Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Attribute-Based Encryption Brent Waters SRI International.

Published byArnold White Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Attribute-Based Encryption Brent Waters SRI International."— Presentation transcript:

1 1 Attribute-Based Encryption Brent Waters SRI International

2 2 Server Mediated Access Control Access list: John, Beth, Sue, Bob Attributes: “Computer Science”, “Admissions” File 1 Server stores data in clear Expressive access controls

3 3 Distributed Storage Scalability Reliability Downside: Increased vulnerability

4 4 Traditional Encrypted Filesystem File 1 Owner: John File 2 Owner: Tim  Encrypted Files stored on Untrusted Server  Every user can decrypt its own files  Files to be shared across different users? Credentials? Lost expressivity of trusted server approach!

5 5 A New Approach to Encrypting Data File 1 “Creator: John” “Computer Science” “Admissions” “Date: 04-11-06” File 2 “Creator: Tim” “History” “Admissions” “Date: 03-20-05”  Label files with attributes Goal: Encryption with Expressive Access Control

6 6 File 1 “Creator: John” “Computer Science” “Admissions” “Date: 04-11-06” File 2 “Creator: Tim” “History” “Admissions” “Date: 03-20-05” Univ. Key Authority OR AND “Computer Science” “Admissions” “Bob” A New Approach to Encrypting Files

7 7 Attribute-Based Encryption [Sahai-Waters 05]  Start with monotonic access formulas [GPSW06]  Techniques from IBE [S84,BF01]  Challenge: Collusion Resistance  Further developments of ABE  Bringing into Practice

8 8 Attribute-Based Encryption  Ciphertext has set of attributes  Keys reflect a tree access structure  Decrypt iff attributes from CT satisfy key’s policy OR AND “Computer Science” “Admissions” “Bob” “Creator: John” “Computer Science” “Admissions” “Date: 04-11-06”

9 9 Central goal: Prevent Collusions  If neither user can decrypt a CT, then they can’t together AND “Computer Science” “Admissions” AND “History” “Hiring” Ciphertext = M, {“Computer Science”, “Hiring”}

10 10 A Misguided Approach K History, K CS, K Hiring, K Admissions, … Public Parameters SK CS, SK Admissions SK History, SK Hiring CT= E K CS ( R), E K Hiring (M-R) Neither can decrypt alone, but …

11 11 Our Approach Two key ideas  Prevent collusion attacks  Bilinear maps “tie” key components together  Support access formulas  General Secret Sharing Schemes

12 12 Bilinear Maps  G, G T : multiplicative of prime order p.  Def: An admissible bilinear map e: G  G  G T is: –Non-degenerate: g generates G  e(g,g) generates G T. –Bilinear: e(g a, g b ) = e(g,g) ab  a,b  Z, g  G –Efficiently computable. –Exist based on Elliptic-Curve Cryptography

13 13 Secret Sharing [Ben86]  Secret Sharing for tree-structure of AND + OR OR AND “Computer Science” “Admissions” “Bob” y y y r (y-r) Replicate secret for OR’s. Split secrets for AND’s.

14 14 The Fixed Attributes System: System Setup Public Parameters g t 1, g t 2,.... g t n, e(g,g) y “Bob”, “John”, …, “Admissions” List of all possible attributes:

15 15 Encryption Public Parameters g t 1, g t 2, g t 3,.... g t n, e(g,g) y Ciphertext g st 2, g st 3, g st n, e(g,g) sy Select set of attributes, raise them to random s M File 1 “Creator: John” (attribute 2) “Computer Science” (attribute 3) “Admissions” (attribute n)

16 16 Key Generation Public Parameters Private Key g y 1 /t 1, g y 3 /t 3, g y n /t n g t 1, g t 2,.... g t n, e(g,g) y Fresh randomness used for each key generated! Ciphertext g st 2, g st 3, g st n, e(g,g) sy M OR AND “Computer Science” “Admissions” “Bob” y y y r (y-r) y3=y3= yn=yn= y1=y1=

17 17 Decryption e(g,g) sy 3 e(g,g) sy n = e(g,g) s(y-r+r) = e(g,g) sy (Linear operation in exponent to reconstruct e(g,g) sy ) Ciphertext g st 2, g st 3, g st n, Me(g,g) sy Private Key g y 1 /t 1, g y 3 /t 3, g y n /t n e(g,g) sy 3

18 18 Security  Reduction: Bilinear Decisional Diffie-Hellman  Given g a,g b,g c distinguish e(g,g) abc from random  Collusion resistance  Can’t combine private key components

19 19 The Large Universe Construction: Key Idea Public Function T(.), e(g,g) y Private Key  Any string can be a valid attribute Ciphertext g s, e(g,g) sy M For each attribute i: T(i) s For each attribute i g y i T(i) r i, g r i e(g,g) sy i Public Parameters

20 20 Delegation AND “Computer Science” “admissions” OR “ Bob ”  Derive a key for a more restrictive policy Year=2006 Bob’s Assistant

21 21 Making ABE more expressive  Any access formulas Challenge: Decryptor ignores an attribute  Attributes describe CT, policy in key Flip things around

22 22 Supporting “NOTs” [OSW07] Example Peer Review of Other Depts. AND “Year:2007” “Dept. Review” “Computer Science” NOT Bob is in C.S. dept => Avoid Conflict of Interest Challenge: Can’t attacker just ignore CT components?

23 23 A Simple Solution  Use explicit “not” attributes  Attribute “Not:Admissions”, “Not:Biology”  Problems: Encryptor does not know all attributes to negate Huge number of attributes per CT “Creator: John” “History” “Admissions” “Date: 04-11-06” “Not:Anthropology” “Not:Aeronautics” … “Not:Zoology”

24 24 Technique 1: Simplify Formulas Use DeMorgan’s law to propagate NOTs to just the attributes AND “Dept. Review” “Public Policy” “Computer Science” NOT OR NOT

25 25 Applying Revocation Techniques  Broadcast a ciphertext to all but a certain set of users  Used in digital content protection E.g. Revoke compromised players P1P1 P2P2 P3P3

26 26 Applying Revocation Techniques  Focus on a particular Not Attribute AND “Year:2007” “Dept. Review” “Computer Science” NOT

27 27 Applying Revocation Techniques  Focus on a particular ‘Not’ Attribute “Computer Science” NOT “Creator: John” “Computer Science” “Admissions” “Date: 04-11-06”  Attribute in ‘Not’ as node’s “identity”  Attributes in CT as Revoked Users Node ID not in “revoked” list =>satisfied N.B. – Just one node in larger policy

28 28 The Naor-Pinkas Scheme  Pick a degree n polynomial q( ), q(0)=a n+1 points to interpolate  User t gets q(t)  Encryption: g s,,Mg sa Revoked x 1, …, x n g sq(t) g sq(x 1 ),..., g sq(x n ) Can interpolate to g sq(0) =g sa iff t not in {x 1,…x n }

29 29 Applying Revocation to ABE  Use same S.S. techniques for key generation Same techniques for pos. attributes  “Local” N-P Revocation at each Not-Attribute  Upshot: N-P Revocation requires to use each CT attribute

30 30 Ciphertext Policy ABE [BSW07]  Encrypt Data reflect Decryption Policies  Users’ Private Keys are descriptive attributes OR AND “Discipline Committee” “Professor” “Counselor” “Professor”, “Discipline Committee”, “Age=33”, “History” Univ. Key Authority “Thinking” Encryptor

31 31 Challenges in Practice [PTMW06]  Applications Health Care Netflow Logs (currently building)  How are CTs annotated? Can we automate?  Convention for using Attributes? “Prof.” or “Professor” Does “T.A.” + “CS236” mean TAing CS236?

32 32 Challenges in Practice  What group do Public Parameters represent? Univ. Key Authority Individual’s Key

33 33 Advanced Crypto Software Collection  Goal: Make advanced Crypto available to systems researchers  http://acsc.csl.sri.com (8 projects) http://acsc.csl.sri.com $ cpabe-setup $ cpabe-keygen -o sara_priv_key pub_key master_key \ sysadmin it_department 'office = 1431' 'hire_date = '`date +%s` $ cpabe-enc pub_key security_report.pdf (sysadmin and (hire_date = 5, audit_group, strategy_team)) Projects at UIUC and MIT using ABE

34 34 Conclusions and Open Directions  Attribute-Based Encryption for Expressive Access Control on Encrypted Data  Extending Capabilities Delegation Non-Monotonic Formulas Ciphertext-Policy  Currently implemented

35 35 Conclusions and Open Directions  Open: Can we express access control for any circuit over attributes?  What are limits of capability-based crypto? Capability that evaluates any function s Univ. Key Authority F( ) F(s)

36 36 Thank You

37 37 Related Work  Identity-Based Encryption [Shamir84,BF01,C01]  Access Control [Smart03], Hidden Credentials [Holt et al. 03-04] Not Collusion Resistant  Secret Sharing Schemes [Shamir79, Benaloh86…] Allow Collusion

38 38 System Sketch Public Parameters Choose degree n polynomial q(), q(0)=b Can compute g q(x) g q(0), g q(1),.... g q(n), Ciphertext g s, g sq(x 1 ), …, g sq(x n ) Attributes: x 1, x 2 … =t Private Key g rq(t), g r “Computer Science” NOT e(g,g) srq(t) e(g,g) srq(x 1 ) e(g,g) srq(x n ) If points different can compute e(g,g) srb

39 39 Applications: Targeted Broadcast Encryption  Encrypted stream AND “Soccer” “Germany” AND “Sport” “11-01-2006” Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “11-01-2006”}

40 40 Extensions  Building from any linear secret sharing scheme  In particular, tree of threshold gates…  Delegation of Private Keys

41 41 Threshold Attribute-Based Enc. [SW05]  Sahai-Waters introduced ABE, but only for “threshold policies”: Ciphertext has set of attributes User has set of attributes If more than k attributes match, then User can decrypt.  Main Application- Biometrics

42 42 Central goal: Prevent Collusions  Users shouldn’t be able to collude AND “Computer Science” “Admissions” AND “History” “Hiring” Ciphertext = M, {“Computer Science”, “Hiring”}

Download ppt "1 Attribute-Based Encryption Brent Waters SRI International."

Similar presentations

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Attribute-based Encryption

Attribute-based Encryption
Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated.

Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated.
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang

1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang
Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Russell Martin August 9th, Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Access Control Methodologies

Access Control Methodologies
Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.

Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.
1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.

1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.
Access Control & Digital Rights Management KAIST KSE Uichin Lee.

Access Control & Digital Rights Management KAIST KSE Uichin Lee.
Computer Science 1 Efficient Self-healing Group Key Distribution With Revocation Capability Archana Rajagopal CSC 774 Presentation Based on Original Slides.

Computer Science 1 Efficient Self-healing Group Key Distribution With Revocation Capability Archana Rajagopal CSC 774 Presentation Based on Original Slides.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Improving Privacy and Security in Multi- Authority Attribute-Based Encryption Advanced Information Security April 6, 2010 Presenter: Semin Kim.

Improving Privacy and Security in Multi- Authority Attribute-Based Encryption Advanced Information Security April 6, 2010 Presenter: Semin Kim.
Identity Based Encryption

Identity Based Encryption
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.

Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.
1 Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International.

1 Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International.

Similar presentations

Ads by Google