

2. Mathematical Background

2.5 Complex Multiplication Method

In the previous Section, we know that the embedding degrees of supersingular curves are small. But there are also ordinary curves with low embedding degrees.

All known techniques for generating ordinary curves with low embedding degrees are based on the Complex Multiplication (CM) method.

Let 𝑞 be a prime. The CM method is an algorithm for finding an elliptic curve 𝐸 over 𝐹_𝑞 such that 𝐸 has 𝑞 + 1 − 𝑡 points over 𝐹_𝑞, where −2√𝑞 ≤ 𝑡 ≤ 2√𝑞.


The CM equation is

𝐷𝑉^2 = 4𝑞 − 𝑡^2,

where the discriminant 𝐷 is positive. We omit the details of the CM method here. The algorithm is described in [33].

Miyaji et al. construct a method for finding ordinary curves with embedding degree 3, 4 or 6 [27]. Freeman shows a method for finding ordinary curves with embedding degree 10 [14]. The above works are all based on the CM method.


Chapter 3

Secret Sharing Schemes

A secret sharing scheme is composed of a dealer, a set of 𝑛 parties, and a collection 𝐴 of subsets of parties. We call 𝐴 the access structure. The dealer has a secret and distributes shares of the secret to the parties. The scheme ensures two things. First, any subset in 𝐴 can reconstruct the secret from its shares. Second, any subset not in 𝐴 cannot obtain any partial information about the secret. The first property is called correctness and the second is called perfect privacy.

Definition 3.1 (Monotone Access Structure) [5]. Let {𝑃1, 𝑃2, … , 𝑃𝑛} be a set of parties. A collection 𝐴 ⊆ 2^{𝑃1,𝑃2,…,𝑃𝑛} is monotone if 𝐵 ∈ 𝐴 and 𝐵 ⊆ 𝐶 imply 𝐶 ∈ 𝐴. A monotone access structure is a monotone collection 𝐴 of non-empty subsets of {𝑃1, 𝑃2, … , 𝑃𝑛}. The sets in 𝐴 are called the authorized sets, and the sets not in 𝐴 are called the unauthorized sets.

Most well-known secret-sharing schemes are linear. In a linear secret sharing scheme, the secret is an element of a finite field and the generation of shares is done by a linear combination of the secret and some random numbers. In the following, we present two important linear secret sharing schemes.


3.1 Shamir’s Threshold Secret Sharing Scheme

Consider the 𝑡-out-of-𝑛 access structure 𝐴_𝑡 = {𝑆 ⊆ {𝑃1, 𝑃2, … , 𝑃𝑛} : |𝑆| ≥ 𝑡}, where 𝑡 ∈ 𝑁 and 1 ≤ 𝑡 ≤ 𝑛. If a secret sharing scheme's access structure is 𝑡-out-of-𝑛, we call it a threshold secret sharing scheme. Shamir gave an elegant construction based on the well-known fact that 𝑑 points determine a polynomial of degree 𝑑 − 1, where 𝑑 ∈ 𝑁 and 𝑑 ≥ 1 [32].

Suppose the dealer has a secret 𝑠 ∈ 𝐹_𝑞 and wants to share it under the 𝑡-out-of-𝑛 access structure 𝐴_𝑡. The dealer chooses a random polynomial 𝑝(𝑥) of degree 𝑡 − 1 with 𝑝(0) = 𝑠. The share of party 𝑃𝑗 is 𝑝(𝑗).

Any authorized set can reconstruct the secret by Lagrange interpolation.

Theorem 3.2 (Lagrange interpolation). Given 𝑡 distinct points (𝑥𝑖, 𝑦𝑖),


𝑝(5) ≡ 91. If 𝑃1, 𝑃3, and 𝑃4 want to reconstruct the secret, they first compute the Lagrange coefficients:

𝑙1 = (0 − 3)(0 − 4) / ((1 − 3)(1 − 4)) ≡ 2 (mod 101), 𝑙3 = (0 − 1)(0 − 4) / ((3 − 1)(3 − 4)) ≡ 99 (mod 101), and 𝑙4 = (0 − 1)(0 − 3) / ((4 − 1)(4 − 3)) ≡ 1 (mod 101).

Then they get 𝑠 by computing ∑ 𝑦𝑖𝑙𝑖 = 87 × 2 + 98 × 99 + 21 × 1 = 9897 ≡ 100 (mod 101).

Shamir's secret sharing scheme is a key technique in many attribute-based encryption schemes [16, 31]. In [16], Goyal et al. construct an access tree based on Shamir's secret sharing scheme. We discuss their construction in Chapter 4.

3.2 Monotone Span Program Construction

Definition 3.3 (Monotone Span Program) [20]. A monotone span program (MSP) is a quadruple ℳ = (𝐹, 𝑀, 𝜋, 𝑒), where 𝐹 is a field and 𝑀 is an 𝑟 × 𝑐 matrix over 𝐹. 𝜋: {1, … , 𝑟} → {𝑃1, … , 𝑃𝑛} maps each row of 𝑀 to a party, and 𝑒 = (1, 0, 0, … ) ∈ 𝐹^𝑐 is called the target vector. The size of ℳ is the number 𝑟 of rows and is denoted 𝑠𝑖𝑧𝑒(ℳ). For a set 𝐵 of parties, 𝑀_𝐵 denotes the restriction of 𝑀 to the rows labeled by parties in 𝐵. We say that 𝑀 accepts 𝐵 if the rows of 𝑀_𝐵 span the vector 𝑒. We say that 𝑀 accepts an access structure 𝐴 if 𝑀 accepts a set 𝐵 if and only if 𝐵 ∈ 𝐴.

We now describe how to use the MSP to construct a secret sharing scheme [5].

First we have an MSP ℳ = (𝐹, 𝑀, 𝜋, 𝑒) corresponding to an access structure 𝐴. Then we consider the column vector 𝑣 = (𝑠, 𝑟2, … , 𝑟𝑐), where 𝑠 is the secret and 𝑟2, … , 𝑟𝑐 are chosen at random, and compute 𝑀𝑣. 𝑀𝑣 is the vector of 𝑟 shares according to ℳ; the share (𝑀𝑣)𝑖 belongs to the party 𝜋(𝑖).

[…] 𝑃3 wants to reconstruct the secret, they first apply Gauss-Jordan elimination to the following matrix: […]

[…] boolean formula directly. For example, consider the following MSP matrix:


    ( 1   1   1   0 )
    ( 0  −1   0   0 )
    ( 0   0  −1   0 )
    ( 1   0   0   1 )
    ( 1   0   0   2 )
    ( 1   0   0   3 )

We set 𝜋(𝑖) = 𝑃𝑖 for all 𝑖 ≤ 6, 𝑖 ∈ 𝑁. The MSP describes the boolean formula (𝑃1 𝐴𝑁𝐷 𝑃2 𝐴𝑁𝐷 𝑃3) 𝑂𝑅 2 𝑂𝐹 (𝑃4, 𝑃5, 𝑃6). We can verify this by checking whether the rows corresponding to a set of parties span (1, 0, 0, 0).

Although an MSP can describe a boolean formula, the conversion from a boolean formula to an MSP is not trivial. In Chapter 5, we give an algorithm that converts any monotone boolean formula to an MSP.
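As an added example (not code from this thesis or from [5]), the following Python implements the MSP-based linear secret sharing scheme of this section for the six-row matrix above: the dealer computes 𝑀𝑣 for 𝑣 = (𝑠, 𝑟2, … , 𝑟𝑐), and a set 𝐵 of parties reconstructs by finding coefficients 𝑐 with 𝑐·𝑀_𝐵 = 𝑒 through Gauss-Jordan elimination and summing 𝑐𝑖·(𝑀𝑣)𝑖. The field 𝐹_101, the secret and the random values are constructed for the example; the recombination vector computed here is the same quantity a CP-ABE decryptor derives from the ciphertext's MSP in Section 4.3.

```python
# Added example: linear secret sharing from a monotone span program (MSP),
# computed over the small constructed prime field F_101 (any prime field works).
import secrets

Q = 101

# The six-row MSP matrix from the text, with pi(i) = P_i, describing
# (P1 AND P2 AND P3) OR 2 OF (P4, P5, P6); the target vector is e = (1, 0, 0, 0).
M = [
    [1,  1,  1, 0],
    [0, -1,  0, 0],
    [0,  0, -1, 0],
    [1,  0,  0, 1],
    [1,  0,  0, 2],
    [1,  0,  0, 3],
]
PI = {0: "P1", 1: "P2", 2: "P3", 3: "P4", 4: "P5", 5: "P6"}


def solve_mod(A, b, q):
    """Solve A x = b over F_q by Gauss-Jordan elimination.
    Returns one solution (free variables set to 0) or None if the system is inconsistent."""
    rows, cols = len(A), len(A[0])
    aug = [[a % q for a in row] + [bi % q] for row, bi in zip(A, b)]
    pivots = []  # (row, column) of each pivot found
    r = 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, q)
        aug[r] = [x * inv % q for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % q for x, y in zip(aug[i], aug[r])]
        pivots.append((r, c))
        r += 1
        if r == rows:
            break
    # Remaining rows are all-zero on the left; a nonzero right-hand side means no solution.
    if any(aug[i][cols] for i in range(r, rows)):
        return None
    x = [0] * cols
    for i, c in pivots:
        x[c] = aug[i][cols]
    return x


def msp_share(M, secret, q, randoms=None):
    """Dealer: v = (s, r_2, ..., r_c); share i is (M v)_i and belongs to party pi(i)."""
    c = len(M[0])
    if randoms is None:
        randoms = [secrets.randbelow(q) for _ in range(c - 1)]
    v = [secret % q] + list(randoms)
    return [sum(m * x for m, x in zip(row, v)) % q for row in M]


def recombination_vector(M, pi, parties, q):
    """Coefficients c_i (keyed by row index) with sum_i c_i * M[i] = e over the rows owned
    by `parties`, or None if those rows do not span e (the set is unauthorized)."""
    rows = [i for i in range(len(M)) if pi[i] in parties]
    if not rows:
        return None
    # The unknown is c; written as a linear system it is (M_B)^T c = e^T.
    A = [[M[i][col] for i in rows] for col in range(len(M[0]))]
    e = [1] + [0] * (len(M[0]) - 1)
    sol = solve_mod(A, e, q)
    return None if sol is None else dict(zip(rows, sol))


def accepts(M, pi, parties, q):
    """True iff the MSP accepts this set of parties."""
    return recombination_vector(M, pi, parties, q) is not None


def msp_reconstruct(M, pi, shares, parties, q):
    """Authorized parties recover s = sum_i c_i * share_i; unauthorized sets raise."""
    vec = recombination_vector(M, pi, parties, q)
    if vec is None:
        raise ValueError("unauthorized set: its rows do not span the target vector")
    return sum(c * shares[i] for i, c in vec.items()) % q
```

With the constructed randomness (5, 9, 13) and secret 77, the shares are (91, 96, 92, 90, 2, 15); {𝑃1, 𝑃2, 𝑃3} recombines with (1, 1, 1) and {𝑃4, 𝑃5} with (2, −1), while {𝑃1, 𝑃2, 𝑃4} gets no solution, matching the formula the matrix encodes.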


Chapter 4

Attribute-Based Encryption

In this chapter, we review the variants of attribute-based encryption (ABE) in recent research.

4.1 Threshold ABE

In a threshold ABE scheme [31], the authority publishes the set 𝑈 of attributes it controls and a set of public keys 𝑃𝐾 in which each public key corresponds to an attribute. The authority also fixes the threshold 𝑡 ∈ 𝑁. The encryptor chooses a subset 𝜔 ⊆ 𝑈 and encrypts the plaintext 𝑀 under the corresponding public keys. The decryptor receives from the authority private keys corresponding to a subset 𝜔′ ⊆ 𝑈. If |𝜔 ∩ 𝜔′| ≥ 𝑡, the ciphertext can be decrypted.

We now discuss their construction in detail and the relationship between Shamir's secret sharing scheme and threshold ABE.

Setup. First, the authority chooses a symmetric pairing 𝑒: 𝐺1 × 𝐺1 → 𝐺𝑇. The order of 𝐺1 is a prime 𝑟 and 𝑔 is a generator of 𝐺1.

Next, the authority decides the set 𝑈 of attributes. Each attribute is labeled from 1 to |𝑈| and the number is used to index the attributes. The authority then chooses 𝑡1, … , 𝑡|𝑈| uniformly at random from 𝑍𝑟 and chooses 𝑦 uniformly at random from 𝑍𝑟.

Finally, the public parameters are:

𝑇1 = 𝑡1𝑔, … , 𝑇|𝑈| = 𝑡|𝑈|𝑔, 𝑌 = 𝑒(𝑔, 𝑔)^𝑦.

Each 𝑇𝑖 represents an attribute's public key and each 𝑡𝑖 represents an attribute's secret key. The authority keeps 𝑡1, … , 𝑡|𝑈|, 𝑦 secret.

Encryption. If Alice wants to encrypt a message 𝑀 ∈ 𝐺𝑇 under attribute set 𝜔 ⊆ 𝑈, she first chooses a random 𝑠 ∈ 𝑍𝑟. The ciphertext is

𝐸 = (𝜔, 𝑀𝑌^𝑠, (𝑠𝑇𝑖)_{𝑖∈𝜔}).

Key Generation. If Bob applies for private keys for his attribute set 𝜔′ ⊆ 𝑈, the authority first chooses a polynomial 𝑝 of degree 𝑡 − 1 with 𝑝(0) = 𝑦 and computes 𝑝(𝑗) for all 𝑗 ∈ 𝜔′. The private key consists of

(𝐷𝑗)_{𝑗∈𝜔′} = (𝑝(𝑗) / 𝑡𝑗) 𝑔 for all 𝑗 ∈ 𝜔′.

We note that this procedure is similar to Shamir's threshold secret sharing scheme as described in Section 3.1. The difference is that each share is bound to an attribute rather than a party, and each share is represented as an element of 𝐺1.

Decryption. Suppose Bob wants to decrypt Alice's ciphertext 𝐸 = (𝜔, 𝑀𝑌^𝑠, (𝑠𝑇𝑖)_{𝑖∈𝜔}) with his private keys associated with 𝜔′ ⊆ 𝑈. Suppose that 𝑆 = 𝜔 ∩ 𝜔′ and |𝑆| ≥ 𝑡. In the view of secret sharing, this means Bob holds an authorized set, so Bob is able to decrypt the ciphertext.

He first chooses an arbitrary subset 𝑆′ ⊆ 𝑆 with |𝑆′| = 𝑡 and computes

Different users cannot collude to decrypt a ciphertext that neither of them can decrypt alone. In this scheme, collusion is prevented because each user's private keys correspond to a different polynomial. For example, suppose Eve has private keys for attribute set 𝑠 = {1, 2} and Alice has private keys for attribute set 𝑠′ = {3}, and there is a ciphertext associated with attribute set 𝜔 = {1, 2, 3} with threshold 𝑡 = 3. Even if Eve steals Alice's private keys, she cannot decrypt the ciphertext, because Alice's keys are bound to a polynomial different from Eve's. Therefore she cannot interpolate the secret 𝑒(𝑔, 𝑔)^{𝑠𝑦}.

4.2 Key-Policy ABE

In a key-policy ABE (KP-ABE) [16] scheme, each ciphertext is associated with a set of attributes and each private key is associated with an access formula. The access formula describes which type of ciphertexts the key can decrypt.

For example, an online video stream may be encrypted with the attributes "NBA", "Season2012", and "Playoffs". If Alice receives her private key for the access formula "NBA" AND "Season2012" AND "Regular Season", then Alice can only watch the regular season games of NBA 2012 but not the playoffs.

Therefore she cannot decrypt the encrypted stream. On the other hand, if Bob receives his private key for the access formula "NBA" AND "Season2012", then Bob can watch all NBA games in 2012, regular season or playoffs.

Goyal et al. (GPSW) construct the scheme based on the access tree technique. Given an access formula, we can easily construct an access tree that represents it. Every non-leaf node of the tree represents a 𝑡-out-of-𝑛 threshold gate. We note that when 𝑡 = 1 and 𝑛 = 2, the threshold gate is an OR gate, and when 𝑡 = 2 and 𝑛 = 2, the threshold gate is an AND gate. Each leaf node 𝑥 of the tree represents an attribute. We define the function 𝑝𝑎𝑟𝑒𝑛𝑡(𝑥) as returning the parent of the node 𝑥. The function 𝑎𝑡𝑡𝑟(𝑥) is defined only if 𝑥 is a leaf node and returns the attribute the leaf node represents.

We also define an ordering between the children of every node, i.e., the children of a node are numbered from 1 to 𝑛 . Therefore, the function 𝑖𝑛𝑑𝑒𝑥(𝑥) is defined as returning the number associated with the node 𝑥.

Figure 4.1 is an example of an access tree 𝑇. In this example, 𝑇 describes the access formula (𝐴1 𝑂𝑅 𝐴2) 𝐴𝑁𝐷 2 𝑂𝐹 (𝐴3, 𝐴4, 𝐴5). The access formula and the access tree can easily be transformed into each other. The access structure is { (𝐴1, 𝐴3, 𝐴4), (𝐴1, 𝐴3, 𝐴5), (𝐴1, 𝐴4, 𝐴5), (𝐴2, 𝐴3, 𝐴4), (𝐴2, 𝐴3, 𝐴5), (𝐴2, 𝐴4, 𝐴5), (𝐴1, 𝐴2, 𝐴3, 𝐴4), (𝐴1, 𝐴2, 𝐴3, 𝐴5), (𝐴1, 𝐴2, 𝐴4, 𝐴5), (𝐴1, 𝐴3, 𝐴4, 𝐴5), (𝐴2, 𝐴3, 𝐴4, 𝐴5), (𝐴1, 𝐴2, 𝐴3, 𝐴4, 𝐴5) }.


We now give the GPSW construction.

Setup. First, the authority chooses a symmetric pairing 𝑒: 𝐺1 × 𝐺1 → 𝐺𝑇. The order of 𝐺1 is a prime 𝑟 and 𝑔 is a generator of 𝐺1.

Next, the authority decides the set 𝑈 of attributes. Each attribute is a string, labeled from 1 to |𝑈|, and the number is used to index the attributes. The authority then chooses 𝑡1, … , 𝑡|𝑈| uniformly at random from 𝑍𝑟 and chooses 𝑦 uniformly at random from 𝑍𝑟.

Finally, the public parameters are:

𝑇1 = 𝑡1𝑔, … , 𝑇|𝑈| = 𝑡|𝑈|𝑔, 𝑌 = 𝑒(𝑔, 𝑔)𝑦.

The authority keeps 𝑡1, … , 𝑡|𝑈|, 𝑦 secret.

Encryption. If Alice wants to encrypt a message 𝑀 ∈ 𝐺𝑇 under attribute set 𝜔 ⊆ 𝑈, she first chooses a random 𝑠 ∈ 𝑍𝑟. The ciphertext is

𝐸 = (𝜔, 𝑀𝑌^𝑠, (𝑠𝑇𝑖)_{𝑖∈𝜔}).

[Figure 4.1: the root is an AND gate (2 of 2). Its first child is an OR gate (1 of 2) with leaves 𝐴1 (index 1) and 𝐴2 (index 2); its second child is a 2 OF 3 gate with leaves 𝐴3, 𝐴4, 𝐴5 (indices 1, 2, 3).]

Figure 4.1: An example of access tree

Key Generation. If Bob applies for private keys for his access formula, the authority first converts the formula to an access tree 𝑇.

Then for each node 𝑥 in the tree 𝑇, the authority chooses a random polynomial 𝑝𝑥 whose degree 𝑑𝑥 is 𝑡 − 1, where 𝑡 is the threshold of the gate at 𝑥. For the root node 𝑘, the authority sets 𝑝𝑘(0) = 𝑦, and for any other node 𝑥 he sets 𝑝𝑥(0) = 𝑝_{𝑝𝑎𝑟𝑒𝑛𝑡(𝑥)}(𝑖𝑛𝑑𝑒𝑥(𝑥)).

Finally, for each leaf node 𝑥, the authority gives the following private key to Bob:

𝐷𝑥 = (𝑝𝑥(0) / 𝑡𝑗) 𝑔, where 𝑗 = 𝑎𝑡𝑡𝑟(𝑥).

Decryption. Suppose Bob wants to decrypt Alice's ciphertext 𝐸 = (𝜔, 𝑀𝑌^𝑠, (𝑠𝑇𝑖)_{𝑖∈𝜔}) with his private key associated with access tree 𝑇, and that 𝜔 satisfies the access tree 𝑇, so Bob is able to decrypt the ciphertext. For each leaf node 𝑥 with 𝑎𝑡𝑡𝑟(𝑥) = 𝑖 ∈ 𝜔, he computes

𝑒(𝐷𝑥, 𝑠𝑇𝑖) = 𝑒((𝑝𝑥(0) / 𝑡𝑖) 𝑔, 𝑠𝑡𝑖𝑔) = 𝑒(𝑔, 𝑔)^{𝑠𝑝𝑥(0)}.

Because 𝑝𝑥(0) = 𝑝_{𝑝𝑎𝑟𝑒𝑛𝑡(𝑥)}(𝑖𝑛𝑑𝑒𝑥(𝑥)), Bob can interpolate 𝑒(𝑔, 𝑔)^{𝑠𝑝_{𝑝𝑎𝑟𝑒𝑛𝑡(𝑥)}(0)} from the values obtained at the children of 𝑝𝑎𝑟𝑒𝑛𝑡(𝑥), using the Lagrange coefficients as exponents. Bob repeats this until he reaches the root node 𝑘. Therefore 𝑒(𝑔, 𝑔)^{𝑠𝑝𝑘(0)} = 𝑒(𝑔, 𝑔)^{𝑠𝑦} is computed and he gets 𝑀𝑌^𝑠 / 𝑒(𝑔, 𝑔)^{𝑠𝑦} = 𝑀.
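As an added example (not code from this thesis or from GPSW), the following Python carries out the access-tree key-generation and decryption procedures just described over 𝑍_𝑞 only: 𝑝𝑥(0) is set at the root, each child with index 𝑖 receives 𝑝𝑥(𝑖), and a satisfying attribute set interpolates its way back to the root. The real scheme places 𝑝𝑥(0)/𝑡𝑗 in the exponent of 𝑔 and interpolates in 𝐺𝑇; here the arithmetic stays in the field so the values can be checked. The one-gate tree reproduces the Shamir example of Section 3.1 (the dealer polynomial 100 + 65𝑥 + 23𝑥^2 over 𝐹_101 is assumed here; it is consistent with the shares 87, 98, 21, 91 given there), the Figure 4.1 tree reproduces the access structure listed above, and `collusion_attempt` shows the Section 4.1 argument that keys from two different polynomials interpolate to garbage. The prime 101, the attribute names and the fixed random values are constructed for the example.

```python
# Added example: access-tree secret sharing as used by GPSW key generation and
# decryption, computed over the constructed field Z_101 (q stands in for the group order r).
import secrets
from itertools import combinations

Q = 101


class Node:
    """A t-out-of-n threshold gate with ordered children 1..n, or a leaf carrying an attribute."""
    def __init__(self, threshold=None, children=(), attr=None):
        self.t, self.children, self.attr = threshold, list(children), attr


def lagrange_at_zero(xs, q):
    """Lagrange coefficients l_i such that p(0) = sum(y_i * l_i) for points at xs."""
    coeffs = []
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num, den = num * (-xj) % q, den * (xi - xj) % q
        coeffs.append(num * pow(den, -1, q) % q)
    return coeffs


def distribute(node, value, q, rng=None):
    """Key generation: p_x(0) = value; the child with index i receives p_x(i).
    Returns {attribute: p_leaf(0)} for every leaf (the real scheme exponentiates these)."""
    if node.attr is not None:
        return {node.attr: value % q}
    rng = rng or (lambda: secrets.randbelow(q))
    poly = [value % q] + [rng() for _ in range(node.t - 1)]  # degree t - 1
    leaves = {}
    for index, child in enumerate(node.children, start=1):
        p_at_index = sum(c * pow(index, k, q) for k, c in enumerate(poly)) % q
        leaves.update(distribute(child, p_at_index, q, rng))
    return leaves


def recover(node, leaf_values, attrs, q):
    """Decryption: returns p_x(0) if `attrs` satisfies the subtree rooted at x, else None."""
    if node.attr is not None:
        return leaf_values.get(node.attr) if node.attr in attrs else None
    points = []
    for index, child in enumerate(node.children, start=1):
        val = recover(child, leaf_values, attrs, q)
        if val is not None:
            points.append((index, val))
    if len(points) < node.t:
        return None
    points = points[:node.t]  # any t satisfied children suffice
    ls = lagrange_at_zero([x for x, _ in points], q)
    return sum(y * l for (_, y), l in zip(points, ls)) % q


def satisfying_sets(tree, universe, q):
    """Enumerate the access structure by testing every non-empty attribute subset."""
    leaf_values = distribute(tree, 1, q)
    return [c for k in range(1, len(universe) + 1) for c in combinations(universe, k)
            if recover(tree, leaf_values, set(c), q) is not None]


def fixed_rng(values):
    """Deterministic stand-in for the random coefficients (constructed for testing)."""
    it = iter(values)
    return lambda: next(it)


def collusion_attempt(tree, attrs_user1, attrs_user2, y, q, rng1=None, rng2=None):
    """Two users receive keys from independent polynomials with the same p_root(0) = y.
    Pooling their leaf values and interpolating yields a value unrelated to y."""
    keys1 = distribute(tree, y, q, rng1)
    keys2 = distribute(tree, y, q, rng2)
    pooled = {a: keys1[a] for a in attrs_user1}
    pooled.update({a: keys2[a] for a in attrs_user2})
    return recover(tree, pooled, set(pooled), q)


# Shamir's 3-out-of-5 scheme of Section 3.1 is the tree with a single threshold gate.
SHAMIR_3_OF_5 = Node(3, [Node(attr=f"P{i}") for i in range(1, 6)])
# The tree of Figure 4.1: (A1 OR A2) AND 2 OF (A3, A4, A5).
FIGURE_4_1 = Node(2, [Node(1, [Node(attr="A1"), Node(attr="A2")]),
                      Node(2, [Node(attr="A3"), Node(attr="A4"), Node(attr="A5")])])
```

With the assumed polynomial (coefficients 65, 23) and 𝑦 = 100, `distribute(SHAMIR_3_OF_5, ...)` yields the shares 87, 19, 98, 21, 91 and {𝑃1, 𝑃3, 𝑃4} recovers 100 with the coefficients 2, 99, 1 of Section 3.1; `satisfying_sets(FIGURE_4_1, ...)` returns exactly the twelve sets listed for Figure 4.1; and pooling Eve's shares at 1, 2 with Alice's share at 3 from a second polynomial (coefficients 7, 11) interpolates to 20 rather than 100.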

We can view threshold ABE as a special case of KP-ABE, because in a threshold ABE scheme the private key is associated with an access tree having just one threshold gate.

We also note that the access tree can be replaced with an MSP. If an MSP is used, we only need to apply Gauss-Jordan elimination once rather than interpolate polynomials multiple times. Therefore, in subsequent research [23, 34], the MSP is used in place of the access tree.

4.3 Ciphertext-Policy ABE

The concept of ciphertext-policy ABE (CP-ABE) is introduced in [16] and Bethencourt et al. (BSW) give the first construction [6]. The roles of ciphertexts and keys are reversed. Each ciphertext is associated with an access formula and each private key is associated with a set of attributes.

For example, a job posting may be encrypted under the access formula "master degree" AND "two years' work experience". Suppose Alice has two private keys, one for the attribute "master degree" and the other for the attribute "two years' work experience". Therefore Alice can decrypt the job posting.

The security of the BSW construction is argued in the generic group model.

Subsequently, Waters [34] proposed ciphertext-policy ABE constructions in the standard model. We now give Waters' construction.

Setup. First, the authority chooses a symmetric pairing 𝑒: 𝐺1 × 𝐺1 → 𝐺𝑇. The order of 𝐺1 is a prime 𝑟 and 𝑔 is a generator of 𝐺1. Next, the authority decides the set 𝑈 of attributes. Each attribute is a string, labeled from 1 to |𝑈|, and the number is used to index the attributes. The authority then chooses ℎ1, … , ℎ|𝑈| uniformly at random from 𝐺1. In addition, he chooses random exponents 𝛼, 𝑎 ∈ 𝑍𝑟.


Finally, the public parameters are:

ℎ1, … , ℎ|𝑈|, 𝑔, 𝑒(𝑔, 𝑔)^𝛼, 𝑎𝑔.

The authority keeps 𝛼𝑔 secret.

Encryption. If Alice wants to encrypt a message 𝑀 ∈ 𝐺𝑇 under an access formula, she first converts the access formula to an MSP ℳ. Assume that the MSP matrix 𝑁 of ℳ is an 𝑛 × 𝑐 matrix and that 𝜋 maps its rows to attributes.

She then chooses a random 𝑠 ∈ 𝑍𝑟 and computes the shares of 𝑠 using the MSP ℳ. The shares of 𝑠 are {𝜆1, 𝜆2, … , 𝜆𝑛}. In addition, she chooses 𝑛 random numbers {𝑟1, 𝑟2, … , 𝑟𝑛}, each 𝑟𝑖 ∈ 𝑍𝑟.

For each pair (𝜆𝑖, 𝑟𝑖), Alice computes 𝐶1,𝑖 = 𝜆𝑖(𝑎𝑔) + (−𝑟𝑖 ℎ_𝜋(𝑖)) and 𝐶2,𝑖 = 𝑟𝑖𝑔. We note that 𝑎𝑔 and ℎ_𝜋(𝑖) are public keys.

Finally, the ciphertext is:

𝐶 = {𝐶0 = 𝑀𝑒(𝑔, 𝑔)^{𝛼𝑠}, 𝐶 = 𝑠𝑔, {𝐶1,𝑖, 𝐶2,𝑖 ∀𝑖}, ℳ}.

Key Generation. If Bob applies for private keys for his attribute set 𝜔 ⊆ 𝑈, the authority first chooses a random 𝑡 ∈ 𝑍𝑟 and creates the private key

{𝐾 = 𝛼𝑔 + 𝑎𝑡𝑔, 𝐿 = 𝑡𝑔, {𝐾𝑗 = 𝑡ℎ𝑗} ∀ 𝑗 ∈ 𝜔}.

Decryption. Suppose Bob has enough private keys to decrypt 𝐶, that is, he has the private keys {𝐾_𝜋(𝑖)} for a subset of rows 𝑁𝑖 of 𝑁 that spans (1, 0, … , 0). Recall that the 𝜆𝑖's are shares of the secret 𝑠.

Therefore, Bob can compute coefficients 𝑐𝑖 ∈ 𝑍𝑟 by Gauss-Jordan elimination such that ∑ 𝑐𝑖𝜆𝑖 = 𝑠. Bob first computes:

𝑒(𝐶, 𝐾) / ∏_𝑖 (𝑒(𝐶1,𝑖, 𝐿) 𝑒(𝐶2,𝑖, 𝐾_𝜋(𝑖)))^{𝑐𝑖} = 𝑒(𝑔, 𝑔)^{𝛼𝑠} 𝑒(𝑔, 𝑔)^{𝑎𝑠𝑡} / ∏_𝑖 (𝑒(𝑔, 𝑔)^{𝑡𝑎𝜆𝑖})^{𝑐𝑖} = 𝑒(𝑔, 𝑔)^{𝛼𝑠}.

Then the plaintext 𝑀 is obtained as 𝑀 = 𝐶0 / 𝑒(𝑔, 𝑔)^{𝛼𝑠}.

In a CP-ABE scheme, the key technique for preventing collusion attacks is that each user's private keys are bound to a random exponent 𝑡, so different users cannot collude. This differs from the threshold ABE scheme, where collusion is prevented because each user's key is bound to different random numbers in the linear secret sharing scheme, so each user actually solves a different secret sharing problem. In the CP-ABE scheme, the random numbers of the secret sharing scheme are chosen by the encryptor and bound to the ciphertext, so every user tries to solve the same secret sharing problem. Therefore we must choose another random number 𝑡 to "personalize" the private keys.

4.4 Dual-Policy ABE

Dual-policy ABE (DP-ABE) conjunctively combines KP-ABE with CP-ABE. The ciphertext is associated with an access formula and a set of attributes simultaneously. The private key is also associated with an access formula and a set of attributes. Decryption is possible if and only if the ciphertext's attributes satisfy the private key's access formula and the private key's attributes satisfy the ciphertext's access formula at the same time.


The trivial construction is that we encrypt the plaintext twice. First we encrypt the plaintext using CP-ABE, and then we encrypt the previous result again using KP-ABE. The decryption is also two-step. First we decrypt the ciphertext under KP-ABE private keys, and then we decrypt again under CP-ABE private keys.

Attrapadung et al. [3] proposed a non-trivial DP-ABE construction. Their construction combines [16] with [34]. In their construction, the encryption and the decryption can be done in one step.

4.5 ABE with Multiple Authorities

The schemes of [16, 28, 31, 34] are all single-authority constructions. However, in the real world there are many authorities, each controlling its own attributes. For example, two universities may have a joint research project, but neither wants a third party to be responsible for their attributes and to issue private keys for them; they want to control their attributes themselves. Therefore they need a multi-authority scheme.

Chase [11] presents a KP-ABE scheme with multiple authorities. In Chase's scheme, global identifiers (GIDs) are introduced and every user is bound to a unique GID. The GID is used to "link" private keys from different authorities together. There is also a central authority (CA) in Chase's scheme. The CA is responsible for choosing the system master key and for controlling all the other authorities' secret keys. Therefore, in Chase's system, we still need to trust a single authority. In addition, the number of authorities is fixed in the CA's setup procedure: after the CA's setup, no more authorities can join the system.

Moreover, her system can only express a conjunctive access formula across the set of authorities. That is, the access tree of Chase's scheme looks like Figure 4.2. Each subtree represents an authority's access tree. Decryption is permitted if and only if all subtrees are satisfied. We also note that an authority's attributes can only appear in its own subtree.

Figure 4.2: An example of access tree in Chase’s scheme

Chase and Chow [12] modified the above construction. They remove the CA by using distributed pseudo-random functions, but the restriction on expressiveness and the pre-determined set of authorities remain.

Lewko and Waters (LW) [23] propose a multi-authority CP-ABE scheme. Their system does not require any CA. In addition, any party can become an authority after the system's setup. Moreover, the plaintext can be encrypted under any monotone boolean formula over attributes.

The LW construction requires global identifiers (GIDs), as [11] suggested. We show our implementation of the LW scheme in Chapter 5.

[Figure 4.2 layout: an AND gate at the root with one subtree per authority.]


Chapter 5

Implementation and Applications

In this chapter, we first discuss our implementation of CP-ABE with multiple authorities. Next we give an algorithm that can convert an access formula to an MSP. Finally we discuss many applications of CP-ABE with multiple authorities.

5.1 Implementation of CP-ABE with Multiple Authorities

The implementation is based on the scheme described in [23]. We first discuss the library we use, then describe the algorithms of the scheme in detail, and finally give the experimental results.

5.1.1 The Pairing-based Cryptography Library

The pairing-based cryptography (PBC) library [25] is an open source library that is released under the GNU Lesser General Public License. The PBC library is written in C and provides routines such as elliptic curve generation, elliptic curve arithmetic and pairing computation. Many projects are based on the PBC library, such as [1, 2, 28].


We have tested the speed of the PBC library. We performed our experiments on a 2.4 GHz Intel Xeon E5620 processor running Ubuntu 11.10. The security level we choose is 128-bit. Table 5.1 is the key size comparison under different security levels [36].

Table 5.1: NIST recommended key sizes (bits)

There are seven types of pairings defined in the PBC library. The seven types are type A, type B, type C, type D, type E, type F and type G. Type A, type B and Type C are supersingular curves. Type D, type E, type F and type G are based on the complex multiplication (CM) method. However, type B and type C are not implemented yet.

Type A pairings are constructed on the curve 𝐸: 𝑦^2 = 𝑥^3 + 𝑥 over 𝐹_𝑞, where 𝑞 is a prime and 𝑞 ≡ 3 (mod 4). 𝐸 is a supersingular curve, so this pairing is a symmetric pairing 𝑒: 𝐺1 × 𝐺1 → 𝐺𝑇. 𝐺𝑇 is a subgroup of 𝐹_{𝑞^2} because the embedding degree is 2. Therefore we choose the group order 𝑟 to be 256 bits long and 𝑞 to be 1536 bits long, because 𝑞^2 must be 3072 bits long to achieve the same security level as a 256-bit elliptic curve group.

Type D pairings are constructed on MNT curves of embedding degree 6 [27]. This pairing is an asymmetric pairing 𝑒: 𝐺1 × 𝐺2 → 𝐺𝑇. 𝐺𝑇 is a subgroup of 𝐹_{𝑞^6} because the embedding degree is 6. For a given discriminant in the CM equation, the bit lengths of 𝑞 and 𝑟 are determined.


Therefore we choose two suitable type D pairings. For one, the discriminant is 31387, 𝑞 is 522 bits long and 𝑟 is 514 bits long. For the other, the discriminant is 873867, 𝑞 is 486 bits long and 𝑟 is 442 bits long.

Type E pairings are constructed on curves of embedding degree 1 [21]. The pairing is a symmetric pairing 𝑒: 𝐺1 × 𝐺1 → 𝐺𝑇. 𝐺𝑇 is a subgroup of 𝐹_𝑞 because the embedding degree is 1. Therefore we choose the group order 𝑟 to be 256 bits long and 𝑞 to be 3072 bits long, because 𝑞 must be 3072 bits long to achieve the same security level as a 256-bit elliptic curve group.

Type F pairings are constructed on curves of embedding degree 12 [4]. This pairing is an asymmetric pairing 𝑒: 𝐺1 × 𝐺2 → 𝐺𝑇. 𝐺𝑇 is a subgroup of 𝐹_{𝑞^12} because the embedding degree is 12. Therefore we choose the group order 𝑟 to be 256 bits long and 𝑞 to be 256 bits long.

Type G pairings are constructed on the curves of embedding degree 10 suggested by Freeman [14]. For a given discriminant in the CM equation, the bit lengths of 𝑞 and 𝑟 are determined. Therefore we choose one suitable type G pairing: the discriminant is 35707, 𝑞 is 301 bits long and 𝑟 is 279 bits long. Table 5.2 is a comparison of the pairings in the PBC library.


Table 5.2: Pairings in the PBC library


Table 5.3: Comparison of speed of different pairings

For each type, we choose 10 random inputs to the pairing function and compute the average time. We also choose 100 random elements of G1, G2 and G3 for each type and compute the average time of an addition or a multiplication. The results of our test are shown in Table 5.3. We note that our encryption scheme needs a symmetric pairing. Therefore, in our implementation, we choose the type A pairing, because the type E pairing is the

