Attribute-Based Encryption - PowerPoint PPT Presentation

About This Presentation
Title:

Attribute-Based Encryption

Description:

Attributes: 'Computer Science' , 'Admissions' File 1. Server ... at each Not-Attribute ... Attribute-Based Encryption for Expressive Access Control ... – PowerPoint PPT presentation

Number of Views:2887
Avg rating:3.0/5.0
Slides: 43
Provided by: vip76
Category:

less

Transcript and Presenter's Notes

Title: Attribute-Based Encryption


1
Attribute-Based Encryption
Brent Waters SRI International
2
Server Mediated Access Control
File 1
  • Server stores data in clear
  • Expressive access controls

Access list John, Beth, Sue, Bob Attributes
Computer Science , Admissions
3
Distributed Storage
  • Scalability
  • Reliability

Downside Increased vulnerability
4
Traditional Encrypted Filesystem
  • Encrypted Files stored on Untrusted Server
  • Every user can decrypt its own files
  • Files to be shared across different users?
    Credentials?

Lost expressivity of trusted server approach!
5
A New Approach to Encrypting Data
Goal Encryption with Expressive Access Control
  • Label files with attributes

6
A New Approach to Encrypting Files
Univ. Key Authority
7
Attribute-Based EncryptionSahai-Waters 05
  • Start with monotonic access formulas GPSW06
  • Techniques from IBE S84,BF01
  • Challenge Collusion Resistance
  • Further developments of ABE
  • Bringing into Practice

8
Attribute-Based Encryption
  • Ciphertext has set of attributes
  • Keys reflect a tree access structure
  • Decrypt iff attributes from CT
  • satisfy keys policy

9
Central goal Prevent Collusions
  • If neither user can decrypt a CT,
  • then they cant together

Ciphertext M, Computer Science, Hiring
10
A Misguided Approach
Public Parameters
KHistory, KCS, KHiring , KAdmissions,
SKCS, SKAdmissions
SKHistory, SKHiring
CT EKCS( R) , EKHiring(M-R)
Neither can decrypt alone, but
11
Our Approach
  • Two key ideas
  • Prevent collusion attacks
  • Bilinear maps tie key components together
  • Support access formulas
  • General Secret Sharing Schemes

12
Bilinear Maps
  • G , GT multiplicative of prime order p.
  • Def An admissible bilinear map e G?G ? GT
    is
  • Non-degenerate g generates G ?
    e(g,g) generates GT .
  • Bilinear e(ga, gb) e(g,g)ab ?a,b?Z,
    g?G
  • Efficiently computable.
  • Exist based on Elliptic-Curve Cryptography

13
Secret Sharing Ben86
  • Secret Sharing for tree-structure of AND OR

Replicate secret for ORs.
Split secrets for ANDs.
y
OR
AND
Bob
Computer Science
Admissions
14
The Fixed Attributes System System Setup
Public Parameters
gt1, gt2,.... gtn, e(g,g)y
List of all possible attributes
Bob, John, , Admissions
15
Encryption
Public Parameters
gt1, gt2, gt3,.... gtn, e(g,g)y
Select set of attributes, raise them to random s
Ciphertext
gst2 , gst3 , gstn, e(g,g)sy
M
16
Key Generation
Fresh randomness used for each key generated!
Public Parameters
gt1, gt2,.... gtn, e(g,g)y
Ciphertext
gst2 , gst3 , gstn, e(g,g)sy
M
Private Key
gy1/t1 , gy3/t3 , gyn/tn
17
Decryption
Ciphertext
gst2, gst3, gstn, Me(g,g)sy
e(g,g)sy3
Private Key
gy1/t1 , gy3/t3 , gyn/tn
e(g,g)sy3e(g,g)syn e(g,g)s(y-rr)
e(g,g)sy (Linear operation in exponent to
reconstruct e(g,g)sy)
18
Security
  • Reduction Bilinear Decisional Diffie-Hellman
  • Given ga,gb,gc distinguish e(g,g)abc from random
  • Collusion resistance
  • Cant combine private key components

19
The Large Universe Construction Key Idea
  • Any string can be a valid attribute

Public Parameters
Public Function T(.), e(g,g)y
Ciphertext
gs, e(g,g)syMFor each attribute i T(i)s
e(g,g)syi
Private Key
For each attribute i gyiT(i)ri , gri
20
Delegation
  • Derive a key for a more restrictive policy

AND
Computer Science
admissions
21
Making ABE more expressive
  • Any access formulas
  • Challenge Decryptor ignores an attribute
  • Attributes describe CT, policy in key
  • Flip things around

22
Supporting NOTs OSW07
  • Example Peer Review of Other Depts.

Bob is in C.S. dept gt Avoid Conflict of Interest
AND
Dept. Review
Year2007
Challenge Cant attacker just ignore CT
components?
23
A Simple Solution
  • Use explicit not attributes
  • Attribute NotAdmissions, NotBiology
  • Problems
  • Encryptor does not know all attributes to negate
  • Huge number of attributes per CT
  • NotAnthropology
  • NotAeronautics
  • NotZoology

24
Technique 1 Simplify Formulas
Use DeMorgans law to propagate NOTs to just the
attributes
AND
Dept. Review
Public Policy
Computer Science
25
Applying Revocation Techniques
  • Broadcast a ciphertext to all but a certain set
    of users
  • Used in digital content protection
  • E.g. Revoke compromised players

P1
P2
P3
26
Applying Revocation Techniques
  • Focus on a particular Not Attribute

27
Applying Revocation Techniques
  • Focus on a particular Not Attribute
  • Attribute in Not as nodes identity
  • Attributes in CT as Revoked Users

Node ID not in revoked list gtsatisfied N.B.
Just one node in larger policy
28
The Naor-Pinkas Scheme
  • Pick a degree n polynomial q( ), q(0)a
  • n1 points to interpolate
  • User t gets q(t)
  • Encryption gs ,
    ,Mgsa
  • Revoked x1, , xn

gsq(x1) , ..., gsq(xn)
gsq(t)
Can interpolate to gsq(0)gsa iff t not in
x1,xn
29
Applying Revocation to ABE
  • Use same S.S. techniques for key generation
  • Same techniques for pos. attributes
  • Local N-P Revocation at each Not-Attribute
  • Upshot N-P Revocation requires to use each CT
    attribute

30
Ciphertext Policy ABE BSW07
  • Encrypt Data reflect Decryption Policies
  • Users Private Keys are descriptive attributes

Thinking Encryptor
31
Challenges in Practice PTMW06
  • Applications
  • Health Care
  • Netflow Logs (currently building)
  • How are CTs annotated?
  • Can we automate?
  • Convention for using Attributes?
  • Prof. or Professor
  • Does T.A. CS236 mean TAing CS236?

32
Challenges in Practice
  • What group do Public Parameters represent?

33
Advanced Crypto Software Collection
  • Goal Make advanced Crypto available
  • to systems researchers
  • http//acsc.csl.sri.com (8 projects)

34
Conclusions and Open Directions
  • Attribute-Based Encryption for Expressive Access
    Control on Encrypted Data
  • Extending Capabilities
  • Delegation
  • Non-Monotonic Formulas
  • Ciphertext-Policy
  • Currently implemented

35
Conclusions and Open Directions
  • Open Can we express access control for any
    circuit over attributes?
  • What are limits of capability-based crypto?
  • Capability that evaluates any function

F(s)
36
Thank You
37
Related Work
  • Identity-Based Encryption Shamir84,BF01,C01
  • Access Control Smart03, Hidden
    Credentials Holt et al. 03-04
  • Not Collusion Resistant
  • Secret Sharing Schemes Shamir79, Benaloh86
  • Allow Collusion

38
System Sketch
Choose degree n polynomial q(), q(0)b
Public Parameters
Can compute gq(x)
gq(0), gq(1),.... gq(n),
If points different can compute e(g,g)srb
t
39
Applications Targeted Broadcast Encryption
  • Encrypted stream

Ciphertext S, Sport, Soccer, Germany,
France, 11-01-2006
AND
AND
Soccer
Germany
Sport
11-01-2006
40
Extensions
  • Building from any linear secret sharing scheme
  • In particular, tree of threshold gates
  • Delegation of Private Keys

41
Threshold Attribute-Based Enc. SW05
  • Sahai-Waters introduced ABE, but only
    forthreshold policies
  • Ciphertext has set of attributes
  • User has set of attributes
  • If more than k attributes match, then User can
    decrypt.
  • Main Application- Biometrics

42
Central goal Prevent Collusions
  • Users shouldnt be able to collude

AND
Computer Science
Admissions
Ciphertext M, Computer Science, Hiring
Write a Comment
User Comments (0)
About PowerShow.com