In their seminal work [SW05], Sahai and Waters left open the question of whether it is possible to construct an ABE scheme in which a user's secret key can come from multiple authorities. Chase [Cha07] answered this question affirmatively by proposing a multi-authority KP-ABE scheme. In this scheme there are multiple authorities, one of which is called the central authority (CA). The CA knows all the secret keys of the other authorities, and a user must obtain secret keys from every one of these authorities. Unlike single-authority ABE schemes, a multi-authority ABE scheme finds it hard to resist collusion attacks; in particular, if the multiple authorities work independently, the scheme is subject to this attack. Chase [Cha07] overcame this problem by introducing a global identifier (GID) into the multi-authority ABE scheme: all authorities tie a user's secret keys to his GID. In order to keep the ciphertext independent of the user's GID, the CA must compute a special secret key for the user from its own secret key and the other authorities' secret keys. Although this scheme is not a decentralized ABE scheme, Chase made an important step from single-authority ABE to multi-authority ABE.
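A toy model of the GID binding in [Cha07], added here as an example and not taken from the thesis or from Chase's paper: the exponents are handled directly in a prime field instead of a pairing group, the PRF is instantiated with HMAC-SHA256, and each authority uses a 2-of-2 attribute threshold, all of which are assumptions for illustration. It shows why key components issued for two different GIDs cannot be pooled to recover the master value y_0.

```python
import hmac, hashlib, secrets

P = 2**127 - 1  # toy prime field standing in for the group order (assumption)

def prf(seed: bytes, gid: str) -> int:
    """PRF_k(GID): HMAC-SHA256 keyed with authority k's seed, reduced mod P."""
    return int.from_bytes(hmac.new(seed, gid.encode(), hashlib.sha256).digest(), "big") % P

def shamir_shares(secret: int, threshold: int, attrs) -> dict:
    """Share `secret` over attribute ids (the x-coordinates) with a degree threshold-1 polynomial."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return {x: sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P for x in attrs}

def interpolate_zero(points: dict) -> int:
    """Lagrange interpolation at x = 0 from `threshold` (x, y) pairs."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

class Authority:
    """Attribute authority k: holds PRF seed s_k and threshold d_k; issued keys are bound to the GID."""
    def __init__(self, threshold: int):
        self.seed, self.threshold = secrets.token_bytes(32), threshold
    def keygen(self, gid: str, attrs) -> dict:
        return shamir_shares(prf(self.seed, gid), self.threshold, attrs)

class CentralAuthority:
    """CA: knows y_0 and every authority's seed, issues D_CA = y_0 - sum_k PRF_k(GID)."""
    def __init__(self, authorities):
        self.y0, self.auths = secrets.randbelow(P), list(authorities)
    def keygen(self, gid: str) -> int:
        return (self.y0 - sum(prf(a.seed, gid) for a in self.auths)) % P

def recover(auth_keys, d_ca: int) -> int:
    # Toy decryption: interpolate PRF_k(GID) per authority, add D_CA; equals y_0 only for one GID.
    parts = [interpolate_zero(dict(list(s.items())[:a.threshold])) for a, s in auth_keys]
    return (sum(parts) + d_ca) % P

def demo() -> tuple:
    a1, a2 = Authority(2), Authority(2)
    ca = CentralAuthority([a1, a2])
    alice = {a1: a1.keygen("alice", [1, 2]), a2: a2.keygen("alice", [3, 4])}
    bob_a2 = a2.keygen("bob", [3, 4])
    honest = recover([(a1, alice[a1]), (a2, alice[a2])], ca.keygen("alice"))
    # pooling Alice's a1 keys with Bob's a2 keys: the PRF(GID) terms no longer cancel
    pooled = recover([(a1, alice[a1]), (a2, bob_a2)], ca.keygen("alice"))
    return honest == ca.y0, pooled == ca.y0
```

`demo()` returns `(True, False)`: the honest user recovers y_0, the pooled keys do not. Requires Python 3.8+ for the modular inverse via `pow`.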
Lin, Cao, Liang and Shao [LCLS08] proposed a multi-authority ABE scheme without a central authority based on the distributed key generation (DKG) protocol [GlJK+99] and the joint zero secret sharing (JZSS) protocol [GJKR01]. At the system setup phase, the multiple authorities must collaboratively execute the DKG
5.1. Introduction 84
protocol and the JZSS protocol twice and k times, respectively, where k is the degree of the polynomial selected by each authority. Each authority must maintain k + 2 secret keys. This scheme is k-resilient, namely it is secure if and only if the number of colluding users is no more than k, where k is fixed at the system setup phase.
Müller, Katzenbeisser and Eckert [MKE08] proposed a distributed CP-ABE scheme in which the number of pairing operations executed by the decryption algorithm is constant. This scheme was proven secure in the generic group model [BSW07] instead of by reduction to a complexity assumption. Furthermore, there must be a central authority to generate the global key and issue secret keys to users.
Chase and Chow proposed another multi-authority KP-ABE scheme [CC09] which improved the previous scheme [Cha07] and removed the need for the CA.
Notably, they also addressed the privacy issue. In the previous multi-authority ABE schemes [Cha07, LCLS08], a user must submit his GID to each authority to obtain the corresponding secret keys, which risks the user being traced by a group of corrupted authorities. Chase and Chow provided an anonymous key distribution protocol for the GID in which a 2-party secure computation technique is employed. As a result, a group of authorities cannot cooperate to collect a user's attributes by tracing his GID. However, the multiple authorities must interact to set up the system: each pair of authorities must execute a 2-party key exchange protocol to share the seeds of the selected pseudorandom functions (PRF) [NPR99]. This scheme is (N − 2)-tolerant, namely it is secure if and only if the number of compromised authorities is no more than N − 2, where N is the number of authorities in the system. The security of this scheme was reduced to the DBDH assumption and a non-standard complexity assumption (q-decisional Diffie-Hellman inverse (q-DDHI)). Chase and Chow also left as an open research problem how to construct a privacy-preserving multi-authority ABE scheme without the need for cooperation among the authorities.
Lewko and Waters [LW11] proposed a new multi-authority ABE scheme called decentralizing CP-ABE. This scheme improves on the previous multi-authority ABE schemes, which require collaboration among multiple authorities to set up the system.
In this scheme, no cooperation between the multiple authorities is required in the setup phase or the key generation phase, and there is no central authority. Note that an authority in this scheme can join or leave the system freely without the need to re-initialize the system. The scheme was designed in the composite order (N = p1p2p3) bilinear group and achieves full (adaptive) security in the random oracle model. They also pointed out two methods to create a prime order group variant of their scheme. Unfortunately this scheme is not efficient [Wat11]. Furthermore, a user's attributes can be collected by tracing his GID.
Liu, Cao, Huang, Wong and Yuen [LCH+11] proposed a fully secure multi-authority CP-ABE scheme in the standard model. Their scheme was based on the CP-ABE scheme of [LOS+10]. In their scheme, multiple central authorities and attribute authorities co-exist: the central authorities distribute identity-related keys to users and the attribute authorities issue attribute-related keys to users. Prior to obtaining attribute keys from the attribute authorities, a user must obtain secret keys from the multiple central authorities. This multi-authority ABE scheme was designed in the composite order (N = p1p2p3) bilinear group.
Li et al. [LHC+11] proposed a multi-authority ciphertext-policy ABE scheme with accountability, in which the anonymous key issuing protocol of [CC09] was exploited. In their scheme, a user can only obtain secret keys anonymously from N − 1 authorities, but he can be traced when he shares his secret keys with others. Unfortunately, the multiple authorities must initialize the system interactively. Their scheme relies on the DBDH assumption, the decisional linear (DLIN) assumption and the q-DDHI assumption.
5.1.3 Our Contribution
We answer the question left by Chase and Chow [CC09] affirmatively by designing a decentralized KP-ABE scheme with a privacy-preserving key extraction protocol. In our scheme, multiple authorities can operate independently without any cooperation and without a central authority. A user's GID is used to tie all his secret keys together, yet no group of corrupted authorities can pool the user's attributes by tracing it. Our scheme is (N − 1)-tolerant for the authorities, where N is the number of authorities in the system. Our scheme is based on a standard complexity assumption (DBDH) instead of any non-standard complexity assumption (e.g., q-DDHI). To the best of our knowledge, it is the first privacy-preserving decentralized KP-ABE scheme based solely on a standard assumption.