Attribute-Based Encryption

Presentation transcript:

Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit Sahai http://www.csl.sri.com/users/bwaters/

IBE [BF01] Is regular PKI good enough? IBE: [BF01] Public key encryption scheme where public key is an arbitrary string (ID). Examples: user’s e-mail address I am “bob@stanford.edu” Private key email encrypted using public key: “bob@stanford.edu” Alice does not access a PKI CA/PKG Authority is offline master-key

Generalizing the Framework Capability Request Private “Capability” Encrypt “Structured” Data CA/PKG Authority is offline master-key

Attribute-Based Encryption (ABE) [SW05] Encrypt Data with descriptive “Attributes” Users’ Private Keys reflect Decryption Policies master-key CA/PKG Authority is offline Encrypt w/attributes

An Encrypted Filesystem Encrypted Files on Untrusted Server Label files with attributes File 1 “Creator: bsanders” “Computer Science” “Admissions” “Date: 04-11-06” File 2 “Creator: akeen” “History” “Hiring” “Date: 03-20-05”

An Encrypted Filesystem “Creator: bsanders” “Computer Science” “Admissions” “Date: 04-11-06” Authority OR File 2 “Creator: akeen” “History” “Hiring” “Date: 03-20-05” AND “bsmith” “CS” “admissions”

This Talk Threshold ABE & Biometrics More “Advanced” ABE Other Systems

A Warmup: Threshold ABE [SW05] Data labeled with attributes Keys of form “At least k” attributes Application: IBE with Biometric Identities

Biometric Identities Iris Scan Voiceprint Fingerprint

Biometric Identities Stay with human Are unique No registration Certification is natural

Biometric Identities Deviations Environment Difference in sensors Small change in trait Can’t use previous IBE solutions!

Error-tolerance in Identity k attributes must match Example: 5 attributes Public Key master-key CA/PKG Private Key 5 matches

Error-tolerance in Identity k attributes must match Example: 5 attributes Public Key Private Key CA/PKG 3 matches master-key

Secret Sharing Split message M into shares such that need k to reconstruct Choose random k-1 degree polynomial, q, s.t. q(0)=M Need k points to interpolate

First Method Key Pair per Trait Encrypt shares of message Deg. 4 (need 5 traits) polynomial $q(x)$, such that $q(0)=M$ Ciphertext $E_3(q(3))$ ... 5 Private Key 2 7 8 11 13 16 $q(x)$ at 5 points $\Rightarrow$ $q(0)=M$

Collusion Attack Private Key 5 6 7 9 10 8 6 8 9 7 5 10

Our Approach Goals Threshold Collusion Resistance Methods Secret-share private key Bilinear maps

Bilinear Maps $G$, $G_1$: finite cyclic groups of prime order $p$. Def: An admissible bilinear map $e: G \times G \to G_1$ is: Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$. Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$. Efficiently computable.

The SW05 Threshold ABE system Public Parameters: $e(g,g)^y \in G_1$, $g^{t_1}, g^{t_2}, \ldots, g^{t_n} \in G$ Private Key: Random degree 4 polynomial $q(x)$ s.t. $q(0)=y$, $g^{q(5)/t_5}$ Bilinear Map: $e(g,g)^{rq(5)}$ Ciphertext: $g^{r \cdot t_5}$, $M e(g,g)^{ry}$ Interpolate in exponent to get $e(g,g)^{rq(0)} = e(g,g)^{ry}$

Intuition Threshold: Need k values of $e(g,g)^{rq(x)}$ Collusion resistance: Can’t combine private key components (shares of $q(x)$, $q'(x)$) Reduction: Given $g^a, g^b, g^c$ distinguish $e(g,g)^{ab/c}$ from random

Moving Beyond Threshold ABE Threshold ABE not very expressive “Grafting” has limitations Shamir Secret Sharing => k of n Base new ABE off of general secret sharing schemes OR AND “ksmith” “CS” “admin”

Access Trees [Ben86] Secret Sharing for tree-structure of AND + OR Replicate ORs Split ANDs [Figure: access tree with root secret s, OR and AND gates, shares s, s’, s-s’, s’’, s-s’’ at leaves Alice, Bob, Charlie, Doug, Edith]
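The "replicate ORs, split ANDs" rule from the access-tree slide, as an added example that is not part of the original talk. The tree layout on the slide is not recoverable from the transcript, so `POLICY` is a constructed tree over the same five names; the modulus `Q` and the function names are assumptions.

```python
import secrets

Q = 2**127 - 1   # prime modulus for additive shares (assumed; any prime works)

def share(node, s, path=(), out=None):
    """Top-down: OR gates copy s to every child, AND gates split s additively."""
    out = {} if out is None else out
    if isinstance(node, str):                      # leaf: party name
        out[path] = (node, s)
    elif node[0] == "OR":
        for k, child in enumerate(node[1:]):
            share(child, s, path + (k,), out)
    else:                                          # AND: child shares sum to s mod Q
        parts = [secrets.randbelow(Q) for _ in node[2:]]
        parts.insert(0, (s - sum(parts)) % Q)
        for k, (child, part) in enumerate(zip(node[1:], parts)):
            share(child, part, path + (k,), out)
    return out

def reconstruct(node, shares, present, path=()):
    """Bottom-up: a leaf contributes its share only if its owner is present."""
    if isinstance(node, str):
        return shares[path][1] if node in present else None
    vals = [reconstruct(c, shares, present, path + (k,))
            for k, c in enumerate(node[1:])]
    if node[0] == "OR":                            # any satisfied child suffices
        return next((v for v in vals if v is not None), None)
    return None if None in vals else sum(vals) % Q  # AND needs every child

# Constructed policy: (Alice AND Bob) OR (Charlie AND (Doug OR Edith))
POLICY = ("OR", ("AND", "Alice", "Bob"),
                ("AND", "Charlie", ("OR", "Doug", "Edith")))
```

Shares are keyed by leaf position rather than by name, so a party that appears at several leaves would hold one share per occurrence.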

Key-Policy Attribute-Based Encryption [GPSW06] Encryption similar to Threshold ABE Keys reflect a tree access structure Randomness to prevent collusion! Use Threshold Gates Decrypt iff attributes from CT satisfy key’s policy OR AND “ksmith” “CS” “admin”

Delegation Can delegate any key to a more restrictive policy Subsumes Hierarchical-IBE OR AND “ksmith” Year=2005 “CS” “admin”

A comparison ABE [GPSW06] Arbitrary Attributes Expressive Policy Attributes in Clear Hidden Vector Enc. [BW06] Fields Fixed at Setup Conjunctions & don’t care Hidden Attributes

Ciphertext Policy ABE (opposite) Encrypted Data reflects Decryption Policies Users’ Private Keys are descriptive attributes master-key CA/PKG “Blond”, “Well-dressed”, “Age=21”, “Height=5’2” OR AND “Rhodes Scholar” “25-35” “millionaire”

Multi-Authority ABE [Chase07] Authorities over different domains E.g. DMV and IRS Challenge: Prevent Collusion Across Domains Insight: Use “globally verifiable ID/attribute” to link

Open Problems Ciphertext Policy ABE ABE with “hidden attributes” Policies from Circuits instead of Trees

Generalizing the Framework Capability Request Private “Capability” Encrypt “Structured” Data CA/PKG Authority is offline master-key

Health Records Weight=125 Height = 5’4 Age = 46 Blood Pressure= 125 Partners = … If Weight/Height >30 AND Age > 45 Output Blood Pressure Private “Capability” No analogous PKI solution CA/PKG Authority is offline master-key

THE END

Related Work Secret Sharing Schemes [Shamir79, Benaloh86…] Allow Collusion Building from IBE + Secret Sharing [Smart03, Juels] IBE gives key Compression Not Collusion Resistant