Identity-based Distributed Data Storage I

query secret keys SKID⁰ and SKID⁰⁰ for identities ID⁰ and ID⁰⁰. Furthermore, A can query access permissions RK_ID^∗_→ID⁰ and RKID⁰→ID⁰⁰. After receiving the challenged ciphertext CT^∗ for the identity ID^∗, if A can compute the permission RKID^∗→ID⁰⁰ from RKID^∗→ID⁰ and KID⁰→ID⁰⁰, B can use RKID^∗→ID⁰⁰ to transfer the ciphertext CT^∗ to a ciphertext gCT for the identity ID⁰⁰. Then, B can use SKID⁰⁰

to decrypt gCT and obtain the message Mb. So, B can use A to break the IND-CPA security in the above security model.

Unidirectional. If the scheme is not unidirectional in the above model, we can construct an algorithm B that can use A to break the IND-CPA security in the above security model. A can query a secret key SKID⁰ for an identity ID⁰ and an access permission RKID⁰→ID^∗ from ID⁰ to an identity ID^∗. After receiving the challenged ciphertext CT^∗ for ID^∗, if A can use RK_ID⁰_→ID^∗ to transfer CT^∗ to a ciphertext gCT for ID⁰, B can use the secret key SK_ID⁰ to decrypt gCT and obtain the message Mb. Therefore, B can use A to break the IND-CPA security in the

above model. 

3.3 Identity-based Distributed Data Storage I

In this section, we propose an IBDDS scheme IBDDS-I which is secure against chosen plaintext attacks (or IND-CPA). At first, the file owner encrypts his files and outsources the ciphertexts to the proxy servers. The proxy servers validate the ciphertexts and store them for the owner. For one request, the requester uses his secret key to compute an authentication information (AI) and sends it to the proxy server. The proxy server sends the identity of the requester, AI and the partial intended ciphertext to the owner. Suppose that the owner can detect which file the requester wants to access from the partial ciphertext. Subsequently, the owner validates the received AI. If it is valid, the owner computes an access permission (re-encryption key) using his secret key, the partial ciphertext and the identity of the requester, and sends it to the proxy server. Otherwise, the access request is denied.

When receiving an access permission from the owner, the proxy sever re-encrypts the intended ciphertext to a ciphertext for the requester. Finally, the requester can decrypt the re-encrypted ciphertext by his secret key and obtains the original file.

The specific protocol of our scheme IBDDS-I is demonstrated in Figure 3.2. This scheme can be seen as an extension of Water’s IBE [Wat05].

3.3. Identity-based Distributed Data Storage I 44

Setup. This algorithm takes as input 1^{`</sup>, and outputs a bilinear group GG(1<sup>`}) → (e, p,G, Gτ), where e : G × G → Gτ and p is a prime KeyGen. Let ID denote an identity which is an n bit string, IDi be the ith

bit of ID and I be a set which consists of all the index i with IDi = 1.

This algorithm takes as input the master secret key η^α and an identity ID, and computes

K_ID,1 = η^α(u₀Y

i∈I

u_i)^rID, K_ID,2 = g^rID and K_ID,3 = g^rID.

The secret key for a user U with identity ID is KID = (KID,1, KID,2, K_ID,3). This secret key can be verified by

e(KID,1, g)= e(η, g^? 1) · e((u0

Query. If a requester R with identity ID⁰ wants to access a ciphertext CTi, he chooses t ←^R Zp, and computes K_ID^{0 0}_,1 = KID⁰,1h^t and Γ = g^t. He sends (ID⁰, K_ID^{0 0}_,1, KID⁰,3, Γ) to the PS who stores the ciphertext CTi. Then, the PS redirects (ID⁰, K_ID⁰ 0,1, K_ID⁰_,3, Γ, C_i,2) to O.

3.3. Identity-based Distributed Data Storage I 45

Permission. O checks whether R has been authenticated by verifying e(K_ID^{0 0}_,1, g)= e(η, g^? 2) · e((u0

Y

i∈I⁰

ui), KID⁰,3) · e(h, Γ).

If it holds, O chooses β, ρ←^R Zp and computes D1 = KID,1

K_ID⁰ 0,1· Γ^ρ · (u0

Y

i∈I⁰

ui)^β, D2 = e(Ci,2, (u0

Y

i∈I⁰

ui))^β and D3 = g^ρ.

Then, O sends (D1, D2, D3, KID,2) to the PS.

Re-encryption. When receiving (D1, D2, D3, KID,2) from O, the PS computes the re-encrypted ciphertext as

C_i,1⁰ = D₂· C_i,1, C_i,2⁰ = C_i,2, C_i,3⁰ = C_i,3, C_i,4⁰ = D1, C_i,5⁰ = D3 and C_i,6⁰ = KID,2.

The PS responds R with CT_i⁰ = (C_i,1⁰ , C_i,2⁰ , C_i,3⁰ , C_i,4⁰ , C_i,5⁰ , C_i,6⁰ ).

Decryption.

1. To decrypt a ciphertext CTi = (Ci,1, Ci,2, Ci,3), O computes Mi = Ci,1· e(KID,2, Ci,3)

e(KID,1, Ci,2).

2. To decrypt a re-encrypted ciphertext CT_i⁰ = (C_i,1⁰ , C_i,2⁰ , C_i,3⁰ , C_i,4⁰ , C_i,5⁰ , C_i,6⁰ ), R computes

K1 = K_ID^{0 0}_,1· C_i,5^0t · C_i,4⁰ and

Mi = C_i,1⁰ ·e(C_i,6⁰ , C_i,3⁰ ) e(K1, C_i,2⁰ ).

Figure 3.2: IBDDS-I: Identity-Based Distributed Data Storage I

3.3. Identity-based Distributed Data Storage I 46

3.3. Identity-based Distributed Data Storage I 47

Theorem 3.2 Our identity-based distributed data storage scheme IBDDS-I is (T, q1, q2, q3, (`))-secure against chose plaintext attacks (or IND-CPA) if the (T<sup>0</sup>, <sup>0</sup> (`))-decisional bilinear Diffie-Hellman assumption holds in the bilinear group (e, p,G, Gτ) where

T⁰ = T + Θ(T ) and ⁰(`) = (`)

32(q₁+ 2q₂ + 2q₃)(n + 1).

Proof: The proof is similar to that in Waters’s IBE [Wat05], except that the permission queries and re-encryption queries from the adversary must be answered.

Suppose that there exists a PPT adversary A who can (T, q1, q2, q3, (`)) break the IND-CPA security of our IBDDS-I scheme, we can construct an algorithm B that can use A to break the DBDH assumption as follows. The challenger C generates a bilinear group GG(1<sup>`</sup>) → (e, p,G, Gτ) and chooses a generator g ←^R G. It flips an unbiased coin µ with {0, 1}. If µ = 0, he sends (A, B, C, Z) = (g^a, g^b, b^c, e(g, g)^abc) to B. Otherwise, he sends (A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^z) to B, where z ←^R Zp. The algorithm B will output his guess µ⁰ on µ.

Setup. B sets σ = 4(q1+ 2q2+ 2q3) and chooses an integer ν ← [n]. It uniformly^R

←Zp. Then, B defines three functions:

P (ID) = (p − σν) + π0+X The distribution of these parameters is identical to that in the real protocol.

Phase 1.

3.3. Identity-based Distributed Data Storage I 48

1. Secret Key Queries. For a secret key query on an identity ID, B checks R(ID)= 1.^?

(a) If R(ID) = 1, B chooses r←^R Zp and computes KID,1 = A^{−Q(ID)P (ID)} (π0

Y

i∈I

πi)^r, (3.1)

KID,2 = A^{P (ID)−1} g^r (3.2)

and

K_ID,3 = K_ID,2^θ . (3.3)

B responds with K_ID= (KID,1, KID,2, KID,3).

(b) If R(ID) = 0, B aborts and outputs his guess µ⁰ randomly.

We claim that the secret key is generated correctly.

K_ID,1 = A^{−Q(ID)P (ID)} (u₀Y

i∈I

u_i)^r

= g^{−aQ(ID)P (ID)} (gbP (ID)+Q(ID))^r

= (gbP (ID)+Q(ID))^{P (ID)−a} g^ab(gbP (ID)+Q(ID))^r

= g^ab(gbP (ID)+Q(ID))^{r−P (ID)a}

= η^a(u0

Y

i∈I

ui)^{r−P (ID)a}

Let ˆr = r − _{P (ID)}^a , we have

KID,1= η^a(u0

Y

i∈I

ui)^ˆr,

KID,2 = A^{P (ID)−1} g^r = g^{r−P (ID)a} = g^ˆr and

KID,3 = K_ID,2^θ = g^θˆr = g^rˆ. Therefore, the secret key is created correctly.

2. Permission Queries. For an access permission on (ID, ID⁰, C2), B checks whether he has generated secret keys for identities ID and ID⁰. If he has not generated secret keys for ID and ID⁰, B checks whether R(ID) = R(ID)⁰ = 1.

3.3. Identity-based Distributed Data Storage I 49

(a) If it holds, B computes KID = (KID,1, KID,2, KID,3) and KID⁰ = (KID⁰,1, KID⁰,2, KID⁰,3). Then, he can compute an access permission (the re-encryption key) as follows. B chooses t, β, ρ←^R Zp, and com-putes

K_ID^{0 0}_,1= KID⁰,1h^t, (3.4)

Γ = g^t, (3.5)

D1 = KID,1

K_ID^{0 0}_,1Γ^ρ · (u0

Y

i∈I⁰

ui)^β (3.6)

D2 = e(C2, (u0

Y

i∈I⁰

ui))^β, (3.7)

and

D3 = g^ρ. (3.8)

B sends (D₁, D2, D3, KID,2) to A.

(b) Otherwise, B aborts the simulation and outputs his guess µ⁰ ran-domly.

3. Re-encryption Queries. For a re-encryption query on (ID, ID⁰, C), B checks whether he has generated an access permission (D1, D2, D3, KID,2) from identity ID to identity ID⁰. If he has not generated an access permission from ID to ID⁰, B generate (D1, , D2, D3, KID,2) as above.

Otherwise, B can compute

C₁⁰ = D₂· C₁, C₂⁰ = C₂, C₃⁰ = C₃, C₄⁰ = D₁, C₅⁰ = D₃ and C₆⁰ = K_ID,2. B responds A with the re-encrypted ciphertext CT⁰ = (C₁⁰, C₂⁰, C₃⁰, C₄⁰, C₅⁰, C₆⁰).

Challenge. A submits an identity ID^∗ and two messages M0 and M1 with the equal length. B checks R(ID^∗)= 0.^?

1. If R(ID^∗) = 1, B aborts and outputs his guess µ⁰ randomly.

2. If R(ID^∗) = 0, B flips an unbiased coin with {0, 1} and obtains one bit ω ∈ {0, 1}. B computes C₁^∗ = Mω · Z, C₂^∗ = C = g^c and C₃^∗ = C^Q(ID∗) = (u₀Q

i∈I^∗u_i)^c. B sends the ciphertext CT^∗ = (C₁^∗, C₂^∗, C₃^∗) to A.

3.3. Identity-based Distributed Data Storage I 50

Phase 2. Phase 1 is repeated with the following restrictions.

1. Secret Key Queries. A cannot query secret key for the identity ID^∗. 2. Permission Queries. A cannot query an access permission on (ID^∗, ID,

C₂^∗) and secret keys for identities ID.

3. Re-encryption Queries. A cannot query re-encryption on (ID^∗, ID, C^∗), permission on (ID^∗, ID, C₂^∗) and secret key for ID.

Guess. A outputs his guess ω⁰ on ω. If ω⁰ = ω, B outputs µ⁰ = 0; otherwise B outputs µ⁰ = 1.

As shown above, the public parameters and secret keys created in the simulation paradigm are identical to those created in the real protocol. B does not abort the simulation if and only if the secret keys can be generated correctly and R(ID^∗) = 0. In q1 secret key queries, q2 permission queries and q3 re-encryption queries, B needs to create at most q1 + 2q2 + 2q3 secret keys. Let ρ = q1 + 2q2 + 2q3 and {ID⁽¹⁾, ID⁽²⁾, · · · , ID^(ρ)} be the identities selected by A to query the oracles in our scheme. We compute the bound with which B does not abort the simulation. This bound is computed using the method exploited in [Wat05].

3.3. Identity-based Distributed Data Storage I 51

In document Privacy-preserving access control techniques in distributed systems (Page 63-72)