1 Attribute-Based Encryption Brent Waters SRI International.

Presentation transcript:

1 Attribute-Based Encryption Brent Waters SRI International

2 Server Mediated Access Control Access list: John, Beth, Sue, Bob Attributes: “Computer Science”, “Admissions” File 1 Server stores data in clear Expressive access controls

3 Distributed Storage Scalability Reliability Downside: Increased vulnerability

4 Traditional Encrypted Filesystem
File 1 (Owner: John), File 2 (Owner: Tim)
• Encrypted files stored on untrusted server
• Every user can decrypt its own files
• Files to be shared across different users? Credentials?
Lost expressivity of trusted server approach!

5 A New Approach to Encrypting Data
File 1: “Creator: John”, “Computer Science”, “Admissions”, “Date: ”
File 2: “Creator: Tim”, “History”, “Admissions”, “Date: ”
• Label files with attributes
Goal: Encryption with Expressive Access Control

6 A New Approach to Encrypting Files
File 1: “Creator: John”, “Computer Science”, “Admissions”, “Date: ”
File 2: “Creator: Tim”, “History”, “Admissions”, “Date: ”
Univ. Key Authority
Key policy tree: (“Computer Science” AND “Admissions”) OR “Bob”

7 Attribute-Based Encryption [Sahai-Waters 05]
• Start with monotonic access formulas [GPSW06]
• Techniques from IBE [S84,BF01]
• Challenge: Collusion Resistance
• Further developments of ABE
• Bringing into Practice

8 Attribute-Based Encryption
• Ciphertext has set of attributes
• Keys reflect a tree access structure
• Decrypt iff attributes from CT satisfy key’s policy
Key policy tree: (“Computer Science” AND “Admissions”) OR “Bob”
Ciphertext attributes: “Creator: John”, “Computer Science”, “Admissions”, “Date: ”

9 Central goal: Prevent Collusions
• If neither user can decrypt a CT, then they can’t together
Key 1: “Computer Science” AND “Admissions”
Key 2: “History” AND “Hiring”
Ciphertext = M, {“Computer Science”, “Hiring”}

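10 A Misguided Approach
Public Parameters: $K_{\text{History}}, K_{\text{CS}}, K_{\text{Hiring}}, K_{\text{Admissions}}, \ldots$
User keys: $SK_{\text{CS}}, SK_{\text{Admissions}}$ and $SK_{\text{History}}, SK_{\text{Hiring}}$
$CT = E_{K_{\text{CS}}}(R),\ E_{K_{\text{Hiring}}}(M - R)$
Neither can decrypt alone, but …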

11 Our Approach
Two key ideas
• Prevent collusion attacks
  – Bilinear maps “tie” key components together
• Support access formulas
  – General Secret Sharing Schemes

12 Bilinear Maps
• $G, G_T$: multiplicative groups of prime order $p$.
• Def: An admissible bilinear map $e: G \times G \to G_T$ is:
  – Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_T$.
  – Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z},\ g \in G$
  – Efficiently computable.
  – Exist based on Elliptic-Curve Cryptography

13 Secret Sharing [Ben86]
• Secret Sharing for tree-structure of AND + OR
Policy tree: (“Computer Science” AND “Admissions”) OR “Bob”, with node shares $y$, $y$, $y$, $r$, $(y-r)$
Replicate secret for OR’s. Split secrets for AND’s.

14 The Fixed Attributes System: System Setup
Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$
List of all possible attributes: “Bob”, “John”, …, “Admissions”

15 Encryption
Public Parameters: $g^{t_1}, g^{t_2}, g^{t_3}, \ldots, g^{t_n}, e(g,g)^{y}$
File 1: “Creator: John” (attribute 2), “Computer Science” (attribute 3), “Admissions” (attribute n)
Select set of attributes, raise them to random $s$
Ciphertext: $g^{s t_2}, g^{s t_3}, g^{s t_n}, e(g,g)^{sy} M$

16 Key Generation
Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$
Ciphertext: $g^{s t_2}, g^{s t_3}, g^{s t_n}, e(g,g)^{sy} M$
Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
Fresh randomness used for each key generated!
Policy tree: (“Computer Science” AND “Admissions”) OR “Bob”, with node shares $y$, $y$, $y$, $r$, $(y-r)$; leaf shares $y_1$, $y_3$, $y_n$

17 Decryption
Ciphertext: $g^{s t_2}, g^{s t_3}, g^{s t_n}, M e(g,g)^{sy}$
Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
$e(g,g)^{s y_3} \cdot e(g,g)^{s y_n} = e(g,g)^{s(y-r+r)} = e(g,g)^{sy}$
(Linear operation in exponent to reconstruct $e(g,g)^{sy}$)

18 Security
• Reduction: Bilinear Decisional Diffie-Hellman
  – Given $g^a, g^b, g^c$ distinguish $e(g,g)^{abc}$ from random
• Collusion resistance
  – Can’t combine private key components

19 The Large Universe Construction: Key Idea
• Any string can be a valid attribute
Public Parameters: public function $T(\cdot)$, $e(g,g)^{y}$
Ciphertext: $g^{s}$, $e(g,g)^{sy} M$; for each attribute $i$: $T(i)^{s}$
Private Key: for each attribute $i$: $g^{y_i} T(i)^{r_i}$, $g^{r_i}$
$e(g,g)^{s y_i}$

20 Delegation
• Derive a key for a more restrictive policy
Diagram labels: AND, “Computer Science”, “admissions”, OR, “Bob”, Year=2006, Bob’s Assistant

21 Making ABE more expressive
• Any access formulas
  Challenge: Decryptor ignores an attribute
• Attributes describe CT, policy in key
  Flip things around

22 Supporting “NOTs” [OSW07]
Example: Peer Review of Other Depts.
Policy: “Year:2007” AND “Dept. Review” AND NOT “Computer Science”
Bob is in C.S. dept => Avoid Conflict of Interest
Challenge: Can’t attacker just ignore CT components?

23 A Simple Solution
• Use explicit “not” attributes
• Attribute “Not:Admissions”, “Not:Biology”
• Problems:
  – Encryptor does not know all attributes to negate
  – Huge number of attributes per CT
Ciphertext attributes: “Creator: John”, “History”, “Admissions”, “Date: ”, “Not:Anthropology”, “Not:Aeronautics”, …, “Not:Zoology”

24 Technique 1: Simplify Formulas
Use DeMorgan’s law to propagate NOTs to just the attributes
Diagram labels: AND, “Dept. Review”, “Public Policy”, “Computer Science”, NOT, OR, NOT

25 Applying Revocation Techniques
• Broadcast a ciphertext to all but a certain set of users
• Used in digital content protection
  E.g. Revoke compromised players
Players: $P_1$, $P_2$, $P_3$

26 Applying Revocation Techniques
• Focus on a particular Not Attribute
Policy: “Year:2007” AND “Dept. Review” AND NOT “Computer Science”

27 Applying Revocation Techniques
• Focus on a particular ‘Not’ Attribute
Node: NOT “Computer Science”
Ciphertext attributes: “Creator: John”, “Computer Science”, “Admissions”, “Date: ”
• Attribute in ‘Not’ as node’s “identity”
• Attributes in CT as Revoked Users
Node ID not in “revoked” list => satisfied
N.B. – Just one node in larger policy

28 The Naor-Pinkas Scheme
• Pick a degree $n$ polynomial $q(\cdot)$, $q(0) = a$
  $n+1$ points to interpolate
• User $t$ gets $q(t)$
• Encryption: $g^{s},\ g^{sq(x_1)}, \ldots, g^{sq(x_n)},\ M g^{sa}$
  Revoked: $x_1, \ldots, x_n$
  User $t$’s point: $g^{sq(t)}$
Can interpolate to $g^{sq(0)} = g^{sa}$ iff $t$ not in $\{x_1, \ldots, x_n\}$

29 Applying Revocation to ABE
• Use same S.S. techniques for key generation
  Same techniques for pos. attributes
• “Local” N-P Revocation at each Not-Attribute
• Upshot: N-P Revocation requires using each CT attribute

30 Ciphertext Policy ABE [BSW07]
• Encrypt Data reflect Decryption Policies
• Users’ Private Keys are descriptive attributes
Ciphertext policy labels: OR, AND, “Discipline Committee”, “Professor”, “Counselor”
Private key attributes: “Professor”, “Discipline Committee”, “Age=33”, “History”
Univ. Key Authority
“Thinking” Encryptor

31 Challenges in Practice [PTMW06]
• Applications
  – Health Care
  – Netflow Logs (currently building)
• How are CTs annotated? Can we automate?
• Convention for using Attributes?
  – “Prof.” or “Professor”
  – Does “T.A.” + “CS236” mean TAing CS236?

32 Challenges in Practice
• What group do Public Parameters represent?
Diagram labels: Univ. Key Authority, Individual’s Key

33 Advanced Crypto Software Collection
• Goal: Make advanced Crypto available to systems researchers
• (8 projects)
$ cpabe-setup
$ cpabe-keygen -o sara_priv_key pub_key master_key \
    sysadmin it_department 'office = 1431' 'hire_date = '`date +%s`
$ cpabe-enc pub_key security_report.pdf
(sysadmin and (hire_date = 5, audit_group, strategy_team))
Projects at UIUC and MIT using ABE

34 Conclusions and Open Directions
• Attribute-Based Encryption for Expressive Access Control on Encrypted Data
• Extending Capabilities
  – Delegation
  – Non-Monotonic Formulas
  – Ciphertext-Policy
• Currently implemented

35 Conclusions and Open Directions
• Open: Can we express access control for any circuit over attributes?
• What are limits of capability-based crypto?
  Capability that evaluates any function
Diagram labels: $s$, Univ. Key Authority, $F(\cdot)$, $F(s)$

36 Thank You

37 Related Work
• Identity-Based Encryption [Shamir84,BF01,C01]
• Access Control [Smart03], Hidden Credentials [Holt et al ]
  Not Collusion Resistant
• Secret Sharing Schemes [Shamir79, Benaloh86…]
  Allow Collusion

38 System Sketch
Choose degree $n$ polynomial $q(\cdot)$, $q(0) = b$
Public Parameters: $g^{q(0)}, g^{q(1)}, \ldots, g^{q(n)}$ (can compute $g^{q(x)}$)
Ciphertext: $g^{s}, g^{sq(x_1)}, \ldots, g^{sq(x_n)}$; attributes: $x_1, x_2, \ldots$
Private Key for NOT “Computer Science” ($= t$): $g^{rq(t)}, g^{r}$
$e(g,g)^{srq(t)}$, $e(g,g)^{srq(x_1)}$, …, $e(g,g)^{srq(x_n)}$
If points different can compute $e(g,g)^{srb}$

39 Applications: Targeted Broadcast Encryption
• Encrypted stream
Key 1: “Soccer” AND “Germany”
Key 2: “Sport” AND “ ”
Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “ ”}

40 Extensions
• Building from any linear secret sharing scheme
  – In particular, tree of threshold gates…
• Delegation of Private Keys

41 Threshold Attribute-Based Enc. [SW05]
• Sahai-Waters introduced ABE, but only for “threshold policies”:
  – Ciphertext has set of attributes
  – User has set of attributes
  – If more than k attributes match, then User can decrypt.
• Main Application: Biometrics

42 Central goal: Prevent Collusions
• Users shouldn’t be able to collude
Key 1: “Computer Science” AND “Admissions”
Key 2: “History” AND “Hiring”
Ciphertext = M, {“Computer Science”, “Hiring”}