An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data
Chuang Wang (a, b) and Wensheng Zhang (a)
(a) Department of Computer Science, Iowa State University
(b) Symantec Corporation

Background: Data Outsourcing
[Figure labels: author, encrypt, remote un-trusted data storage server, decrypt, authorized users]

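ABE (Attribute-based Encryption)
• A user retrieves the data, derives the key based on secrets associated with his attributes, and decrypts.
[Figure: access structure tree with OR and AND gates over “PrivacyGrp@Symantec”, “Computer Science” and “ISU”; a user labelled “Graduate student @cs.iastate” retrieves and decrypts; a second retrieve/decrypt path is marked X]
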
Accountability?
• What if the secret doc is found exposed?
• A trusted third-party authority should be able to find out who has accessed the data (accountability/traceability).
• Meanwhile, the anonymity of users should be kept from entities other than the authority (including the un-trusted storage server).
[Figure: access structure tree with OR and AND gates over “Privacy@Symantec”, “Computer Science” and “ISU”]

Group Signature Scheme
• A user i's personalized private key: $gsk_i$
• Group public key: $gpk$
• Signing a message $m$: $\sigma_m = \mathrm{sign}(gpk, gsk_i, m)$
• $\mathrm{Verify}(gpk, \sigma_m) = 1$? Record $\sigma_m$. (Authority is able to trace the signature to user i.)
[Figure: access structure tree with OR and AND gates over “Privacy@Symantec”, “Computer Science” and “ISU”, defining the authorized users]

Group Signature Scheme: Problem
• Each user i holds a personalized private key ($gsk_i$); the group has a group public key ($gpk$).
• Access structures may be defined on the fly (when a document is outsourced).
• The groups of users satisfying the access structures are formed dynamically.
• Significant communication overhead may be needed to set up private keys for the members of dynamic groups.
[Figure: access structure tree with OR and AND gates over “Privacy@Symantec”, “Computer Science” and “ISU”, defining the authorized users]

Our Proposal: Ad Hoc Group Signature (AdHocSign) – Design Goals
Objective: ad hoc group signature scheme.
Design Requirements
• User anonymity: A successfully verified user could be any one of the authorized users.
  - Ex: Access Structure = “a AND b”; a successfully verified user could be anyone owning attributes a and b.
  - Ex: Access Structure = “(a AND b) OR c”; a successfully verified user could be anyone owning attributes a and b, or anyone owning c, and the server and other users cannot know which of the two cases occurs.
• Traceability: The authority is able to trace a signature to a user.

Our Proposal: Ad Hoc Group Signature (AdHocSign) – Design Goals
Objective: ad hoc group signature scheme.
Design Requirements
• User anonymity: A successfully verified user could be any one of the authorized users.
• Accountability (traceability): The authority is able to trace a signature to a user.
• Efficiency in communication (for group management): when a new access structure is created, no extra communication for group management (e.g., distributing keys) is required.

Our Proposal: Ad Hoc Group Signature (AdHocSign) – Key Ideas
• When a user joins: he/she is preloaded with key materials for each attribute assigned.
• When a document (and its associated access structure) is posted to the server: the server is given key materials for the access structure (AS).
• If a user's attributes satisfy the AS (Y): the user obtains the user-specific and access-structure-specific private key for group signature.
[Slide labels: Storage Cost, Communication Cost]

Basis: Group Signature [BonehShacham’04]
• Complexity assumptions: q-SDH problem; Decision Linear problem
• System-wide secret: $\zeta$
• Public key (gpk): $g$, $g' = g^{\zeta}$
• User i's private key ($gsk_i$): $x_i$, $A_i = g^{1/(\zeta + x_i)}$
• Bilinear mapping: $e(A_i,\ g' \times g^{x_i}) = e(g, g)$
• Signing: $\mathrm{sign}(gpk, gsk_i, m) \rightarrow \sigma_m$
• Verifying: $\mathrm{verify}(gpk, m, \sigma_m) \rightarrow 1/0$

AdHocSign: Roadmap of the Design
What to do?
• Construct and give appropriate key materials to users and the storage server, such that an authorized user is able to derive his/her private key as in the BS group signature scheme.
How?
• Consider a conjunction-only access structure. Ex: “a AND b”
• Consider a disjunction-only access structure. Ex: “a OR b”
• Consider a general (i.e., conjunction of disjunctions) access structure. Ex: “(a OR b) AND (c OR d)”

AdHocSign for Conjunction-only Access Structures: Intuition
Access structure: T = “a AND b”
Authority
• Secrets: $\zeta$, $\alpha_a$, $\alpha_b$
• Key materials for T: $r_a$, $r_b$
• Public key: $g_T = g^{\alpha_a r_a + \alpha_b r_b}$, $g_T' = g_T^{\zeta}$
Server
• Holds <T = “a AND b”; $r_a$, $r_b$>
User i
• Key materials:
  - for attribute a: $g_{i,a} = g^{\alpha_a/(\zeta + x_i)}$
  - for attribute b: $g_{i,b} = g^{\alpha_b/(\zeta + x_i)}$
  - … …
• Private key: $x_i$, $A_i^T = g_{i,a}^{r_a} \times g_{i,b}^{r_b} = g^{(\alpha_a r_a + \alpha_b r_b)/(\zeta + x_i)}$
• $e(A_i^T,\ g_T' \times g_T^{x_i}) = e(g_T, g_T)$

AdHocSign for Disjunction-only Access Structures: Intuition (1)
Access structure: T = “a OR b”
Authority
• Secrets: $\alpha_a$, $\alpha_b$, $r_T$, $\zeta$
• Key materials: $r_a = r_T/\alpha_a$; $r_b = r_T/\alpha_b$
• Public key: $g_T = g^{r_T}$, $g_T' = g_T^{\zeta}$
Server
• Holds <T = “a OR b”; $r_a$, $r_b$>
User i
• Key materials:
  - for attribute a: $g_{i,a} = g^{\alpha_a/(\zeta + x_i)}$
  - for attribute c: …
  - … …
• Private key: $x_i$, $A_i^T = g_{i,a}^{r_a} = g^{r_T/(\zeta + x_i)}$
• $e(A_i^T,\ g_T' \times g_T^{x_i}) = e(g_T, g_T)$

AdHocSign for Disjunction-only Access Structures: Intuition (2)
Access structure: T = “a OR b”
Authority
• Secrets: $\alpha_a$, $\alpha_b$, $r_T$, $\zeta$
• Key materials: $r_a = r_T/\alpha_a$; $r_b = r_T/\alpha_b$
Server
• Holds and provides <T = “a OR b”; $r_a$, $r_b$>
User i
• Key materials:
  - for attribute a: $g_{i,a} = g^{\alpha_a/(\zeta + x_i)}$
  - … …
Problem: User i can derive $g_{i,b} = g_{i,a}^{r_a/r_b}$, though user i does not own attribute b. Later on, user i can satisfy access structures such as “a AND b” or “b OR x”.

AdHocSign for Disjunction-only Access Structure: Intuition (3)
The authority
• For each attribute a, multiple (instead of a single) secret numbers are picked: $\alpha_{a,1}, \alpha_{a,2}, \ldots, \alpha_{a,N}$
• Each user i who owns attribute a is preloaded with N secrets (key materials): $g_{i,a,1}, g_{i,a,2}, \ldots, g_{i,a,N}$, where $g_{i,a,k} = g^{\alpha_{a,k}/(\zeta + x_i)}$
• Every time a new disjunction-only access structure, e.g., T = “a OR b”, is defined:
  - $r_T$ is selected randomly
  - $r_{T,a} = r_T/\alpha_{a,k_1}$ and $r_{T,b} = r_T/\alpha_{b,k_2}$, where $\alpha_{a,k_1}$ and $\alpha_{b,k_2}$ have not been used before
• A user i with attribute a or b should use $g_{i,a,k_1}$ or $g_{i,b,k_2}$ to derive its private key.

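The problem on slide (2) and the fix on slide (3), worked through as an added example (not code from the slides or the AdHocSign prototype). Assumptions: the order-Q subgroup of Z_P^* stands in for the pairing group, and all numeric values and function names are constructed for illustration.

```python
# Toy stand-in (assumption): the order-Q subgroup of Z_P^* replaces the pairing group.
P, Q, G = 2039, 1019, 4              # constructed toy parameters, P = 2Q + 1
ZETA, X_I = 123, 456                 # authority secret zeta and user i's x_i (constructed)

def inv(x):
    """Inverse of an exponent modulo the group order Q."""
    return pow(x, -1, Q)

def elem(alpha):
    """User i's preloaded element for a secret alpha: g^(alpha/(zeta+x_i))."""
    return pow(G, alpha * inv(ZETA + X_I) % Q, P)

def rescale(g_from, r_from, r_to):
    """Computable from published values alone: g_from^(r_from/r_to)."""
    return pow(g_from, r_from * inv(r_to) % Q, P)

def single_secret_case():
    """One alpha per attribute: T = 'a OR b' lets an a-only user obtain g_{i,b}."""
    alpha_a, alpha_b, r_t = 11, 29, 77
    r_a, r_b = r_t * inv(alpha_a) % Q, r_t * inv(alpha_b) % Q
    return rescale(elem(alpha_a), r_a, r_b) == elem(alpha_b)

def fresh_secret_case():
    """N alphas per attribute, each index used once: the derived element matches
    only the index spent on 'a OR b', not the index a later structure would use."""
    alpha_a = {1: 11, 2: 13}         # alpha_{a,1}, alpha_{a,2}
    alpha_b = {1: 29, 2: 37}         # alpha_{b,1}, alpha_{b,2}
    r_t = 77                         # T1 = "a OR b" spends indices a:1 and b:1
    r_ta, r_tb = r_t * inv(alpha_a[1]) % Q, r_t * inv(alpha_b[1]) % Q
    derived = rescale(elem(alpha_a[1]), r_ta, r_tb)
    spent = derived == elem(alpha_b[1])     # equals g_{i,b,1}, which is never reused
    usable = derived == elem(alpha_b[2])    # a later "a AND b" would need g_{i,b,2}
    return spent, usable
```

With a single secret per attribute the derived element equals $g_{i,b}$ for every future structure; with per-structure indices it equals only the already spent $g_{i,b,k_2}$.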
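AdHocSign for General Access Structures: Intuition
Access structure: T = (a OR b) AND (c OR d), with $r_{T_1}$ assigned to the disjunction (a OR b) and $r_{T_2}$ to (c OR d)
Authority
• Unused secrets selected for the leaves: $\alpha_{a,k_1}$, $\alpha_{b,k_2}$, $\alpha_{c,k_3}$, $\alpha_{d,k_4}$
• Public key: $g_T = g^{r_{T_1} + r_{T_2}}$, $g_T' = g_T^{\zeta}$
Key materials given to server:
• $(a,\ k_1,\ r_{T,a} = r_{T_1}/\alpha_{a,k_1})$
• $(b,\ k_2,\ r_{T,b} = r_{T_1}/\alpha_{b,k_2})$
• $(c,\ k_3,\ r_{T,c} = r_{T_2}/\alpha_{c,k_3})$
• $(d,\ k_4,\ r_{T,d} = r_{T_2}/\alpha_{d,k_4})$
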
AdHocSign for General Access Structures: Intuition
Assume the user owns attributes a and d.
Key materials assigned to user i:
• For attribute a: …, $g_{i,a,k_1} = g^{\alpha_{a,k_1}/(\zeta + x_i)}$, …
• For attribute d: …, $g_{i,d,k_4} = g^{\alpha_{d,k_4}/(\zeta + x_i)}$, …
Key materials provided by server:
• $(a,\ k_1,\ r_{T,a} = r_{T_1}/\alpha_{a,k_1})$
• … …
• $(d,\ k_4,\ r_{T,d} = r_{T_2}/\alpha_{d,k_4})$
Derived by user i: $A_i^T = g_{i,a,k_1}^{r_{T,a}} \times g_{i,d,k_4}^{r_{T,d}} = g^{(r_{T_1} + r_{T_2})/(\zeta + x_i)}$
Private key: $(x_i, A_i^T)$

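The key derivation for the general access structure above, end to end, as an added example (not code from the slides or the AdHocSign prototype). Assumptions: the order-Q subgroup of Z_P^* stands in for the pairing group, the final check uses ζ directly where a verifier would use the pairing equation, and all values and function names are constructed.

```python
# Toy stand-in (assumption): order-Q subgroup of Z_P^* replaces the pairing group.
P, Q, G = 2039, 1019, 4              # constructed toy parameters, P = 2Q + 1
ZETA = 123                           # authority's system-wide secret (constructed)
# ALPHA[(attribute, k)] = alpha_{attribute,k}, the secrets spent on this structure
ALPHA = {("a", 1): 11, ("b", 2): 29, ("c", 3): 31, ("d", 4): 47}

def inv(x):
    return pow(x, -1, Q)

def preload(x_i, owned):
    """Authority -> user i: g_{i,a,k} = g^(alpha_{a,k}/(zeta+x_i)) for owned attributes."""
    return {(a, k): pow(G, al * inv(ZETA + x_i) % Q, P)
            for (a, k), al in ALPHA.items() if a in owned}

def publish(clauses, r):
    """Authority -> server: g_T = g^(sum of r_Tj) and (a, k, r_Tj/alpha_{a,k}) per leaf."""
    g_t = pow(G, sum(r) % Q, P)
    material = [{a: (k, r_j * inv(ALPHA[(a, k)]) % Q) for a, k in clause}
                for clause, r_j in zip(clauses, r)]
    return g_t, material

def derive(user_keys, material):
    """User: multiply g_{i,a,k}^(r_{T,a}) over one owned attribute per OR-clause."""
    A = 1
    for clause in material:
        hit = next(((a, k, r) for a, (k, r) in clause.items()
                    if (a, k) in user_keys), None)
        if hit is None:
            return None              # a disjunction is unsatisfied: no key can be built
        a, k, r = hit
        A = A * pow(user_keys[(a, k)], r, P) % P
    return A

def key_is_valid(A, x_i, g_t):
    """Check A^(zeta+x_i) == g_T, the relation the pairing equation tests."""
    return A is not None and pow(A, (ZETA + x_i) % Q, P) == g_t

CLAUSES = [[("a", 1), ("b", 2)], [("c", 3), ("d", 4)]]   # (a OR b) AND (c OR d)
G_T, MATERIAL = publish(CLAUSES, r=[77, 200])            # r_T1, r_T2 (constructed)
```

Users holding {a, d} and {b, c} both arrive at a key that satisfies the same relation for their own $x_i$, which is what keeps the satisfied branch hidden from the verifier.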
Security Features
Traceability
• Intuitively: It is hard for the storage server and/or colluding users to forge valid signatures that cannot be traced back to any of them, as long as the SDH problem is hard.
• Formally: Our proposed AdHocSign scheme is $(t, q_H, q_S, n, m, \epsilon)$-traceable if the $(q, t', \epsilon')$-SDH assumption holds, where $n = q - 1$, $\epsilon = 8n\sqrt{\epsilon' q_H} + 2n/q$, $t' = O(tmN)$.

Security Features
Selfless-anonymity
• Intuitively: It is hard for the storage server and/or others to determine whether two signatures pertain to the same user, as long as the Decision Linear problem is hard.
• Formally: Our proposed AdHocSign scheme is $(t, q_H, q_S, n, m, \epsilon)$ selflessly anonymous if the $(t', \epsilon')$ Decision Linear assumption holds, where $\epsilon' = \epsilon\,(1/n^2 - q_S q_H/p)/2$.

Cost Analysis
Computational cost
• User's cost
  - Private key preparation: x exponentiation operations, where x is the number of disjunctive components in the access structure; typically lower than the signing cost as long as x is not too large
  - Signing (using BS Group Signature Signing)
• Server's cost
  - Verification (using BS Group Signature Signing)
• Overall: typically less than twice that of the BS Group Signature scheme

Cost Analysis
Communication cost
• O(L), where L is the length of an access structure
Storage cost
• O(Nx)
  - x: total number of attributes owned by a user
  - N: total number of secrets preloaded for each attribute
  - N is the minimum number of different access structures that can be defined dynamically; in practice, more different access structures can be defined dynamically

Conclusion
We design a new group signature scheme for dynamically formed groups:
• Selfless-anonymity
• Traceability
• No user key distribution at dynamic group forming time, at the cost of storing extra key materials when a user joins the system
Applicable when: storage is cheaper than communication (the cost of dynamic management of groups)

Thank you!
Contacts of the authors: {wzhang, chuangw}@iastate.edu
Full paper: www.cs.iastate.edu/~wzhang/papers/adhocsign.pdf

Implementation
Prototype development
• Based on jPBC (Java pairing-based library)
• Adopting the type A curve
Evaluation setup
• User: desktop with 1.83 GHz Genuine Intel processor and 3 GB RAM
• Server: workstation with two 2.13 GHz Intel Xeon processors and 24 GB RAM
Evaluation results
• BS Group Signature
  - Signing cost: 1.65 seconds on average
  - Verification cost: 0.28 seconds on average
• Private key computation in AdHocSign: ~0.1 second for each disjunctive component in the access structure