1 Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data
Vipul Goyal, Omkant Pandey, Amit Sahai, Brent Waters
UCLA, SRI
2 Traditional Encrypted Filesystem
File 1: Owner: John
File 2: Owner: Tim
– Encrypted files stored on an untrusted server
– Every user can decrypt their own files
– Files to be shared across different users?
3 A New Encrypted Filesystem
Label files with attributes
File 1: “Creator: John”, “Computer Science”, “Admissions”, “Date: ”
File 2: “Creator: Tim”, “History”, “Admissions”, “Date: ”
4 An Encrypted Filesystem
File 1: “Creator: John”, “Computer Science”, “Admissions”, “Date: ”
File 2: “Creator: Tim”, “History”, “Admissions”, “Date: ”
Authority
Access tree: OR( AND(“Computer Science”, “Admissions”), “Bob” )
5 Threshold Attribute-Based Enc. [SW05]
Sahai-Waters introduced ABE, but only for “threshold policies”:
– Ciphertext has set of attributes
– User has set of attributes
– If more than k attributes match, then User can decrypt.
Main Application: Biometrics
6 General Attribute-Based Encryption
– Ciphertext has set of attributes
– Keys reflect a tree access structure
– Decrypt iff attributes from CT satisfy key’s policy
Access tree: OR( AND(“Computer Science”, “Admissions”), “Bob” )
7 Central goal: Prevent Collusions
Users shouldn’t be able to collude
Access tree 1: AND(“Computer Science”, “Admissions”)
Access tree 2: AND(“History”, “Hiring”)
Ciphertext = M, {“Computer Science”, “Hiring”}
8 Related Work
– Access Control [Smart03], Hidden Credentials [Holt et al ]: Not Collusion Resistant
– Secret Sharing Schemes [Shamir79, Benaloh86…]: Allow Collusion
9 Techniques
We combine two ideas:
– Bilinear maps
– General Secret Sharing Schemes
10 Bilinear Maps
$G, G_1$: multiplicative groups of prime order $p$.
Def: An admissible bilinear map $e: G \times G \to G_1$ is:
– Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$.
– Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$
– Efficiently computable.
– Exist based on Elliptic-Curve Cryptography
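11 Secret Sharing [Ben86]
Secret Sharing for tree-structure of AND + OR
Access tree: OR( AND(“Computer Science”, “Admissions”), “Bob” )
Shares: $y$ at the root and at each child of the OR; $r$ and $(y-r)$ at the children of the AND
– Replicate secret for OR’s.
– Split secrets for AND’s.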
12 The Fixed Attributes System: System Setup
List of all possible attributes: “Bob”, “John”, …, “Admissions”
Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$
13 Encryption
Public Parameters: $g^{t_1}, g^{t_2}, g^{t_3}, \ldots, g^{t_n}, e(g,g)^{y}$
File 1: “Creator: John” (attribute 2), “Computer Science” (attribute 3), “Admissions” (attribute n)
Select set of attributes, raise them to random $s$
Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, M\,e(g,g)^{sy}$
14 Key Generation
Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$
Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, M\,e(g,g)^{sy}$
Access tree: OR( AND(“Computer Science”, “Admissions”), “Bob” )
Shares: $y$ at the root and at each child of the OR; $r$ and $(y-r)$ at the children of the AND
$y_3 =$ $y_n =$ $y_1 =$
Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
Fresh randomness used for each key generated!
15 Decryption
Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, M\,e(g,g)^{sy}$
Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
$e(g,g)^{sy_3}$
$e(g,g)^{sy_3} \cdot e(g,g)^{sy_n} = e(g,g)^{s(y-r+r)} = e(g,g)^{sy}$
(Linear operation in exponent to reconstruct $e(g,g)^{sy}$)
16 Security
Reduction: Bilinear Decisional Diffie-Hellman
Given $g^a, g^b, g^c$, distinguish $e(g,g)^{abc}$ from random
Collusion resistance: Can’t combine private key components
17 The Large Universe Construction: Key Idea
Any string can be a valid attribute
Public Parameters: public function $T(\cdot)$, $e(g,g)^{y}$
Ciphertext: $g^{s}$, $M\,e(g,g)^{sy}$; for each attribute $i$: $T(i)^{s}$
Private Key: for each attribute $i$: $g^{y_i} T(i)^{r_i}$, $g^{r_i}$
$e(g,g)^{sy_i}$
18 Extensions
– Building from any linear secret sharing scheme; in particular, tree of threshold gates…
– Delegation of Private Keys
19 Delegation
Access tree nodes: AND, “Computer Science”, “admissions”, OR, “Bob”
Derive a key for a more restrictive policy
Year=2006
Bob’s Assistant
Subsumes Hierarchical-IBE [Horwitz-Lynn 02, …]
20 Applications: Targeted Broadcast Encryption
Encrypted stream
Access tree 1: AND(“Soccer”, “Germany”)
Access tree 2: AND(“Sport”, “ ”)
Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “ ”}
21 Thank You