The analysis and construction of an efficient multi-dimensional range query encryption scheme based on bilinear groups. The scheme achieves O(1) public key size and O((log T)^D) encryption cost, ciphertext size, decryption key size, and decryption cost in the AIBE-based MRQED^D construction. The document also compares the cost of decryption with the size of decryption keys and discusses the reduction of pairing operations at decryption time.
May 2006. Updated: March 2007. CMU-CS-06-
School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213
¹ This research was supported in part by CyLab at Carnegie Mellon under grant DAAD19-02-1-0389 and Cyber-TA Research grant No. W911NF-06-1-0316 from the Army Research Office, and grants 0433540 and 0448452 from the National Science Foundation, and a grant from GM. The views and conclusions contained here are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either express or implied, of ARO, CMU, GM, NSF, or the U.S. Government or any of its agencies.
Keywords: applied cryptography, range query, searchable encryption, anonymous identity-based encryption
Recently, the network intrusion detection community has made large-scale efforts to collect network audit logs from different sites [25, 35, 24]. In this application, a network gateway or an Internet Service Provider (ISP) can submit network traces to an audit log repository. However, due to the presence of privacy sensitive information in the network traces, the gateway will allow only authorized parties to search their audit logs. We consider the following four types of entities: a gateway, an untrusted repository, an authority, and an auditor. We design a cryptographic primitive that allows the gateway to submit encrypted audit logs to the untrusted repository. Normally, no one is able to decrypt these audit logs. However, when malicious behavior is suspected, an auditor may ask the authority for a search capability. With this search capability, the auditor can decrypt entries satisfying certain properties, e.g., network flows whose destination address and port number fall within a certain range. However, the privacy of all other flows should still be preserved. Note that in practice, to avoid a central point of trust, we can have multiple parties jointly act as the authority. Only when a sufficient number of the parties collaborate can they generate a valid search capability. We name our encryption scheme Multi-dimensional Range Query over Encrypted Data (MRQED). In MRQED, we encrypt a message with a set of attributes. For example, in the network audit log application, the attributes are the fields of a network flow, e.g., source and destination addresses, port numbers, time-stamp, protocol number, etc. Among these attributes, suppose that we would like to support queries on the time-stamp t, the source address a and the destination port number p. Our encryption scheme provides the following properties:
Our results and contributions. We are among the earliest to study the problem of point encryption, range query, and conditional decryption of matching entries. We propose a provably secure encryption scheme that allows us to achieve these properties. Table 1 summarizes the asymptotic performance of our scheme in comparison with other approaches. Please refer to Section 2 for a detailed comparison between our scheme MRQED, and the concurrent work BonehWaters06 [13]. We study the practical performance of MRQED, and show that it makes the encrypted network
However, sharing of network audit logs is hampered by the presence of security and privacy sensitive information. By encrypting each log entry before sending it to another party, the source can allay these concerns. Later, the source may release a decryption key for a carefully specified set of log entries deemed currently relevant. For example, suppose a particular host with IP address $a_1$ is determined to have been compromised at time $t_1$ and later involved in scanning other hosts for vulnerabilities on a certain range of ports $[p_1, p_2]$. A trusted authority may then choose to release a key decrypting any entries at time t, with source address a, connecting to port p such that $t \ge t_1$, $a = a_1$, and $p_1 \le p \le p_2$. Note that to avoid a central point of trust, we can have multiple parties jointly act as the authority. Using techniques from secure multi-party computation [27], only when a sufficient number of them collaborate can they generate a valid decryption key. The source would then have precise guarantees about the privacy of their network while providing useful information to other individual organizations or a global monitoring effort. The public key nature of the scheme would allow distributed, encrypted submissions to a central monitoring organization possessing the master private key and giving out decryption keys as necessary. There have been some previous attempts to protect the security of audit logs through encryption or anonymization while allowing limited queries [46, 23, 33], but in no previous scheme has it been possible to issue keys for conjunctions of ranges over multiple attributes while maintaining the secrecy of the attributes. In particular, we are not aware of any previous method supporting queries such as our example of $(t \ge t_1) \wedge (a = a_1) \wedge (p_1 \le p \le p_2)$ that does not require either revealing the attribute values or issuing an exponential number of key components.
Apart from the network audit log application, and the stock-trading application described in Section 8, we mention here some other potentially interesting applications of MRQED.
Financial audit logs. Financial audit logs contain sensitive information about financial transactions. Our MRQED scheme allows financial institutions to release audit logs in encrypted format. When necessary, an authorized auditor can obtain a decryption key from a trusted authority. With this decryption key, the auditor can decrypt certain transactions that may be suspected of fraudulent activities. However, the privacy of all other transactions is preserved.
Medical privacy. Consider a health monitoring program. When Alice moves about in her daily life, a PDA or smart-phone she carries automatically deposits encrypted crumbs of her trajectory at a storage server. Assume that each crumb is of the form ((x, y, t), ct), where (x, y) represents the location, t represents time, and ct is Alice’s contact information. During an outbreak of an epidemic, Alice wishes to be alerted if she was present at a site borne with the disease during an incubation period, i.e., if (x, y, t) falls within a certain range. However, she is also concerned with privacy, and she does not wish to leak her trajectory if she has not been to a site borne with the disease.
Untrusted remote storage. Individual users may wish to store emails and files on a remote server, but because the storage server is untrusted, the content must be encrypted before it is stored at the remote server. Emails and files can be classified with multi-dimensional attributes. Users may wish to perform range queries and retrieve only data that satisfy the queries.
Using biometrics in anonymous IBE. The MRQED scheme can also be used in biometric-based Anonymous Identity-Based Encryption (AIBE). Using biometrics in identity-based encryption first appeared in the work by Sahai and Waters [41]. In this application, a person's biometric features such as finger-prints, blood-type, year of birth, eye color, etc., are encoded as a point X in a multi-dimensional lattice. Personal data is encrypted using the owner's biometric features as the identity, and the encryption protects both the secrecy of the personal data and the owner's biometric identity. Due to potential noise each time a person's biometric features are sampled, a user holding the private key for biometric identity X should be allowed to decrypt data encrypted under X′ iff X′ and X have small distance. In particular, the SahaiWaters04 construction [41] considered the set-overlap distance (or the Hamming distance), and their encryption scheme does not hide the identity of the user. Our construction allows a user with the private key for identity X to decrypt an entry encrypted under X′ iff the $\ell_\infty$ distance $\ell_\infty(X, X')$ is at most a fixed threshold. Here $\ell_\infty(X, X')$ denotes the $\ell_\infty$ distance between X and X′, defined as $\max\{|x_1 - x'_1|, \ldots, |x_D - x'_D|\}$. In this case, the decryption region is a hyper-cube in multi-dimensional space. One can also associate a different weight to each dimension, in which case the decryption region becomes a hyper-rectangle.
Search on encrypted data. The problem of search on encrypted data (SoE) was introduced in the symmetric key setting by Song et al. [44] and has had some recent improvements in security definitions and efficiency [21]. Boneh et al. [10] later proposed Public Key Encryption with Keyword Search (PEKS), in which any party possessing the public key can encrypt and the owner of the corresponding private key can generate keyword search capabilities. Both SoE and PEKS can be trivially extended to support one-dimensional range queries; the extension is similar to the MRQED^1 scheme described in Section 4.2. However, it is not clear that either can be used to construct a scheme supporting range queries over multiple attributes. Recent work on traitor-tracing systems [14, 12] allows a more specialized sort of range query. Given a ciphertext C with attributes $X = (x_1, x_2, \ldots, x_D)$, a master key owner can issue a token for some value x′ that allows us to decide whether $x_d \le x'$ for all $1 \le d \le D$ with $O(\sqrt{T})$ ciphertext size and token size. Applications of searchable encryption have been studied by the database community [30, 22, 2]. Other works related to searches on encrypted data include oblivious RAMs [37, 28], and private stream searching [5, 38].
IBE. The notion of Identity-Based Encryption (IBE) was introduced by Shamir [42]. Several IBE schemes [20, 11, 7, 6, 18, 45, 36], hierarchical IBE (HIBE) schemes [31, 26, 8, 47], and applications [41, 29] were proposed since then. In particular, the HIBE scheme proposed by Boneh, Boyen, and Goh [8] can be extended to multiple dimensions (M-HIBE) efficiently and in a collusion-resistant¹ manner. The resulting scheme can be used to solve a problem similar to MRQED, but lacking the third property in the previous discussion. That is, when using M-HIBE it would not be possible to hide the attribute values associated with a ciphertext.
¹ Collusion-resistance, in this sense, means that two parties who have been issued different decryption keys cannot combine their keys in some way to allow decryption of ciphertexts that neither could decrypt previously.
flows are still preserved. There is a geometric interpretation to these multi-attribute range queries. Suppose that we would like to allow queries on these three fields: time-stamp t, source address a, and destination port p. The tuple (t, a, p) can be regarded as a point X in multi-dimensional space. Now suppose we query for all flows whose t, a, p fall within some range: $t \in [t_1, t_2]$, $a \in [a_1, a_2]$ and $p \in [p_1, p_2]$. Here the "hyper-range" $[t_1, t_2] \times [a_1, a_2] \times [p_1, p_2]$ forms a hyper-rectangle B in space. The above range query is equivalent to testing whether a point X falls inside the hyper-rectangle B. We now formally define these notions mentioned above. Assume that an attribute can be encoded using discrete integer values 1 through T. For example, an IP address can be encoded using integers 1 through $2^{32}$. We use the notation [T] to denote integers from 1 to T, i.e., $[T] = \{1, 2, \ldots, T\}$. Let $S \le T$ be integers; we use [S, T] to denote integers from S to T inclusive, i.e., $[S, T] = \{S, S+1, \ldots, T\}$. Throughout this paper, we assume that T is a power of 2, and denote $\log_2$ simply as $\log$. Suppose that we would like to support range queries on D different attributes, each of which can take on values in $[T_1], [T_2], \ldots, [T_D]$ respectively. We formally define a D-dimensional lattice, points and hyper-rectangles below.
Definition 1 (D-dimensional lattice, point, hyper-rectangle). Let $\Delta = (T_1, T_2, \ldots, T_D)$. $L_\Delta = [T_1] \times [T_2] \times \cdots \times [T_D]$ defines a D-dimensional lattice. A D-tuple $X = (x_1, x_2, \ldots, x_D)$ defines a point in $L_\Delta$, where $x_d \in [T_d]$ ($\forall d \in [D]$). A hyper-rectangle B in $L_\Delta$ is defined as

$$B(s_1, t_1, s_2, t_2, \ldots, s_D, t_D) = \{(x_1, x_2, \ldots, x_D) \mid \forall d \in [D],\ x_d \in [s_d, t_d]\} \qquad (\forall d \in [D],\ 1 \le s_d \le t_d \le T_d).$$
A MRQED scheme consists of four (randomized) polynomial-time algorithms: Setup, Encrypt, DeriveKey and QueryDecrypt. In the network audit log example, an authority runs Setup to generate public parameters and a master private key; a gateway runs the Encrypt algorithm to encrypt a flow. Encryption is performed on a pair (Msg, X). The message Msg is an arbitrary string, and X is a point in multi-dimensional space, representing the attributes. For example, suppose that we would like to support queries on the following three attributes of a flow: time-stamp t, source address a, and destination port p. The tuple (t, a, p) then becomes the point X, and the entire flow summary forms the message Msg. Whenever necessary, the authority can run the DeriveKey algorithm, and compute a decryption key allowing the decryption of flows whose attributes fall within a certain range. Given this decryption key, an auditor runs the QueryDecrypt algorithm over the encrypted data to decrypt the relevant flows. We now formally define MRQED.
Definition 2 (MRQED). A Multi-dimensional Range Query over Encrypted Data (MRQED) scheme consists of the following polynomial-time randomized algorithms.
For each message Msg ∈ M, hyper-rectangle $B \subseteq L_\Delta$, and point $X \in L_\Delta$, the above algorithms must satisfy the following consistency constraints:

$$\mathrm{QueryDecrypt}(\mathrm{PK}, \mathrm{DK}, C) = \begin{cases} \mathrm{Msg} & \text{if } X \in B \\ \bot \ \text{w.h.p.} & \text{if } X \notin B \end{cases}$$

where C = Encrypt(PK, X, Msg) and DK = DeriveKey(PK, SK, B).
Suppose that during time $[t_1, t_2]$, there is an outbreak of a worm characterized by the port number $p_1$. Now the trusted authority issues a key for the range $t \in [t_1, t_2]$ and $p = p_1$ to a research group who has been asked to study the worm behavior. With this key, the research group should be able to decrypt only flows whose time-stamp and port number fall within the given range. The privacy of all other flows should still be preserved. Informally, suppose that a computationally bounded adversary has obtained decryption keys for regions $B_0, B_1, \ldots, B_q$. Now given a ciphertext C = Encrypt(PK, X, Msg) such that $X \notin B_0, B_1, \ldots, B_q$, the adversary cannot learn X or Msg from C. Of course, since the adversary fails to decrypt C using keys for regions $B_0, B_1, \ldots, B_q$, the adversary inevitably learns that the point X encrypted does not fall within these regions. But apart from this fact, the adversary cannot learn more information about X or Msg. We now formalize this intuition into a selective security game for MRQED. Here, the selective security notion is similar to the selective-ID security for IBE schemes [16, 17, 6]. We prove the security of our construction in the selective model. A stronger security notion is adaptive security, where the adversary does not have to commit to two points in the Init stage of the security game defined below. In Appendix D, we give a formal definition for adaptive security, and state how it is related to the selective security model.
Definition 3 (MR-selective security). An MRQED scheme is selectively secure in the match-revealing (MR) model if all polynomial-time adversaries have at most a negligible advantage in the selective security game defined below.
A pairing is an efficiently computable, non-degenerate function, $e : G \times \hat{G} \to G'$, satisfying the bilinear property that $e(g^r, \hat{g}^s) = e(g, \hat{g})^{rs}$. $G$, $\hat{G}$ and $G'$ are all groups of prime order. $g$, $\hat{g}$ and $e(g, \hat{g})$ are generators of $G$, $\hat{G}$ and $G'$ respectively. Although our MRQED scheme can be constructed using asymmetric pairing, for simplicity, we describe our scheme using symmetric pairing in the remainder of the paper, i.e., $G = \hat{G}$. We name a tuple $\mathbb{G} = [p, G, G', g, e]$ a bilinear instance, where $G$ and $G'$ are two cyclic groups of prime order p. We assume an efficient generation algorithm that on input of a security parameter Σ outputs $\mathbb{G} \xleftarrow{R} \mathrm{Gen}(\Sigma)$ where $\log_2 p = \Theta(\Sigma)$. We rely on the following complexity assumptions:
Decision BDH Assumption: The Decision Bilinear DH assumption, first used by Joux [32], later used by IBE systems [11], posits the hardness of the following problem: Given $[g, g^{z_1}, g^{z_2}, g^{z_3}, Z] \in G^4 \times G'$, where exponents $z_1, z_2, z_3$ are picked at random from $\mathbb{Z}_p$, decide whether $Z = e(g, g)^{z_1 z_2 z_3}$.
Decision Linear Assumption: The Decision Linear assumption, first proposed by Boneh, Boyen and Shacham for group signatures [9], posits the hardness of the following problem: Given $[g, g^{z_1}, g^{z_2}, g^{z_1 z_3}, g^{z_2 z_4}, Z] \in G^6$, where $z_1, z_2, z_3, z_4$ are picked at random from $\mathbb{Z}_p$, decide whether $Z = g^{z_3 + z_4}$.
In this section, we first show a trivial construction for MRQED which has $O(T^{2D})$ public key size, $O(T^{2D})$ encryption cost and ciphertext size, O(1) decryption key size and decryption cost. Then in Section 4.2, we show that using AIBE, we can obtain an improved one-dimension MRQED scheme. Henceforth, we refer to a one-dimension MRQED scheme as MRQED^1 and refer to multi-dimension MRQED as MRQED^D. The AIBE-based MRQED^1 construction has O(1) public key size, O(log T) encryption cost, ciphertext size, decryption key size and decryption cost. While describing the AIBE-based MRQED^1 construction, we introduce some primitives and notations that will later be used in our main construction in Section 5. In Section 4.3, we demonstrate that a straightforward extension of the AIBE-based MRQED^1 scheme into multiple dimensions results in $O((\log T)^D)$ encryption cost, ciphertext size, decryption key size and decryption cost. The AIBE-based MRQED^1 construction aids the understanding of our main construction in Section 5. By contrast, details of the AIBE-based MRQED^D scheme are not crucial towards the understanding of our main construction. Therefore, we only highlight a few important definitions and give a sketch of the scheme in Section 4.3. We give the detailed description of the AIBE-based MRQED^D scheme in Appendix F.
[Figure 1: (a) The path from a leaf to the root. (b) A ciphertext and a decryption key in MRQED^1.]
Figure 1: An MRQED^1 scheme. (a) Path from the leaf node representing x ∈ [T] to the root. $P(x) = \{ID_1, ID_2, ID_3, ID_4\}$. (b) Encryption under the point x = 3 and the keys released for the range [3, 7].
We first give a trivial construction for one-dimensional range query over encrypted data. We refer to one-dimensional range query over encrypted data as MRQED^1 where the superscript represents the number of dimensions. In the trivial MRQED^1 construction, we make use of any secure public key encryption scheme. We first generate $O(T^2)$ public-private key pairs, one for each range $[s, t] \subseteq [1, T]$. To encrypt a message Msg under a point x, we produce $O(T^2)$ ciphertexts, one for each range $[s, t] \subseteq [1, T]$. In particular, if $x \in [s, t]$, we encrypt Msg with public key $pk_{s,t}$; otherwise, we encrypt an invalid message ⊥ with $pk_{s,t}$. The decryption key for any range [s, t] is then $sk_{s,t}$, the private key for [s, t]. In Appendix E, we give a formal description of this trivial construction. One can extend this idea into multiple dimensions. The resulting MRQED^D scheme requires that one encrypt $\delta_B(\mathrm{Msg}, X)$ for all hyper-rectangles B in space. Therefore, the trivial MRQED^D scheme has $O(T^{2D})$ public key size, $O(T^{2D})$ encryption cost and ciphertext size, O(1) decryption key size and O(1) decryption cost.
We show an improved MRQED construction based on Anonymous Identity-Based Encryption (AIBE). For clarity, we first explain the construction for one dimension. We call the scheme MRQED^1 where the superscript denotes the number of dimensions. We note that the primitives and notations introduced in this section will be used in our main construction.
4.2.1 Primitives: Efficient Representation of Ranges
To represent ranges efficiently, we build a binary interval tree over integers 1 through T.
Definition 5 (Interval tree). Let tr(T) denote a binary interval tree over integers from 1 to T. Each node in the tree has a pre-assigned unique ID. For convenience, we define tr(T) to be the set of all node IDs in the tree. Each node in tr(T) represents a range. Let cv(ID) denote the range represented by node ID ∈ tr(T). Define cv(ID) as the following: Let ID be the i-th leaf node, then cv(ID) = i. Otherwise, when ID is an internal node, let $ID_1$ and $ID_2$ denote its child nodes, then $cv(ID) = cv(ID_1) \cup cv(ID_2)$. In other words, cv(ID) is the set of integers that correspond to the leaf descendants of ID.
we get O(log T) in encryption cost, ciphertext size, and decryption key size. Later, we will show that decryption can be done in O(log T) time as well. Here P(x) denotes the set of node IDs on the path from the leaf representing x to the root (Figure 1(a)), and Λ(s, t) denotes the set of tree nodes covering the range [s, t] (Figure 1(b)). Stated more formally, given a secure AIBE scheme [Setup*(Σ), DeriveKey*(PK, SK, ID), Encrypt*(PK, ID, Msg), Decrypt*(PK, DK, C)], one can construct a secure MRQED^1 scheme as below:

The ciphertext for a point x is the set $\{c_{ID} \mid ID \in P(x)\}$, where $c_{ID} = \mathrm{Encrypt}^*(\mathrm{PK}, ID, \mathrm{Msg} \| 0^{m'})$. To check whether a decryption is valid, prior to encryption, we append m′ trailing 0s, denoted $0^{m'}$, to the message $\mathrm{Msg} \in \{0, 1\}^m$.

The decryption key for a range [s, t] is the set $\{k_{ID} \mid ID \in \Lambda(s, t)\}$, where $k_{ID} = \mathrm{DeriveKey}^*(\mathrm{PK}, \mathrm{SK}, ID)$.
Note that in the AIBE-based construction, if we simply try all decryption keys over all ciphertexts, then decryption would require $O(|P(x)| \cdot |\Lambda(s, t)|)$ time; and since $|P(x)| = O(\log T)$ and $|\Lambda(s, t)| = O(\log T)$, decryption would require $O(\log^2 T)$ time. However, observe that it is not necessary to try $k_{ID}$ on $c_{ID'}$ if ID and ID′ are at different depths in the tree, since then ID and ID′ cannot be equal. Thus we only need to try $k_{ID}$ on $c_{ID'}$ if ID and ID′ are at the same depth in the tree, which requires knowledge of the depth of ID′ for ciphertext $c_{ID'}$. Of course, we cannot directly release ID′ for ciphertext $c_{ID'}$, since the encryption is meant to hide ID′. However, since each ciphertext C has a portion at every depth of the tree, we can give out the depth of ID′ for each $c_{ID'} \in C$ without leaking any information about ID′. In this way, we reduce the decryption cost to O(log T) rather than $O(\log^2 T)$. We emphasize that using AIBE as the underlying encryption scheme is crucial to ensuring the security of the derived MRQED^1 scheme. In particular, a non-anonymous IBE scheme is not suitable to use as the underlying encryption scheme, since IBE hides only the message Msg but not the attribute x.
The same idea can be applied to construct an MRQED^D scheme, resulting in O(1) public key size and $O((\log T)^D)$ encryption cost, ciphertext size, decryption key size, and decryption cost. Since the details of this construction are not crucial to the understanding of our main construction, we only give a sketch here and leave the full description of the scheme to Appendix F. However, we highlight a few important definitions here, including the notion of a simple hyper-rectangle, and the definition of Λ×(B). These definitions will later be used in our main construction. We build D binary interval trees, one for each dimension. We assign a globally unique ID to each node in the D trees.
Representing a hyper-rectangle. We represent an arbitrary hyper-rectangle as a collection of simple hyper-rectangles. To illustrate this idea, we first give a formal definition of a simple hyper-rectangle, and then state how to represent an arbitrary hyper-rectangle as a collection of simple hyper-rectangles. Simply put, a simple hyper-rectangle is a hyper-rectangle $B_0$ in space, such that $B_0$ can be represented by a single node in the tree of every dimension. More specifically, a hyper-rectangle $B(s_1, t_1, \ldots, s_D, t_D)$ in space is composed of a range along each dimension. If for all $1 \le d \le D$, $|\Lambda(s_d, t_d)| = 1$, i.e., $[s_d, t_d]$ is a simple range in the d-th dimension, then we say that the hyper-rectangle $B(s_1, t_1, \ldots, s_D, t_D)$ is a simple hyper-rectangle. A simple hyper-rectangle can be defined by a single node from each dimension. We can assign a unique identity to each simple hyper-rectangle $B_0(s_1, t_1, \ldots, s_D, t_D)$ in space. Define

$$id_{B_0} = (ID_1, ID_2, \ldots, ID_D),$$

where $ID_d$ ($1 \le d \le D$) is the node representing $[s_d, t_d]$ in the d-th dimension.
Definition 6 (Hyper-rectangle as a collection of simple hyper-rectangles). Given a hyper-rectangle $B(s_1, t_1, \ldots, s_D, t_D)$, denote $\Lambda_d(B) := \Lambda(s_d, t_d)$ for $d \in [D]$. $\Lambda_d(B)$ is the collection of nodes representing range $[s_d, t_d]$ in the d-th dimension. The hyper-rectangle B can be represented as a collection Λ×(B) of simple hyper-rectangles:

$$\Lambda_\times(B) = \Lambda_1(B) \times \Lambda_2(B) \times \cdots \times \Lambda_D(B)$$

In particular, for every id ∈ Λ×(B), id is a vector of the form $(ID_1, ID_2, \ldots, ID_D)$, where $ID_d$ ($d \in [D]$) is a node in the tree corresponding to the d-th dimension. Therefore, id uniquely specifies a simple hyper-rectangle $B_0$ in space.
Clearly, $|\Lambda_\times(B)| = O((\log T)^D)$; in addition, Λ×(B) can be efficiently computed. Given the above definitions, we briefly describe the AIBE-based MRQED^D construction. The detailed description is provided in Appendix F.
Encryption. Suppose that now we would like to encrypt a message Msg and the point $X = (x_1, x_2, \ldots, x_D)$. We encrypt the message Msg under all simple hyper-rectangles that contain the point $X = (x_1, x_2, \ldots, x_D)$. This is equivalent to encrypting Msg under the cross-product of D different paths to the root. Specifically, for $d \in [D]$, denote $P_d(X) := P(x_d)$. $P_d(X)$ is the path from the root to the leaf node representing $x_d$ in the d-th dimension. Define the cross-product of all D different paths to the root:

$$P_\times(X) = P_1(X) \times P_2(X) \times \cdots \times P_D(X).$$

Then, to encrypt Msg and X, we use AIBE to encrypt Msg under every id ∈ P×(X). Since $|P_\times(X)| = O((\log T)^D)$, both encryption cost and ciphertext size are $O((\log T)^D)$.
Key derivation and decryption. To issue decryption keys for a hyper-rectangle B, we issue a key for every id ∈ Λ×(B). Since $|\Lambda_\times(B)| = O((\log T)^D)$, the decryption key has size $O((\log T)^D)$.

the union of these D different paths:

$$P_\cup(X) = P_1(X) \cup \cdots \cup P_D(X).$$
Reducing the decryption key size. Instead of representing an arbitrary hyper-rectangle using the collection of simple hyper-rectangles, we can represent a simple hyper-rectangle B as the collection of disjoint intervals over different dimensions:
Definition 7 (Hyper-rectangle as a collection of nodes). A hyper-rectangle $B \subseteq L_\Delta$ gives a collection of nodes corresponding to disjoint intervals over different dimensions:
Λ∪(B) = Λ 1 (B) ∪ Λ 2 (B) ∪... ∪ ΛD(B)
Note that for every hyper-rectangle $B \subseteq L_\Delta$, $|\Lambda_\cup(B)| = O(D \log T)$; in addition, Λ∪(B) can be computed efficiently. Using the above definition, rather than releasing keys for each simple hyper-rectangle in $\Lambda_\times(B) = \Lambda_1(B) \times \cdots \times \Lambda_D(B)$, we would like to release keys for each ID in $\Lambda_1(B) \cup \cdots \cup \Lambda_D(B)$.
Example. Figure 2(a) is an example in two dimensions. To encrypt under the point (3, 5), we find the path from the leaf node 3 to the root in the first dimension, and the path from the leaf node 5 to the root in the second dimension. We then produce a block in the ciphertext corresponding to each node on the two paths. In the first dimension, we produce blocks $c_1, c_2, c_3$ and $c_4$. In the second dimension, we produce blocks $c_5, c_6, c_7$ and $c_8$. To release decryption keys for the range [2, 6] × [3, 7], we find a collection Λ(2, 6) of nodes covering the range [2, 6] in the first dimension; and a collection Λ(3, 7) of nodes covering [3, 7] in the second dimension. We issue a block in the decryption key corresponding to each node in Λ(2, 6) and in Λ(3, 7). In the first dimension, we create blocks $k_{ID_A}, k_{ID_B}$, and $k_{ID_C}$; and in the second dimension, we create blocks $k_{ID_D}, k_{ID_E}$, and $k_{ID_F}$.
Preventing the collusion attack. Unfortunately, naively doing the above is equivalent to applying the AIBE-based MRQED^1 scheme independently in each dimension. As we demonstrate in Figure 2(b), such a scheme is susceptible to the collusion attack. Suppose that in Figure 2(b), every rectangle is a simple rectangle. Now suppose that an adversary were given the decryption keys for regions $R_1$ and $R_4$; then the adversary would have collected keys $k_{R_1} = \{k_{x_1}, k_{y_1}\}$ and $k_{R_4} = \{k_{x_2}, k_{y_2}\}$. With these, the adversary would be able to reconstruct the keys for $R_2$ and $R_3$: $k_{R_2} = \{k_{x_2}, k_{y_1}\}$, $k_{R_3} = \{k_{x_1}, k_{y_2}\}$. Hence, our major challenge is to find a way to secure against the collusion attack without incurring additional cost. We use a binding technique to prevent the collusion attack: we use re-randomization to tie together the sub-keys in different dimensions. For example, in Figure 2(b), when we release the decryption key for region $R_1$, instead of releasing $\{k_{x_1}, k_{y_1}\}$, we release $\{\tilde{\mu}_x k_{x_1}, \tilde{\mu}_y k_{y_1}\}$, where $\tilde{\mu}_x$ and $\tilde{\mu}_y$ are random numbers that we pick each time we issue a decryption key. Likewise, when releasing the key for region $R_4$, we release $\{\tilde{\mu}'_x k_{x_2}, \tilde{\mu}'_y k_{y_2}\}$, where $\tilde{\mu}'_x$ and $\tilde{\mu}'_y$ are two random numbers picked independently from $\tilde{\mu}_x$ and $\tilde{\mu}_y$. Of course, in the real construction, $\tilde{\mu}_x$ and $\tilde{\mu}_y$ ($\tilde{\mu}'_x$ and $\tilde{\mu}'_y$) also need to satisfy certain algebraic properties (e.g., $\tilde{\mu}_x \tilde{\mu}_y = \tilde{\mu}'_x \tilde{\mu}'_y =$ some invariant) to preserve the internal consistency of our scheme. In this way, components in the decryption key for $R_1$ cannot be used in combination with components in the decryption key for $R_4$.
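To make the interval-tree bookkeeping of Sections 4.2 and 4.3 concrete, the following Python model is added here; it is not code from the paper. It computes P(x) and Λ(s, t) over tr(T), simulates the depth-aligned matching that brings MRQED^1 decryption from $O(\log^2 T)$ down to $O(\log T)$ trials, and in D dimensions compares |Λ×(B)| with |Λ∪(B)| on the Figure 2(a) example (point (3, 5), range [2, 6] × [3, 7]). It also checks the collusion problem just described: per-dimension key blocks issued for two disjoint rectangles, without the binding re-randomization, jointly cover a point that lies in neither. Node IDs are encoded as (depth, index) pairs purely for illustration (the paper draws IDs from $\mathbb{Z}_p^*$), and no AIBE encryption is modelled.

```python
"""Interval-tree bookkeeping behind MRQED: P(x), Lambda(s, t), their
D-dimensional cross products and unions, and depth-aligned matching.
Node IDs are (depth, index) pairs here purely for illustration; the paper
draws IDs from Z_p^*.  No encryption is modelled."""
from itertools import product


def path_to_root(x, T):
    """P(x): node IDs from the leaf representing x (1-based, x in [T]) up to
    the root of tr(T).  T must be a power of two; the root is (0, 0)."""
    L = T.bit_length() - 1                 # tree height, L = log2 T
    idx, path = x - 1, []
    for depth in range(L, -1, -1):
        path.append((depth, idx))
        idx >>= 1                          # parent index one level up
    return path


def cover(s, t, T):
    """Lambda(s, t): the canonical set of tree nodes whose leaf descendants
    are exactly the integers in [s, t].  Built bottom-up: a node is taken
    whenever its sibling lies outside the range, since it can then never be
    merged with that sibling one level higher."""
    L = T.bit_length() - 1
    lo, hi, depth, nodes = s - 1, t - 1, L, []
    while lo <= hi:
        if lo & 1:                         # lo is a right child: take it alone
            nodes.append((depth, lo)); lo += 1
        if not hi & 1:                     # hi is a left child: take it alone
            nodes.append((depth, hi)); hi -= 1
        lo, hi, depth = lo >> 1, hi >> 1, depth - 1
    return nodes


def query_decrypt_1d(x, s, t, T):
    """Simulate QueryDecrypt for MRQED^1.  Returns (matched, naive_trials,
    depth_aligned_trials): trying every key block on every ciphertext block
    costs |P(x)|*|Lambda(s,t)|; trying each key block only against the one
    ciphertext block at the same depth costs |Lambda(s,t)|."""
    P, Lam = path_to_root(x, T), cover(s, t, T)
    block_at_depth = {n[0]: n for n in P}  # one ciphertext block per depth
    matched = any(block_at_depth.get(k[0]) == k for k in Lam)
    return matched, len(P) * len(Lam), len(Lam)


# --- D dimensions: B is a list of (s_d, t_d) ranges, X a tuple of coordinates.
def simple_rect_ids(B, T):
    """Lambda_x(B): one id per simple hyper-rectangle (product of the covers)."""
    return list(product(*(cover(s, t, T) for s, t in B)))


def node_union(B, T):
    """Lambda_u(B): the covers of all dimensions, each node tagged by dimension."""
    return {(d, n) for d, (s, t) in enumerate(B) for n in cover(s, t, T)}


def point_cross(X, T):
    """P_x(X): the cross product of the D root paths."""
    return set(product(*(path_to_root(x, T) for x in X)))


def point_union(X, T):
    """P_u(X): the union of the D root paths, each node tagged by dimension."""
    return {(d, n) for d, x in enumerate(X) for n in path_to_root(x, T)}


def matches_cross(X, B, T):
    """AIBE-based MRQED^D: X in B iff some simple-rectangle id of B lies in P_x(X)."""
    return not point_cross(X, T).isdisjoint(simple_rect_ids(B, T))


def unbound_union_keys_cover(X, held, T):
    """Per-dimension key blocks handed out WITHOUT the binding re-randomization:
    X is decryptable if every dimension has some held node on X's path, no
    matter which rectangle's key that node came from.  This is the failure
    mode the binding technique removes."""
    return all(any((d, n) in held for n in path_to_root(x, T))
               for d, x in enumerate(X))


if __name__ == "__main__":
    T = 8
    print("P(3) =", path_to_root(3, T))                # 4 nodes, leaf to root
    print("Lambda(3,7) =", cover(3, 7, T))             # 3 nodes: [3,4], [5,6], [7]
    print("decrypt x=3 with [3,7]:", query_decrypt_1d(3, 3, 7, T))
    B = [(2, 6), (3, 7)]                               # the paper's 2-D example
    print("ciphertext blocks:", len(point_union((3, 5), T)),
          "key blocks (union):", len(node_union(B, T)),
          "key blocks (cross):", len(simple_rect_ids(B, T)))
    R1, R4 = [(1, 4), (1, 4)], [(5, 8), (5, 8)]       # two disjoint simple rectangles
    held = node_union(R1, T) | node_union(R4, T)
    print("(2,6) in R1, R4:", matches_cross((2, 6), R1, T), matches_cross((2, 6), R4, T),
          "but unbound keys cover it:", unbound_union_keys_cover((2, 6), held, T))
```

Running the script with T = 8 reproduces the counts in the text: the point (3, 5) yields 8 ciphertext blocks, the range [2, 6] × [3, 7] yields 6 key blocks under Λ∪(B) versus 9 under Λ×(B), and a 1-D decryption for x = 3 with the key for [3, 7] needs 3 depth-aligned trials instead of 12.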
We are now ready to describe our construction. Define L = O(log T) to represent the height of a tree. Assume that node IDs are picked from $\mathbb{Z}_p^*$. We append a message $\mathrm{Msg} \in \{0, 1\}^m$ with a series of trailing zeros, $0^{m'}$, prior to encryption. Assume that $\{0, 1\}^{m+m'} \subseteq G'$.
Setup(Σ, $L_\Delta$) To generate public parameters and the master private key, the setup algorithm first generates a bilinear instance $\mathbb{G} = [p, G, G', g, e] \xleftarrow{R} \mathrm{Gen}(\Sigma)$. Then, the setup algorithm does the following.

Pick the following exponents at random from $\mathbb{Z}_p$:

$$\Big[\ \omega,\ \big(\alpha_{\phi,1},\ \alpha_{\phi,2},\ \beta_{\phi,1},\ \beta_{\phi,2},\ \theta_{\phi,1},\ \theta_{\phi,2},\ \theta'_{\phi,1},\ \theta'_{\phi,2}\big)_{\phi=(d,l)\in[D]\times[L]}\ \Big]$$

In addition, we require that the α's and the β's be forcibly non-zero. At this point, we give a brief explanation of our notation. The variable ϕ is used to index a tuple $(d, l) \in [D] \times [L]$, where d denotes the dimension and l denotes the depth of a node in the corresponding tree.

The public key PK is

$$\mathrm{PK} = \Big[\ \Omega \leftarrow e(g, g)^{\omega},\ \big(a_{\phi,1} \leftarrow g^{\alpha_{\phi,1}\theta_{\phi,1}},\ a_{\phi,2} \leftarrow g^{\alpha_{\phi,2}\theta_{\phi,2}},\ a'_{\phi,1} \leftarrow g^{\alpha_{\phi,1}\theta'_{\phi,1}},\ a'_{\phi,2} \leftarrow g^{\alpha_{\phi,2}\theta'_{\phi,2}},\ b_{\phi,1} \leftarrow g^{\beta_{\phi,1}\theta_{\phi,1}},\ b_{\phi,2} \leftarrow g^{\beta_{\phi,2}\theta_{\phi,2}},\ b'_{\phi,1} \leftarrow g^{\beta_{\phi,1}\theta'_{\phi,1}},\ b'_{\phi,2} \leftarrow g^{\beta_{\phi,2}\theta'_{\phi,2}}\big)_{\phi=(d,l)\in[D]\times[L]}\ \Big]$$

The master private key SK is

$$\mathrm{SK} = \Big[\ \tilde{\omega} \leftarrow g^{\omega},\ \big(a_{\phi,1} \leftarrow g^{\alpha_{\phi,1}},\ a_{\phi,2} \leftarrow g^{\alpha_{\phi,2}},\ b_{\phi,1} \leftarrow g^{\beta_{\phi,1}},\ b_{\phi,2} \leftarrow g^{\beta_{\phi,2}},\ y_{\phi,1} \leftarrow g^{\alpha_{\phi,1}\beta_{\phi,1}\theta_{\phi,1}},\ y_{\phi,2} \leftarrow g^{\alpha_{\phi,2}\beta_{\phi,1}\theta_{\phi,2}},\ y'_{\phi,1} \leftarrow g^{\alpha_{\phi,1}\beta_{\phi,1}\theta'_{\phi,1}},\ y'_{\phi,2} \leftarrow g^{\alpha_{\phi,2}\beta_{\phi,1}\theta'_{\phi,2}}\big)_{\phi=(d,l)\in[D]\times[L]}\ \Big]$$
Notice that in the public parameters and the master key, we have different versions of the same variable, e.g., $a_{\phi,1}, a_{\phi,2}, a'_{\phi,1}, a'_{\phi,2}$. Although they seem to be redundant, they are actually needed to provide sufficient degrees of randomness for our proof to go through. The reasons for having these different versions will become clear once the reader has gone over the detailed proof provided in Appendix C.
DeriveKey(PK, SK, B) The following steps compute the decryption key for hyper-rectangle B, given public key PK and master private key SK.