Attribute-Based Encryption
Brent Waters, SRI International
Joint work with Vipul Goyal, Omkant Pandey, and Amit Sahai
http://www.csl.sri.com/users/bwaters/

IBE [BF01]
• IBE: Public key encryption scheme where public key is an arbitrary string (ID).
• Examples: user’s e-mail address
• Is regular PKI good enough? Alice does not access a PKI
[Diagram labels: I am “bob@stanford.edu”; email encrypted using public key: “bob@stanford.edu”; Private key; CA/PKG; master-key; Authority is offline]

Generalizing the Framework
[Diagram labels: Capability Request; Encrypt “Structured” Data; Private “Capability”; CA/PKG; master-key; Authority is offline]

Attribute-Based Encryption (ABE) [SW05]
• Encrypt Data with descriptive “Attributes”
• Users’ Private Keys reflect Decryption Policies
[Diagram labels: Encrypt w/attributes; CA/PKG; master-key; Authority is offline]

An Encrypted Filesystem
• Encrypted Files on Untrusted Server
• Label files with attributes
File 1: “Creator: bsanders”, “Computer Science”, “Admissions”, “Date: 04-11-06”
File 2: “Creator: akeen”, “History”, “Hiring”, “Date: 03-20-05”

An Encrypted Filesystem
[Diagram labels: File 1 and File 2 with the attributes above; Authority; OR; AND; “bsmith”; “CS”; “admissions”]

This Talk
• Threshold ABE & Biometrics
• More “Advanced” ABE
• Other Systems

A Warmup: Threshold ABE [SW05]
• Data labeled with attributes
• Keys of form “At least k” attributes
• Application: IBE with Biometric Identities

Biometric Identities
• Iris Scan
• Voiceprint
• Fingerprint

Biometric Identities
• Stay with human
• Are unique
• No registration
• Certification is natural

Biometric Identities
• Deviations
  • Environment
  • Difference in sensors
  • Small change in trait
Can’t use previous IBE solutions!

Error-tolerance in Identity
• k attributes must match
• Example: 5 attributes
[Diagram labels: Public Key; Private Key; CA/PKG; master-key; 5 matches]

Error-tolerance in Identity
• k attributes must match
• Example: 5 attributes
[Diagram labels: Public Key; Private Key; CA/PKG; master-key; 3 matches]

Secret Sharing
• Split message M into shares such that need k to reconstruct
• Choose random k-1 degree polynomial, q, s.t. q(0)=M
• Need k points to interpolate

First Method
• Key Pair per Trait
• Encrypt shares of message
• Deg. 4 (need 5 traits) polynomial q(x), such that q(0)=M
• q(x) at 5 points ⇒ q(0)=M
[Diagram labels: Ciphertext: E3(q(3))...; Private Key; numbers 5, 2, 7, 8, 11, 13, 16]

Collusion Attack
[Diagram labels: Private Key; numbers 5 to 10, each shown twice]

Our Approach
• Goals
  • Threshold
  • Collusion Resistance
• Methods
  • Secret-share private key
  • Bilinear maps

Bilinear Maps
• $G$, $G_1$: finite cyclic groups of prime order $p$.
• Def: An admissible bilinear map $e: G \times G \to G_1$ is:
  • Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$
  • Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$.
  • Efficiently computable.

The SW05 Threshold ABE system
• Public Parameters: $e(g,g)^y \in G_1$; $g^{t_1}, g^{t_2}, \ldots, g^{t_n} \in G$
• Private Key: $g^{q(5)/t_5}$, with random degree 4 polynomial $q(x)$ s.t. $q(0)=y$
• Ciphertext: $M e(g,g)^{ry}$, $g^{r \cdot t_5}$
• Bilinear Map (private key component with ciphertext component): $e(g,g)^{rq(5)}$
• Interpolate in exponent to get $e(g,g)^{rq(0)} = e(g,g)^{ry}$

Intuition
• Threshold
  • Need k values of $e(g,g)^{rq(x)}$
• Collusion resistance
  • Can’t combine private key components (shares of q(x), q’(x))
• Reduction
  • Given $g^a, g^b, g^c$ distinguish $e(g,g)^{ab/c}$ from random

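The threshold and collusion-resistance points above, as an added Python example (not from the talk or the SW05 paper). It is a toy model in which every group element is represented by its exponent mod a prime, so the pairing becomes a multiplication of exponents; it has no security and only checks the algebra. The trait sets, message value, seed and all function names are assumptions.

```python
import random

P = 2**61 - 1  # prime; group elements are modelled by their exponents mod P

def ev(q, x):  # evaluate polynomial q (constant term first) at x
    return sum(c * pow(x, j, P) for j, c in enumerate(q)) % P

def at_zero(pts):  # Lagrange-interpolate q(0) from {x: q(x)}
    out = 0
    for xi, yi in pts.items():
        lam = 1
        for xj in pts:
            if xj != xi:
                lam = lam * xj * pow((xj - xi) % P, -1, P) % P
        out = (out + yi * lam) % P
    return out

def rand_poly(const, k, rng):  # random degree k-1 polynomial with q(0)=const
    return [const] + [rng.randrange(P) for _ in range(k - 1)]

def keygen(y, t, traits, k, rng):
    q = rand_poly(y, k, rng)  # fresh polynomial for every key request
    return {i: ev(q, i) * pow(t[i], -1, P) % P for i in traits}  # g^{q(i)/t_i}

def encrypt(m, y, t, traits, rng):  # returns M*e(g,g)^{ry} and the g^{r*t_i}
    r = rng.randrange(1, P)
    return (m + r * y) % P, {i: r * t[i] % P for i in traits}

def decrypt(key, ct, k):
    body, comps = ct
    common = sorted(set(key) & set(comps))[:k]
    if len(common) < k:
        return None  # fewer than k matching attributes
    paired = {i: key[i] * comps[i] % P for i in common}  # e(g,g)^{r q(i)}
    return (body - at_zero(paired)) % P  # divide out e(g,g)^{ry}

def demo(seed=2006):
    rng = random.Random(seed)
    k, m = 5, 123456789
    a, b = [5, 6, 7], [8, 9, 10]  # constructed trait sets, each below k
    q = rand_poly(m, k, rng)  # first method: one q, trait keys unlock q(i)
    pooled = {i: ev(q, i) for i in (a + b)[:k]}
    y, t = rng.randrange(1, P), {i: rng.randrange(1, P) for i in range(1, 12)}
    ct = encrypt(m, y, t, a + b + [11], rng)
    ka, kb = keygen(y, t, a, k, rng), keygen(y, t, b, k, rng)
    full = keygen(y, t, [5, 6, 7, 8, 9], k, rng)
    return {"first_method_collusion": at_zero(pooled) == m,
            "alone": decrypt(ka, ct, k), "legit": decrypt(full, ct, k) == m,
            "sw05_collusion": decrypt({**ka, **kb}, ct, k) == m}
```

Pooling two users' shares recovers M under the first method, while pooling SW05 key components fails because each key hides shares of a different polynomial.
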
Moving Beyond Threshold ABE
• Threshold ABE not very expressive
• “Grafting” has limitations
• Shamir Secret Sharing => k of n
• Base new ABE off of general secret sharing schemes
[Diagram labels: OR; AND; “ksmith”; “CS”; “admin”]

Access Trees [Ben86]
• Secret Sharing for tree-structure of AND + OR
• Replicate ORs, Split ANDs
[Diagram labels: gates OR, AND, AND, OR; leaves Alice, Bob, Charlie, Doug, Edith; shares s, s’, s-s’, s’’, s-s’’]

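The replicate-ORs / split-ANDs rule as an added Python example, not code from the talk or from [Ben86]. The arrangement of the five names into a tree, the modulus, the secret value and the function names are assumptions.

```python
import random

P = 2**61 - 1  # prime modulus for additive shares (assumed)

# Constructed tree over the slide's five names; the arrangement is an assumption.
TREE = ("OR", [("AND", ["Alice", "Bob"]),
               ("AND", ["Charlie", ("OR", ["Doug", "Edith"])])])

def share(node, s, rng, path=(), out=None):
    """Push secret s down the tree; returns {leaf path: (name, share)}."""
    out = {} if out is None else out
    if isinstance(node, str):
        out[path] = (node, s)
        return out
    gate, kids = node
    if gate == "OR":
        parts = [s] * len(kids)                      # replicate ORs
    else:
        parts = [rng.randrange(P) for _ in kids[:-1]]
        parts.append((s - sum(parts)) % P)           # split ANDs: s', s - s'
    for n, (kid, part) in enumerate(zip(kids, parts)):
        share(kid, part, rng, path + (n,), out)
    return out

def reconstruct(node, shares, held, path=()):
    """Recover this node's value from the shares of names in `held`, else None."""
    if isinstance(node, str):
        return shares[path][1] if node in held else None
    gate, kids = node
    vals = [reconstruct(k, shares, held, path + (n,))
            for n, k in enumerate(kids)]
    if gate == "OR":
        return next((v for v in vals if v is not None), None)
    return None if None in vals else sum(vals) % P

def demo(secret=31337, seed=86):
    shares = share(TREE, secret, random.Random(seed))
    groups = ("Alice+Bob", "Charlie+Edith", "Alice",
              "Alice+Charlie", "Bob+Doug+Edith")
    return {g: reconstruct(TREE, shares, set(g.split("+"))) for g in groups}
```
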
Key-Policy Attribute-Based Encryption [GPSW06]
• Encryption similar to Threshold ABE
• Keys reflect a tree access structure
• Randomness to prevent collusion!
• Use Threshold Gates
• Decrypt iff attributes from CT satisfy key’s policy
[Diagram labels: OR; AND; “ksmith”; “CS”; “admin”]

Delegation
• Can delegate any key to a more restrictive policy
• Subsumes Hierarchical-IBE
[Diagram labels: Year=2005; OR; AND; “ksmith”; “CS”; “admin”]

A comparison
• ABE [GPSW06]: Arbitrary Attributes; Expressive Policy; Attributes in Clear
• Hidden Vector Enc. [BW06]: Fields Fixed at Setup; Conjunctions & don’t care; Hidden Attributes

Ciphertext Policy ABE (opposite)
• Encrypted data reflects decryption policies
• Users’ private keys are descriptive attributes
[Diagram labels: “Blond”, “Well-dressed”, “Age=21”, “Height=5’2”; OR; AND; “millionaire”; “Rhodes Scholar”; “25-35”; CA/PKG; master-key]

Multi-Authority ABE [Chase07]
• Authorities over different domains
  • E.g. DMV and IRS
• Challenge: Prevent Collusion Across Domains
• Insight: Use “globally verifiable ID/attribute” to link

Open Problems
• Ciphertext Policy ABE
• ABE with “hidden attributes”
• Policies from Circuits instead of Trees

Generalizing the Framework
[Diagram labels: Capability Request; Encrypt “Structured” Data; Private “Capability”; CA/PKG; master-key; Authority is offline]

Health Records
• Weight=125, Height = 5’4, Age = 46, Blood Pressure= 125, Partners = …
• Private “Capability”: If Weight/Height >30 AND Age > 45, Output Blood Pressure
• No analogous PKI solution
[Diagram labels: CA/PKG; master-key; Authority is offline]

Related Work
• Secret Sharing Schemes [Shamir79, Benaloh86…]
  • Allow Collusion
• Building from IBE + Secret Sharing [Smart03, Juels]
  • IBE gives key Compression
  • Not Collusion Resistant