This invention refers to the field of broadcast encryption, in particular the way to manage authorization rights to access the content described by a logical expression in a broadcast system having a management center and a plurality of receiving devices which have certain characteristics.
The area of broadcast encryption is well known in the art and was discussed for the first time by Fiat and Naor [1]. In this setting, the broadcasting center can send an encrypted message to a set of privileged (i.e., non-revoked) users which is a subset of the set of all possible receivers. Sometimes these terminals can be arranged according to some natural characteristics or attributes like their ZIP code based geographical location, their subscription to certain packages or their software version. Intuitively the broadcaster would like to broadcast to receivers which satisfy some of these properties in a more or less complex manner. For instance the broadcaster may want to enforce the access policy by sending the content only to receivers which are in ((“New York”) OR (“New Jersey”)) AND (with a receiver's firmware not older than 2.1.1). It should be emphasized that in this scenario, the broadcaster does not know the receivers identities and broadcasts to a subsets of receivers according to a logical expression based on their characteristics contrary to the standard broadcast encryption model, where the center broadcasts to a specific subset of receivers by specifying explicitly their identities.
The notion of attribute-based encryption (ABE) where the center broadcasts to a subset of receivers in terms of descriptive attributes was introduced by Sahai and Waters in [2]. There are two types of ABE, namely: key-policy ABE where the access policy (also called the access structure) is specified in the private key and ciphertext-policy ABE where the access policy is specified in the ciphertext. Bethencourt, Sahai and Waters proposed the first construction of a ciphertext-policy ABE in [3]. Current invention concerns only ciphertext-policy ABE schemes, which will be further referenced simply as ABE schemes.
Those skilled in the art would agree that a logical access policy can be expressed using AND, OR and NOT logical gates. These expressions can be generalized under two forms, namely the disjunctive normal form (DNF) and the conjunctive normal form (CNF). The CNF is the conjunction (in other words a logical AND) of clauses, where a clause is a disjunction (in other words a logical OR) of attributes. The DNF is the disjunction (a logical OR) of conjunctions (a logical AND) of attributes. The NOT gate can be only part of a single attribute. For a set of attributes A1, A2, K , An an example of a CNF expression would be: (A1A2A3)(A4A5A6)K(An-2An-1An) and an example of a DNF expression would be: (A1A2A3)(A4A5A6)K(An-2An-1An). In the two examples above the symbol represents a logical AND, and the symbol represents a logical OR.
An important notion is the one of a monotonic logical expression. The expression is called monotonic if it can be defined as a composition of logical ANDs and ORs, but without any NOTs.
It should be noted that the prior art describes ABE schemes, methods and systems which operate with DNF types of logical expressions, most of the them being monotonic and restricted to a certain fixed number of clauses or attributes per such expression. For instance, recently, such methods were disclosed in [4], [5] and [6].
Those skilled in the art would notice that the crucial property of an ABE scheme is the so-called attribute-collusion resistance property. This is represented by the fact that provided two decryption keys dku
The aim of the present invention is to address CNF types of logical expressions for ABE. The benefit of the present application is hence the possibility to efficiently perform ciphertext-policy ABE for CNF expressions with logical ANDs and ORs, as well as logical NOTs.
The aim is achieved thanks to a method for providing attribute-based encryption for conjunctive normal form (CNF) expressions, the said CNF expression consisting of at least one clause over a set of attributes, the said method consisting of a key generation engine, an encryption engine and a decryption engine, and comprising the steps of:
Generating by the key generation engine a random gεG, where G is a prime order group of order p, four random values α, γ, β, rεRZ/pZ, and for i=1, 2, K, n, n+2, K , 2n computing by the key generation engine 2n values gi=gα
Generating by the encryption engine the encryption key PK=(gr, g1r, K ,gnr, gn+2r, K, g2nr, vr, gnβ, gn) consisting of 2n+2 group elements, n being the number expressing the size of the attribute set. For the abovementioned CNF expression over a set of attributes, CNF expression consisting of N clauses, generating by the encryption engine N random values t1, t2, K, tNεRZ/pZ, computing by the encryption engine the value
generating by the encryption engine the cryptogram hdr=(gnt, hdr1, K, hdrN) consisting of 2N+1 group elements with
for each clause βi in the abovementioned CNF expression and generating the session key SK as SK=e(g1r, gnβ)t=e(g, g)βrα
The method of the invention will be better understood thanks to the attached figures in which:
the
the
The present invention relates to cryptographic systems and methods and provides an attribute collusion-resistant ciphertext-policy attribute-based encryption scheme for conjunctive normal form (CNF) expressions.
Bilinear Maps
The present invention relies on bilinear maps (also called pairings in the related art). Let G and GT be two cyclic groups of prime order p and a generator gεG. Let e: G×G→GT be a non-degenerate bilinear map such that for all x,yεG and a,bεZ/pZ , we have e(xa,yb)=e(x,y)ab and e(g,g)≠1 . The function e(.,.) should be also efficiently computable. For example, such maps can be, for instance, Weil or Tate pairings on supersingular elliptic curves. Their usage and implementation is well-known in the art. Weil and Tate pairings are provided here as examples and for the purpose of the preferred embodiment and it should be noted that any admissible pairing function e(.,.) with the above properties can be used. The preferred method involved in the computation of such a function will be the so-called Miller's algorithm for pairing calculation which is well known in the related art [7].
Choice of the Parameters
In the preferred embodiment we are using a supersingular elliptic curve E(Fp) with p≡3(mod4) a prime number of at least 512 bits and the order of E(Fp)=p+1. The group of point on the elliptic curve E(Fp) should also have a subgroup of prime order q of at least 160 bits. The sizes of these parameters correspond to the (block cipher) security equivalent of 80 bits. The generation of such elliptic curves is well known in the related art. Hence the following map is defined based on the Tate pairing function: E[q]×E′(Fp)→Fp
Preferred Implementation of the Scheme
According to the preferred embodiment of the current invention we consider a system where receivers can be arranger according to some characteristics or attributes, such as geographical position, firmware version, etc. Let n be the total number of such characteristics or attributes and λ be the total number of receivers. Hence for the sake of the preferred embodiment we can name these characteristics with n literals A1, A2 , K, An.The preferred implementation of the current invention includes three randomized algorithms, namely KeyGen, Encrypt and Decrypt implemented on a computer or in a dedicated apparatus. It should be also noted that in the below preferred implementation we will use an additive group law notation which is also frequently used in the art.
KeyGen algorithm starts by generating a random point GεE[q] by any well known mean of the art, as well as four random values α, γ, β, rεRZ/qZ. Then for i=1, 2, K, n, n+2, K, 2n the algorithm computes 2n−1 values Gi=αiG and V=γG. The algorithm then generates a public encryption key PK=(rG, rG1, K, rGn, rGn+2, K, rG2n, rV, βGn, Gn) consisting of 2n+2 points in the group E[q]. The algorithm will also generate a plurality of individual private decryption keys for each of λ receivers as follows. First the algorithm generates by any known mean of the art a random value suεZ/qZ. Then, for i=1, 2, K, n, n+2, K, 2n it sets 2n−1 values suG1, K, suGn, suGn+2, K, suG2n and computes the value r(β+su)Gn. Finally, for every defined property among A1, A2, K, An which characterizes the receiver, the algorithm computes N+R values Di
Encryption algorithm is provided with an expression in CNF of the form β1β2KβN, wherein every clause βi consists of a disjunction (logical ORs) of several attributes. First, the algorithm randomly generates N values t1,K,tNεZ/qZ by any well known mean of the art and computes the value
The encryption algorithm also computes the value hdr0=t·Gn. The algorithm then computes for every clause βi a pair of values, namely hdri,0=tirG and
It should be noted that the value j corresponds to an attribute in the clause βi. The said pair of values constitutes the i-th part of the cryptogram. After computing N-th such pair (for the last clause βN), the encryption algorithm computes the session key SK=e(r·G1, β·Gn)t=e(G,G)βrα
Decryption algorithm, upon receiving the cryptogram hdr=(hdr0,hdri,0,hdri,1,K,hdrN,0,hdrN,1), the corresponding expression in CNF and the useful encrypted message, examines the expression and determines whether or not the receiver fulfils the necessary conditions for decrypting the message. In the case where it does fulfil the necessary conditions, the decryption algorithm proceeds as follow. First, for every clause in the expression it computes the values
where the values Dk are bonded to the characterizing attributes of the receiver, the said attributes being also listed in the clause βi. Each of such N computations is performed using two pairing function described above. After computing N such values SK1S
The said session key is then hashed, in the context of this preferred embodiment, using the SHA-256 hash function and the resulting 128 less significant bits are used as the key for the AES algorithm in decryption mode to decrypt the useful message.
The person skilled in the art would appreciate the fact that the encryption key is public, any party can use it to encrypt any useful contents with respect to any CNF expression and that the said encryption key can not be used to derive the session key or decrypt the useful message without fulfilling a given CNF expression by explicitly possessing the decryption keys corresponding to the said expression. Those familiar with the art would also appreciate the fact that the proposed method fulfills the attribute collusion-resistance property described above. Contrary to the existing schemes of the art, the present invention can support expressions of any number of clauses and attributes without any constraints. Also, the size of the header is linear in the number of clauses and does not depend on the number of the attributes in any clause or in the whole expression.
It is important to note that the use of the particular supersingular elliptic curve over the finite field of a given size, its prime order subgroup, the specific bilinear map function as defined above, its parameters, key sizes, the use of the SHA-256 hash function and AES encryption algorithm is solely defined for the purpose of the preferred embodiment of the present invention and is not, in any case, limiting. Any elliptic curve, or any other group where the bilinear map can be efficiently and securely computed for a given security parameter can be used for the purpose of the present invention. The useful message, such as (but not limited to) video or audio content, can be encrypted or scrambled by any cryptographically secure means using key or keys derived from the session key defined in the scope of the present invention.
The above broadcast encryption scheme can be used to transmit messages from a control center to a plurality of terminals. These messages contain initialization data pertaining to one terminal.
In the
The receiving device RD1 being entitled to the subscription package B1 has received the key material K1. Due to the fact that this receiving device RD1 is not entitled to the subscription package B2, the key material K2′ was also sent to it.
The receiving device RD2 being entitled to the subscription package B1 and B2, both key material K1 and K2 were sent to this device.
The receiving device RD2 being entitled to the Subscription package B2, the key material K2 was sent to it. Due to the fact that this receiving device RD3 is not entitled to the Subscription package B1, the key material K1′ was also sent to it.
In case that the management center MC needs to transmit an access key K to only the receiving devices allowed to the second Subscription package B2 and not allowed to the first Subscription package B1, the cryptogram CY sent to the receiving devices RD will contain the access key combined with the negative key material K1′ and the positive key material K2.
In the authorization message containing the cryptogram, another field into the message contains a descriptor of the keys to be used for the decryption. This can be in the form of two bitmap, each active bits defining a subscription package, and one bitmap for the positive keys and the other one for the negative keys. According to the implementation of the invention, it could decided that the positive keys are used first to decrypt the cryptogram and then the negative keys.
The product key can release a single broadcast product, e.g. a film or can release a service for a day or a month.
The subscription package can refer to a plurality of services or a single service. The invention thus allows to define the access rule of this product by combining the access to the channel 3 (first subscription package) and not the channel 6 (second subscription package).
The invention has been described in detail with particular reference to the preferred embodiment thereof. It should be however understood that variations and modifications can be produced within the scope and the spirit of the present invention.
[1] A. Fiat and M. Naor, “Broadcast encryption”, CRYPTO'93, Lecture Notes in Computer Science 773, pp. 480491, Springer-Verlag, 1994.
[2] A. Sahai and B. Waters. Fuzzy identity-based encryption. In Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, pages 457-473, 2005.
[3] J. Bethencourt, A. Sahai, and B. Waters. Ciphertext-policy attribute-based encryption. In 2007 IEEE Symposium on Security and Privacy (S&P 2007), 20-23 May 2007, Oakland, Calif., USA, pages 321-334, 2007.
[4] B. Waters. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. http://eprint.iacr.org/2008/290.pdf, 2008. Unpublished manuscript.
[5] D. Lubicz and T. Sirvent. Attribute-based broadcast encryption scheme made efficient. In S. Vaudenay et al., editor, Proc. of Advances in Cryptology—Africacrypt'08, volume 5023 of LNCS, pages 325-342. Springer-Verlag, 2008.
[6] N. Attrapadung and H. Imai. Conjunctive broadcast and attribute-based encryption. In Pairing-Based Cryptography—Pairing 2009, Third International Conference, Palo Alto, Calif., USA, Aug. 12-14, 2009, pages 248-265, 2009.
[7] V. Miller. Short program for functions on curves. http://crypto.stanford.edu/miller/miller.pdf, 1986. Unpublished manuscript.
[8] P. Barreto, H. Kim, B. Lynn, M. Scott. Efficient Algorithms for Pairing-Based Cryptosystems. In Advances in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, pages 354-368, London, UK, 2002. Springer-Verlag.
This application is a U.S. National Stage Filing under 35 U.S.C. 371 from International Patent Application Serial No. PCT/EP2010/067817, filed Nov. 19, 2010, and published on May 26, 2011 as WO 2011/061285A1, which claims the priority benefit of U.S. Provisional Application Ser. No. 61/262,602, filed Nov. 19, 2009, the contents of which are incorporated herein by reference in their entirety.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP2010/067817 | 11/19/2010 | WO | 00 | 5/17/2012 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2011/061285 | 5/26/2011 | WO | A |
Number | Date | Country |
---|---|---|
2068489 | Jun 2009 | EP |
Entry |
---|
“PCT/EP2010/067817 Search Report and Written Opinion, mailed Mar. 28, 2011”, 11 pgs. |
Attrapadung, Nuttapong, et al., “Conjunctive Broadcast and Attribute-Based Encryption”, Pairing 2009, LNCS 5671, (2009), pp. 248-265. |
Boneh, Dan, et al., “Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys”, Crypto 2005, LNCS 3621, (2005), pp. 258-275. |
Barreto, Paulo, et al., “Efficient Algorithms for Pairing-Based Cryptosystems”, CRYPTO 2002, 22nd Annual International Cryptology Conference, (2002), 354-369. |
Bethencourt, J, et al., “Ciphertext-policy attribute-based encryption”, IEEE Symposium on Security and Privacy (SP'07), (2007), 14 pgs. |
Fiat, Amos, et al., “Broadcast encryption”, Advances in Cryptology—CRYPTO'93, Lecture Notes in Computer Science, vol. 773/1994, (1994), 480-491. |
Lubicz, David, et al., “Attribute-based broadcast encryption scheme made efficient”, Lecture Notes in Computer Science, 2008, vol. 5023, Progress in Cryptology—AFRICACRYPT 2008, (2008), 325-342. |
Miller, Victor S, “Short program for functions on curves”, Exploratory Computer Science. IBM, Thomas J. Watson Research Center, Unpublished Manuscript. Retrieved from the Internet: <URL: http://crypto.stanford.edu/miller/miller.pdf, (Accessed May 30, 2012), 1-7. |
Sahai, A, et al., “Fuzzy identity-based encryption”, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus Denmark., (2005), 457-473. |
Waters, Brent, “Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization”, University of Texas at Austin, Unpublished Manuscript. Retrieved from the Internet: <URL: http://eprint.iacr.org/2008/290.pdf>, (Accessed May 30, 2012), 30 pgs. |
Number | Date | Country | |
---|---|---|---|
20120224692 A1 | Sep 2012 | US |
Number | Date | Country | |
---|---|---|---|
61262602 | Nov 2009 | US |