Attribute-Based Encryption. Brent Waters, SRI International


Post on 31-Dec-2015






  • Attribute-Based Encryption. Brent Waters, SRI International

  • Server Mediated Access Control. Access list: John, Beth, Sue, Bob. Attributes: Computer Science, Admissions. File 1. Server stores data in clear.

    Expressive access controls

  • Distributed Storage: Scalability, Reliability

    Downside: Increased vulnerability

  • Traditional Encrypted Filesystem: Encrypted Files stored on Untrusted Server

    Every user can decrypt its own files

    Files to be shared across different users? Credentials? Lost expressivity of trusted server approach!

  • A New Approach to Encrypting Data: Label files with attributes. Goal: Encryption with Expressive Access Control

  • A New Approach to Encrypting Files: Univ. Key Authority

  • Attribute-Based Encryption [Sahai-Waters 05]. Start with monotonic access formulas [GPSW06]. Techniques from IBE [S84, BF01]. Challenge: Collusion Resistance

    Further developments of ABE

    Bringing into Practice

  • Attribute-Based Encryption: Ciphertext has set of attributes

    Keys reflect a tree access structure

    Decrypt iff attributes from CT satisfy key's policy

  • Central goal: Prevent Collusions. If neither user can decrypt a CT, then they can't together. Ciphertext = M, {Computer Science, Hiring}

  • A Misguided Approach. Public Parameters: $K_{History}, K_{CS}, K_{Hiring}, K_{Admissions}$. $SK_{CS}, SK_{Admissions}$; $SK_{History}, SK_{Hiring}$. $CT = E_{K_{CS}}(R), E_{K_{Hiring}}(M-R)$. Neither can decrypt alone, but

  • Our Approach: Two key ideas. Prevent collusion attacks: Bilinear maps tie key components together

    Support access formulas: General Secret Sharing Schemes

  • Bilinear Maps. $G, G_T$: multiplicative groups of prime order $p$. Def: An admissible bilinear map $e: G \times G \to G_T$ is: Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_T$. Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$. Efficiently computable. Exist based on Elliptic-Curve Cryptography.

  • Secret Sharing [Ben86]: Secret Sharing for tree-structure of AND + OR. (Figure: access tree with OR and AND gates over Computer Science, Admissions, Bob; secret $y$.) Replicate secret for ORs. Split secrets for ANDs.

  • The Fixed Attributes System: System Setup. List of all possible attributes: Bob, John, ..., Admissions. Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$

  • Encryption. Public Parameters: $g^{t_1}, g^{t_2}, g^{t_3}, \ldots, g^{t_n}, e(g,g)^{y}$. Select set of attributes, raise them to random $s$. Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy} M$

  • Key Generation. Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$. Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$. Fresh randomness used for each key generated! Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy} M$

  • Decryption. $e(g,g)^{sy_3} e(g,g)^{sy_n} = e(g,g)^{s(y-r+r)} = e(g,g)^{sy}$ (Linear operation in exponent to reconstruct $e(g,g)^{sy}$)

    Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, M e(g,g)^{sy}$. Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$. $e(g,g)^{sy_3}$

  • Security

    Reduction: Bilinear Decisional Diffie-Hellman. Given $g^a, g^b, g^c$, distinguish $e(g,g)^{abc}$ from random

    Collusion resistance: Can't combine private key components

  • The Large Universe Construction: Key Idea. Any string can be a valid attribute. Public Parameters: Public Function $T(\cdot)$, $e(g,g)^{y}$. Ciphertext: $g^{s}$, $e(g,g)^{sy} M$; for each attribute $i$: $T(i)^{s}$. Private Key: for each attribute $i$: $g^{y_i} T(i)^{r_i}$, $g^{r_i}$. $e(g,g)^{sy_i}$

  • Delegation: Derive a key for a more restrictive policy. (Figure: AND over Computer Science, admissions.)

  • Making ABE more expressive: Any access formulas. Challenge: Decryptor ignores an attribute

    Attributes describe CT, policy in key. Flip things around

  • Supporting NOTs [OSW07]. Example: Peer Review of Other Depts. (Figure: AND over Year:2007, Dept. Review.) Bob is in C.S. dept => Avoid Conflict of Interest. Challenge: Can't attacker just ignore CT components?

  • A Simple Solution: Use explicit "not" attributes

    Attribute Not:Admissions, Not:Biology

    Problems: Encryptor does not know all attributes to negate. Huge number of attributes per CT: Not:Anthropology, Not:Aeronautics, Not:Zoology

  • Technique 1: Simplify Formulas. Use De Morgan's law to propagate NOTs to just the attributes. (Figure: AND, Dept. Review, Public Policy, Computer Science.)

  • Applying Revocation Techniques: Broadcast a ciphertext to all but a certain set of users

    Used in digital content protection, e.g. revoke compromised players. (Figure: players P1, P2, P3.)

  • Applying Revocation Techniques: Focus on a particular Not Attribute

  • Applying Revocation Techniques: Focus on a particular Not Attribute. Attribute in Not as node's identity. Attributes in CT as Revoked Users. Node ID not in revoked list => satisfied. N.B. Just one node in larger policy

  • The Naor-Pinkas Scheme. Pick a degree $n$ polynomial $q(\cdot)$, $q(0)=a$. $n+1$ points to interpolate

    User $t$ gets $q(t)$

    Encryption: $g^{s}, \ldots, M g^{sa}$. Revoked: $x_1, \ldots, x_n$

    $g^{sq(t)}$; $g^{sq(x_1)}, \ldots, g^{sq(x_n)}$. Can interpolate to $g^{sq(0)} = g^{sa}$ iff $t$ not in $\{x_1, \ldots, x_n\}$

  • Applying Revocation to ABE: Use same S.S. techniques for key generation. Same techniques for pos. attributes

    Local N-P Revocation at each Not-Attribute

    Upshot: N-P Revocation requires using each CT attribute

  • Ciphertext Policy ABE [BSW07]: Encrypted data reflects decryption policies

    Users' private keys are descriptive attributes. "Thinking" Encryptor

  • Challenges in Practice [PTMW06]. Applications: Health Care; Netflow Logs (currently building)

    How are CTs annotated? Can we automate?

    Convention for using Attributes? "Prof." or "Professor"? Does T.A. + CS236 mean TAing CS236?

  • Challenges in Practice: What group do Public Parameters represent?

  • Advanced Crypto Software Collection. Goal: Make advanced Crypto available to systems researchers

    http://acsc.csl.sri.com (8 projects)

  • Conclusions and Open Directions: Attribute-Based Encryption for Expressive Access Control on Encrypted Data

    Extending Capabilities: Delegation, Non-Monotonic Formulas, Ciphertext-Policy

    Currently implemented

  • Conclusions and Open Directions. Open: Can we express access control for any circuit over attributes?

    What are limits of capability-based crypto? Capability that evaluates any function


  • Thank You

  • Related Work: Identity-Based Encryption [Shamir84, BF01, C01]

    Access Control [Smart03], Hidden Credentials [Holt et al. 03-04]

    Not Collusion Resistant

    Secret Sharing Schemes [Shamir79, Benaloh86]: Allow Collusion

  • System Sketch. Public Parameters: Choose degree $n$ polynomial $q(\cdot)$, $q(0)=b$. Can compute $g^{q(x)}$. $g^{q(0)}, g^{q(1)}, \ldots, g^{q(n)}$, =t. If points different can compute $e(g,g)^{srb}$

  • Applications: Targeted Broadcast Encryption. Encrypted stream. (Figure: AND over Soccer, Germany; AND over Sport, 11-01-2006.) Ciphertext = S, {Sport, Soccer, Germany, France, 11-01-2006}

  • Extensions

    Building from any linear secret sharing scheme. In particular, tree of threshold gates

    Delegation of Private Keys

  • Threshold Attribute-Based Enc. [SW05]

    Sahai-Waters introduced ABE, but only for threshold policies: Ciphertext has set of attributes. User has set of attributes. If more than k attributes match, then User can decrypt.

    Main Application: Biometrics

  • Central goal: Prevent Collusions. Users shouldn't be able to collude. (Figure: AND over Computer Science, Admissions.) Ciphertext = M, {Computer Science, Hiring}


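The Naor-Pinkas revocation slide, as an added example that is not code from the deck: Lagrange interpolation in the exponent recovers $g^{sa}$ only when the user's own point is not among the revoked ones. The tiny safe-prime group, the identities and the function names are constructed for this example and are far too small for real use.

```python
import secrets

# Constructed toy parameters: P = 2*Q + 1 is a safe prime, G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def keygen(n):
    # Degree-n polynomial q over Z_Q with nonzero coefficients; coeffs[0] = q(0) = a.
    return [secrets.randbelow(Q - 1) + 1 for _ in range(n + 1)]

def user_key(coeffs, t):
    # User t gets q(t), evaluated by Horner's rule.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * t + c) % Q
    return acc

def encrypt(coeffs, revoked, m):
    # Publish g^s, g^{s q(x_i)} for the n revoked identities, and M * g^{s a}.
    s = secrets.randbelow(Q - 1) + 1
    points = {x: pow(G, s * user_key(coeffs, x) % Q, P) for x in revoked}
    return pow(G, s, P), points, m * pow(G, s * coeffs[0] % Q, P) % P

def decrypt(t, q_t, ct):
    # Add the user's own point g^{s q(t)} and interpolate to x = 0 in the exponent.
    gs, points, c = ct
    pts = {**points, t: pow(gs, q_t, P)}   # a revoked t adds no new point
    mask = 1
    for xj, yj in pts.items():
        lam = 1                            # Lagrange coefficient of xj at 0
        for xk in pts:
            if xk != xj:
                lam = lam * xk * pow((xk - xj) % Q, -1, Q) % Q
        mask = mask * pow(yj, lam, P) % P
    return c * pow(mask, -1, P) % P

def demo():
    coeffs = keygen(3)
    revoked = [5, 9, 12]                   # constructed identities x_1..x_n
    ct = encrypt(coeffs, revoked, 1234)    # constructed message
    return decrypt(7, user_key(coeffs, 7), ct), decrypt(9, user_key(coeffs, 9), ct)
```

User 7 holds n+1 distinct points and recovers 1234; revoked user 9 holds only n, so the interpolated value misses $g^{sa}$ and the output is not the message.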