . . . . . . . . 37

5.2.4 Attack 1: Forgery without satisfying threshold . . . . . . 39

5.2.5 Attack 2: Universal forgery . . . . . . . . . . . . . . . . 40

5.2.6 Attack 3: Total break - impersonating key issuing authority 41

5.3 Attacks on schemes with similar key construct . . . . . . . . . . 41

5.3.1 Total break on attribute based ring signature scheme . . 42

5.3.2 Break on threshold attribute based signature scheme . . 42

5.3.3 Attack on ABS with multiple attribute authorities . . . . 43

5.3.4 Attack on multi-level threshold ABS scheme . . . . . . . 46

5.3.5 Total break on hidden ABS without anonymity revocation 48

5.4 Summary of attacks . . . . . . . . . . . . . . . . . . . . . . . . . 48

5.5 Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

6 New Threshold Attribute-Based Signature Scheme 50

6.1 Underlying Ring Signature . . . . . . . . . . . . . . . . . . . . . 51

6.1.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . 51

6.2 New ABS Scheme Construction . . . . . . . . . . . . . . . . . . 52

6.2.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

6.2.2 Key Generation . . . . . . . . . . . . . . . . . . . . . . . 53

6.2.3 Sign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

6.2.4 Verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

vi

6.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

6.3.1 Security Notions . . . . . . . . . . . . . . . . . . . . . . 56

6.3.2 Modified Computational Bilinear Diffie-Hellman Assump-tion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

6.3.3 Unforgeability . . . . . . . . . . . . . . . . . . . . . . . . 57

6.3.4 Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . 61

6.4 Advantages of the new approach . . . . . . . . . . . . . . . . . . 62

7 Conclusions and Directions for Future Work 64

7.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

7.1.1 Threshold CP-ABE . . . . . . . . . . . . . . . . . . . . . 64

7.1.2 Attribute Based Signatures . . . . . . . . . . . . . . . . 65

7.1.3 Threshold ABS - New Directions . . . . . . . . . . . . . 65

7.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

A Detailed Analysis of Proof 67

A.1 Sign Oracle Correctness . . . . . . . . . . . . . . . . . . . . . . 67

A.1.1 Verification analysis . . . . . . . . . . . . . . . . . . . . . 68

A.2 Correctness of Solving CBDH . . . . . . . . . . . . . . . . . . . 69

References 70

LIST OF TABLES

3.1 Comparison of PK, SK and ciphertext sizes . . . . . . . . . . . 20

5.1 Table summarizing the attacks . . . . . . . . . . . . . . . . . . . 48

viii

LIST OF FIGURES

1.1 Representation of the access policy as a tree. . . . . . . . . . . . 2

1.2 Threshold access policy to represent 3-out-of(“Colonel”, “Major”,“Navy”, “Op-X”, “Op-Y” , “Op-Z”). . . . . . . . . . . . . . . . . . 3

4.1 Multi-level threshold tree. . . . . . . . . . . . . . . . . . . . . . 25

4.2 Access tree structure for a multi-level predicate. . . . . . . . . . 30

4.3 Examples of access tree satisfaction. . . . . . . . . . . . . . . . . 31

4.4 Encryption - Generating shares using the Shamir’s secret sharingidea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

6.1 Ring ABS where each alleged member of the ring has 4 attributes. 50

ix

ABBREVIATIONS

ABE Attribute-Based Encryption

ABGS Attribute Based Group Signature

ABS Attribute-Based Signature

aMSE-DDH Augmented Multi-sequence of Exponents Diffie-Hellman Assump-tion

CBDH Computational Bilinear Diffie-Hellman Assumption

CDH Computational Diffie-Hellman Assumption

CMA Chosen Message Attack

CP-ABE Ciphertext-Policy Attribute Based Encryption

CPA Chosen Plaintext Attack

DBDH Decisional Bilinear Diffie-Hellman Assumption

DDH Decisional Diffie-Hellman Assumption

DLIN Decision Linear Assumption

KP-ABE Key-Policy Attribute Based Encryption

LSSS Linear Secret Sharing Schemes

m-CBDH modified Computational Bilinear Diffie-Hellman Assumption

MK Master Secret Key

MSP Monotone Span Program

NIWI Non-Interactive Witness Indistinguishability

NIZK Non-Interactive Zero Knowledge

PK Public Key

q-BDHE q-Bilinear Diffie-Hellman Exponent Assumption

SK Secret Key

t-ABS threshold Attribute Based Signature

TA Trusted Authority

x

NOTATION

G,G1,G2,GT Cyclic groups of prime order p

g Generator of group G

p, q Large primes

e(·, ·) A bilinear pairing

∆i,S(x) Co-efficient for Lagrange’s interpolation

T Multi-level threshold circuit

Zp Finite field of prime order p

CT Ciphertext

⊥ Null

D User’s signing secret keys

σ Signature

Υ Signing Predicate (policy)

C Challenger

A Adversary

k, λ Security parameter

m Message

msk Master secret key

params Public Parameters

xi

CHAPTER 1

Introduction

A public-key cryptosystem comprises of mechanisms to provide confidentiality,through public key encryption, and authenticity, through digital signatures. Insuch a system, the parties involved in communication - sender and receiver -maintain a pair of keys each, in order to perform either of the two operations ofencryption or signing. Depending on the application, there have been a variety ofpublic key cryptosystems proposed. A recent addition to this assortment is theattribute based system. Unlike in traditional cryptography where the intendedrecipient or the signer’s identity is clearly known, in an attribute based systemsone only needs to specify the attributes or credentials of the recipient(s) or thesigner in the form of a predicate that is to be satisfied. This feature enables securedata sharing even in a decentralized setting, providing both fine-grained controlon access and some degree of anonymity for the participants. In this thesis, we willlook at attribute-based systems with special focus on those that support thresholdpredicates.

1.1 Attribute-Based Encryption

There are several settings where a user would want to give access to documentsbased on certain credentials or the position/role of a person. This may be com-parable with ‘Views’ in a database. We would want different kind of users of thedatabase to be able to see only those contents that are relevant to them. Similarly,in a distributed setting where all the data may be stored in a server, the servermight allow access to files and documents based on some predefined access controlpolicy, for instance, clients may have to provide proper certification to retrievespecific files. In such cases, if the data(storage) in the database or server is com-promised, then although it may be in the encrypted form, anyone who has accessto the database or server may be able to retrieve all information including thosedocuments that may not be relevant to them. To be more specific, any normaluser of the database who gets his/her hands on the compromised data may nowbe able to get those files which were restricted and whose access was determinedby some application in the database or server.

ABE. ABE was first introduced by Sahai and Waters in [SW05, GPSW06]. Itprovides a mechanism by which we can ensure that even if the storage is com-promised, the loss of information will only be minimal. What attribute basedencryption does is that, it effectively binds the access-control policy to the dataand the users(clients) instead of having a server mediating access to files. Tounderstand this better, we will take a closer look at what constitutes an attribute-based system, with particular attention to ABE.

Access Policy. An access control policy would be a policy that defines the kindof users who would have permissions to read the documents. e.g In an academicsetting, grade-sheets of a class may be accessible only to a professor handling thecourse and some teaching assistants (TAs) of that course. We can express such apolicy in terms of a predicate:

( (Professor ∧ CS dept.)∨

(M.tech student ∧ CS-410 TA ∧ CS dept.) )

OR

ANDAND

Prof CS M.Tech CS CS410-TA

Figure 1.1: Representation of the access policy as a tree.

We will call the various credentials (or variables) of the predicate as attributesand the predicate itself which represents the access policy as the access-structure.In the example here the access structure is quite simple. But in reality, accesspolicies may be quite complex and may involve a large number of attributes.

Properties. There are two major features to attribute based encryption:1. It has the capacity to address complex access control policies.

2. The exact list of users need not be known apriori. Knowledge of the accesspolicy is sufficient.

Also, an important property that attribute based encryption schemes mustsatisfy is that of collusion resistance. Collusion resistance means that, if 2 ormore users possessing different keys combine to decrypt the ciphertext, they will besuccessful if and only if any one of the users could have decrypted it individually.In other words, even if multiple parties collude, they should not be able to decryptthe ciphertext unless one of them was able to decrypt it completely by herself.These properties ensure that only users possessing the right keys have access tothe information. Moreover, as the encryption is based on the access-structure itimplicitly assures anonymous access control.

2

Types of ABE. ABE can be categorized in to two types depending on whetherthe attributes are embedded in the ciphertext or whether the access-structure isembedded in the ciphertext. The first is the Key-policy based ABE (KP-ABE)which was infact the initial form of attribute based encryption that was developed.It was originally introduced in [SW05] and later by Goyal et al. in [GPSW06] andby Ostrovsky et al. [OSW07]. In KP-ABE they encrypt the attributes along withthe data and give the access structure to each user as part of their secret key. Butattribute based encryption is more applicable in the regular world if the access-structure can be embedded in the ciphertext and the users can have their attributessaved in their secret keys. This second form of ABE is known as ciphertext-policybased (CP-ABE) and was introduced by Bethencourt et al. [BSW07]. Both theseinitial schemes [GPSW06, BSW07] were largely based on the secret sharing schemedeveloped by Shamir [Sha79]. However, it is ciphertext policy based ABE that hasbecome more popular in later schemes like in [CN07, GJPS08, NYO09, GNSN10]and others. This might be largely due to the fact that CP-ABE represents anatural and more intuitive way to view attribute based encryption.

Threshold. In this thesis we will be targeting threshold access policies. Let’stake an example to understand what a threshold predicate is. Say Bob wants toencrypt and send a message to people who have atleast 3 out of 6 properties - Colonel, Major, Navy, Op-X, Op-Y , Op-Z . i.e The recipient should have any 3 ofthe properties: a) Colonel, b) Major, c) Navy, d) worked in operation-X, e) workedin operation-Y, f) worked in operation-Z . For instance, a person who successfullydecrypts the message may be an army major with experience in operations X andY. Equivalently, the message can be opened by a naval colonel who has worked inoperation Z. Thus 3 is just a minimum threshold of the attributes that must besatisfied by the recipient. In general, if the threshold is (t, n); then the decryptormust have t or more of the specified n attributes.

3-of-6

Colonel Major Navy Op-X Op-Y Op-Z

Figure 1.2: Threshold access policy to represent 3-out-of(“Colonel”, “Major”,“Navy”, “Op-X”, “Op-Y” , “Op-Z”).

The above figure [1.2] is an example where the threshold gate is a single pred-

3

icate. A regular access policy may consist of just a single threshold gate or theremay be even predicates where the threshold gate is a sub-node under some otheroperation like AND or OR.

We will look at attribute based encryption and threshold CP-ABE schemes ingreater detail in Chapter(3) of this thesis.

1.2 Attribute Based Signatures

There are several situations where one may need to obtain some permissions or asignature from an authority having certain credentials, but it may be immaterialas to who the specific authorizer is. For example, Alice may need an approvalfrom a major in the army or a captain in the navy but it may not matter as towho exactly gave her the permissions. There are also other situations where onemay need to prove that they possess specific credentials but would not want toreveal all their personal details in doing so. Let’s take an example where Bob, acaptain in the navy, is going to a secret officers meet. He wouldn’t want to revealmore about himself except to prove that he is an officer who is within his rightsin attending the meet. These are cases where attribute based signatures can beuseful.

ABS. Attribute based signature is a cryptographic primitive in which users pro-duce signatures based on some predicate of attributes, using keys issued by oneor more attribute authorities. ABS has largely been inspired by attribute basedencryption schemes [GPSW06, BSW07, Wat08]. Attribute based systems are ap-plicable in settings where there is a need for a complex policy to govern the accessof a document or provide authentication. These systems are also privacy-friendlysince they deal with the attributes of a user and not with any direct identity that isassociated with the signer. In this sense, ABS is similar to signature variants likeGroup signatures [Cam97], Ring signatures [RST01] and Mesh signatures [Boy07].The dominant idea of all these signature primitives is that they allow the signerfine-grained control over the amount of personal information exposed. However,it is important to note that a valid ABS signature guarantees that only a per-son possessing the required attributes that satisfy the predicate can produce asignature.

Signing policy. A notable feature of ABS is that, unlike other signature schemesattribute based systems are capable of supporting complex predicate policies. Forinstance, some permissions can be approved only by a person who is:

(((Major)

AND (in Army OR Navy)) OR (Captain AND in Operation-Star) OR (Com-mander AND in Operation-X)

). Moreover, a valid signature based on the above

predicate would only indicate one of the four possibilities for the signer: a) Majorin Army or b) Major in Navy or c) Captain in Operation-Star or d) Commander inOperation-X; but it would not reveal which of these the signer actually is. Also, aperson who is not any of the four would not be able to produce a valid signature.

4

We would like to remark here that, signing policies are similar to access policiesand both of them are predicates on some attributes.

Collusion. Another important property of attribute based systems is collusionresistance. This essentially means that multiple parties cannot collude and com-bine all their attributes to produce a valid signature if any one party could notdo it individually. For example, a commander in the airforce and a captain inoperation-X should not be able to somehow combine their attributes to producea valid signature for the above predicate.

1.3 Motivation

In our thesis we look at threshold ABE and ABS schemes. The most appealingfact about threshold gates is that they are very expressive and encompass theother common AND and OR gate access structures as well.

In most of the existing ABE schemes, the size of the ciphertext is very large,it is usually in the order of the number of attributes under consideration. Mostefficient schemes with expressive access control have ciphertext size proportionalto the number of attributes involved [Wat08]. There have also been works onconstant size CP-ABE schemes. A good number of the constant size ciphertextschemes are applicable only to some restricted access structures that use only ANDgates [ZH10, EMN+09]; and those that support threshold, like the work of Herranzet al. [HLR10], are suitable only in the case where the predicate has a single gate(threshold or otherwise). This motivates us to work towards obtaining a moreexpressive, multi-level threshold CP-ABE whose ciphertext-size is independent ofthe number of attributes.

Aside from that, endeavors in ABE have also spurned attribute based signa-tures. Hence, it is not surprising that attribute based signature constructions haveproperties like collusion resistance and predicate policies similar to that of ABE;additionally, they borrow some of the building blocks, like secret sharing, to en-gender these features. Our study on threshold attribute-based signature schemeshave led us to observe that, unlike in most threshold ABE constructions, thresholdABS schemes using secret sharing give the signer more secret components (in theform of dummy attributes) than he/she should possess. Primary objective of thatis to enable the signer with more components so as to reveal less about his/heridentity and give a greater degree of anonymity. This instigates us to probe theschemes from an adversarial standpoint and inspires us to make a detailed studyon the security aspects of ABS schemes.

5

1.4 Contributions

1.4.1 Efficient ciphertext-size threshold ABE

A part of this work focuses on an approach to get a multi-level threshold CP-ABEwhere the ciphertext size is independent of the number of attributes. The multi-level threshold access structure is more expressive and can be used to representcomplex access control policies. To be more specific, this access predicate canhave a threshold gate at every level of the access tree i.e. we can have a nodeas a threshold-gate and further, even the children of that node can be thresholdnodes until we reach the leaves which form the attributes. We propose a schemethat supports such an access structure and at the same time is efficient in terms ofthe number of ciphertext components. The main advantage of such a multi-levelthreshold structure is that, the threshold-gate can also be converted to just ANDor OR gate. Hence, a scheme that can support threshold gates at every levelof the access tree, can essentially be transformed to suit any complicated accesspredicate, making it highly expressive. In addition, the size of the ciphertext inour scheme depends on the complexity of the access policy as opposed to thecardinality of the universe of attributes.

1.4.2 Security of threshold ABS

In the second part of this thesis we show attacks on the threshold attribute basedsignature scheme proposed by Li et al. [LAS+10]. We claim that the scheme isinsecure since,

• a signer who does not possess the necessary number of attributes to satisfythe threshold of the predicate can still produce a valid signature.

• a signer with some attributes, completely unrelated to the attributes of thepredicate can perform universal forgery.

• an attacker can find a total break in the system and obtain a component ofthe secret key with which she can pose as the key generating authority.

Since our attack is based on the key construct in the scheme, we show thatone or more of these breaks also hold for the following schemes which have similarkey generation algorithm:

a) The ABS scheme with multiple attribute authorities, which is the secondscheme proposed in [LAS+10];

b) Attribute based ring signature scheme in [LK08];

c) The threshold attribute based signature by Shahandashti et al. [SSN09] whichis derived based on [LK08];

d) ABS for multi-level threshold circuits by Kumar et al. [KABPR10] and

6

e) Hidden attribute-based signatures without anonymity revocation by [LK10].

We also give our observations on why these attacks are applicable on theseschemes and mention our inferences.

1.4.3 New threshold ABS scheme

This thesis also proffers a novel approach to threshold attribute based signatures.Our approach is based on ring signature schemes and looks at forming a ringof aggregated sets of attributes. Using this idea, we provide a threshold ABSconstruction based on the efficient ID-based ring signature scheme in [CYH05].We have shown the security of our scheme in the random oracle model.

1.5 Organization of the Thesis

In Chapter 2, we begin with the formal definitions and fundamental conceptsneeded to follow attribute-based encryption and signature schemes . We dis-cuss some preliminaries and then proceed to the hardness assumptions used inselect ABE and ABS proofs. We then present the basic ideas on which thresh-old attribute-based cryptosystems are built on, like Shamir’s secret sharing andWaters’ signature.

Chapter 3 contains the development of attribute-based encryption, signaturesand some applications. It is a survey of the literature related to our problems.We devote specific sections for efficient ciphertext-size CP-ABE schemes and showhow each of them compare with respect to their key and ciphertext sizes. We alsodiscuss threshold ABS schemes at length and introduce our interest in working inthis area.

In chapter 4, we present the details for a multi-level threshold CP-ABE schemeand give our approach to solve the problem. We start by providing the exact modelof the access structure that we intend to facilitate and then give the algorithmsfor encryption and decryption. We also illustrate our scheme with the help of anexample.

Chapter 5 looks at the security of some attribute-based signature schemes. Wetake the particular case of the efficient threshold ABS scheme proposed by Li etal. in [LAS+10] and show that an adversary can not only create forgeries butalso get a part of the secret component which can be used to impersonate thekey-generating authority. We also look at other ABS schemes which incorporatea similar mechanism for key-generation and demonstrate the attacks in each ofthem. We conclude the chapter with our observations on the vulnerabilities ofthese schemes.

In chapter 6, we propose a new threshold ABS scheme based on the conceptof ring signatures. We explain how we imbibe the spirit of ring signatures to thethreshold ABS problem and then follow it with the construction of the scheme.

7

Then, we prove our scheme to be unforgeable in the random oracle model. Wealso mention an interesting new property, controlled partial anonymity, that arisesout of our approach.

In chapter 7, we presents our conclusions and potential directions for futurework. We also summarize the problems we discuss and the solutions that thisthesis has to offer along with their relevance in the current computing world.

8

CHAPTER 2

Preliminaries

2.1 Bilinear Pairing

Let G1, G2, GT be multiplicative groups of prime order p. The elements g1 ∈ G1

and g2 ∈ G2 are generators of G1 and G2 respectively. A bilinear pairing is a mape : G1 × G2 → GT with the following properties:

1. Bilinear: e(g1a, g2

b) = e(g1, g2)ab for all g1 ∈ G1,g2 ∈ G2, where a, b ∈ Zp.

2. Non-degenerate: There exists g1 ∈ G1 and g2 ∈ G2 such that e(g1, g2) 6= 1;in other words, the map does not send all pairs in G1 × G2 to the identityin GT .

3. Computability: There is an efficient algorithm to compute e(g1, g2) for allg1 ∈ G1 and g2 ∈ G2.

2.2 Hardness Assumptions

2.2.1 Computational Diffie-Hellman Assumption

Let G be a cyclic multiplicative group and g be it’s generator. The computationaldiffie-hellman(CDH) assumption holds in G if, given g, ga, gb ∈ G for unknowna, b ∈ Z∗p, it is computationally infeasible to compute gab.

We say that the (t, ε)-CDH assumption holds in G if no adversary running intime less than t can solve the CDH problem with success probability greater thanε, where ε is negligible.

2.2.2 Decisional Diffie-Hellman Assumption

Let G be a cyclic multiplicative group and g be it’s generator. Given two tuplesc0 = (g, ga, gb, gab) and c1 = (g, ga, gb, gc) for random a, b, c ∈ Z∗p. The (t, ε)-DDH assumption holds in G if there is no probabilistic polynomial-time adversarywhose probability of successfully distinguishing between the tuples c0 and c1 isbetter than 1

2+ ε, where ε is negligible.

2.2.3 Computational Bilinear Diffie-Hellman Assumption.

Let e : G×G→ GT be an efficiently computable bilinear map, where G has primeorder p. The computational bilinear diffie-hellman(CBDH) assumption is said tohold in G if, given elements P, aP, bP, cP, then no probabilistic polynomial-timeadversary can compute e(P, P )abc with non-negligible advantage, where a, b, c ∈RZ∗p and generator P ∈ G are chosen independently and uniformly at random.

2.2.4 Decisional Bilinear Diffie-Hellman Assumption

Let e : G×G→ GT be an efficiently computable bilinear map, where G has primeorder p. The decisional bilinear diffie-hellman(DBDH) assumption is said to holdin G if no probabilistic polynomial-time adversary is able to distinguish the tuplesc0 = (g, ga, gb, gc, e(g, g)abc) and c1 = (g, ga, gb, gc, e(g, g)z) with non-negligibleadvantage, where a, b, c, z ∈R Z∗p and generator g ∈ G are chosen independentlyand uniformly at random.

2.2.5 Decision Linear Assumption

Let e : G×G→ GT be an efficiently computable bilinear map, where G has primeorder p with generator g. The decision-linear (DLIN) assumption holds in G if,given the elements (ga, gb, gra, gsb, gt) ∈ G , for a random choice of a, b, r, s ∈ Zp ,it is computationally infeasible to determine whether t = r + s or t is random inZp.

2.2.6 Bilinear Diffie-Hellman Exponent Assumption

Let e : G×G→ GT be an efficiently computable bilinear map, where G has primeorder p with generator g. Let a, s ∈ Zp be chosen at random. Let gi denote ga

i .The q-Bilinear diffie-hellman exponent(q-BDHE) assumption holds in G if, giventhe following vector of 2q + 1 elements, y = (g, g1, · · · , gq, gq+2, · · · , g2q, g

s) (notethat the gq+1 is not in the list); it is infeasible for a polynomial time adversary tocompute e(g, g)a

q+1s.

2.2.7 Augmented Multi-sequence of Exponents Diffie Hell-man Problem

We present this problem as defined by Herranz et al. [HLR10]. Let G1, G2, GT

be multiplicative groups of prime order p, and let e : G1 × G2 → GT be a non-degenerate and efficiently computable bilinear map. Let g1 be a generator of G1

and g2 be a generator of G2. Let l, m, t be three integers. The (l, m, t)-augmentedmulti-sequence of exponents decisional Diffie-Hellman problem ((l, m, t)-aMSE-DDH) related to the group triplet (G1, G2, GT ) is as follows:

10

Input: the vector −→x l+m = (x1, · · · , xl+m) whose components are pairwise dis-tinct elements of (Z/pZ)∗ which define the polynomials

f(x) =l∏

i=1

(X + xi) and g(x) =l+m∏i=l+1

(X + xi) ,

the values

g1, gγ1 , · · · , g

γ l+t−2

1 , gκ·γ·f(γ)1 (2.1)

gωγ1 , · · · , gωγl+t−2

1 (2.2)

gα1 , gαγ1 , · · · , gαγ

l+t

1 (2.3)

g2, gγ2 , · · · , g

γm−2

2 , gκ·g(γ)2 (2.4)

gω2 , gωγ2 , · · · , gωγ

m−1

2 (2.5)

gα2 , gαγ2 , · · · , gαγ

2m−t+3

2 (2.6)

where κ, α, γ, ω are unknown random elements of (Z/pZ)∗ , and finally an elementT ∈R GT (chosen uniformly at random).

Output: a bit b.

The problem is correctly solved if the output is b = 1 when T = e(g1, g2)κ·f(γ)

or if the output is b = 0 when T is a random value from GT . In other words, thegoal is to distinguish if T is a random value or if it is equal to e(g1, g2)κ·f(γ).

The aMSE-DDH assumption holds if there is no probabilistic polynomial-time adversary who can distinguish between a T chosen randomly from GT ande(g1, g2)κ·f(γ) with non-negligible probability.

2.3 Secret Sharing

2.3.1 Linear secret sharing schemes

Attribute based cryptosystems make substantial use of LSSS (linear secret sharingschemes) . We borrow the following definition from Waters’ work in [Wat08].

A secret-sharing scheme Π over a set of parties P is called linear (over Zp ) if

1. The shares for each party form a vector over Zp.

2. There exists a matrix M with l rows and n columns called the share-generating matrix for Π. For all i = 1, · · · , l, the i’th row of M we letthe function ρ defined the party labeling row i as ρ(i). When we considerthe column vector v = (s, r2, · · · , rn), where s ∈ Zp is the secret to be shared,and r2, · · · , rn ∈ Zp are randomly chosen, then Mv is the vector of l sharesof the secret s according to Π. The share (Mv)i belongs to party ρ(i).

11

It is further shown that every linear secret sharing-scheme according to theabove definition also enjoys the linear reconstruction property, defined as follows:Suppose that Π is an LSSS for the access structureA. Let S ∈ A be any authorizedset, and let I ⊂ 1, 2, · · · , l be defined as I = i : ρ(i) ∈ S. Then, there existconstants ωi ∈ Zpi∈I such that, if λi are valid shares of any secret s accordingto Π, then

∑i∈I ωiλi = s. Furthermore, these constants ωi can be found in time

polynomial in the size of the share-generating matrix M .

2.3.2 Shamir’s secret sharing scheme

Shamir’s secret sharing scheme is a linear secret sharing scheme. Since this thesisdiscusses threshold attribute-based cryptosystems and our ABE construction alsomakes use of this idea, we make a brief presentation of this scheme here.

Shamir’s secret sharing is a form of secret sharing where a secret (S) is dividedinto n parts and each part is given to one of the participants. The idea is that,only if all (or t, as in the case of threshold) participants combine their sharesmeaningfully will they be able to reconstruct the original secret. It is importantto note here that, if fewer than n (or t, as in the case of threshold) participantsco-operate they must not be able to retrieve the secret.

Let us look at the case where we want to use (t, n) threshold to share the secretS. Without loss of generality we can assume S to be an element in a finite fieldF. We know that it takes t points to define a polynomial of degree t− 1. Shamir’ssecret sharing uses this idea to give the shares. We can now look at the schemeas an algorithm:

Algorithm 1 Shamir’s secret sharing1: Choose t− 1 co-efficients a1, · · · , at−1 ∈R F2: Set a0 = S3: Construct polynomial f(x) = a0 + a1x+ a2x

2 + · · ·+ at−1xt−1

4: Sharing: Evaluate the polynomial at n points5: Set each party’s share as (i, f(i))6: Reconstruction: Get the share of t or more parties7: Use Lagrange’s interpolation (Section[2.3.3]) to evaluate f(0) and get S.

We note here that, with fewer than t shares it is highly improbable to recon-struct the original polynomial exactly. Hence, by combining the shares of less thant parties, no one gets any clue on the secret S. But when t or more parties of then combine, then we are able to get S precisely.

2.3.3 Lagrange interpolation

Let q(x) be a d − 1 degree polynomial with each of it’s co-efficients as elementsof Zp. Then, given any set S of d points and the evaluation of the polynomial atthese points, q(a1), · · · , q(ad); we can use Lagrange’s interpolation to compute q(i)

12

for any i ∈ Zp. We define the Lagrange coefficient ∆i,S of q(i) in the computationof q(j) for j ∈ Zp and a set, S, of elements in Zp as ∆i,S(j) =

∏k∈S,k 6=i

j−ki−k . Thus,

q(j) =∑i∈S

q(i)∆i,S(j), where ∆i,S(j) =∏

k∈S,k 6=i

j − ki− k

2.4 Primitives for Attribute-based Encryption andSignatures

2.4.1 CP-ABE scheme algorithms• Setup. A randomized algorithm Setup(k) takes in as input a security

parameter and provides a set of public parameters (PK) and the master keyvalues (MK) .

• Encryption. The algorithm Enc(M, T , PK) is a randomized algorithmthat takes as input the message M to be encrypted, the access structureT which needs to be satisfied and the public parameters PK to outputthe ciphertext CT . We can say, that the encryption algorithm embeds theaccess structure in the ciphertext such that only those users with attributessatisfying T will be able to decrypt and retrieve the message M.

• Key-Generation. The KeyGen(MK, PK, A) algorithm takes as inputthe master key values MK, the public parameters PK and the attribute setA of the user, and outputs for the user a set of decryption keys SK whichconfirms the users possession of all the attributes in A and no other externalattribute.

• Decryption. The decryption algorithm Dec(CT , SK, PK) takes as in-put the ciphertext CT , the user secret keys SK and the public parametersPK, and it outputs the encrypted message M, if and only if the attributesA embedded in SK satisfy the access structure T which was used whileencrypting the ciphertext CT . i.e If T (A) = 1 then message M is outputelse, it outputs ⊥.

2.4.2 ABS algorithms• Setup. A randomized algorithm Setup(k) takes in as input a security

parameter and provides a set of public parameters params and the mastersecret key values MK .

• Key-Generation. The algorithm Key-Gen( ω, MK, params) is a ran-domized algorithm that takes as input ω which are the attributes of theuser, the master secret key MK and public parameters params. It gives asoutput a set of secret keys D corresponding to the attributes of the user; Dwould indicate that the user has all the attributes in the set ω. This phaseis sometimes also known as key-extraction phase.

13

• Sign. The Sign(m, Υ, D) algorithm takes as input the message m, thesigning policy or predicate Υ and the secret key of the signer D. It outputsthe signature σ on message m, which indicates that the signer has a set ofattributes that satisfy the predicate Υ.

• Verify. The verification algorithmVer(σ, Υ, params, m) takes as input thesignature σ, the predicate Υ, the public parameters params and the messagem. And the verification test passes, if and only if the subset of attributes ωof the signer embedded in σ satisfy the access structure Υ which was usedwhile signing. i.e If Υ(ω) = 1 then verification passes, else it outputs ⊥.

2.5 Waters’ signature

The ABS schemes we discuss in this thesis make extensive use of Waters’ signature[Wat05] for generating keys in the key-extraction phase, for each of the user’sattributes. Here, we will take a quick look at the signature scheme. The followingalgorithms constitute the scheme:

• Setup(λ)– Let G1, G2 and GT be multiplicative groups of prime order p where

bilinear map function is efficient. And, e : G1 ×G2 → GT

– n = |m|, length of the message

– Pick g ∈R G1 and g2, u′, u1, u2, · · · , un ∈R G2.

– Set g1 = gα where α ∈R Z∗p– Public parameters params are g, g1, g2, u

′, uii∈1,··· ,n– SK = α

• Sign(m, SK)– Let m = m1m2 · · ·mn ∈ 0, 1n and r ∈R Z∗p

– σ1 = gα2

(u′

n∏i=1

umii

)r– σ2 = gr

• Verify(m, σ = (σ1, σ2))

– Check e(g, σ1)?= e(g1, g2) · e(σ2, u

′n∏i=1

umii )

– Note here that inorder for the verification to pass it is necessary for gα2to be in σ1. That ensures the use of the secret key α.

14

Modification. The above scheme is proved secure in the standard model. Amodified simpler version of this is used in most of the ABS schemes where the

sign on the message, u′n∏i=1

umii is replaced by a simple hash as H(m) and the rest

of the procedure remains the same. This modified scheme is proven secure in therandom oracle model. We will look at the changes to the scheme and an intuitiontowards the proof.

• Setup(λ) It remains the same except that a new hash function is definedand the ui components are not chosen.– A hash function H : 0, 1∗ → G1

– Public parameters params are H and g, g1 = gα, g2 ∈ G– SK = α

• Sign(m, SK)– σ1 = gα2H(m)r

– σ2 = gr

• Verify(m, σ = (σ1, σ2))

– Check e(g, σ1)?= e(g1, g2) · e(σ2, H(m))

Proof Sketch. The proof for this is given in the random oracle model. Thesecurity of this signature is reduced to solving the CDH problem. That is, giventhe tuple g, A = ga and B = gb, we need to obtain gab using an attacker who canbreak the above signature scheme.

First we set α = a and g2 = gb, hence g1 = A and g2 = B. Now, inorder togive the signature on a message m, we will set H(m) = gbxm where xm ∈R Z∗p andthen pick a random r and assume that there exists an r′ such that r′ = r− a/xm.Then we give the signature as:

σ1 = grbxm σ2 = grA−1xm

To see how this is the same as what a genuine signer would give:

σ1 = ga2H(m)r′= gab(gbxm)r−a/xm = gabgrbxm−ab = grbxm

σ2 = gr′= gr−a/xm = grg

−axm = grA

−1xm

Now, we will see how it is possible for the challenger to solve CDH with thecomponents given by the forger. Note that, when a chosen message m∗ is givenfor hashing, the challenger will out put as hash just gxm∗ . If the adversary asksa signature on that message(m∗) then, the challenger will abort. But, if theadversary gives a signature on the message m∗ :

σ1 = gabH(m∗)r∗

σ2 = gr∗

15

Then challenger does the following:

σ1

(σ2)xm∗=gabH(m∗)r

∗

gr∗xm∗=gabgr

∗xm∗

gr∗xm∗= gab

This allows the challenger to solve the CDH problem with the help of a forgeron this scheme.

2.6 Forking Lemma

We make use of the forking lemma to give the proof for unforgeability of thethreshold attribute based signature that we propose in Chapter(6). Here, we willfirst present the conditions that are necessary for a ring signature to be consid-ered generic and then define the forking lemma for generic ring signatures. Thedefinitions are borrowed from those given by Herranz et al. in [HS04].

Generic Ring Signature. We denote by H(·), a cryptographic hash functionthat outputs k bits, where k is the security parameter. Consider a group of nring members. Now, given the input message m, a generic ring signature schemeproduces a tuple (m,R1, · · · , Rn, h1, · · · , hn, σ), where R1, · · · , Rn (randomness)take their values randomly in a large set G in such a way that Ri 6= Rj for alli 6= j, hi is the hash value of (m,Ri), for 1 ≤ i ≤ n, and the value σ is fullydetermined by R1, · · · , Rn, h1, · · · , hn and the message m.

Another required condition is that no Ri can appear with probability greaterthan 2/2k , where k is the security parameter. This condition can be achieved bychoosing the set G as large as necessary.

Forking lemma. The forking lemma for adaptive chosen message attacks withrespect to generic ring signature schemes, as given in [HS04] is as follows. LetA be a probabilistic polynomial time Turing machine whose input only consistsof public data. We denote by qh and qs, the number of queries that A can askto the random oracle and to some real signers of the ring, respectively. Assumethat, within time bound T, A produces with non-negligible probability ε, a validring signature (m,R1, R2, · · · , Rn, h1, · · ·hn, σ). Suppose, the valid ring signaturecan be simulated with a polynomially indistinguishable distribution of probabil-ity, without knowing any of the secret keys of the ring , within a time boundof Ts. Then there exists another probabilistic polynomial time Turing machinewhich can, by a replay of attacker A where the interactions with the signer aresimulated, produce two valid ring signatures (m,R1, R2, · · · , Rn, h1, · · ·hn, σ) and(m,R1, R2, · · · , Rn, h

′1, · · ·h′n, σ′) such that hj 6= h′j, for some j ∈ 1, · · · , n and

hi = h′i for all i = 1, · · · , n such that i 6= j, within a bounded time and non-negligible probability.

16

CHAPTER 3

Existing Threshold Attribute-based Cryptosystems

In this chapter we will briefly view the emergence of attribute based cryptosystemsand the problems they address. We will make a survey of existing literatureon attribute based encryption and signature schemes with particular focus onthose constructions that support threshold predicates. This chapter also paysspecific attention to cipher-text policy ABE schemes and motivates our study onconstructions that are efficient in terms of the ciphertext length. We will alsoremark on some of the similarities in threshold ABS and ABE constructions here.

3.1 Inception of Attribute Based Encryption

The notion of attribute-based encryption was first introduced by Sahai and Wa-ters [SW05] in their work titled Fuzzy Identity-based encryption. Here, they viewedidentities as a set of attributes and extended identity based encryption by makingit more fine-grained. Their construction allows attributes to be defined by arbi-trary strings. In order to generate the keys for each identity and distribute it inthe attributes, their scheme uses the idea of Shamir’s secret sharing. The schemeis proved secure in the selective-ID model by showing a reduction to the DecisionalBilinear Diffie-Hellman assumption. They also pose the problem of whether at-tributes can be certified by multiple authorities, i.e different attributes are givenby different authorities instead of one single attribute authority.

KP-ABE. The concept of ABE became more formal with the work of Goyal etal. [GPSW06]. They established the first key-policy attribute-based encryption.Although, their concept is reminiscent of secret sharing schemes, they were thefirst to define the idea of collusion-resistance, where they disallow parties from co-operating inorder to decrypt the ciphertext. They also use the tree-access structureto represent the predicate policy that allows a user to decrypt the message. Theirscheme also highlights fine-grained access control that can be provided by ABEschemes. They use the concepts of LSSS and monotone span programs to developthe scheme. As in [SW05] their scheme is also proved secure by reduction toDBDH in the selective-ID model. The authors suggest the applicability of theirscheme for encryption of audit logs and broadcast encryption. They leave the taskof creating a scheme that provides better anonymity as an open problem. i.e. Anencryption scheme that does not require one to reveal all the necessary attributesrequired by the decryptor very precisely.

CP-ABE. CP-ABE which came up next addressed the issue of anonymity tosome extent and actually gave a different kind of expressibility to attribute-based

systems. The first ciphertext-policy ABE scheme was developed by Bethencourtet al. [BSW07]. Their definition of tree-access structure and the secret sharingconcept was largely borrowed from [GPSW06]. However, CP-ABE was a moreintuitive representation of ABE. The scheme in [BSW07] also supported thresholdgates at every node of the tree. With CP-ABE, there was now better scope forproviding stronger anonymity to decryptors. Since only the access structure ismade public and the attributes that a user has is not required to be revealed toothers, it gives a greater sense of privacy to the decryptor. However, the majordrawback of this scheme is that, it is proved to be secure only in the generic groupheuristic and does not reduce to any of the known hardness assumptions. Theauthors felt that a challenging line of work would be to come up with a provablysecure system (may be different from CP-ABE and KP-ABE) that could probablyhave more elegant forms of expression.

CCA secure. This was soon followed by Cheung and Newport [CN07] propos-ing a provably secure CP-ABE scheme. Inorder to give a secure scheme, theyconsidered only those access structures with AND gates. However, their schemeadded support for negated attributes, in the words of the authors, their construc-tion was for access structures with AND gates on positive and negative attributes.They were able to give the proof for chosen plaintext (CPA) security by reducingit to the DBDH problem. Further, they use the Cannetti-Halevi-Katz technique toconvert their scheme to a chosen ciphertext (CCA) secure scheme. Their work alsoshows possible directions to extend the idea for threshold ABE and constructionof hierarchical attributes.

Non-monotone. Soon after that, Ostrovsky et al. [OSW07] proposed a KP-ABE scheme that could support non-monotone access structures. In the previousschemes, if an encryptor wanted to specify the negation of an attribute in the pred-icate then (s)he had to have both the attribute and it’s negation for all attributesin the universal set. However, Ostrovsky et al’s scheme gave a more elegant con-struction to overcome that problem. They were able to give more expressivenessto their predicates by employing revocation methods in their ABE scheme. Theyalso give a sketch of how to obtain the same property in a CP-ABE construction.The authors prove their scheme to be secure by reducing it to the DBDH problem.They also give a lead on how the idea can be used to realize any access formula.

Recipient-anonymous. The open problem of designing a more privacy-friendlyABE, which was posed by [GPSW06] was answered by Nishide et al. [NYO09].They presented ABE schemes that partially hid the access structures. This was,in a sense, the first attempt to give privacy not only to the decryptor but also tothe predicate which is used in creating the ciphertext. Since it was the first steptowards recipient anonymity their scheme employed only the AND gate accessstructure. The schemes are proved to be secure using the DBDH and DLINassumptions. They also discuss on how attributes can be added to the universe(which is usually fixed during the setup phase) after secret keys are generated.

18

3.2 CP-ABE Schemes with Efficient Ciphertext-Size

With attribute-based schemes gaining significance and relevance in various moderndecentralized environments, the foremost challenge was to make it more efficientinorder to reduce the communication costs. This instigated the research commu-nity to now focus on schemes that were more size-conserving. Almost all the initialschemes had the number of keys and ciphertext components proportional to thenumber of attributes. In most of the practical large-scale applications where theuniverse of attributes can be numerous, the previous ABE schemes would resultin a huge set of keys for each user and an immensely lengthy ciphertext. It is atthis time that efficient ciphertext size CP-ABE schemes gained importance.

Efficient. The pioneering steps towards efficient CP-ABE was taken up by Wa-ters in [Wat08]. The scheme proposed in that work was more efficient than allprevious schemes both in terms of the size of the components (key and cipher-text) and also in the running time. Waters gave the construction of a CP-ABEscheme that made use of LSSS to express access control and it was proved securein the standard model. In the same paper, the author provides two additionalconstructions, which make a small compromise with respect to performance butare proved secure in the decisional bilinear Diffie-Hellman exponent assumptionand the DBDH assumption. To see the improvement that their scheme offeredempirically, let us denote the number of attributes in the universe as nU , numberof attributes possessed by the user(recipient) as nr and that used by the senderin encryption of the access structure as ns. Then, Waters’ scheme gives nU + nrsecret key components and nU × nS ciphertext components. In comparison withthe other schemes this reduced the number of components by atleast half.

Constant-size AND. Taking efficiency as the new challenge, Emura et al.[EMN+09] gave the first CP-ABE scheme with constant size ciphertext. Theirconstruction uses the idea of summing up the master keys inorder to get a con-stant size ciphertext and hence, their scheme supported only AND-gate predicatestructures. However, their scheme allowed multi-valued attributes as part of theuniverse set of attributes. Their work was proved secure by reduction to theDBDH assumption. Although this scheme had large number of public and mastersecret key components, which was comparable to previous schemes like [NYO09],the number of user secret key components are just two and the ciphertext compo-nents are just three! In effect, their work was a tremendous improvement in termsof ciphertext size, secret key size as well as the running time of the encryption anddecryption algorithms. More importantly it was the first time that there was anABE construction with a ciphertext size that was independent of the number ofattributes.

Constant-size non-monotone. Building on that, Zhou and Huang [ZH10] pro-posed another constant-size CP-ABE scheme. Their scheme also supported multi-

19

valued attributes with wildcards. In addition to that, they were also able toincorporate non-monotone access structures and have both positive and negativeattributes in their construction. However, as with [EMN+09], they could onlyaccount for AND gates in the predicate. The primary focus of their scheme wasto enable attribute-based broadcast encryption, and they modified their construc-tion to also create a scheme for broadcast encryption. The secret key size in theirscheme is proportional to the number of attributes involved, but the ciphertextcomponents is limited to three, excluding the access structure that is also passed tothe receiver. Their scheme was proved secure by reducing to the q-BDHE assump-tion. They also show that their broadcast encryption scheme reduces the storageoverhead to a value proportional to the number of users and is independent of thenumber of attributes.

Constant-size threshold. In the mean while, the task of coming up with aconstant-size CP-ABE scheme which supported more complex access structures(other than AND gates) was accomplished by Herranz et al. [HLR10]. Theyproposed an elegant constant size ciphertext CP-ABE that supported thresholdaccess policies. Since it was a threshold scheme it could also be used to representAND and OR gates as well. The work in [HLR10] makes use of a novel aggregatefunction proposed originally by Delerablée and Pointcheval [DP08]. The aggregatefunction acts similar to summing of the keys as in Emura et al.’s work [EMN+09].When it comes to comparing the size-efficiency, like in [ZH10], the size of thesecret key is proportional to the number of attributes but the ciphertext consistsof just 3 components. Their scheme was proved secure by reducing it to the a-MSE-DDH (augmented multi-sequence of exponents diffie-hellman) assumption.One shortcoming of this scheme is that, it supports only a single threshold gateand there does not seem to be an easy way to extend it to incorporate multi-levelthreshold access structures.

Comparison. Here is a table comparing the key and ciphertext sizes in thepapers discussed. This is a modified extension to the table given in [EMN+09].

Paper PK SK Ciphertext[SW05] n|G1|+ |GT | nu|G1| nT |G1|+ |GT |[GPSW06] n|G1|+ |GT | nu|G1| nT |G1|+ |GT |[CN07] (3n+ 1)|G1|+ |GT | (2n+ 1)|G1| (n+ 1)|G1|+ |GT |[BSW07] 3|G1|+ |GT | (2n+ 1)|G1| (2nu + 1)|G1|+ |GT |[NYO09] (2N ′ + 1)|G1|+ |GT | (3n+ 1)|G1| (2N ′ + 1)|G1|+ |GT |[Wat08] 2|G1|+ |GT | (1 + n+ nu)|G1| (1 + nT n)|G1|+ |GT |[EMN+09] (2N ′ + 3)|G1|+ |GT | 2|G1| 2|G1|+ |GT |[ZH10] (6n+ 1)|G1| (3nu + 1)|G1| 2|G1|+ |GT |

[HLR10] (n − 1)|Zp| + |GT | +(2n+ 1)|G1|

(n+ nu)|G1| 1|G1|+ 1|G2|+ 1|GT |

Table 3.1: Comparison of PK, SK and ciphertext sizes

20

Here n denotes the total number of attributes in the universe set. nu de-notes the attributes possessed by the user; nT denote the attributes in the access-structure and N ′ =

∑ni=1 ni which is the possible subsets of attributes. And

G1,G2, and GT is a triple of groups on which the bilinear map is efficiently com-putable.

Our work. In our work, we try to extend the work of Herranz et al. [HLR10] andcombine it with [BSW07] to support better access policies. The first part of thisthesis will look at a CP-ABE scheme that can support multi-level threshold accessstructures. Although, the scheme does not result in a constant sized ciphertext, itwill look at generating a ciphertext whose length is independent of the number ofattributes involved. Infact it is dependent on the size of the predicate and moreprecisely, the number of leaf nodes in the tree-structure of the access policy.

3.3 Development of Attribute Based Signatures

The work on attribute based signature schemes began only after ABE schemesbecame more prominent. Attribute based signatures, like the encryption schemes,have a natural property of anonymity which can enhance some authorization appli-cations. Initial ABS schemes were largely motivated by the constructions in ABEschemes and in particular were influenced by the CP-ABE schemes of [GPSW06]and [GJPS08] due to their support for a wide range of access policies.

ABGS. ABS was introduced into group signatures by Khader [Kha07b]. Intheir work on attribute based group signatures, they built their scheme on thetree structure defined in Goyal et al. [GPSW06]. They extended the conceptof identity-based group signatures to an attribute based signature in order toassociate additional credentials to a signer (member of the group) and at thesame time prevent collusion among group members. They base their constructionon the concepts of secret sharing and linear encryption. They prove their schemeto be CPA-secure in the random-oracle model with the help of the q-strong Diffie-Hellman assumption, the DLIN assumption and the forking lemma. In a secondwork [Kha07a] by the same authors, they extended their first scheme to include theidea of revoking attributes. They base their revocation capability on the paper byBoneh and Sacham [BS04]. However, the security of this extended paper is similarto their first attribute based group signature paper.

Formalization of ABS. Although Khader [Kha07b] gave the notion of at-tribute based signatures, the first formal definition of ABS was given by Maji etal. [MPR08]. They also defined the properties of strong unforgeability and strongprivacy(to the signer) that an attribute-based signature must provide. Their con-struction uses monotone span programs (MSP) to represent access policies. Theirscheme also discusses the feature of unlinkability, where, given multiple signa-tures by the same signer, they cannot be identified as being signed by the same

21

party. The authors further provide a second scheme inorder to account for mul-tiple attribute authorities (multi-authority). The security of their schemes relyon the generic group model. The authors further propose applicability of ABSin attribute based messaging, attribute-based authentication and as a strongervariation of mesh signatures.

Attiribute-based ring signature. With the anonymity features of attribute-based signatures becoming more prominent, it seemed natural to incorporate itin ring signatures. Ring signature schemes, introduced by Rivest et al. [RST01]essentially give the signer a means to remain hidden (anonymous) amongst a setof n users who form the ring. To create a ring signature, it is sufficient for one tohave the secret key of a single member (usually the signer himself) of the ring andhave public keys of the others. With ABS, the signer’s identity remains hiddenand only the attributes possessed by the signer can be guessed based on the signingpolicy. The first attribute-based ring signature scheme was proposed by Li andKim [LK08]. Their scheme uses the idea of Shamir’s secret sharing to share thesecret in the keys of the signer’s attributes. Only those signers with the rightcombination of attributes can successfully sign a message to pass the verificationfor a given predicate. The authors give two schemes in their paper, one whosesecurity is shown in the random oracle model and the other is proved withoutrandom oracles. Both schemes are shown to be secure by reduction to the CDHproblem.

Without anonymity revocation. Extending the property of anonymity inthe ring signature, is the work on hidden ABS without anonymity revocationby [LK10]. Like many of the attribute-based primitives, this is also based on aproblem in the identity-based setting called hidden identity-based signatures. Inschemes with anonymity revocation, although the construction by itself providesanonymity, there is a trapdoor which some designated authority can use inorderto reveal the exact identity of the signer. This might be necessary in some appli-cations. Here, however, the scheme composed by Li and Kim ensures that sucha revocation is not possible by any authority. This scheme actually borrows thisproperty directly from the ring signature scheme in [LK08].

3.4 Threshold Attribute-Based Signatures

(k, n)-threshold. Our interest in threshold ABS (t-ABS) schemes is motivatedby the similarities in threshold ABE and ABS constructions. The initial thresh-old ABS scheme was defined and formalized by Shahandashti and Safavi-Naini[SSN09]. However it is interesting to note that the ring signature scheme by Liand Kim [LK08] can be considered as an (n, n) threshold ABS scheme since thesigner needs to have all the attributes of the predicate to be a part of the ring. ButLi and Kim [LK08] do not explicitly make a mention of threshold ABS in theirwork. The work by Shahandashti and Safavi-Naini [SSN09] is the first to formalize

22

the notion of t-ABS. They propose two threshold-ABS schemes which can sup-port any (k, n) threshold gate. Their constructions use Shamir’s secret sharingconcept to distribute the secret in the attributes and use Lagrange’s interpolationtechnique to retrieve the secret component. Their key generation (which makesuse of Waters’ signature) and verification are similar to that in [LK08]. However,their second scheme which is a modified version of their first basic scheme makesuse of zero-knowledge proof-of-knowledge and commitment schemes to make it ex-istentially unforgeable. Their basic scheme is only selectively unforgeable. Thesecurity of both their schemes is shown in the standard model by reduction to theCDH problem. Further, the authors show how t-ABS can be extended and canbe used to obtain a threshold attribute-based anonymous credential system. Hereagain, as with threshold ABE schemes, Shahandashti and Safavi-Naini’s schemesupports only a single threshold gate and cannot be used with complex accesscontrol policies. Hence, it provided good scope for someone to come up with a lessrestrictive and a more expressive threshold scheme. Also, with the establishmentof the t-ABS framework, the task of coming up with a scheme that can be provedto have tight existential unforgeability was still open.

Efficient threshold. Instigated by the new concept of threshold in ABS schemesLi et al. [LAS+10] extended the work of [LK08] and [SSN09] to come up with anefficient (k, n) t-ABS scheme. They propose three schemes in their paper. The firsttwo are for efficient t-ABS and the third extends their idea in t-ABS to address thecase where there can be multiple attribute authorities. Their schemes again makeuse of the secret sharing concept. The efficiency they gain is by reducing the sizesin both the key and signature elements. Their signature technique integrates theattributes to give a component that can be used to sign the document in a singlestep instead of separately signing with each individual attribute as in [SSN09].They show their scheme to be selectively unforgeable by reduction to the CDHproblem. The first scheme that they proffer is proved secure with the help ofrandom oracles, their other scheme is proved in the standard model. The prooffor their multi-authority ABS also makes use of random oracles. The authors alsopropose new directions to use ABS for access control with non-transferability.

Multi-level threshold. Next came the work of Kumar et al. [KABPR10] whichgave an ABS scheme for bounded multi-level threshold access structures. Thedefinition of their bounded tree structure is based upon the work by Goyal et al.[GJPS08]. To support multiple-levels of threshold nodes, the authors extend thesecret sharing scheme to each node of the bounded-tree. This enables them tokeep the final secret at the root of the tree, and hence only those users whoseattributes satisfy the access tree will be able to travel all the way up to the rootto get the portion of the secret component that is required for the signature topass the verification. The key-generation for the construction here is a slightlymodified version of the one in [LAS+10]. Kumar et al. first present a schemethat is proven secure in the random oracle model. They modify the first schemeby defining the hash functions explicitly to give another scheme which is provedsecure in the standard model. The schemes are shown to be secure by reduction

23

to the CDH problem.

ABS general framework. More recently, Maji et al. [MPR10] give a generalframework for constructing ABS schemes. Their scheme uses monotone span pro-grams to incorporate the access structure and also make use of non-interactivewitness indistinguishability (NIWI) to add to the anonymity of the signer. Theauthors also introduce a new generic primitive called credential bundle which isused in the key generating phase to bundle the attributes of the signer; this helpsin making their scheme collusion resistant. The given framework allows the usersto choose a zero-knowledge proof system as the NIWI component and also selecta signature scheme to provide the credential bundle. Furthermore, the authorshave shown three instantiations of their scheme a) one using non-interactive zero-knowledge (NIZK) proof of Groth and Sahai [GS08] for the NIWI component andBoneh-Boyen’s digital signature scheme to construct the credential bundle. b) thesecond uses Waters’ signature for the credential bundle, this, unlike Boneh-Boyen’ssignature, prevents the signer from committing to some of the credential bundlecomponents in a bit-wise fashion. c) their third scheme uses the credential bundlefrom the second scheme however, they use their own randomization to generatethe keys instead of using NIZK proofs.The authors also mention some applications for ABS which are the same as theones in their earlier work in [MPR08] (which we have discussed in the previoussection).

Our work. In this thesis we discuss some of the security issues in the schemesgiven in [LAS+10, LK08, SSN09, KABPR10, LK10] that employ the secret sharingscheme to generate the keys. We give a detailed view of how the flaws in theseschemes can be used by an attacker to create forgeries; and we also present our ob-servations on the short-comings of the existing key-generation techniques employedby these schemes. We further provide a new approach towards threshold-ABS in-spired by ring signatures. We also provide a provably secure t-ABS constructionusing the approach.

24

CHAPTER 4

Efficient Multi-level Threshold CP-ABE

In this chapter we present our approach for an efficient ciphertext-size, multi-levelthreshold CP-ABE. An efficient multi-level threshold ciphertext policy attribute-based encryption scheme is one where, the sender can encrypt a message using anaccess structure that may be complex and have multiple threshold nodes (referto figure[4.1]); but the encryption algorithm should output a ciphertext whosenumber of components are significantly smaller than the total number of attributesinvolved. We have seen in section[3.2] that Herranz et al.[HLR10] have presentedan elegant constant-size ciphertext scheme that appears to be a suitable model forsuch a task. However, like we have remarked earlier, their method does not seemto have the capacity to extend and include multiple threshold gates. We have alsoobserved that, secret sharing is an important concept that can allow us to expanda threshold gate to multiple levels. We also notice that the access trees as definedin [GPSW06] and [GJPS08] allow threshold gates at each of the internal nodesand by default support multiple-levels. Thus, our scheme proposes to combine allthese aspects inorder to arrive at a size-efficient multi-level threshold CP-ABE.

k-of-n

k’-of-n’k"-of-n"

k*-of-n*k‘-of-n‘

Figure 4.1: Multi-level threshold tree.

In this chapter we present the construction of our CP-ABE scheme. We willstart by giving the model of our access tree and attributes and then move on to thedescription of the ciphertext and the secret keys. We will then show the algorithmfor decryption and verify its correctness. Then, we proceed to demonstrate ourscheme with the help of a simple example.

4.1 Model

We denote the universe set of attributes by P . Let m be the cardinality of P . Aparty who wishes to encrypt a message will specify the access control predicatethrough an access tree structure, which we denote by T . Any party who wishes todecrypt the ciphertext must be able to satisfy the access tree inorder to retrievethe message.

The tree model we follow is similar to that described in [BSW07]. We treateach individual non-leaf node of the tree to be a threshold gate. Note that thisrepresentation of the access policy is very expressive since an AND gate can berepresented as an n-out-of-n threshold gate and an OR can be represented with1-out-of-n threshold gate.

Access Tree T . The tree representing the access structure is denoted by T . Letsx denote the number of children that each node x has. We will use kx to denotethe threshold value that needs to be satisfied at node x. And by par(x) we denotethe parent of the node x. The access tree T also defines an ordering between thechildren of every node, that is, the children of a node are numbered from 1 to sx.The function index(x) returns such a number associated with the node x, wherethe index values are uniquely assigned to nodes in the access structure for a givenkey in an arbitrary manner. An important point to note is that, all the attributesof the access policy form the leaves of the access tree. We will use the notation ψTto denote the set of last level of non-leaf nodes (i.e. those nodes whose childrenare all attributes/leaves).

Satisfying the tree. Let r denote the root node of the tree. Tx denotes thesubtree at the node x. Essentially Tr is equivalent to T . If a set of attributesA satisfy the subtree Tx then we will denote it as Tx(A) = 1. At each node x,Tx(Ax) = 1 if and only if atleast kx (threshold of node x) of the children nodereturn 1 from their subtree. By this recursive definition, if the attribute set satisfiesthe entire tree then T (A) = 1.

4.2 Definitions

Definition 1: [Lagrange Co-efficient]We recall the definition of Lagrange coefficient: ∆i,S for i ∈ Z∗p and a set, S, ofelements in Z∗p : ∆i,S(x) =

∏j∈S,j 6=i

x−ji−j . ♦

Definition 2: [Aggregate Function] Aggregate function (as defined originally in[DP08]) does:

Aggregate(gr

γ+xi , xi1≤i≤n) = gr∏n

i=1(γ+xi)

in O(n2) exponentiations. ♦

26

4.3 Construction

4.3.1 Setup

The setup algorithm chooses bilinear group triple (G1,G2,GT ) of prime order pand a bilinear map e : G1 × G2 → GT . The algorithm also picks generators g ofG1 and h of G2. Then it chooses 3 random exponents α, β, γ in Z∗p. It then setsu = gαγ and v = e(gα, h).

After that it chooses a suitable encoding τ sending each of the m attributesat ∈ P onto a (different) element τ(at) = x ∈ Z∗p. It then chooses a set of m − 1dummy attributes D = d1, · · · , dm−1. By the notation Di for i < m− 1, we willdenote the set of the dummy attributes from d1 to di.

PK (public parameters): P , u, v, hβ, hαγii=0,··· ,2m−1 ,D, τ

MK (master secret key): α, β, γ, g, h

4.3.2 Key Generation

KeyGen(PK, A, MK)Given a set of attributes A ⊂ P , the central authority picks an r ∈ Z∗p at randomand computes the secret key for the user as follows:

SKA =

g

rγ+τ(at)at∈A , hrγ

ii=0,··· ,m−2 , gα(1−r)β

4.3.3 Encryption

Enc(PK, T , M)For every non-leaf node x of the access tree T , we choose a polynomial qx. We,proceed in a top down manner in selecting the polynomials, starting from the rootR. For a node x we set the degree of the node dx = kx − 1, one less than thethreshold value that needs to be satisfied at the gate at that node.

Now, beginning at the root, we choose a random s ∈R Z∗p and set qr(0) = s.Then choose dr other points of the polynomial qr to define it completely. For allother non-leaf nodes x, we set qx(0) = qparent(x)

(index(x)

)and choose dx other

points to completely define qx.

For the last level of non-leaf nodes, x ∈ ψT , we compute the following twovalues:

Cx1 = u−qx(0)

Cx2 = hqx(0).α

∏at∈Sx(γ+τ(at))

∏d∈Dm+kx−1−sx

(γ+d)

27

The ciphertext is given by:

CT = C = M · e(g, h)αs , C0 = hβs , Cx1, Cx2∀x∈ψT , T

4.3.4 Decryption

Dec(CT, SK, PK)Let A denote the user’s attribute set and Sx denote the set of attributes involvedat each non-leaf node x ∈ ψT . Let ASx = A∩Sx. Any decryptor whose attributessatisfy the access tree can decrypt the message as follows:

For last level non-leaf nodes, x ∈ ψT do the following:

1. Compute Aggregate[HLR10]:

Aggregate(

gr

γ+τ(at) , τ(at)at∈ASx

)= g

r∏at∈ASx

(γ+τ(at))

2. Lx = e(Aggregate, Cx2)

Lx = e(g, h)

r·qx(0)·α·∏

at∈Sx\ASx

(γ + τ(at))∏

d∈Dm+kx−1−sx

(γ + d)

3. Define P(ASx ,Sx)(γ) to be equal to

1γ

∏at∈(Sx∪Dm+kx−1−sx )\ASx

(γ + τ(at))−∏

at∈(Sx∪Dm+kx−1−sx )\ASx

τ(at)

4. Compute

e(Cx1, hrP(ASx,Sx)

(γ)) 1 Lx = e(g, h)qx(0).r.α.Πat∈(Sx∪Dm+kx−1−sx )\ASxτ(at)

5. Now, raise the above value to the exponent 1/∏

at∈(Sx∪Dm+kx−1−sx )\ASxτ(at)

to get e(g, h)α·r·qx(0). We denote this by Fx.

6. For the other nodes we consider the recursive case of moving up the tree.For all nodes z which are children of a higher level non-leaf node x, let Fzdenote the decryption upto that node. Then, for each x we chose a set Sxconsisting of kx child nodes z for whom Fz 6= ⊥. If no such set exists thenFx = ⊥ else,

1hrP(ASx

,Sx)(γ) can be computed from the components given in the secret key.

28

Fx =∏z∈Sx

F∆i,Sx

(0)z , where i = index(z) and Sx = index(z) : z ∈ Sx

=∏z∈Sx

(e(g, h)α·r·qz(0)

)∆i,Sx(0)

=∏z∈Sx

(e(g, h)α·r·qparent(z)(index(z))

)∆i,Sx(0), (by construction)

=∏z∈Sx

e(g, h)α·r·qx(i)∆i,Sx(0)

= e(g, h)α·r·qx(0), (polynomial interpolation)

Hence, we eventually get e(g, h)α·r·qx(0) which is nothing but e(g, h)αrs.

7. When then do the last few steps to un-blind the message. We compute,

e(gα(1−r)β , hβs) = e(g, h)αs−αrs

This is multiplied with e(g, h)αrs which we obtained in our previous step.This finally gives us e(g, h)αs which is the blinding factor. We divide C bythis to retrieve the message M.

C

e(gα(1−r)β , hβs) · e(g, h)αrs

=M · e(g, h)αs

e(g, h)αs−αrs · e(g, h)αrs= M

4.4 Example

We will analyze the scheme with the help of an example. Let’s consider a situationwhere we have a top secret defence document. Say, the document can be accessedonly by a personnel who is a general in the army AND has experience in 2 outof 4 operations, namely, Op-X, Op-Y, Op-Z and Op-Star. We re-write the accesspolicy as follows:

((General ∧ Army)

∧(2-out-of Op-X, Op-Y, Op-Z, Op-Star )

)We can represent the access policy as a tree structure as in the figure below:

Let’s now look at an example where some personnel have the access rights andothers whose attributes are insufficient to satisfy the predicate.

Let’s take the case where we have 4 people each with a different attribute set.In the figure[4.3], we illustrate the case where two people have attributes thatsatisfy the access policy and two others who don’t. We will show the variousphases of the encryption scheme for the person who is a general in the army withexperience in operations Op-Y and Op-Z as in the figure.

29

AND

AND

General Army

2-of-4

Op-X Op-Y Op-Z Op-Star

Figure 4.2: Access tree structure for a multi-level predicate.

4.4.1 Setup

The setup algorithm chooses bilinear group triple (G1,G2,GT ) of prime order pand a bilinear map e : G1 × G2 → GT . The algorithm also picks generators g ofG1 and h of G2. Then it chooses 3 random exponents α, β, γ in Z∗p. It then setsu = gαγ and v = e(gα, h).

Let the universe of attributes be P =Army (A), Captain (C), General (G),Op-X (X), Op-Y (Y), Op-Z (Z), Op-Star (S) . So, m = 7. The dummy attributesare m− 1 in number, so we have D = d1, · · · , d6. Now, for simplicity we’ll saythat A,C,G,X,Y,Z,S and the dis are all values in Z∗p and the function τ whenapplied on these attributes give the same value.

PK (public parameters): P , u, v, hβ, hαγii=0,··· ,13 ,D, τ

MK (master secret key): α, β, γ, g, h

4.4.2 Generating the keys

KeyGen(PK, A, MK)We will generate the keys for the person with attributes A =Army, General,Op-Y, Op-Z. Here, A ⊂ P , the central authority picks an r ∈ Z∗p at random andcomputes the secret key for the user as follows:

SKA =

g

rγ+A , g

rγ+G , g

rγ+Y , g

rγ+Z , hrγii=0,··· ,5 , g

α(1−r)β

30

Figure 4.3: Examples of access tree satisfaction.

4.4.3 Encrypting a message

Enc(PK, T , M)For every non-leaf node x of the access tree T , we choose a polynomial qx. We,proceed in a top down manner in selecting the polynomials, starting from the rootR. For a node x we set the degree of the node dx = kx − 1, one less than thethreshold value that needs to be satisfied at the gate at that node.

Now, beginning at the root, we choose a random s ∈R Z∗p and set qr(0) = s.Then choose dr other points of the polynomial qr to define it completely. For allother non-leaf nodes x, we set qx(0) = qparent(x)

(index(x)

)and choose dx other

points to completely define qx.

Following the procedure, we get the following tree:

For the last level of non-leaf nodes, x ∈ ψT , we compute the following values.For node 1:

C11 = u−(s+10)

C12 = h(s+10).α.(γ+A)(γ+G)(γ+d1)(γ+d2)(γ+d3)(γ+d4)(γ+d5)(γ+d6)

For the second node:

C21 = u−(s+20)

C22 = h(s+20).α.(γ+X)(γ+Y )(γ+Z)(γ+S)(γ+d1)(γ+d2)(γ+d3)(γ+d4)

The ciphertext is given by:

CT = C = M · e(g, h)αs , C0 = hβs , C11, C12, C21, C22

31

Figure 4.4: Encryption - Generating shares using the Shamir’s secret sharing idea

4.4.4 Decrypting the ciphertext

Dec(CT, SK, PK)We’ll show the decryption for the case of the given secret key components. Wefirst do the computations for the last level non-leaf nodes, x ∈ ψT .

For node 1:

1. Compute Aggregate: Aggregate(g

r(γ+G) , g

r(γ+A) , τ(A), τ(G)

)= g

r(γ+G)(γ+A)

2. L1 = e(Aggregate, C12)

L1 = e(g, h)r·(s+10)·α·(γ+d1)(γ+d2)(γ+d3)(γ+d4)(γ+d5)(γ+d6)

3. Define P(AS1,S1)(γ) to be equal to:

1

γ((γ + d1)(γ + d2)(γ + d3)(γ + d4)(γ + d5)(γ + d6)− (d1d2d3d4d5d6))

4. e(C11, hrP(ASx,Sx)

(γ)) equals

e(g, h)(s+10).r.α.((γ+d1)(γ+d2)(γ+d3)(γ+d4)(γ+d5)(γ+d6)−(d1d2d3d4d5d6))

5. Multiplying the above with L1, we get, e(g, h)(s+10).r.α.(d1d2d3d4d5d6)

6. Now, F1 =(e(C11, h

rP(ASx ,Sx)(γ)) · L1

)1/(d1d2d3d4d5d6)

= e(g, h)α·r·(s+10).

For node 2:

1. Aggregate:(g

r(γ+Y ) , g

r(γ+Z) , τ(at)at=Y,Z

)= g

r(γ+Y )(γ+Z)

32

2. L2 = e(Aggregate, C22)

L2 = e(g, h)r·(s+20)·α·(γ+X)(γ+S)(γ+d1)(γ+d2)(γ+d3)(γ+d4)

3. Define P(AS2,S2)(γ) to be equal to

1

γ((γ +X)(γ + S)(γ + d1)(γ + d2)(γ + d3)(γ + d4)− (XSd1d2d3d4))

4. e(C21, hrP(ASx,Sx)

(γ)) equals

e(g, h)(s+20).r.α.((γ+X)(γ+S)(γ+d1)(γ+d2)(γ+d3)(γ+d4)−(XSd1d2d3d4))

5. Multiplying the above with L2, we get, e(g, h)(s+20).r.α.(XSd1d2d3d4)

6. Now, F1 =(e(C21, h

rP(ASx ,Sx)(γ)) · L2

)1/(XSd1d2d3d4)

= e(g, h)α·r·(s+20).

Now, we move to the next higher level of non-leaf nodes. Here, we remain withjust the root. For all nodes z which are children of a higher level non-leaf node x,let Fz denote the decryption upto that node. So, for the root we consider F1 andF2.

Fx =∏z∈Sx

F∆i,Sx

(0)z , where i = index(z) and Sx = 1, 2

= F∆1,S1

(0)

1 · F∆2,S2

(0)

2

=(e(g, h)α·r·(s+10)

)∆1,S1(0) (

e(g, h)α·r·(s+20))∆2,S2

(0)

=(e(g, h)α·r·(s+10)

)2 (e(g, h)α·r·(s+20)

)−1

= (e(g, h))(2α·r·(s+10))−(α·r·(s+20))

= e(g, h)α·r·s

Now, we can unblind the message from C = M · e(g, h)αs as follows:

1. e(gα(1−r)β , hβs) = e(g, h)αs−αrs

2. Multiply the above with e(g, h)αrs to get e(g, h)αs.

3. C/e(g, h)αs = M

Conclusion. This example show that the scheme is correct, however we stillneed to establish its security. Although the scheme appears to be reliable androbust we need to formally prove it to be secure under some hard cryptographicassumption. The secret key and public key components used in the scheme point

33

us to the Augmented Multi-sequence of Exponents Diffie-Hellman Problem (aMSE-DDH)[HLR10] as a potential hardness assumption. But, based on the fact that ourscheme provides extension of the threshold gate to multiple levels as in [BSW07],we believe that the scheme can only be proved secure in the generic group model.

34

CHAPTER 5

On The Security of Attribute Based Signatures

In this chapter we present our observations on the security of some attribute-basedsignature schemes. We first take a detailed look at the ABS scheme in [LAS+10].Then we show that the scheme does not ensure the threshold property and is alsouniversally forgeable by formulating attacks on it. Further, we illustrate with anexample that the scheme can be broken in a manner where an adversary can obtaina secret component (not actually the secret key) with which she can generate validsecret keys for any signer. Subsequently, we present the attacks on various relatedschemes having the same or similar key construction algorithm. This body of workalso comprises of the forgeries on the attribute based ring signature scheme by Liand Kim [LK08]; a total break on the threshold ABS scheme by Shahandashti andSafavi-Naini [SSN09]; universal forgery on the multi-authority ABS scheme by Liet al. [LAS+10]; a total break on multi-level threshold ABS scheme by Kumar etal. [KABPR10] and finally a total break on the hidden attribute-based signatureswithout anonymity revocation proposed by Li and Kim [LK10].

5.1 Efficient Threshold ABS Scheme

In this section we present the construction of the efficient threshold ABS schemeby Li et al [LAS+10]. Let us briefly recall some definitions before going to theconstruction.

5.1.1 Definitions

Bilinear Pairing Recall the definition of bilinear pairing defined in Section(2.1).

Lagrange Co-efficient Recall the definition from Section(2.3.3)

5.1.2 Setup

Setup(d)→(params, msk).First, define the attributes in universe U as elements in Zp . A d − 1 defaultattribute set from Zp is given as Ω = Ω1,Ω2, · · · ,Ωd−1. Select a random gener-ator g ∈ G1 , a random x ∈ Zp , and set g1 = gx. Next, pick a random elementg2 ∈ G1 and compute Z = e(g1, g2). Two hash functions are also chosen such thatH1, H2 : 0, 1∗ → G1 . The public parameters is params and the master secretkey is msk.

params = (g, g1, g2,Z, d,H1, H2) msk = x

5.1.3 Extract

To generate a private key for an attribute set ω, the following steps are taken:

• First, choose a d− 1 degree polynomial q(y) randomly such that q(0) = x;

• Generate a new attribute set ω = ω ∪ Ω. For each i ∈ ω, choose ri ∈R Zpand compute

di0 = gq(i)2 ·H1(i)ri and di1 = gri

• Finally, output Di = (di0, di1) as the private key for each i ∈ ω

5.1.4 Sign

Suppose one has a private key for the attribute set ω. To sign a message mwith predicate Υk,ω∗(·), namely, to prove owning at least k attributes among ann-element attribute set ω∗, signer selects a k-element subset ω′ ⊆ ω ∩ ω∗ andproceeds as follows:

• First, the signer selects a default attribute subset Ω′ ⊆ Ω with |Ω′ |= d− kand chooses n+ d− k random values r′i ∈ Zp for i ∈ ω∗ ∪ Ω′.

• The signer then computes,

σ0 = [Πi∈ω′∪Ω′d∆i,S(0)i0 ][Πi∈ω∗∪Ω′H1(i)r

′i ]H2(m)s

σi =

d

∆i,S(0)i1 · gr′i for i ∈ ω′ ∪ Ω′

gr′i for i ∈ ω∗\ω′

σ′0 = gs, with a randomly chosen value s ∈ Zp

• Signature: σ = (σ0 , σii∈ω∗∪Ω′ , σ′0)

5.1.5 Verify

To verify the signature σ = (σ0 , σii∈ω∗∪Ω′ , σ′0) on message m with thresholdk for attributes ω∗ ∪ Ω′, check if the following equation holds:

e(g, σ0)

[Πi∈ω∗∪Ω′e(H1(i), σi)]e(H2(m), σ′0)?= Z

5.2 Attacks

In this section we present the attacks on the above scheme. We’ll take the followingexample case into consideration for the attack:

- Let d = 2 (for simplicity)

36

- Accordingly Ω = Ω1; (|Ω|= d− 1)

- Users attributes ω = A,B,C,D

- Signing attributes ω∗ = A,P

- Let the threshold k = 2 i.e the user needs to have both attributes in ω∗ togenerate a valid signature.

- For simplicity we will denote H1(i) by Hi.

5.2.1 Setup

At the end of Setup(d), we have params = (g, g1, g2,Z, d,H1, H2) and msk = x.

5.2.2 Extract1. Since d = 2 we consider a one-degree polynomial q(y) whose constant is set

to x and we pick a random value in Z∗p as the other co-efficient. So, q(0) = x.And set, q(y) = 7y + x.

2. ω = ω ∪ Ω = A,B,C,D,Ω1.

So we have the following secret key values:

DA =dA0 = g

q(A)2 ·HrA

A , dA1 = grA

DB =dB0 = g

q(B)2 ·HrB

A , dB1 = grB

DC =dC0 = g

q(C)2 ·HrC

A , dC1 = grC

DD =dD0 = g

q(D)2 ·HrD

A , dD1 = grD

DΩ1 =dΩ10 = g

q(Ω1)2 ·HrΩ1

Ω1, dΩ11 = grΩ1

5.2.3 Preliminaries for the attack

Attacker picks d secret keys at a time and does the following computations:

Notations. For a set S = A,B when we evaluate the Lagrange co-efficient∆i,S(0) at i = A, we will denote the value as ∆AB. If i = B, then we denote it as∆BA. Please note that ∆AB need not equal ∆BA.

37

Computations done by signer . We will evaluate Πi∈Sd∆i,S(0)i,0 for pairs of

attributes, S ∈ A,B, A,C, A,D, B,C, B,D, C,D to get:

X1 = gx2HrA∆ABA HrB∆BA

B X2 = gx2HrA∆ACA HrC∆CA

C

X3 = gx2HrA∆ADA HrD∆DA

D X4 = gx2HrB∆BCB HrC∆CB

C

X5 = gx2HrB∆BDB HrD∆DB

D X6 = gx2HrC∆CDC HrD∆DC

D

(5.1)

We will use the following notations for simplicity:

∆A1 = ∆AB −∆AC ∆B1 = ∆BA −∆BC

∆A2 = ∆AB −∆AD ∆B2 = ∆BA −∆BD

Now, the user computes the following:

Y1 =X1

X2

= HrA∆A1A HrB∆BA

B H−rC∆CAC

Y2 =X1

X3

= HrA∆A2A HrB∆BA

B H−rD∆DAD

Y3 =X1

X4

= HrA∆ABA HrB∆B1

B H−rC∆CBC

Y4 =X1

X5

= HrA∆ABA HrB∆B2

B H−rD∆DBD

We extend our notations to include:

∆A3 = ∆A1 −∆A2 = ∆AD −∆AC ∆B3 = ∆BA∆CB −∆B1∆CA

∆A4 = ∆A1∆CB −∆AB∆CA ∆B4 = ∆BA∆DB −∆B2∆DA

∆A5 = ∆A2∆DB −∆AB∆DA ∆B5 = ∆B2∆A5 −∆B4∆A4

Then, the user does the following computations:

Z1 =Y1

Y2

= HrA∆A3A HrD∆DA

D H−rC∆CAC

Z2 =Y ∆CB

1

Y ∆CA3

= HrA∆A4A HrB∆B3

B

Z3 =Y ∆DB

2

Y ∆DA4

= HrA∆A5A HrB∆B4

B (5.2)

Z4 =Z∆A5

2

Z∆A43

= HrB∆B5B (5.3)

Z5 = Z1

∆B43 = H

∆A5/∆B4

A HrBB = HrA∆

A ·HrBB (5.4)

With these computations the signer is now ready to forge.

38

5.2.4 Attack 1: Forgery without satisfying threshold

The attacker (who possesses attributes in ω) is now, going to sign a documentclaiming (s)he has attribute 2-out-of-A,P. Note, here that the attacker doesnot have the attribute P and has not received any secret key pertaining to theattribute P . Recall,

• ω = A,B,C,D

• d = 2 So, (d− 1) = 1

• Ω = Ω1

• ω∗ = A,P

Sign

The attacker computes the following

σ0I = [gq(A)2 HrA

A ∆AB · gq(B)

2 HrBB

∆BA ][Hr′AA Hr′P

P ]H2(m)s (5.5)

Note that, r′A, r′P and s are values that the signer picks during signing. Now, theattacker raises (5.4) to the exponent (−∆BA) and multiplies with σ0I .

σ0 = Z(−∆BA)5 × σ0I = gx2H

rACA [Hr′A

A Hr′PP ]H2(m)s (5.6)

Here C is a constant, which can be computed by the signer. Now for the σi values:

σA = (grA)C.gr′A , σP = gr

′P

Finally, σ′0 = gs. The signature is σ = σ0 , σii∈A,P , σ′0

Verification

e(g, σ0)

[Πi∈ω∗∪Ω′e(H1(i), σi)]e(H2(m), σ′0)

=e(g, gx2 )e(g,HrAC

A )e(g,Hr′AA )e(g,Hr′P

P )e(g,H2(m)s)

[e(HA, σA)e(HP , σP )]e(H2(m), gs)

=e(g, gx2 )e

(g,HrAC

A

)e(g,Hr′A

A

)e(g,Hr′P

P

)[e (HA, (grA)Cgr′A)e (HP , gr

′P )]

= e(g, gx2 )

= Z

39

5.2.5 Attack 2: Universal forgery

We now show universal forgeability in the proposed scheme by extracting thesecret component hidden in the signer’s keys.

Computations for launching the attack. We will continue with the prelim-inary computations that we have already done. We also know that the Lagrangecoefficients for any set of attributes can be found. Thus, the ∆ij values can becomputed and therefore we can proceed to find:

δB = Z∆B5−1

4 = HrBB (5.7)

δA =

(Z3

(δB)∆B4

)∆A5−1

= HrAA (5.8)

Using the components δA and δB, we can now do the following:

ρ =X1

δA∆ABδB

∆BA= gx2 (5.9)

Now, with the value of gx2 the attacker will be in a position to forge for anythreshold of attributes and provide the appropriate σi components to pass theverification tests.

Sign (Universal forgery)

The attacker (who possesses attributes in ω) is now, capable of signing a documentclaiming (s)he has attributes 2-out-of-L,M. Note here that the signer doesnot have either of the 2 attributes L or M and has not received any secret keypertaining to these attributes. We are now looking at the following situation:

• ω = A,B,C,D

• d = 2 So, (d− 1) = 1

• Ω = Ω1

• ω∗ = L,M

The forger generates the following signature:

σ0 = gx2 [Hr′LL Hr′M

M ]H2(m)s

σL = gr′L , σM = gr

′M

σ′0 = gs

Final signature is given as σ = σ0 , σii∈L,M , σ′0.

40

Verify

e(g, σ0)

[Πi∈ω∗∪Ω′e(H1(i), σi)] e(H2(m), σ′0)=e(g, gx2 )e

(g,Hr′L

L ·Hr′MM

)e (g,H2(m)s)

[e (HL, σL) e (HM , σM)] e (H2(m), gs)

=e(g, gx2 )e

(g,Hr′L

L

)e(g,Hr′M

M

)[e (HL, gr

′L)e (HM , gr

′M )]

= e(g, gx2 )

= Z

5.2.6 Attack 3: Total break - impersonating key issuing au-thority

The attacker now holds gx2 . With this, we show how (s)he can generate the privatekeys for anyone.

To generate a private key for an attribute set ω, the attacker does the following:

• First, choose a d− 1 degree polynomial q(y). Say q(y) = 10y + x

• Generate a new attribute set ω = ω ∪ Ω. For each i ∈ ω, choose ri ∈R Zpand compute di0 and di1.

di0 = gq(i)2 ·H1(i)ri = g10i

2 · gx2 ·H1(i)ri and di1 = gri

• Finally, output Di = (di0, di1) as the private key for each i ∈ ω

This shows a total break on the system.

In this section we have shown how an attacker of the scheme can computecertain intermediate values from some attributes and dummy attributes that areavailable to any user. With the help of these values, an adversary is not only ableto launch multiple attacks on the scheme, but also procure gx2 , which holds thesecret and can be used to completely break the system. The subsequent sectionshows how the same intermediate values can be obtained in other schemes andhow those schemes can also be broken based on similar principles.

5.3 Attacks on schemes with similar key construct

In this section, we explore how we can attack other schemes whose key constructionis congruent to [LAS+10]. We’ll first look into the attribute based ring signaturescheme of Kim and Li in [LK08]. We will then show the attack on the (k, n)

41

threshold scheme by Shahandashti and Safavi-Naini in [SSN09], then on the ABSwith multiple attribute authorities [LAS+10]. We then proceed to show that theattacks are also applicable on the ABS scheme for bounded multi-level thresholdcircuits [KABPR10] and also on the scheme for hidden ABS without anonymityrevocation presented in [LK10].

5.3.1 Total break on attribute based ring signature scheme

Here we would like to remark that [LAS+10] has been derived from [LK08] andthat both their key extract phases are exactly the same. We first present the keyextraction phase of [LK08].

Key Extract

To generate a private key for an attribute set ω, the following steps are taken:

→ First, choose a d− 1 degree polynomial q(y) randomly such that q(0) = x;

→ Generate a new attribute set ω = ω ∪ Ω. For each i ∈ ω, choose ri ∈R Zp.

→ Compute, di0 = gq(i)2 · (H1(i))ri and di1 = gri ;

→ Finally, output Di = (di0, di1) as the private key for each i ∈ ω

Total break

It’s now easy to see that the di0 components in [LK08] are exactly the same asbefore. This allows us derive the set of equations (5.1) which are the primary set ofequations used in deriving the rest of the values. From there we can proceed in theexact same manner to get equations (5.2), then (5.3), (5.7), (5.8) and finally (5.9).This will allow the attacker to get gx2 . Now, the attacker can use the strategy inSection[5.2.6] and impersonate the key generating authority.

5.3.2 Break on threshold attribute based signature scheme

The threshold attribute based signature scheme by Shahandashti and Safavi-Nainiin [SSN09] has been extended from the previous ring signature scheme [LK08]to support (k, n) threshold. We will take a closer look at their setup and keyextraction phases before we identify the similarities and describe how the attackis applicable.

Setup

Setup(1k): Pick y randomly from Zp and set g1 = gy. Pick random elementsfrom G1, g2, h, t1, t2, · · · , tn+1 ∈R G1. Define and output the following: T (x)

∆=

42

gxn

2

n+1∏i=1

t∆i,N (x)i and msk = y and mpk = (g, g1, g2, t1, t2, · · · , tn+1, h)

KeyGen

KeyGen(msk, A): To generate keys for the user attribute set A. Choose a randomd− 1 degree polynomial q(x) such that q(0) = y, choose random elements ri ∈ Zpfor i ∈ A, and output:

ssk =gq(i)2 T (i)ri , gri

i∈A

Attack

We will first establish the congruence of the key generation in this scheme to thatof [LAS+10]. Here, we can note that T (i) is a publicly computable function, thedefinition of which has been established in the setup. Thus, we can consider it tobe equivalent to the hash function H1(i) as used in schemes [LAS+10, LK08] forthe purposes of this attack. If we now use the notation Ti to indicate the value ofT (i) where i is the attribute under consideration and then evaluate Πi∈Sssk

∆i,S(0)i0

for pairs of attributes, S ∈ A,B, A,C, A,D, B,C, B,D, C,D toget:

X1 = gy2TrA∆ABA T rB∆BA

B X2 = gy2TrA∆ACA T rC∆CA

C

X3 = gy2TrA∆ADA T rD∆DA

D X4 = gy2TrB∆BCB T rC∆CB

C

X5 = gy2TrB∆BDB T rD∆DB

D X6 = gy2TrC∆CDC T rD∆DC

D

If we now use the notation Hi to indicate the value of T (i) and also replacethe msk which is y here, with x. Then, we can get the same set of preliminaryequations as in (5.1). From here on, the rest of the steps in extracting gy2 is exactlythe same as before. Thus, with the help of gy2 , the attacker is capable of producingkeys for any set of attributes.

Generating Keys. To generate keys for the user attribute set A. The attackerchooses a random d − 1 degree polynomial q(x), such that q(0) = y, say q(x) =10x+ y. And chooses random elements ri ∈ Zp for i ∈ A, and outputs:

ssk =g10i

2 · gy2 · T (i)ri , gri

i∈A

5.3.3 Attack on ABS with multiple attribute authorities

ABS scheme with multiple attribute authorities is the second ABS scheme pro-posed in [LAS+10]. Here, we assume that there are k attribute authorities inaddition to one central authority. This scheme has some variations in its con-struction since it needs to be able to address multiple authorities. We will review

43

the phases of the construction of their scheme before we show how an attacker canbreak the system.

Setup

Assume that there are k distributed attribute authorities. Each of them is incharge of the issue of attribute set Ai for 1 ≤ i ≤ k. Define a default attributeset Ωi of d elements for each attribute authority. The central authority choosess1, · · · , sk for all attribute authorities and hash functions H1, H2, · · · , Hk, H :0, 1∗ → G1. In addition, the central authority chooses a random generatorg ∈ G1 , a random x ∈ Z∗p, and sets g1 = gx. Next, she picks a random elementg2 ∈ G1 and computes Z = e(g1, g2). For the attribute authority i, the secret keyis si , which is assigned by the central authority.

Extract

First, a user with identity u gets a secret key from the central authority as dca =

gx−Σki=1fsi (u)2 . Then, she can request attribute private key from the i-th attributeauthority as follows: Assume the user u is eligible to get an attribute set Ai,u fromthe attribute authority i. The attribute authority i chooses a random d−1 degreepolynomial qi(·) such that qi(0) = fsi(u) and computes the secret key q(j) for useru as

dij0 = g

qi(j)2 Hi(j)

rij , dij1 = grijj∈Ai,u∪Ωi

.

Sign

Suppose one has a private key for attribute set Ai,u for 1 ≤ i ≤ k. To sign amessage with predicate Υ that for each i, at least ki out of ni attributes ω∗i areissued from the attribute authority i (Note ki could be equal to 0). The userselects a ki-value attribute subset ω′i ⊆ Ai,u ∩ ω∗i . The following steps are taken:

• First, the user chooses ri1, ri2, · · · , ri,ni+d−ki ∈ Z∗p and selects a d−ki defaultattribute subset Ω′i ⊆ Ωi. Define Si = ω′i ∪ Ω′i;

• She also computes (σ0, σijj∈ω∗i ∪Ω′i, σ′0), where:

σ0 =∏

1≤i≤k

∏j∈Si

d∆j,Si

(0)

ij0

∏j∈ω∗i \ω′i

Hi(j)r′ij

(H(m))s

σij = d

∆i,S(0)ij1 gr

′ij

j∈Si

,σij = gr

′ij

j∈ω∗i \ω′i

, σ′0 = gs

44

Verify

On input the signature (σ0, σijj∈ω∗i ∪Ω′i, σ′0) with predicate Υ, compute

e(g, σ0)?= Z ·

∏1≤i≤k

∏j∈ω∗i ∪Ω′i

e(Hi(j), σij)e(H(m), σ′0)

If the equation holds, the signature is valid and the algorithm outputs accept.Otherwise, the algorithm outputs reject.

Attack

In order to attack this system, a forger has to try and get part of the secretcomponent of every authority. The attacker can accomplish this as follows:

• Using the set of attributes Ai,u ∪ Ωi the user has from each authority i,the attacker forms equations as in (5.1); the only difference being, gx2 willnow be gfsi (u)

2 .

• Following along the same way as before, the user can now extract gfsi (u)2 .

• Once the attacker extracts gfsi (u)2 for all 1 ≤ i ≤ k. She computes their

product:k∏i=1

gfsi (u)2 = g

∑ki=1 fsi (u)

2

• Multiplying it with the secret component given by the central authority :

dca × g∑ki=1 fsi (u)

2 = gx−Σki=1fsi (u)2 × g

∑ki=1 fsi (u)

2 = gx2

Universal Forgery. Now, using the values gx2 andgfsi (u)2

i=1,··· ,k

, the attacker

can forge on any message for any threshold of attributes. The signature is com-puted as (σ0, σijj∈ω∗i ∪Ω′i

, σ′0) where:

σ0 = dca ·∏

1≤i≤k

gfsi (u)2

∏j∈ω∗i

Hi(j)r′ij

(H(m))s

σij = gr

′ij

j∈ω∗i

, σ′0 = gs

Verification

e(g, σ0) = Z ·

∏1≤i≤k

∏j∈ω∗i ∪Ω′i

e(Hi(j), σij)

e(H(m), σ′0)

45

Analysis of the verification:

e(g , σ0) = e

g , dca ·∏

1≤i≤k

gfsi (u)2

∏j∈ω∗i

Hi(j)r′ij

(H(m))s

= e

g , gx−Σki=1fsi (u)2 · g

∑ki=1 fsi (u)

2

∏1≤i≤k

∏j∈ω∗i

Hi(j)r′ij

e(g,H(m))s

= e(g, gx2 ) ·∏

1≤i≤k

∏j∈ω∗i

e(g , Hi(j))r′ij

e(g,H(m))s

= Z ·

∏1≤i≤k

∏j∈ω∗i

e(gr′ij , Hi(j))

e(H(m), σ′0)

= Z ·

∏1≤i≤k

∏j∈ω∗i ∪Ω′i

e(Hi(j), σij)

e(H(m), σ′0)

Hence, the verification passes. This shows that universal forgery can be performedby any attacker.

5.3.4 Attack on multi-level threshold ABS scheme

In this subsection we will focus on how the attack is possible on the multi-levelthreshold ABS scheme proposed by Kumar et al in [KABPR10]. Here, inorderto achieve multi-level threshold properties, the authors use the access structurethat was first described in Goyal et al’s paper on bounded ciphertext policy ABE[GJPS08]. They denote the access tree structure by T . Now, let us look at howthe key is generated for a signer possessing a set of attributes θ such that onlythose users satisfying the access tree can produce a signature:

Key Generation

The key generation algorithm outputs a private key that enables the signer tosign on any message m under a bounded threshold circuit T , as long as T (θ) =1. Choose a random polynomial q(x) for each non-leaf node x in the universalbounded threshold circuit Tu. These polynomials are chosen in the following wayin a top-down manner, starting from the root node r. For each x, set the degreecx of the polynomial qx to be one less than the threshold value, i.e., cx = num−1.Now, for the root node r, set qr(0) = χ and choose cr other points of the polynomialqr randomly to define it completely. For any other non-leaf node x, assign qx(0) =qpar(x)(index(x)) and choose cx other points randomly to completely define qx.

The secret values are given to the user by generating a new attribute setθ∗ = θ ∪ δ. For all i ∈ θ∗ :

1. If i ∈ θ, for each x ∈ ΨTu46

(a) Choose rx,i ∈ Z∗p

(b) Compute dx,i0 =gqx(i)2 H1(x||i)rx,i

, dx,i1 = grx.i

2. If j ∈ δ, for each y ∈ ΦTu(a) Choose ry,j ∈ Z∗p

(b) Compute dy,j0 =gqy(j)2 H1(y||j)ry,j

, dy,j1 = gry,j

Thus the private key is dx,i0, dx,i1|x ∈ ΨTu , i ∈ θ ∪ dy,i0, dy,i1|y ∈ ΦTu , i ∈ δ.

Attack

In order to model this attack, we will first consider all the non-leaf nodes x atdepth d− 1 i.e all x ∈ ΨTu . By using our method of attack, we will try to extractgqx(0)2 , for each of these nodes. Once, we get these values, we can use these tosatisfy the threshold of the parent node and get its share of the secret and soon until we reach the root. To do this we will first establish the congruenceof the key generation in this scheme to that of [LAS+10]. Here, we can notethat H1(x||i) is a publicly computable function, the definition of which has beenestablished in the setup. Thus, we can consider it to be equivalent to the hashfunction H1(i) as used in schemes [LAS+10, LK08]. If we now use the notationHxi to indicate the value of H1(x||i) where x is the node under considerationand i is the attribute under consideration and then evaluate Πi∈Sd

∆i,S(0)x,i0 for pairs

of attributes, S ∈ A,B, A,C, A,D, B,C, B,D, C,D to get thefollowing equations. (It is important here to note that this is possible because,a secret key component is given for all of the users attributes for each and everynon-leaf node in ΨTu).

X1 = gqx(0)2 HrxA∆AB

xA HrxB∆BAxB X2 = g

qx(0)2 HrxA∆AC

xA HrxC∆CAxC

X3 = gqx(0)2 HrxA∆AD

xA HrxD∆DAxD X4 = g

qx(0)2 HrxB∆BC

xB HrxC∆CBxC

X5 = gqx(0)2 HrxB∆BD

xB HrxD∆DBxD X6 = g

qx(0)2 HrxC∆CD

xC HrxD∆DCxD

This leads us to equations that have the exact same form as the primaryequations in (5.1). Thus, we can extract gqx(0)

2 for all x ∈ ΨTu . Now, we have thesecret shares of all the children nodes at depth d − 1. We are in a position tointerpolate and get the share of the parent nodes as well. By definition, qx(0) =qpar(x)(index(x)), so we can use interpolation and get qpar(x)(0). Thus, by doingthe procedure of interpolation recursively at each level, we can get the value atthe root, gqr(0)

2 = gχ. Now, the attacker is just as capable of generating keys forany set of attributes as the key generating authority.

47

5.3.5 Total break on hidden ABS without anonymity revo-cation

The hidden attribute-based signatures without anonymity revocation was pro-posed by Li and Kim in [LK10]. This scheme has been largely derived from thework in [LAS+10] and hence it has the exact setup and key-extract phases as in[LAS+10] and [LK08].

Now, any signer who gets a set of keys from the key-generating authority, canuse the same procedure as described in Section[5.2.3] to retrieve the component gx2 .This will enable the attacker to use the strategy in Section[5.2.6] and impersonatethe key generating authority. Hence, the key extract algorithm in this scheme[LK10] causes a total break of the system.

5.4 Summary of attacks

We summarize all our attacks (mentioned in the previous sections) in the tablebelow.

ABS Scheme Type of break SourceFlexible Threshold Predicate Support Total Break [LAS+10]

Multiple Attribute Authorities Universal Forgery [LAS+10]Attribute-Based Ring Signatures Total Break [LK08]

Threshold Attribute-Based Signatures Total Break [SSN09]Bounded multi-level threshold circuits Total Break [KABPR10]

Hidden ABS without anonymity revocation Total Break [LK10]

Table 5.1: Table summarizing the attacks

Here, we would like to remark that a total break is one of the strongest attackspossible and it encompasses a universal forgery. This is because, in a total breakthe adversary can get keys for any set of attributes. And with that it would be verysimple to give a signature on any message, thus giving the attacker the implicitcapability for universal forgery.

5.5 Observations

Our main observations are that, the specific attack we mention is possible whenthe following conditions are satisfied:

1. d is a constant and the universe of attributes U contains a large number ofelements.

2. The signer possesses lot more than d attributes although (s)he might nothave k out of the given set ω∗ of attributes.

48

It is important here to note that the attack was made on the key constructionand method of verification, and not on the signature itself. The primary flaw in thekey construction is in using the idea of secret shares to distribute the master secret,and at the same time giving each person lot more shares than what is required forrecovering the secret. These additional shares - in the form of dummies and otherattributes the signer has which are not a part of ω∗ - give the signer multiple waysto recover a derivative of the master secret key, which in turn leads to the attacks.

Discussion. We would like to remark here that, the concept of secret sharingwhen combined with Waters’ signature, seems to be vulnerable to the attack wehave focused on, even when the number of keys are far fewer. We strongly feelthat there does not exist a fix for this key-construct that can resist the mentionedattacks, however this direction is definitely worth exploring.

49

CHAPTER 6

New Threshold Attribute-Based Signature Scheme

From the attacks in the previous chapter we can see that the idea of secret sharingintroduces a weakness in threshold attribute based ABS schemes. In this sectionwe propose a new scheme for threshold attribute based signatures which is con-ceptually based on ring signatures. We will first briefly relate the idea behind thescheme before presenting our construction.

Ring signature. A ring signature, introduced by Rivest et al. [RST01], is a formof digital signature which can be produced by any one member of a ring/group ofsigners, all of who have a set of public/secret key pairs. The ring-signature onlysays that the message was signed by one member of the ring, moreover, it will notreveal anything about the signer itself. Additionally, the members of the ring canbe quite arbitrary and the ring can be easily extended to include more people aslong as they each have their own public/private key pairs. Infact there is no needfor the ring members to be endowed with any special property at all. The factthat ring signatures can maintain the anonymity of a single signer from amongsta group of people, is what makes it appropriate for our threshold needs.

Figure 6.1: Ring ABS where each alleged member of the ring has 4 attributes.

Intuition. Any threshold attribute based signature ensures that the signer pos-sesses atleast t out of the specified signing attributes, say n∗ in number. Anotherway to look at this would be that, the signer has atleast 1 out of the

(n∗

t

)com-

binations of the attribute sets. Thus, a new approach to the same would be, forthe signer to pick some n′ sets of t attributes each from the

(n∗

t

)possible sets, and

prove that she has atleast one of the n′ sets in her possession. Showing that thesigner has 1 out of n′ sets is where the idea of ring signature fits in. Note herethat 1 ≤ n′ ≤

(n∗

t

). If, n′ ≥ 2, it would be sufficient to prove that the signature

is valid and the signer has the specified attributes, moreover it would also give areasonable degree of anonymity and not reveal the exact credentials of the signer.If, the actual predicate was an AND, then t = n∗, which means n′ = 1 and thesigner needs to prove the possession of the complete set of attributes. On theother hand, if the predicate consisted of just OR, then t = 1 and again the signercan choose an appropriate n′ depending on the amount of privacy she wishes tohave and then produce a signature. With this intuition, we are ready to see thedetails of the scheme.

6.1 Underlying Ring Signature

The underlying ring signature scheme that we use for our construction is theefficient ID-based ring signature scheme proposed by Chow et al. [CYH05]. Inthis section we will present the construction of the ring signature scheme. Notehere that ID represents the identity of a user.

6.1.1 Construction

Let G1 denote a cyclic additive group of prime order p on which the bilinearfunction is efficiently computable. Let e(·, ·) be the bilinear function, e : G1 ×G1 → G2. Let, H1 and H2 be two hash functions where, H1 : 0, 1∗ → G1 andH2 : 0, 1∗ → Z∗p.

Setup. The trusted authority (TA) randomly chooses x ∈R Zp , keeps it as themaster secret key and computes the corresponding public key Ppub = xP . Thesystem parameters are: G1,G2, e(·, ·), p, P, Ppub, H1, H2.

Key-Gen. The signer with identity ID ∈ 0, 1∗ submits ID to TA. TA sets thesigner’s public key QID to be H1(ID) ∈ G1, computes the signer’s private signingkey SID by SID = xQID. Then TA sends the private signing key to the signer viaa secure channel, or using some secure and anonymous protocol.

Sign. Let L = ID1, ID2, · · · , IDn be the set of all identities of n users. Theactual signer, indexed by s (i.e. his/her public key is QIDs = H(IDs)), carries outthe following steps to give an ID-based ring signature on behalf of the group L.

51

1. Choose Ui ∈R G1 , compute hi = H2(m||L||Ui)∀i ∈ 1, 2, · · · , n\s.

2. Choose r′s ∈R Zp , compute Us = r′sQIDs −∑

i 6=sUi + hiQIDi.

3. Compute hs = H2(m||L||Us) and V = (hs + r′s)SIDs .

4. Output the signature on m as σ = ⋃ni=1Ui, V .

Verify. A verifier can check the validity of a signature σ = ⋃ni=1Ui, V for

the message m and a set of identities L as follows.1. Compute hi = H2(m||L||Ui)∀i ∈ 1, 2, · · · , n.

2. Checking whether e(Ppub,∑n

i=1(Ui + hiQIDi)) = e(P, V ).

3. Accept the signature if it is true, reject otherwise.

Discussion. This signature scheme has formally been shown to have uncondi-tional signer anonymity property in [CYH05]. Also, the scheme is proven to beexistentially-unforgeable in the chosen message attack game by reduction to theCDH problem in the random oracle model. The reduction has been shown withthe help of forking lemma for generic ring signatures [HS04].

6.2 New ABS Scheme Construction

We present the construction for our scheme which is based on the ring signatureproposed in [CYH05]. Here, for each set of attributes in the chosen n′, we aggregatethe attributes by summing them up and form n′ components, one for each set.One of these components has the signer’s secret key embedded in it, making ita ring signature. During the verification phase the signer’s component also takescare of eliminating all the attribute sets except the one which is actually used forsigning, thus proving the possession of one among the chosen n′ attribute sets.Our construction also allows the key-generating authority to revoke anonymity ifrequired.

6.2.1 Setup

Let U denote the universe of attributes. U = A1, A2, · · · , An where Ai denotesan attribute. Let t denote the threshold that a user needs to satisfy and U∗ denotethe set of attributes in the predicate. If |U∗| = n∗ then, a user must have atleast tout of the n∗ attributes to be able to produce a valid signature on a message. LetG1 denote a cyclic additive group of prime order p on which the bilinear functionis efficiently computable. Let e(·, ·) be the bilinear function, e : G1 × G1 → G2.Let, H1, H2, H3, and H4 be four hash functions where, H1 : 0, 1∗ → G1,H2 : 0, 1∗ → Z∗p, H3 : 0, 1∗ → 0, 1∗ andH4 : 0, 1∗ → G1. Let the generatorof the group be P ∈R G1, secret key be α ∈R Z∗p, and denote γ = e(P, P ) ∈ G2.The master secret key (msk) is α and Ppub = αP .

52

params = (e,G1,G2, H1(·), H2(·), H3(·), H4(·), P, Ppub, δ) msk = α.

6.2.2 Key Generation

D ← KeyGen(Uβ, ID,msk). Let, Uβ be the set of attributes that a user β has.Let D denote the set of keys given to the user. Say, |Uβ| = nβ. Here, the attributeauthority picks a rβ ∈R Z∗p and then computes the following:

Qi = H1(Ai) Di = rβ · α ·Qi (∀Ai ∈ Uβ)

D0 = rβP D1 = r−1β P

ω = H3(Uβ, ID) W = H4(ω)

D2 = r−1β W

The attribute authority finally gives the key, D =Dii∈1,··· ,nβ, D0, D1, D2, ω

.

Key verification

Here, the user who is receiving the keys for her attributes can verify the secretkeys as follows.

e(D0, D1)?= γ

e(D0, D2)?= e(P,H4(H3(Uβ, ID)))

e(Di, D1)?= e(Qi, Ppub)

6.2.3 Sign

σ ← Sign(U∗, t, D,m, params). The signer who possesses atleast t of the at-tributes in U∗ must be able to produce a valid signature on a message m. LetTβ be the t-element subset of attributes of U∗, that the user chooses inorder togenerate the signature. i.e Tβ ⊆ U∗∩Uβ such that, |Tβ| = t. Let T be a collectionof n′ subsets of attributes from U∗ such that each of these subsets has a cardinalityof exactly t and no two of them are equivalent. We’ll assume that the sets in T areindexed by values from 1 to n′, and we’ll denote by Ti, the elements of T whichare each a subset of the attributes in U∗. So, the signer chooses Tii∈1,··· ,n′where Ti ⊆ U∗ , |Ti| = t , Ti 6= Tj and 2 ≤ n′ ≤

(n∗

t

). Without loss of generality,

we can assume that the set Tβ is present in T and is at a random index s where1 ≤ s ≤ n′. Thus, we refer to Tβ as Ts in our subsequent discussions. Hence, Tsis the set of t attributes that the signer possesses among U∗, and will use for thesignature, and the remaining (n′− 1) sets are used just for the sake of anonymity.Then, the signer computes the following signature components.

The signer first picks n′ random values, ri ∈R Z∗p for i = 1, · · · , n′, and anr∗ ∈R Z∗p and then proceeds to generate the signature on m as follows:

1. Set V0 = r∗D0, V1 = r∗−1D1 and V2 = r∗−1D2

53

2. Ui = ri ·∑

Aj∈TiQj, for i = 1, · · · , n′\s

3. We define, hi = H2(m,Ui, Ti, V0, V1, V2), for all i ∈ 1, · · · , n′\s.

4. Us =

(rs ·

∑Aj∈Ts

Qj

)−

(n′∑

i=1;i 6=s

(ri + hi)∑

Aj∈TiQj

)

5. We define, hs = H2(m,Us, Ts, V0, V1), in a manner consistent to that of thedefinition of the hi values.

6. We set, V = r∗(rs + hs)∑

Ai∈Ts Di and,

The final signature σ is given as:

σ =Tii=1,··· ,n′ , Uii=1,··· ,n′ , V , V0 , V1 , V2, ω

It is important to note in the algorithm that the size of the signature is inde-

pendent of the number of attributes, but depends more on the degree of privacythat the signer prefers. This is because, n′ is a factor that the signer chooses,depending on the amount of information the signer wishes to reveal.

6.2.4 Verify

The verifier can check the signature by performing the following computations:

e(V0 , V1)?= γ

e(V0 , V2)?= e(P,H4(ω))

e(V , V1)?= e

(n′∑i=1

(Ui + hi∑

Aj∈TiQj) , Ppub

)

The signature is valid only if all the three checks are satisfied, in all other casesit’s considered to be invalid.

Verification Analysis

We argue here that, if the steps of the algorithm are followed without deviationthen, the signature given is valid. We will show a proof of the correctness mathe-matically. Let’s first consider e(V0 , V1):

e(V0 , V1) = e(r∗D0 , r∗−1D1)

= e(r∗rβP , r∗−1r−1β P )

= e(P , P )

= γ

54

Next we check e(V0 , V2):

e(V0 , V2) = e(r∗D0 , r∗−1D2)

= e(r∗rβP , r∗−1r−1β H4(ω))

= e(P , H4(ω))

Now, we will see if the third verification is also valid. i.e Check if,

e(V , V1) = e

(n′∑i=1

(Ui + hi∑

Aj∈TiQj) , Ppub

)is correct for a valid signature. We

look at the L.H.S and the R.H.S components separately in showing the proof.

Consider the L.H.S:

e(V , V1

)= e

(r∗(rs + hs)

∑Ai∈Ts

Di , r∗−1D1

)

= e

((rs + hs)

∑Ai∈Ts

Di , r−1β P

)

= e

((rs + hs) · rβ · α

∑Ai∈Ts

Qi , r−1β P

)= e

((rs + hs) · α

∑Ai∈Ts

Qi , P)

= e

((rs + hs) ·

∑Ai∈Ts

Qi , α · P)

= e

((rs + hs) ·

∑Ai∈Ts

Qi , Ppub)

(6.1)

Now, for the R.H.S:

e

(n′∑i=1

(Ui + hi∑

Aj∈TiQj) , Ppub

)

We’ll consider the first componentn′∑i=1

(Ui + hi∑

Aj∈TiQj) and simplify it before we

compute the mapping.

55

n′∑i=1

(Ui + hi∑

Aj∈TiQj) =

n′∑i=1

Ui +n′∑i=1

(hi ·∑

Aj∈TiQj)

= Us +n′∑

i=1;i 6=s

Ui + (hs ·∑

Aj∈TsQj) +

n′∑i=1;i 6=s

(hi ·∑

Aj∈TiQj)

=

(rs ·

∑Aj∈Ts

Qj

)−

(n′∑

i=1;i 6=s

(ri + hi)∑

Aj∈TiQj

)

+ (hs ·∑

Aj∈TsQj) +

n′∑i=1;i 6=s

Ui +n′∑

i=1;i 6=s

(hi ·∑

Aj∈TiQj)

=

(rs ·

∑Aj∈Ts

Qj

)−

(n′∑

i=1;i 6=s

(ri + hi)∑

Aj∈TiQj

)+ (hs ·

∑Aj∈Ts

Qj) +∑i 6=s

(ri∑

Aj∈TiQj) +

∑i 6=s

(hi∑

Aj∈TiQj)

= (rs + hs) ·∑

Ai∈TsQi (6.2)

Using the above we get R.H.S to be,

e

(n′∑i=1

(Ui + hi∑

Aj∈TiQj) , Ppub

)= e

((rs + hs) ·

∑Ai∈Ts

Qi , Ppub)

(6.3)

Thus, from equations (6.1), (6.2) and (6.3) we can see that the verificationholds and can be performed using the public values.

6.3 Security

We will show that our threshold attribute based signature scheme is existentiallyunforgeable with respect to the chosen message attack (CMA) .

6.3.1 Security Notions

We first define the game under which our threshold attribute based ring signaturescheme is existentially unforgeable.

Setup. The challenger C takes a security parameter k and runs the Setup togenerate common public parameters params and also the master secret key α. Csends params to adversary A.

Attack. The adversary A chooses a specific attribute Ax and gives it to C. Ad-versary can then perform polynomially bounded number of queries in an adaptivemanner (interactively) with the oracles.

56

- Hash functions. A can query for the output of the hash functions H1(·) andH2(·) for any input.

- KeyGen. A is allowed to query the key for any set of attributes ( the setmay include Ax).

- Sign. A picks a set of attributes U ′ (it can contain Ax), a threshold t′, andany message m; C will output (t′, n)-threshold ABS signature on m.

Forgery. At the end of the game, A outputs a threshold attribute based signa-ture σ on the set of attributes U∗. The restriction being Ax must be an element ofevery subset Ti given by A, where |Ti| = t′′ (threshold number of elements). Also,the chosen set of attributes must not have been queried (as a single set) directly oras a subset (of a larger set) during any of the key-generation or signature queries.This ensures that, the adversary has not queried for atleast one element from eachsubset of elements which can possibly satisfy the threshold. This game model alsocaptures the proof of security for the scheme’s collusion-resistant nature. This isbecause, here, the adversary may have the keys for all of the attributes (includingAx) as part of one set or an other, but A should not be able to combine the secretkeys to generate a signature for the given set. A wins the game if the verificationon σ passes the check.

6.3.2 Modified Computational Bilinear Diffie-Hellman As-sumption.

We’ll state the modified computational Diffie-Hellman problem, as we use it, toprove the security of our scheme.

Let e : G × G → GT be an efficiently computable bilinear map, where G hasprime order p. The modified computational bilinear diffie-hellman(m-CBDH) as-sumption is said to hold inG if, given elements P, aP, bP, cP, a−1P, then no prob-abilistic polynomial-time adversary can compute e(P, P )abc with non-negligible ad-vantage, where a, b, c ∈R Z∗p and generator P ∈ G are chosen independently anduniformly at random.

6.3.3 Unforgeability

Theorem 6.3.1 (Unforgeability) In the random oracle model (where the hashfunctions are modeled as random oracles), if there exists an algorithm A thatcan win the existentially unforgeable, chosen message attack game, with non-negligible probability by making a valid ABS in polynomial time, then the modified-computational bilinear Diffie-Hellman (m-CBDH) problem can be solved in poly-nomial time.

Proof: The proof for the unforgeability of our threshold attribute based sig-nature follows, to some extent, that given by Chow et al. in [CYH05]. In the

57

subsequent discussion we will show the reduction of our scheme to solving theCBDH problem.

Inorder to solve the m-CBDH problem, the challenger C receives the instanceP, aP, bP, cP, a−1P and has to finally produce e(P, P )abc as the output. Thechallenger will run A as a subroutine in the existential unforgeability game. Asdefined in the game, A can make queries to the hash functions; although the hashoutputs will be random, the challenger C will maintain separate lists of the queryand response of each oracle in order to simulate proper collision-resistant hashfunctions and avoid inconsistencies. Also, in the proof, we’ll make the assumptionthat all the H1(Ai) queries are made before they are used in any further oraclequeries.

Setting. First, the challenger C sets the public-key as Ppub = aP and mastersecret as α = a. Note that C does not know a, b or c, but it will simulate thosevalues during its responses to A, with the help of aP , bP , cP and a−1P .

H1 queries. When A makes queries to the hash function H1(·) with input assome attribute Ai, C does the following. If Ai was already queried before, the hashvalue will be in the list L1 and C will search and give the stored value. Otherwise,it first picks an si ∈ Z∗p uniformly at random, and then checks if this value ispresent in the list L1. If it is present C re-picks si repeating the process until itgets a new value. Then, if Ai 6= Ax, it sets Qi = H1(Ai) = siP . If Ai = Ax, then itsets Qx = H1(Ax) = sx(bP ). After each response, C makes sure to save the tuple< Ai, si, Qi > in the list L1, if it wasn’t already present.

H3 queries. Queries to the H3 oracle are answered by the challenger as follows.C picks an ω ∈ Z∗p uniformly at random, and then checks if this value is presentin the list L3. If it is present, then it re-picks ω repeating the process until it getsa new value. Then the tuple < Uβ, ID, ω > is added to list L3.

H4 queries. List L4 is used to maintain the queries and responses of this oracle.When an input ω is queried for its hash, the list L4 is looked up to see if a matchingentry already exists, if it is found the corresponding value is returned. In all othercases, an w ∈R Z∗p is picked uniformly at random and W is set to be W = wcP .The tuple of, < ω,W,w > is added to the list, L4.

Key-Gen queries. Adversary A is allowed to request for the private keys onany set of attributes Uβ (including Ax). So, we will consider this in two cases: (1)when the element Ax /∈ Uβ, and (2) when the element Ax ∈ Uβ.

Case-1 : When the challenger gets a query where Ax /∈ Uβ, C first picks rβ′ ∈RZ∗p and then gives the keys as follows:

1. Set, D0 = rβ′P and D1 = r−1β′ P

58

2. Now, ω = H3(Uβ, ID)

3. W = H4(ω), this is set as W = w(cP ) (w ∈R Z∗p)

4. Tuple < Uβ, ID, ω > is added to L3 and tuple < ω,w,W > is added to L4.

5. Compute, D2 = r−1β′ W = r−1

β′ w(cP )

6. It retrieves the tuple < Ai, si, Qi > corresponding to Ai from the list L1.

7. Then, sets Di = rβ′ · si · (aP ) and returns Di.

Case-2: If however, Ax ∈ Uβ, then the keys given are follows. Let, rγ ∈R Z∗p,be chosen at random. Assume, rβ = rγ/a. Then, the rest of the values are set asfollows:

1. Set, D0 = rβP = rγ(a−1P ) and D1 = r−1

β P = r−1γ (aP )

2. Now, ω = H3(Uβ, ID)

3. W = H4(ω), this is set as W = wP (w ∈R Z∗p)

4. Tuple < Uβ, ID, ω > is added to L3 and tuple < ω,w,W > is added to L4.

5. Compute, D2 = r−1β W = r−1

γ w(aP )

6. Finally, Di = rβ · α ·Qi = rγsx(bP ) (∀Ai ∈ Uβ)

The final key is given as, D =Dii∈1,··· ,nβ, D0, D1, D2, ω

.

In both cases, all the intermediate random values that have been chosen by thechallenger are added to the respective lists along with the computed componentsand final responses.

H2 queries. Whenever queries to H2(·) are made, C first looks up entries in L2

to see if the same query was made previously. If a matching entry is found, itgives the corresponding saved hash value, otherwise, it just picks a random valuefrom Z∗p and gives it as output, storing the input and response as a tuple in L2.

Sign. Signature requests are answered by C as follows:

It picks a Ts at random first. If Ax /∈ Ts, then it computes the signatureas in the algorithm in Section(6.2.3) since it knows all the components. It alsomakes sure to save the hash queries and responses, like hi = H2(m,Ui, Ti, V0, V1)components in list L2. If however, Ax ∈ Ts, it first selects n′ random values,ri ∈R Z∗p for i = 1, · · · , n′, and computes the following:

1. V0 = r∗D0 = r∗−1rβ′P, V1 = r∗−1D1 = r∗−1r−1β′ P

V2 = r∗−1D2 = r∗−1r−1β′ H4(ω)

2. Add the values rβ, Uβ, D0, D1, D2, Ts to the sign oracle list.

59

3. Picks z ∈R Z∗p and sets1, V = r∗rβ′ · z · (aP )

4. For i ∈ 1, · · · , n′\s- Computes Ui = ri ·

∑Aj∈Ti

Qj

- Gets hi = H2(m,Ui, Ti, V0, V1, V2) and saves hi in list L2

5. Us = zP −

(h′s ·

∑Aj∈Ts

Qj

)−

(∑i 6=s

(ri + hi)∑

Aj∈TiQj

)

6. V = r∗−1rβ′z(aP )

7. Save the tuple < h′s, Us, Ts, V0, V1, V2, V > in L2.

8. σ =Tii=1,··· ,n′ , Uii=1,··· ,n′ , V , V0 , V1 , V2 , ω

Proof for the verification of this signature can be found in Appendix(A.1).

Forgery. Finally, A will output σ =Ti, Uii=1,··· ,n′ , V , V0 , V1 , V2 , ω

,

the forged signature on the message m such that Ax is present in each of thechosen subsets, Ti, on which the ring signature is given.

Solving CBDH. From the forking lemma for generic ring signature schemes[HS04] it follows that, if with non-negligible probability, A can give a valid forgedsignature in the above interaction within time TA, then we can construct anotheralgorithmA′ which within time 2TA can output two signatures σ and σ′ with valuesσ =

Ti, Uii=1,··· ,n′, V , V0,V1,V2, ω

; σ′ =

Ti, Uii=1,··· ,n′, V ′, V ′0 ,V ′1 ,V ′2 , ω

also with non-negligible probability. It also follows from the lemma that withnon-negligible probability, we can have hi = h′i, for all i ∈ 1, · · · , n′\s. Now,given A′ derived from A, we can solve for e(P, P )abc as follows.

e(P, P )abc =

( e(V, V2)

e(V ′, V ′2)

)w−1(hs−h′s)−1

÷ e

∑Aj∈TsAj 6=Ax

(siaP ), cP

s−1x

This is possible since, sx can be looked up from the list L1, and values of si (forall Ai ∈ Ts, Ai 6= Ax) can also be found from table L1. Also, hs and h′s can bequeried on H2’s list L2 from the given values, and can be found within a constantnumber of trials.

A more detailed derivation, showing the computations involved in extractingthe solution for CBDH can be found in the Appendix(A.2).

1Note: This cannot be done by a normal signer since rβ′ will only be available to the attributeauthority.

60

6.3.4 Anonymity

In this section we will define what anonymity is and prove that our scheme providesunconditional anonymity to the signer’s attribute subset used in the signature.

We define signer ambiguity for our scheme in a manner similar to the one givenin [CYH05] for ring signatures. An attribute-based signature scheme, using thering approach as defined by us, for the threshold access structure, is said to haveunconditional signer attribute-set ambiguity if for any group of n′ attribute subsetsT, where T =

⋃Ti , ∀1 ≤ i ≤ n′ , Ti ⊆ U∗ and |Ti| = t , any message m and

any signature σ, where σ = Sign(m, t, U∗); any verifier A even with unboundedcomputing resources, cannot identify the actual attribute subset of the signer (usedin the signature) with probability better than a random guess. That is, A canoutput the actual signer’s chosen attribute subset (indexed by Ts) with probabilityno better than 1/n′.

Theorem 6.3.2 (anonymity) Our threshold attribute-based signature has un-conditional signer attribute-set anonymity property.

Proof: We first claim that all the Ui’s are uniformly distributed. This is because,each Ui (including Us) is obtained via multiplying the components with a value ri,that is chosen uniformly at random. So, we can say that the Ui’s by themselves(as independent entities) don’t leak any information. Another component of thesignature, ω, is a hash of the attributes of the user, but since it’s a hash and iscreated even before Ts is chosen, it cannot reveal anything about Ts. Also, theother values, V0, V1 and V2 are unrelated to Ts. So, it remains to be seen if V givesaway any information about Ts with the help of the bilinear map function alongwith any of the given components and public values.

So, we will consider if V = r∗(rs + hs)∑

Ai∈Ts Di, leaks anything about Ts.Let us focus on V − r∗hs

∑Ai∈Ts Di = r∗rs

∑Ai∈Ts Di. The hs component can be

obtained publicly since it is a hash. We’ll see if this component gives away infor-mation related to Ts when considered along with V1 = r∗−1r−1

β P , in the bilinearmap. If we manage to get r∗rs

∑Ai∈Ts Di, then we can do the following verifica-

tion test: we check if e(r∗rs∑

Ai∈Ts Di, V1) = e(rs∑

Ai∈Ts Qi, Ppub)? To do this,any user who suspects that the set Tk was used in signing of the message will onlyneed to check if, e(Uk +

∑i 6=k

(Ui + hi∑

Aj∈TiQj), Ppub)

?= e(V, V1)/e(hk

∑Aj∈Tk

Qj, Ppub).

We will now show that, although the above equality is valid for k = s, it isequally valid for any of the other attribute subsets in T i.e the check is symmetricwith respect to any attribute subset and hence does not reveal anything about Ts.

61

To see that, consider:

Uk +∑i 6=k

(Ui + hi∑

Aj∈TiQj), Ppub) = Us +

∑i 6=s(Ui) +

∑i 6=k

(hi∑

Aj∈TiQj

=

(rs ·

∑Aj∈Ts

Qj

)−

(∑i 6=s

(ri + hi)∑

Aj∈TiQj

)+∑i 6=s

(Ui) +∑i 6=k

(hi∑

Aj∈TiQj)

= rs ·∑

Aj∈TsQj −

∑i 6=s

ri∑

Aj∈TiQj −

∑i 6=s

hi∑

Aj∈TiQj

+∑i 6=s

(Ui) +∑i 6=k

(hi∑

Aj∈TiQj)

= rs ·∑

Aj∈TsQj − hk

∑Aj∈Tk

Qj + hs∑

Aj∈TsQj

= (rs + hs)∑

Aj∈TsQj − hk

∑Aj∈Tk

Qj

= (V )r∗−1r−1

β α−1 − hk∑

Aj∈TkQj

Thus,

e(Uk +∑i 6=k

(Ui + hi∑

Aj∈TiQj), Ppub) = e((V )r

∗−1r−1β α−1 − hk

∑Aj∈Tk

Qj, Ppub)

= e(V, V1)/e(hk∑

Aj∈TkQj, Ppub)

This proves that the check is symmetric with all attribute subsets in T =⋃Ti , ∀1 ≤ i ≤ n′. So, the signature components are independent and uniformly

distributed irrespective of the attribute subset being used. Thus, our scheme isunconditionally signer attribute-set anonymous.

6.4 Advantages of the new approach

The proposed threshold scheme has a new property that we can call controlledpartial anonymity which is not known to be present (to the best of the our knowl-edge) in any of the previous threshold attribute based signature schemes. Thisis a feature that would allow the signers to control their anonymity even if thesigning policy is not determined by them. We will illustrate this feature with anexample. Let us say Alice is signing a document which wants the signer to satisfya threshold predicate, and she has sufficient attributes to satisfy the predicate.Say, one of the attributes of the signing policy is CIA officer. Now, Alice beinga CIA officer among other things wishes to highlight this particular fact in her

62

signature (although it may not be necessary). She can choose all the n′ attributesets Tii∈1,··· ,n′ with CIA officer being one of the attributes in each of thesesets. By doing this, she has control over which of her attributes she wants toreveal. But if Alice does not wish to reveal anything about her credentials exceptthat they satisfy the necessary threshold, then she will have to give all the

(n∗

t

)possible sets. If on the other-hand, Alice is completely indifferent about revealingall of her attributes, then she can give a signature and include a single subset ofattributes. And that set should contain just the exact set of attributes used in thesignature inorder to satisfy the given policy. Note that this will also be a constantsize signature, since it will have only one Ti and Ui.

The power that this feature gives is that, even if the signing policy is specifiedby a different authority, the signer can choose to reveal more in the signature thanwhat other schemes would normally allow. In a way, our approach allows thesigner control over the signature size and privacy, although he/she may not havehad the freedom to set the signing policy. If a signer does not care about privacy,then she can go for a constant size signature. On the other-hand if the size ofthe signature components is immaterial, then signer can choose to get completeprivacy by choosing all the subsets of attributes satisfying the policy to be a partof the signature.

We also observe that this scheme can be extended to a multi-level thresholdattribute based signature if each attribute is present only once in the predicate.

63

CHAPTER 7

Conclusions and Directions for Future Work

We conclude our discussions on attribute-based cryptosystems in this chapter. Wewill first recap our work on size efficient attribute based schemes and present someof the challenges this area poses. We will then revisit the security of ABS schemesand outline our inferences. We present some interesting directions for future workin the area of threshold attribute-based signatures with particular focus on ournew approach. We also give some intuitions for potential solutions to some of theproblems we pose. Finally we’ll end this chapter by summarizing our work andpresent the potential this field has in the emerging computing world.

7.1 Conclusion

7.1.1 Threshold CP-ABE

The first problem we looked at was the multi-level threshold attribute-based en-cryption. We focused on ciphertext-policy based schemes since CP-ABE addressesthe problem of attribute-based communication in a natural way, i.e the accesspolicy is associated with the ciphertext during encryption and each user gets keysbased on the attributes/credentials they have. We paid particular attention toefficiency because, almost all attribute-based solutions require a huge number ofcomponents for keys and ciphertext, making them cumbersome for large-scaletasks. Although some constant-size threshold schemes exist, they only supportone gate and are not as expressive as some of the applications and real-world sit-uations require them to be. Ours is an attempt to give an efficient scheme thatdoes not compromise on the expressiveness of the access policy. We also believethat ours is the first multi-level threshold scheme where the size of the ciphertextis proportional to the complexity of the predicate policy as opposed to the numberof attributes involved.

Proposed Extensions. Our scheme appears to be provable only in the genericmodel. An immediate open problem would be to provide a scheme that can bereduced to a well known hard assumption. Additionally, this problem would beconsidered as completely solved only if a scheme that can be proved in the standardmodel is also presented.

Another natural extension to our work would be to design a provably secureconstant-size multi-level threshold CP-ABE scheme. Such a scheme would be mostpractical, both for it’s compactness and the manifold control that it can provideto the access policy.

7.1.2 Attribute Based Signatures

With regard to attribute-based signatures, our study has shown that many of theABS schemes have been influenced by CP-ABE constructions. We also observedthat the idea of secret sharing and use of dummy attributes play an importantrole in the formulation of schemes that support threshold access structures. Theseobservations coupled with our study of Waters’ signature on the attributes gaveus some intuitions for the attacks. However, we have seen other threshold schemesmaking use of secret sharing that do not exhibit this vulnerability. We notice thatsome these schemes use different mechanisms to generate their keys, and someothers using Waters’ signature ensure a check on the dummy values provided tothe user. Modifying the broken schemes to force some properties on number ofdummy values makes them inept for threshold predicates. This has led us toconclude that the schemes for which we presented breaks cannot be fixed easily.

Open Problem. We leave it as an open problem to come up with a provablysecure attribute based signature scheme with a key construct that makes use ofthe linear secret sharing scheme combined with Waters’ signature.

7.1.3 Threshold ABS - New Directions

In our work on threshold attribute based signatures, we give a completely newperspective on the problem of threshold signatures. Instead of viewing it as asingle (k, n) component, we break it up as 1-out-of-n′, k-sized, components. Thisview gives us the flexibility to use the trusted and well established idea of ringsignatures for the signing algorithm. However, there is still the challenge of beingable to aggregate the attributes into k-sized components. While aggregate signa-ture allows one to verify each sub-component’s identity(signer), the fundamentalaspect in ring signature is to give anonymity and prevent anyone from recognizingthe exact signer. The combination of these two contrasting features is critical indevising a scheme based on our new concept. It is easy to see from our scheme thatthe aggregation is required since we want to be able to identify all the attributesin each of the chosen n′ subsets. However, we use the ring externally, to combinethese subsets so that a recipient is not able to identify which of the subsets wasused during the signing algorithm. Our scheme provides a construct that mapsboth features to create an interesting threshold ABS scheme that gives the signera different way to control his/her anonymity.

Future directions. In this thesis we show our scheme can be reduced to a mod-ified version of the CBDH problem with the help of the forking lemma. However,we make use of the forking lemma which does not lead to a tight reduction. Achallenging line of work would be to develop a scheme that can be proved securewithout the use of forking lemma. If such a scheme can be provided it can alsoaddress the open problem of creating a provably secure ring signature scheme witha tight-reduction to some hard problem.

65

7.2 Summary

We began this work by studying various aspects of attribute-based cryptosystems.We looked at the origin of attribute-based encryption and traced its development.We then closely investigated size-efficient CP-ABE schemes. Later, we movedto threshold CP-ABE schemes that had achieved constant-size ciphertexts. Ourobservation that all the proposed constant-size ABE schemes could support onlyone gate, led us to explore and obtain an efficient and expressive threshold CP-ABE scheme. We inferred that an extension of the regular threshold schemes tomulti-level threshold would give them the required expressiveness. The scheme wepropose here supports multiple levels of threshold and at the same time has farfewer ciphertext components than previous such schemes. Our scheme results ina ciphertext-size that is independent of the number of attributes, it depends onlyon the number of gates in the access structure. Although our proposal appearsreliable and robust (which we have seen with an example) it’s security remains tobe formalized. A good extension in this area would be to devise a provably secureconstant-size ciphertext multi-threshold CP-ABE.

Next, we looked at attribute-based signatures, and pointed out vulnerabilitiesin a number of schemes. We closely examined the key-generating algorithm onwhich our attacks were based. Then, we formally presented the different kindof ways in which each of these schemes could be attacked. We concluded thatthe attacks cannot be fixed easily just by changing the number of components(attributes and dummies) given to the user; a fix would require a different key-generating mechanism altogether. But we still think it is a worthwhile ventureto design a threshold attribute-based signature scheme built on Waters’ signatureand secret sharing principle, that is resistant to our attack.

With the momentum of the breaks we decided to explore a new way to per-ceive threshold attribute-based signatures. Threshold is an instantly appealingpredicate primarily due to its versatility. So, we took up the challenge of creatinga novel threshold-ABS scheme founded on the principles of ring signatures. Ourconstruction aggregated attribute sets and gave a signature on a ring comprisingof various attribute subsets. Although our scheme is sound, it has been provedsecure in the selective model with the help of the forking lemma which makes thereduction, and in turn, the security, weak. A good problem in this direction wouldbe to come up with a tightly-reducible scheme based on the proposed approach.This can also lead to resolving some open problems in ring signatures.

Finally, in this chapter, we gave a more complete picture of our work inattribute-based cryptosystems. We consolidated our observations and inferences.We also reflected on some of the interesting lines on which work in this area canproceed. The problems we have looked at are all fundamental issues faced indistributed settings. With large-scale data decentralization and vast networks ofdistributed data (from social networks, cloud-computing, electronic-mail etc.) wecan see a number of avenues where such kind of security is highly pertinent. Bytackling these problems, we not only look at solving some central security issues,we also embrace these emerging technologies and the new revolution in communi-cation that they bring with them.

66

APPENDIX A

Detailed Analysis of Proof

This chapter is dedicated to show the correctness of the verification steps usedin the proof of our scheme in Chapter(6), in particular we look at the proof forTheorem(6.3.1).

A.1 Sign Oracle Correctness

We will show the proof for the verification of the signature generated by the oraclewhile showing the security of the scheme (from Section(6.3.3)).

The signature components generated by the sign oracle are as follows:

1. V0 = r∗D0 = r∗−1rβ′P, V1 = r∗−1D1 = r∗−1r−1β′ P

V2 = r∗−1D2 = r∗−1r−1β′ H4(ω)

2. V = r∗rβ′ · z · (aP )

3. For i ∈ 1, · · · , n′\s- Computes Ui = ri ·

∑Aj∈Ti

Qj

- Gets hi = H2(m,Ui, Ti, V0, V1, V2)

4. Us = zP −

(h′s ·

∑Aj∈Ts

Qj

)−

(∑i 6=s

(ri + hi)∑

Aj∈TiQj

)

5. V = r∗−1rβ′z(aP )

6. σ =Tii=1,··· ,n′ , Uii=1,··· ,n′ , V , V0 , V1 , V2, , ω

Now, the verification has to satisfy the following three equations:

e(V0 , V1)?= γ

e(V0 , V2)?= e(P,H4(ω))

e(V , V1)?= e

(n′∑i=1

(Ui + hi∑

Aj∈TiQj) , Ppub

)

A.1.1 Verification analysis

Let’s first consider e(V0 , V1):

e(V0 , V1) = e(D0 , D1) = e(rβP , r−1β P ) = e(P , P ) = γ

Similarly, for e(V0 , V2):

e(V0 , V2) = e(D0 , D2) = e(r∗rβP , r∗−1r−1β H4(ω)) = e(P , H4(ω)) = δ

Now, we will see if e(V , V1) = e

(n′∑i=1

(Ui + hi∑

Aj∈TiQj) , Ppub

)will hold true.

Consider the L.H.S:

e(V , V1

)= e

(rβ′ · z · (aP ) , r−1

β P)

= e (z · (aP ) , P )

= e (zP , Ppub) (A.1)

Now, for the R.H.S:

e

(n′∑i=1

(Ui + hi∑

Aj∈TiQj) , Ppub

)Let’s just consider the first component:

n′∑i=1

(Ui + hi∑

Aj∈TiQj) =

n′∑i=1

Ui +n′∑i=1

(hi ·∑

Aj∈TiQj)

= Us +n′∑

i=1;i 6=s

Ui + (h′s ·∑

Aj∈TsQj) +

n′∑i=1;i 6=s

(hi ·∑

Aj∈TiQj)

= zP −

(h′s ·

∑Aj∈Ts

Qj

)−

(∑i 6=s

(ri + hi)∑

Aj∈TiQj

)

+ (h′s ·∑

Aj∈TsQj) +

n′∑i=1;i 6=s

Ui +n′∑

i=1;i 6=s

(hi ·∑

Aj∈TiQj)

= zP −

(n′∑

i=1;i 6=s

(ri + hi)∑

Aj∈TiQj

)+∑i 6=s

(ri∑

Aj∈TiQj) +

∑i 6=s

(hi∑

Aj∈TiQj)

= zP (A.2)

68

Thus, R.H.S also reduces to,

e

(n′∑i=1

(Ui + hi∑

Aj∈TiQj) , Ppub

)= e(zP, Ppub) (A.3)

From equations (A.1), (A.2) and (A.3) we can see that the verification holds forthe constructed signature.

A.2 Correctness of Solving CBDH

After using the forking lemma (refer Section(6.3.3)), let us say we have two sig-natures σ and σ′ which have the following components:

V = r∗1(rs + hs)∑Ai∈Ts

Di V ′ = r∗2(rs + h′s)∑Ai∈Ts

Di

V2 = r∗1−1rβ1

−1wcP V ′2 = r∗2−1rβ2

−1wcP

V = r∗rβ1(rs + hs)(absxP + a∑

Ai∈TS ,i 6=x

Qi)

= r∗rβ1(rs + hs)(absxP + a∑

Ai∈TS ,i 6=x

siP )

W1 = e(V, V2)

= e(P, P )(rs+hs)(absxP+a

∑Ai∈TS,i 6=x

si)(wc)

X1 = Ww−1

1 = γ(rs+hs)(abcsxP+ac

∑i 6=x

si)

(A.4)

Similarly, set W2 = e(V ′, V ′2) and get X2 as follows:

X2 = Ww−1

2 = γ(rs+h′s)(abcsxP+ac

∑i 6=x

si)

Now, we do the following,

Y1 =X1

X2

= γ(hs−h′s)(abcsxP+ac

∑i 6=x

si)

Y = Y(hs−h′s)−1

1 = γ(abcsxP+ac

∑i 6=x

si)

Y = e(∑

i∈Ts,i 6=x

si(aP ), cP ) = γac

∑i 6=x

si

Z =Y

Y= γabc·sx

(Z)−sx = γabc = e(P, P )abc (A.5)

69

REFERENCES

[Boy07] Xavier Boyen. Mesh signatures. In Proceedings of the 26th annualinternational conference on Advances in Cryptology, EUROCRYPT’07, pages 210–227, Berlin, Heidelberg, 2007. Springer-Verlag.

[BS04] Dan Boneh and Hovav Shacham. Group signatures with verifier-localrevocation. In ACM Conference on Computer and CommunicationsSecurity, pages 168–177, 2004.

[BSW07] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policyattribute-based encryption. In IEEE Symposium on Security andPrivacy, pages 321–334, 2007.

[Cam97] Jan Camenisch. Efficient and generalized group signatures. InProceedings of the 16th annual international conference on Theoryand application of cryptographic techniques, EUROCRYPT’97, pages465–479, Berlin, Heidelberg, 1997. Springer-Verlag.

[CN07] Ling Cheung and Calvin Newport. Provably secure ciphertext policyabe. In Proceedings of the 14th ACM conference on Computer andcommunications security, CCS ’07, pages 456–465, New York, NY,USA, 2007. ACM.

[CYH05] Sherman S. M. Chow, S. M. Yiu, and Lucas C. K. Hui. Efficient iden-tity based ring signature. In Applied Crypto and Network Security -ACNS 2005, LNCS 3531, pages 499–512. Springer, 2005.

[DP08] Cécile Delerablée and David Pointcheval. Dynamic threshold public-key encryption. In Proceedings of the 28th Annual conference onCryptology: Advances in Cryptology, CRYPTO 2008, pages 317–334,Berlin, Heidelberg, 2008. Springer-Verlag.

[EMN+09] Keita Emura, Atsuko Miyaji, Akito Nomura, Kazumasa Omote,and Masakazu Soshi. A ciphertext-policy attribute-based encryptionscheme with constant ciphertext length. In Proceedings of the 5thInternational Conference on Information Security Practice and Ex-perience, ISPEC ’09, pages 13–23, Berlin, Heidelberg, 2009. Springer-Verlag.

[GJPS08] Vipul Goyal, Abhishek Jain, Omkant Pandey, and Amit Sahai.Bounded ciphertext policy attribute based encryption. In Proceed-ings of the 35th international colloquium on Automata, Languagesand Programming, Part II, ICALP ’08, pages 579–591, Berlin, Hei-delberg, 2008. Springer-Verlag.

70

[GNSN10] Martin Gagné, Shivaramakrishnan Narayan, and Reihaneh Safavi-Naini. Threshold attribute-based signcryption. In SCN, pages 154–171, 2010.

[GPSW06] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters.Attribute-based encryption for fine-grained access control of en-crypted data. In Proceedings of the 13th ACM conference on Com-puter and communications security, CCS ’06, pages 89–98, New York,NY, USA, 2006. ACM.

[GS08] Jens Groth and Amit Sahai. Efficient non-interactive proof systemsfor bilinear groups. In EUROCRYPT, pages 415–432, 2008.

[HLR10] Javier Herranz, Fabien Laguillaumie, and Carla Ràfols. Constant sizeciphertexts in threshold attribute-based encryption. In Public KeyCryptography, pages 19–34, 2010.

[HS04] Javier Herranz and Germán Sáez. New identity-based ring signatureschemes. In ICICS’04, pages 27–39, 2004.

[KABPR10] Swarun Kumar, Shivank Agrawal, Subha Balaraman, andC Pandu Rangan. Attribute based signatures for bounded multi-levelthreshold circuits. In Proceedings of the 7th European Workshop onPublic Key Services, Applications and Infrastructures, EuroPKI ’10,2010.

[Kha07a] Dalia Khader. Attribute based group signature with revocation.Cryptology ePrint Archive, Report 2007/241, 2007. http://eprint.iacr.org/.

[Kha07b] Dalia Khader. Attribute based group signatures. Cryptology ePrintArchive, Report 2007/159, 2007. http://eprint.iacr.org/.

[LAS+10] Jin Li, Man Ho Au, Willy Susilo, Dongqing Xie, and Kui Ren.Attribute-based signature and its applications. In Proceedings of the5th ACM Symposium on Information, Computer and Communica-tions Security, ASIACCS ’10, pages 60–69, New York, NY, USA,2010. ACM.

[LK08] Jin Li and Kwangjo Kim. Attribute-based ring signatures. Cryptol-ogy ePrint Archive, Report 2008/394, 2008. http://eprint.iacr.org/.

[LK10] Jin Li and Kwangjo Kim. Hidden attribute-based signatures withoutanonymity revocation. Inf. Sci., 180:1681–1689, May 2010.

[MPR08] Hemanta Maji, Manoj Prabhakaran, and Mike Rosulek. Attribute-based signatures: Achieving attribute-privacy and collusion-resistance. Cryptology ePrint Archive, Report 2008/328, 2008.http://eprint.iacr.org/.

71

[MPR10] Hemanta K. Maji, Manoj Prabhakaran, and Mike Rosulek.Attribute-based signatures. Cryptology ePrint Archive, Report2010/595, 2010. http://eprint.iacr.org/.

[NYO09] Takashi Nishide, Kazuki Yoneyama, and Kazuo Ohta. Attribute-based encryption with partially hidden ciphertext policies. IEICETransactions, 92-A(1):22–32, 2009.

[OSW07] Rafail Ostrovsky, Amit Sahai, and Brent Waters. Attribute-basedencryption with non-monotonic access structures. In Proceedings ofthe 14th ACM conference on Computer and communications security,CCS ’07, pages 195–203, New York, NY, USA, 2007. ACM.

[RST01] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak asecret. In Proceedings of the 7th International Conference on theTheory and Application of Cryptology and Information Security: Ad-vances in Cryptology, pages 554–567. Springer-Verlag, 2001.

[Sha79] Adi Shamir. How to share a secret. Commun. ACM, 22(11):612–613,1979.

[SSN09] Siamak F. Shahandashti and Reihaneh Safavi-Naini. Thresholdattribute-based signatures and their application to anonymous cre-dential systems. In Proceedings of the 2nd International Conferenceon Cryptology in Africa: Progress in Cryptology, AFRICACRYPT’09, pages 198–216, Berlin, Heidelberg, 2009. Springer-Verlag.

[SW05] Amit Sahai and Brent Waters. Fuzzy identity-based encryption. InEUROCRYPT, pages 457–473, 2005.

[Wat05] Brent Waters. Efficient identity-based encryption without randomoracles. In EUROCRYPT, pages 114–127, 2005.

[Wat08] Brent Waters. Ciphertext-policy attribute-based encryption: An ex-pressive, efficient, and provably secure realization. Cryptology ePrintArchive, Report 2008/290, 2008. http://eprint.iacr.org/.

[ZH10] Zhibin Zhou and Dijiang Huang. On efficient ciphertext-policy at-tribute based encryption and broadcast encryption: extended ab-stract. In Proceedings of the 17th ACM conference on Computer andcommunications security, CCS ’10, pages 753–755, New York, NY,USA, 2010. ACM.

72