Transcript

1

Attribute-Based Encryption

Brent Waters

SRI International

2

Server Mediated Access Control

Access list: John, Beth, Sue, Bob

Attributes: “Computer Science”, “Admissions”

File 1

•Server stores data in clear

•Expressive access controls

3

Distributed Storage

•Scalability

•Reliability

Downside: Increased vulnerability

4

Traditional Encrypted Filesystem

File 1 Owner: John

File 2 Owner: Tim

Encrypted Files stored on Untrusted Server

Every user can decrypt its own files

Files to be shared across different users? Credentials?

Lost expressivity of trusted server approach!

5

A New Approach to Encrypting Data

File 1

•“Creator: John”

•“Computer Science”

•“Admissions”

•“Date: 04-11-06”

File 2

•“Creator: Tim”

•“History”

•“Admissions”

•“Date: 03-20-05”

Label files with attributes

Goal: Encryption with Expressive Access Control

6

A New Approach to Encrypting Files

File 1

•“Creator: John”

•“Computer Science”

•“Admissions”

•“Date: 04-11-06”

File 2

•“Creator: Tim”

•“History”

•“Admissions”

•“Date: 03-20-05”

Univ. Key Authority

[Access tree: OR(AND(“Computer Science”, “Admissions”), “Bob”)]

7

Attribute-Based Encryption [Sahai-Waters 05]

Start with monotonic access formulas [GPSW06]

Techniques from IBE [S84,BF01]

Challenge: Collusion Resistance

Further developments of ABE

Bringing into Practice

8

Attribute-Based Encryption

Ciphertext has set of attributes

Keys reflect a tree access structure

Decrypt iff attributes from CT satisfy key’s policy

[Access tree: OR(AND(“Computer Science”, “Admissions”), “Bob”)]

•“Creator: John”

•“Computer Science”

•“Admissions”

•“Date: 04-11-06”

9

Central goal: Prevent Collusions

If neither user can decrypt a CT, then they can’t together

[Access trees of the two users’ keys: AND(“Computer Science”, “Admissions”); AND(“History”, “Hiring”)]

Ciphertext = M, {“Computer Science”, “Hiring”}

10

A Misguided Approach

Public Parameters: $K_{History}, K_{CS}, K_{Hiring}, K_{Admissions}, \ldots$

User keys: $SK_{CS}, SK_{Admissions}$; $SK_{History}, SK_{Hiring}$

$CT = E_{K_{CS}}(R),\ E_{K_{Hiring}}(M-R)$

Neither can decrypt alone, but …

11

Our Approach

Two key ideas

Prevent collusion attacks

•Bilinear maps “tie” key components together

Support access formulas

•General Secret Sharing Schemes

12

Bilinear Maps

$G$, $G_T$: multiplicative groups of prime order $p$.

Def: An admissible bilinear map $e: G \times G \to G_T$ is:

– Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_T$.

– Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$

– Efficiently computable.

– Exist based on Elliptic-Curve Cryptography

13

Secret Sharing [Ben86]

Secret Sharing for tree-structure of AND + OR

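[Access tree with shares: OR(AND(“Computer Science”, “Admissions”), “Bob”); the OR root holds $y$, “Bob” and the AND node each receive $y$, and the AND node’s two children receive $r$ and $(y-r)$]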

Replicate secret for OR’s.

Split secrets for AND’s.

14

The Fixed Attributes System: System Setup

Public Parameters

$g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^y$

List of all possible attributes: “Bob”, “John”, …, “Admissions”

15

Encryption

Public Parameters

$g^{t_1}, g^{t_2}, g^{t_3}, \ldots, g^{t_n}, e(g,g)^y$

Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy}M$

Select set of attributes, raise them to random $s$

File 1

•“Creator: John” (attribute 2)

•“Computer Science” (attribute 3)

•“Admissions” (attribute n)

16

Key Generation

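Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^y$

Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$

Fresh randomness used for each key generated!

Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy}M$

[Access tree with shares: OR(AND(“Computer Science”, “Admissions”), “Bob”); $y_1 = y$ at “Bob”, and $y_3$ (“Computer Science”) and $y_n$ (“Admissions”) are the split $r$ and $(y-r)$]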

17

Decryption

$e(g,g)^{sy_3} \cdot e(g,g)^{sy_n} = e(g,g)^{s(y-r+r)} = e(g,g)^{sy}$

(Linear operation in exponent to reconstruct $e(g,g)^{sy}$)

Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, Me(g,g)^{sy}$

Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$

$e(g,g)^{sy_3}$

18

Security

Reduction: Bilinear Decisional Diffie-Hellman

Given $g^a, g^b, g^c$ distinguish $e(g,g)^{abc}$ from random

Collusion resistance

Can’t combine private key components
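The sharing rule from slide 13 and the collusion claim from slides 9 and 16, worked in plain arithmetic mod a prime. This is an added example, not code from the talk or from any ABE implementation: it models only the exponents ($y$, $r$) that the pairing carries, and the modulus `P`, the tuple encoding of policies and all function names are assumptions.

```python
import secrets

P = 2**127 - 1  # assumed prime standing in for the group order p

def keygen(policy, y):
    """Share y down the tree: replicate at OR, split additively at AND.
    policy is an attribute string or (gate, [children]); returns {attribute: share}."""
    shares = {}
    def walk(node, secret):
        if isinstance(node, str):
            shares[node] = secret
            return
        gate, kids = node
        if gate == "OR":
            parts = [secret] * len(kids)
        else:  # AND: fresh random parts that sum to the secret
            parts = [secrets.randbelow(P) for _ in kids[1:]]
            parts.insert(0, (secret - sum(parts)) % P)
        for kid, part in zip(kids, parts):
            walk(kid, part)
    walk(policy, y)
    return shares

def reconstruct(policy, shares, ct_attrs):
    """Recover the root secret using only leaves named in the ciphertext, or None."""
    if isinstance(policy, str):
        return shares.get(policy) if policy in ct_attrs else None
    gate, kids = policy
    vals = [reconstruct(k, shares, ct_attrs) for k in kids]
    if gate == "OR":
        return next((v for v in vals if v is not None), None)
    return None if None in vals else sum(vals) % P

def pooled(key_a, attr_a, key_b, attr_b):
    """What two colluders obtain by adding one share from each of their keys."""
    return (key_a[attr_a] + key_b[attr_b]) % P

if __name__ == "__main__":
    y = secrets.randbelow(P)  # master secret
    bob = ("OR", ["Bob", ("AND", ["Computer Science", "Admissions"])])
    ct = {"Creator: John", "Computer Science", "Admissions", "Date: 04-11-06"}
    print(reconstruct(bob, keygen(bob, y), ct) == y)          # policy satisfied
    ka = keygen(("AND", ["Computer Science", "Admissions"]), y)
    kb = keygen(("AND", ["History", "Hiring"]), y)
    print(pooled(ka, "Computer Science", kb, "Hiring") == y)  # shares from two keys
```

Because each key draws its own $r$, the pooled value is $y$ shifted by the difference of the two users' randomness, which is why shares taken from different keys do not add up to the secret.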

19

The Large Universe Construction: Key Idea

Public Parameters: public function $T(\cdot)$, $e(g,g)^y$

Any string can be a valid attribute

Ciphertext: $g^s$, $e(g,g)^{sy}M$; for each attribute $i$: $T(i)^s$

Private Key: for each attribute $i$: $g^{y_i}T(i)^{r_i}$, $g^{r_i}$

$e(g,g)^{sy_i}$

20

Delegation

AND

“Computer Science”

“admissions”

OR

“Bob”

Derive a key for a more restrictive policy

Year=2006

Bob’s Assistant

21

Making ABE more expressive

Any access formulas

•Challenge: Decryptor ignores an attribute

Attributes describe CT, policy in key

•Flip things around

22

Supporting “NOTs” [OSW07]

Example Peer Review of Other Depts.

[Access tree: AND(“Year:2007”, “Dept. Review”, NOT “Computer Science”)]

Bob is in C.S. dept => Avoid Conflict of Interest

Challenge: Can’t attacker just ignore CT components?

23

A Simple Solution

Use explicit “not” attributes

Attribute “Not:Admissions”, “Not:Biology”

Problems:

•Encryptor does not know all attributes to negate

•Huge number of attributes per CT

•“Creator: John”

•“History”

•“Admissions”

•“Date: 04-11-06”

•“Not:Anthropology”

•“Not:Aeronautics”

• …

•“Not:Zoology”

24

Technique 1: Simplify Formulas

Use DeMorgan’s law to propagate NOTs to just the attributes

[Access tree figure: AND, OR and NOT gates over “Dept. Review”, “Public Policy” and “Computer Science”]

25

Applying Revocation Techniques

Broadcast a ciphertext to all but a certain set of users

Used in digital content protection

•E.g. Revoke compromised players

P1 P2 P3

26

Applying Revocation Techniques

Focus on a particular Not Attribute

[Access tree: AND(“Year:2007”, “Dept. Review”, NOT “Computer Science”)]

27

Applying Revocation Techniques

Focus on a particular ‘Not’ Attribute

NOT “Computer Science”

•“Creator: John”

•“Computer Science”

•“Admissions”

•“Date: 04-11-06”

Attribute in ‘Not’ as node’s “identity”

Attributes in CT as Revoked Users

Node ID not in “revoked” list => satisfied

N.B. – Just one node in larger policy

28

The Naor-Pinkas Scheme

Pick a degree $n$ polynomial $q()$, $q(0)=a$

•$n+1$ points to interpolate

User $t$ gets $q(t)$

Encryption: $g^s$, $g^{sq(x_1)}, \ldots, g^{sq(x_n)}$, $Mg^{sa}$

•Revoked $x_1, \ldots, x_n$

User $t$ computes $g^{sq(t)}$

Can interpolate to $g^{sq(0)}=g^{sa}$ iff $t$ not in $\{x_1, \ldots, x_n\}$

29

Applying Revocation to ABE

Use same S.S. techniques for key generation

•Same techniques for pos. attributes

“Local” N-P Revocation at each Not-Attribute

Upshot: N-P Revocation requires using each CT attribute

30

Ciphertext Policy ABE [BSW07]

Encrypted data reflects decryption policies

Users’ private keys are descriptive attributes

[Ciphertext access tree: OR(AND(“Discipline Committee”, “Professor”), “Counselor”)]

[User key attributes: “Professor”, “Discipline Committee”, “Age=33”, “History”]

Univ. Key Authority

“Thinking” Encryptor

31

Challenges in Practice [PTMW06]

Applications

•Health Care

•Netflow Logs (currently building)

How are CTs annotated?

•Can we automate?

Convention for using Attributes?

•“Prof.” or “Professor”

•Does “T.A.” + “CS236” mean TAing CS236?

32

Challenges in Practice

What group do Public Parameters represent?

Univ. Key Authority

Individual’s Key

33

Advanced Crypto Software Collection

Goal: Make advanced Crypto available to systems researchers

http://acsc.csl.sri.com (8 projects)

$ cpabe-setup

$ cpabe-keygen -o sara_priv_key pub_key master_key \

sysadmin it_department 'office = 1431' 'hire_date = '`date +%s`

$ cpabe-enc pub_key security_report.pdf '(sysadmin and (hire_date < 946702800 or security_team)) or (business_staff and 2 of (executive_level >= 5, audit_group, strategy_team))'

Projects at UIUC and MIT using ABE

34

Conclusions and Open Directions

Attribute-Based Encryption for Expressive Access Control on Encrypted Data

Extending Capabilities

•Delegation

•Non-Monotonic Formulas

•Ciphertext-Policy

Currently implemented

35

Conclusions and Open Directions

Open: Can we express access control for any circuit over attributes?

What are limits of capability-based crypto?

•Capability that evaluates any function

s

Univ. Key Authority

F( )

F(s)

36

Thank You

37

Related Work

Identity-Based Encryption [Shamir84,BF01,C01]

Access Control [Smart03], Hidden Credentials [Holt et al. 03-04]

•Not Collusion Resistant

Secret Sharing Schemes [Shamir79, Benaloh86…]

•Allow Collusion

38

System Sketch

Public Parameters: $g^{q(0)}, g^{q(1)}, \ldots, g^{q(n)}$

Choose degree $n$ polynomial $q()$, $q(0)=b$

Can compute $g^{q(x)}$

Ciphertext: $g^s, g^{sq(x_1)}, \ldots, g^{sq(x_n)}$; attributes: $x_1, x_2, \ldots$

Private Key: $g^{rq(t)}, g^r$

NOT “Computer Science” $= t$

$e(g,g)^{srq(t)}$, $e(g,g)^{srq(x_1)}$, $e(g,g)^{srq(x_n)}$

If points different can compute $e(g,g)^{srb}$

39

Applications: Targeted Broadcast Encryption

Encrypted stream

[Access trees of two users’ keys: AND(“Soccer”, “Germany”); AND(“Sport”, “11-01-2006”)]

Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “11-01-2006”}

40

Extensions

Building from any linear secret sharing scheme

In particular, tree of threshold gates…

Delegation of Private Keys

41

Threshold Attribute-Based Enc. [SW05]

Sahai-Waters introduced ABE, but only for “threshold policies”:

•Ciphertext has set of attributes

•User has set of attributes

•If more than k attributes match, then User can decrypt.

Main Application- Biometrics

42

Central goal: Prevent Collusions

Users shouldn’t be able to collude

[Access trees of the two users’ keys: AND(“Computer Science”, “Admissions”); AND(“History”, “Hiring”)]

Ciphertext = M, {“Computer Science”, “Hiring”}

