前言
做一篇论文笔记以及源码阅读笔记
J. Bethencourt, A. Sahai and B. Waters, “Ciphertext-Policy Attribute-Based Encryption,” 2007 IEEE Symposium on Security and Privacy (SP '07), 2007, pp. 321-334, doi: 10.1109/SP.2007.11.
主要探讨系统方案的算法实现部分, 源码是python的charm-crypto库的abenc_bsw07.
系统方案
符号汇总
ZR, G1, G2, GT, pair都是导入的已有模块的定义, pair是双线性映射方法.
# type annotations
pk_t = { 'g':G1, 'g2':G2, 'h':G1, 'f':G1, 'e_gg_alpha':GT }
mk_t = {'beta':ZR, 'g2_alpha':G2 }
sk_t = { 'D':G2, 'Dj':G2, 'Djp':G1, 'S':str }
ct_t = { 'C_tilde':GT, 'C':G1, 'Cy':G1, 'Cyp':G2 }
S e t u p ( ) → { P K , M K } Setup() → \{PK, MK\} Setup()→{PK,MK}
初始化系统, 输出系统公钥PK, 主私钥MK.
@Output(pk_t, mk_t)
def setup(self):
g, gp = group.random(G1), group.random(G2)
alpha, beta = group.random(ZR), group.random(ZR)
# initialize pre-processing for generators
g.initPP(); gp.initPP()
h = g ** beta; f = g ** ~beta
e_gg_alpha = pair(g, gp ** alpha)
pk = { 'g':g, 'g2':gp, 'h':h, 'f':f, 'e_gg_alpha':e_gg_alpha }
mk = {'beta':beta, 'g2_alpha':gp ** alpha }
return (pk, mk)
g(= g1), gp( = g2)分别是群G1, G2的生成元由group.random(G1)与group.random(G2)生成,
α
,
β
\alpha, \beta
α,β是p阶整数集合
Z
p
Z_p
Zp的随机数, 由group.random(ZR)生成. 方法返回pk和mk.
@Input和@Output函数是修饰器, 在函数输入输出前进行类型检查, 如果不对则报错, 下同.
E n c r y p t ( P K , M , A ) → C T Encrypt(PK, M, \mathbb{A}) → CT Encrypt(PK,M,A)→CT
@Input(pk_t, GT, str)
@Output(ct_t)
def encrypt(self, pk, M, policy_str):
policy = util.createPolicy(policy_str)
a_list = util.getAttributeList(policy)
s = group.random(ZR)
shares = util.calculateSharesDict(s, policy)
C = pk['h'] ** s
C_y, C_y_pr = {}, {}
for i in shares.keys():
j = util.strip_index(i)
C_y[i] = pk['g'] ** shares[i]
C_y_pr[i] = group.hash(j, G2) ** shares[i]
return { 'C_tilde':(pk['e_gg_alpha'] ** s) * M,
'C':C, 'Cy':C_y, 'Cyp':C_y_pr, 'policy':policy_str, 'attributes':a_list }
K e y G e n e r a t i o n ( M K , S ) → S K Key Generation(MK, S) → SK KeyGeneration(MK,S)→SK
接收属性集合S, 主私钥MK, 输出用户私钥SK.
@Input(pk_t, mk_t, [str])
@Output(sk_t)
def keygen(self, pk, mk, S):
r = group.random()
g_r = (pk['g2'] ** r)
D = (mk['g2_alpha'] * g_r) ** (1 / mk['beta'])
D_j, D_j_pr = {}, {}
for j in S:
r_j = group.random()
D_j[j] = g_r * (group.hash(j, G2) ** r_j)
D_j_pr[j] = pk['g'] ** r_j
return { 'D':D, 'Dj':D_j, 'Djp':D_j_pr, 'S':S }
r是随机数, 通过group.random()生成, D j D_j Dj和 D j ′ D_j' Dj′是字典, 存储S中每个属性对应的key, r j r_j rj是每个属性对应的随机值.
D e c r y p t ( P K , C T , S K ) → M Decrypt(PK, CT, SK) → M Decrypt(PK,CT,SK)→M
@Input(pk_t, sk_t, ct_t)
@Output(GT)
def decrypt(self, pk, sk, ct):
policy = util.createPolicy(ct['policy'])
pruned_list = util.prune(policy, sk['S'])
if pruned_list == False:
return False
z = util.getCoefficients(policy)
A = 1
for i in pruned_list:
j = i.getAttributeAndIndex(); k = i.getAttribute()
A *= ( pair(ct['Cy'][j], sk['Dj'][k]) / pair(sk['Djp'][k], ct['Cyp'][j]) ) ** z[j]
return ct['C_tilde'] / (pair(ct['C'], sk['D']) / A)
用拉格朗日插值法计算根节点的秘密值s, 递归的形式进行计算, 叶节点是直接解密出属性值参与上层结点的计算, 直到计算到根节点得到s, 用公式第三幅图的公式约掉随机数完成解密过程得到明文M.
D e l e g a t e ( S K , S ~ ) → S K ~ Delegate(SK, \widetilde{S}) → \widetilde{SK} Delegate(SK,S )→SK
输入用户私钥SK, 属性集的子集 S ~ \widetilde{S} S , 为属性集 S ~ ( ⊆ S ) \widetilde{S}(\subseteq S) S (⊆S)生成的用户私钥 S K ~ \widetilde{SK} SK .
# 没有算法实现delegage
# 略过
总结
主要的计算公式推导难度在于对双线性映射性质的理解, 以及树形结构秘密共享方案基于拉格朗日插值法, 计算出秘密值s之后通过构造的公式实现解密.
代码实现本身不复杂, 利用已有的轮子可以快速实现, 不过要对数学原理深入理解才能真正理解这篇论文的核心思想.