基本CP-ABE的系统方案算法阅读笔记

前言

做一篇论文笔记以及源码阅读笔记
J. Bethencourt, A. Sahai and B. Waters, “Ciphertext-Policy Attribute-Based Encryption,” 2007 IEEE Symposium on Security and Privacy (SP '07), 2007, pp. 321-334, doi: 10.1109/SP.2007.11.
主要探讨系统方案的算法实现部分, 源码是python的charm-crypto库的abenc_bsw07.

系统方案

符号汇总

ZR, G1, G2, GT, pair都是导入的已有模块的定义, pair是双线性映射方法.

# type annotations
pk_t = { 'g':G1, 'g2':G2, 'h':G1, 'f':G1, 'e_gg_alpha':GT }
mk_t = {'beta':ZR, 'g2_alpha':G2 }
sk_t = { 'D':G2, 'Dj':G2, 'Djp':G1, 'S':str }
ct_t = { 'C_tilde':GT, 'C':G1, 'Cy':G1, 'Cyp':G2 }

S e t u p ( ) → { P K , M K } Setup() → \{PK, MK\} Setup()→{PK,MK}

初始化系统, 输出系统公钥PK, 主私钥MK.

    @Output(pk_t, mk_t)    
    def setup(self):
        g, gp = group.random(G1), group.random(G2)
        alpha, beta = group.random(ZR), group.random(ZR)
        # initialize pre-processing for generators
        g.initPP(); gp.initPP()
        
        h = g ** beta; f = g ** ~beta
        e_gg_alpha = pair(g, gp ** alpha)
        
        pk = { 'g':g, 'g2':gp, 'h':h, 'f':f, 'e_gg_alpha':e_gg_alpha }
        mk = {'beta':beta, 'g2_alpha':gp ** alpha }
        return (pk, mk)

g(= g1), gp( = g2)分别是群G1, G2的生成元由group.random(G1)与group.random(G2)生成, $\alpha ,\beta$是p阶整数集合$Z_p$的随机数, 由group.random(ZR)生成. 方法返回pk和mk.
@Input和@Output函数是修饰器, 在函数输入输出前进行类型检查, 如果不对则报错, 下同.

$Encrypt(PK,M,\mathbb{A})\to CT$

    @Input(pk_t, GT, str)
    @Output(ct_t)
    def encrypt(self, pk, M, policy_str): 
        policy = util.createPolicy(policy_str)
        a_list = util.getAttributeList(policy)
        s = group.random(ZR)
        shares = util.calculateSharesDict(s, policy)      

        C = pk['h'] ** s
        C_y, C_y_pr = {}, {}
        for i in shares.keys():
            j = util.strip_index(i)
            C_y[i] = pk['g'] ** shares[i]
            C_y_pr[i] = group.hash(j, G2) ** shares[i] 
        
        return { 'C_tilde':(pk['e_gg_alpha'] ** s) * M,
                 'C':C, 'Cy':C_y, 'Cyp':C_y_pr, 'policy':policy_str, 'attributes':a_list }

$KeyGeneration(MK,S)\to SK$

接收属性集合S, 主私钥MK, 输出用户私钥SK.

    @Input(pk_t, mk_t, [str])
    @Output(sk_t)
    def keygen(self, pk, mk, S):
        r = group.random() 
        g_r = (pk['g2'] ** r)    
        D = (mk['g2_alpha'] * g_r) ** (1 / mk['beta'])        
        D_j, D_j_pr = {}, {}
        for j in S:
            r_j = group.random()
            D_j[j] = g_r * (group.hash(j, G2) ** r_j)
            D_j_pr[j] = pk['g'] ** r_j
        return { 'D':D, 'Dj':D_j, 'Djp':D_j_pr, 'S':S }

r是随机数, 通过group.random()生成, $D_j$和$D_j^{\prime }$是字典, 存储S中每个属性对应的key, $r_j$是每个属性对应的随机值.

$Decrypt(PK,CT,SK)\to M$

    @Input(pk_t, sk_t, ct_t)
    @Output(GT)
    def decrypt(self, pk, sk, ct):
        policy = util.createPolicy(ct['policy'])
        pruned_list = util.prune(policy, sk['S'])
        if pruned_list == False:
            return False
        z = util.getCoefficients(policy)
        A = 1 
        for i in pruned_list:
            j = i.getAttributeAndIndex(); k = i.getAttribute()
            A *= ( pair(ct['Cy'][j], sk['Dj'][k]) / pair(sk['Djp'][k], ct['Cyp'][j]) ) ** z[j]
        
        return ct['C_tilde'] / (pair(ct['C'], sk['D']) / A)

用拉格朗日插值法计算根节点的秘密值s, 递归的形式进行计算, 叶节点是直接解密出属性值参与上层结点的计算, 直到计算到根节点得到s, 用公式第三幅图的公式约掉随机数完成解密过程得到明文M.

$Delegate(SK,\tilde{S})\to \widetilde{SK}$

输入用户私钥SK, 属性集的子集$\tilde{S}$, 为属性集$\tilde{S}(\subseteq S)$生成的用户私钥$\widetilde{SK}$.

# 没有算法实现delegage
# 略过

总结

主要的计算公式推导难度在于对双线性映射性质的理解, 以及树形结构秘密共享方案基于拉格朗日插值法, 计算出秘密值s之后通过构造的公式实现解密.
代码实现本身不复杂, 利用已有的轮子可以快速实现, 不过要对数学原理深入理解才能真正理解这篇论文的核心思想.