Multimedia Network Security Laboratory (多媒體網路安全實驗室)
Extended Attribute Based Encryption for
Private Information Retrieval
Advisors: 鄭錦楸, 郭文中
Presenter: 許偉德
Date: 2010/07/02
Outline
1. INTRODUCTION
2. PRELIMINARY
3. CONSTRUCTION
4. SECURITY AND PRIVACY EVALUATION
5. PERFORMANCE ANALYSIS
6. CONCLUSION
INTRODUCTION
PIR (private information retrieval), in the setting of this paper, allows sensitive data to be obtained only if the data authorizers allow the data receivers to access it.
ABE (attribute-based encryption): a user is identified by a certain set of attributes, and a ciphertext is encrypted under another set of attributes.
Our Contribution
EABE (Extended Attribute Based Encryption): each authorizer can authorize the data receiver separately by issuing a signature.
The sender encrypts the requested data under the access structure and sends the ciphertext to the data receiver.
Only a receiver who has collected enough authorizations to satisfy the access structure can decrypt the ciphertext.
IEABE (Improved EABE), built on the ASPIR scheme:
Each authorizer generates an authorization on a requirement that includes the receiver's identity, the index of the data, and other policy items.
The sender also generates a ciphertext based on the requirement and the access structure.
The receiver can recover the data from the ciphertext obtained through the ASPIR scheme if the access structure is satisfied.
Sahai and Waters first proposed an attribute-based encryption (ABE) scheme, called fuzzy identity-based encryption, in 2005.
Goyal, Pandey, Sahai and Waters further defined two forms of ABE: key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE).
KP-ABE: a user's key can be expressed by any monotone formula over the attributes under which the data is encrypted.
CP-ABE: the scheme in the standard model uses a linear secret sharing scheme (LSSS), which is both expressive and efficient.
PRELIMINARY
A. Access structure
Definition 1 (Access Structure).
Let $A = \{A_1, A_2, \ldots, A_n\}$ be a set of parties. A collection $\Gamma \subseteq 2^{A}$ is monotone if for all $B, C \subseteq A$: if $B \in \Gamma$ and $B \subseteq C$, then $C \in \Gamma$.
The sets in $\Gamma$ are called the authorized sets, and the sets not in $\Gamma$ are called the unauthorized sets.
B. Linear Secret Sharing Schemes
Definition 2 (Linear Secret-Sharing Scheme (LSSS)).
A secret-sharing scheme $\Pi$ over a set of parties $A$ is called linear (over $\mathbb{Z}_p$) if:
1) The shares for each party form a vector over $\mathbb{Z}_p$.
2) There exists an $l \times w$ matrix $M$, called the share-generating matrix for $\Pi$. Consider the column vector $v = (s, r_2, \ldots, r_w)$, where $s \in \mathbb{Z}_p$ is the secret to be shared and $r_2, \ldots, r_w \in \mathbb{Z}_p$ are chosen at random; then $Mv$ is the vector of $l$ shares of the secret $s$ according to $\Pi$.
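Definitions 1 and 2 together, as an added worked example that is not part of these slides or of the paper they report on: the script builds a share-generating matrix $M$ from a monotone Boolean policy with the standard formula-to-LSSS construction, shares a secret $s \in \mathbb{Z}_p$ as $Mv$, recovers $s$ from an authorized set by solving for coefficients $\omega$ with $\sum_i \omega_i M_i = (1, 0, \ldots, 0)$, and checks that the collection of authorized sets is monotone in the sense of Definition 1. The prime, the sample policy (A1 AND A2) OR A3 and every function name are assumptions made for illustration.

```python
# Added example, not from the slides: an LSSS for a monotone Boolean policy over Z_p.
# The policy, the prime P and every function name here are illustrative assumptions.
import random
from itertools import combinations

P = 2**127 - 1  # assumed prime modulus for Z_p (any large prime works)


def formula_to_lsss(formula):
    """Build the share-generating matrix M (l x w) and its row labels.
    formula is a party name (str) or ("AND", f1, f2) / ("OR", f1, f2).
    Root vector (1), counter c = 1; an AND node with vector v gives the left
    child v|1 (v padded to length c) and the right child (0,..,0)|-1, c += 1;
    an OR node passes v unchanged to both children."""
    rows, labels, counter = [], [], [1]

    def walk(node, vec):
        if isinstance(node, str):          # leaf: one matrix row for this party
            rows.append(vec)
            labels.append(node)
            return
        op, left, right = node
        if op == "OR":
            walk(left, list(vec))
            walk(right, list(vec))
        elif op == "AND":
            c = counter[0]
            counter[0] += 1
            walk(left, vec + [0] * (c - len(vec)) + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError("unknown gate %r" % op)

    walk(formula, [1])
    w = counter[0]                           # final counter = number of columns
    M = [[x % P for x in row + [0] * (w - len(row))] for row in rows]
    return M, labels


def share(M, s):
    """Shares = M v with v = (s, r2, ..., rw), r_i random in Z_p (Definition 2)."""
    w = len(M[0])
    v = [s % P] + [random.randrange(P) for _ in range(w - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def recon_coeffs(M, labels, party_set):
    """Solve sum_i omega_i * M_i = (1,0,...,0) over the rows owned by party_set.
    Returns {row_index: omega_i}, or None if the set is unauthorized."""
    idx = [i for i, lab in enumerate(labels) if lab in party_set]
    k, w = len(idx), len(M[0])
    # one equation per column j: sum_i omega_i * M[idx[i]][j] = e_j
    A = [[M[i][j] for i in idx] + [1 if j == 0 else 0] for j in range(w)]
    pivots, r = [], 0
    for c in range(k):                       # Gauss-Jordan elimination mod P
        piv = next((i for i in range(r, w) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, P)
        A[r] = [x * inv % P for x in A[r]]
        for i in range(w):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * y) % P for x, y in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    if any(A[i][k] for i in range(r, w)):    # a row 0 = nonzero: no solution
        return None
    return {idx[c]: A[row][k] for row, c in enumerate(pivots)}  # free vars = 0


def reconstruct(M, labels, shares, party_set):
    """Recover s as sum_i omega_i * share_i, or None for an unauthorized set."""
    omega = recon_coeffs(M, labels, party_set)
    if omega is None:
        return None
    return sum(o * shares[i] for i, o in omega.items()) % P


def authorized_sets(M, labels):
    """The collection Gamma: every subset of parties whose rows span (1,0,...,0)."""
    parties = sorted(set(labels))
    return {frozenset(sub) for k in range(1, len(parties) + 1)
            for sub in combinations(parties, k)
            if recon_coeffs(M, labels, set(sub)) is not None}


def is_monotone(gamma, parties):
    """Definition 1: B in Gamma and B subset of C implies C in Gamma."""
    return all(frozenset(c) in gamma
               for b in gamma
               for k in range(len(parties) + 1)
               for c in combinations(parties, k) if b <= frozenset(c))


def demo(secret=42):
    """Policy (A1 AND A2) OR A3: the pair {A1, A2} or A3 alone is authorized."""
    M, labels = formula_to_lsss(("OR", ("AND", "A1", "A2"), "A3"))
    shares = share(M, secret)
    return {"M": M, "labels": labels,
            "A1_and_A2": reconstruct(M, labels, shares, {"A1", "A2"}),
            "A3_alone": reconstruct(M, labels, shares, {"A3"}),
            "A1_alone": reconstruct(M, labels, shares, {"A1"}),
            "monotone": is_monotone(authorized_sets(M, labels), sorted(set(labels)))}


if __name__ == "__main__":
    print(demo())
```

For the sample policy the construction yields $M = \begin{pmatrix} 1 & 1 \\ 0 & -1 \\ 1 & 0 \end{pmatrix}$ with rows labelled A1, A2, A3: the rows of A1 and A2 sum to $(1, 0)$, the row of A3 already is $(1, 0)$, and no single row of A1 or A2 spans it, which is exactly the authorized/unauthorized split of Definition 1. Reconstruction recovers $s$ only from a set whose rows span the target vector; an unauthorized set leaves the linear system inconsistent and the function returns None rather than a wrong secret.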
C. Bilinear Maps
Definition 3 (Bilinear Maps).
Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$.
D. Decisional Bilinear Diffie-Hellman Assumption
Let $a, b, s \in \mathbb{Z}_p$ be chosen at random and let $g$ be a generator of $G$. Given $(g, g^a, g^b, g^s)$, the adversary must distinguish the valid tuple element $e(g, g)^{abs} \in G_T$ from a random element $R \in G_T$.
E. Participants in our scheme
EABE and IEABE involve an initializer, a sender, a receiver, and authorizers, denoted by $I$, $S$, $R$ and $A = \{A_1, A_2, \ldots, A_n\}$.
$I$: generates the common parameter $PK$ and then publishes $PK$ authentically.
$S$: holds a data item $d$ whose release must be authorized by an authorized set $A'$ of the access structure.
$A_i$: each authorizer generates its own private/public key pair, used to sign messages.
In EABE, the ciphertext is generated according to the access structure, and the authorization from $A_i$ is generated according to the identity of $R$.
In IEABE, $S$ and/or $R$ choose a message $m$ to be signed as a proof of authorization.