
Attribute Based Cryptology

A Project Report
submitted by
SUBHASHINI VENUGOPALAN
in partial fulfilment of the requirements
for the award of the degree of
MASTER OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
INDIAN INSTITUTE OF TECHNOLOGY MADRAS
April 2011
THESIS CERTIFICATE
This is to certify that the thesis titled Attribute Based Cryptology, submitted
by Subhashini Venugopalan, to the Indian Institute of Technology, Madras, for
the award of the degree of Master of Technology, is a bona fide record of the
research work done by her under our supervision. The contents of this thesis, in
full or in parts, have not been submitted to any other Institute or University for
the award of any degree or diploma.
Prof. C. Pandu Rangan
Research Guide
Professor
Dept. of Computer Science and Engg
IIT-Madras, 600 036
Place: Chennai
Date: 30 April 2011
To the memory of my grandparents
This work is licensed under the Creative Commons Attribution 3.0 License.
ACKNOWLEDGEMENTS
I am deeply indebted to Prof. C. Pandu Rangan for his inspiration, support and guid-
ance throughout my course here. His passion and enthusiasm for teaching, sharing his
knowledge and motivating students has not only amazed me, but has made an admirer of
everyone who has been taught by him. To me, he has been more than a research advisor,
his advice on topics ranging from philosophy to sports has benefited and enriched me
in several ways. Whenever I have approached him to discuss ideas for my project, or
any generic problem, or even something personal, I have always found an eager listener.
He has also been a fun and enthusiastic partner to discuss various puzzles and riddles.
I'm grateful to him for being very supportive in letting me pursue my interests outside
of academics, and encouraging me to learn and read widely. I'm happy to be a part
of his lab which is a treasure house of knowledge and a place that offers an excellent
environment for research. Not to forget, his sense of humour, and his jovial and affectionate
nature have made the lab a lively and fun place to be in. I'm grateful for this
opportunity and look forward to continuing my interactions with him in future.
I would like to express my gratitude to Sharmi and Vivek with whom I have had
many insightful discussions, which have bettered my understanding of various topics
in cryptography. My debates with Sharmi were thoroughly enjoyable and have been
rewarding in terms of the sheer number of ideas that have resulted from them. My other
labmates, Akash, Bhargav, Billy, Chaya, Esha, Prateek, Preetha ma'am, and Sangeetha
have been a wonderful peer group to bounce off thoughts on various topics academic
and otherwise. The company of Bhargav, Pandu Rangan sir, and Venkie (of Microsoft
Research) always results in some rib-tickling jokes that have had the lab rolling with
laughter for days on end. Bhargav, apart from being the entertainer, along with Chaya
are great companions to brainstorm on math games and puzzles as well. All of these
people along with former labmates Sai, Shinku and Swarun have made my time in the
TCS lab stimulating and memorable.
I'd like to extend my thanks to Dr. Shankar Balachandran; his dedication and energy
are infectious, and I'm glad I had the opportunity to be his teaching assistant for 3
semesters. Working with him has been a delightful experience. I am also grateful to
Dr. Narayanaswamy for the interesting interactions we have had, and for the time and
energy he has devoted to me. I also take this opportunity to thank Professors Kamakoti,
Krishna Sivalingam, Kamala Krithivasan, Sreenivasa Kumar, Hema Murthy, Dr. Shailesh
Vaya, and Dr. Alan Davy who have all made my courses here pleasurable. I thank my
faculty advisors Prof. Janakiram and Dr. Madhu Mutyam; and also Dr. Ashish, Dr.
Chandra Sekhar, Prof. Siva Ram Murthy, and Dr. Ravindran for their constant support
and words of encouragement. Special thanks to Dr. Jayalal for instituting the theory
seminars which are exciting and informative. I am grateful to the entire computer science
department for their words of appreciation and the faith they have shown in me.
My thanks also goes to all my batchmates who have made the atmosphere in my
classes lively and thought provoking. Special mention to Smruthi and her wonderful circle
of friends who have made my life at IITM complete. Last, but most importantly, I'm
grateful to my parents, sister, and family for their love, blessings and support throughout
this endeavour.
ABSTRACT
KEYWORDS: attribute based, cryptosystems, encryption, signatures, efficient,
multi-level, threshold, security.
The problems of confidentiality, authenticity and anonymity have been studied
for long in cryptography, and the notion of provable security is the foundation
for most, if not all, modern cryptographic research. With great advancements
in technology, there is also a need to define and view these concepts of security
under various dimensions. One such recent dimension of security is the attribute
based view that has been conceived by the requirements in a distributed setting.
Attribute based encryption and signature schemes have been developed in order
to give more fine-grained access control. Presently attribute-based systems have
wide applicability in a number of new decentralized settings and address some
exciting problems. In this thesis we propose an efficient attribute-based encryption
(ABE) scheme with support for multi-level threshold predicates. We also discuss
the security of some attribute-based signature (ABS) schemes and
give the construction for a threshold ABS scheme based on a novel approach.
In this work we rst look at ABE. Anonymous access control is a very de-
sirable property in various applications, e.g. encrypted storage in distributed
environments; and attribute based encryption is a cryptographic scheme that is
targeted to achieve this property. ABE is an encryption mechanism that is useful
in settings where the list of users may not be known a priori. Here, all users may
possess some credentials, and these are used to determine access control and also
provide a reasonable degree of anonymity with respect to the user's identity. Ciphertext
policy attribute based encryption is a scheme that gives a natural way
to separate the credentials from the access policy and cleverly combine them at a
later stage to provide secure access to protected data. In most ABE schemes the
size of the ciphertext is quite large and is of the order of the number of attributes.
In this work we present our approach for a multi-level threshold attribute based
encryption which is independent of the number of attributes.
Secondly, we consider ABS schemes. Attribute-based signatures allow users
possessing a set of credentials to sign documents; although the credentials of the
signer can be verified, signers can still continue to retain a reasonable degree of
anonymity. This thesis discusses certain aspects regarding the security of some
attribute based signature schemes. In particular we show multiple breaks in the
existing threshold attribute based signature schemes in [LAS+10]. We first claim
that the scheme is not secure, since it allows a signer without sufficient attributes
to satisfy the threshold of the access policy to sign a document and pass the
necessary verification. Then, we show that a signer possessing keys for some
attributes can perform universal forgery and produce a signature that satisfies
the threshold for a set of attributes she does not possess. Finally, we show a total
break in the system, where the attacker can act as the key generating authority
and use her knowledge of the secret key to generate private keys for other users.
We also include examples of the attacks to highlight the flaws of this scheme and
other schemes appearing in [LK08, SSN09, KABPR10, LK10] which have the same
or a similar key construct.
Our next move aims at overcoming the above mentioned attacks. For that, we
propose a novel threshold ABS scheme based on the concept of ring signatures.
Ring signatures [RST01] enable a signer to keep her identity hidden within the
identities of a group of n people who form the ring. We use this as a foundation
and create a threshold ABS scheme, where the signer has to keep a threshold
of t attributes, in her possession, anonymous from a given set of n attributes.
Previous ABS schemes were largely derived from ideas in the encryption (ABE)
schemes. This thesis proffers a new ABS scheme based on ring signatures and
lends attribute-based signatures a different outlook.
TABLE OF CONTENTS
ACKNOWLEDGEMENTS i
ABSTRACT ii
LIST OF TABLES viii
LIST OF FIGURES ix
ABBREVIATIONS x
NOTATION xi
1 Introduction 1
1.1 Attribute-Based Encryption . . . . . . . . . . . . . . . . . . . . 1
1.2 Attribute Based Signatures . . . . . . . . . . . . . . . . . . . . . 4
1.3 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4.1 Efficient ciphertext-size threshold ABE . . . . . . . . . . 6
1.4.2 Security of threshold ABS . . . . . . . . . . . . . . . . . 6
1.4.3 New threshold ABS scheme . . . . . . . . . . . . . . . . 7
1.5 Organization of the Thesis . . . . . . . . . . . . . . . . . . . . . 7
2 Preliminaries 9
2.1 Bilinear Pairing . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Hardness Assumptions . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.1 Computational Diffie-Hellman Assumption . . . . . . . . 9
2.2.2 Decisional Diffie-Hellman Assumption . . . . . . . . . . . 9
2.2.3 Computational Bilinear Diffie-Hellman Assumption. . . . 10
2.2.4 Decisional Bilinear Diffie-Hellman Assumption . . . . . . 10
2.2.5 Decision Linear Assumption . . . . . . . . . . . . . . . . 10
2.2.6 Bilinear Diffie-Hellman Exponent Assumption . . . . . . 10
2.2.7 Augmented Multi-sequence of Exponents D-H Problem . 10
2.3 Secret Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3.1 Linear secret sharing schemes . . . . . . . . . . . . . . . 11
2.3.2 Shamir's secret sharing scheme . . . . . . . . . . . . . . 12
2.3.3 Lagrange interpolation . . . . . . . . . . . . . . . . . . . 12
2.4 Primitives for Attribute-based Encryption and Signatures . . . . 13
2.4.1 CP-ABE scheme algorithms . . . . . . . . . . . . . . . . 13
2.4.2 ABS algorithms . . . . . . . . . . . . . . . . . . . . . . . 13
2.5 Waters signature . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.6 Forking Lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3 Existing Threshold Attribute-based Cryptosystems 17
3.1 Inception of Attribute Based Encryption . . . . . . . . . . . . . 17
3.2 CP-ABE Schemes with Efficient Ciphertext-Size . . . . . . . . . 19
3.3 Development of Attribute Based Signatures . . . . . . . . . . . 21
3.4 Threshold Attribute-Based Signatures . . . . . . . . . . . . . . . 22
4 Efficient Multi-level Threshold CP-ABE 25
4.1 Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.3 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.3.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.3.2 Key Generation . . . . . . . . . . . . . . . . . . . . . . . 27
4.3.3 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.3.4 Decryption . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.4 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.4.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.4.2 Generating the keys . . . . . . . . . . . . . . . . . . . . . 30
4.4.3 Encrypting a message . . . . . . . . . . . . . . . . . . . . 31
4.4.4 Decrypting the ciphertext . . . . . . . . . . . . . . . . . 32
5 On The Security of Attribute Based Signatures 35
5.1 Efficient Threshold ABS Scheme . . . . . . . . . . . . . . . . . . 35
5.1.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5.1.2 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5.1.3 Extract . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.1.4 Sign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.1.5 Verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2.2 Extract . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2.3 Preliminaries for the attack . . . . . . . . . . . . . . . . 37
5.2.4 Attack 1: Forgery without satisfying threshold . . . . . . 39
5.2.5 Attack 2: Universal forgery . . . . . . . . . . . . . . . . 40
5.2.6 Attack 3: Total break - impersonating key issuing authority 41
5.3 Attacks on schemes with similar key construct . . . . . . . . . . 41
5.3.1 Total break on attribute based ring signature scheme . . 42
5.3.2 Break on threshold attribute based signature scheme . . 42
5.3.3 Attack on ABS with multiple attribute authorities . . . . 43
5.3.4 Attack on multi-level threshold ABS scheme . . . . . . . 46
5.3.5 Total break on hidden ABS without anonymity revocation 48
5.4 Summary of attacks . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.5 Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6 New Threshold Attribute-Based Signature Scheme 50
6.1 Underlying Ring Signature . . . . . . . . . . . . . . . . . . . . . 51
6.1.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . 51
6.2 New ABS Scheme Construction . . . . . . . . . . . . . . . . . . 52
6.2.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.2.2 Key Generation . . . . . . . . . . . . . . . . . . . . . . . 53
6.2.3 Sign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.2.4 Verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.3.1 Security Notions . . . . . . . . . . . . . . . . . . . . . . 56
6.3.2 Modified Computational Bilinear Diffie-Hellman Assumption . . . . 57
6.3.3 Unforgeability . . . . . . . . . . . . . . . . . . . . . . . . 57
6.3.4 Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.4 Advantages of the new approach . . . . . . . . . . . . . . . . . . 62
7 Conclusions and Directions for Future Work 64
7.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
7.1.1 Threshold CP-ABE . . . . . . . . . . . . . . . . . . . . . 64
7.1.2 Attribute Based Signatures . . . . . . . . . . . . . . . . 65
7.1.3 Threshold ABS - New Directions . . . . . . . . . . . . . 65
7.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
A Detailed Analysis of Proof 67
A.1 Sign Oracle Correctness . . . . . . . . . . . . . . . . . . . . . . 67
A.1.1 Verication analysis . . . . . . . . . . . . . . . . . . . . . 68
A.2 Correctness of Solving CBDH . . . . . . . . . . . . . . . . . . . 69
References 70
LIST OF TABLES
3.1 Comparison of PK, SK and ciphertext sizes . . . . . . . . . . . 20
5.1 Table summarizing the attacks . . . . . . . . . . . . . . . . . . . 48
LIST OF FIGURES
1.1 Representation of the access policy as a tree. . . . . . . . . . . . 2
1.2 Threshold access policy to represent 3-out-of (Colonel, Major,
Navy, Op-X, Op-Y, Op-Z). . . . . . . . . . . . . . . . . . . . . 3
4.1 Multi-level threshold tree. . . . . . . . . . . . . . . . . . . . . . 25
4.2 Access tree structure for a multi-level predicate. . . . . . . . . . 30
4.3 Examples of access tree satisfaction. . . . . . . . . . . . . . . . . 31
4.4 Encryption - Generating shares using Shamir's secret sharing
idea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
6.1 Ring ABS where each alleged member of the ring has 4 attributes. 50
ABBREVIATIONS
ABE Attribute-Based Encryption
ABGS Attribute Based Group Signature
ABS Attribute-Based Signature
aMSE-DDH Augmented Multi-sequence of Exponents Diffie-Hellman Assumption
CBDH Computational Bilinear Diffie-Hellman Assumption
CDH Computational Diffie-Hellman Assumption
CMA Chosen Message Attack
CP-ABE Ciphertext-Policy Attribute Based Encryption
CPA Chosen Plaintext Attack
DBDH Decisional Bilinear Diffie-Hellman Assumption
DDH Decisional Diffie-Hellman Assumption
DLIN Decision Linear Assumption
KP-ABE Key-Policy Attribute Based Encryption
LSSS Linear Secret Sharing Schemes
m-CBDH modified Computational Bilinear Diffie-Hellman Assumption
MK Master Secret Key
MSP Monotone Span Program
NIWI Non-Interactive Witness Indistinguishability
NIZK Non-Interactive Zero Knowledge
PK Public Key
q-BDHE q-Bilinear Diffie-Hellman Exponent Assumption
SK Secret Key
t-ABS threshold Attribute Based Signature
TA Trusted Authority
NOTATION
G, G_1, G_2, G_T   Cyclic groups of prime order p
g   Generator of group G
p, q   Large primes
e(·, ·)   A bilinear pairing
Δ_{i,S}(x)   Coefficient for Lagrange's interpolation
T   Multi-level threshold circuit
Z_p   Finite field of prime order p
CT   Ciphertext
Null
D   User's signing secret keys
Signature
Signing Predicate (policy)
C   Challenger
A   Adversary
k, Security parameter
m   Message
msk   Master secret key
params   Public Parameters
CHAPTER 1
Introduction
A public-key cryptosystem comprises mechanisms to provide confidentiality,
through public key encryption, and authenticity, through digital signatures. In
such a system, the parties involved in communication - sender and receiver -
maintain a pair of keys each, in order to perform either of the two operations of
encryption or signing. Depending on the application, a variety of
public key cryptosystems have been proposed. A recent addition to this assortment is the
attribute based system. Unlike in traditional cryptography, where the intended
recipient's or the signer's identity is clearly known, in an attribute based system
one only needs to specify the attributes or credentials of the recipient(s) or the
signer in the form of a predicate that is to be satisfied. This feature enables secure
data sharing even in a decentralized setting, providing both fine-grained control
on access and some degree of anonymity for the participants. In this thesis, we will
look at attribute-based systems with special focus on those that support threshold
predicates.
1.1 Attribute-Based Encryption
There are several settings where a user would want to give access to documents
based on certain credentials or the position/role of a person. This may be comparable
with Views in a database. We would want different kinds of users of the
database to be able to see only those contents that are relevant to them. Similarly,
in a distributed setting where all the data may be stored in a server, the server
might allow access to files and documents based on some predefined access control
policy; for instance, clients may have to provide proper certification to retrieve
specific files. In such cases, if the data (storage) in the database or server is compromised,
then although it may be in encrypted form, anyone who has access
to the database or server may be able to retrieve all information including those
documents that may not be relevant to them. To be more specific, any normal
user of the database who gets his/her hands on the compromised data may now
be able to get those files which were restricted and whose access was determined
by some application in the database or server.
ABE. ABE was first introduced by Sahai and Waters in [SW05, GPSW06]. It
provides a mechanism by which we can ensure that even if the storage is compromised,
the loss of information will only be minimal. What attribute based
encryption does is that it effectively binds the access-control policy to the data
and the users (clients) instead of having a server mediating access to files. To
understand this better, we will take a closer look at what constitutes an attribute-based
system, with particular attention to ABE.
Access Policy. An access control policy is a policy that defines the kind
of users who have permission to read the documents. E.g., in an academic
setting, grade-sheets of a class may be accessible only to a professor handling the
course and some teaching assistants (TAs) of that course. We can express such a
policy in terms of a predicate:
( (Professor ∧ CS dept.) ∨ (M.Tech student ∧ CS-410 TA ∧ CS dept.) )
Figure 1.1: Representation of the access policy as a tree: an OR root over two AND nodes, (Prof, CS) and (M.Tech, CS, CS410-TA).
We will call the various credentials (or variables) of the predicate as attributes
and the predicate itself which represents the access policy as the access-structure.
In the example here the access structure is quite simple. But in reality, access
policies may be quite complex and may involve a large number of attributes.
Properties. There are two major features to attribute based encryption:
1. It has the capacity to address complex access control policies.
2. The exact list of users need not be known a priori. Knowledge of the access
policy is sufficient.
Also, an important property that attribute based encryption schemes must
satisfy is that of collusion resistance. Collusion resistance means that, if two or
more users possessing different keys combine to decrypt the ciphertext, they will be
successful if and only if any one of the users could have decrypted it individually.
In other words, even if multiple parties collude, they should not be able to decrypt
the ciphertext unless one of them was able to decrypt it completely by herself.
These properties ensure that only users possessing the right keys have access to
the information. Moreover, as the encryption is based on the access-structure it
implicitly assures anonymous access control.
Types of ABE. ABE can be categorized into two types depending on whether
the attributes are embedded in the ciphertext or whether the access-structure is
embedded in the ciphertext. The first is key-policy ABE (KP-ABE),
which was in fact the initial form of attribute based encryption that was developed.
It was originally introduced in [SW05] and later by Goyal et al. in [GPSW06] and
by Ostrovsky et al. [OSW07]. In KP-ABE the attributes are encrypted along with
the data and the access structure is given to each user as part of their secret key. But
attribute based encryption is more applicable in the regular world if the access-structure
can be embedded in the ciphertext and the users can have their attributes
saved in their secret keys. This second form of ABE is known as ciphertext-policy
ABE (CP-ABE) and was introduced by Bethencourt et al. [BSW07]. Both these
initial schemes [GPSW06, BSW07] were largely based on the secret sharing scheme
developed by Shamir [Sha79]. However, it is ciphertext policy based ABE that has
become more popular in later schemes like [CN07, GJPS08, NYO09, GNSN10]
and others. This might be largely due to the fact that CP-ABE represents a
natural and more intuitive way to view attribute based encryption.
Threshold. In this thesis we will be targeting threshold access policies. Let's
take an example to understand what a threshold predicate is. Say Bob wants to
encrypt and send a message to people who have at least 3 out of 6 properties: {
Colonel, Major, Navy, Op-X, Op-Y, Op-Z }, i.e. the recipient should have any 3 of
the properties: a) Colonel, b) Major, c) Navy, d) worked in operation-X, e) worked
in operation-Y, f) worked in operation-Z. For instance, a person who successfully
decrypts the message may be an army major with experience in operations X and
Y. Equivalently, the message can be opened by a naval colonel who has worked in
operation Z. Thus 3 is just a minimum threshold of the attributes that must be
satisfied by the recipient. In general, if the threshold is (t, n), then the decryptor
must have t or more of the specified n attributes.
Figure 1.2: Threshold access policy to represent 3-out-of (Colonel, Major,
Navy, Op-X, Op-Y, Op-Z): a single 3-of-6 gate over the six attribute leaves.
The above figure [1.2] is an example where the threshold gate is a single predicate.
A regular access policy may consist of just a single threshold gate or there
may be even predicates where the threshold gate is a sub-node under some other
operation like AND or OR.
We will look at attribute based encryption and threshold CP-ABE schemes in
greater detail in Chapter(3) of this thesis.
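The following is an added worked example, not code from the thesis: it models the threshold access structures above with Shamir secret sharing over Z_p, pushing a secret from the root of an access tree down to its attribute leaves and recovering it only from the shares of attributes a user holds. It goes beyond the single-gate example of Figure 1.2 to the multi-level trees of Section 1.4.1, treating AND and OR as n-of-n and 1-of-n threshold gates. Everything outside the two figures is an assumption made for illustration: the demo prime P, the ("t-of", t, children) tuple encoding of the tree, and the top-down sharing in the style of the GPSW06/BSW07 constructions. Python 3.8+ is needed for pow(den, -1, p).

```python
import secrets

# Assumption (not from the thesis): a demo prime for Z_p. A real scheme works in the
# order of a pairing-friendly group; the arithmetic below is the same.
P = 2**127 - 1


def lagrange_coeff(i, S, x, p=P):
    """Lagrange coefficient Delta_{i,S}(x) = prod_{j in S, j != i} (x - j)/(i - j) mod p."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (x - j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p


def shamir_share(secret, t, n, p=P):
    """Shamir (t, n) sharing [Sha79]: a random degree t-1 polynomial f with f(0) = secret;
    share i is f(i). Returns {1: f(1), ..., n: f(n)}."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, p) for k, c in enumerate(coeffs)) % p
            for i in range(1, n + 1)}


def shamir_recover(shares, p=P):
    """Interpolate f(0) from a dict {i: f(i)} holding at least t points."""
    S = list(shares)
    return sum(y * lagrange_coeff(i, S, 0, p) for i, y in shares.items()) % p


# Access tree encoding (assumption): a leaf is an attribute name, an inner node is
# ("t-of", t, [children]). AND over k children is ("t-of", k, ...), OR is ("t-of", 1, ...),
# so a single threshold gate type expresses the whole tree.

def share_tree(node, secret, p=P, path=()):
    """Push `secret` from the root to the leaves: every inner node Shamir-shares its
    value among its children. Leaves are keyed by their path so that an attribute
    appearing at two leaves (e.g. "CS" in Figure 1.1) gets two independent shares."""
    if isinstance(node, str):
        return {path: (node, secret)}
    _, t, children = node
    child_shares = shamir_share(secret, t, len(children), p)
    leaves = {}
    for idx, child in enumerate(children, start=1):
        leaves.update(share_tree(child, child_shares[idx], p, path + (idx,)))
    return leaves


def recover_tree(node, attrs, leaves, p=P, path=()):
    """Return the secret at `node` if the attribute set `attrs` satisfies the subtree,
    else None. A user can only use shares of leaves whose attribute she holds."""
    if isinstance(node, str):
        attr, share = leaves[path]
        return share if attr in attrs else None
    _, t, children = node
    usable = {}
    for idx, child in enumerate(children, start=1):
        value = recover_tree(child, attrs, leaves, p, path + (idx,))
        if value is not None:
            usable[idx] = value
            if len(usable) == t:          # t shares suffice; ignore the rest
                return shamir_recover(usable, p)
    return None


# Figure 1.2: any 3 of the 6 attributes.
POLICY_3_OF_6 = ("t-of", 3, ["Colonel", "Major", "Navy", "Op-X", "Op-Y", "Op-Z"])

# Figure 1.1: (Professor AND CS dept) OR (M.Tech student AND CS-410 TA AND CS dept),
# written with threshold gates only.
POLICY_GRADES = ("t-of", 1, [("t-of", 2, ["Professor", "CS"]),
                              ("t-of", 3, ["M.Tech", "CS410-TA", "CS"])])


def can_decrypt(policy, attrs, secret=123456789):
    """True iff `attrs` recovers the shared secret under `policy`."""
    leaves = share_tree(policy, secret)
    return recover_tree(policy, attrs, leaves) == secret


if __name__ == "__main__":
    print(can_decrypt(POLICY_3_OF_6, {"Colonel", "Navy", "Op-Z"}))    # True
    print(can_decrypt(POLICY_3_OF_6, {"Major", "Op-X"}))              # False
    print(can_decrypt(POLICY_GRADES, {"Professor", "CS"}))            # True
    print(can_decrypt(POLICY_GRADES, {"M.Tech", "CS"}))               # False
```

The shares are handed to the recovery routine in the clear here, so this only models access-structure satisfaction. In an actual CP-ABE the leaf shares sit inside ciphertext components and can only be combined through the pairing with one particular user's key, which is what collusion resistance rests on: two users holding different keys cannot pool the shares they each recover.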
1.2 Attribute Based Signatures
There are several situations where one may need to obtain some permissions or a
signature from an authority having certain credentials, but it may be immaterial
as to who the specic authorizer is. For example, Alice may need an approval
from a major in the army or a captain in the navy but it may not matter as to
who exactly gave her the permissions. There are also other situations where one
may need to prove that they possess specic credentials but would not want to
reveal all their personal details in doing so. Let's take an example where Bob, a
captain in the navy, is going to a secret officers' meet. He wouldn't want to reveal
more about himself except to prove that he is an officer who is within his rights
in attending the meet. These are cases where attribute based signatures can be
useful.
ABS. Attribute based signature is a cryptographic primitive in which users pro-
duce signatures based on some predicate of attributes, using keys issued by one
or more attribute authorities. ABS has largely been inspired by attribute based
encryption schemes [GPSW06, BSW07, Wat08]. Attribute based systems are ap-
plicable in settings where there is a need for a complex policy to govern the access
of a document or provide authentication. These systems are also privacy-friendly
since they deal with the attributes of a user and not with any direct identity that is
associated with the signer. In this sense, ABS is similar to signature variants like
Group signatures [Cam97], Ring signatures [RST01] and Mesh signatures [Boy07].
The dominant idea of all these signature primitives is that they allow the signer
fine-grained control over the amount of personal information exposed. However,
it is important to note that a valid ABS signature guarantees that only a person
possessing the required attributes that satisfy the predicate can produce a
signature.
Signing policy. A notable feature of ABS is that, unlike other signature schemes,
attribute based systems are capable of supporting complex predicate policies. For
instance, some permissions can be approved only by a person who is:
( (Major AND (in Army OR Navy)) OR (Captain AND in Operation-Star) OR (Commander AND in Operation-X) ).
Moreover, a valid signature based on the above
predicate would only indicate one of the four possibilities for the signer: a) Major
in Army or b) Major in Navy or c) Captain in Operation-Star or d) Commander in
Operation-X; but it would not reveal which of these the signer actually is. Also, a
person who is not any of the four would not be able to produce a valid signature.
We would like to remark here that, signing policies are similar to access policies
and both of them are predicates on some attributes.
Collusion. Another important property of attribute based systems is collusion
resistance. This essentially means that multiple parties cannot collude and com-
bine all their attributes to produce a valid signature if any one party could not
do it individually. For example, a commander in the air force and a captain in
operation-X should not be able to somehow combine their attributes to produce
a valid signature for the above predicate.
1.3 Motivation
In our thesis we look at threshold ABE and ABS schemes. The most appealing
fact about threshold gates is that they are very expressive and encompass the
other common AND and OR gate access structures as well.
In most of the existing ABE schemes, the size of the ciphertext is very large;
it is usually of the order of the number of attributes under consideration. Most
efficient schemes with expressive access control have ciphertext size proportional
to the number of attributes involved [Wat08]. There have also been works on
constant size CP-ABE schemes. A good number of the constant size ciphertext
schemes are applicable only to some restricted access structures that use only AND
gates [ZH10, EMN+09]; and those that support threshold, like the work of Herranz
et al. [HLR10], are suitable only in the case where the predicate has a single gate
(threshold or otherwise). This motivates us to work towards obtaining a more
expressive, multi-level threshold CP-ABE whose ciphertext-size is independent of
the number of attributes.
Aside from that, endeavors in ABE have also spurred attribute based signatures.
Hence, it is not surprising that attribute based signature constructions have
properties like collusion resistance and predicate policies similar to those of ABE;
additionally, they borrow some of the building blocks, like secret sharing, to engender
these features. Our study on threshold attribute-based signature schemes
has led us to observe that, unlike in most threshold ABE constructions, threshold
ABS schemes using secret sharing give the signer more secret components (in the
form of dummy attributes) than he/she should possess. The primary objective of that
is to provide the signer with more components so as to reveal less about his/her
identity and give a greater degree of anonymity. This instigates us to probe the
schemes from an adversarial standpoint and inspires us to make a detailed study
on the security aspects of ABS schemes.
1.4 Contributions
1.4.1 Efficient ciphertext-size threshold ABE
A part of this work focuses on an approach to get a multi-level threshold CP-ABE
where the ciphertext size is independent of the number of attributes. The multi-
level threshold access structure is more expressive and can be used to represent
complex access control policies. To be more specic, this access predicate can
have a threshold gate at every level of the access tree i.e. we can have a node
as a threshold-gate and further, even the children of that node can be threshold
nodes until we reach the leaves which form the attributes. We propose a scheme
that supports such an access structure and at the same time is ecient in terms of
the number of ciphertext components. The main advantage of such a multi-level
threshold structure is that, the threshold-gate can also be converted to just AND
or OR gate. Hence, a scheme that can support threshold gates at every level
of the access tree, can essentially be transformed to suit any complicated access
predicate, making it highly expressive. In addition, the size of the ciphertext in
our scheme depends on the complexity of the access policy as opposed to the
cardinality of the universe of attributes.
1.4.2 Security of threshold ABS
In the second part of this thesis we show attacks on the threshold attribute based
signature scheme proposed by Li et al. [LAS+10]. We claim that the scheme is
insecure since,
• a signer who does not possess the necessary number of attributes to satisfy
the threshold of the predicate can still produce a valid signature;
• a signer with some attributes, completely unrelated to the attributes of the
predicate, can perform universal forgery;
• an attacker can find a total break in the system and obtain a component of
the secret key with which she can pose as the key generating authority.
Since our attack is based on the key construct in the scheme, we show that
one or more of these breaks also hold for the following schemes which have a similar
key generation algorithm:
a) The ABS scheme with multiple attribute authorities, which is the second
scheme proposed in [LAS+10];
b) Attribute based ring signature scheme in [LK08];
c) The threshold attribute based signature by Shahandashti et al. [SSN09] which
is derived based on [LK08];
d) ABS for multi-level threshold circuits by Kumar et al. [KABPR10] and
e) Hidden attribute-based signatures without anonymity revocation by [LK10].
We also give our observations on why these attacks are applicable on these
schemes and mention our inferences.
1.4.3 New threshold ABS scheme
This thesis also proffers a novel approach to threshold attribute-based signatures.
Our approach is based on ring signature schemes and looks at forming a ring
of aggregated sets of attributes. Using this idea, we provide a threshold ABS
construction based on the efficient ID-based ring signature scheme in [CYH05].
We have shown the security of our scheme in the random oracle model.
1.5 Organization of the Thesis
In Chapter 2, we begin with the formal definitions and fundamental concepts
needed to follow attribute-based encryption and signature schemes. We discuss
some preliminaries and then proceed to the hardness assumptions used in selected
ABE and ABS proofs. We then present the basic ideas on which threshold
attribute-based cryptosystems are built, such as Shamir's secret sharing and the
Waters signature.
Chapter 3 contains the development of attribute-based encryption, signatures
and some applications. It is a survey of the literature related to our problems.
We devote specific sections to CP-ABE schemes with efficient ciphertext size and
show how each of them compares with respect to key and ciphertext sizes. We also
discuss threshold ABS schemes at length and introduce our interest in working in
this area.
In Chapter 4, we present the details of a multi-level threshold CP-ABE scheme
and give our approach to solving the problem. We start by providing the exact model
of the access structure that we intend to support and then give the algorithms
for encryption and decryption. We also illustrate our scheme with the help of an
example.
Chapter 5 looks at the security of some attribute-based signature schemes. We
take the particular case of the efficient threshold ABS scheme proposed by Li et
al. in [LAS+10] and show that an adversary can not only create forgeries but
also obtain a part of the secret component, which can be used to impersonate the
key-generating authority. We also look at other ABS schemes which incorporate
a similar mechanism for key generation and demonstrate the attacks on each of
them. We conclude the chapter with our observations on the vulnerabilities of
these schemes.
In Chapter 6, we propose a new threshold ABS scheme based on the concept
of ring signatures. We explain how we carry the spirit of ring signatures over to the
threshold ABS problem and then follow it with the construction of the scheme.
Then we prove our scheme to be unforgeable in the random oracle model. We
also mention an interesting new property, controlled partial anonymity, that arises
out of our approach.
In Chapter 7, we present our conclusions and potential directions for future
work. We also summarize the problems we discuss and the solutions that this
thesis has to offer, along with their relevance in the current computing world.
CHAPTER 2
Preliminaries
2.1 Bilinear Pairing
Let $G_1$, $G_2$, $G_T$ be multiplicative groups of prime order $p$. The elements
$g_1 \in G_1$ and $g_2 \in G_2$ are generators of $G_1$ and $G_2$ respectively. A
bilinear pairing is a map $e : G_1 \times G_2 \to G_T$ with the following properties:
1. Bilinear: $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$ for all $g_1 \in G_1$, $g_2 \in G_2$,
   where $a, b \in \mathbb{Z}_p$.
2. Non-degenerate: there exist $g_1 \in G_1$ and $g_2 \in G_2$ such that
   $e(g_1, g_2) \neq 1$; in other words, the map does not send all pairs in
   $G_1 \times G_2$ to the identity in $G_T$.
3. Computability: there is an efficient algorithm to compute $e(g_1, g_2)$ for all
   $g_1 \in G_1$ and $g_2 \in G_2$.
2.2 Hardness Assumptions
2.2.1 Computational Diffie-Hellman Assumption
Let $G$ be a cyclic multiplicative group and $g$ be its generator. The computational
Diffie-Hellman (CDH) assumption holds in $G$ if, given $g, g^a, g^b \in G$ for unknown
$a, b \in \mathbb{Z}_p^*$, it is computationally infeasible to compute $g^{ab}$.
We say that the $(t, \epsilon)$-CDH assumption holds in $G$ if no adversary running in
time less than $t$ can solve the CDH problem with success probability greater than
$\epsilon$, where $\epsilon$ is negligible.
2.2.2 Decisional Diffie-Hellman Assumption
Let $G$ be a cyclic multiplicative group and $g$ be its generator. Consider the two
tuples $c_0 = (g, g^a, g^b, g^{ab})$ and $c_1 = (g, g^a, g^b, g^c)$ for random
$a, b, c \in \mathbb{Z}_p^*$. The $(t, \epsilon)$-DDH assumption holds in $G$ if there is
no probabilistic polynomial-time adversary whose probability of successfully
distinguishing between the tuples $c_0$ and $c_1$ is better than
$\tfrac{1}{2} + \epsilon$, where $\epsilon$ is negligible.
2.2.3 Computational Bilinear Diffie-Hellman Assumption
Let $e : G \times G \to G_T$ be an efficiently computable bilinear map, where $G$ has
prime order $p$. The computational bilinear Diffie-Hellman (CBDH) assumption is
said to hold in $G$ if, given the elements $\{P, aP, bP, cP\}$, no probabilistic
polynomial-time adversary can compute $e(P, P)^{abc}$ with non-negligible advantage,
where $a, b, c \in_R \mathbb{Z}_p^*$ and the generator $P \in G$ are chosen independently
and uniformly at random. (Here $G$ is written additively; $aP$ corresponds to
$g^a$ in the multiplicative notation used elsewhere in this chapter.)
2.2.4 Decisional Bilinear Diffie-Hellman Assumption
Let $e : G \times G \to G_T$ be an efficiently computable bilinear map, where $G$ has
prime order $p$. The decisional bilinear Diffie-Hellman (DBDH) assumption is said
to hold in $G$ if no probabilistic polynomial-time adversary is able to distinguish
the tuples
$$c_0 = (g, g^a, g^b, g^c, e(g, g)^{abc}) \quad\text{and}\quad c_1 = (g, g^a, g^b, g^c, e(g, g)^{z})$$
with non-negligible advantage, where $a, b, c, z \in_R \mathbb{Z}_p^*$ and the generator
$g \in G$ are chosen independently and uniformly at random.
2.2.5 Decision Linear Assumption
Let $e : G \times G \to G_T$ be an efficiently computable bilinear map, where $G$ has
prime order $p$ with generator $g$. The decision linear (DLIN) assumption holds in
$G$ if, given the elements $(g^a, g^b, g^{ra}, g^{sb}, g^t)$ of $G$ for a random choice
of $a, b, r, s \in \mathbb{Z}_p$, it is computationally infeasible to determine whether
$t = r + s$ or $t$ is random in $\mathbb{Z}_p$.
2.2.6 Bilinear Diffie-Hellman Exponent Assumption
Let $e : G \times G \to G_T$ be an efficiently computable bilinear map, where $G$ has
prime order $p$ with generator $g$. Let $a, s \in \mathbb{Z}_p$ be chosen at random, and
let $g_i$ denote $g^{a^i}$. The $q$-bilinear Diffie-Hellman exponent ($q$-BDHE)
assumption holds in $G$ if, given the following vector of $2q + 1$ elements,
$$\vec{y} = (g,\ g_1, \ldots, g_q,\ g_{q+2}, \ldots, g_{2q},\ g^s)$$
(note that $g_{q+1}$ is not in the list), it is infeasible for a polynomial-time
adversary to compute $e(g, g)^{a^{q+1} s}$.
2.2.7 Augmented Multi-sequence of Exponents Diffie-Hellman Problem
We present this problem as defined by Herranz et al. [HLR10]. Let $G_1$, $G_2$, $G_T$
be multiplicative groups of prime order $p$, and let $e : G_1 \times G_2 \to G_T$ be a
non-degenerate and efficiently computable bilinear map. Let $g_1$ be a generator of
$G_1$ and $g_2$ be a generator of $G_2$. Let $\tilde l, \tilde m, \tilde t$ be three
integers. The $(\tilde l, \tilde m, \tilde t)$-augmented multi-sequence of exponents
decisional Diffie-Hellman problem ($(\tilde l, \tilde m, \tilde t)$-aMSE-DDH) related
to the group triplet $(G_1, G_2, G_T)$ is as follows.
Input: the vector $\vec{x}_{\tilde l + \tilde m} = (x_1, \ldots, x_{\tilde l + \tilde m})$
whose components are pairwise distinct elements of $(\mathbb{Z}/p\mathbb{Z})^*$ and which
define the polynomials
$$f(X) = \prod_{i=1}^{\tilde l} (X + x_i) \quad\text{and}\quad g(X) = \prod_{i=\tilde l + 1}^{\tilde l + \tilde m} (X + x_i),$$
the values
$$g_1,\ g_1^{\gamma},\ \ldots,\ g_1^{\gamma^{\tilde l + \tilde t - 2}},\ g_1^{\kappa \gamma f(\gamma)} \qquad (2.1)$$
$$g_1^{\omega},\ g_1^{\omega\gamma},\ \ldots,\ g_1^{\omega\gamma^{\tilde l + \tilde t - 2}} \qquad (2.2)$$
$$g_1^{\alpha},\ g_1^{\alpha\gamma},\ \ldots,\ g_1^{\alpha\gamma^{\tilde l + \tilde t}} \qquad (2.3)$$
$$g_2,\ g_2^{\gamma},\ \ldots,\ g_2^{\gamma^{\tilde m - 2}},\ g_2^{\kappa g(\gamma)} \qquad (2.4)$$
$$g_2^{\omega},\ g_2^{\omega\gamma},\ \ldots,\ g_2^{\omega\gamma^{\tilde m - 1}} \qquad (2.5)$$
$$g_2^{\alpha},\ g_2^{\alpha\gamma},\ \ldots,\ g_2^{\alpha\gamma^{2\tilde m - 2\tilde t + 3}} \qquad (2.6)$$
where $\kappa, \alpha, \gamma, \omega$ are unknown random elements of
$(\mathbb{Z}/p\mathbb{Z})^*$, and finally an element $T \in_R G_T$ (chosen uniformly at
random).
Output: a bit $b$.
The problem is correctly solved if the output is $b = 1$ when
$T = e(g_1, g_2)^{\kappa f(\gamma)}$, or if the output is $b = 0$ when $T$ is a random
value from $G_T$. In other words, the goal is to distinguish whether $T$ is a random
value or is equal to $e(g_1, g_2)^{\kappa f(\gamma)}$.
The aMSE-DDH assumption holds if there is no probabilistic polynomial-time
adversary who can distinguish between a $T$ chosen randomly from $G_T$ and
$e(g_1, g_2)^{\kappa f(\gamma)}$ with non-negligible probability.
2.3 Secret Sharing
2.3.1 Linear secret sharing schemes
Attribute-based cryptosystems make substantial use of LSSS (linear secret sharing
schemes). We borrow the following definition from Waters' work in [Wat08].
A secret-sharing scheme $\Pi$ over a set of parties $\mathcal{P}$ is called linear (over
$\mathbb{Z}_p$) if
1. the shares for each party form a vector over $\mathbb{Z}_p$;
2. there exists a matrix $M$ with $l$ rows and $n$ columns called the
   share-generating matrix for $\Pi$. For all $i = 1, \ldots, l$, the $i$-th row of
   $M$ is labelled by a party; we let the function $\rho$ define this labelling, so
   that row $i$ is labelled by the party $\rho(i)$. When we consider the column
   vector $v = (s, r_2, \ldots, r_n)$, where $s \in \mathbb{Z}_p$ is the secret to be
   shared and $r_2, \ldots, r_n \in \mathbb{Z}_p$ are randomly chosen, then $Mv$ is
   the vector of $l$ shares of the secret $s$ according to $\Pi$. The share $(Mv)_i$
   belongs to party $\rho(i)$.
It is further shown that every linear secret-sharing scheme according to the
above definition also enjoys the linear reconstruction property, defined as follows.
Suppose that $\Pi$ is an LSSS for the access structure $\mathbb{A}$. Let $S \in \mathbb{A}$
be any authorized set, and let $I \subseteq \{1, 2, \ldots, l\}$ be defined as
$I = \{i : \rho(i) \in S\}$. Then there exist constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$
such that, if $\{\lambda_i\}$ are valid shares of any secret $s$ according to $\Pi$,
then $\sum_{i \in I} \omega_i \lambda_i = s$. Furthermore, these constants $\{\omega_i\}$
can be found in time polynomial in the size of the share-generating matrix $M$.
2.3.2 Shamir's secret sharing scheme
Shamir's secret sharing scheme is a linear secret sharing scheme. Since this thesis
discusses threshold attribute-based cryptosystems and our ABE construction also
makes use of this idea, we give a brief presentation of the scheme here.
Shamir's secret sharing is a form of secret sharing where a secret $S$ is divided
into $n$ parts and each part is given to one of the participants. The idea is that
only if all (or $t$, in the threshold case) participants combine their shares
meaningfully will they be able to reconstruct the original secret. It is important
to note here that if fewer than $n$ (or $t$, in the threshold case) participants
cooperate, they must not be able to retrieve the secret.
Let us look at the case where we want to use a $(t, n)$ threshold to share the secret
$S$. Without loss of generality we can assume $S$ to be an element of a finite field
$F$. We know that it takes $t$ points to define a polynomial of degree $t - 1$. Shamir's
secret sharing uses this idea to give the shares. We can now look at the scheme
as an algorithm:
Algorithm 1 Shamir's secret sharing
1: Choose $t - 1$ coefficients $a_1, \ldots, a_{t-1} \in_R F$
2: Set $a_0 = S$
3: Construct the polynomial $f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1}$
4: Sharing: evaluate the polynomial at $n$ distinct non-zero points (the point $0$
   must never be used, since $f(0) = S$)
5: Set each party's share as $(i, f(i))$
6: Reconstruction: get the shares of $t$ or more parties
7: Use Lagrange interpolation (Section 2.3.3) to evaluate $f(0)$ and obtain $S$
We note here that with fewer than $t$ shares the polynomial is not determined at
all: for every candidate value of $S$ there is exactly one polynomial of degree at
most $t - 1$ that agrees with the known shares and takes that value at $0$. Hence,
by combining the shares of fewer than $t$ parties, no one learns anything about the
secret $S$. But when $t$ or more of the $n$ parties combine their shares, we obtain
$S$ exactly.
2.3.3 Lagrange interpolation
Let $q(x)$ be a polynomial of degree $d - 1$ with each of its coefficients an element
of $\mathbb{Z}_p$. Then, given any set $S \subseteq \mathbb{Z}_p$ of $d$ points and the
evaluations of the polynomial at these points, $q(i)$ for $i \in S$, we can use
Lagrange interpolation to compute $q(j)$ for any $j \in \mathbb{Z}_p$. We define the
Lagrange coefficient $\Delta_{i,S}$ of $q(i)$ in the computation of $q(j)$, for
$j \in \mathbb{Z}_p$ and a set $S$ of elements of $\mathbb{Z}_p$, as
$$\Delta_{i,S}(j) = \prod_{k \in S,\, k \neq i} \frac{j - k}{i - k}.$$
Thus
$$q(j) = \sum_{i \in S} q(i)\, \Delta_{i,S}(j).$$
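The following Python is an added worked example (it is not code from the thesis or from [Wat08]) that covers Algorithm 1 together with the Lagrange reconstruction above, and the LSSS view of Section 2.3.1: Shamir's scheme is the share-generating matrix $M$ whose row $i$ is $(1, i, i^2, \ldots, i^{t-1})$, with $\rho$ mapping row $i$ to party $i$. The reconstruction constants $\omega_i$ are recovered by solving $\omega M_I = (1, 0, \ldots, 0)$ over $\mathbb{Z}_p$ by Gaussian elimination, and the code checks that they coincide with the Lagrange coefficients $\Delta_{i,S}(0)$. The prime, the sample secret and the party ids are constructed values, and the code refuses to interpolate from fewer than $t$ shares rather than return a meaningless value.

```python
"""Shamir (t, n) secret sharing with Lagrange reconstruction (Sections 2.3.2-2.3.3),
and the same scheme seen as an LSSS with share-generating matrix M and
reconstruction constants omega_i (Section 2.3.1).

Added example, not code from the thesis.  All arithmetic is in Z_p for a
constructed toy prime p; secret and party ids in demo() are constructed samples.
"""
import secrets

P = (1 << 61) - 1            # constructed toy prime modulus (assumption)


def inv(x):
    return pow(x, -1, P)     # modular inverse, Python >= 3.8


def lagrange_coeff(i, S, j=0):
    """Delta_{i,S}(j) = prod_{k in S, k != i} (j - k) / (i - k) over Z_p."""
    num = den = 1
    for k in S:
        if k != i:
            num = num * (j - k) % P
            den = den * (i - k) % P
    return num * inv(den) % P


def share(secret, t, n):
    """Algorithm 1, lines 1-5: f(x) = S + a_1 x + ... + a_{t-1} x^{t-1} with
    random a_k; party i (1 <= i <= n, never 0) receives the share (i, f(i))."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    f = lambda x: sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
    return [(i, f(i)) for i in range(1, n + 1)]


def reconstruct(shares, t):
    """Algorithm 1, lines 6-7: interpolate f(0) from any t shares.  Fewer than
    t shares leave f(0) completely undetermined, so refuse instead of guessing."""
    if len(shares) < t:
        raise ValueError("need at least t shares")
    pts = shares[:t]
    S = [i for i, _ in pts]
    return sum(y * lagrange_coeff(i, S) for i, y in pts) % P


# --- Shamir as an LSSS: M is the n x t Vandermonde matrix, rho(row i) = party i+1

def share_matrix(t, n):
    return [[pow(i, k, P) for k in range(t)] for i in range(1, n + 1)]


def lsss_shares(M, v):
    """The share vector Mv for the column vector v = (s, r_2, ..., r_t)."""
    return [sum(a * b for a, b in zip(row, v)) % P for row in M]


def reconstruction_constants(M, I):
    """Solve omega * M_I = (1, 0, ..., 0) for the t rows in I by Gaussian
    elimination over Z_p, so that sum_{i in I} omega_i * (Mv)_i = s for all v."""
    t = len(M[0])
    if len(I) != t:
        raise ValueError("this threshold LSSS needs exactly t rows")
    # Augmented system: row k is  sum_idx M[I[idx]][k] * omega_idx = e_1[k].
    A = [[M[i][k] for i in I] + [1 if k == 0 else 0] for k in range(t)]
    for col in range(t):
        piv = next(r for r in range(col, t) if A[r][col] % P)   # non-zero pivot
        A[col], A[piv] = A[piv], A[col]
        f = inv(A[col][col])
        A[col] = [x * f % P for x in A[col]]
        for r in range(t):
            if r != col and A[r][col]:
                g = A[r][col]
                A[r] = [(x - g * y) % P for x, y in zip(A[r], A[col])]
    return {i: A[idx][t] for idx, i in enumerate(I)}


def demo(secret=123456789, t=3, n=5):
    """Share, reconstruct with t shares, and check that the LSSS view agrees.
    Returns (secret via Lagrange, secret via omega, omega == Lagrange coeffs)."""
    shares = share(secret, t, n)
    from_shamir = reconstruct(shares[1:], t)          # any t of the n shares
    M = share_matrix(t, n)
    v = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    lam = lsss_shares(M, v)
    I = list(range(n - t, n))                         # rows of the last t parties
    omega = reconstruction_constants(M, I)
    from_lsss = sum(omega[i] * lam[i] for i in I) % P
    S = [i + 1 for i in I]                            # rho(i) = i + 1
    same = all(omega[i] == lagrange_coeff(i + 1, S) for i in I)
    return from_shamir, from_lsss, same
```

For a threshold policy the solved constants are exactly $\Delta_{i,S}(0)$; the elimination routine is the general procedure the linear reconstruction property promises, so the same code works for any invertible $M_I$ of a threshold LSSS, not only the Vandermonde one.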
2.4 Primitives for Attribute-based Encryption and Signatures
2.4.1 CP-ABE scheme algorithms
Setup. A randomized algorithm Setup(k) takes as input a security parameter k and
outputs a set of public parameters PK and the master key values MK.
Encryption. The algorithm Enc(M, T, PK) is a randomized algorithm that takes as
input the message M to be encrypted, the access structure T which needs to be
satisfied and the public parameters PK, and outputs the ciphertext CT. We can say
that the encryption algorithm embeds the access structure in the ciphertext such
that only those users with attributes satisfying T will be able to decrypt and
retrieve the message M.
Key-Generation. The KeyGen(MK, PK, A) algorithm takes as input the master key
values MK, the public parameters PK and the attribute set A of the user, and
outputs for the user a set of decryption keys SK which confirms the user's
possession of all the attributes in A and of no other attribute.
Decryption. The decryption algorithm Dec(CT, SK, PK) takes as input the
ciphertext CT, the user's secret keys SK and the public parameters PK, and outputs
the encrypted message M if and only if the attributes A embedded in SK satisfy the
access structure T which was used while encrypting the ciphertext CT; i.e. if
T(A) = 1 then the message M is output, else it outputs ⊥.
2.4.2 ABS algorithms
Setup. A randomized algorithm Setup(k) takes as input a security parameter k and
outputs a set of public parameters params and the master secret key values MK.
Key-Generation. The Key-Gen algorithm is a randomized algorithm that takes as
input the attribute set of the user, the master secret key MK and the public
parameters params. It outputs a set of secret keys D corresponding to the
attributes of the user; D indicates that the user has all the attributes in that
set. This phase is sometimes also known as the key-extraction phase.
Sign. The signing algorithm takes as input the message m, the signing policy
(predicate) and the secret key D of the signer. It outputs a signature σ on the
message m, which indicates that the signer has a set of attributes that satisfies
the predicate.
Verify. The verification algorithm takes as input the signature σ, the predicate,
the public parameters params and the message m. The verification test passes if
and only if the subset of attributes of the signer embedded in σ satisfies the
predicate that was used while signing; i.e. if the predicate evaluates to 1 on
that subset then verification passes, else it outputs ⊥.
2.5 Waters signature
The ABS schemes we discuss in this thesis make extensive use of the Waters
signature [Wat05] for generating keys in the key-extraction phase, one for each of
the user's attributes. Here we take a quick look at the signature scheme. The
following algorithms constitute the scheme.
Setup()
Let $G_1$, $G_2$ and $G_T$ be multiplicative groups of prime order $p$ on which a
bilinear map $e : G_1 \times G_2 \to G_T$ is efficiently computable, and let
$n = |m|$ be the length of the message.
Pick $g \in_R G_1$ and $g_2, u', u_1, u_2, \ldots, u_n \in_R G_2$.
Set $g_1 = g^{\alpha}$ where $\alpha \in_R \mathbb{Z}_p^*$.
The public parameters params are $g, g_1, g_2, u', \{u_i\}_{i \in \{1, \ldots, n\}}$,
and the secret key is $SK = \alpha$.
Sign(m, SK)
Let $m = m_1 m_2 \cdots m_n \in \{0, 1\}^n$ and pick $r \in_R \mathbb{Z}_p^*$. Output
$$\sigma_1 = g_2^{\alpha} \Big( u' \prod_{i=1}^{n} u_i^{m_i} \Big)^{r}, \qquad \sigma_2 = g^{r}.$$
Verify(m, σ = (σ_1, σ_2))
Check
$$e(g, \sigma_1) \stackrel{?}{=} e(g_1, g_2) \cdot e\Big(\sigma_2,\ u' \prod_{i=1}^{n} u_i^{m_i}\Big).$$
Note here that in order for the verification to pass it is necessary for
$g_2^{\alpha}$ to be a factor of $\sigma_1$. That ensures the use of the secret key
$\alpha$.
Modification. The above scheme is proved secure in the standard model. A
modified, simpler version of it is used in most of the ABS schemes, where the
message-dependent term $u' \prod_{i=1}^{n} u_i^{m_i}$ is replaced by a simple hash
$H(m)$ and the rest of the procedure remains the same. This modified scheme is
proved secure in the random oracle model. We now look at the changes to the
scheme and give an intuition for the proof. As in the proof sketch below, all
group elements are taken from a single group $G$ of prime order $p$ with a
symmetric pairing $e : G \times G \to G_T$.
Setup() It remains the same, except that a hash function is defined and the $u_i$
components are not chosen.
A hash function $H : \{0, 1\}^* \to G$.
The public parameters params are $H$ and $g, g_1 = g^{\alpha}, g_2 \in G$; the
secret key is $SK = \alpha$.
Sign(m, SK)
$$\sigma_1 = g_2^{\alpha} H(m)^{r}, \qquad \sigma_2 = g^{r}.$$
Verify(m, σ = (σ_1, σ_2))
Check
$$e(g, \sigma_1) \stackrel{?}{=} e(g_1, g_2) \cdot e(\sigma_2, H(m)).$$
Proof Sketch. The proof is given in the random oracle model. The security of
this signature is reduced to the CDH problem: given the tuple $g$, $A = g^a$ and
$B = g^b$, we obtain $g^{ab}$ using an attacker who can break the above signature
scheme.
First we implicitly set $\alpha = a$ and $g_2 = g^b$, hence $g_1 = A$ and $g_2 = B$.
Now, in order to give a signature on a message $m$, we set
$H(m) = g^{b x_m} = B^{x_m}$ where $x_m \in_R \mathbb{Z}_p^*$, pick a random $r$, and
consider the value $r' = r - a/x_m$ (which we never need to compute explicitly).
Then we give the signature as
$$\sigma_1 = g^{r b x_m} = B^{r x_m}, \qquad \sigma_2 = g^{r} A^{-1/x_m}.$$
To see that this is the same as what a genuine signer would give using the
randomness $r'$:
$$\sigma_1 = g_2^{a} H(m)^{r'} = g^{ab} \big(g^{b x_m}\big)^{r - a/x_m} = g^{ab} g^{r b x_m - ab} = g^{r b x_m},$$
$$\sigma_2 = g^{r'} = g^{r - a/x_m} = g^{r} g^{-a/x_m} = g^{r} A^{-1/x_m}.$$
Now we see how it is possible for the challenger to solve CDH with the components
given by the forger. For one chosen message $m^*$ (the challenger guesses which of
the adversary's hash queries will be the target of the forgery), the challenger
outputs as the hash just $H(m^*) = g^{x_{m^*}}$. If the adversary asks for a
signature on that message $m^*$ then the challenger aborts. But if the adversary
outputs a forged signature on the message $m^*$,
$$\sigma_1^* = g^{ab} H(m^*)^{r^*}, \qquad \sigma_2^* = g^{r^*},$$
then the challenger computes
$$\frac{\sigma_1^*}{(\sigma_2^*)^{x_{m^*}}} = \frac{g^{ab} H(m^*)^{r^*}}{(g^{r^*})^{x_{m^*}}} = \frac{g^{ab} g^{r^* x_{m^*}}}{g^{r^* x_{m^*}}} = g^{ab}.$$
This allows the challenger to solve the CDH problem with the help of a forger
on this scheme.
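As an added illustration of the modified scheme in Section 2.5 and of the reduction just sketched (this is not code from the thesis or from [Wat05]), the following Python carries the algebra in the exponent: since every element of a prime-order cyclic group is $g^x$ for a unique $x$, and $e(g^x, g^y) = e(g, g)^{xy}$, each group element is stored as its discrete logarithm and the pairing becomes multiplication modulo $p$. This is a consistency check of the verification equation, of the simulator's signatures and of the $g^{ab}$ extraction, not a usable signature scheme: real parties never see these exponents. The modulus, the message strings and the programmable hash table are constructed assumptions.

```python
"""Exponent-model check of the hash-based Waters signature and its CDH reduction.

Added example, not code from the thesis or from [Wat05].  An element of G is
stored as its discrete log x (meaning g^x); an element of G_T as the exponent y
(meaning e(g, g)^y).  Then e(g^x, g^y) = e(g, g)^{xy} is just x * y mod P.
P is a constructed toy prime, not a pairing-group order.
"""
import secrets

P = (1 << 127) - 1                 # constructed toy prime (assumption)


def rand_zp_star():
    """Uniform element of Z_p^* (never 0)."""
    return 1 + secrets.randbelow(P - 1)


def inv(x):
    return pow(x, -1, P)           # modular inverse, Python >= 3.8


class RandomOracle:
    """H : {0,1}^* -> G as a lazily sampled table; H(m) = g^{table[m]}.
    The reduction programs entries of this table (assumed programmable RO)."""

    def __init__(self):
        self.table = {}

    def __call__(self, m):
        if m not in self.table:
            self.table[m] = rand_zp_star()
        return self.table[m]


# --- the modified Waters scheme (Section 2.5) ------------------------------------

def setup():
    """params = {g1 = g^alpha, g2}; SK = alpha.  The generator g is exponent 1."""
    alpha, beta = rand_zp_star(), rand_zp_star()
    return {"g1": alpha, "g2": beta}, alpha


def sign(m, alpha, params, H):
    r = rand_zp_star()
    sigma1 = (alpha * params["g2"] + r * H(m)) % P       # g2^alpha * H(m)^r
    sigma2 = r                                            # g^r
    return sigma1, sigma2


def verify(m, sig, params, H):
    sigma1, sigma2 = sig
    lhs = sigma1 % P                                      # e(g, sigma1)
    rhs = (params["g1"] * params["g2"] + sigma2 * H(m)) % P   # e(g1,g2) e(sigma2,H(m))
    return lhs == rhs


# --- the reduction to CDH (proof sketch) ----------------------------------------

def simulate_sign(m, a, b, x_m, H):
    """Answer a signing query on m without knowing alpha = a.
    Programs H(m) = B^{x_m} = g^{b x_m}; with r' = r - a/x_m the pair
    (B^{r x_m}, g^r A^{-1/x_m}) equals (g2^a H(m)^{r'}, g^{r'}).
    a and b are used only as the exponents of A = g^a and B = g^b."""
    H.table[m] = (b * x_m) % P
    r = rand_zp_star()
    sigma1 = (r * b * x_m) % P                            # B^{r x_m}
    sigma2 = (r - a * inv(x_m)) % P                       # g^r * A^{-1/x_m}
    return sigma1, sigma2


def extract_cdh(forgery, x_mstar):
    """sigma1* / (sigma2*)^{x_m*} = g^{ab} H(m*)^{r*} / g^{r* x_m*} = g^{ab}."""
    sigma1, sigma2 = forgery
    return (sigma1 - x_mstar * sigma2) % P


def reduction_demo():
    """Run the argument once.  Returns (simulated signature verifies,
    extracted exponent equals a*b, i.e. the element g^{ab})."""
    a, b = rand_zp_star(), rand_zp_star()                 # CDH instance (g, A, B)
    params = {"g1": a, "g2": b}                           # g1 = A, g2 = B
    H = RandomOracle()
    sim_sig = simulate_sign("query-message", a, b, rand_zp_star(), H)
    sim_ok = verify("query-message", sim_sig, params, H)
    x_star = rand_zp_star()
    H.table["target-message"] = x_star                    # H(m*) = g^{x_m*}
    # A forger holding the real key alpha = a would produce this signature on m*.
    forgery = sign("target-message", a, params, H)
    return sim_ok, extract_cdh(forgery, x_star) == (a * b) % P


def honest_demo():
    """Setup, Sign and Verify in the model.  Returns (valid signature accepted,
    the same signature rejected for a different message)."""
    params, alpha = setup()
    H = RandomOracle()
    sig = sign("m", alpha, params, H)
    return verify("m", sig, params, H), not verify("other", sig, params, H)
```

The two simulator branches mirror the sketch exactly: hash queries the challenger intends to answer with a signature get $H(m) = B^{x_m}$, the one guessed forgery target gets $H(m^*) = g^{x_{m^*}}$, and only the latter lets `extract_cdh` cancel the $r^*$ term.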
2.6 Forking Lemma
We make use of the forking lemma to prove the unforgeability of the threshold
attribute-based signature that we propose in Chapter 6. Here we first present the
conditions that are necessary for a ring signature to be considered generic and
then state the forking lemma for generic ring signatures. The definitions are
borrowed from those given by Herranz et al. in [HS04].
Generic Ring Signature. We denote by $H(\cdot)$ a cryptographic hash function
that outputs $k$ bits, where $k$ is the security parameter. Consider a ring of $n$
members. Given an input message $m$, a generic ring signature scheme produces a
tuple $(m, R_1, \ldots, R_n, h_1, \ldots, h_n, \sigma)$, where $R_1, \ldots, R_n$ (the
randomness) take their values randomly in a large set $\mathcal{G}$ in such a way that
$R_i \neq R_j$ for all $i \neq j$, $h_i$ is the hash value of $(m, R_i)$ for
$1 \le i \le n$, and the value $\sigma$ is fully determined by $R_1, \ldots, R_n$,
$h_1, \ldots, h_n$ and the message $m$.
Another required condition is that no $R_i$ can appear with probability greater
than $2/2^k$, where $k$ is the security parameter. This condition can be achieved by
choosing the set $\mathcal{G}$ as large as necessary.
Forking lemma. The forking lemma for adaptive chosen-message attacks with
respect to generic ring signature schemes, as given in [HS04], is as follows. Let
$\mathcal{A}$ be a probabilistic polynomial-time Turing machine whose input consists
only of public data. We denote by $q_h$ and $q_s$ the number of queries that
$\mathcal{A}$ can ask of the random oracle and of some real signers of the ring,
respectively. Assume that, within time bound $T$, $\mathcal{A}$ produces with
non-negligible probability $\epsilon$ a valid ring signature
$(m, R_1, R_2, \ldots, R_n, h_1, \ldots, h_n, \sigma)$. Suppose the valid ring
signature can be simulated with a polynomially indistinguishable distribution of
probability, without knowing any of the secret keys of the ring, within a time
bound $T_s$. Then there exists another probabilistic polynomial-time Turing machine
which can, by a replay of the attacker $\mathcal{A}$ where the interactions with the
signer are simulated, produce two valid ring signatures
$(m, R_1, R_2, \ldots, R_n, h_1, \ldots, h_n, \sigma)$ and
$(m, R_1, R_2, \ldots, R_n, h'_1, \ldots, h'_n, \sigma')$ such that $h_j \neq h'_j$
for some $j \in \{1, \ldots, n\}$ and $h_i = h'_i$ for all $i = 1, \ldots, n$ with
$i \neq j$, within bounded time and with non-negligible probability.
CHAPTER 3
Existing Threshold Attribute-based Cryptosystems
In this chapter we briefly review the emergence of attribute-based cryptosystems
and the problems they address. We survey the existing literature on
attribute-based encryption and signature schemes, with particular focus on those
constructions that support threshold predicates. This chapter also pays specific
attention to ciphertext-policy ABE schemes and motivates our study of
constructions that are efficient in terms of ciphertext length. We also remark on
some of the similarities between threshold ABS and ABE constructions.
3.1 Inception of Attribute Based Encryption
The notion of attribute-based encryption was first introduced by Sahai and
Waters [SW05] in their work titled Fuzzy Identity-based Encryption. They viewed
identities as sets of attributes and extended identity-based encryption by making
it more fine-grained. Their construction allows attributes to be defined by
arbitrary strings. In order to generate the key for each identity and distribute it
over the attributes, their scheme uses the idea of Shamir's secret sharing. The
scheme is proved secure in the selective-ID model by a reduction to the Decisional
Bilinear Diffie-Hellman assumption. They also pose the problem of whether
attributes can be certified by multiple authorities, i.e. different attributes
given by different authorities instead of one single attribute authority.
KP-ABE. The concept of ABE became more formal with the work of Goyal et
al. [GPSW06]. They established the first key-policy attribute-based encryption.
Although their concept is reminiscent of secret sharing schemes, they were the
first to define the idea of collusion resistance, which disallows parties from
cooperating in order to decrypt a ciphertext. They also use the tree access
structure to represent the policy that allows a user to decrypt the message. Their
scheme highlights the fine-grained access control that ABE schemes can provide.
They use the concepts of LSSS and monotone span programs to develop the scheme.
As in [SW05], their scheme is also proved secure by reduction to DBDH in the
selective-ID model. The authors suggest the applicability of their scheme to the
encryption of audit logs and to broadcast encryption. They leave as an open
problem the task of creating a scheme that provides better anonymity, i.e. an
encryption scheme that does not require one to reveal precisely all the attributes
required of the decryptor.
CP-ABE. CP-ABE, which came next, addressed the issue of anonymity to some
extent and gave a different kind of expressibility to attribute-based systems. The
first ciphertext-policy ABE scheme was developed by Bethencourt et al. [BSW07].
Their definition of the tree access structure and the secret sharing concept was
largely borrowed from [GPSW06]. However, CP-ABE was a more intuitive
representation of ABE. The scheme in [BSW07] also supported threshold gates at
every node of the tree. With CP-ABE there was now better scope for providing
stronger anonymity to decryptors: since only the access structure is made public
and the attributes a user holds need not be revealed to others, it gives a greater
sense of privacy to the decryptor. However, the major drawback of this scheme is
that it is proved secure only in the generic group model and does not reduce to
any of the known hardness assumptions. The authors felt that a challenging line of
work would be to come up with a provably secure system (possibly different from
CP-ABE and KP-ABE) that could have more elegant forms of expression.
CCA secure. This was soon followed by Cheung and Newport [CN07] proposing a
provably secure CP-ABE scheme. In order to give a secure scheme, they considered
only those access structures with AND gates. However, their scheme added support
for negated attributes; in the words of the authors, their construction was for
access structures with AND gates on positive and negative attributes. They were
able to prove chosen-plaintext (CPA) security by reducing it to the DBDH problem.
Further, they use the Canetti-Halevi-Katz technique to convert their scheme into a
chosen-ciphertext (CCA) secure scheme. Their work also shows possible directions
for extending the idea to threshold ABE and to the construction of hierarchical
attributes.
Non-monotone. Soon after that, Ostrovsky et al. [OSW07] proposed a KP-ABE
scheme that could support non-monotone access structures. In the previous
schemes, if an encryptor wanted to specify the negation of an attribute in the
predicate, then (s)he had to have both the attribute and its negation for all
attributes in the universal set. Ostrovsky et al.'s scheme gave a more elegant
construction to overcome that problem. They were able to give more expressiveness
to their predicates by employing revocation methods in their ABE scheme. They
also sketch how to obtain the same property in a CP-ABE construction. The
authors prove their scheme secure by reducing it to the DBDH problem, and give a
lead on how the idea can be used to realize any access formula.
Recipient-anonymous. The open problem of designing a more privacy-friendly
ABE, posed by [GPSW06], was addressed by Nishide et al. [NYO09]. They presented
ABE schemes that partially hide the access structure. This was, in a sense, the
first attempt to give privacy not only to the decryptor but also to the predicate
used in creating the ciphertext. Since it was the first step towards recipient
anonymity, their scheme employed only the AND-gate access structure. The schemes
are proved secure under the DBDH and DLIN assumptions. They also discuss how
attributes can be added to the universe (which is usually fixed during the setup
phase) after secret keys are generated.
3.2 CP-ABE Schemes with Efficient Ciphertext Size
With attribute-based schemes gaining significance and relevance in various modern
decentralized environments, the foremost challenge was to make them more
efficient in order to reduce communication costs. This led the research community
to focus on schemes that were more size-conserving. Almost all the initial schemes
had the number of key and ciphertext components proportional to the number of
attributes. In most practical large-scale applications, where the universe of
attributes can be very large, the previous ABE schemes would result in a huge set
of keys for each user and an immensely long ciphertext. It is at this point that
CP-ABE schemes with efficient ciphertext size gained importance.
Efficient. The pioneering steps towards efficient CP-ABE were taken by Waters
in [Wat08]. The scheme proposed in that work was more efficient than all previous
schemes both in terms of the size of the components (key and ciphertext) and in
running time. Waters gave the construction of a CP-ABE scheme that uses an LSSS
to express access control, and it was proved secure in the standard model. In the
same paper, the author provides two additional constructions which make a small
compromise on performance but are proved secure under the decisional bilinear
Diffie-Hellman exponent assumption and the DBDH assumption. To see the
improvement that the scheme offered empirically, let us denote the number of
attributes in the universe by $n_U$, the number of attributes possessed by the
user (recipient) by $n_r$, and the number used by the sender in the access
structure during encryption by $n_s$. Then Waters' scheme gives $n_U + n_r$ secret
key components and $n_U \cdot n_s$ ciphertext components. In comparison with the
other schemes, this reduced the number of components by at least half.
Constant-size AND. Taking efficiency as the new challenge, Emura et al.
[EMN+09] gave the first CP-ABE scheme with constant-size ciphertext. Their
construction uses the idea of summing up the master keys in order to get a
constant-size ciphertext, and hence their scheme supports only AND-gate predicate
structures. However, their scheme allows multi-valued attributes as part of the
universe of attributes. Their work was proved secure by reduction to the DBDH
assumption. Although this scheme has a large number of public and master secret
key components, comparable to previous schemes like [NYO09], the number of user
secret key components is just two and the number of ciphertext components is just
three. In effect, their work was a tremendous improvement in terms of ciphertext
size, secret key size and the running time of the encryption and decryption
algorithms. More importantly, it was the first ABE construction with a ciphertext
size independent of the number of attributes.
Constant-size non-monotone. Building on that, Zhou and Huang [ZH10] proposed
another constant-size CP-ABE scheme. Their scheme also supports multi-valued
attributes with wildcards. In addition, they were able to incorporate non-monotone
access structures and have both positive and negative attributes in their
construction. However, as with [EMN+09], they could only account for AND gates in
the predicate. The primary focus of their scheme was to enable attribute-based
broadcast encryption, and they modified their construction to also create a scheme
for broadcast encryption. The secret key size in their scheme is proportional to
the number of attributes involved, but the ciphertext is limited to three
components, excluding the access structure that is also passed to the receiver.
Their scheme was proved secure by reduction to the q-BDHE assumption. They also
show that their broadcast encryption scheme reduces the storage overhead to a
value proportional to the number of users and independent of the number of
attributes.
Constant-size threshold. Meanwhile, the task of coming up with a constant-size
CP-ABE scheme supporting more complex access structures (other than AND gates)
was accomplished by Herranz et al. [HLR10]. They proposed an elegant constant-size
ciphertext CP-ABE that supports threshold access policies. Since it is a threshold
scheme, it can also represent AND and OR gates. The work in [HLR10] makes use of
a novel aggregate function proposed originally by Delerablée and Pointcheval
[DP08]. The aggregate function acts similarly to the summing of keys in Emura et
al.'s work [EMN+09]. When it comes to size efficiency, as in [ZH10], the size of
the secret key is proportional to the number of attributes but the ciphertext
consists of just three components. Their scheme was proved secure by reduction to
the aMSE-DDH (augmented multi-sequence of exponents Diffie-Hellman) assumption.
One shortcoming of this scheme is that it supports only a single threshold gate,
and there does not seem to be an easy way to extend it to multi-level threshold
access structures.
Comparison. Table 3.1 compares the key and ciphertext sizes in the papers
discussed. It is a modified extension of the table given in [EMN+09].

Paper      PK                                           SK                   Ciphertext
[SW05]     $n|G_1| + |G_T|$                              $n_u|G_1|$            $n_T|G_1| + |G_T|$
[GPSW06]   $n|G_1| + |G_T|$                              $n_u|G_1|$            $n_T|G_1| + |G_T|$
[CN07]     $(3n + 1)|G_1| + |G_T|$                       $(2n + 1)|G_1|$       $(n + 1)|G_1| + |G_T|$
[BSW07]    $3|G_1| + |G_T|$                              $(2n + 1)|G_1|$       $(2n_u + 1)|G_1| + |G_T|$
[NYO09]    $(2N + 1)|G_1| + |G_T|$                       $(3n + 1)|G_1|$       $(2N + 1)|G_1| + |G_T|$
[Wat08]    $2|G_1| + |G_T|$                              $(1 + n + n_u)|G_1|$  $(1 + n\,n_T)|G_1| + |G_T|$
[EMN+09]   $(2N + 3)|G_1| + |G_T|$                       $2|G_1|$              $2|G_1| + |G_T|$
[ZH10]     $(6n + 1)|G_1|$                               $(3n_u + 1)|G_1|$     $2|G_1| + |G_T|$
[HLR10]    $(n - 1)|\mathbb{Z}_p| + (2n + 1)|G_1| + |G_T|$  $(n + n_u)|G_1|$      $|G_1| + |G_2| + |G_T|$

Table 3.1: Comparison of PK, SK and ciphertext sizes

Here $n$ denotes the total number of attributes in the universe; $n_u$ denotes the
number of attributes possessed by the user; $n_T$ denotes the number of attributes
in the access structure; and $N = \sum_{i=1}^{n} n_i$, which, as in [EMN+09], counts
the possible subsets of attributes. $G_1$, $G_2$ and $G_T$ form a triple of groups
on which the bilinear map is efficiently computable.
Our work. In our work, we try to extend the work of Herranz et al. [HLR10] and
combine it with [BSW07] to support richer access policies. The first part of this
thesis presents a CP-ABE scheme that can support multi-level threshold access
structures. Although the scheme does not result in a constant-size ciphertext, it
generates a ciphertext whose length is independent of the number of attributes in
the universe. In fact it depends on the size of the predicate and, more precisely,
on the number of leaf nodes in the tree structure of the access policy.
3.3 Development of Attribute Based Signatures
Work on attribute-based signature schemes began only after ABE schemes became
more prominent. Attribute-based signatures, like the encryption schemes, have a
natural property of anonymity which can enhance some authorization applications.
Initial ABS schemes were largely motivated by the constructions in ABE schemes
and in particular were influenced by the ABE schemes of [GPSW06] and [GJPS08]
due to their support for a wide range of access policies.
ABGS. ABS was introduced into group signatures by Khader [Kha07b]. In
their work on attribute based group signatures, they built their scheme on the
tree structure dened in Goyal et al. [GPSW06]. They extended the concept
of identity-based group signatures to an attribute based signature in order to
associate additional credentials to a signer (member of the group) and at the
same time prevent collusion among group members. They base their construction
on the concepts of secret sharing and linear encryption. They prove their scheme
to be CPA-secure in the random-oracle model with the help of the q-strong Die-
Hellman assumption, the DLIN assumption and the forking lemma. In a second
work [Kha07a] by the same authors, they extended their rst scheme to include the
idea of revoking attributes. They base their revocation capability on the paper by
Boneh and Sacham [BS04]. However, the security of this extended paper is similar
to their rst attribute based group signature paper.
Formalization of ABS. Although Khader [Kha07b] gave the notion of at-
tribute based signatures, the rst formal denition of ABS was given by Maji et
al. [MPR08]. They also dened the properties of strong unforgeability and strong
privacy(to the signer) that an attribute-based signature must provide. Their con-
struction uses monotone span programs (MSP) to represent access policies. Their
scheme also discusses the feature of unlinkability, where, given multiple signa-
tures by the same signer, they cannot be identied as being signed by the same
21
party. The authors further provide a second scheme inorder to account for mul-
tiple attribute authorities (multi-authority). The security of their schemes rely
on the generic group model. The authors further propose applicability of ABS
in attribute based messaging, attribute-based authentication and as a stronger
variation of mesh signatures.
Attiribute-based ring signature. With the anonymity features of attribute-
based signatures becoming more prominent, it seemed natural to incorporate it
in ring signatures. Ring signature schemes, introduced by Rivest et al. [RST01]
essentially give the signer a means to remain hidden (anonymous) amongst a set
of n users who form the ring. To create a ring signature, it is sucient for one to
have the secret key of a single member (usually the signer himself) of the ring and
have public keys of the others. With ABS, the signers identity remains hidden
and only the attributes possessed by the signer can be guessed based on the signing
policy. The rst attribute-based ring signature scheme was proposed by Li and
Kim [LK08]. Their scheme uses the idea of Shamirs secret sharing to share the
secret in the keys of the signers attributes. Only those signers with the right
combination of attributes can successfully sign a message to pass the verication
for a given predicate. The authors give two schemes in their paper, one whose
security is shown in the random oracle model and the other is proved without
random oracles. Both schemes are shown to be secure by reduction to the CDH
problem.
Without anonymity revocation. Extending the property of anonymity in
the ring signature, is the work on hidden ABS without anonymity revocation
by [LK10]. Like many of the attribute-based primitives, this is also based on a
problem in the identity-based setting called hidden identity-based signatures. In
schemes with anonymity revocation, although the construction by itself provides
anonymity, there is a trapdoor which some designated authority can use inorder
to reveal the exact identity of the signer. This might be necessary in some appli-
cations. Here, however, the scheme composed by Li and Kim ensures that such
a revocation is not possible by any authority. This scheme actually borrows this
property directly from the ring signature scheme in [LK08].
3.4 Threshold Attribute-Based Signatures
(k, n)-threshold. Our interest in threshold ABS (t-ABS) schemes is motivated by the similarities in threshold ABE and ABS constructions. The initial threshold ABS scheme was defined and formalized by Shahandashti and Safavi-Naini [SSN09]. However, it is interesting to note that the ring signature scheme by Li and Kim [LK08] can be considered an $(n, n)$-threshold ABS scheme, since the signer needs to have all the attributes of the predicate to be a part of the ring. But Li and Kim [LK08] do not explicitly mention threshold ABS in their work. The work by Shahandashti and Safavi-Naini [SSN09] is the first to formalize the notion of t-ABS. They propose two threshold-ABS schemes which can support any $(k, n)$ threshold gate. Their constructions use Shamir's secret sharing to distribute the secret in the attributes and use Lagrange interpolation to retrieve the secret component. Their key generation (which makes use of Waters' signature) and verification are similar to those in [LK08]. However, their second scheme, which is a modified version of their first basic scheme, makes use of zero-knowledge proofs of knowledge and commitment schemes to make it existentially unforgeable. Their basic scheme is only selectively unforgeable. The security of both their schemes is shown in the standard model by reduction to the CDH problem. Further, the authors show how t-ABS can be extended and used to obtain a threshold attribute-based anonymous credential system. Here again, as with threshold ABE schemes, Shahandashti and Safavi-Naini's scheme supports only a single threshold gate and cannot be used with complex access control policies. Hence, it provided good scope for someone to come up with a less restrictive and more expressive threshold scheme. Also, with the establishment of the t-ABS framework, the task of coming up with a scheme that can be proved to have tight existential unforgeability was still open.
Efficient threshold. Instigated by the new concept of threshold in ABS schemes, Li et al. [LAS+10] extended the work of [LK08] and [SSN09] to come up with an efficient $(k, n)$ t-ABS scheme. They propose three schemes in their paper. The first two are for efficient t-ABS and the third extends their idea in t-ABS to address the case where there can be multiple attribute authorities. Their schemes again make use of the secret sharing concept. The efficiency they gain is by reducing the sizes of both the key and the signature elements. Their signature technique integrates the attributes to give a component that can be used to sign the document in a single step instead of separately signing with each individual attribute as in [SSN09]. They show their scheme to be selectively unforgeable by reduction to the CDH problem. The first scheme that they proffer is proved secure with the help of random oracles; their other scheme is proved in the standard model. The proof for their multi-authority ABS also makes use of random oracles. The authors also propose new directions to use ABS for access control with non-transferability.
Multi-level threshold. Next came the work of Kumar et al. [KABPR10], which gave an ABS scheme for bounded multi-level threshold access structures. The definition of their bounded tree structure is based upon the work by Goyal et al. [GJPS08]. To support multiple levels of threshold nodes, the authors extend the secret sharing scheme to each node of the bounded tree. This enables them to keep the final secret at the root of the tree, and hence only those users whose attributes satisfy the access tree will be able to travel all the way up to the root to get the portion of the secret component that is required for the signature to pass the verification. The key generation for the construction here is a slightly modified version of the one in [LAS+10]. Kumar et al. first present a scheme that is proven secure in the random oracle model. They modify the first scheme by defining the hash functions explicitly to give another scheme which is proved secure in the standard model. The schemes are shown to be secure by reduction to the CDH problem.
ABS general framework. More recently, Maji et al. [MPR10] give a general framework for constructing ABS schemes. Their scheme uses monotone span programs to incorporate the access structure and also makes use of non-interactive witness indistinguishability (NIWI) to add to the anonymity of the signer. The authors also introduce a new generic primitive called a credential bundle, which is used in the key generation phase to bundle the attributes of the signer; this helps in making their scheme collusion resistant. The given framework allows the users to choose a zero-knowledge proof system as the NIWI component and also to select a signature scheme to provide the credential bundle. Furthermore, the authors have shown three instantiations of their scheme: a) one using the non-interactive zero-knowledge (NIZK) proof of Groth and Sahai [GS08] for the NIWI component and the Boneh-Boyen digital signature scheme to construct the credential bundle; b) the second uses Waters' signature for the credential bundle, which, unlike the Boneh-Boyen signature, prevents the signer from committing to some of the credential bundle components in a bit-wise fashion; c) their third scheme uses the credential bundle from the second scheme, however they use their own randomization to generate the keys instead of using NIZK proofs.
The authors also mention some applications for ABS which are the same as the ones in their earlier work [MPR08] (which we have discussed in the previous section).
Our work. In this thesis we discuss some of the security issues in the schemes given in [LAS+10, LK08, SSN09, KABPR10, LK10] that employ the secret sharing scheme to generate the keys. We give a detailed view of how the flaws in these schemes can be used by an attacker to create forgeries, and we also present our observations on the shortcomings of the existing key-generation techniques employed by these schemes. We further provide a new approach towards threshold-ABS inspired by ring signatures. We also provide a provably secure t-ABS construction using this approach.
CHAPTER 4
Efficient Multi-level Threshold CP-ABE
In this chapter we present our approach for a ciphertext-size-efficient, multi-level threshold CP-ABE. An efficient multi-level threshold ciphertext-policy attribute-based encryption scheme is one where the sender can encrypt a message using an access structure that may be complex and have multiple threshold nodes (refer to Figure 4.1), but the encryption algorithm should output a ciphertext whose number of components is significantly smaller than the total number of attributes involved. We have seen in Section 3.2 that Herranz et al. [HLR10] have presented an elegant constant-size ciphertext scheme that appears to be a suitable model for such a task. However, as we have remarked earlier, their method does not seem to have the capacity to extend and include multiple threshold gates. We have also observed that secret sharing is an important concept that can allow us to expand a threshold gate to multiple levels. We also notice that the access trees as defined in [GPSW06] and [GJPS08] allow threshold gates at each of the internal nodes and by default support multiple levels. Thus, our scheme proposes to combine all these aspects in order to arrive at a size-efficient multi-level threshold CP-ABE.
Figure 4.1: Multi-level threshold tree (k-of-n threshold gates nested over several levels).
In this chapter we present the construction of our CP-ABE scheme. We start by giving the model of our access tree and attributes and then move on to the description of the ciphertext and the secret keys. We then show the algorithm for decryption and verify its correctness. Then we proceed to demonstrate our scheme with the help of a simple example.
4.1 Model
We denote the universe set of attributes by $P$. Let $m$ be the cardinality of $P$. A party who wishes to encrypt a message will specify the access control predicate through an access tree structure, which we denote by $T$. Any party who wishes to decrypt the ciphertext must be able to satisfy the access tree in order to retrieve the message.
The tree model we follow is similar to that described in [BSW07]. We treat each individual non-leaf node of the tree as a threshold gate. Note that this representation of the access policy is very expressive, since an AND gate can be represented as an $n$-out-of-$n$ threshold gate and an OR gate as a $1$-out-of-$n$ threshold gate.
Access Tree $T$. The tree representing the access structure is denoted by $T$. Let $s_x$ denote the number of children of node $x$. We use $k_x$ to denote the threshold value that needs to be satisfied at node $x$, and $par(x)$ denotes the parent of node $x$. The access tree $T$ also defines an ordering between the children of every node, that is, the children of a node are numbered from $1$ to $s_x$. The function $index(x)$ returns the number associated with node $x$, where the index values are uniquely assigned to nodes in the access structure for a given key in an arbitrary manner. An important point to note is that all the attributes of the access policy form the leaves of the access tree. We use the notation $\Box_T$ for the set of last-level non-leaf nodes (i.e. those nodes whose children are all attributes/leaves).
Satisfying the tree. Let $r$ denote the root node of the tree and $T_x$ the subtree rooted at node $x$; thus $T_r$ is equivalent to $T$. If a set of attributes $A$ satisfies the subtree $T_x$ we write $T_x(A) = 1$. At each node $x$, $T_x(A) = 1$ if and only if at least $k_x$ (the threshold of node $x$) of the children of $x$ return $1$ from their subtrees. By this recursive definition, if the attribute set satisfies the entire tree then $T(A) = 1$.
4.2 Definitions
Definition 1: [Lagrange Coefficient] We recall the definition of the Lagrange coefficient $\Delta_{i,S}$ for $i \in \mathbb{Z}_p^*$ and a set $S$ of elements in $\mathbb{Z}_p^*$:
$$\Delta_{i,S}(x) = \prod_{j \in S,\, j \neq i} \frac{x - j}{i - j}.$$
Definition 2: [Aggregate Function] The Aggregate function (as defined originally in [DP08]) computes
$$\mathrm{Aggregate}\Big(\big\{ g^{\frac{r}{\Box + x_i}},\ x_i \big\}_{1 \le i \le n}\Big) = g^{\frac{r}{\prod_{i=1}^{n} (\Box + x_i)}}$$
in $O(n^2)$ exponentiations.
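The following Python code is an added illustration of Definition 2 and is not code from the thesis or from [DP08]. It implements the Aggregate function in the $O(n^2)$ manner of [DP08] over a toy multiplicative group, the order-$q$ subgroup of $\mathbb{Z}_p^*$ for the safe prime $p = 1019$ (constructed here; a deployment would use a pairing-friendly elliptic-curve group). The hidden master exponent that appears in the denominators is called `gamma` in this code, a name chosen for the example only: it is used solely to build the test inputs and to check the result, never inside `aggregate`, which sees nothing but the key components $g^{r/(\mathtt{gamma}+x_i)}$ and the public encodings $x_i$.

```python
# Added example: the Aggregate function of [DP08] over a toy prime-order group.
# Constructed for illustration; not code from the thesis.

P = 1019   # safe prime, P = 2*Q + 1 (constructed toy modulus)
Q = 509    # prime order of the subgroup of quadratic residues mod P
G = 4      # 4 = 2^2 generates the order-Q subgroup of Z_P^*


def inv_mod(a, m):
    """Modular inverse of a mod m (m prime, a != 0 mod m)."""
    return pow(a % m, -1, m)


def aggregate(components, attrs):
    """Aggregate({g^{r/(gamma+x_i)}, x_i}) -> g^{r / prod_i (gamma+x_i)}.

    components[i] is the group element g^{r/(gamma+x_i)} and attrs[i] the public
    encoding x_i.  Neither r nor gamma is needed: each step uses only the identity
        1/(gamma+a) - 1/(gamma+b) = (b-a) / ((gamma+a)(gamma+b))
    in the exponent.  O(n^2) exponentiations.  The x_i must be pairwise distinct
    mod Q, otherwise (x_l - x_j) has no inverse.
    """
    vals = list(components)
    n = len(vals)
    for j in range(n - 1):
        for l in range(j + 1, n):
            # Invariant: vals[j] = g^{r/(P_j (gamma+x_j))}, vals[l] = g^{r/(P_j (gamma+x_l))}
            # with P_j = prod_{i<j} (gamma+x_i).  Fold (gamma+x_j) into vals[l]'s denominator.
            diff = (attrs[l] - attrs[j]) % Q
            if diff == 0:
                raise ValueError("attribute encodings must be distinct")
            ratio = vals[j] * inv_mod(vals[l], P) % P   # g^{r (x_l-x_j) / (P_j (gamma+x_j)(gamma+x_l))}
            vals[l] = pow(ratio, inv_mod(diff, Q), P)    # g^{r / (P_j (gamma+x_j)(gamma+x_l))}
    return vals[-1]


# Helpers playing the role of the key generation authority (they know gamma).

def key_components(gamma, r, attrs):
    """Toy stand-in for the {g^{r/(gamma+x_i)}} part of a secret key."""
    return [pow(G, r * inv_mod(gamma + x, Q) % Q, P) for x in attrs]


def expected_aggregate(gamma, r, attrs):
    """Direct computation of g^{r/prod(gamma+x_i)}, used only to check aggregate()."""
    prod = 1
    for x in attrs:
        prod = prod * (gamma + x) % Q
    return pow(G, r * inv_mod(prod, Q) % Q, P)


def demo():
    gamma, r = 77, 123          # constructed secret values
    attrs = [5, 9, 14, 21]      # constructed public attribute encodings
    comps = key_components(gamma, r, attrs)
    return aggregate(comps, attrs) == expected_aggregate(gamma, r, attrs)


if __name__ == "__main__":
    print("aggregate matches direct computation:", demo())
```

The inner loop is the whole algorithm: after the $j$-th outer iteration every remaining component carries one more factor $(\mathtt{gamma}+x_j)$ in its denominator, so the last component ends up with the full product. This is exactly why a decryptor can combine its per-attribute key components for $A_{S_x}$ without learning the master exponent.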
4.3 Construction
4.3.1 Setup
The setup algorithm chooses a bilinear group triple $(G_1, G_2, G_T)$ of prime order $p$ and a bilinear map $e : G_1 \times G_2 \to G_T$. The algorithm also picks generators $g$ of $G_1$ and $h$ of $G_2$. Then it chooses three random exponents $\Box, \Box, \Box \in \mathbb{Z}_p^*$. It then sets $u = g^{\Box}$ and $v = e(g^{\Box}, h)$.
After that it chooses a suitable encoding $\Box$ sending each of the $m$ attributes $at \in P$ onto a (different) element $\Box(at) = x \in \mathbb{Z}_p^*$. It then chooses a set of $m-1$ dummy attributes $D = \{d_1, \dots, d_{m-1}\}$. By the notation $D_i$, for $i < m-1$, we denote the set of dummy attributes from $d_1$ to $d_i$.
PK (public parameters): $\{P,\ u,\ v,\ h^{\Box},\ \{h^{\Box^i}\}_{i=0,\dots,2m-1},\ D,\ \Box\}$
MK (master secret key): $\{\Box, \Box, \Box, g, h\}$
4.3.2 Key Generation
KeyGen(PK, A, MK)
Given a set of attributes $A \subseteq P$, the central authority picks an $r \in \mathbb{Z}_p^*$ at random and computes the secret key for the user as follows:
$$SK_A = \Big( \{ g^{\frac{r}{\Box + \Box(at)}} \}_{at \in A},\ \{ h^{r \Box^i} \}_{i=0,\dots,m-2},\ g^{(1-r)\Box} \Big)$$
4.3.3 Encryption
Enc(PK, T, M)
For every non-leaf node $x$ of the access tree $T$ we choose a polynomial $q_x$. We proceed in a top-down manner in selecting the polynomials, starting from the root $R$. For a node $x$ we set the degree $d_x = k_x - 1$, one less than the threshold value that needs to be satisfied at the gate at that node.
Now, beginning at the root, we choose a random $s \in_R \mathbb{Z}_p^*$ and set $q_r(0) = s$. Then we choose $d_r$ other points of the polynomial $q_r$ to define it completely. For all other non-leaf nodes $x$ we set $q_x(0) = q_{parent(x)}(index(x))$ and choose $d_x$ other points to completely define $q_x$.
For the last level of non-leaf nodes, $x \in \Box_T$, we compute the following two values:
$$C_{x1} = u^{q_x(0)}, \qquad C_{x2} = h^{\,q_x(0)\cdot \Box \cdot \prod_{at \in S_x} (\Box + \Box(at)) \cdot \prod_{d \in D_{m+k_x-1-s_x}} (\Box + d)}$$
The ciphertext is given by:
$$CT = \Big\{ \tilde{C} = M \cdot e(g,h)^{s},\ C_0 = h^{s},\ \{C_{x1}, C_{x2}\}_{x \in \Box_T},\ T \Big\}$$
4.3.4 Decryption
Dec(CT, SK, PK)
Let $A$ denote the user's attribute set and $S_x$ the set of attributes involved at each non-leaf node $x \in \Box_T$. Let $A_{S_x} = A \cap S_x$. Any decryptor whose attributes satisfy the access tree can decrypt the message as follows.
For last-level non-leaf nodes $x \in \Box_T$ do the following:
1. Compute Aggregate [HLR10]:
$$\mathrm{Aggregate}\Big(\big\{ g^{\frac{r}{\Box + \Box(at)}},\ \Box(at) \big\}_{at \in A_{S_x}}\Big) = g^{\frac{r}{\prod_{at \in A_{S_x}} (\Box + \Box(at))}}$$
2. $L_x = e(\mathrm{Aggregate}, C_{x2})$:
$$L_x = e(g,h)^{\,r\, q_x(0)\, \Box \prod_{at \in S_x \setminus A_{S_x}} (\Box + \Box(at)) \prod_{d \in D_{m+k_x-1-s_x}} (\Box + d)}$$
3. Define $P_{(A_{S_x}, S_x)}(\Box)$ to be equal to
$$\frac{1}{\Box}\Big( \prod_{at \in (S_x \cup D_{m+k_x-1-s_x}) \setminus A_{S_x}} (\Box + \Box(at)) \;-\; \prod_{at \in (S_x \cup D_{m+k_x-1-s_x}) \setminus A_{S_x}} \Box(at) \Big)$$
(The value $h^{rP_{(A_{S_x},S_x)}(\Box)}$ can be computed from the components given in the secret key.)
4. Compute
$$e\big(C_{x1},\ h^{rP_{(A_{S_x},S_x)}(\Box)}\big)^{-1} \cdot L_x = e(g,h)^{\,q_x(0)\cdot r \cdot \Box \cdot \prod_{at \in (S_x \cup D_{m+k_x-1-s_x}) \setminus A_{S_x}} \Box(at)}$$
5. Now raise the above value to the exponent $1 / \prod_{at \in (S_x \cup D_{m+k_x-1-s_x}) \setminus A_{S_x}} \Box(at)$ to get $e(g,h)^{r q_x(0)}$. We denote this by $F_x$.
6. For the other nodes we consider the recursive case of moving up the tree. For all nodes $z$ which are children of a higher-level non-leaf node $x$, let $F_z$ denote the decryption up to that node. Then, for each $x$ we choose a set $S_x$ consisting of $k_x$ child nodes $z$ for which $F_z \neq \bot$. If no such set exists then $F_x = \bot$; else
$$F_x = \prod_{z \in S_x} F_z^{\Delta_{i, S'_x}(0)}, \quad \text{where } i = index(z) \text{ and } S'_x = \{ index(z) : z \in S_x \}$$
$$= \prod_{z \in S_x} \big( e(g,h)^{r q_z(0)} \big)^{\Delta_{i,S'_x}(0)}$$
$$= \prod_{z \in S_x} \big( e(g,h)^{r q_{parent(z)}(index(z))} \big)^{\Delta_{i,S'_x}(0)} \quad \text{(by construction)}$$
$$= \prod_{z \in S_x} e(g,h)^{r q_x(i) \Delta_{i,S'_x}(0)}$$
$$= e(g,h)^{r q_x(0)} \quad \text{(polynomial interpolation)}$$
Hence at the root we eventually get $e(g,h)^{r q_r(0)}$, which is nothing but $e(g,h)^{rs}$.
7. We then do the last few steps to un-blind the message. We compute
$$e\big(g^{(1-r)\Box}, h^{s}\big) = e(g,h)^{s - rs}.$$
This is multiplied with $e(g,h)^{rs}$, which we obtained in the previous step. This finally gives us $e(g,h)^{s}$, which is the blinding factor. We divide $\tilde{C}$ by this to retrieve the message $M$:
$$\frac{\tilde{C}}{e(g^{(1-r)\Box}, h^{s}) \cdot e(g,h)^{rs}} = \frac{M \cdot e(g,h)^{s}}{e(g,h)^{s - rs} \cdot e(g,h)^{rs}} = M$$
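To make the share generation of Section 4.3.3 and the recursive reconstruction of step 6 concrete, here is an added Python example; it is not code from the thesis. It works directly with the exponents as elements of a toy prime field $\mathbb{Z}_P$ (the Mersenne prime $2^{61}-1$, a convenience choice for this example): the pairing computations of steps 1 to 5 at a last-level node are abstracted by the rule that the node's value $q_x(0)$ is recovered exactly when the user holds at least $k_x$ of that node's attributes, while the interpolation of step 6 is carried out literally with $\Delta_{i,S'_x}(0)$. The tree is the one of the worked example in Section 4.4 (an AND over an AND of General and Army, and a 2-of-4 over Op-X, Op-Y, Op-Z and Op-Star); when the non-constant coefficient of the root polynomial is fixed to 10, the last-level node secrets come out as $s+10$ and $s+20$, matching that example.

```python
# Added example: Shamir-style share generation over a multi-level threshold access
# tree and Lagrange reconstruction at the root.  Constructed for illustration; not
# code from the thesis.  Field arithmetic stands in for the exponent arithmetic.
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

P = 2**61 - 1   # prime modulus of the toy field (a Mersenne prime), constructed choice


@dataclass
class Node:
    k: int = 0                                   # threshold k_x (unused for leaves)
    children: List["Node"] = field(default_factory=list)
    attr: Optional[str] = None                   # attribute name for a leaf


def leaf(name: str) -> Node:
    return Node(attr=name)


def gate(k: int, *children: Node) -> Node:
    return Node(k=k, children=list(children))


def is_leaf(x: Node) -> bool:
    return x.attr is not None


def is_last_level(x: Node) -> bool:
    """x is a last-level non-leaf node: all of its children are attributes."""
    return not is_leaf(x) and all(is_leaf(c) for c in x.children)


def node_key(x: Node) -> Tuple[str, ...]:
    return tuple(c.attr for c in x.children)


def satisfies(x: Node, attrs: set) -> bool:
    """T_x(A) = 1 iff x is a held attribute or >= k_x children satisfy their subtrees."""
    if is_leaf(x):
        return x.attr in attrs
    return sum(satisfies(c, attrs) for c in x.children) >= x.k


def lagrange_coeff(i: int, S: List[int], at: int = 0) -> int:
    """Delta_{i,S}(at) = prod_{j in S, j != i} (at - j)/(i - j) over Z_P."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (at - j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P


def eval_poly(coeffs: List[int], y: int) -> int:
    """q(y) for coefficients [q(0), c_1, ..., c_{k-1}] (Horner's rule over Z_P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * y + c) % P
    return acc


def share(tree: Node, s: int,
          rand: Callable[[], int] = lambda: secrets.randbelow(P)) -> Dict[Tuple[str, ...], int]:
    """Encryption side: q_root(0) = s, deg q_x = k_x - 1, q_x(0) = q_parent(x)(index(x)).
    Returns q_x(0) for every last-level node (the value embedded in C_x1, C_x2),
    keyed by the node's attribute tuple."""
    out: Dict[Tuple[str, ...], int] = {}

    def visit(x: Node, value: int) -> None:
        if is_last_level(x):
            out[node_key(x)] = value
            return
        coeffs = [value] + [rand() for _ in range(x.k - 1)]
        for idx, child in enumerate(x.children, start=1):   # index(child) = idx
            visit(child, eval_poly(coeffs, idx))

    visit(tree, s)
    return out


def reconstruct(tree: Node, attrs: set, node_secrets: Dict[Tuple[str, ...], int]) -> Optional[int]:
    """Decryption side.  F_x of a last-level node is its secret when >= k_x of its
    attributes are held (abstracting pairing steps 1-5), else None (bottom).
    Higher nodes pick k_x children with F_z != None and interpolate at 0."""
    def F(x: Node) -> Optional[int]:
        if is_last_level(x):
            held = sum(1 for c in x.children if c.attr in attrs)
            return node_secrets[node_key(x)] if held >= x.k else None
        avail = [(i, F(z)) for i, z in enumerate(x.children, start=1)]
        avail = [(i, v) for i, v in avail if v is not None]
        if len(avail) < x.k:
            return None
        chosen = avail[: x.k]                  # S_x: any k_x satisfied children
        S = [i for i, _ in chosen]             # S'_x = {index(z) : z in S_x}
        return sum(v * lagrange_coeff(i, S) for i, v in chosen) % P

    return F(tree)


# The access tree of Section 4.4 (Figure 4.2).
EXAMPLE_TREE = gate(2,
                    gate(2, leaf("General"), leaf("Army")),
                    gate(2, leaf("Op-X"), leaf("Op-Y"), leaf("Op-Z"), leaf("Op-Star")))


def demo(s: int = 123456789) -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Reconstructed value for a satisfying set, a set missing Army, and a set with one operation."""
    ns = share(EXAMPLE_TREE, s)
    ok = reconstruct(EXAMPLE_TREE, {"General", "Army", "Op-Y", "Op-Z"}, ns)
    bad1 = reconstruct(EXAMPLE_TREE, {"General", "Op-Y", "Op-Z"}, ns)
    bad2 = reconstruct(EXAMPLE_TREE, {"General", "Army", "Op-X"}, ns)
    return ok, bad1, bad2
```

Note that `reconstruct` never touches the random coefficients chosen in `share`: the root value is recovered purely from the children's values and the public indices, which is what makes the per-node polynomials a safe way to bind the threshold structure.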
4.4 Example
We will analyze the scheme with the help of an example. Let's consider a situation where we have a top secret defence document. Say the document can be accessed only by personnel who are generals in the army AND have experience in 2 out of 4 operations, namely Op-X, Op-Y, Op-Z and Op-Star. We re-write the access policy as follows:
$$\Big[ (\text{General} \wedge \text{Army}) \wedge \big(2\text{-out-of}\{\text{Op-X}, \text{Op-Y}, \text{Op-Z}, \text{Op-Star}\}\big) \Big]$$
We can represent the access policy as a tree structure as in Figure 4.2.
Let's now look at an example where some personnel have the access rights and others have attributes that are insufficient to satisfy the predicate. Let's take the case where we have 4 people, each with a different attribute set. In Figure 4.3 we illustrate the case where two people have attributes that satisfy the access policy and two others who don't. We will show the various phases of the encryption scheme for the person who is a general in the army with experience in operations Op-Y and Op-Z, as in the figure.
Figure 4.2: Access tree structure for a multi-level predicate (root AND gate; its children are an AND node over General and Army, and a 2-of-4 node over Op-X, Op-Y, Op-Z, Op-Star).
4.4.1 Setup
The setup algorithm chooses a bilinear group triple $(G_1, G_2, G_T)$ of prime order $p$ and a bilinear map $e : G_1 \times G_2 \to G_T$. The algorithm also picks generators $g$ of $G_1$ and $h$ of $G_2$. Then it chooses three random exponents $\Box, \Box, \Box \in \mathbb{Z}_p^*$. It then sets $u = g^{\Box}$ and $v = e(g^{\Box}, h)$.
Let the universe of attributes be $P = \{\text{Army (A)}, \text{Captain (C)}, \text{General (G)}, \text{Op-X (X)}, \text{Op-Y (Y)}, \text{Op-Z (Z)}, \text{Op-Star (S)}\}$. So $m = 7$. The dummy attributes are $m-1$ in number, so we have $D = \{d_1, \dots, d_6\}$. Now, for simplicity, we'll say that $A, C, G, X, Y, Z, S$ and the $d_i$'s are all values in $\mathbb{Z}_p^*$ and that the encoding function $\Box$, when applied to these attributes, gives the same value.
PK (public parameters): $\{P,\ u,\ v,\ h^{\Box},\ \{h^{\Box^i}\}_{i=0,\dots,13},\ D,\ \Box\}$
MK (master secret key): $\{\Box, \Box, \Box, g, h\}$
4.4.2 Generating the keys
KeyGen(PK, A, MK)
We will generate the keys for the person with attributes $A = \{\text{Army}, \text{General}, \text{Op-Y}, \text{Op-Z}\}$. Here $A \subseteq P$; the central authority picks an $r \in \mathbb{Z}_p^*$ at random and computes the secret key for the user as follows:
$$SK_A = \Big( \{ g^{\frac{r}{\Box + A}},\ g^{\frac{r}{\Box + G}},\ g^{\frac{r}{\Box + Y}},\ g^{\frac{r}{\Box + Z}} \},\ \{ h^{r \Box^i} \}_{i=0,\dots,5},\ g^{(1-r)\Box} \Big)$$
Figure 4.3: Examples of access tree satisfaction.
4.4.3 Encrypting a message
Enc(PK, T, M)
For every non-leaf node $x$ of the access tree $T$ we choose a polynomial $q_x$. We proceed in a top-down manner in selecting the polynomials, starting from the root $R$. For a node $x$ we set the degree $d_x = k_x - 1$, one less than the threshold value that needs to be satisfied at the gate at that node.
Now, beginning at the root, we choose a random $s \in_R \mathbb{Z}_p^*$ and set $q_r(0) = s$. Then we choose $d_r$ other points of the polynomial $q_r$ to define it completely. For all other non-leaf nodes $x$ we set $q_x(0) = q_{parent(x)}(index(x))$ and choose $d_x$ other points to completely define $q_x$.
Following the procedure, we get the tree shown in Figure 4.4.
For the last level of non-leaf nodes, $x \in \Box_T$, we compute the following values.
For node 1:
$$C_{11} = u^{(s+10)}, \qquad C_{12} = h^{(s+10)\cdot\Box\cdot(\Box+A)(\Box+G)(\Box+d_1)(\Box+d_2)(\Box+d_3)(\Box+d_4)(\Box+d_5)(\Box+d_6)}$$
For the second node:
$$C_{21} = u^{(s+20)}, \qquad C_{22} = h^{(s+20)\cdot\Box\cdot(\Box+X)(\Box+Y)(\Box+Z)(\Box+S)(\Box+d_1)(\Box+d_2)(\Box+d_3)(\Box+d_4)}$$
The ciphertext is given by:
$$CT = \big\{ \tilde{C} = M \cdot e(g,h)^{s},\ C_0 = h^{s},\ \{C_{11}, C_{12}, C_{21}, C_{22}\} \big\}$$
Figure 4.4: Encryption - generating shares using Shamir's secret sharing idea.
4.4.4 Decrypting the ciphertext
Dec(CT, SK, PK)
We'll show the decryption for the case of the given secret key components. We first do the computations for the last-level non-leaf nodes, $x \in \Box_T$.
For node 1:
1. Compute Aggregate: $\mathrm{Aggregate}\big(\{ g^{\frac{r}{(\Box+G)}}, g^{\frac{r}{(\Box+A)}}, \Box(A), \Box(G) \}\big) = g^{\frac{r}{(\Box+G)(\Box+A)}}$
2. $L_1 = e(\mathrm{Aggregate}, C_{12})$:
$$L_1 = e(g,h)^{r(s+10)(\Box+d_1)(\Box+d_2)(\Box+d_3)(\Box+d_4)(\Box+d_5)(\Box+d_6)}$$
3. Define $P_{(A_{S_1},S_1)}(\Box)$ to be equal to
$$\frac{1}{\Box}\Big( (\Box+d_1)(\Box+d_2)(\Box+d_3)(\Box+d_4)(\Box+d_5)(\Box+d_6) - d_1 d_2 d_3 d_4 d_5 d_6 \Big)$$
4. $e\big(C_{11}, h^{rP_{(A_{S_1},S_1)}(\Box)}\big)$ equals
$$e(g,h)^{(s+10)\cdot r\cdot\Box\cdot\big((\Box+d_1)(\Box+d_2)(\Box+d_3)(\Box+d_4)(\Box+d_5)(\Box+d_6) - d_1 d_2 d_3 d_4 d_5 d_6\big)}$$
5. Multiplying the above with $L_1$, we get $e(g,h)^{(s+10)\cdot r\cdot\Box\cdot(d_1 d_2 d_3 d_4 d_5 d_6)}$.
6. Now $F_1 = \Big( e\big(C_{11}, h^{rP_{(A_{S_1},S_1)}(\Box)}\big) \cdot L_1 \Big)^{1/(d_1 d_2 d_3 d_4 d_5 d_6)} = e(g,h)^{r(s+10)}$.
For node 2:
1. Aggregate: $\mathrm{Aggregate}\big(\{ g^{\frac{r}{(\Box+Y)}}, g^{\frac{r}{(\Box+Z)}}, \Box(at) \}_{at \in \{Y,Z\}}\big) = g^{\frac{r}{(\Box+Y)(\Box+Z)}}$
2. $L_2 = e(\mathrm{Aggregate}, C_{22})$:
$$L_2 = e(g,h)^{r(s+20)(\Box+X)(\Box+S)(\Box+d_1)(\Box+d_2)(\Box+d_3)(\Box+d_4)}$$
3. Define $P_{(A_{S_2},S_2)}(\Box)$ to be equal to
$$\frac{1}{\Box}\Big( (\Box+X)(\Box+S)(\Box+d_1)(\Box+d_2)(\Box+d_3)(\Box+d_4) - X S d_1 d_2 d_3 d_4 \Big)$$
4. $e\big(C_{21}, h^{rP_{(A_{S_2},S_2)}(\Box)}\big)$ equals
$$e(g,h)^{(s+20)\cdot r\cdot\Box\cdot\big((\Box+X)(\Box+S)(\Box+d_1)(\Box+d_2)(\Box+d_3)(\Box+d_4) - X S d_1 d_2 d_3 d_4\big)}$$
5. Multiplying the above with $L_2$, we get $e(g,h)^{(s+20)\cdot r\cdot\Box\cdot(X S d_1 d_2 d_3 d_4)}$.
6. Now $F_2 = \Big( e\big(C_{21}, h^{rP_{(A_{S_2},S_2)}(\Box)}\big) \cdot L_2 \Big)^{1/(X S d_1 d_2 d_3 d_4)} = e(g,h)^{r(s+20)}$.
Now we move to the next higher level of non-leaf nodes. Here we are left with just the root. For all nodes $z$ which are children of a higher-level non-leaf node $x$, let $F_z$ denote the decryption up to that node. So, for the root we consider $F_1$ and $F_2$:
$$F_x = \prod_{z \in S_x} F_z^{\Delta_{i,S'_x}(0)}, \quad \text{where } i = index(z) \text{ and } S'_x = \{1, 2\}$$
$$= F_1^{\Delta_{1,S'_x}(0)} \cdot F_2^{\Delta_{2,S'_x}(0)}$$
$$= \big( e(g,h)^{r(s+10)} \big)^{\Delta_{1,S'_x}(0)} \cdot \big( e(g,h)^{r(s+20)} \big)^{\Delta_{2,S'_x}(0)}$$
$$= \big( e(g,h)^{r(s+10)} \big)^{2} \cdot \big( e(g,h)^{r(s+20)} \big)^{-1}$$
$$= e(g,h)^{2r(s+10) - r(s+20)} = e(g,h)^{rs}$$
Now we can unblind the message from $\tilde{C} = M \cdot e(g,h)^{s}$ as follows:
1. $e\big(g^{(1-r)\Box}, h^{s}\big) = e(g,h)^{s - rs}$
2. Multiply the above with $e(g,h)^{rs}$ to get $e(g,h)^{s}$.
3. $\tilde{C} / e(g,h)^{s} = M$
Conclusion. This example shows that the scheme is correct; however, we still need to establish its security. Although the scheme appears to be reliable and robust, we need to formally prove it to be secure under some hard cryptographic assumption. The secret key and public key components used in the scheme point us to the Augmented Multi-sequence of Exponents Diffie-Hellman problem (aMSE-DDH) [HLR10] as a potential hardness assumption. But, based on the fact that our scheme extends the threshold gate to multiple levels as in [BSW07], we believe that the scheme can only be proved secure in the generic group model.
CHAPTER 5
On The Security of Attribute Based Signatures
In this chapter we present our observations on the security of some attribute-based signature schemes. We first take a detailed look at the ABS scheme in [LAS+10]. Then we show that the scheme does not ensure the threshold property and is also universally forgeable, by formulating attacks on it. Further, we illustrate with an example that the scheme can be broken in a manner where an adversary can obtain a secret component (not actually the secret key) with which she can generate valid secret keys for any signer. Subsequently, we present the attacks on various related schemes having the same or similar key construction algorithm. This body of work also comprises the forgeries on the attribute based ring signature scheme by Li and Kim [LK08]; a total break on the threshold ABS scheme by Shahandashti and Safavi-Naini [SSN09]; universal forgery on the multi-authority ABS scheme by Li et al. [LAS+10]; a total break on the multi-level threshold ABS scheme by Kumar et al. [KABPR10]; and finally a total break on the hidden attribute-based signatures without anonymity revocation proposed by Li and Kim [LK10].
5.1 Efficient Threshold ABS Scheme
In this section we present the construction of the efficient threshold ABS scheme by Li et al. [LAS+10]. Let us briefly recall some definitions before going to the construction.
5.1.1 Definitions
Bilinear Pairing. Recall the definition of bilinear pairing from Section 2.1.
Lagrange Coefficient. Recall the definition from Section 2.3.3.
5.1.2 Setup
$\mathrm{Setup}(d) \to (\mathrm{params}, \mathrm{msk})$.
First, define the attributes in the universe $U$ as elements in $\mathbb{Z}_p$. A $(d-1)$-element default attribute set from $\mathbb{Z}_p$ is given as $\Box = \{\Box_1, \Box_2, \dots, \Box_{d-1}\}$. Select a random generator $g \in G_1$ and a random $x \in \mathbb{Z}_p$, and set $g_1 = g^{x}$. Next, pick a random element $g_2 \in G_1$ and compute $Z = e(g_1, g_2)$. Two hash functions are also chosen such that $H_1, H_2 : \{0,1\}^* \to G_1$. The public parameters are params and the master secret key is msk:
$$\mathrm{params} = (g, g_1, g_2, Z, d, H_1, H_2), \qquad \mathrm{msk} = x$$
5.1.3 Extract
To generate a private key for an attribute set, the following steps are taken. First, choose a $(d-1)$-degree polynomial $q(y)$ randomly such that $q(0) = x$. Generate a new attribute set as the union of the user's attribute set with the default attribute set. For each attribute $i$ in this new set, choose $r_i \in_R \mathbb{Z}_p$ and compute
$$d_{i0} = g_2^{q(i)} \cdot H_1(i)^{r_i} \qquad \text{and} \qquad d_{i1} = g^{r_i}.$$
Finally, output $D_i = (d_{i0}, d_{i1})$ as the private key for each $i$.
5.1.4 Sign
Suppose one has a private key for an attribute set. To sign a message $m$ with predicate $\Box_{k,\Box'}(\cdot)$, namely to prove owning at least $k$ attributes among an $n$-element attribute set $\Box'$, the signer selects a $k$-element subset of the attributes it holds in $\Box'$ and proceeds as follows:
First, the signer selects a subset of the default attribute set with $d - k$ elements, and chooses $n + d - k$ random values $r'_i \in \mathbb{Z}_p$, one for each $i$ in $\Box'$ together with the selected default attributes. Let $S$ denote the $k$ selected attributes together with the $d - k$ selected default attributes.
The signer then computes
$$\Box_0 = \Big[\prod_{i \in S} d_{i0}^{\Delta_{i,S}(0)}\Big]\Big[\prod_{i} H_1(i)^{r'_i}\Big] H_2(m)^{s}$$
$$\Box_i = \begin{cases} d_{i1}^{\Delta_{i,S}(0)} \cdot g^{r'_i} & \text{for } i \in S \\ g^{r'_i} & \text{for the remaining } i \end{cases}$$
$$\Box'_0 = g^{s}, \quad \text{with a randomly chosen value } s \in \mathbb{Z}_p$$
Signature: $(\Box_0, \{\Box_i\}_{i}, \Box'_0)$, where $i$ ranges over all $n + d - k$ attributes for which an $r'_i$ was chosen.
5.1.5 Verify
To verify the signature $(\Box_0, \{\Box_i\}_{i}, \Box'_0)$ on message $m$ with threshold $k$ for attributes $\Box'$, check if the following equation holds:
$$\frac{e(g, \Box_0)}{\Big[\prod_{i} e\big(H_1(i), \Box_i\big)\Big] \cdot e\big(H_2(m), \Box'_0\big)} \stackrel{?}{=} Z$$
5.2 Attacks
In this section we present the attacks on the above scheme. We'll take the following example case into consideration for the attack:
- Let $d = 2$ (for simplicity).
- Accordingly the default attribute set is $\{\Box_1\}$ (its size is $d - 1 = 1$).
- User's attributes: $\{A, B, C, D\}$.
- Signing attributes: $\Box' = \{A, P\}$.
- Let the threshold be $k = 2$, i.e. the user needs to have both attributes in $\Box'$ to generate a valid signature.
- For simplicity we will denote $H_1(i)$ by $H_i$.
5.2.1 Setup
At the end of $\mathrm{Setup}(d)$ we have $\mathrm{params} = (g, g_1, g_2, Z, d, H_1, H_2)$ and $\mathrm{msk} = x$.
5.2.2 Extract
1. Since $d = 2$ we consider a one-degree polynomial $q(y)$ whose constant term is set to $x$, and we pick a random value in $\mathbb{Z}_p^*$ as the other coefficient. So $q(0) = x$, and we set $q(y) = 7y + x$.
2. The new attribute set is $\{A, B, C, D, \Box_1\}$.
So we have the following secret key values:
$$D_A = \big( d_{A0} = g_2^{q(A)} H_A^{r_A},\ d_{A1} = g^{r_A} \big)$$
$$D_B = \big( d_{B0} = g_2^{q(B)} H_B^{r_B},\ d_{B1} = g^{r_B} \big)$$
$$D_C = \big( d_{C0} = g_2^{q(C)} H_C^{r_C},\ d_{C1} = g^{r_C} \big)$$
$$D_D = \big( d_{D0} = g_2^{q(D)} H_D^{r_D},\ d_{D1} = g^{r_D} \big)$$
$$D_{\Box_1} = \big( d_{\Box_1 0} = g_2^{q(\Box_1)} H_{\Box_1}^{r_{\Box_1}},\ d_{\Box_1 1} = g^{r_{\Box_1}} \big)$$
5.2.3 Preliminaries for the attack
The attacker picks $d$ secret keys at a time and does the following computations.
Notations. For a set $S = \{A, B\}$, when we evaluate the Lagrange coefficient $\Delta_{i,S}(0)$ at $i = A$ we denote the value as $\Delta_{AB}$. If $i = B$, then we denote it as $\Delta_{BA}$. Please note that $\Delta_{AB}$ need not equal $\Delta_{BA}$.
Computations done by signer. We evaluate $\prod_{i \in S} d_{i,0}^{\Delta_{i,S}(0)}$ for the pairs of attributes $S \in \{\{A,B\}, \{A,C\}, \{A,D\}, \{B,C\}, \{B,D\}, \{C,D\}\}$ to get:
$$X_1 = g_2^{x} H_A^{r_A \Delta_{AB}} H_B^{r_B \Delta_{BA}}$$
$$X_2 = g_2^{x} H_A^{r_A \Delta_{AC}} H_C^{r_C \Delta_{CA}}$$
$$X_3 = g_2^{x} H_A^{r_A \Delta_{AD}} H_D^{r_D \Delta_{DA}}$$
$$X_4 = g_2^{x} H_B^{r_B \Delta_{BC}} H_C^{r_C \Delta_{CB}}$$
$$X_5 = g_2^{x} H_B^{r_B \Delta_{BD}} H_D^{r_D \Delta_{DB}}$$
$$X_6 = g_2^{x} H_C^{r_C \Delta_{CD}} H_D^{r_D \Delta_{DC}} \qquad (5.1)$$
We will use the following notations for simplicity:
$$\Delta_{A1} = \Delta_{AB} - \Delta_{AC}, \qquad \Delta_{B1} = \Delta_{BA} - \Delta_{BC}, \qquad \Delta_{A2} = \Delta_{AB} - \Delta_{AD}, \qquad \Delta_{B2} = \Delta_{BA} - \Delta_{BD}$$
Now, the user computes the following:
$$Y_1 = \frac{X_1}{X_2} = H_A^{r_A \Delta_{A1}} H_B^{r_B \Delta_{BA}} H_C^{-r_C \Delta_{CA}}$$
$$Y_2 = \frac{X_1}{X_3} = H_A^{r_A \Delta_{A2}} H_B^{r_B \Delta_{BA}} H_D^{-r_D \Delta_{DA}}$$
$$Y_3 = \frac{X_1}{X_4} = H_A^{r_A \Delta_{AB}} H_B^{r_B \Delta_{B1}} H_C^{-r_C \Delta_{CB}}$$
$$Y_4 = \frac{X_1}{X_5} = H_A^{r_A \Delta_{AB}} H_B^{r_B \Delta_{B2}} H_D^{-r_D \Delta_{DB}}$$
We extend our notations to include:
$$\Delta_{A3} = \Delta_{A1} - \Delta_{A2} = \Delta_{AD} - \Delta_{AC}, \qquad \Delta_{B3} = \Delta_{BA}\Delta_{CB} - \Delta_{B1}\Delta_{CA}, \qquad \Delta_{A4} = \Delta_{A1}\Delta_{CB} - \Delta_{AB}\Delta_{CA},$$
$$\Delta_{B4} = \Delta_{BA}\Delta_{DB} - \Delta_{B2}\Delta_{DA}, \qquad \Delta_{A5} = \Delta_{A2}\Delta_{DB} - \Delta_{AB}\Delta_{DA}, \qquad \Delta_{B5} = \Delta_{B3}\Delta_{A5} - \Delta_{B4}\Delta_{A4}$$
Then, the user does the following computations:
$$Z_1 = \frac{Y_1}{Y_2} = H_A^{r_A \Delta_{A3}} H_D^{r_D \Delta_{DA}} H_C^{-r_C \Delta_{CA}}$$
$$Z_2 = \frac{Y_1^{\Delta_{CB}}}{Y_3^{\Delta_{CA}}} = H_A^{r_A \Delta_{A4}} H_B^{r_B \Delta_{B3}}$$
$$Z_3 = \frac{Y_2^{\Delta_{DB}}}{Y_4^{\Delta_{DA}}} = H_A^{r_A \Delta_{A5}} H_B^{r_B \Delta_{B4}} \qquad (5.2)$$
$$Z_4 = \frac{Z_2^{\Delta_{A5}}}{Z_3^{\Delta_{A4}}} = H_B^{r_B \Delta_{B5}} \qquad (5.3)$$
$$Z_5 = Z_3^{1/\Delta_{B4}} = H_A^{r_A \Delta_{A5}/\Delta_{B4}} H_B^{r_B} = H_A^{r_A \Delta_{A}} H_B^{r_B}, \quad \text{where } \Delta_A = \Delta_{A5}/\Delta_{B4} \qquad (5.4)$$
With these computations the signer is now ready to forge.
5.2.4 Attack 1: Forgery without satisfying threshold
The attacker (who possesses the attributes $\{A, B, C, D\}$) is now going to sign a document claiming (s)he has 2-out-of-$\{A, P\}$. Note that the attacker does not have the attribute $P$ and has not received any secret key pertaining to the attribute $P$. Recall:
- user's attributes $= \{A, B, C, D\}$
- $d = 2$, so $d - 1 = 1$
- default attribute set $= \{\Box_1\}$
- $\Box' = \{A, P\}$
Sign
The attacker computes the following:
$$\Box_{0I} = \Big[\{g_2^{q(A)} H_A^{r_A}\}^{\Delta_{AB}} \{g_2^{q(B)} H_B^{r_B}\}^{\Delta_{BA}}\Big]\Big[H_A^{r'_A} H_P^{r'_P}\Big] H_2(m)^{s} \qquad (5.5)$$
Note that $r'_A$, $r'_P$ and $s$ are values that the signer picks during signing. Now the attacker raises (5.4) to the exponent $(-\Delta_{BA})$ and multiplies it with $\Box_{0I}$:
$$\Box_0 = Z_5^{(-\Delta_{BA})} \cdot \Box_{0I} = g_2^{x} H_A^{r_A C} \Big[H_A^{r'_A} H_P^{r'_P}\Big] H_2(m)^{s} \qquad (5.6)$$
Here $C$ is a constant which can be computed by the signer. Now for the $\Box_i$ values:
$$\Box_A = (g^{r_A})^{C} \cdot g^{r'_A}, \qquad \Box_P = g^{r'_P}$$
Finally, $\Box'_0 = g^{s}$. The signature is $\{\Box_0, \{\Box_i\}_{i \in \{A,P\}}, \Box'_0\}$.
Verification
$$\frac{e(g, \Box_0)}{\Big[\prod_{i} e(H_1(i), \Box_i)\Big] e(H_2(m), \Box'_0)} = \frac{e(g, g_2^{x})\, e(g, H_A^{r_A C})\, e(g, H_A^{r'_A})\, e(g, H_P^{r'_P})\, e(g, H_2(m)^{s})}{\big[e(H_A, \Box_A)\, e(H_P, \Box_P)\big]\, e(H_2(m), g^{s})}$$
$$= \frac{e(g, g_2^{x})\, e\big(g, H_A^{r_A C}\big)\, e\big(g, H_A^{r'_A}\big)\, e\big(g, H_P^{r'_P}\big)}{\big[e\big(H_A, (g^{r_A})^{C} g^{r'_A}\big)\, e\big(H_P, g^{r'_P}\big)\big]}$$
$$= e(g, g_2^{x}) = Z$$
5.2.5 Attack 2: Universal forgery
We now show universal forgeability in the proposed scheme by extracting the
secret component hidden in the signers keys.
Computations for launching the attack. We will continue with the prelim-
inary computations that we have already done. We also know that the Lagrange
coecients for any set of attributes can be found. Thus, the
ij
values can be
computed and therefore we can proceed to nd:

B
= Z

B5
1
4
= H
r
B
B
(5.7)

A
=
_
Z
3
(
B
)

B4
_

A5
1
= H
r
A
A
(5.8)
Using the components
A
and
B
, we can now do the following:
=
X
1

AB

BA
= g
x
2
(5.9)
Now, with the value of g
x
2
the attacker will be in a position to forge for any
threshold of attributes and provide the appropriate
i
components to pass the
verication tests.
Sign (Universal forgery)
The attacker (who possesses the attributes in the set recalled below) is now capable of signing a document
claiming (s)he has 2-out-of-{L, M}. Note here that the signer does
not have either of the 2 attributes L or M and has not received any secret key
pertaining to these attributes. We are now looking at the following situation:
\[
\text{attacker's attribute set} = \{A, B, C, D\}, \qquad d = 2 \ \text{so}\ (d-1) = 1,
\]
\[
\text{default attribute set: one dummy attribute}, \qquad \text{signing attribute set} = \{L, M\}.
\]
The forger generates the following signature:
\[
\sigma_0 = g_2^{x}\Big[H_L^{r'_L} H_M^{r'_M}\Big] H_2(m)^s, \qquad
\sigma_L = g^{r'_L}, \quad \sigma_M = g^{r'_M}, \qquad \sigma'_0 = g^s
\]
The final signature is given as $\sigma = \{\sigma_0, \{\sigma_i\}_{i \in \{L,M\}}, \sigma'_0\}$.
Verify
\[
\frac{e(g, \sigma_0)}{\Big[\prod_{i} e(H_1(i), \sigma_i)\Big]\, e(H_2(m), \sigma'_0)}
= \frac{e(g, g_2^{x})\, e\big(g, H_L^{r'_L} H_M^{r'_M}\big)\, e\big(g, H_2(m)^s\big)}
{\big[e(H_L, \sigma_L)\, e(H_M, \sigma_M)\big]\, e(H_2(m), g^s)}
\]
\[
= \frac{e(g, g_2^{x})\, e\big(g, H_L^{r'_L}\big)\, e\big(g, H_M^{r'_M}\big)}
{\big[e\big(H_L, g^{r'_L}\big)\, e\big(H_M, g^{r'_M}\big)\big]}
= e(g, g_2^{x}) = Z
\]
5.2.6 Attack 3: Total break - impersonating key issuing authority
The attacker now holds $g_2^{x}$. With this, we show how (s)he can generate the private
keys for anyone.
To generate a private key for an attribute set, the attacker does the following:
First, choose a $d-1$ degree polynomial $q(y)$. Say $q(y) = 10y + x$.
Generate a new attribute set by adding the dummy (default) attributes to the given set. For each $i$ in the new set, choose $r_i \in_R \mathbb{Z}_p$ and compute $d_{i0}$ and $d_{i1}$:
\[
d_{i0} = g_2^{q(i)} H_1(i)^{r_i} = g_2^{10i}\, g_2^{x}\, H_1(i)^{r_i} \qquad \text{and} \qquad d_{i1} = g^{r_i}
\]
Finally, output $D_i = (d_{i0}, d_{i1})$ as the private key for each $i$ in the new set.
This shows a total break on the system.
In this section we have shown how an attacker of the scheme can compute
certain intermediate values from some attributes and dummy attributes that are
available to any user. With the help of these values, an adversary is not only able
to launch multiple attacks on the scheme, but also procure $g_2^{x}$, which holds the
secret and can be used to completely break the system. The subsequent section
shows how the same intermediate values can be obtained in other schemes and
how those schemes can also be broken based on similar principles.
5.3 Attacks on schemes with similar key construct
In this section, we explore how we can attack other schemes whose key construction
is congruent to [LAS+10]. We'll first look into the attribute based ring signature
scheme of Kim and Li in [LK08]. We will then show the attack on the (k, n)
threshold scheme by Shahandashti and Safavi-Naini in [SSN09], then on the ABS
with multiple attribute authorities [LAS+10]. We then proceed to show that the
attacks are also applicable on the ABS scheme for bounded multi-level threshold
circuits [KABPR10] and also on the scheme for hidden ABS without anonymity
revocation presented in [LK10].
5.3.1 Total break on attribute based ring signature scheme
Here we would like to remark that [LAS+10] has been derived from [LK08] and
that both their key extract phases are exactly the same. We first present the key
extraction phase of [LK08].
Key Extract
To generate a private key for an attribute set, the following steps are taken:
First, choose a $d-1$ degree polynomial $q(y)$ randomly such that $q(0) = x$;
Generate a new attribute set by adding the default attributes to the given set. For each $i$ in the new set, choose $r_i \in_R \mathbb{Z}_p$.
Compute
\[
d_{i0} = g_2^{q(i)} \big(H_1(i)\big)^{r_i} \qquad \text{and} \qquad d_{i1} = g^{r_i};
\]
Finally, output $D_i = (d_{i0}, d_{i1})$ as the private key for each $i$ in the new set.
Total break
It's now easy to see that the $d_{i0}$ components in [LK08] are exactly the same as
before. This allows us to derive the set of equations (5.1), which are the primary set of
equations used in deriving the rest of the values. From there we can proceed in the
exact same manner to get equations (5.2), then (5.3), (5.7), (5.8) and finally (5.9).
This will allow the attacker to get $g_2^{x}$. Now, the attacker can use the strategy in
Section 5.2.6 and impersonate the key generating authority.
5.3.2 Break on threshold attribute based signature scheme
The threshold attribute based signature scheme by Shahandashti and Safavi-Naini
in [SSN09] has been extended from the previous ring signature scheme [LK08]
to support (k, n) threshold. We will take a closer look at their setup and key
extraction phases before we identify the similarities and describe how the attack
is applicable.
Setup
$\mathrm{Setup}(1^k)$: Pick $y$ randomly from $\mathbb{Z}_p$ and set $g_1 = g^y$. Pick random elements
from $\mathbb{G}_1$: $g_2, h, t_1, t_2, \ldots, t_{n+1} \in_R \mathbb{G}_1$. Define and output the following:
\[
T(x) = g_2^{x^n} \prod_{i=1}^{n+1} t_i^{\Delta_{i,N}(x)}, \qquad \mathrm{msk} = y, \qquad \mathrm{mpk} = (g, g_1, g_2, t_1, t_2, \ldots, t_{n+1}, h)
\]
KeyGen
$\mathrm{KeyGen}(\mathrm{msk}, A)$: To generate keys for the user attribute set $A$, choose a random
$d-1$ degree polynomial $q(x)$ such that $q(0) = y$, choose random elements $r_i \in \mathbb{Z}_p$
for $i \in A$, and output:
\[
\mathrm{ssk} = \Big\{ g_2^{q(i)}\, T(i)^{r_i},\ g^{r_i} \Big\}_{i \in A}
\]
Attack
We will first establish the congruence of the key generation in this scheme to that
of [LAS+10]. Here, we can note that $T(i)$ is a publicly computable function, the
definition of which has been established in the setup. Thus, we can consider it to
be equivalent to the hash function $H_1(i)$ as used in schemes [LAS+10, LK08] for
the purposes of this attack. If we now use the notation $T_i$ to indicate the value of
$T(i)$ where $i$ is the attribute under consideration and then evaluate
$\prod_{i \in S} \mathrm{ssk}_{i0}^{\Delta_{i,S}(0)}$
for pairs of attributes, $S \in \{\{A, B\}, \{A, C\}, \{A, D\}, \{B, C\}, \{B, D\}, \{C, D\}\}$, we get:
\[
\begin{aligned}
X_1 &= g_2^{y}\, T_A^{r_A \Delta_{AB}}\, T_B^{r_B \Delta_{BA}} &
X_2 &= g_2^{y}\, T_A^{r_A \Delta_{AC}}\, T_C^{r_C \Delta_{CA}} \\
X_3 &= g_2^{y}\, T_A^{r_A \Delta_{AD}}\, T_D^{r_D \Delta_{DA}} &
X_4 &= g_2^{y}\, T_B^{r_B \Delta_{BC}}\, T_C^{r_C \Delta_{CB}} \\
X_5 &= g_2^{y}\, T_B^{r_B \Delta_{BD}}\, T_D^{r_D \Delta_{DB}} &
X_6 &= g_2^{y}\, T_C^{r_C \Delta_{CD}}\, T_D^{r_D \Delta_{DC}}
\end{aligned}
\]
If we now use the notation $H_i$ to indicate the value of $T(i)$ and also replace
the msk, which is $y$ here, with $x$, then we get the same set of preliminary
equations as in (5.1). From here on, the rest of the steps in extracting $g_2^{y}$ are exactly
the same as before. Thus, with the help of $g_2^{y}$, the attacker is capable of producing
keys for any set of attributes.
Generating Keys. To generate keys for the user attribute set $A$, the attacker
chooses a random $d-1$ degree polynomial $q(x)$ such that $q(0) = y$, say $q(x) =
10x + y$, chooses random elements $r_i \in \mathbb{Z}_p$ for $i \in A$, and outputs:
\[
\mathrm{ssk} = \Big\{ g_2^{10i}\, g_2^{y}\, T(i)^{r_i},\ g^{r_i} \Big\}_{i \in A}
\]
5.3.3 Attack on ABS with multiple attribute authorities
The ABS scheme with multiple attribute authorities is the second ABS scheme proposed
in [LAS+10]. Here, we assume that there are $k$ attribute authorities in
addition to one central authority. This scheme has some variations in its construction
since it needs to be able to address multiple authorities. We will review
the phases of the construction of their scheme before we show how an attacker can
break the system.
Setup
Assume that there are $k$ distributed attribute authorities. Each of them is in
charge of the issue of attribute set $A_i$ for $1 \le i \le k$. Define a default attribute
set $\Omega_i$ of $d$ elements for each attribute authority. The central authority chooses
$s_1, \ldots, s_k$ for all attribute authorities and hash functions $H_1, H_2, \ldots, H_k, H :
\{0,1\}^* \to \mathbb{G}_1$. In addition, the central authority chooses a random generator
$g \in \mathbb{G}_1$, a random $x \in \mathbb{Z}_p^*$, and sets $g_1 = g^x$. Next, she picks a random element
$g_2 \in \mathbb{G}_1$ and computes $Z = e(g_1, g_2)$. For the attribute authority $i$, the secret key
is $s_i$, which is assigned by the central authority.
Extract
First, a user with identity $u$ gets a secret key from the central authority as
\[
d_{ca} = g_2^{\,x - \sum_{i=1}^{k} f_{s_i}(u)}.
\]
Then, she can request an attribute private key from the $i$-th attribute
authority as follows. Assume the user $u$ is eligible to get an attribute set $A_{i,u}$ from
the attribute authority $i$. The attribute authority $i$ chooses a random $d-1$ degree
polynomial $q_i(\cdot)$ such that $q_i(0) = f_{s_i}(u)$ and computes the secret key for user $u$ as
\[
\Big\{ d_{ij0} = g_2^{q_i(j)} H_i(j)^{r_{ij}},\quad d_{ij1} = g^{r_{ij}} \Big\}_{j \in A_{i,u} \cup \Omega_i}.
\]
Sign
Suppose one has a private key for attribute set $A_{i,u}$ for $1 \le i \le k$. To sign a
message with predicate $\Upsilon$ that, for each $i$, at least $k_i$ out of the $n_i$ attributes $\Upsilon_i$ are
issued from the attribute authority $i$ (note $k_i$ could be equal to 0), the user
selects a $k_i$-value attribute subset $\Upsilon'_i \subseteq A_{i,u} \cap \Upsilon_i$. The following steps are taken:
First, the user chooses $r'_{i1}, r'_{i2}, \ldots, r'_{i,n_i+d-k_i} \in \mathbb{Z}_p^*$ and selects a $(d-k_i)$ default
attribute subset $\Omega'_i \subseteq \Omega_i$. Define $S_i = \Upsilon'_i \cup \Omega'_i$;
She also computes $(\sigma_0, \{\sigma_{ij}\}_{j \in \Upsilon_i \cup \Omega'_i}, \sigma'_0)$, where:
\[
\sigma_0 = \prod_{1 \le i \le k}\Bigg[\prod_{j \in S_i} d_{ij0}^{\Delta_{j,S_i}(0)} \prod_{j \in \Upsilon_i \cup \Omega'_i} H_i(j)^{r'_{ij}}\Bigg]\big(H(m)\big)^s
\]
\[
\Big\{\sigma_{ij} = d_{ij1}^{\Delta_{j,S_i}(0)}\, g^{r'_{ij}}\Big\}_{j \in S_i}, \qquad
\Big\{\sigma_{ij} = g^{r'_{ij}}\Big\}_{j \in (\Upsilon_i \cup \Omega'_i) \setminus S_i}, \qquad
\sigma'_0 = g^s
\]
Verify
On input the signature $(\sigma_0, \{\sigma_{ij}\}_{j \in \Upsilon_i \cup \Omega'_i}, \sigma'_0)$ with predicate $\Upsilon$, compute
\[
e(g, \sigma_0) \overset{?}{=} Z \prod_{1 \le i \le k} \prod_{j \in \Upsilon_i \cup \Omega'_i} e\big(H_i(j), \sigma_{ij}\big)\, e\big(H(m), \sigma'_0\big)
\]
If the equation holds, the signature is valid and the algorithm outputs accept.
Otherwise, the algorithm outputs reject.
Attack
In order to attack this system, a forger has to try and get part of the secret
component of every authority. The attacker can accomplish this as follows:
Using the set of attributes $\{A_{i,u} \cup \Omega_i\}$ the user has from each authority $i$,
the attacker forms equations as in (5.1); the only difference being that $g_2^{x}$ will
now be $g_2^{f_{s_i}(u)}$.
Following along the same way as before, the user can now extract $g_2^{f_{s_i}(u)}$.
Once the attacker extracts $g_2^{f_{s_i}(u)}$ for all $1 \le i \le k$, she computes their
product:
\[
\prod_{i=1}^{k} g_2^{f_{s_i}(u)} = g_2^{\sum_{i=1}^{k} f_{s_i}(u)}
\]
Multiplying it with the secret component given by the central authority:
\[
d_{ca} \cdot g_2^{\sum_{i=1}^{k} f_{s_i}(u)} = g_2^{\,x - \sum_{i=1}^{k} f_{s_i}(u)} \cdot g_2^{\sum_{i=1}^{k} f_{s_i}(u)} = g_2^{x}
\]
Universal Forgery. Now, using the values $g_2^{x}$ and $\big\{g_2^{f_{s_i}(u)}\big\}_{i=1,\ldots,k}$, the attacker
can forge on any message for any threshold of attributes. The signature is computed
as $(\sigma_0, \{\sigma_{ij}\}_{j \in \Upsilon_i \cup \Omega'_i}, \sigma'_0)$ where:
\[
\sigma_0 = d_{ca} \prod_{1 \le i \le k}\Bigg[ g_2^{f_{s_i}(u)} \prod_{j \in \Upsilon_i \cup \Omega'_i} H_i(j)^{r'_{ij}} \Bigg]\big(H(m)\big)^s, \qquad
\Big\{\sigma_{ij} = g^{r'_{ij}}\Big\}_{j \in \Upsilon_i \cup \Omega'_i}, \qquad \sigma'_0 = g^s
\]
Verification
\[
e(g, \sigma_0) = Z \Bigg[\prod_{1 \le i \le k} \prod_{j \in \Upsilon_i \cup \Omega'_i} e\big(H_i(j), \sigma_{ij}\big)\Bigg] e\big(H(m), \sigma'_0\big)
\]
Analysis of the verification:
\[
\begin{aligned}
e(g, \sigma_0) &= e\Bigg(g,\ d_{ca} \prod_{1 \le i \le k}\Bigg[ g_2^{f_{s_i}(u)} \prod_{j \in \Upsilon_i \cup \Omega'_i} H_i(j)^{r'_{ij}} \Bigg]\big(H(m)\big)^s\Bigg) \\
&= e\Bigg(g,\ g_2^{\,x - \sum_{i=1}^{k} f_{s_i}(u)}\, g_2^{\sum_{i=1}^{k} f_{s_i}(u)} \prod_{1 \le i \le k} \prod_{j \in \Upsilon_i \cup \Omega'_i} H_i(j)^{r'_{ij}}\Bigg)\, e\big(g, H(m)\big)^s \\
&= e(g, g_2^{x}) \prod_{1 \le i \le k}\Bigg[\prod_{j \in \Upsilon_i \cup \Omega'_i} e\big(g, H_i(j)\big)^{r'_{ij}}\Bigg] e\big(g, H(m)\big)^s \\
&= Z \Bigg[\prod_{1 \le i \le k} \prod_{j \in \Upsilon_i \cup \Omega'_i} e\big(g^{r'_{ij}}, H_i(j)\big)\Bigg] e\big(H(m), \sigma'_0\big) \\
&= Z \Bigg[\prod_{1 \le i \le k} \prod_{j \in \Upsilon_i \cup \Omega'_i} e\big(H_i(j), \sigma_{ij}\big)\Bigg] e\big(H(m), \sigma'_0\big)
\end{aligned}
\]
Hence, the verification passes. This shows that universal forgery can be performed
by any attacker.
5.3.4 Attack on multi-level threshold ABS scheme
In this subsection we will focus on how the attack is possible on the multi-level
threshold ABS scheme proposed by Kumar et al. in [KABPR10]. Here, in order
to achieve multi-level threshold properties, the authors use the access structure
that was first described in Goyal et al.'s paper on bounded ciphertext policy ABE
[GJPS08]. They denote the access tree structure by $\mathcal{T}$. Now, let us look at how
the key is generated for a signer possessing a set of attributes such that only
those users satisfying the access tree can produce a signature:
Key Generation
The key generation algorithm outputs a private key that enables the signer to
sign on any message $m$ under a bounded threshold circuit $\mathcal{T}$, as long as $\mathcal{T}$ evaluates to
1 on the signer's attribute set. Choose a random polynomial $q_x$ for each non-leaf node $x$ in the universal
bounded threshold circuit $\mathcal{T}_u$. These polynomials are chosen in the following way
in a top-down manner, starting from the root node $r$. For each $x$, set the degree
$c_x$ of the polynomial $q_x$ to be one less than the threshold value, i.e., $c_x = \mathrm{num} - 1$.
Now, for the root node $r$, set $q_r(0)$ to the master secret and choose $c_r$ other points of the polynomial
$q_r$ randomly to define it completely. For any other non-leaf node $x$, assign $q_x(0) =
q_{\mathrm{par}(x)}(\mathrm{index}(x))$ and choose $c_x$ other points randomly to completely define $q_x$.
The secret values are given to the user by generating a new attribute set
from the signer's attributes and the default attributes. For all $i$ in this new set:
1. If $i$ is one of the signer's attributes, for each $x \in \mathcal{T}_u$:
   (a) Choose $r_{x,i} \in \mathbb{Z}_p^*$
   (b) Compute $d_{x,i0} = \big[g_2^{q_x(i)} H_1(x \| i)^{r_{x,i}}\big]$, $d_{x,i1} = g^{r_{x,i}}$
2. If $j$ is a default attribute, for each $y \in \mathcal{T}_u$:
   (a) Choose $r_{y,j} \in \mathbb{Z}_p^*$
   (b) Compute $d_{y,j0} = \big[g_2^{q_y(j)} H_1(y \| j)^{r_{y,j}}\big]$, $d_{y,j1} = g^{r_{y,j}}$
Thus the private key is $\{d_{x,i0}, d_{x,i1} \mid x \in \mathcal{T}_u,\ i \text{ a signer attribute}\} \cup \{d_{y,i0}, d_{y,i1} \mid y \in \mathcal{T}_u,\ i \text{ a default attribute}\}$.
Attack
In order to model this attack, we will first consider all the non-leaf nodes $x$ at
depth $d-1$, i.e. all such $x \in \mathcal{T}_u$. By using our method of attack, we will try to extract
$g_2^{q_x(0)}$ for each of these nodes. Once we get these values, we can use them to
satisfy the threshold of the parent node and get its share of the secret, and so
on until we reach the root. To do this we will first establish the congruence
of the key generation in this scheme to that of [LAS+10]. Here, we can note
that $H_1(x \| i)$ is a publicly computable function, the definition of which has been
established in the setup. Thus, we can consider it to be equivalent to the hash
function $H_1(i)$ as used in schemes [LAS+10, LK08]. If we now use the notation
$H_{xi}$ to indicate the value of $H_1(x \| i)$, where $x$ is the node under consideration
and $i$ is the attribute under consideration, and then evaluate
$\prod_{i \in S} d_{x,i0}^{\Delta_{i,S}(0)}$ for pairs
of attributes, $S \in \{\{A, B\}, \{A, C\}, \{A, D\}, \{B, C\}, \{B, D\}, \{C, D\}\}$, we get the
following equations. (It is important here to note that this is possible because
a secret key component is given for all of the user's attributes for each and every
non-leaf node in $\mathcal{T}_u$.)
\[
\begin{aligned}
X_1 &= g_2^{q_x(0)}\, H_{xA}^{r_{xA} \Delta_{AB}}\, H_{xB}^{r_{xB} \Delta_{BA}} &
X_2 &= g_2^{q_x(0)}\, H_{xA}^{r_{xA} \Delta_{AC}}\, H_{xC}^{r_{xC} \Delta_{CA}} \\
X_3 &= g_2^{q_x(0)}\, H_{xA}^{r_{xA} \Delta_{AD}}\, H_{xD}^{r_{xD} \Delta_{DA}} &
X_4 &= g_2^{q_x(0)}\, H_{xB}^{r_{xB} \Delta_{BC}}\, H_{xC}^{r_{xC} \Delta_{CB}} \\
X_5 &= g_2^{q_x(0)}\, H_{xB}^{r_{xB} \Delta_{BD}}\, H_{xD}^{r_{xD} \Delta_{DB}} &
X_6 &= g_2^{q_x(0)}\, H_{xC}^{r_{xC} \Delta_{CD}}\, H_{xD}^{r_{xD} \Delta_{DC}}
\end{aligned}
\]
This leads us to equations that have the exact same form as the primary
equations in (5.1). Thus, we can extract $g_2^{q_x(0)}$ for all $x \in \mathcal{T}_u$. Now, we have the
secret shares of all the children nodes at depth $d-1$. We are in a position to
interpolate and get the share of the parent nodes as well. By definition, $q_x(0) =
q_{\mathrm{par}(x)}(\mathrm{index}(x))$, so we can use interpolation and get $q_{\mathrm{par}(x)}(0)$. Thus, by doing
the procedure of interpolation recursively at each level, we can get the value at
the root, $g_2^{q_r(0)}$, which is $g_2$ raised to the master secret. Now, the attacker is just as capable of generating keys for
any set of attributes as the key generating authority.
5.3.5 Total break on hidden ABS without anonymity revocation
The hidden attribute-based signature without anonymity revocation was proposed
by Li and Kim in [LK10]. This scheme has been largely derived from the
work in [LAS+10] and hence it has the exact setup and key-extract phases as in
[LAS+10] and [LK08].
Now, any signer who gets a set of keys from the key-generating authority can
use the same procedure as described in Section 5.2.3 to retrieve the component $g_2^{x}$.
This will enable the attacker to use the strategy in Section 5.2.6 and impersonate
the key generating authority. Hence, the key extract algorithm in this scheme
[LK10] causes a total break of the system.
5.4 Summary of attacks
We summarize all our attacks (mentioned in the previous sections) in the table
below.
ABS Scheme                                    Type of break       Source
Flexible Threshold Predicate Support          Total Break         [LAS+10]
Multiple Attribute Authorities                Universal Forgery   [LAS+10]
Attribute-Based Ring Signatures               Total Break         [LK08]
Threshold Attribute-Based Signatures          Total Break         [SSN09]
Bounded multi-level threshold circuits        Total Break         [KABPR10]
Hidden ABS without anonymity revocation       Total Break         [LK10]
Table 5.1: Table summarizing the attacks
Here, we would like to remark that a total break is one of the strongest attacks
possible and it encompasses a universal forgery. This is because in a total break
the adversary can get keys for any set of attributes, and with that it would be very
simple to give a signature on any message, thus giving the attacker the implicit
capability for universal forgery.
5.5 Observations
Our main observations are that the specific attack we mention is possible when
the following conditions are satisfied:
1. $d$ is a constant and the universe of attributes $U$ contains a large number of
elements.
2. The signer possesses many more than $d$ attributes, although (s)he might not
have $k$ out of the given set of attributes.
It is important here to note that the attack was made on the key construction
and method of verification, and not on the signature itself. The primary flaw in the
key construction is in using the idea of secret shares to distribute the master secret,
and at the same time giving each person many more shares than what is required for
recovering the secret. These additional shares - in the form of dummies and other
attributes the signer has which are not a part of the given set - give the signer multiple ways
to recover a derivative of the master secret key, which in turn leads to the attacks.
Discussion. We would like to remark here that the concept of secret sharing,
when combined with Waters' signature, seems to be vulnerable to the attack we
have focused on, even when the number of keys is far fewer. We strongly feel
that there does not exist a fix for this key-construct that can resist the mentioned
attacks; however, this direction is definitely worth exploring.
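As an added example (mine, not the thesis's code), the following Python models the key construct that Sections 5.3.3, 5.3.4 and 5.5 describe, stripped of the blinding factors $H_1(i)^{r_i}$ so that each key component is the bare share $g_2^{q(i)}$ in a toy prime-order group. It shows the Lagrange recombination $\prod_{i \in S}(g_2^{q(i)})^{\Delta_{i,S}(0)} = g_2^{q(0)}$ that the Sign algorithms use, why every $d$-subset of one user's shares yields the same $g_2^{q(0)}$ (the observation of Section 5.5), how the per-authority secrets and $d_{ca}$ multiply to $g_2^{x}$ (Section 5.3.3), and the bottom-up interpolation over an access tree (Section 5.3.4). The group sizes, the integer attribute encodings, the secret values and the tree layout are all constructed for illustration.

```python
import random
from itertools import combinations

# Toy group: Q = 2N + 1 prime, G2 = 4 generates the order-N subgroup of Z_Q^* (stands in for g_2).
# Exponents live in Z_N.  Constructed toy sizes, chosen so the example runs instantly.
Q, N, G2 = 1019, 509, 4


def lagrange(i, S, x=0):
    """Delta_{i,S}(x) in Z_N, the coefficient applied to share i of the index set S."""
    num = den = 1
    for j in S:
        if j != i:
            num = num * (x - j) % N
            den = den * (i - j) % N
    return num * pow(den, -1, N) % N


def poly_eval(coeffs, x):
    return sum(c * pow(x, k, N) for k, c in enumerate(coeffs)) % N


def issue_shares(secret, attrs, d):
    """Key extract: random q of degree d-1 with q(0) = secret; the user gets g2^{q(i)} for EVERY attribute i."""
    q = [secret % N] + [random.randrange(N) for _ in range(d - 1)]
    return {i: pow(G2, poly_eval(q, i), Q) for i in attrs}


def combine(shares, S):
    """prod_{i in S} (g2^{q(i)})^{Delta_{i,S}(0)} = g2^{q(0)}: Lagrange interpolation in the exponent."""
    acc = 1
    for i in S:
        acc = acc * pow(shares[i], lagrange(i, S), Q) % Q
    return acc


def ways_to_recover(shares, d):
    """(number of d-subsets, number of distinct results): holding more than d shares of ONE polynomial,
    every d-subset rebuilds the same g2^{q(0)} (Section 5.5)."""
    subsets = list(combinations(sorted(shares), d))
    return len(subsets), len({combine(shares, S) for S in subsets})


def central_and_authorities(x, f_values, attrs, d):
    """Section 5.3.3: authority i shares f_{s_i}(u); d_ca = g2^{x - sum f}.  Recovering each authority's
    g2^{f_{s_i}(u)} from its shares and multiplying by d_ca gives g2^x."""
    acc = pow(G2, (x - sum(f_values)) % N, Q)          # d_ca
    for f in f_values:
        shares = issue_shares(f, attrs, d)
        acc = acc * combine(shares, sorted(shares)[:d]) % Q
    return acc


# Section 5.3.4: one polynomial per internal node, q_child(0) = q_parent(index(child)); the user gets
# a share g2^{q_x(i)} for every internal node x and every attribute i he holds.
def issue_tree(secret, node, attrs):
    """node = {"name": str, "thr": k, "children": [subnodes]}; returns {node name: {i: share}}."""
    q = [secret % N] + [random.randrange(N) for _ in range(node["thr"] - 1)]
    keys = {node["name"]: {i: pow(G2, poly_eval(q, i), Q) for i in attrs}}
    for idx, child in enumerate(node["children"], start=1):
        keys.update(issue_tree(poly_eval(q, idx), child, attrs))
    return keys


def recover_root(node, keys):
    """Bottom-up: attribute shares give g2^{q_x(0)} at the lowest internal nodes; a parent then
    interpolates over its children's indices, up to g2^{q_root(0)}."""
    if node["children"]:
        shares = {idx: recover_root(child, keys) for idx, child in enumerate(node["children"], start=1)}
    else:
        shares = keys[node["name"]]
    return combine(shares, sorted(shares)[: node["thr"]])


if __name__ == "__main__":
    secret, attrs, d = 123, [3, 5, 7, 11], 2            # constructed: 4 attributes, threshold d = 2
    shares = issue_shares(secret, attrs, d)
    print(ways_to_recover(shares, d), combine(shares, [5, 11]) == pow(G2, secret, Q))
```

The design lesson for anyone building on this construct is in `ways_to_recover`: a threshold-$d$ polynomial protects its constant term only while no single party holds $d$ of its evaluations, so a key-extract step that evaluates one polynomial at every attribute (plus dummies) of a user has already handed that user the master-secret derivative, blinding or not.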
CHAPTER 6
New Threshold Attribute-Based Signature Scheme
From the attacks in the previous chapter we can see that the idea of secret sharing
introduces a weakness in threshold attribute based ABS schemes. In this section
we propose a new scheme for threshold attribute based signatures which is conceptually
based on ring signatures. We will first briefly relate the idea behind the
scheme before presenting our construction.
Ring signature. A ring signature, introduced by Rivest et al. [RST01], is a form
of digital signature which can be produced by any one member of a ring/group of
signers, all of whom have a set of public/secret key pairs. The ring signature only
says that the message was signed by one member of the ring; moreover, it will not
reveal anything about the signer itself. Additionally, the members of the ring can
be quite arbitrary and the ring can be easily extended to include more people as
long as they each have their own public/private key pairs. In fact there is no need
for the ring members to be endowed with any special property at all. The fact
that ring signatures can maintain the anonymity of a single signer from amongst
a group of people is what makes them appropriate for our threshold needs.
Figure 6.1: Ring ABS where each alleged member of the ring has 4 attributes.
Intuition. Any threshold attribute based signature ensures that the signer possesses
at least $t$ out of the specified signing attributes, say $n'$ in number. Another
way to look at this would be that the signer has at least 1 out of the $\binom{n'}{t}$
combinations of the attribute sets. Thus, a new approach to the same would be for
the signer to pick some $n''$ sets of $t$ attributes each from the $\binom{n'}{t}$ possible sets, and
prove that she has at least one of the $n''$ sets in her possession. Showing that the
signer has 1 out of $n''$ sets is where the idea of ring signature fits in. Note here
that $1 \le n'' \le \binom{n'}{t}$. If $n'' \ge 2$, it would be sufficient to prove that the signature
is valid and the signer has the specified attributes; moreover it would also give a
reasonable degree of anonymity and not reveal the exact credentials of the signer.
If the actual predicate was an AND, then $t = n'$, which means $n'' = 1$ and the
signer needs to prove the possession of the complete set of attributes. On the
other hand, if the predicate consisted of just OR, then $t = 1$ and again the signer
can choose an appropriate $n''$ depending on the amount of privacy she wishes to
have and then produce a signature. With this intuition, we are ready to see the
details of the scheme.
6.1 Underlying Ring Signature
The underlying ring signature scheme that we use for our construction is the
efficient ID-based ring signature scheme proposed by Chow et al. [CYH05]. In
this section we will present the construction of the ring signature scheme. Note
here that ID represents the identity of a user.
6.1.1 Construction
Let $\mathbb{G}_1$ denote a cyclic additive group of prime order $p$ on which the bilinear
function is efficiently computable. Let $e(\cdot,\cdot)$ be the bilinear function, $e : \mathbb{G}_1 \times
\mathbb{G}_1 \to \mathbb{G}_2$. Let $H_1$ and $H_2$ be two hash functions where $H_1 : \{0,1\}^* \to \mathbb{G}_1$ and
$H_2 : \{0,1\}^* \to \mathbb{Z}_p$.
Setup. The trusted authority (TA) randomly chooses $x \in_R \mathbb{Z}_p$, keeps it as the
master secret key and computes the corresponding public key $P_{pub} = xP$. The
system parameters are: $\{\mathbb{G}_1, \mathbb{G}_2, e(\cdot,\cdot), p, P, P_{pub}, H_1, H_2\}$.
Key-Gen. The signer with identity $ID \in \{0,1\}^*$ submits $ID$ to TA. TA sets the
signer's public key $Q_{ID}$ to be $H_1(ID) \in \mathbb{G}_1$ and computes the signer's private signing
key $S_{ID}$ by $S_{ID} = xQ_{ID}$. Then TA sends the private signing key to the signer via
a secure channel, or using some secure and anonymous protocol.
Sign. Let $L = \{ID_1, ID_2, \ldots, ID_n\}$ be the set of all identities of $n$ users. The
actual signer, indexed by $s$ (i.e. his/her public key is $Q_{ID_s} = H_1(ID_s)$), carries out
the following steps to give an ID-based ring signature on behalf of the group $L$.
1. Choose $U_i \in_R \mathbb{G}_1$, compute $h_i = H_2(m \| L \| U_i)$ for all $i \in \{1, 2, \ldots, n\} \setminus \{s\}$.
2. Choose $r'_s \in_R \mathbb{Z}_p$, compute $U_s = r'_s Q_{ID_s} - \sum_{i \ne s}\{U_i + h_i Q_{ID_i}\}$.
3. Compute $h_s = H_2(m \| L \| U_s)$ and $V = (h_s + r'_s) S_{ID_s}$.
4. Output the signature on $m$ as $\sigma = \{\bigcup_{i=1}^{n}\{U_i\}, V\}$.
Verify. A verifier can check the validity of a signature $\sigma = \{\bigcup_{i=1}^{n}\{U_i\}, V\}$ for
the message $m$ and a set of identities $L$ as follows.
1. Compute $h_i = H_2(m \| L \| U_i)$ for all $i \in \{1, 2, \ldots, n\}$.
2. Check whether $e\big(P_{pub}, \sum_{i=1}^{n}(U_i + h_i Q_{ID_i})\big) = e(P, V)$.
3. Accept the signature if it is true, reject otherwise.
Discussion. This signature scheme has formally been shown to have the unconditional
signer anonymity property in [CYH05]. Also, the scheme is proven to be
existentially unforgeable in the chosen message attack game by reduction to the
CDH problem in the random oracle model. The reduction has been shown with
the help of the forking lemma for generic ring signatures [HS04].
6.2 New ABS Scheme Construction
We present the construction for our scheme, which is based on the ring signature
proposed in [CYH05]. Here, for each set of attributes in the chosen $n''$ sets, we aggregate
the attributes by summing them up and form $n''$ components, one for each set.
One of these components has the signer's secret key embedded in it, making it
a ring signature. During the verification phase the signer's component also takes
care of eliminating all the attribute sets except the one which is actually used for
signing, thus proving the possession of one among the chosen $n''$ attribute sets.
Our construction also allows the key-generating authority to revoke anonymity if
required.
6.2.1 Setup
Let $U$ denote the universe of attributes, $U = \{A_1, A_2, \ldots, A_n\}$, where $A_i$ denotes
an attribute. Let $t$ denote the threshold that a user needs to satisfy and $U^*$ denote
the set of attributes in the predicate. If $|U^*| = n'$ then a user must have at least $t$
out of the $n'$ attributes to be able to produce a valid signature on a message. Let
$\mathbb{G}_1$ denote a cyclic additive group of prime order $p$ on which the bilinear function
is efficiently computable. Let $e(\cdot,\cdot)$ be the bilinear function, $e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$.
Let $H_1, H_2, H_3$ and $H_4$ be four hash functions where $H_1 : \{0,1\}^* \to \mathbb{G}_1$,
$H_2 : \{0,1\}^* \to \mathbb{Z}_p$, $H_3 : \{0,1\}^* \to \{0,1\}^*$ and $H_4 : \{0,1\}^* \to \mathbb{G}_1$. Let the generator
of the group be $P \in_R \mathbb{G}_1$, the secret key be $\alpha \in_R \mathbb{Z}_p^*$, and denote $\kappa = e(P, P) \in \mathbb{G}_2$.
The master secret key (msk) is $\alpha$ and $P_{pub} = \alpha P$.
\[
\mathrm{params} = \big(e, \mathbb{G}_1, \mathbb{G}_2, H_1(\cdot), H_2(\cdot), H_3(\cdot), H_4(\cdot), P, P_{pub}, \kappa\big), \qquad \mathrm{msk} = \alpha.
\]
6.2.2 Key Generation
$D \leftarrow \mathrm{KeyGen}(U', ID, \mathrm{msk})$. Let $U'$ be the set of attributes that a user has.
Let $D$ denote the set of keys given to the user. Say $|U'| = n'$. Here, the attribute
authority picks an $r' \in_R \mathbb{Z}_p^*$ and then computes the following:
\[
\begin{aligned}
Q_i &= H_1(A_i), & D_i &= r' \alpha\, Q_i \quad (A_i \in U'), & \tilde{D}_0 &= r' P, \\
\tilde{D}_1 &= r'^{-1} P, & \delta &= H_3(U', ID), \quad W = H_4(\delta), & \tilde{D}_2 &= r'^{-1} W.
\end{aligned}
\]
The attribute authority finally gives the key, $D = \big(\{D_i\}_{i \in \{1,\ldots,n'\}},\ \tilde{D}_0,\ \tilde{D}_1,\ \tilde{D}_2,\ \delta\big)$.
Key verification
Here, the user who is receiving the keys for her attributes can verify the secret
keys as follows.
\[
e(\tilde{D}_0, \tilde{D}_1) \overset{?}{=} \kappa, \qquad
e(\tilde{D}_0, \tilde{D}_2) \overset{?}{=} e\big(P, H_4(H_3(U', ID))\big), \qquad
e(D_i, \tilde{D}_1) \overset{?}{=} e(Q_i, P_{pub})
\]
6.2.3 Sign
$\sigma \leftarrow \mathrm{Sign}(U^*, t, D, m, \mathrm{params})$. The signer who possesses at least $t$ of the attributes
in $U^*$ must be able to produce a valid signature on a message $m$. Let
$T^*$ be the $t$-element subset of attributes of $U^*$ that the user chooses in order to
generate the signature, i.e. $T^* \subseteq U^*$ such that $|T^*| = t$. Let $\mathcal{T}$ be a collection
of $n''$ subsets of attributes from $U^*$ such that each of these subsets has a cardinality
of exactly $t$ and no two of them are equivalent. We'll assume that the sets in $\mathcal{T}$ are
indexed by values from 1 to $n''$, and we'll denote by $T_i$ the elements of $\mathcal{T}$, which
are each a subset of the attributes in $U^*$. So, the signer chooses $\{T_i\}_{i \in \{1,\ldots,n''\}}$
where $T_i \subseteq U^*$, $|T_i| = t$, $T_i \ne T_j$ and $2 \le n'' \le \binom{n'}{t}$. Without loss of generality,
we can assume that the set $T^*$ is present in $\mathcal{T}$ and is at a random index $s$ where
$1 \le s \le n''$. Thus, we refer to $T^*$ as $T_s$ in our subsequent discussions. Hence, $T_s$
is the set of $t$ attributes that the signer possesses among $U^*$, and will use for the
signature, and the remaining $(n'' - 1)$ sets are used just for the sake of anonymity.
Then, the signer computes the following signature components.
The signer first picks $n''$ random values, $r_i \in_R \mathbb{Z}_p^*$ for $i \in \{1, \ldots, n''\}$, and an
$r'' \in_R \mathbb{Z}_p^*$, and then proceeds to generate the signature on $m$ as follows:
1. Set $\tilde{V}_0 = r'' \tilde{D}_0$, $\tilde{V}_1 = r''^{-1} \tilde{D}_1$ and $\tilde{V}_2 = r''^{-1} \tilde{D}_2$.
2. $U_i = r_i \sum_{A_j \in T_i} Q_j$, for $i \in \{1, \ldots, n''\} \setminus \{s\}$.
3. We define $h_i = H_2(m, U_i, T_i, \tilde{V}_0, \tilde{V}_1, \tilde{V}_2)$, for all $i \in \{1, \ldots, n''\} \setminus \{s\}$.
4. $U_s = \Big(r_s \sum_{A_j \in T_s} Q_j\Big) - \Big(\sum_{i=1;\, i \ne s}^{n''} (r_i + h_i) \sum_{A_j \in T_i} Q_j\Big)$
5. We define $h_s = H_2(m, U_s, T_s, \tilde{V}_0, \tilde{V}_1)$, in a manner consistent with the
definition of the $h_i$ values.
6. We set $V = r''(r_s + h_s) \sum_{A_i \in T_s} D_i$.
The final signature is given as:
\[
\sigma = \Big(\{T_i\}_{i \in \{1,\ldots,n''\}},\ \{U_i\}_{i \in \{1,\ldots,n''\}},\ V,\ \tilde{V}_0,\ \tilde{V}_1,\ \tilde{V}_2,\ \delta\Big)
\]
It is important to note in the algorithm that the size of the signature is independent
of the number of attributes, but depends on the degree of privacy
that the signer prefers. This is because $n''$ is a factor that the signer chooses,
depending on the amount of information the signer wishes to reveal.
6.2.4 Verify
The verifier can check the signature by performing the following computations:
\[
e(\tilde{V}_0, \tilde{V}_1) \overset{?}{=} \kappa, \qquad
e(\tilde{V}_0, \tilde{V}_2) \overset{?}{=} e\big(P, H_4(\delta)\big), \qquad
e(V, \tilde{V}_1) \overset{?}{=} e\Bigg(\sum_{i=1}^{n''}\Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big),\ P_{pub}\Bigg)
\]
The signature is valid only if all three checks are satisfied; in all other cases
it is considered to be invalid.
Verification Analysis
We argue here that if the steps of the algorithm are followed without deviation
then the signature given is valid. We will show a proof of the correctness mathematically.
Let's first consider $e(\tilde{V}_0, \tilde{V}_1)$:
\[
e(\tilde{V}_0, \tilde{V}_1) = e(r'' \tilde{D}_0,\ r''^{-1} \tilde{D}_1) = e(r'' r' P,\ r''^{-1} r'^{-1} P) = e(P, P) = \kappa
\]
Next we check $e(\tilde{V}_0, \tilde{V}_2)$:
\[
e(\tilde{V}_0, \tilde{V}_2) = e(r'' \tilde{D}_0,\ r''^{-1} \tilde{D}_2) = e\big(r'' r' P,\ r''^{-1} r'^{-1} H_4(\delta)\big) = e\big(P, H_4(\delta)\big)
\]
Now, we will see if the third verification is also valid, i.e. check whether
\[
e(V, \tilde{V}_1) = e\Bigg(\sum_{i=1}^{n''}\Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big),\ P_{pub}\Bigg)
\]
holds for a valid signature. We look at the L.H.S. and the R.H.S. separately in showing the proof.
Consider the L.H.S.:
\[
\begin{aligned}
e\big(V, \tilde{V}_1\big) &= e\Big(r''(r_s + h_s) \sum_{A_i \in T_s} D_i,\ r''^{-1} \tilde{D}_1\Big) \\
&= e\Big((r_s + h_s) \sum_{A_i \in T_s} D_i,\ r'^{-1} P\Big) \\
&= e\Big((r_s + h_s)\, r' \alpha \sum_{A_i \in T_s} Q_i,\ r'^{-1} P\Big) \\
&= e\Big((r_s + h_s)\, \alpha \sum_{A_i \in T_s} Q_i,\ P\Big) \\
&= e\Big((r_s + h_s) \sum_{A_i \in T_s} Q_i,\ \alpha P\Big) \\
&= e\Big((r_s + h_s) \sum_{A_i \in T_s} Q_i,\ P_{pub}\Big) \qquad (6.1)
\end{aligned}
\]
Now, for the R.H.S.:
\[
e\Bigg(\sum_{i=1}^{n''}\Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big),\ P_{pub}\Bigg)
\]
We'll consider the first component $\sum_{i=1}^{n''}\big(U_i + h_i \sum_{A_j \in T_i} Q_j\big)$ and simplify it before we
compute the mapping.
\[
\begin{aligned}
\sum_{i=1}^{n''}\Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big)
&= \sum_{i=1}^{n''} U_i + \sum_{i=1}^{n''}\Big(h_i \sum_{A_j \in T_i} Q_j\Big) \\
&= U_s + \sum_{i=1;\, i \ne s}^{n''} U_i + \Big(h_s \sum_{A_j \in T_s} Q_j\Big) + \sum_{i=1;\, i \ne s}^{n''}\Big(h_i \sum_{A_j \in T_i} Q_j\Big) \\
&= \Big(r_s \sum_{A_j \in T_s} Q_j\Big) - \Big(\sum_{i=1;\, i \ne s}^{n''} (r_i + h_i) \sum_{A_j \in T_i} Q_j\Big)
   + \Big(h_s \sum_{A_j \in T_s} Q_j\Big) + \sum_{i=1;\, i \ne s}^{n''} U_i + \sum_{i=1;\, i \ne s}^{n''}\Big(h_i \sum_{A_j \in T_i} Q_j\Big) \\
&= \Big(r_s \sum_{A_j \in T_s} Q_j\Big) - \Big(\sum_{i=1;\, i \ne s}^{n''} (r_i + h_i) \sum_{A_j \in T_i} Q_j\Big)
   + \Big(h_s \sum_{A_j \in T_s} Q_j\Big) + \sum_{i \ne s}\Big(r_i \sum_{A_j \in T_i} Q_j\Big) + \sum_{i \ne s}\Big(h_i \sum_{A_j \in T_i} Q_j\Big) \\
&= (r_s + h_s) \sum_{A_i \in T_s} Q_i \qquad (6.2)
\end{aligned}
\]
Using the above we get the R.H.S. to be
\[
e\Bigg(\sum_{i=1}^{n''}\Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big),\ P_{pub}\Bigg) = e\Big((r_s + h_s) \sum_{A_i \in T_s} Q_i,\ P_{pub}\Big) \qquad (6.3)
\]
Thus, from equations (6.1), (6.2) and (6.3) we can see that the verification
holds and can be performed using the public values.
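As an added example (mine, not the thesis's code), here is the scheme of Section 6.2 in Python over a toy bilinear group: the key-verification pairings of 6.2.2, the ring construction of 6.2.3 (the same $U_s$ trick as the Chow et al. ring signature of 6.1.1, generalised to sums of attribute keys) and the three checks of 6.2.4, so the correctness argument just carried out can be exercised on concrete values. Assumptions: the pairing is a toy $e(aP, bP) = H_0^{ab}$ with $\mathbb{G}_1 = \mathbb{Z}_{509}$, which is bilinear and non-degenerate but trivially breakable and therefore only checks the algebra; $H_1, \ldots, H_4$ are SHA-256 based; `alpha`, `kappa` and `delta` are my names for the master secret key, the constant $e(P,P)$ and the value $H_3(U', ID)$; and $h_s$ is hashed with exactly the same inputs as the other $h_i$, since the verifier must recompute every $h_i$ by one rule. The user, attributes and messages are constructed.

```python
import hashlib
import random
from itertools import combinations

# Toy bilinear setting: G1 is modelled as the additive group Z_N (aP is just a mod N, generator P = 1)
# and e(aP, bP) = H0^(ab) in the order-N subgroup of Z_Q^*, Q = 2N + 1.  Bilinear and non-degenerate,
# so it exercises the Sign/Verify algebra, but discrete logs are trivial: never a secure instantiation.
Q, N, H0 = 1019, 509, 4
P = 1


def e(a, b):
    return pow(H0, a * b % N, Q)


def _digest(tag, *parts):
    return hashlib.sha256("|".join([tag, *map(str, parts)]).encode()).digest()


def H1(x):   return int.from_bytes(_digest("H1", x), "big") % N    # {0,1}* -> G1 (a scalar of P)
def H2(*x):  return int.from_bytes(_digest("H2", *x), "big") % N   # {0,1}* -> Z_N
def H3(*x):  return _digest("H3", *x).hex()                        # {0,1}* -> {0,1}*
def H4(x):   return int.from_bytes(_digest("H4", x), "big") % N    # {0,1}* -> G1


def setup():
    alpha = random.randrange(1, N)                 # master secret key ('alpha' is my name for it)
    return {"Ppub": alpha * P % N, "kappa": e(P, P)}, alpha


def keygen(params, alpha, attrs, ident):
    """D = ({D_i}, ~D_0, ~D_1, ~D_2, delta) of Section 6.2.2; 'delta' is my name for H3(U', ID)."""
    r1 = random.randrange(1, N)
    inv = pow(r1, -1, N)
    delta = H3(sorted(attrs), ident)
    return {"D": {a: r1 * alpha * H1(a) % N for a in attrs},   # D_i = r' alpha Q_i
            "D0": r1 * P % N,                                    # ~D_0 = r' P
            "D1": inv * P % N,                                   # ~D_1 = r'^{-1} P
            "D2": inv * H4(delta) % N,                           # ~D_2 = r'^{-1} W, W = H4(delta)
            "delta": delta}


def key_is_consistent(params, key):
    """The three key-verification pairings of Section 6.2.2."""
    if e(key["D0"], key["D1"]) != params["kappa"]:
        return False
    if e(key["D0"], key["D2"]) != e(P, H4(key["delta"])):
        return False
    return all(e(Di, key["D1"]) == e(H1(a), params["Ppub"]) for a, Di in key["D"].items())


def sum_Q(T):
    return sum(H1(a) for a in T) % N


def sign(params, key, U_star, t, m, n2):
    """Section 6.2.3 with n2 = n'' rings; the signer's own t-subset T_s sits at a random index s."""
    own = sorted(set(U_star) & set(key["D"]))
    if len(own) < t:
        raise ValueError("signer holds fewer than t of the predicate attributes")
    Ts = tuple(own[:t])
    others = [T for T in combinations(sorted(U_star), t) if T != Ts]
    if n2 < 2 or n2 - 1 > len(others):
        raise ValueError("n'' must satisfy 2 <= n'' <= C(n', t)")
    T = random.sample(others, n2 - 1)
    s = random.randrange(n2)
    T.insert(s, Ts)
    r2 = random.randrange(1, N)
    inv = pow(r2, -1, N)
    V0, V1, V2 = r2 * key["D0"] % N, inv * key["D1"] % N, inv * key["D2"] % N
    r = [random.randrange(1, N) for _ in range(n2)]
    U, h = [0] * n2, [0] * n2
    for i in range(n2):
        if i != s:
            U[i] = r[i] * sum_Q(T[i]) % N
            h[i] = H2(m, U[i], T[i], V0, V1, V2)
    # U_s absorbs the other rings so that sum_i (U_i + h_i sum Q_j) collapses to (r_s + h_s) sum_{T_s} Q_j
    U[s] = (r[s] * sum_Q(Ts) - sum((r[i] + h[i]) * sum_Q(T[i]) for i in range(n2) if i != s)) % N
    h[s] = H2(m, U[s], Ts, V0, V1, V2)   # assumed: h_s hashed exactly like the other h_i (see lead-in)
    V = r2 * (r[s] + h[s]) * sum(key["D"][a] for a in Ts) % N
    return {"T": T, "U": U, "V": V, "V0": V0, "V1": V1, "V2": V2, "delta": key["delta"]}


def verify(params, m, sig):
    """The three checks of Section 6.2.4; the verifier learns only that one of the rings T_i is satisfied."""
    if e(sig["V0"], sig["V1"]) != params["kappa"] or e(sig["V0"], sig["V2"]) != e(P, H4(sig["delta"])):
        return False
    h = [H2(m, Ui, Ti, sig["V0"], sig["V1"], sig["V2"]) for Ui, Ti in zip(sig["U"], sig["T"])]
    rhs = sum(Ui + hi * sum_Q(Ti) for Ui, hi, Ti in zip(sig["U"], h, sig["T"])) % N
    return e(sig["V"], sig["V1"]) == e(rhs, params["Ppub"])


def demo():
    params, alpha = setup()
    key = keygen(params, alpha, ["A", "B", "C", "D"], "alice")          # constructed user and attributes
    sig = sign(params, key, ["A", "B", "E", "F"], 2, "approve order 17", 3)
    return key_is_consistent(params, key), verify(params, "approve order 17", sig), verify(params, "approve order 18", sig)
```

Two points the run makes visible: the randomisers $r''$ and $r''^{-1}$ cancel inside the pairings, so a verifier learns nothing about $r'$ or which $T_i$ carries the real key, while `delta` travels with the signature so that the authority holding the $(U', ID)$ to `delta` mapping can still revoke anonymity, as Section 6.2 promises.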
6.3 Security
We will show that our threshold attribute based signature scheme is existentially
unforgeable with respect to the chosen message attack (CMA).
6.3.1 Security Notions
We first define the game under which our threshold attribute based ring signature
scheme is existentially unforgeable.
Setup. The challenger $\mathcal{C}$ takes a security parameter $k$ and runs the Setup to
generate common public parameters params and also the master secret key $\alpha$. $\mathcal{C}$
sends params to adversary $\mathcal{A}$.
Attack. The adversary $\mathcal{A}$ chooses a specific attribute $A_x$ and gives it to $\mathcal{C}$. The adversary
can then perform a polynomially bounded number of queries in an adaptive
manner (interactively) with the oracles.
- Hash functions. $\mathcal{A}$ can query for the output of the hash functions $H_1(\cdot)$ and
$H_2(\cdot)$ for any input.
- KeyGen. $\mathcal{A}$ is allowed to query the key for any set of attributes (the set
may include $A_x$).
- Sign. $\mathcal{A}$ picks a set of attributes $U^*$ (it can contain $A_x$), a threshold $t'$, and
any message $m$; $\mathcal{C}$ will output a $(t', n)$-threshold ABS signature on $m$.
Forgery. At the end of the game, $\mathcal{A}$ outputs a threshold attribute based signature
$\sigma$ on the set of attributes $U^*$. The restriction being that $A_x$ must be an element of
every subset $T_i$ given by $\mathcal{A}$, where $|T_i| = t'$ (threshold number of elements). Also,
the chosen set of attributes must not have been queried (as a single set) directly or
as a subset (of a larger set) during any of the key-generation or signature queries.
This ensures that the adversary has not queried for at least one element from each
subset of elements which can possibly satisfy the threshold. This game model also
captures the proof of security for the scheme's collusion-resistant nature. This is
because, here, the adversary may have the keys for all of the attributes (including
$A_x$) as part of one set or another, but $\mathcal{A}$ should not be able to combine the secret
keys to generate a signature for the given set. $\mathcal{A}$ wins the game if the verification
on $\sigma$ passes the check.
6.3.2 Modified Computational Bilinear Diffie-Hellman Assumption
We'll state the modified computational Diffie-Hellman problem, as we use it, to
prove the security of our scheme.
Let $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be an efficiently computable bilinear map, where $\mathbb{G}$ has
prime order $p$. The modified computational bilinear Diffie-Hellman (m-CBDH) assumption
is said to hold in $\mathbb{G}$ if, given elements $\{P, aP, bP, cP, a^{-1}P\}$, no probabilistic
polynomial-time adversary can compute $e(P, P)^{abc}$ with non-negligible advantage,
where $a, b, c \in_R \mathbb{Z}_p^*$ and generator $P \in \mathbb{G}$ are chosen independently and
uniformly at random.
6.3.3 Unforgeability
Theorem 6.3.1 (Unforgeability) In the random oracle model (where the hash
functions are modeled as random oracles), if there exists an algorithm A that
can win the existentially unforgeable, chosen message attack game, with non-
negligible probability by making a valid ABS in polynomial time, then the modied-
computational bilinear Die-Hellman (m-CBDH) problem can be solved in poly-
nomial time.
Proof: The proof of unforgeability of our threshold attribute based signature follows, to some extent, that given by Chow et al. in [CYH05]. In the subsequent discussion we will show the reduction of our scheme to solving the CBDH problem.
In order to solve the m-CBDH problem, the challenger C receives the instance $\{P, aP, bP, cP, a^{-1}P\}$ and has to finally produce $e(P, P)^{abc}$ as the output. The challenger will run A as a subroutine in the existential unforgeability game. As defined in the game, A can make queries to the hash functions; although the hash outputs will be random, the challenger C will maintain separate lists of the queries and responses of each oracle in order to simulate proper collision-resistant hash functions and avoid inconsistencies. Also, in the proof, we'll make the assumption that all the $H_1(A_i)$ queries are made before they are used in any further oracle queries.
Setting. First, the challenger C sets the public key as $P_{pub} = aP$ and the master secret as $\alpha = a$. Note that C does not know $a$, $b$ or $c$, but it will simulate those values during its responses to A, with the help of $aP$, $bP$, $cP$ and $a^{-1}P$.
$H_1$ queries. When A makes queries to the hash function $H_1(\cdot)$ with some attribute $A_i$ as input, C does the following. If $A_i$ was already queried before, the hash value will be in the list $L_1$ and C will search for and return the stored value. Otherwise, it first picks an $s_i \in \mathbb{Z}_p^*$ uniformly at random, and then checks if this value is present in the list $L_1$. If it is present, C re-picks $s_i$, repeating the process until it gets a new value. Then, if $A_i \ne A_x$, it sets $Q_i = H_1(A_i) = s_i P$. If $A_i = A_x$, then it sets $Q_x = H_1(A_x) = s_x (bP)$. After each response, C makes sure to save the tuple $\langle A_i, s_i, Q_i \rangle$ in the list $L_1$, if it wasn't already present.
$H_3$ queries. Queries to the $H_3$ oracle are answered by the challenger as follows. C picks a $\psi \in \mathbb{Z}_p^*$ uniformly at random, and then checks if this value is present in the list $L_3$. If it is present, then it re-picks $\psi$, repeating the process until it gets a new value. Then the tuple $\langle U', ID, \psi \rangle$ is added to the list $L_3$.
$H_4$ queries. The list $L_4$ is used to maintain the queries and responses of this oracle. When an input $\psi$ is queried for its hash, the list $L_4$ is looked up to see if a matching entry already exists; if it is found, the corresponding value is returned. In all other cases, a $w \in_R \mathbb{Z}_p^*$ is picked uniformly at random and $W$ is set to be $W = wcP$. The tuple $\langle \psi, W, w \rangle$ is added to the list $L_4$.
Key-Gen queries. Adversary A is allowed to request the private keys on any set of attributes $U'$ (including $A_x$). So, we will consider this in two cases: (1) when the element $A_x \notin U'$, and (2) when the element $A_x \in U'$.
Case-1: When the challenger gets a query where $A_x \notin U'$, C first picks $r' \in_R \mathbb{Z}_p^*$ and then gives the keys as follows:
1. Set $\tilde D_0 = r' P$ and $\tilde D_1 = r'^{-1} P$.
2. Now, $\psi = H_3(U', ID)$.
3. $W = H_4(\psi)$; this is set as $W = w(cP)$ ($w \in_R \mathbb{Z}_p^*$).
4. The tuple $\langle U', ID, \psi \rangle$ is added to $L_3$ and the tuple $\langle \psi, w, W \rangle$ is added to $L_4$.
5. Compute $\tilde D_2 = r'^{-1} W = r'^{-1} w(cP)$.
6. It retrieves the tuple $\langle A_i, s_i, Q_i \rangle$ corresponding to $A_i$ from the list $L_1$.
7. Then, it sets $D_i = r' s_i (aP)$ and returns $D_i$.
Case-2: If however $A_x \in U'$, then the keys are given as follows. Let $r'' \in_R \mathbb{Z}_p^*$ be chosen at random. Assume $r' = r''/a$. Then the rest of the values are set as follows:
1. Set $\tilde D_0 = r' P = r''(a^{-1}P)$ and $\tilde D_1 = r'^{-1} P = r''^{-1}(aP)$.
2. Now, $\psi = H_3(U', ID)$.
3. $W = H_4(\psi)$; this is set as $W = wP$ ($w \in_R \mathbb{Z}_p^*$).
4. The tuple $\langle U', ID, \psi \rangle$ is added to $L_3$ and the tuple $\langle \psi, w, W \rangle$ is added to $L_4$.
5. Compute $\tilde D_2 = r'^{-1} W = r''^{-1} w(aP)$.
6. Finally, $D_i = r'' Q_i$ for each $A_i \in U'$; in particular $D_x = r'' s_x (bP)$.
The final key is given as $D = \big( \{D_i\}_{i \in \{1,\dots,n'\}},\ \tilde D_0,\ \tilde D_1,\ \tilde D_2 \big)$.
In both cases, all the intermediate random values that have been chosen by the challenger are added to the respective lists along with the computed components and final responses.
$H_2$ queries. Whenever queries to $H_2(\cdot)$ are made, C first looks up the entries in $L_2$ to see if the same query was made previously. If a matching entry is found, it gives the corresponding saved hash value; otherwise, it just picks a random value from $\mathbb{Z}_p^*$ and gives it as output, storing the input and response as a tuple in $L_2$.
Sign. Signature requests are answered by C as follows:
It first picks a $T_s$ at random. If $A_x \notin T_s$, then it computes the signature as in the algorithm in Section 6.2.3, since it knows all the components. It also makes sure to save the hash queries and responses, like the $h_i = H_2(m, U_i, T_i, \tilde V_0, \tilde V_1)$ components, in the list $L_2$. If however $A_x \in T_s$, it first selects $n'$ random values $r_i \in_R \mathbb{Z}_p^*$ for $i \in \{1, \dots, n'\}$, and computes the following:
1. $\tilde V_0 = \tilde r\, \tilde D_0 = \tilde r\, r' P$, $\quad \tilde V_1 = \tilde r^{-1} \tilde D_1 = \tilde r^{-1} r'^{-1} P$, $\quad \tilde V_2 = \tilde r^{-1} \tilde D_2 = \tilde r^{-1} r'^{-1} H_4(\psi)$.
2. Add the values $\tilde r, U', \tilde D_0, \tilde D_1, \tilde D_2, T_s$ to the sign oracle list.
3. Picks $z \in_R \mathbb{Z}_p^*$ and sets¹ $V = \tilde r\, z(aP)$.
4. For $i \in \{1, \dots, n'\} \setminus \{s\}$:
- Computes $U_i = r_i \sum_{A_j \in T_i} Q_j$.
- Gets $h_i = H_2(m, U_i, T_i, \tilde V_0, \tilde V_1, \tilde V_2)$ and saves $h_i$ in the list $L_2$.
5. $U_s = zP - h'_s \sum_{A_j \in T_s} Q_j - \sum_{i \ne s} (r_i + h_i) \sum_{A_j \in T_i} Q_j$.
6. $V = \tilde r\, r' z(aP)$.
7. Save the tuple $\langle h'_s, U_s, T_s, \tilde V_0, \tilde V_1, \tilde V_2, V \rangle$ in $L_2$.
8. $\sigma = \big( \{T_i\}_{i \in \{1,\dots,n'\}},\ \{U_i\}_{i \in \{1,\dots,n'\}},\ V,\ \tilde V_0,\ \tilde V_1,\ \tilde V_2,\ \psi \big)$.
The proof for the verification of this signature can be found in Appendix A.1.
Forgery. Finally, A will output $\sigma = \big( \{T_i, U_i\}_{i \in \{1,\dots,n'\}},\ V,\ \tilde V_0,\ \tilde V_1,\ \tilde V_2,\ \psi \big)$, the forged signature on the message $m$, such that $A_x$ is present in each of the chosen subsets $T_i$ on which the ring signature is given.
Solving CBDH. From the forking lemma for generic ring signature schemes [HS04] it follows that, if with non-negligible probability A can give a valid forged signature in the above interaction within time $T_A$, then we can construct another algorithm $A'$ which, within time $2T_A$, can output two signatures $\sigma$ and $\sigma'$ with values
$$\sigma = \big( \{T_i, U_i\}_{i \in \{1,\dots,n'\}},\ V,\ \tilde V_0,\ \tilde V_1,\ \tilde V_2,\ \psi \big); \qquad \sigma' = \big( \{T_i, U_i\}_{i \in \{1,\dots,n'\}},\ V',\ \tilde V'_0,\ \tilde V'_1,\ \tilde V'_2,\ \psi \big)$$
also with non-negligible probability. It also follows from the lemma that with non-negligible probability we can have $h_i = h'_i$ for all $i \in \{1, \dots, n'\} \setminus \{s\}$. Now, given $A'$ derived from $A$, we can solve for $e(P, P)^{abc}$ as follows.
$$e(P, P)^{abc} = \left[ \frac{\left( \dfrac{e(V, \tilde V_2)}{e(V', \tilde V'_2)} \right)^{w^{-1} (h_s - h'_s)^{-1}}}{e\Big( \sum_{A_i \in T_s,\, A_i \ne A_x} s_i (aP),\ cP \Big)} \right]^{s_x^{-1}}$$
This is possible since $s_x$ can be looked up from the list $L_1$, and the values of $s_i$ (for all $A_i \in T_s$, $A_i \ne A_x$) can also be found from the table $L_1$. Also, $h_s$ and $h'_s$ can be queried on $H_2$'s list $L_2$ from the given values, and can be found within a constant number of trials.
A more detailed derivation, showing the computations involved in extracting the solution for CBDH, can be found in Appendix A.2.
¹ Note: This cannot be done by a normal signer since $r'$ will only be available to the attribute authority.
6.3.4 Anonymity
In this section we will define what anonymity is and prove that our scheme provides unconditional anonymity to the signer's attribute subset used in the signature.
We define signer ambiguity for our scheme in a manner similar to the one given in [CYH05] for ring signatures. An attribute-based signature scheme, using the ring approach as defined by us, for the threshold access structure, is said to have unconditional signer attribute-set ambiguity if for any group of $n'$ attribute subsets $\{T\}$, where $T = \bigcup T_i$, $1 \le i \le n'$, $T_i \subseteq U'$ and $|T_i| = t$, any message $m$ and any signature $\sigma$, where $\sigma = \mathrm{Sign}(m, t, U')$, any verifier A, even with unbounded computing resources, cannot identify the actual attribute subset of the signer (used in the signature) with probability better than a random guess. That is, A can output the actual signer's chosen attribute subset (indexed by $T_s$) with probability no better than $1/n'$.
Theorem 6.3.2 (Anonymity) Our threshold attribute-based signature has the unconditional signer attribute-set anonymity property.
Proof: We first claim that all the $U_i$'s are uniformly distributed. This is because each $U_i$ (including $U_s$) is obtained by multiplying the components with a value $r_i$ that is chosen uniformly at random. So, we can say that the $U_i$'s by themselves (as independent entities) don't leak any information. Another component of the signature, $\psi$, is a hash of the attributes of the user, but since it is a hash and is created even before $T_s$ is chosen, it cannot reveal anything about $T_s$. Also, the other values $\tilde V_0$, $\tilde V_1$ and $\tilde V_2$ are unrelated to $T_s$. So, it remains to be seen if $V$ gives away any information about $T_s$ with the help of the bilinear map function along with any of the given components and public values.
So, we will consider if $V = \tilde r (r_s + h_s) \sum_{A_i \in T_s} D_i$ leaks anything about $T_s$.
Let us focus on $V - \tilde r\, h_s \sum_{A_i \in T_s} D_i = \tilde r\, r_s \sum_{A_i \in T_s} D_i$. The $h_s$ component can be obtained publicly since it is a hash. We'll see if this component gives away information related to $T_s$ when considered along with $\tilde V_1 = \tilde r^{-1} r'^{-1} P$ in the bilinear map. If we manage to get $\tilde r\, r_s \sum_{A_i \in T_s} D_i$, then we can do the following verification test: we check if
$$e\Big(\tilde r\, r_s \sum_{A_i \in T_s} D_i,\ \tilde V_1\Big) \stackrel{?}{=} e\Big(r_s \sum_{A_i \in T_s} Q_i,\ P_{pub}\Big).$$
To do this, any user who suspects that the set $T_k$ was used in signing the message will only need to check if
$$e\Big(U_k + \sum_{i \ne k}\Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big),\ P_{pub}\Big) \stackrel{?}{=} e(V, \tilde V_1) \Big/ e\Big(h_k \sum_{A_j \in T_k} Q_j,\ P_{pub}\Big).$$
We will now show that, although the above equality is valid for $k = s$, it is equally valid for any of the other attribute subsets in $T$, i.e. the check is symmetric with respect to any attribute subset and hence does not reveal anything about $T_s$.
To see that, consider (using $U_i = r_i \sum_{A_j \in T_i} Q_j$ for $i \ne s$, and $D_i = r' \alpha Q_i$ where $\alpha$ is the master secret with $P_{pub} = \alpha P$):
$$\begin{aligned}
U_k + \sum_{i \ne k}\Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big)
&= U_s + \sum_{i \ne s} U_i + \sum_{i \ne k} h_i \sum_{A_j \in T_i} Q_j \\
&= \Big[ r_s \sum_{A_j \in T_s} Q_j - \sum_{i \ne s} (r_i + h_i) \sum_{A_j \in T_i} Q_j \Big] + \sum_{i \ne s} U_i + \sum_{i \ne k} h_i \sum_{A_j \in T_i} Q_j \\
&= r_s \sum_{A_j \in T_s} Q_j - \sum_{i \ne s} r_i \sum_{A_j \in T_i} Q_j - \sum_{i \ne s} h_i \sum_{A_j \in T_i} Q_j + \sum_{i \ne s} U_i + \sum_{i \ne k} h_i \sum_{A_j \in T_i} Q_j \\
&= r_s \sum_{A_j \in T_s} Q_j - h_k \sum_{A_j \in T_k} Q_j + h_s \sum_{A_j \in T_s} Q_j \\
&= (r_s + h_s) \sum_{A_j \in T_s} Q_j - h_k \sum_{A_j \in T_k} Q_j \\
&= \tilde r^{-1} r'^{-1} \alpha^{-1} V - h_k \sum_{A_j \in T_k} Q_j
\end{aligned}$$
Thus,
$$e\Big(U_k + \sum_{i \ne k}\Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big),\ P_{pub}\Big) = e\Big(\tilde r^{-1} r'^{-1} \alpha^{-1} V - h_k \sum_{A_j \in T_k} Q_j,\ P_{pub}\Big) = e(V, \tilde V_1) \Big/ e\Big(h_k \sum_{A_j \in T_k} Q_j,\ P_{pub}\Big)$$
This proves that the check is symmetric with respect to all attribute subsets in $T = \bigcup T_i$, $1 \le i \le n'$. So, the signature components are independent and uniformly distributed irrespective of the attribute subset being used. Thus, our scheme is unconditionally signer attribute-set anonymous.
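As an added example (not part of the thesis), the following Python sketch exercises the symmetry argument above in a scalar model of the pairing group: each point $xP$ is represented by the scalar $x \bmod p$ and $e(xP, yP)$ by $xy \bmod p$, which is enough to check the linear identities but provides no security. It builds a ring over all $\binom{n'}{t}$ subsets of a constructed attribute set, closes it at the position $s$ actually used, verifies the third verification equation, and then runs the suspect check for every $k$; the helper names, the SHA-256 stand-in for $H_2$ and the omission of the $H_4$ component $\tilde V_2$ (unrelated to $T_s$) are this example's own assumptions.

```python
import hashlib
import secrets
from itertools import combinations

# Toy scalar model of the pairing group (constructed for this example).
# A point xP is represented by the scalar x mod p, so e(xP, yP) is modelled
# by the exponent x*y mod p and a quotient in G_T by exponent subtraction.
# This checks the algebra of Section 6.3.4 only; it offers no security.
p = (1 << 127) - 1

def rand_scalar() -> int:
    return secrets.randbelow(p - 1) + 1

def pairing(x: int, y: int) -> int:
    """e(xP, yP), kept as the exponent of e(P, P)."""
    return x * y % p

def H2(m: bytes, U_i: int, T_i: tuple, V0: int, V1: int, V2: int) -> int:
    """Random oracle H_2 modelled with SHA-256, output in Z_p."""
    data = b"|".join([m, str(U_i).encode(), repr(sorted(T_i)).encode(),
                      str(V0).encode(), str(V1).encode(), str(V2).encode()])
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p

def sum_Q(Q: dict, T: tuple) -> int:
    """Sum of Q_j = H_1(A_j) over the attributes A_j in T."""
    return sum(Q[a] for a in T) % p

def keygen(alpha: int, Q: dict, attrs: tuple) -> tuple:
    """Key shape used in the proof: D_i = r' alpha Q_i, D~_0 = r'P, D~_1 = r'^-1 P."""
    r1 = rand_scalar()
    D = {a: r1 * alpha * Q[a] % p for a in attrs}
    return D, r1, pow(r1, -1, p)

def sign(m: bytes, Q: dict, T_list: list, s: int, key: tuple) -> dict:
    """Ring over the subsets in T_list, closed at the position s actually used."""
    D, D0, D1 = key
    rt = rand_scalar()                                # r~
    V0, V1 = rt * D0 % p, pow(rt, -1, p) * D1 % p     # V~_0, V~_1
    V2 = 0  # the H_4 component is unrelated to T_s and is not modelled
    n = len(T_list)
    r = {i: rand_scalar() for i in range(n)}
    U, h = {}, {}
    for i in range(n):
        if i != s:
            U[i] = r[i] * sum_Q(Q, T_list[i]) % p
            h[i] = H2(m, U[i], T_list[i], V0, V1, V2)
    # U_s = r_s sum Q(T_s) - sum_{i != s} (r_i + h_i) sum Q(T_i)
    U[s] = (r[s] * sum_Q(Q, T_list[s])
            - sum((r[i] + h[i]) * sum_Q(Q, T_list[i]) for i in range(n) if i != s)) % p
    h[s] = H2(m, U[s], T_list[s], V0, V1, V2)
    V = rt * (r[s] + h[s]) * sum(D[a] for a in T_list[s]) % p  # r~ (r_s + h_s) sum D_i
    return {"T": T_list, "U": U, "V": V, "V0": V0, "V1": V1, "V2": V2}

def ring_total(m: bytes, Q: dict, sig: dict) -> int:
    """sum_i (U_i + h_i sum_{A_j in T_i} Q_j), recomputing every h_i."""
    total = 0
    for i, T_i in enumerate(sig["T"]):
        h_i = H2(m, sig["U"][i], T_i, sig["V0"], sig["V1"], sig["V2"])
        total = (total + sig["U"][i] + h_i * sum_Q(Q, T_i)) % p
    return total

def verify(m: bytes, Q: dict, Ppub: int, sig: dict) -> bool:
    """Third verification equation: e(V, V~_1) == e(sum(...), P_pub)."""
    return pairing(sig["V"], sig["V1"]) == pairing(ring_total(m, Q, sig), Ppub)

def suspect_check(m: bytes, Q: dict, Ppub: int, sig: dict, k: int) -> bool:
    """The test a verifier who suspects T_k might run (Section 6.3.4)."""
    h_k = H2(m, sig["U"][k], sig["T"][k], sig["V0"], sig["V1"], sig["V2"])
    hk_Qk = h_k * sum_Q(Q, sig["T"][k])
    lhs = pairing(ring_total(m, Q, sig) - hk_Qk, Ppub)
    rhs = (pairing(sig["V"], sig["V1"]) - pairing(hk_Qk, Ppub)) % p
    return lhs == rhs

def run_demo(attr_count: int = 5, t: int = 3) -> dict:
    """Constructed instance in which all C(n', t) subsets form the ring."""
    m = b"constructed message"
    attrs = tuple(f"attr{i}" for i in range(attr_count))
    Q = {a: rand_scalar() for a in attrs}      # Q_j = H_1(A_j) as scalars
    alpha = rand_scalar()                      # master secret; P_pub = alpha P
    key = keygen(alpha, Q, attrs)
    T_list = list(combinations(attrs, t))
    s = secrets.randbelow(len(T_list))         # the subset really used
    sig = sign(m, Q, T_list, s, key)
    tampered = dict(sig, V=(sig["V"] + 1) % p)
    return {
        "valid": verify(m, Q, alpha, sig),
        "tampered_valid": verify(m, Q, alpha, tampered),
        "n_subsets": len(T_list),
        "passing": sum(suspect_check(m, Q, alpha, sig, k) for k in range(len(T_list))),
    }
```

Every $k$ passes the suspect check, so it tells a verifier nothing beyond what verification already establishes; `run_demo()` returns the counts, and `tampered_valid` confirms that the verification equation itself still rejects a modified $V$.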
6.4 Advantages of the new approach
The proposed threshold scheme has a new property that we can call controlled partial anonymity, which is not known to be present (to the best of our knowledge) in any of the previous threshold attribute based signature schemes. This is a feature that allows the signers to control their anonymity even if the signing policy is not determined by them. We will illustrate this feature with an example. Let us say Alice is signing a document which requires the signer to satisfy a threshold predicate, and she has sufficient attributes to satisfy the predicate. Say one of the attributes of the signing policy is "CIA officer". Now, Alice, being a CIA officer among other things, wishes to highlight this particular fact in her signature (although it may not be necessary). She can choose all the $n'$ attribute sets $\{T_i\}_{i \in \{1,\dots,n'\}}$ with "CIA officer" being one of the attributes in each of these sets. By doing this, she has control over which of her attributes she wants to reveal. But if Alice does not wish to reveal anything about her credentials except that they satisfy the necessary threshold, then she will have to give all the $\binom{n'}{t}$ possible sets. If, on the other hand, Alice is completely indifferent about revealing all of her attributes, then she can give a signature and include a single subset of attributes. That set should contain just the exact set of attributes used in the signature in order to satisfy the given policy. Note that this will also be a constant size signature, since it will have only one $T_i$ and $U_i$.
The power that this feature gives is that, even if the signing policy is specified by a different authority, the signer can choose to reveal more in the signature than what other schemes would normally allow. In a way, our approach allows the signer control over the signature size and privacy, although he/she may not have had the freedom to set the signing policy. If a signer does not care about privacy, then she can go for a constant size signature. On the other hand, if the size of the signature components is immaterial, then the signer can choose to get complete privacy by choosing all the subsets of attributes satisfying the policy to be a part of the signature.
We also observe that this scheme can be extended to a multi-level threshold attribute based signature if each attribute is present only once in the predicate.
CHAPTER 7
Conclusions and Directions for Future Work
We conclude our discussions on attribute-based cryptosystems in this chapter. We will first recap our work on size efficient attribute based schemes and present some of the challenges this area poses. We will then revisit the security of ABS schemes and outline our inferences. We present some interesting directions for future work in the area of threshold attribute-based signatures with particular focus on our new approach. We also give some intuitions for potential solutions to some of the problems we pose. Finally, we'll end this chapter by summarizing our work and presenting the potential this field has in the emerging computing world.
7.1 Conclusion
7.1.1 Threshold CP-ABE
The first problem we looked at was multi-level threshold attribute-based encryption. We focused on ciphertext-policy based schemes since CP-ABE addresses the problem of attribute-based communication in a natural way, i.e. the access policy is associated with the ciphertext during encryption and each user gets keys based on the attributes/credentials they have. We paid particular attention to efficiency because almost all attribute-based solutions require a huge number of components for keys and ciphertext, making them cumbersome for large-scale tasks. Although some constant-size threshold schemes exist, they only support one gate and are not as expressive as some of the applications and real-world situations require them to be. Ours is an attempt to give an efficient scheme that does not compromise on the expressiveness of the access policy. We also believe that ours is the first multi-level threshold scheme where the size of the ciphertext is proportional to the complexity of the predicate policy as opposed to the number of attributes involved.
Proposed Extensions. Our scheme appears to be provable only in the generic model. An immediate open problem would be to provide a scheme that can be reduced to a well known hard assumption. Additionally, this problem would be considered completely solved only if a scheme that can be proved in the standard model is also presented.
Another natural extension to our work would be to design a provably secure constant-size multi-level threshold CP-ABE scheme. Such a scheme would be most practical, both for its compactness and the manifold control that it can provide to the access policy.
7.1.2 Attribute Based Signatures
With regard to attribute-based signatures, our study has shown that many of the ABS schemes have been influenced by CP-ABE constructions. We also observed that the idea of secret sharing and the use of dummy attributes play an important role in the formulation of schemes that support threshold access structures. These observations, coupled with our study of the Waters signature on the attributes, gave us some intuitions for the attacks. However, we have seen other threshold schemes making use of secret sharing that do not exhibit this vulnerability. We notice that some of these schemes use different mechanisms to generate their keys, and some others using the Waters signature ensure a check on the dummy values provided to the user. Modifying the broken schemes to force some properties on the number of dummy values makes them inept for threshold predicates. This has led us to conclude that the schemes for which we presented breaks cannot be fixed easily.
Open Problem. We leave it as an open problem to come up with a provably secure attribute based signature scheme with a key construct that makes use of a linear secret sharing scheme combined with the Waters signature.
7.1.3 Threshold ABS - New Directions
In our work on threshold attribute based signatures, we give a completely new perspective on the problem of threshold signatures. Instead of viewing it as a single $(k, n)$ component, we break it up as 1-out-of-$n'$, $k$-sized, components. This view gives us the flexibility to use the trusted and well established idea of ring signatures for the signing algorithm. However, there is still the challenge of being able to aggregate the attributes into $k$-sized components. While an aggregate signature allows one to verify each sub-component's identity (signer), the fundamental aspect of a ring signature is to give anonymity and prevent anyone from recognizing the exact signer. The combination of these two contrasting features is critical in devising a scheme based on our new concept. It is easy to see from our scheme that the aggregation is required since we want to be able to identify all the attributes in each of the chosen $n'$ subsets. However, we use the ring externally, to combine these subsets so that a recipient is not able to identify which of the subsets was used during the signing algorithm. Our scheme provides a construct that maps both features to create an interesting threshold ABS scheme that gives the signer a different way to control his/her anonymity.
Future directions. In this thesis we show that our scheme can be reduced to a modified version of the CBDH problem with the help of the forking lemma. However, the forking lemma does not lead to a tight reduction. A challenging line of work would be to develop a scheme that can be proved secure without the use of the forking lemma. If such a scheme can be provided, it can also address the open problem of creating a provably secure ring signature scheme with a tight reduction to some hard problem.
7.2 Summary
We began this work by studying various aspects of attribute-based cryptosystems. We looked at the origin of attribute-based encryption and traced its development. We then closely investigated size-efficient CP-ABE schemes. Later, we moved to threshold CP-ABE schemes that had achieved constant-size ciphertexts. Our observation that all the proposed constant-size ABE schemes could support only one gate led us to explore and obtain an efficient and expressive threshold CP-ABE scheme. We inferred that an extension of the regular threshold schemes to multi-level threshold would give them the required expressiveness. The scheme we propose here supports multiple levels of threshold and at the same time has far fewer ciphertext components than previous such schemes. Our scheme results in a ciphertext size that is independent of the number of attributes; it depends only on the number of gates in the access structure. Although our proposal appears reliable and robust (which we have seen with an example), its security remains to be formalized. A good extension in this area would be to devise a provably secure constant-size ciphertext multi-threshold CP-ABE.
Next, we looked at attribute-based signatures, and pointed out vulnerabilities in a number of schemes. We closely examined the key-generating algorithm on which our attacks were based. Then, we formally presented the different ways in which each of these schemes could be attacked. We concluded that the attacks cannot be fixed easily just by changing the number of components (attributes and dummies) given to the user; a fix would require a different key-generating mechanism altogether. But we still think it is a worthwhile venture to design a threshold attribute-based signature scheme built on the Waters signature and the secret sharing principle that is resistant to our attack.
With the momentum of the breaks we decided to explore a new way to perceive threshold attribute-based signatures. Threshold is an instantly appealing predicate primarily due to its versatility. So, we took up the challenge of creating a novel threshold-ABS scheme founded on the principles of ring signatures. Our construction aggregated attribute sets and gave a signature on a ring comprising various attribute subsets. Although our scheme is sound, it has been proved secure in the selective model with the help of the forking lemma, which makes the reduction, and in turn the security, weak. A good problem in this direction would be to come up with a tightly-reducible scheme based on the proposed approach. This can also lead to resolving some open problems in ring signatures.
Finally, in this chapter, we gave a more complete picture of our work in attribute-based cryptosystems. We consolidated our observations and inferences. We also reflected on some of the interesting lines on which work in this area can proceed. The problems we have looked at are all fundamental issues faced in distributed settings. With large-scale data decentralization and vast networks of distributed data (from social networks, cloud computing, electronic mail etc.) we can see a number of avenues where such kind of security is highly pertinent. By tackling these problems, we not only look at solving some central security issues, we also embrace these emerging technologies and the new revolution in communication that they bring with them.
APPENDIX A
Detailed Analysis of Proof
This chapter is dedicated to showing the correctness of the verification steps used in the proof of our scheme in Chapter 6; in particular we look at the proof of Theorem 6.3.1.
A.1 Sign Oracle Correctness
We will show the proof of the verification of the signature generated by the oracle while showing the security of the scheme (from Section 6.3.3).
The signature components generated by the sign oracle are as follows:
1. $\tilde V_0 = \tilde r\, \tilde D_0 = \tilde r\, r' P$, $\quad \tilde V_1 = \tilde r^{-1} \tilde D_1 = \tilde r^{-1} r'^{-1} P$, $\quad \tilde V_2 = \tilde r^{-1} \tilde D_2 = \tilde r^{-1} r'^{-1} H_4(\psi)$
2. $V = \tilde r\, z(aP)$
3. For $i \in \{1, \dots, n'\} \setminus \{s\}$:
- Computes $U_i = r_i \sum_{A_j \in T_i} Q_j$
- Gets $h_i = H_2(m, U_i, T_i, \tilde V_0, \tilde V_1, \tilde V_2)$
4. $U_s = zP - h'_s \sum_{A_j \in T_s} Q_j - \sum_{i \ne s} (r_i + h_i) \sum_{A_j \in T_i} Q_j$
5. $V = \tilde r\, r' z(aP)$
6. $\sigma = \big( \{T_i\}_{i \in \{1,\dots,n'\}},\ \{U_i\}_{i \in \{1,\dots,n'\}},\ V,\ \tilde V_0,\ \tilde V_1,\ \tilde V_2,\ \psi \big)$
Now, the verification has to satisfy the following three equations:
$$e(\tilde V_0, \tilde V_1) \stackrel{?}{=} e(P, P)$$
$$e(\tilde V_0, \tilde V_2) \stackrel{?}{=} e(P, H_4(\psi))$$
$$e(V, \tilde V_1) \stackrel{?}{=} e\Big( \sum_{i=1}^{n'} \Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big),\ P_{pub} \Big)$$
A.1.1 Verification analysis
Let's first consider $e(\tilde V_0, \tilde V_1)$:
$$e(\tilde V_0, \tilde V_1) = e(\tilde r\, \tilde D_0,\ \tilde r^{-1} \tilde D_1) = e(\tilde D_0, \tilde D_1) = e(r' P,\ r'^{-1} P) = e(P, P)$$
Similarly, for $e(\tilde V_0, \tilde V_2)$:
$$e(\tilde V_0, \tilde V_2) = e(\tilde r\, \tilde D_0,\ \tilde r^{-1} \tilde D_2) = e(\tilde D_0, \tilde D_2) = e(r' P,\ r'^{-1} H_4(\psi)) = e(P, H_4(\psi))$$
Now, we will see if $e(V, \tilde V_1) = e\Big( \sum_{i=1}^{n'} \big(U_i + h_i \sum_{A_j \in T_i} Q_j\big),\ P_{pub} \Big)$ will hold true.
Consider the L.H.S:
$$e(V, \tilde V_1) = e\big(\tilde r\, r' z(aP),\ \tilde r^{-1} r'^{-1} P\big) = e(z(aP), P) = e(zP, P_{pub}) \qquad \text{(A.1)}$$
Now, for the R.H.S:
$$e\Big( \sum_{i=1}^{n'} \Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big),\ P_{pub} \Big)$$
Let's just consider the first component:
$$\begin{aligned}
\sum_{i=1}^{n'} \Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big)
&= \sum_{i=1}^{n'} U_i + \sum_{i=1}^{n'} \Big(h_i \sum_{A_j \in T_i} Q_j\Big) \\
&= U_s + \sum_{i=1,\, i \ne s}^{n'} U_i + \Big(h'_s \sum_{A_j \in T_s} Q_j\Big) + \sum_{i=1,\, i \ne s}^{n'} \Big(h_i \sum_{A_j \in T_i} Q_j\Big) \\
&= \Big[ zP - h'_s \sum_{A_j \in T_s} Q_j - \sum_{i \ne s} (r_i + h_i) \sum_{A_j \in T_i} Q_j \Big] + \Big(h'_s \sum_{A_j \in T_s} Q_j\Big) + \sum_{i=1,\, i \ne s}^{n'} U_i + \sum_{i=1,\, i \ne s}^{n'} \Big(h_i \sum_{A_j \in T_i} Q_j\Big) \\
&= zP - \Big[ \sum_{i=1,\, i \ne s}^{n'} (r_i + h_i) \sum_{A_j \in T_i} Q_j \Big] + \sum_{i \ne s} \Big(r_i \sum_{A_j \in T_i} Q_j\Big) + \sum_{i \ne s} \Big(h_i \sum_{A_j \in T_i} Q_j\Big) \\
&= zP \qquad \text{(A.2)}
\end{aligned}$$
Thus, the R.H.S also reduces to
$$e\Big( \sum_{i=1}^{n'} \Big(U_i + h_i \sum_{A_j \in T_i} Q_j\Big),\ P_{pub} \Big) = e(zP, P_{pub}) \qquad \text{(A.3)}$$
From equations (A.1), (A.2) and (A.3) we can see that the verification holds for the constructed signature.
A.2 Correctness of Solving CBDH
After using the forking lemma (refer to Section 6.3.3), let us say we have two signatures $\sigma$ and $\sigma'$ which have the following components:
$$\begin{aligned}
V &= \tilde r_1 (r_s + h_s) \sum_{A_i \in T_s} D_i, & V' &= \tilde r_2 (r_s + h'_s) \sum_{A_i \in T_s} D_i, \\
\tilde V_2 &= \tilde r_1^{-1} r'^{-1} wcP, & \tilde V'_2 &= \tilde r_2^{-1} r'^{-1} wcP.
\end{aligned}$$
Expanding $V$ with $D_i = r' a Q_i$, $Q_x = s_x (bP)$ and $Q_i = s_i P$ for $i \ne x$:
$$V = \tilde r_1 r' (r_s + h_s) \Big( ab\, s_x P + a \sum_{A_i \in T_s,\, i \ne x} Q_i \Big) = \tilde r_1 r' (r_s + h_s) \Big( ab\, s_x P + a \sum_{A_i \in T_s,\, i \ne x} s_i P \Big)$$
Then
$$W_1 = e(V, \tilde V_2) = e(P, P)^{(r_s + h_s)\left( ab\, s_x + a \sum_{A_i \in T_s,\, i \ne x} s_i \right) wc}$$
$$X_1 = W_1^{w^{-1}} = e(P, P)^{(r_s + h_s)\left( abc\, s_x + ac \sum_{i \ne x} s_i \right)} \qquad \text{(A.4)}$$
Similarly, set $W_2 = e(V', \tilde V'_2)$ and get $X_2$ as follows:
$$X_2 = W_2^{w^{-1}} = e(P, P)^{(r_s + h'_s)\left( abc\, s_x + ac \sum_{i \ne x} s_i \right)}$$
Now, we do the following:
$$Y_1 = \frac{X_1}{X_2} = e(P, P)^{(h_s - h'_s)\left( abc\, s_x + ac \sum_{i \ne x} s_i \right)}$$
$$Y = Y_1^{(h_s - h'_s)^{-1}} = e(P, P)^{abc\, s_x + ac \sum_{i \ne x} s_i}$$
$$Y' = e\Big( \sum_{i \in T_s,\, i \ne x} s_i (aP),\ cP \Big) = e(P, P)^{ac \sum_{i \ne x} s_i}$$
$$Z = \frac{Y}{Y'} = e(P, P)^{abc\, s_x}, \qquad Z^{s_x^{-1}} = e(P, P)^{abc} \qquad \text{(A.5)}$$
REFERENCES
[Boy07] Xavier Boyen. Mesh signatures. In Proceedings of the 26th Annual International Conference on Advances in Cryptology, EUROCRYPT '07, pages 210-227, Berlin, Heidelberg, 2007. Springer-Verlag.
[BS04] Dan Boneh and Hovav Shacham. Group signatures with verifier-local revocation. In ACM Conference on Computer and Communications Security, pages 168-177, 2004.
[BSW07] John Bethencourt, Amit Sahai, and Brent Waters. Ciphertext-policy attribute-based encryption. In IEEE Symposium on Security and Privacy, pages 321-334, 2007.
[Cam97] Jan Camenisch. Efficient and generalized group signatures. In Proceedings of the 16th Annual International Conference on Theory and Application of Cryptographic Techniques, EUROCRYPT '97, pages 465-479, Berlin, Heidelberg, 1997. Springer-Verlag.
[CN07] Ling Cheung and Calvin Newport. Provably secure ciphertext policy ABE. In Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS '07, pages 456-465, New York, NY, USA, 2007. ACM.
[CYH05] Sherman S. M. Chow, S. M. Yiu, and Lucas C. K. Hui. Efficient identity based ring signature. In Applied Crypto and Network Security - ACNS 2005, LNCS 3531, pages 499-512. Springer, 2005.
[DP08] Cécile Delerablée and David Pointcheval. Dynamic threshold public-key encryption. In Proceedings of the 28th Annual Conference on Cryptology: Advances in Cryptology, CRYPTO 2008, pages 317-334, Berlin, Heidelberg, 2008. Springer-Verlag.
[EMN+09] Keita Emura, Atsuko Miyaji, Akito Nomura, Kazumasa Omote, and Masakazu Soshi. A ciphertext-policy attribute-based encryption scheme with constant ciphertext length. In Proceedings of the 5th International Conference on Information Security Practice and Experience, ISPEC '09, pages 13-23, Berlin, Heidelberg, 2009. Springer-Verlag.
[GJPS08] Vipul Goyal, Abhishek Jain, Omkant Pandey, and Amit Sahai. Bounded ciphertext policy attribute based encryption. In Proceedings of the 35th International Colloquium on Automata, Languages and Programming, Part II, ICALP '08, pages 579-591, Berlin, Heidelberg, 2008. Springer-Verlag.
[GNSN10] Martin Gagné, Shivaramakrishnan Narayan, and Reihaneh Safavi-Naini. Threshold attribute-based signcryption. In SCN, pages 154-171, 2010.
[GPSW06] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS '06, pages 89-98, New York, NY, USA, 2006. ACM.
[GS08] Jens Groth and Amit Sahai. Efficient non-interactive proof systems for bilinear groups. In EUROCRYPT, pages 415-432, 2008.
[HLR10] Javier Herranz, Fabien Laguillaumie, and Carla Ràfols. Constant size ciphertexts in threshold attribute-based encryption. In Public Key Cryptography, pages 19-34, 2010.
[HS04] Javier Herranz and Germán Sáez. New identity-based ring signature schemes. In ICICS '04, pages 27-39, 2004.
[KABPR10] Swarun Kumar, Shivank Agrawal, Subha Balaraman, and C. Pandu Rangan. Attribute based signatures for bounded multi-level threshold circuits. In Proceedings of the 7th European Workshop on Public Key Services, Applications and Infrastructures, EuroPKI '10, 2010.
[Kha07a] Dalia Khader. Attribute based group signature with revocation. Cryptology ePrint Archive, Report 2007/241, 2007. http://eprint.iacr.org/.
[Kha07b] Dalia Khader. Attribute based group signatures. Cryptology ePrint Archive, Report 2007/159, 2007. http://eprint.iacr.org/.
[LAS+10] Jin Li, Man Ho Au, Willy Susilo, Dongqing Xie, and Kui Ren. Attribute-based signature and its applications. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS '10, pages 60-69, New York, NY, USA, 2010. ACM.
[LK08] Jin Li and Kwangjo Kim. Attribute-based ring signatures. Cryptology ePrint Archive, Report 2008/394, 2008. http://eprint.iacr.org/.
[LK10] Jin Li and Kwangjo Kim. Hidden attribute-based signatures without anonymity revocation. Inf. Sci., 180:1681-1689, May 2010.
[MPR08] Hemanta Maji, Manoj Prabhakaran, and Mike Rosulek. Attribute-based signatures: Achieving attribute-privacy and collusion-resistance. Cryptology ePrint Archive, Report 2008/328, 2008. http://eprint.iacr.org/.
[MPR10] Hemanta K. Maji, Manoj Prabhakaran, and Mike Rosulek. Attribute-based signatures. Cryptology ePrint Archive, Report 2010/595, 2010. http://eprint.iacr.org/.
[NYO09] Takashi Nishide, Kazuki Yoneyama, and Kazuo Ohta. Attribute-based encryption with partially hidden ciphertext policies. IEICE Transactions, 92-A(1):22-32, 2009.
[OSW07] Rafail Ostrovsky, Amit Sahai, and Brent Waters. Attribute-based encryption with non-monotonic access structures. In Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS '07, pages 195-203, New York, NY, USA, 2007. ACM.
[RST01] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, pages 554-567. Springer-Verlag, 2001.
[Sha79] Adi Shamir. How to share a secret. Commun. ACM, 22(11):612-613, 1979.
[SSN09] Siamak F. Shahandashti and Reihaneh Safavi-Naini. Threshold attribute-based signatures and their application to anonymous credential systems. In Proceedings of the 2nd International Conference on Cryptology in Africa: Progress in Cryptology, AFRICACRYPT '09, pages 198-216, Berlin, Heidelberg, 2009. Springer-Verlag.
[SW05] Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In EUROCRYPT, pages 457-473, 2005.
[Wat05] Brent Waters. Efficient identity-based encryption without random oracles. In EUROCRYPT, pages 114-127, 2005.
[Wat08] Brent Waters. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. Cryptology ePrint Archive, Report 2008/290, 2008. http://eprint.iacr.org/.
[ZH10] Zhibin Zhou and Dijiang Huang. On efficient ciphertext-policy attribute based encryption and broadcast encryption: extended abstract. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10, pages 753-755, New York, NY, USA, 2010. ACM.