online/offline attribute-based encryption

Download Online/Offline  Attribute-Based Encryption

Post on 22-Feb-2016




0 download

Embed Size (px)


Online/Offline Attribute-Based Encryption. Susan Hohenberger. Brent Waters. Presented by Shai Halevi. SK. Access Control by Encryption. Idea: Need secret key to access data. PK. OR. AND. Internal Affairs. Undercover. Central. Rethinking Encryption. - PowerPoint PPT Presentation


Ciphertext-Policy Attribute-Based Encryption

Online/Offline Attribute-Based EncryptionBrent WatersSusan HohenbergerPresented by Shai Halevi

testAccess Control by Encryption

Idea: Need secret key to access data


PK3Rethinking Encryption

ORInternal AffairsANDUndercover CentralWho matches this? Am I allowed to know? What if they join later?Problem: Disconnect between policy and mechanism34Attribute-Based Encryption [SW05,GPSW06,]

Public Parameters


MSKKey: f

SKCT: S (set of attributes)Functionality: output message if f(S) = trueS is not hidden45Costs of EncryptionTypical cost ~ 1-3 exponentiations per attribute (KP-ABE)Problems:Bursty encryption periodsLow power devices

5Can we move most of the encryption costs offline?67Online/Offline ABEOffline: Online:

Intermediate Ciphertext (IT)Attribute set S

CiphertextABE Key Encapsulation Mechanism (KEM)78Some Prior Online/Offline WorkSignatures: EGM96, ST01, Also in other contexts such as Multi-party computationIBE: GMC08, 89The rest of the talkWarmup with IBE(2) Our Online/Offline Construction(3) Pooling for better efficiency

910Brief Background on Bilinear maps

High Level: single multiplication1011Structure Matters

CT:Difficulty of online/offline on Boneh-Franklin IBE12IBE Warmup (Boneh-Boyen04 ish)Offline: Online (ID):

Correction FactorKeyGen(ID):


1213Challenges for ABEMany ABE systems do not have right structure (e.g. GPSW06)More complex access policiesUse Rouselakis-Waters 20131314System Setup

15Key Generation


Share a according to formulaGenerate key components

16EncryptionOffline: Online ( ):

System uses n attributes per CT (address later)

1617Decryption & ProofBrings together CT randomness and key sharesUses correction factor per nodeDetails in paper.Proof: Reduce to security of RW13 ABE schemeDecryption:18ExtensionsPooling: Flexible number of attributes per ciphertextOnline/Offline Key Gen:Matches CP-ABE

1819Thank you


View more >