Improving Privacy and Security in Multi- Authority Attribute-Based Encryption Advanced Information Security April 6, 2010 Presenter: Semin Kim

OverviewOverview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -2/19-

OverviewOverview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -3/19-

History of Attributed-Based Encryption 1977, RSA  Rivest, Shamir and Adleman  Public/Private(Secret) Key 1985, IBE(Identity-Based Encryption)  Shamir  Allows for a sender to encrypt message to an identity without access to a public key certificate -4/19- Encrypted by Address, Name

History of Attributed-Based Encryption 2005, Fuzzy IBE  Sahai and Waters  A user having identity ω can decrypt a ciphertext with public key ω’. (|ω – ω’| < threshold distance)  Two interesting new applications Uses biometric identities. –Ex) a fingerprint of human can be changeable by pressure, angle and noisy Attributed-Based Encryption (ABE) –Suppose that a party wish to encrypt a document to all users that have a certain set of attributes –Ex) {School, Department, Course} -> {KAIST, ICE, Ph.D} -5/19-

OverviewOverview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -6/19-

Introduction of paper Title  Improving Privacy and Security in Multi-Authority Attribute-Based Encryption Conference  In CCS'09: Proceedings of the 16th ACM conference on Computer and communications security. ACM, New York, NY, USA, 2009 Authors  Melissa Chase (Microsoft Research)  Sherman S.M. Chow (New York University) -7/19-

Background of paper Motivation  In single authority Attribute-Based Encryption (ABE), there exist only one trusted server who monitors all attributes.  However, this may not be entirely realistic. Goal  To provide an efficient scheme to resolve the above problem by multi-authority ABE -8/23-

OverviewOverview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -9/19-

PreliminariesPreliminaries Basic Idea of ABE  Attributes of Human are different and changeable.  Thus, it is difficult to find a perfect set of attributes according to various situations. -10/23- Soccer Action Red Reading Soccer Red Reading AB Soccer Drama Blue Music

PreliminariesPreliminaries Lagrange Polynomial (from Wikipedia) -11/23-

Single Authority ABE Step One – Feldman Verifiable Secret Sharing  Init: First fix y ← Z q, where q is a prime.  Secret Key (SK) for user u: Choose a random polynomial p such that p(0) = y and the degree of p is d-1. SK: {D i = g p(i) } ∀ i ∈ A u,where A u is a attribute set of user u and g is a costant  Encryption: E = g y m, where m is a message  Decryption: Use d SK elements D i to interpolate to obtain Y = g p(0) = g y. Then m = E/Y -12/23-

Single Authority ABE Step Two – Specifying Attributes  Let G 1 be a cyclic multiplicative group of prime order q generated by g.  Let e(, ) be a bilinear map such that g ∈ G1, and a, b ∈ Z q, e(g a, g b ) = e(g, g) ab  Init: First fix y, t 1,…,t n ←Zq, Let Y = e(g, g) y  SK for user u: Choose a random polynomial p such that p(0) = y.. SK: {D i = g p(i)/ti } ∀ i ∈ A u  Encryption for attribute set A c : E=Ym and {E i = g ti } ∀ i ∈ A C  Decryption: For d attributes i ∈ A c ∩A u, compute e(E i, D i ) = e(g, g) p(i). Interpolate to find Y = e(g, g) p(0) = e(g, g) y. Then m = E/Y. -13/23-

Single Authority ABE Step Three – Multiple Encryptions  To encrypt multiple times without the decryptor needing to get a new secret key each time.  Init: First fix y, t 1, …, t n ← Z q.  Public Key (PK) for system: T 1 = g t1 … T n = g tn, Y = e(g, g) y. PK = {T i } 1 ≤ I ≤ n,Y  SK for user u: Choose a random polynomial p such that p(0) = y. SK: {D i = g p(i)/ti } ∀ i ∈ A u  Encryption for attribute set A c : E=Y s =e(g, g) ys m and {E i = g tis } ∀ i ∈ A C  Decryption: For d attributes i ∈ A c ∩A u, compute e(E i, D i ) = e(g, g) p(i)s. Interpolate to find Y s = e(g, g) p(0)s = e(g, g) ys. Then m = E/Y s. -14/23-

OverviewOverview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -15/19-

Multi Authority Attribute Based Encryption Encryption  Attribute Set {A 1 C, …, A N C ), pick s ∈ R Zq.  Return (E0 = mY s, E1 = g 2 s, {C k, i = T s k,i } Decryption  For each authority k ∈ [1, …, N] For any d k attributes i ∈ A k C ∩ A k u, pair up S k,i and C k,i compute e(S k,i, C k,i ) = e(g 1, g 2 ) spk(i). Interpolate all the values e(g 1, g 2 ) spk(i) to get P k = e(g 1, g 2 ) spk(i) = e(g 1, g 2 ) s(vk- ∑Rkj)  Multiply Pk’s together to get Q = e(g 1, g 2 ) s(vk- ∑Ru) = Ys/ e(g 1 Ru, g 2 s )  Compute e(Du, E1)Q = e(g 1 Ru, g 2 s )Q = Ys  Recover m by E 0 /Y s -16/23-

OverviewOverview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -17/19-

ConclusionConclusion Contribution  Multi-authority attributed-based encryption enables a more realistic deployment of attribute-based access control. Novelty  An attribute-based encryption scheme without the trusted authority was proposed -18/19-

Q&AQ&A Thank you! Any questions? -19/19-