1
Attribute-Based Encryption for Fine-Grained Access
Control of Encrypted Data
Vipul Goyal (UCLA)
Omkant Pandey (UCLA)
Amit Sahai (UCLA)
Brent Waters (SRI)
2
Traditional Encrypted Filesystem
File 1, Owner: John
File 2, Owner: Tim
Encrypted Files stored on Untrusted Server
Every user can decrypt its own files
Files to be shared across different users?
3
A New Encrypted Filesystem
File 1
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”
File 2
• “Creator: Tim”
• “History”
• “Admissions”
• “Date: 03-20-05”
Label files with attributes
4
An Encrypted Filesystem
File 1
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”
File 2
• “Creator: Tim”
• “History”
• “Admissions”
• “Date: 03-20-05”
[Figure: Authority; access tree OR( AND(“Computer Science”, “Admissions”), “Bob” )]
5
Threshold Attribute-Based Enc. [SW05]
Sahai-Waters introduced ABE, but only for “threshold policies”:
• Ciphertext has set of attributes
• User has set of attributes
• If more than k attributes match, then User can decrypt.
Main Application- Biometrics
6
General Attribute-Based Encryption
Ciphertext has set of attributes
Keys reflect a tree access structure
Decrypt iff attributes from CT satisfy key’s policy
[Figure: access tree OR( AND(“Computer Science”, “Admissions”), “Bob” )]
7
Central goal: Prevent Collusions
Users shouldn’t be able to collude
[Figure: two users’ keys, AND(“Computer Science”, “Admissions”) and AND(“History”, “Hiring”)]
Ciphertext = M, {“Computer Science”, “Hiring”}
8
Related Work
Access Control [Smart03], Hidden Credentials [Holt et al. 03-04]
• Not Collusion Resistant
Secret Sharing Schemes [Shamir79, Benaloh86…]
• Allow Collusion
9
Techniques
We combine two ideas
Bilinear maps
General Secret Sharing Schemes
10
Bilinear Maps
$G$, $G_1$: multiplicative groups of prime order $p$.
Def: An admissible bilinear map $e: G \times G \to G_1$ is:
– Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$.
– Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a, b \in \mathbb{Z}$, $g \in G$
– Efficiently computable.
– Exist based on Elliptic-Curve Cryptography
11
Secret Sharing [Ben86]
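Secret Sharing for tree-structure of AND + OR
[Figure: access tree OR( AND(“Computer Science”, “Admissions”), “Bob” ) annotated with shares: OR holds $y$; its children AND and “Bob” each hold $y$; under AND, “Computer Science” holds $r$ and “Admissions” holds $(y-r)$]
Replicate secret for OR’s.
Split secrets for AND’s.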
12
The Fixed Attributes System: System Setup
List of all possible attributes: “Bob”, “John”, …, “Admissions”
Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^y$
13
Encryption
Public Parameters: $g^{t_1}, g^{t_2}, g^{t_3}, \ldots, g^{t_n}, e(g,g)^y$
Select set of attributes, raise them to random $s$
Ciphertext: $g^{s t_2}, g^{s t_3}, g^{s t_n}, e(g,g)^{sy} M$
File 1
• “Creator: John” (attribute 2)
• “Computer Science” (attribute 3)
• “Admissions” (attribute n)
14
Key Generation
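Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^y$
Ciphertext: $g^{s t_2}, g^{s t_3}, g^{s t_n}, e(g,g)^{sy} M$
Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
[Figure: access tree OR( AND(“Computer Science”, “Admissions”), “Bob” ) annotated with shares: “Bob”: $y_1 = y$; “Computer Science”: $y_3 = r$; “Admissions”: $y_n = (y-r)$]
Fresh randomness used for each key generated!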
15
Decryption
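Ciphertext: $g^{s t_2}, g^{s t_3}, g^{s t_n}, M e(g,g)^{sy}$
Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
Pairing the matching ciphertext and key components for an attribute, e.g. attribute 3: $e(g^{s t_3}, g^{y_3/t_3}) = e(g,g)^{s y_3}$
$e(g,g)^{s y_3} e(g,g)^{s y_n} = e(g,g)^{s(y-r+r)} = e(g,g)^{sy}$
(Linear operation in exponent to reconstruct $e(g,g)^{sy}$)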
16
Security
Reduction: Bilinear Decisional Diffie-Hellman
Given $g^a, g^b, g^c$ distinguish $e(g,g)^{abc}$ from random
Collusion resistance
Can’t combine private key components
17
The Large Universe Construction: Key Idea
Public Parameters: Public Function $T(\cdot)$, $e(g,g)^y$
Any string can be a valid attribute
Ciphertext: $g^s$, $e(g,g)^{sy} M$; for each attribute $i$: $T(i)^s$
Private Key: for each attribute $i$: $g^{y_i} T(i)^{r_i}$, $g^{r_i}$
Per-attribute value: $e(g,g)^{s y_i}$
18
Extensions
Building from any linear secret sharing scheme
In particular, tree of threshold gates…
Delegation of Private Keys
19
Delegation
Derive a key for a more restrictive policy
[Figure: access tree with gates AND and OR over “Computer Science”, “admissions”, “Bob” and Year=2006; the derived key is labelled Bob’s Assistant]
Subsumes Hierarchical-IBE [Horwitz-Lynn 02, …]
20
Applications: Targeted Broadcast Encryption
Encrypted stream
[Figure: two keys, AND(“Soccer”, “Germany”) and AND(“Sport”, “11-01-2006”)]
Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “11-01-2006”}
21
Thank You