attribute-based encryption with non-monotonic access structures

Download Attribute-Based Encryption  with Non-Monotonic Access Structures

Post on 31-Dec-2015




0 download

Embed Size (px)


Attribute-Based Encryption with Non-Monotonic Access Structures. Rafail Ostrovsky UCLA. Amit Sahai UCLA. Brent Waters SRI International. Server Mediated Access Control. File 1. Server stores data in clear Expressive access controls. Access list: John, Beth, Sue, Bob - PowerPoint PPT Presentation


  • Attribute-Based Encryption with Non-Monotonic Access StructuresBrent Waters SRI InternationalAmit Sahai UCLARafail Ostrovsky UCLA

  • Server Mediated Access ControlAccess list: John, Beth, Sue, BobAttributes: Computer Science , AdmissionsFile 1Server stores data in clear

    Expressive access controls

  • Distributed StorageScalability Reliability

    Downside: Increased vulnerability

  • Traditional Encrypted FilesystemEncrypted Files stored on Untrusted Server

    Every user can decrypt its own files

    Files to be shared across different users? Credentials?Lost expressivity of trusted server approach!

  • Attribute-Based Encryption [SW05]Label files with attributesGoal: Encryption with Expressive Access Control

  • Attribute-Based EncryptionUniv. Key Authority

  • Attribute-Based EncryptionCiphertext has set of attributes

    Keys reflect a tree access structure

    Decrypt iff attributes from CT satisfy keys policy

  • Central goal: Prevent CollusionsIf neither user can decrypt a CT, then they cant togetherCiphertext = M, {Computer Science, Hiring}

  • Current ABE Systems [GPWS06]ORANDComputer ScienceAdmissionsBobMonotonic Access Formulas Tree of ANDs, ORs, threshold (k of N) Attributes at leavesNOT is unsupported!

  • Key GenerationPublic Parametersgt1, gt2,.... gtn, e(g,g)y Fresh randomness used for each key generated!Greedy Decryption

  • Supporting NOTs [OSW07]Example Peer Review of Other Depts. ANDYear:2007Dept. ReviewBob is in C.S. dept => Avoid Conflict of InterestChallenge: Cant attacker just ignore CT components?

  • A Simple SolutionUse explicit not attributes

    Attribute Not:Admissions, Not:Biology

    Problems:Encryptor does not know all attributes to negateHuge number of attributes per CTNot:AnthropologyNot:Aeronautics Not:Zoology

  • Technique 1: Simplify FormulasUse DeMorgans law to propagate NOTsto just the attributesANDDept. ReviewPublic PolicyComputer Science

  • Revocation Systems [NNL01,NP01]Broadcast to all but a certain set of users

    Application: Digital content protectionP1P2P3

  • Applying Revocation TechniquesFocus on a particular Not Attribute

  • Applying Revocation TechniquesFocus on a particular Not AttributeAttribute in Not as nodes identityAttributes in CT as Revoked UsersNode ID not in revoked list =>satisfiedN.B. Just one node in larger policy

  • Polynomial Revocation [NP01]Pick a degree n polynomial q( ), q(0)=an+1 points to interpolate

    User t gets q(t)

    Encryption: gs , ,MgsaRevoked x1, , xn

    gsq(t)gsq(x1) , ..., gsq(xn)Can interpolate to gsq(0)=gsa iff t not in {x1,xn}

  • ABE with NegationPush NOTs to leaves

    Apply ABE key generationCollusion resistance still key!Treat non-negated attributes same

    New Type of Polynomial Revocation at Leaves

  • System SketchPublic ParametersChoose degree n polynomial q(), q(0)=bCan compute gq(x)gq(0), gq(1),.... gq(n), =tIf points different can compute e(g,g)srb

  • Conclusions and Open DirectionsGoal: Increase expressiveness of Encryption Systems

    Provided Negation to ABE systemsChallenge: Decryptor Ignores Bad AttributesSolution: Revocation techniques

    Future:ABE with CircuitsOther cryptographic access control

  • Thank You


View more >