WO2016014048A1 - Attribute-based cryptography - Google Patents

Attribute-based cryptography

Publication number
WO2016014048A1
Authority
WO
WIPO (PCT)
Prior art keywords
policy
attribute
cryptography
individual attribute
engine
Prior art date
Application number
PCT/US2014/047773
Other languages
French (fr)
Inventor
Liqun Chen
Ali EL KAAFARANI
Siani Pearson
Bob LINDSAY
Peter Reid
Nikolaos Papanikolaou
Original Assignee
Hewlett-Packard Development Company, L.P.
Application filed by Hewlett-Packard Development Company, L.P.
Priority to PCT/US2014/047773
Publication of WO2016014048A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing

Definitions

  • Cryptography allows for secure communication in the presence of third parties over an insecure communication channel.
  • Two types of modern cryptography include digital signatures and encryption/decryption.
  • A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message (e.g., a document).
  • A digital signature, once verified, gives a recipient reason to believe that the message was created by a known sender such that the sender cannot deny having sent the message and that the message was not altered in transit.
  • Encryption is the process of encoding a message (e.g., a document) in a way that authorized parties are able to read it.
  • Decryption is the process of decoding the encrypted message so that the authorized parties are able to read it.
  • Figure 1 shows a block diagram of an attribute-based cryptography system, according to an example
  • Figure 2 shows a block diagram of an attribute-based cryptography system implementing an attribute-based digital signature scheme, according to an example
  • Figure 3 shows a block diagram of an attribute-based cryptography system implementing an attribute-based decryption scheme, according to an example
  • Figure 4 shows an example circuit
  • Figure 5 shows a flowchart of an attribute-based cryptography method, according to an example
  • Figure 6 shows a flowchart of an attribute-based signature method, according to an example
  • Figure 7 shows a flowchart of an attribute-based decryption method, according to an example
  • Figure 8 is a block diagram of a computing device to provide attribute-based cryptography, according to an example.
  • Some digital signature techniques include a signing policy which is expressed as a public key and a certificate.
  • a verifier can learn who created the digital signature.
  • the identity of the signer is not a secret.
  • the signing policy is expressed as a signer's identifier.
  • a verifier can learn who created the digital signature.
  • Anonymous signatures use a group key and the signing policy is expressed as a group structure. Any group member can produce a valid signature on behalf of the group. A verifier cannot learn which group member has signed a signature, but does know the group structure.
  • Another technique for creating and using digital signatures is referred to as an "attribute-based signature" technique.
  • the signature is computed based on one or more attributes of the signer. Examples of attributes may include the position of the user within a company (e.g., job role or title), the location of the signer, etc.
  • With attribute-based signatures, those users that have a valid set of attributes can successfully generate a valid signature for a given message.
  • An attribute-based signature scheme may be used to provide services such as entity authentication, data origin authentication, non-repudiation, and data-integrity.
  • In attribute-based signature schemes, a signer who has enough attributes to satisfy the policy can produce a valid signature. A verifier knows that the signer has satisfied the policy. The set of attributes that has been used to sign, along with the identity of the signers, remains hidden. Unfortunately, the predicate itself (the policy) is known to the verifier in some attribute-based signature schemes.
  • various examples are provided herein that relate to attribute-based signature systems and methods to provide signer privacy, data origin authentication, non-repudiation, data-integrity, to ensure entity authentication, or a combination thereof.
  • the signer's identity, the signer's attributes, and/or the signing policy may remain hidden from the verifier.
  • sharing encrypted data on the cloud allows for sharing of the data at a coarse level. In other words, sharing encrypted data requires giving a private key to any user that the data is to be shared with for decryption.
  • attribute-based decryption systems and methods allow for fine-grained sharing of encrypted data.
  • attribute-based decryption schemes allow a user to encrypt data with respect to a certain policy, and users who have the requisite credentials (attributes) to satisfy the policy are granted access to the data.
  • a master secret key is generated along with public keys which may be utilized for later verification of a digital signature or for use in decrypting a document.
  • the attribute-based cryptography system may utilize a circuit which comprises a plurality of logic gates coupled together. These coupled logic gates implement a signing policy or decryption policy.
  • the mathematical representation of the circuit receives as inputs a plurality of individual attribute-based keys or individual attribute-based hashes. All references herein to the "circuit" mean the hardware logic that implements the mathematical representation of the circuit.
  • Each individual attribute-based key or hash corresponds to a distinct characteristic (attribute) that is representative of a user seeking to sign or decrypt a message.
  • a secret key is generated by the circuit based on the individual attribute-based keys or hashes corresponding to the signing policy and based on the master secret key previously generated.
  • a signing policy or decryption policy may be that a particular message can only be signed or decrypted by a junior level vice president that is located in the firm's London or New York offices. That policy can be implemented as a Boolean expression:
  • a circuit implements the Boolean expression that defines the policy.
  • the policy implemented by the circuit, such as a circuit 110 of FIG. 1, a circuit 210 of FIG. 2, or a circuit 310 of FIG. 3, thus may specify that certain combinations of attributes must be true.
  • the job title (junior level vice president) and a certain location (New York or London) must both be true per the policy.
  • the signing policy may also require that the signer be either (a) a junior vice president and based in the London or New York offices or (b) a senior vice president at any office.
  • Any types and number of logic gates can be used to implement the circuit 110, 210, or 310, such as AND gates, OR gates, NOT gates, NAND gates, NOR gates, XOR gates, XNOR gates, or any other logic gate.
  • the fan-outs, or number of logic gates in the circuit 110, 210, or 310 are not limited to one as in the less expressive types of policies.
  • the circuit is implemented as a mathematical representation of the Boolean expression and thus implemented in instructions executable by a hardware processor.
  • the circuit may be an actual, physical circuit including various types of logic gates (AND gates, OR gates, etc.). All references herein to "circuit" refer to either or both types of implementations.
  • a digital signature is then created or a ciphertext is decrypted based on the secret key and based on the message.
  • the digital signature is created based on the individual attribute-based keys validly passing through the mathematical representation of the policy signing based circuit.
  • the digital signature may then be verified based on the public key.
  • the ciphertext may be decrypted based on the individual attribute-based hashes validly passing through the mathematical representation of the policy decryption based circuit.
  • FIG. 1 is a block diagram of an attribute-based cryptography system, in accordance with an example.
  • a computing system 102 includes a key generation engine 104, a cryptography engine 106, and a cryptography policy circuit 110.
  • the computing system 102 may be, for example, a notebook computer, a tablet computing device, a portable reading device, a wireless email device, a mobile phone, a workstation, a server, a desktop computer, or any other computing device.
  • the attribute-based cryptography system may allow for a valid digital signature based on a user's attributes corresponding to a signing policy or allow for the decryption of an encrypted message based on the user's attributes corresponding to a decryption policy.
  • the key generation engine 104 generates a secret key that is utilized by the cryptography engine 106 to generate a digital signature or decrypt an encrypted message.
  • the key generation engine 104 implements cryptography policy circuit 110.
  • cryptography policy circuit 110 may include the key generation engine 104.
  • the key generation engine 104 may be implemented using cryptography policy circuit 110.
  • Two such cryptography policy circuits include signing policy circuit 210 from Figure 2 and decryption policy circuit 310 from Figure 3.
  • Cryptography policy circuit 110 corresponds to a cryptography policy such as a signing policy or a decryption policy.
  • cryptography policy circuit 110 includes Boolean logic that corresponds to a policy of which users may sign or decrypt an individual message.
  • Cryptography policy circuit 110 receives individual attribute-based data as inputs. Such attribute-based data may include attribute-based keys corresponding to individual attributes of a user or attribute-based hashes also corresponding to individual attributes of a user. Cryptography policy circuit 110 outputs a secret key based on the individual attribute-based data corresponding to the cryptography policy.
  • Cryptography engine 106 receives a message that is to be signed or a ciphertext to be decrypted and generates a digital signature or decrypts the ciphertext based on the secret key and based on the message.
  • Figure 2 is an attribute-based cryptography system 200 implementing an attribute-based digital signature scheme, according to an example.
  • the system 200 includes a computing system 201 which also includes the key generation engine 104, the cryptography engine 106, and a signing policy circuit 210, as well as a setup engine 202.
  • the cryptography engine 106 may include signature engine 206.
  • the computing system 201 may be, for example, a notebook computer, a tablet computing device, a portable reading device, a wireless email device, a mobile phone, a workstation, a server, a desktop computer, or any other computing device.
  • the signing policy circuit 210 may be one type of cryptography policy circuit 110.
  • System 200 also includes a verification engine 204 coupled to computing system 201 through a communications network 212.
  • the communication network 212 can include wired communications, wireless communications, or combinations thereof. Further, the communication network 212 can include multiple sub-communication networks such as data networks, wireless networks, telephony networks, etc. Such networks can include, for example, a public data network such as the Internet, local area networks (LANs), wide area networks (WANs), metropolitan area networks (MANs), cable networks, fiber optic networks, combinations thereof, or the like. In various examples, wireless networks may include cellular networks, satellite communications, wireless LANs, etc. Further, the communication network 212 can be in the form of a direct network link between devices. Various communications structures and infrastructure can be utilized to implement the communication network 212.
  • the computing systems 201 and verification engine 204 may communicate with each other and other components with access to the communication network 212 via a communication protocol or multiple protocols.
  • a protocol can be a set of rules that defines how nodes of the communication network 212 interact with other nodes.
  • communications between network nodes can be implemented by exchanging discrete packets of data or sending messages. Packets can include header information associated with a protocol (e.g., information on the location of the network node(s) to contact) as well as payload information.
  • Setup engine 202 may generate a master secret key, a public key, and other parameters which may be utilized by the key generation engine 104.
  • the setup engine 202 receives as inputs a security parameter, an upper boundary depth of all circuits (ℓ) and an upper boundary input size for all attributes (n).
  • the security parameter is a variable that measures the resource requirements needed, such as the length, in bits, of the secret signing key to be computed.
  • the upper boundary depth of all circuits is the upper boundary depth, based on the number of logic gates, for signing policy circuit 210.
  • the upper boundary input size for all attributes (n) is the upper boundary number of attribute-based keys that may be input into signing policy circuit 210.
  • Setup engine 202 generates groups of prime order p, with canonical generators, where Setup engine 202 also generates random values and In an example, setup
  • Setup engine 202 may also generate a public key.
  • the public key may be a one-time signature (OTS) public key.
  • OTS public key is a public key that is utilized to verify a single message.
  • a secret signing key is also used to sign a single message.
  • the underlying OTS scheme can be instantiated by a suitable one-time strongly unforgeable signature scheme.
  • Such schemes may include those that are based on the computational Diffie-Hellman (CDH) assumption in the standard model, or, for instance, Schnorr signatures that are based on the Discrete Logarithm problem (Dlog) in the random oracle model using the Fiat-Shamir heuristic.
  • the public key generated by setup engine 202 includes the group sequence in addition to:
  • Setup engine 202 also generates additional parameters such as by solving for for each .
  • the values d ⁇ may be utilized by the key
  • the key generation engine 104 generates a secret signing key to be used to produce a digital signature.
  • the secret signing key is a key that is not known outside of computing system 102, 201.
  • verification engine 204 does not know the secret signing key, nor the circuit used to generate the secret signing key.
  • the inputs to the signing policy circuit 210 include attribute-based keys that are computed based on the set of attributes of the potential signer.
  • Each attribute-based key corresponds to an individual attribute, or characteristic, of a user to be used to generate that user's secret signing key.
  • an attribute-based key may correspond to the position level of a user, the location the user is based, the age of the user, or any other individual characteristic of the user.
  • a lookup table may be utilized to generate the attribute-based keys.
  • a lookup table may match a key to a specific attribute.
  • the attribute-based key may be based on an existing identity based scheme.
  • the key generation engine 104 receives any number of attribute-based keys as inputs to the circuit 210 in accordance with the signing policy implemented by the circuit 210. If the attribute-based keys correspond to the signing policy, a valid secret signing key is produced. In other words, if the attribute-based keys validly pass through the signing policy circuit 210, then a valid secret signing key is produced by the key generation engine 104. Otherwise, an invalid secret signing key is produced, a condition which will be detected during the verification phase. Attribute-based keys corresponding to the attributes of a user who wishes to sign the message would be input into the circuit 210. If these attributes validly pass through the circuit 210, then the attribute-based keys correspond to the signing policy and a valid secret signing key is generated.
  • Key generation engine 104 may receive as input the master secret key and a representation of circuit 210 corresponding to a signing policy for a specific message. Key generation engine 104 outputs a secret signing key (SK), such that .
  • SK secret signing key
  • A may refer to A(w), which represents one input wire (w) for the circuit.
  • B may refer to B(w), a second input wire for the circuit.
  • Circuit 210 may include n + q wires including n input wires and q gate wires. The wire n + q may be designated as an output wire.
  • the key generation engine 104 may generate random values
  • the key generation engine 104 generates a header component:
  • the key generation engine 104 may generate key components for every wire w.
  • the structure of the key components depends on whether w is an input wire or a logic gate, such as an OR gate or an AND gate.
  • the key generation engine 104 generates key components for an input wire with w corresponding to the w-th input.
  • the key generation engine 104 generates a random value The key generation engine 104 then
  • the key generation engine 104 may generate random values .
  • key generation engine 104 then may generate the key components w to be:
  • the key generation engine 104 may generate random values .
  • key generation engine 104 then may generate the key components w to be:
  • the key generation engine 104 may then generate the secret signing key (SK) which includes together with all of the key components for the inputs and logic gate wires.
  • Cryptography engine 106 may comprise signature engine 206.
  • Signature engine 206 receives a message to be signed and generates a digital signature based on the secret signing key and the message to be signed.
  • the message to be signed may be received from an outside source or from within computer system 201.
  • SK is the secret signing key and .
  • the message to be signed may be represented as
  • a digital signature on m under SK indicates that the signature engine
  • Signature engine 206 may generate a random value and generates where c 0 is g s .
  • s ⁇ t which is unknown to signature engine 206.
  • signature engine 106 may create an OTS on m, which may be denoted by .
  • Signature engine 206 then may compute a knowledge proof denoted by as follows. First, signature engine 206 may generate a header as:
  • Signature engine 206 then may compute - This may be accomplished by evaluating the signing policy circuit 210 from the bottom up. For example, if wire w is at depth j and 1, signature engine 206 computes .
  • Signature engine 206 iteratively starts with computing E 1 and proceeds in order through the signing policy circuit 210 until signature engine 206 computes
  • Signature engine 206 may compute for where of an input wire as follows. Utilizing the convention , the input wire corresponds to the w-th input. If that wire w satisfies , then signature engine 106 computes and then may compute:
  • Signature engine 206 may compute where of an OR gate
  • signature engine 206 computes:
  • signature engine 206 generates
  • Signature engine 206 then may compute .
  • Verification engine 204 is connected to computing system 201 through the communication network 212. Although shown separately, in some examples, verification engine 204 is instead a part of computing system 201. Verification engine 204 verifies the validity of the digital signature created by signature engine 206 based on the public key created by setup engine 202.
  • verification engine 204 may perform a suitable verification.
  • One such verification includes verification engine 204 verifying under the OTS public key (d 0 , c 0 ). This
  • verification engine 204 may be accomplished through following the verification of the underlying OTS scheme. By this verification, verification engine 204 may determine that and that the value t is known by the signature engine. The signing policy is not involved in any of the verification equations utilized by verification engine 204 to verify the validity of the signature. Thus, the verification engine 204 does not need to know, and in fact may not know, the signing policy.
  • verification engine 204 may perform is to verify by determining whether holds true. This allows verification engine 204 to determine that for some value of s that is involved in the
  • verification engine 204 accepts the digital signature. However, if the verifications performed indicate that the signature ⁇ is not valid, verification engine 204 rejects the digital signature.
  • Because the verification engine 204 does not have access to the mathematical representation of the circuit 210 or to any of the inputs into the circuit 210, the systems described herein may have privacy of the policy and privacy of the attributes. That is to say, the verification engine 204 does not know the signing policy for the message, nor does it know what attributes the user whose digital signature is created has.
  • FIG. 3 shows a block diagram of an attribute-based cryptography system 300 implementing an attribute-based decryption scheme, according to an example.
  • the system 300 includes a computing system 301 which also includes the key generation engine 104, the cryptography engine 106, and a decryption policy circuit 310, as well as a setup engine 302 and encryption engine 304.
  • the cryptography engine 106 may include decryption engine 306.
  • the computing system 301 may be, for example, a notebook computer, a tablet computing device, a portable reading device, a wireless email device, a mobile phone, a workstation, a server, a desktop computer, or any other computing device.
  • Decryption policy circuit 310 may be one type of cryptography policy circuit 110.
  • Setup engine 302 may generate a master secret key and a set of public parameters which may be utilized by encryption engine 304, the key
  • the setup engine 302 receives as inputs a security parameter , an upper boundary depth of all circuits
  • the security parameter is a variable that measures the resource
  • the upper boundary depth of all circuits is the upper boundary depth, based on the number of logic gates, for circuit 310.
  • the Boolean inputs (n) is the input size for all ciphertexts that will be input into circuit 310.
  • Setup engine 302 may map an individual attribute with a group element . To accomplish this, setup engine 302 may utilize a hash to point technique to hash the attribute into the point where
  • Setup engine 302 in an example, may hash the attributes into group elements , so that
  • setup engine 302 may hash the decryption policy along with the attributes, so that users that have secret keys that correspond with the decryption policy may decrypt.
  • the hash function is where . In this example, if a
  • setup engine 302 may generate a set of public group elements as follows:
  • the public parameters may be reduced by the setup engine 302 to: -
  • setup engine 302 may generate the master secret key as:
  • Encryption engine 304 may receive the public parameters and a message M to create ciphertext for the message, and thus, encrypt the message. Encryption engine 304 first generates based on the public parameters , the input x that describes which attributes are being used, and a message bit . Encryption engine 304 then may generate With Sbeing the set of i for which , encryption engine 304 generates the following ciphertext:
  • the key generation engine 104 generates a secret signing key to be used by the decryption engine 306 for decryption of the encrypted message.
  • the inputs to the decryption policy circuit 310 include the attribute-based hashes generated by setup engine 302.
  • Each attribute-based hash corresponds to an individual attribute, or characteristic, of a user to be used to generate that user's secret key.
  • an attribute-based hash may correspond to the position level of a user, the location the user is based, the age of the user, or any other individual characteristic of the user.
  • the key generation engine 104 receives any number of attribute-based hashes as inputs to circuit 310 in accordance with the decryption policy implemented by circuit 310. If the attribute-based hashes correspond with the decryption policy, a valid secret key is produced. In other words, if the attribute-based hashes validly pass through the decryption policy circuit 310, then a valid secret key is produced by the key generation engine 104. Otherwise, an invalid secret signing key is produced, a condition which is detected during the decryption phase. Attribute-based hashes corresponding to the attributes of a user who wishes to decrypt the message would be input into the circuit 310. If these attributes validly pass through the circuit 310, then the attribute-based hashes correspond to the decryption policy and a valid secret key is generated.
  • the key generation engine 104 may receive as inputs the master secret key generated by setup engine 302 and a representation of circuit 310 corresponding to a decryption policy for a specific message.
  • the representation of circuit 310 has a total of n + q wires with n inputs, and q gates.
  • the wire represents the output wire of circuit 310.
  • the key generation engine 104 then may generate a set of keys (i.e. the header key , the input wire keys
  • the secret key generated by the key generation engine 104 is:
  • Decryption engine 306 may validly decrypt the message given a ciphertext CT corresponding with input ⁇ 0 1 ⁇ and a secret key SK associated with representation of circuit 310 if . In other words, decryption engine 306 may decrypt the message if the attributes validly pass through the circuit 310. Decryption engine 306 generates to retrieve the message M, since . Utilizing the header key decryption engine 306 may generate the following:
  • decryption engine 306 may generate:
  • circuit 310 may be reduced to determining which is possible if circuit 310
  • Figure 4 shows an example of cryptography circuit 110.
  • the circuit depicted in Figure 4 may also represent circuit 210 and circuit 310.
  • Circuit 110 from Figure 4 includes input wires 402, 404, 406, and 410, AND gate 408, OR gate 412 and output wire 414.
  • the collection of wires and gates implements a particular cryptography policy such as a signing policy or a decryption policy.
  • circuit 110, which is mathematically represented by the key generation engine 104 and cryptography engine 106, may be any combination of logic gates, such as AND gates, OR gates, NOT gates, NAND gates, NOR gates, XOR gates, XNOR gates, or any other logic gate that maps to a signing policy for a particular message.
  • the cryptography policy requires attribute-based keys or attribute-based hashes input as input wires 402 and 404 to validly pass through AND gate 408.
  • both attribute-based keys input as input wires 402 and 404 may meet the signing policy or both attribute-based hashes input as input wires 402 and 404 may meet the decryption policy.
  • both inputs 402 and 404 may conform to the policy.
  • the output of AND gate 408 acts as an input wire 410 along with input wire 406 for OR gate 412. In this case one of input wire 410 or input wire 406 may conform to the requirements for the output 414 of the circuit 110 to be valid.
  • E n+q is the output 414 of the cryptography policy circuit 110. As discussed previously under Figure 2, this is multiplied by E' in order to get a s which is a part of the final signature.
  • inputs 402, 404, and 406 are algebraic group elements, thus, they are multi-bit attribute based keys.
  • Figures 5, 6, and 7 are flowcharts of attribute-based cryptography methods 500, 600, and 700.
  • Although execution of methods 500, 600, and 700 is described below with reference to systems 102, 200, and 300, other suitable components for execution of methods 500, 600, and 700 can be utilized (e.g., computing device 800). Additionally, the components for executing the methods 500, 600, and 700 may be spread among multiple devices.
  • Methods 500, 600, and 700 may be implemented in the form of processor executable instructions stored on a non-transitory machine-readable storage medium, such as the machine-readable storage medium 820, and/or in the form of electronic circuitry.
  • Method 500 begins at 502 with inputting a plurality of individual attribute-based data into circuit 110.
  • the circuit 110 comprises a plurality of logic gates which implement a Boolean expression that defines a signing or decryption policy for a message.
  • Each of the plurality of individual attribute-based data may correspond to an individual attribute.
  • Each individual attribute may correspond to a characteristic representative of a user seeking to sign a message.
  • the individual attribute-based data may include individual attribute-based keys and individual attribute-based hashes.
  • the method continues at 504 with generating, by the key generation engine 104, a secret key, such as a secret signing key, based on the plurality of individual attribute-based data corresponding to the signing or decryption policy.
  • the method continues at 506 with receiving, by the cryptography engine 106, a message to be signed or decrypted.
  • the message to be decrypted may be ciphertext.
  • the method continues at 508 with generating a digital signature, or decrypting, by the cryptography engine 106, based on the secret key and based on the message.
  • Method 600 begins at 602 with generating a master secret key by the setup engine 202.
  • the method continues at 604 with generating a public key by the setup engine 202.
  • the public key may be an OTS public key.
  • the method continues at 606 with inputting a plurality of individual attribute-based keys into the signing policy circuit 210.
  • the circuit 210 comprises a plurality of logic gates. The logic gates correspond to a signing policy for a message.
  • the method continues at 608 with generating, by the key generation engine 104, a secret signing key based on the plurality of individual attribute-based keys corresponding to the signing policy.
  • the method continues at 610 with receiving, by the signature engine 206, a message to be signed.
  • the method continues at 612 with generating, by the signature engine 206, a digital signature based on the secret signing key and the message to be signed.
  • the method continues at 614 with verifying, by verification engine 204, the digital signature.
  • Method 700 begins at 702 with generating a master secret key by the setup engine 302.
  • the method continues at 704 with generating public parameters by the setup engine 302.
  • the method continues at 706 with encrypting, by encryption engine 304, a message.
  • the method continues at 708 with inputting a plurality of individual attribute-based hashes into the decryption policy circuit 310.
  • the circuit 310 comprises a plurality of logic gates that correspond to a decryption policy for a message.
  • the method continues at 710 with generating, by the key generation engine 104, a secret key based on the plurality of individual attribute-based hashes corresponding to the decryption policy.
  • the method continues at 712 with receiving, by the decryption engine 306, the encrypted message as ciphertext.
  • the method continues at 714 with decrypting, by the decryption engine 306, the encrypted message.
  • FIG. 8 is a block diagram of a computing device 800 to provide attribute-based cryptography, according to an example.
  • the computing device 800 includes, for example, a processing resource 830, and a non-transitory machine-readable storage medium 820 including instructions 802, 804, 806, and 808 for providing attribute-based cryptography including an attribute-based digital signature and attribute-based decryption.
  • Computing device 800 may be, for example, a notebook computer, a tablet computing device, a portable reading device, a wireless email device, a mobile phone, a workstation, a server, a desktop computer, or any other computing device.
  • Processing resource 830 may include a single processor, multiple processors, a single computer, a network of computers, or any other type of processing device suitable for retrieval and execution of instructions stored in machine-readable storage medium 820.
  • the processing resource 830 may include multiple cores on a chip, include multiple cores across multiple chips, multiple cores across multiple devices (e.g., if the computing device 800 includes multiple node devices), or combinations thereof.
  • Processing resource 830 may fetch, decode, and execute instructions 802-808 to implement methods 500, 600, and 700.
  • processing resource 830 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 802-808.
  • the non-transitory machine-readable storage medium 820 may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions.
  • machine-readable storage medium may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage drive, a Compact Disc Read Only Memory (CD-ROM), and the like.
  • machine-readable storage medium 820 may be encoded with a series of executable instructions for providing a digital signature.
  • Setup instructions 802 can be used to generate a public key.
  • the public key may be an OTS public key.
  • Setup instructions 802 may also be used to generate a master secret key.
  • Key generation instructions 804 may be used to input a plurality of individual attribute-based keys or attribute-based hashes into a mathematical representation of a circuit.
  • the circuit may comprise a plurality of coupled logic gates which correspond to a policy, such as a signing policy or a decryption policy.
  • Each of the plurality of individual attribute-based keys or hashes may correspond to an individual attribute.
  • the individual attribute may correspond to a characteristic representative of a user seeking to sign or decrypt a ciphertext.
  • Key generation instructions 804 may also be used to generate a secret key based on the plurality of individual attribute-based keys or hashes corresponding to the signing or decryption policy.
  • the secret key may also be based on the master secret key.
  • the cryptography instructions 806 may receive a message to be signed or decrypted.
  • the cryptography instructions 806 may also generate a digital signature or decrypt the message based on the secret key and the message to be signed.
  • Verification instructions 808 may verify the digital signature based on the public key.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Physics & Mathematics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Algebra (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A method and system for providing attribute-based cryptography which include inputting a plurality of individual attribute-based data into a circuit that implements a cryptography policy, generating a secret key via the circuit based on the plurality of individual attribute-based data corresponding to the cryptography policy, receiving a message, and generating a digital signature or decrypting a ciphertext based on the secret key and based on the message. Each of the plurality of individual attribute-based data corresponds to an individual attribute.

Description

ATTRIBUTE-BASED CRYPTOGRAPHY
BACKGROUND
[0001] Cryptography allows for secure communication in the presence of third parties over an insecure communication channel. Two types of modern cryptography include digital signatures and encryption/decryption. A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message (e.g., a document). A digital signature, once verified, gives a recipient reason to believe that the message was created by a known sender such that the sender cannot deny having sent the message and that the message was not altered in transit. Encryption is the process of encoding a message (e.g., a document) in a way that authorized parties are able to read it. Decryption is the process of decoding the encrypted message so that the authorized parties are able to read it.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] For a detailed description of various examples, reference will now be made to the accompanying drawings in which:
[0003] Figure 1 shows a block diagram of an attribute-based cryptography system, according to an example;
[0004] Figure 2 shows a block diagram of an attribute-based cryptography system implementing an attribute-based digital signature scheme, according to an example;
[0005] Figure 3 shows a block diagram of an attribute-based cryptography system implementing an attribute-based decryption scheme, according to an example;
[0006] Figure 4 shows an example circuit;
[0007] Figure 5 shows a flowchart of an attribute-based cryptography method, according to an example;
[0008] Figure 6 shows a flowchart of an attribute-based signature method, according to an example;
[0009] Figure 7 shows a flowchart of an attribute-based decryption method, according to an example; and
[0010] Figure 8 is a block diagram of a computing device to provide attribute-based cryptography, according to an example.
DETAILED DESCRIPTION
[0011] Some digital signature techniques include a signing policy which is expressed as a public key and a certificate. In some such techniques, a verifier can learn who created the digital signature. Thus, the identity of the signer is not a secret. In an identity-based signature technique, the signing policy is expressed as a signer's identifier. Again, a verifier can learn who created the digital signature. Anonymous signatures use a group key and the signing policy is expressed as a group structure. Any group member can produce a valid signature on behalf of the group. A verifier cannot learn which group member has signed a signature, but does know the group structure.
[0012] Another technique for creating and using digital signatures is referred to as an "attribute-based signature" technique. The signature is computed based on one or more attributes of the signer. Examples of attributes may include the position of the user within a company (e.g., job role or title), the location of the signer, etc. In attribute-based signatures, those users that have a valid set of attributes can successfully generate a valid signature for a given message.
[0013] An attribute-based signature scheme may be used to provide services such as entity authentication, data origin authentication, non-repudiation, and data-integrity. In attribute-based signature schemes, a signer who has enough attributes to satisfy the policy can produce a valid signature. A verifier knows that the signer has satisfied the policy. The set of attributes that has been used to sign along with the identity of the signers remain hidden. Unfortunately, the predicate itself (the policy) is known to the verifier in some attribute-based signature schemes.
[0014] In accordance with the disclosed implementations, various examples are provided herein that relate to attribute-based signature systems and methods to provide signer privacy, data origin authentication, non-repudiation, data-integrity, to ensure entity authentication, or a combination thereof. In the disclosed attribute-based signature techniques, the signer's identity, the signer's attributes, and/or the signing policy may remain hidden from the verifier.
[0015] Similarly, sharing encrypted data on the cloud allows for sharing of the data at a coarse level. In other words, sharing encrypted data requires giving a private key to any user that the data is to be shared with for decryption.
[0016] In accordance with the disclosed implementations, various examples are provided herein that relate to attribute-based decryption systems and methods which allow for fine-grained sharing of encrypted data. In other words, attribute-based decryption schemes allow a user to encrypt data with respect to a certain policy, and users who have the requisite credentials (attributes) to satisfy the policy are granted access to the data.
[0017] In an example, a master secret key is generated along with public keys which may be utilized for later verification of a digital signature or for use in decrypting a document. The attribute-based cryptography system may utilize a circuit which comprises a plurality of logic gates coupled together. These coupled logic gates implement a signing policy or decryption policy. The mathematical representation of the circuit receives as inputs a plurality of individual attribute-based keys or individual attribute-based hashes. All references herein to the "circuit" mean the hardware logic that implements the mathematical representation of the circuit. Each individual attribute-based key or hash corresponds to a distinct characteristic (attribute) that is representative of a user seeking to sign or decrypt a message. A secret key is generated by the circuit based on the individual attribute-based keys or hashes corresponding to the signing policy and based on the master secret key previously generated.
[0018] By way of example, a signing policy or decryption policy may be that a particular message can only be signed or decrypted by a junior level vice president that is located in the firm's London or New York offices. That policy can be implemented as a Boolean expression:
(junior level vice president) AND (London OR New York)
A circuit implements the Boolean expression that defines the policy. The policy implemented by the circuit, such as a circuit 110 of FIG. 1, a circuit 210 of FIG. 2, or a circuit 310 of FIG. 3, thus may specify that certain combinations of attributes must be true. In the above example, the job title (junior level vice president) and a certain location (New York or London) must both be true per the policy. To continue the example, the signing policy may also require that the signer may be either (a) a junior vice president and based in the London or New York offices or (b) a senior vice president at any office. Any types and number of logic gates can be used to implement the circuit 110, 210, or 310, such as AND gates, OR gates, NOT gates, NAND gates, NOR gates, XOR gates, XNOR gates, or any other logic gate. The fan-outs, or number of logic gates in the circuit 110, 210, or 310 are not limited to one as in the less expressive types of policies. In some implementations, the circuit is implemented as a mathematical representation of the Boolean expression and thus implemented in instructions executable by a hardware processor. In other implementations, the circuit may be an actual, physical circuit including various types of logic gates (AND gates, OR gates, etc.). All references herein to "circuit" refer to either or both types of implementations.
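The policy of paragraph [0018], extended with the senior vice president alternative, can be written out as wires and two-input gates and evaluated from the inputs upward. The following is an added illustration, not code from the application: the class and function names, the wire numbering (inputs 1..n, gates n+1..n+q, output n+q) and the convention that input wires sit at depth 1 are assumptions, and no cryptographic key material is computed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Gate:
    kind: str  # "AND" or "OR"
    a: int     # A(w): first input wire of this gate
    b: int     # B(w): second input wire of this gate


class PolicyCircuit:
    """Monotone policy circuit: n attribute wires followed by q gate wires.

    Hypothetical encoding chosen for this example. A wire may feed more than
    one gate, so fan-out is not limited to one.
    """

    def __init__(self, inputs, gates, max_depth):
        self.inputs = list(inputs)          # attribute name per input wire
        self.gates = list(gates)
        self.n, self.q = len(self.inputs), len(self.gates)
        # Assumed convention: input wires are at depth 1.
        self.depth = {w: 1 for w in range(1, self.n + 1)}
        for i, g in enumerate(self.gates):
            w = self.n + 1 + i
            if g.kind not in ("AND", "OR"):
                raise ValueError(f"wire {w}: unsupported gate {g.kind!r}")
            # Gates may only read wires that are already defined.
            if not (1 <= g.a < w and 1 <= g.b < w):
                raise ValueError(f"wire {w}: inputs must be earlier wires")
            self.depth[w] = 1 + max(self.depth[g.a], self.depth[g.b])
        self.output = self.n + self.q
        if self.depth[self.output] > max_depth:
            raise ValueError("circuit exceeds the upper boundary depth")

    def evaluate(self, held):
        """Return {wire: bool}, computed bottom-up in wire order."""
        held = set(held)
        value = {w: self.inputs[w - 1] in held for w in range(1, self.n + 1)}
        for i, g in enumerate(self.gates):
            w = self.n + 1 + i
            if g.kind == "AND":
                value[w] = value[g.a] and value[g.b]
            else:
                value[w] = value[g.a] or value[g.b]
        return value

    def satisfied(self, held):
        return self.evaluate(held)[self.output]

    def live_wires(self, held):
        """Wires that evaluate to 1; wires at 0 need no further work."""
        return [w for w, v in sorted(self.evaluate(held).items()) if v]


# (junior VP AND (London OR New York)) OR senior VP
ATTRIBUTES = ["junior level vice president", "London", "New York",
              "senior vice president"]
GATES = [
    Gate("OR", 2, 3),    # wire 5: London OR New York
    Gate("AND", 1, 5),   # wire 6: junior VP AND wire 5
    Gate("OR", 6, 4),    # wire 7 (output): wire 6 OR senior VP
]
POLICY = PolicyCircuit(ATTRIBUTES, GATES, max_depth=4)

if __name__ == "__main__":
    for held in (["junior level vice president", "London"],
                 ["junior level vice president"],
                 ["senior vice president"]):
        print(held, POLICY.satisfied(held), POLICY.live_wires(held))
```
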
[0019] A digital signature is then created or a ciphertext is decrypted based on the secret key and based on the message. In other words, the digital signature is created based on the individual attribute-based keys validly passing through the mathematical representation of the policy signing based circuit. The digital signature may then be verified based on the public key. Likewise, the ciphertext may be decrypted based on the individual attribute-based hashes validly passing through the mathematical representation of the policy decryption based circuit.
[0020] Figure 1 is a block diagram of an attribute-based cryptography system, in accordance with an example. In Figure 1, a computing system 102 includes a key generation engine 104, a cryptography engine 106, and a cryptography policy circuit 110. The computing system 102 may be, for example, a notebook computer, a tablet computing device, a portable reading device, a wireless email device, a mobile phone, a workstation, a server, a desktop computer, or any other computing device. The attribute-based cryptography system may allow for a valid digital signature based on a user's attributes corresponding to a signing policy or allow for the decryption of an encrypted message based on the user's attributes corresponding to a decryption policy.
[0021] The key generation engine 104 generates a secret key that is utilized by the cryptography engine 106 to generate a digital signature or decrypt an encrypted message. The key generation engine 104 implements cryptography policy circuit 110. In some examples, cryptography policy circuit 110 may include the key generation engine 104. In other examples, the key generation engine 104 may be implemented using cryptography policy circuit 110. Two such cryptography policy circuits include signing policy circuit 210 from Figure 2 and decryption policy circuit 310 from Figure 3. Cryptography policy circuit 110 corresponds to a cryptography policy such as a signing policy or a decryption policy. In other words, cryptography policy circuit 110 includes Boolean logic that corresponds to a policy of which users may sign or decrypt an individual message.
[0022] Cryptography policy circuit 110 receives individual attribute-based data as inputs. Such attribute-based data may include attribute-based keys corresponding to individual attributes of a user or attribute-based hashes also corresponding to individual attributes of a user. Cryptography policy circuit 110 outputs a secret key based on the individual attribute-based data corresponding to the cryptography policy.
[0023] Cryptography engine 106 receives a message that is to be signed or a ciphertext to be decrypted and generates a digital signature or decrypts the ciphertext based on the secret key and based on the message.
[0024] Figure 2 is an attribute-based cryptography system 200 implementing an attribute-based digital signature scheme, according to an example. In Figure 2, the system 200 includes a computing system 201 which also includes the key generation engine 104, the cryptography engine 106, and a signing policy circuit 210, as well as a setup engine 202. The cryptography engine 106 may include signature engine 206. The computing system 201 may be, for example, a notebook computer, a tablet computing device, a portable reading device, a wireless email device, a mobile phone, a workstation, a server, a desktop computer, or any other computing device. The signing policy circuit 210 may be one type of cryptography policy circuit 110.
[0025] System 200 also includes a verification engine 204 coupled to computing system 201 through a communications network 212. The communication network 212 can include wired communications, wireless communications, or combinations thereof. Further, the communication network 212 can include multiple sub-communication networks such as data networks, wireless networks, telephony networks, etc. Such networks can include, for example, a public data network such as the Internet, local area networks (LANs), wide area networks (WANs), metropolitan area networks (MANs), cable networks, fiber optic networks, combinations thereof, or the like. In various examples, wireless networks may include cellular networks, satellite communications, wireless LANs, etc. Further, the communication network 212 can be in the form of a direct network link between devices. Various communications structures and infrastructure can be utilized to implement the communication network 212.
[0026] By way of example, the computing systems 201 and verification engine 204 may communicate with each other and other components with access to the communication network 212 via a communication protocol or multiple protocols. A protocol can be a set of rules that defines how nodes of the communication network 212 interact with other nodes. Further, communications between network nodes can be implemented by exchanging discrete packets of data or sending messages. Packets can include header information associated with a protocol (e.g., information on the location of the network node(s) to contact) as well as payload information.
[0027] Setup engine 202 may generate a master secret key, a public key, and other parameters which may be utilized by the key generation engine 104. The setup engine 202 receives as inputs a security parameter
Figure imgf000008_0001
, an upper boundary depth of all circuits (ℓ) and an upper boundary input size for all attributes (n). A trusted third party may produce these values. The security parameter
Figure imgf000008_0002
is a variable that measures the resource requirements needed, such as the length, in bits, of the secret signing key to be computed. The upper boundary depth of all circuits is the upper boundary depth, based on the number of logic gates, for signing policy circuit 210. The upper boundary input size for all attributes (n) is the upper boundary number of attribute-based keys that may be input into signing policy circuit 210.
[0028] Setup engine 202 generates groups
Figure imgf000009_0001
of prime order p, with canonical generators,
Figure imgf000009_0002
where
Figure imgf000009_0003
Setup engine 202 also generates random values and In an example, setup
Figure imgf000009_0004
Figure imgf000009_0005
engine 202 generates the master secret key as:
Figure imgf000009_0006
[0029] Setup engine 202 may also generate a public key. The public key may be a one-time signature (OTS) public key. An OTS public key is a public key that is utilized to verify a single message. In an OTS scheme, a secret signing key is also used to sign a single message. The underlying OTS scheme can be instantiated by a suitable one-time strongly unforgeable signature scheme. Such schemes may include those that are based on the computational Diffie-Hellman (CDH) assumption in the standard model, or for instance, Schnorr signatures that are based on the Discrete Logarithm problem (Dlog) in the random oracle model using the Fiat-Shamir heuristic.
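As an added illustration of the Schnorr option named in paragraph [0029] (not code from the application), the sketch below signs one message with a Schnorr signature made non-interactive by the Fiat-Shamir heuristic and refuses a second use of the same key. The group (p = 2039, q = 1019, g = 4) is a constructed value chosen so the arithmetic can be followed by hand and gives no security; all names are hypothetical.

```python
import hashlib
import secrets

# Constructed parameters (assumption of this example): p = 2q + 1 with p and
# q prime; g = 4 is a square mod p, so it generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def _challenge(commit, public, message):
    """Fiat-Shamir challenge: hash of parameters, key, commitment, message."""
    header = "|".join(str(x) for x in (P, Q, G, public, commit)).encode()
    digest = hashlib.sha256(header + b"|" + message).digest()
    return int.from_bytes(digest, "big") % Q


class OneTimeKey:
    """Key pair that signs exactly one message, as an OTS key is meant to."""

    def __init__(self):
        self._x = secrets.randbelow(Q - 1) + 1      # secret in [1, q-1]
        self.public = pow(G, self._x, P)
        self._used = False

    def sign(self, message):
        if self._used:
            raise RuntimeError("one-time key has already signed a message")
        self._used = True
        k = secrets.randbelow(Q - 1) + 1            # fresh nonce
        commit = pow(G, k, P)                       # R = g^k
        c = _challenge(commit, self.public, message)
        s = (k + c * self._x) % Q                   # s = k + c*x mod q
        self._x = None                              # discard the secret
        return commit, s


def verify(public, message, signature):
    """Check g^s == R * y^c after validating ranges and subgroup membership."""
    commit, s = signature
    if not (1 < public < P and 1 <= commit < P and 0 <= s < Q):
        return False
    if pow(public, Q, P) != 1 or pow(commit, Q, P) != 1:
        return False
    c = _challenge(commit, public, message)
    return pow(G, s, P) == (commit * pow(public, c, P)) % P


if __name__ == "__main__":
    key = OneTimeKey()
    sig = key.sign(b"message to be signed")
    print("valid:", verify(key.public, b"message to be signed", sig))
```
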
[0030] In an example, the public key generated by setup engine 202 includes the group sequence
Figure imgf000009_0007
in addition to:
Figure imgf000009_0008
[0031] Setup engine 202 also generates additional parameters such as by solving for for each . The values d^may be utilized by the key
Figure imgf000009_0009
Figure imgf000009_0010
generation engine 104.
[0032] The key generation engine 104 generates a secret signing key to be used to produce a digital signature. The secret signing key is a key that is not known outside of computing system 102, 201. Thus, verification engine 204 does not know the secret signing key, nor the circuit used to generate the secret signing key.
[0033] The inputs to the signing policy circuit 210 include attribute-based keys that are computed based on the set of attributes of the potential signer. Each attribute-based key corresponds to an individual attribute, or characteristic, of a user to be used to generate that user's secret signing key. For example, an attribute-based key may correspond to the position level of a user, the location the user is based, the age of the user, or any other individual characteristic of the user. A lookup table may be utilized to generate the attribute-based keys. For example, a lookup table may match a key to a specific attribute. In another example, the attribute-based key may be based on an existing identity based scheme.
[0034] The key generation engine 104 receives any number of attribute-based keys as inputs to the circuit 210 in accordance with the signing policy implemented by the circuit 210. If the attribute-based keys correspond to the signing policy, a valid secret signing key is produced. In other words, if the attribute-based keys validly pass through the signing policy circuit 210, then a valid secret signing key is produced by the key generation engine 104. Otherwise, an invalid secret signing key is produced, a condition which will be detected during the verification phase. Attribute-based keys corresponding to the attributes of a user who wishes to sign the message would be input into the circuit 210. If these attributes validly pass through the circuit 210, then the attribute-based keys correspond to the signing policy and a valid secret signing key is generated.
[0035] Key generation engine 104 may receive as input the master secret key and a representation
Figure imgf000010_0001
of circuit 210 corresponding to a signing policy for a specific message. Key generation engine 104 outputs a secret signing key (SK), such that
Figure imgf000010_0002
. In some implementations, to represent the signing policy circuit 210, a mathematical representation may be utilized. In the mathematical representation, A may refer to A(w), which represents one input wire (w) for the circuit. Additionally, B may refer to B(w), a second input wire for the circuit. Circuit 210 may include n + q wires including n input wires and
Figure imgf000010_0007
gate wires. The wire n + q may be designated as an output wire.
[0036] The key generation engine 104 may generate random values
,
Figure imgf000010_0003
where random value
Figure imgf000010_0006
corresponds with wire .
Figure imgf000010_0004
The key generation engine 104 generates a header component:
Figure imgf000010_0005
The key generation engine 104 may generate key components for every wire w. The structure of the key components depends on whether w is an input wire or a logic gate, such as an OR gate or an AND gate.
[0037] The key generation engine 104 generates key components for an input wire with w
Figure imgf000011_0001
corresponding to the w-th input. The key generation engine 104 generates a random value The key generation engine 104 then
Figure imgf000011_0002
may generate the key components for w to be:
Figure imgf000011_0003
[0038] The key generation engine 104 generates key components of an OR gate with wire w
Figure imgf000011_0004
Gate and GateType(w) = OR. The OR gate has two inputs (A) and (B).
Figure imgf000011_0005
Additionally, j = depth(w) is the depth of wire w. Furthermore,
Figure imgf000011_0006
is the value associated with A while is the value associated with B.
Figure imgf000011_0007
Figure imgf000011_0008
The key generation engine 104 may generate random values . The
Figure imgf000011_0009
key generation engine 104 then may generate the key components w to be:
Figure imgf000011_0010
[0039] The key generation engine 104 generates key components of an AND gate with wire w
Figure imgf000011_0011
Gate and GateType(w) = AND. The AND gate has two inputs (A) and (B). Additionally, j = depth(w) is the depth of wire w. Furthermore,
Figure imgf000011_0012
is the rw value associated with A while is the rw value associated with B.
Figure imgf000011_0013
The key generation engine 104 may generate random values . The
Figure imgf000011_0014
key generation engine 104 then may generate the key components w to be:
Figure imgf000011_0015
[0040] The key generation engine 104 may then generate the secret signing key (SK) which includes
Figure imgf000011_0016
together with all of the key components for the inputs and logic gate wires.
[0041] Cryptography engine 106 may comprise signature engine 206. Signature engine 206 receives a message to be signed and generates a digital signature based on the secret signing key and the message to be signed. The message to be signed may be received from an outside source or from within computer system 201. As with the key generation engine 104, SK is the secret signing key and
Figure imgf000011_0017
. The message to be signed may be represented as
. A digital signature on m under SK indicates that the signature engine
Figure imgf000011_0018
has computed without knowing either a or β and the proof is bound with m.
Figure imgf000011_0019
[0042] Signature engine 206 may generate a random value
Figure imgf000012_0026
and generates
Figure imgf000012_0025
where c0 is gs. Here, s = β t which is unknown to signature engine 206. By using the pair (d0, c0), in an example, is an OTS public key and the value t as the corresponding secret key, signature engine 106 may create an OTS on m, which may be denoted by .
Figure imgf000012_0024
[0043] Signature engine 206 then may compute a knowledge proof denoted by
Figure imgf000012_0023
as follows. First, signature engine 206 may generate a header as:
.
Figure imgf000012_0022
Signature engine 206 then may compute
Figure imgf000012_0021
- This may be accomplished by evaluating the signing policy circuit 210 from the bottom up. For example, if wire w is at depth j and 1, signature engine 206 computes .
Figure imgf000012_0020
Figure imgf000012_0019
However, if
Figure imgf000012_0018
, signature engine 206 does nothing for that wire. Signature engine 206 iteratively starts with computing E1 and proceeds in order through the signing policy circuit 210 until signature engine 206 computes
Figure imgf000012_0017
By computing these values in order, the computation on a depth j - 1 wire, as long as it evaluates to 1, is defined before computing for a depth j wire.
[0044] Signature engine 206 may compute for
Figure imgf000012_0011
where
Figure imgf000012_0012
of an input wire as follows. Utilizing the convention
Figure imgf000012_0010
, the input wire corresponds to the w-th input. If that wire w satisfies
Figure imgf000012_0009
, then signature engine 106 computes
Figure imgf000012_0008
and then may compute:
.
Figure imgf000012_0007
[0045] Signature engine 206 may compute
Figure imgf000012_0013
where of an OR gate
Figure imgf000012_0014
with wire w
Figure imgf000012_0015
and GateType(w) = OR as follows. With
Figure imgf000012_0016
being the depth of wire w and , then if and , signature
Figure imgf000012_0004
Figure imgf000012_0005
Figure imgf000012_0006
engine 206 computes:
However, if , signature engine 206 computes:
Figure imgf000012_0003
Figure imgf000012_0002
[0046] Signature engine 206 may compute where
Figure imgf000013_0002
of an AND gate with wire w
Figure imgf000013_0003
Gate and GateType(w) = AND as follows. With j = depth(w) being the depth of wire w and
Figure imgf000013_0004
, then and ,
Figure imgf000013_0005
Figure imgf000013_0006
and signature engine 206 computes:
Figure imgf000013_0001
[0047] Thus, if , signature engine 206 generates
Figure imgf000013_0007
Figure imgf000013_0008
. Signature engine 206 then may compute . The
Figure imgf000013_0009
Figure imgf000013_0010
entire digital signature may be expressed as:
.
Figure imgf000013_0011
[0048] Verification engine 204 is connected to computing system 201 through the communication network 212. Although shown separately, in some examples, verification engine 204 is instead a part of computing system 201. Verification engine 204 verifies the validity of the digital signature created by signature engine 206 based on the public key created by setup engine 202.
[0049] In order to verify the digital signature , verification
Figure imgf000013_0012
engine 204 may perform a suitable verification. One such verification includes verification engine 204 verifying under the OTS public key (d0, c0). This
Figure imgf000013_0013
may be accomplished through following the verification of the underlying OTS scheme. By this verification, verification engine 204 may determine that
Figure imgf000013_0016
and that the value t is known by the signature engine. The signing policy is not involved in any of the verification equations utilized by verification engine 204 to verify the validity of the signature. Thus, the verification engine 204 does not need to know, and in fact may not know, the signing policy.
[0050] Another verification that verification engine 204 may perform is to verify by determining whether
Figure imgf000013_0014
holds true. This allows verification engine 204 to determine that for some value of s that is involved in the
Figure imgf000013_0015
secret signing key.
[0051] While two different verifications are presented, either one may be performed or both verifications may be performed. If verifications performed indicate that the signature σ is valid, verification engine 204 accepts the digital signature. However, if the verifications performed indicate that the signature σ is not valid, verification engine 204 rejects the digital signature.
[0052] Because the verification engine 204 does not have access to the mathematical representation of the circuit 210 or to any of the inputs into the circuit 210, the systems described herein may have privacy of the policy and privacy of the attributes. That is to say, that the verification engine 204 does not know the signing policy for the message nor does verification engine 204 know what attributes the user whose digital signature is created has.
[0053] Figure 3 shows a block diagram of an attribute-based cryptography system 300 implementing an attribute-based decryption scheme, according to an example. In Figure 3, the system 300 includes a computing system 301 which also includes the key generation engine 104, the cryptography engine 106, and a decryption policy circuit 310, as well as a setup engine 302 and encryption engine 304. The cryptography engine 106 may include decryption engine 306. The computing system 301 may be, for example, a notebook computer, a tablet computing device, a portable reading device, a wireless email device, a mobile phone, a workstation, a server, a desktop computer, or any other computing device. Decryption policy circuit 310 may be one type of cryptography policy circuit 110.
[0054] Setup engine 302 may generate a master secret key and a set of public parameters which may be utilized by encryption engine 304, the key
Figure imgf000014_0001
generation engine 104, and decryption engine 306. The setup engine 302 receives as inputs a security parameter , an upper boundary depth of all circuits
Figure imgf000014_0004
and a number of Boolean inputs (n). A trusted third party may produce these values. The security parameter is a variable that measures the resource
Figure imgf000014_0003
requirements needed, such as the length, in bits, of the secret signing key to be computed. The upper boundary depth of all circuits
Figure imgf000014_0002
is the upper boundary depth, based on the number of logic gates, for circuit 310. The Boolean inputs (n) is the input size for all ciphertexts that will be input into circuit 310.
[0055] Setup engine 302 generates groups
Figure imgf000015_0001
of prime order
Figure imgf000015_0013
with canonical generators, where . Setup engine 302 also
Figure imgf000015_0002
Figure imgf000015_0003
generates random values . The public parameters
Figure imgf000015_0004
Figure imgf000015_0006
consist of the group sequence description =
Figure imgf000015_0005
in addition to:
Figure imgf000015_0007
[0056] Setup engine 302 may map an individual attribute with a group element . To accomplish this, setup engine 302 may utilize a hash to point technique to hash the attribute
Figure imgf000015_0008
into the point where
Figure imgf000015_0009
Figure imgf000015_0010
is a suitable hash to point type of hash function. Setup engine 302, in an example, may hash the attributes into group elements , so that
Figure imgf000015_0011
.
Figure imgf000015_0012
[0057] In an alternative example, setup engine 302 may hash the decryption policy along with the attributes, so that users that have secret keys that correspond with the decryption policy may decrypt. In this example, the hash function is
Figure imgf000015_0014
where . In this example, if a
Figure imgf000015_0015
user uses as a basis to encrypt a particular message, any user who wishes
Figure imgf000015_0026
to decrypt that data should have a secret key that specifically corresponds to the decryption policy (e.g., being the attribute manager is not enough, by itself, to decrypt; the user is required to own a credential associated with manager
Figure imgf000015_0016
).
[0058] Utilizing this hashing technique, setup engine 302 may generate a set of public group elements
Figure imgf000015_0017
as follows:
.
Figure imgf000015_0018
Thus, the public parameters may be reduced by the setup engine 302 to:
Figure imgf000015_0019
-
Hence the setup engine 302 may generate the master secret key as:
Figure imgf000015_0020
[0059] Encryption engine 304 may receive the public parameters
Figure imgf000015_0021
and a message M to create ciphertext for the message, and thus, encrypt the message. Encryption engine 304 first generates based on the public parameters ,
Figure imgf000015_0022
Figure imgf000015_0025
the input x that describes which attributes are being used, and a message bit . Encryption engine 304 then may generate With S being
Figure imgf000015_0023
Figure imgf000015_0024
the set of i for which
Figure imgf000016_0001
, encryption engine 304 generates the following ciphertext:
Figure imgf000016_0002
[0060] The key generation engine 104 generates a secret signing key to be used by the decryption engine 306 for decryption of the encrypted message. The inputs to the decryption policy circuit 310 include the attribute-based hashes generated by setup engine 302. Each attribute-based hash corresponds to an individual attribute, or characteristic, of a user to be used to generate that user's secret key. For example, an attribute-based hash may correspond to the position level of a user, the location the user is based, the age of the user, or any other individual characteristic of the user.
[0061] The key generation engine 104 receives any number of attribute-based hashes as inputs to circuit 310 in accordance with the decryption policy implemented by circuit 310. If the attribute-based hashes correspond with the decryption policy, a valid secret key is produced. In other words, if the attribute-based hashes validly pass through the decryption policy circuit 310, then a valid secret key is produced by the key generation engine 104. Otherwise, an invalid secret signing key is produced, a condition that is detected during the decryption phase. Attribute-based hashes corresponding to the attributes of a user who wishes to decrypt the message would be input into the circuit 310. If these attributes validly pass through the circuit 310, then the attribute-based hashes correspond to the decryption policy and a valid secret key is generated.
[0062] The key generation engine 104 may receive as inputs the master secret key generated by setup engine 302 and a representation
Figure imgf000016_0004
of circuit 310 corresponding to a decryption policy for a specific message. The representation of circuit 310 has a total of n + q wires with n inputs, and q gates. The wire represents the output wire of circuit 310. The key generation engine 104 then may generate a set of keys (i.e. the header key , the input wire keys
Figure imgf000016_0005
, the OR gate keys , and the AND gate keys in a similar way
Figure imgf000016_0008
Figure imgf000016_0007
Figure imgf000016_0006
as discussed under Figure 2. Thus, the secret key generated by the key generation engine 104 is:
Figure imgf000016_0003
[0063] Decryption engine 306 may validly decrypt the message given a ciphertext CT corresponding with input
Figure imgf000017_0007
{0 1} and a secret key SK associated with representation
Figure imgf000017_0005
of circuit 310 if
Figure imgf000017_0006
. In other words, decryption engine 306 may decrypt the message if the attributes validly pass through the circuit 310. Decryption engine 306 generates
Figure imgf000017_0009
to retrieve the message M, since
Figure imgf000017_0008
. Utilizing the header key
Figure imgf000017_0010
decryption engine 306 may generate the following:
Figure imgf000017_0001
Therefore, decryption engine 306 may generate:
Figure imgf000017_0002
Thus, may be reduced to determining which is possible if circuit 310
Figure imgf000017_0003
is evaluated from the bottom up so long as
Figure imgf000017_0004
.
[0064] Figure 4 shows an example of cryptography circuit 110. The circuit depicted in Figure 4 may also represent circuit 210 and circuit 310. Circuit 110 from Figure 4 includes input wires 402, 404, 406, and 410, AND gate 408, OR gate 412 and output wire 414. The collection of wires and gates implements a particular cryptography policy such as a signing policy or a decryption policy. While a specific configuration is depicted in Figure 4, circuit 110, which is mathematically represented by the key generation engine 104 and cryptography engine 106, may be any combination of logic gates, such as AND gates, OR gates, NOT gates, NAND gates, NOR gates, XOR gates, XNOR gates, or any other logic gate that maps to a signing policy for a particular message.
[0065] In the example shown in Figure 4, the cryptography policy requires attribute-based keys or attribute-based hashes input as input wires 402 and 404 to validly pass through AND gate 408. Thus, both attribute-based keys input as input wires 402 and 404 may meet the signing policy or both attribute-based hashes input as input wires 402 and 404 may meet the decryption policy. For example, both inputs 402 and 404 may conform to the policy. The output of AND gate 408 acts as an input wire 410 along with input wire 406 for OR gate 412. In this case one of input wire 410 or input wire 406 may conform to the requirements for the output 414 of the circuit 110 to be valid. In the case of a digital signature, En+q is the output 414 of the cryptography policy circuit 110. As discussed previously under Figure 2, this is multiplied by E' in order to get as which is a part of the final signature. Moreover, inputs 402, 404, and 406 are algebraic group elements, thus, they are multi-bit attribute based keys.
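An added illustration (not code from the patent): the Figure 4 policy written as a wire-numbered circuit with n inputs and q gates, checked for well-formedness against a depth bound and evaluated bottom-up. The class and function names, the mapping of reference numerals to wire indices, and the depth convention (input wires at depth 1) are assumptions; only AND and OR gates are modelled, and no key material or group arithmetic is involved.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Gate:
    kind: str  # "AND" or "OR"
    a: int     # first input wire, 1-based
    b: int     # second input wire, 1-based


@dataclass(frozen=True)
class PolicyCircuit:
    n: int        # number of input wires (one per attribute)
    gates: tuple  # gate j (0-based) drives wire n + j + 1

    @property
    def q(self):
        return len(self.gates)

    @property
    def output_wire(self):
        # The last of the n + q wires is the circuit output.
        return self.n + self.q

    def validate(self, max_depth):
        """Reject malformed circuits; return the depth of every wire."""
        if self.n < 1:
            raise ValueError("circuit needs at least one input wire")
        depth = {w: 1 for w in range(1, self.n + 1)}  # assumed convention
        for j, g in enumerate(self.gates):
            w = self.n + j + 1
            if g.kind not in ("AND", "OR"):
                raise ValueError(f"wire {w}: unsupported gate {g.kind!r}")
            for src in (g.a, g.b):
                # A gate may only read wires that already have a value,
                # otherwise bottom-up evaluation is undefined.
                if not 1 <= src < w:
                    raise ValueError(f"wire {w}: input {src} is not an earlier wire")
            depth[w] = max(depth[g.a], depth[g.b]) + 1
        if max(depth.values()) > max_depth:
            raise ValueError("circuit exceeds the depth bound fixed at setup")
        return depth

    def unused_wires(self):
        """Non-output wires that feed no gate (attributes the policy ignores)."""
        used = {src for g in self.gates for src in (g.a, g.b)}
        return [w for w in range(1, self.output_wire) if w not in used]

    def evaluate(self, x):
        """Bottom-up evaluation on input bits x; call validate() first."""
        if len(x) != self.n:
            raise ValueError(f"expected {self.n} input bits, got {len(x)}")
        val = {i + 1: bool(bit) for i, bit in enumerate(x)}
        for j, g in enumerate(self.gates):
            a, b = val[g.a], val[g.b]
            val[self.n + j + 1] = (a and b) if g.kind == "AND" else (a or b)
        return val[self.output_wire]


def satisfying_inputs(circuit):
    """All input assignments for which the policy circuit outputs true."""
    return [x for x in product((0, 1), repeat=circuit.n) if circuit.evaluate(x)]


# Figure 4, with an assumed numbering: wires 1, 2, 3 are inputs 402, 404, 406;
# wire 4 is the output of AND gate 408 (wire 410); wire 5 is output 414.
FIG4 = PolicyCircuit(n=3, gates=(Gate("AND", 1, 2), Gate("OR", 4, 3)))

if __name__ == "__main__":
    print("wire depths:", FIG4.validate(max_depth=3))
    print("ignored wires:", FIG4.unused_wires())
    for x in satisfying_inputs(FIG4):
        print("policy satisfied by", x)
```

Running the validation before any key is generated catches policies that reference undefined wires, exceed the depth fixed at setup, or silently ignore an attribute.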
[0066] Figures 5, 6, and 7 are flowcharts of attribute-based cryptography methods 500, 600, and 700. Although the execution of methods 500, 600, and 700 is described below with reference to systems 102, 200, and 300, other suitable components for execution of methods 500, 600, and 700 can be utilized (e.g., computing device 800). Additionally, the components for executing the methods 500, 600, and 700 may be spread among multiple devices. Methods 500, 600, and 700 may be implemented in the form of processor executable instructions stored on a non-transitory machine-readable storage medium, such as the machine-readable storage medium 820, and/or in the form of electronic circuitry.
[0067] Method 500 begins at 502 with inputting a plurality of individual attribute-based data into circuit 110. As explained above, the circuit 110 comprises a plurality of logic gates which implement a Boolean expression that defines a signing or decryption policy for a message. Each of the plurality of individual attribute-based data may correspond to an individual attribute. Each individual attribute may correspond to a characteristic representative of a user seeking to sign a message. The individual attribute-based data may include individual attribute-based keys and individual attribute-based hashes.
[0068] The method continues at 504 with generating, by the key generation engine 104, a secret key, such as a secret signing key, based on the plurality of individual attribute-based data corresponding to the signing or decryption policy. The method continues at 506 with receiving, by the cryptography engine 106, a message to be signed or decrypted. The message to be decrypted may be ciphertext. The method continues at 508 with generating a digital signature or decrypting the message, by the cryptography engine 106, based on the secret key and based on the message.
[0069] Method 600 begins at 602 with generating a master secret key by the setup engine 202. The method continues at 604 with generating a public key by the setup engine 202. The public key may be an OTS public key. The method continues at 606 with inputting a plurality of individual attribute-based keys into the signing policy circuit 210. The circuit 210 comprises a plurality of logic gates. The logic gates correspond to a signing policy for a message.
[0070] The method continues at 608 with generating, by the key generation engine 104, a secret signing key based on the plurality of individual attribute-based keys corresponding to the signing policy. The method continues at 610 with receiving, by the signature engine 206, a message to be signed. The method continues at 612 with generating, by the signature engine 206, a digital signature based on the secret signing key and the message to be signed. The method continues at 614 with verifying, by verification engine 204, the digital signature.
[0071] Method 700 begins at 702 with generating a master secret key by the setup engine 302. The method continues at 704 with generating public parameters by the setup engine 302. The method continues at 706 with encrypting, by encryption engine 304, a message. The method continues at 708 with inputting a plurality of individual attribute-based hashes into the decryption policy circuit 310. The circuit 310 comprises a plurality of logic gates that correspond to a decryption policy for a message.
[0072] The method continues at 710 with generating, by the key generation engine 104, a secret key based on the plurality of individual attribute-based hashes corresponding to the decryption policy. The method continues at 712 with receiving, by the decryption engine 306, the encrypted message as ciphertext. The method continues at 714 with decrypting, by the decryption engine 306, the encrypted message.
[0073] Figure 8 is a block diagram of a computing device 800 to provide attribute-based cryptography, according to an example. The computing device 800 includes, for example, a processing resource 830, and a non-transitory machine-readable storage medium 820 including instructions 802, 804, 806, and 808 for providing attribute-based cryptography including an attribute-based digital signature and attribute-based decryption. Computing device 800 may be, for example, a notebook computer, a tablet computing device, a portable reading device, a wireless email device, a mobile phone, a workstation, a server, a desktop computer, or any other computing device.
[0074] Processing resource 830 may include a single processor, multiple processors, a single computer, a network of computers, or any other type of processing device suitable for retrieval and execution of instructions stored in machine-readable storage medium 820. For example, the processing resource 830 may include multiple cores on a chip, include multiple cores across multiple chips, multiple cores across multiple devices (e.g., if the computing device 800 includes multiple node devices), or combinations thereof. Processing resource 830 may fetch, decode, and execute instructions 802-808 to implement methods 500, 600, and 700. As an alternative or in addition to retrieving and executing instructions, processing resource 830 may include at least one integrated circuit (IC), other control logic, other electronic circuits, or combinations thereof that include a number of electronic components for performing the functionality of instructions 802-808.
[0075] The various engines depicted in Figures 1, 2, and 3 are implemented as the processing resource 830 executing machine instructions such as those illustrated in Figure 8.
[0076] The non-transitory machine-readable storage medium 820 may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, machine-readable storage medium may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage drive, a Compact Disc Read Only Memory (CD-ROM), and the like. As described in detail herein, machine-readable storage medium 820 may be encoded with a series of executable instructions for providing a digital signature.
[0077] Setup instructions 802 can be used to generate a public key. The public key may be an OTS public key. Setup instructions 802 may also be used to generate a master secret key. Key generation instructions 804 may be used to input a plurality of individual attribute-based keys or attribute-based hashes into a mathematical representation of a circuit. The circuit may comprise a plurality of coupled logic gates which correspond to a policy, such as a signing policy or a decryption policy. Each of the plurality of individual attribute-based keys or hashes may correspond to an individual attribute. The individual attribute may correspond to a characteristic representative of a user seeking to sign or decrypt a ciphertext.
[0078] Key generation instructions 804 may also be used to generate a secret key based on the plurality of individual attribute-based keys or hashes corresponding to the signing or decryption policy. The secret key may also be based on the master secret key.
[0079] The cryptography instructions 806 may receive a message to be signed or decrypted. The cryptography instructions 806 may also generate a digital signature or decrypt the message based on the secret key and the message to be signed. Verification instructions 808 may verify the digital signature based on the public key.
[0080] The above discussion is meant to be illustrative of the principles and various embodiments of the present disclosure. Numerous variations and modifications will become apparent to those skilled in the art once the above disclosure is fully appreciated. It is intended that the following claims be interpreted to embrace all such variations and modifications.

Claims

What is claimed is:
1. An attribute-based cryptography system, comprising:
a key generation engine to generate a secret key, the key generation engine to implement a cryptography policy circuit that defines a cryptography policy, the cryptography policy circuit to receive as an input a plurality of individual attribute-based data and to output the secret key based on the individual attribute based data corresponding to the cryptography policy; and
a cryptography engine to receive ciphertext or a message and to decrypt the ciphertext or generate a digital signature based on the secret key and based on the message;
wherein each of the plurality of individual attribute-based data corresponds to an individual attribute.
2. The attribute-based cryptography system of claim 1, further comprising:
a verification engine to accept or reject a digital signature, the verification engine not having access to the cryptography policy, the cryptography policy being a signing policy;
wherein the cryptography engine comprises a signature engine to receive the message and to generate the digital signature,
wherein the cryptography policy circuit is a signing policy circuit comprising Boolean logic that implements the signing policy, and wherein each of the plurality of individual attribute-based data is an individual attribute-based key.
3. The attribute-based cryptography system of claim 2, wherein each individual attribute is selected from a group comprising a position level of a user, a location the user is based, and an age of the user.
4. The attribute-based cryptography system of claim 2, further comprising a setup engine to generate a public key, the public key being one-time signature (OTS) public key.
5. The attribute-based cryptography system of claim 1,
wherein the cryptography engine comprises a decryption engine to receive the ciphertext and to decrypt the ciphertext based on the individual attribute-based data corresponding to a cryptography policy, the cryptography policy being a decryption policy;
wherein the cryptography policy circuit is a decryption policy circuit comprising Boolean logic that implements the decryption policy; and
wherein each of the individual attribute-based data is a hash of the individual attribute.
6. A non-transitory machine-readable storage medium storing instructions that, if executed by a processing resource of an attribute-based cryptography system, cause the processing resource to:
generate a public key;
input a plurality of individual attribute-based data into a circuit defining a cryptography policy;
generate a secret key via the circuit based on the plurality of individual attribute-based data corresponding to the cryptography policy; and
generate a digital signature or decrypt a ciphertext based on the secret key and based on the public key;
wherein each of the plurality of individual attribute-based data corresponds to an individual attribute.
7. The non-transitory machine-readable storage medium of claim 6, further comprising instructions that, if executed by the processing resource, causes the processing resource to generate a master secret key based on an upper boundary depth of the circuit, wherein the secret key is further based on the master secret key.
8. The non-transitory machine-readable storage medium of claim 6, further comprising instructions that, if executed by the processing resource, wherein the public key is a one-time signature (OTS) public key used by a verification engine to verify a single message.
9. The non-transitory machine-readable storage medium of claim 6,
wherein the plurality of individual attribute-based data is a plurality of individual attribute-based keys;
wherein the circuit is signing policy circuit comprising Boolean logic that implements a signing policy; and
wherein the individual attribute corresponds to a characteristic representative of a user seeking to sign a message.
10. The non-transitory machine-readable storage medium of claim 6,
wherein the plurality of individual attribute-based data is a plurality of individual attribute-based hashes;
wherein the circuit is a decryption policy circuit comprising Boolean logic that implements a decryption policy; and
wherein the individual attribute corresponds to a characteristic representative of a user seeking to decrypt the ciphertext.
11. An attribute-based cryptography method, comprising:
inputting a plurality of individual attribute-based data into a mathematical representation of a plurality of coupled logic gates corresponding to a cryptography policy;
generating, by at least one processor, a secret key based on the plurality individual attribute-based data corresponding to the cryptography policy;
receiving, by the at least one processor, a message; and
generating a digital signature or decrypting the ciphertext based on the secret key and based on the message;
wherein each of the plurality of individual attribute-based keys corresponds to an individual attribute.
12. The attribute-based cryptography method of claim 11, further comprising verifying the digital signature such that a signing policy is not known when the digital signature is verified;
wherein the individual attribute-based data is a plurality of individual attribute-based keys;
wherein the cryptography policy is a signing policy; and
wherein the individual attribute corresponds to a characteristic representative of a user seeking to sign the message.
13. The attribute-based cryptography method of claim 12, further comprising generating a master secret key and a public key, wherein a secret signing key is further based on the master secret key and the public key, the public key being a one-time signature (OTS) public key.
14. The attribute-based cryptography method of claim 11, further comprising encrypting the message;
wherein the individual attribute-based data is a plurality of individual attribute-based hashes;
wherein the cryptography policy is a decryption policy; and
wherein the individual attribute corresponds to a characteristic representative of a user seeking to decrypt the ciphertext.
15. The attribute-based cryptography method of claim 14, further comprising generating a master secret key and public parameters;
wherein the generating the secret key is further based on the master secret key and the public parameters.
PCT/US2014/047773 2014-07-23 2014-07-23 Attribute-based cryptography WO2016014048A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2014/047773 WO2016014048A1 (en) 2014-07-23 2014-07-23 Attribute-based cryptography

Publications (1)

Publication Number Publication Date
WO2016014048A1 true WO2016014048A1 (en) 2016-01-28

Family

ID=55163435

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/047773 WO2016014048A1 (en) 2014-07-23 2014-07-23 Attribute-based cryptography

Country Status (1)

Country Link
WO (1) WO2016014048A1 (en)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14898193

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14898193

Country of ref document: EP

Kind code of ref document: A1