1 / 21

Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data

Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data. Vipul Goyal Omkant Pandey Amit Sahai Brent Waters. UCLA UCLA UCLA SRI. File 1 Owner: John. File 2 Owner: Tim. Traditional Encrypted Filesystem. Encrypted Files stored on Untrusted Server

Leo
Download Presentation

Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data Vipul Goyal Omkant Pandey Amit Sahai Brent Waters UCLA UCLA UCLA SRI

  2. File 1 Owner: John File 2 Owner: Tim Traditional Encrypted Filesystem • Encrypted Files stored on Untrusted Server • Every user can decrypt its own files • Files to be shared across different users?

  3. File 1 • “Creator: John” • “Computer Science” • “Admissions” • “Date: 04-11-06” • File 2 • “Creator: Tim” • “History” • “Admissions” • “Date: 03-20-05” A New Encrypted Filesystem • Label files with attributes

  4. File 1 • “Creator: John” • “Computer Science” • “Admissions” • “Date: 04-11-06” • File 2 • “Creator: Tim” • “History” • “Admissions” • “Date: 03-20-05” OR AND “Bob” “Computer Science” “Admissions” An Encrypted Filesystem Authority

  5. Threshold Attribute-Based Enc. [SW05] • Sahai-Waters introduced ABE, but only for“threshold policies”: • Ciphertext has set of attributes • User has set of attributes • If more than k attributes match, then User can decrypt. • Main Application- Biometrics

  6. General Attribute-Based Encryption • Ciphertext has set of attributes • Keys reflect a tree access structure • Decrypt iff attributes from CT satisfy key’s policy OR AND “Bob” “Computer Science” “Admissions”

  7. Central goal: Prevent Collusions • Users shouldn’t be able to collude AND AND “Computer Science” “Admissions” “Hiring” “History” Ciphertext = M, {“Computer Science”, “Hiring”}

  8. Related Work • Access Control [Smart03], Hidden Credentials [Holt et al. 03-04] • Not Collusion Resistant • Secret Sharing Schemes [Shamir79, Benaloh86…] • Allow Collusion

  9. Techniques We combine two ideas • Bilinear maps • General Secret Sharing Schemes

  10. Bilinear Maps • G , G1 : multiplicative of prime order p. • Def: An admissible bilinear mape: GG G1is: • Non-degenerate:g generates G  e(g,g) generates G1 . • Bilinear:e(ga, gb) = e(g,g)ab a,bZ, gG • Efficiently computable. • Exist based on Elliptic-Curve Cryptography

  11. y y r (y-r) Secret Sharing [Ben86] • Secret Sharing for tree-structure of AND + OR Replicate secret for OR’s. Split secrets for AND’s. y OR AND “Bob” “Computer Science” “Admissions”

  12. The Fixed Attributes System: System Setup Public Parameters gt1, gt2,.... gtn, e(g,g)y List of all possible attributes: “Bob”, “John”, …, “Admissions”

  13. File 1 • “Creator: John” (attribute 2) • “Computer Science” (attribute 3) • “Admissions” (attribute n) Encryption Public Parameters gt1, gt2, gt3,.... gtn, e(g,g)y Select set of attributes, raise them to random s Ciphertext gst2 , gst3 , gstn, e(g,g)sy M

  14. y OR AND “Bob” y “Computer Science” “Admissions” y1= y r yn= (y-r) y3= Key Generation Fresh randomness used for each key generated! Public Parameters gt1, gt2,.... gtn, e(g,g)y Ciphertext gst2 , gst3 , gstn, e(g,g)sy M Private Key gy1/t1 , gy3/t3 , gyn/tn

  15. Decryption Ciphertext gst2, gst3, gstn, Me(g,g)sy e(g,g)sy3 Private Key gy1/t1 , gy3/t3 , gyn/tn e(g,g)sy3e(g,g)syn = e(g,g)s(y-r+r)= e(g,g)sy (Linear operation in exponent to reconstruct e(g,g)sy)

  16. Security • Reduction: Bilinear Decisional Diffie-Hellman • Given ga,gb,gc distinguish e(g,g)abc from random • Collusion resistance • Can’t combine private key components

  17. The Large Universe Construction: Key Idea • Any string can be a valid attribute Public Parameters Public Function T(.), e(g,g)y Ciphertext gs, e(g,g)syMFor each attribute i: T(i)s e(g,g)syi Private Key For each attribute i gyiT(i)ri , gri

  18. Extensions • Building from any linear secret sharing scheme • In particular, tree of threshold gates… • Delegation of Private Keys

  19. OR Bob’s Assistant “Bob” Year=2006 Delegation • Derive a key for a more restrictive policy • Subsumes Hierarchical-IBE [Horwitz-Lynn 02, …] AND “Computer Science” “admissions”

  20. Applications: Targeted Broadcast Encryption • Encrypted stream Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “11-01-2006”} AND AND “Soccer” “Germany” “Sport” “11-01-2006”

  21. Thank You

More Related