1 / 32

Attribute-Based Encryption

Attribute-Based Encryption. Brent Waters SRI International. Joint work with Vipul Goyal, Omkant Pandey, and Amit Sahai. http://www.csl.sri.com/users/bwaters/. I am “bob@stanford.edu”. email encrypted using public key: “bob@stanford.edu”. Private key. IBE [BF01].

lamont
Download Presentation

Attribute-Based Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit Sahai http://www.csl.sri.com/users/bwaters/

  2. I am“bob@stanford.edu” email encrypted using public key: “bob@stanford.edu” Private key IBE [BF01] IBE: [BF01] Public key encryption scheme where public key is an arbitrary string (ID). • Examples: user’s e-mail address Is regular PKI good enough? Alice does not access a PKI CA/PKG Authority is offline master-key

  3. Capability Request Encrypt “Structured” Data Private “Capability” Generalizing the Framework CA/PKG Authority is offline master-key

  4. Encrypt w/attributes CA/PKG Authority is offline master-key Attributed-Based Encryption(ABE)[SW05] • Encrypt Data with descriptive “Attributes” • Users Private Keys reflect Decryption Policies

  5. File 1 • “Creator: bsanders” • “Computer Science” • “Admissions” • “Date: 04-11-06” • File 2 • “Creator: akeen” • “History” • “Hiring” • “Date: 03-20-05” An Encrypted Filesystem • Encrypted Files on Untrusted Server • Label files with attributes

  6. File 1 • “Creator: bsanders” • “Computer Science” • “Admissions” • “Date: 04-11-06” • File 2 • “Creator: akeen” • “History” • “Hiring” • “Date: 03-20-05” An Encrypted Filesystem Authority OR AND “bsmith” “CS” “admissions”

  7. This Talk • Threshold ABE & Biometrics • More “Advanced” ABE • Other Systems

  8. A Warmup: Threshold ABE[SW05] • Data labeled with attributes • Keys of form “At least k” attributes • Application: IBE with Biometric Identities

  9. Biometric Identities • Iris Scan • Voiceprint • Fingerprint

  10. Biometric Identities • Stay with human • Are unique • No registration • Certification is natural

  11. Biometric Identities • Deviations • Environment • Difference in sensors • Small change in trait Can’t use previous IBE solutions!

  12. Private Key CA/PKG 5 matches master-key Error-tolerance in Identity • k attributes must match • Example: 5 attributes Public Key

  13. 3 matches Error-tolerance in Identity • k attributes must match • Example: 5 attributes Public Key Private Key CA/PKG master-key

  14. Secret Sharing • Split message M into shares such that need k to reconstruct • Choose random k-1 degree polynomial, q, s.t. q(0)=M • Need k points to interpolate

  15. 5 2 7 8 E3(q(3))... Ciphertext Private Key 11 13 16 First Method • Key Pair per Trait • Encrypt shares of message • Deg. 4 (need 5 traits) polynomial q(x), such that q(0)=M q(x) at 5 points ) q(0)=M

  16. 5 6 7 9 8 6 8 9 7 5 10 10 Collusion Attack Private Key

  17. Our Approach • Goals • Threshold • Collusion Resistance • Methods • Secret-share private key • Bilinear maps

  18. Bilinear Maps • G , G1 : finite cyclic groups of prime order p. • Def: An admissible bilinear mape: GG G1is: • Bilinear:e(ga, gb) = e(g,g)ab a,bZ, gG • Non-degenerate:g generates G  e(g,g) generates G1 . • Efficiently computable.

  19. Private Key gq(5)/t5 Random degree 4 polynomial q(x) s.t. q(0)=y e(g,g)rq(5) gr¢ t5 Bilinear Map Ciphertext Me(g,g)ry The SW05 Threshold ABE system Public Parameters e(g,g)y 2 G1, gt1, gt2,.... gtn2 G Interpolate in exponent to get e(g,g)rq(0)=e(g,g)ry

  20. Intuition • Threshold • Need k values of e(g,g)rq(x) • Collusion resistance • Can’t combine private key components • ( shares of q(x), q’(x) ) • Reduction • Given ga,gb,gc distinguish e(g,g)ab/c from random

  21. Moving Beyond Threshold ABE • Threshold ABE not very expressive • “Grafting” has limitations • Shamir Secret Sharing => k of n • Base new ABE off of general secret sharing schemes OR AND “ksmith” “CS” “admin”

  22. s s s’’ s-s’ s-s’’ s’ s’’ s’’ Access Trees [Ben86] • Secret Sharing for tree-structure of AND + OR • Replicate ORs Split ANDs s OR AND AND OR Alice Bob Charlie Doug Edith

  23. Key-Policy Attribute-Based Encryption[GPSW06] • Encryption similar to Threshold ABE • Keys reflect a tree access structure • Randomness to prevent collusion! • Use Threshold Gates • Decrypt iff attributes from CT satisfy key’s policy OR AND “ksmith” “CS” “admin”

  24. Year=2005 Delegation • Can delegate any key to a more restrictive policy • Subsumes Hierarchical-IBE OR AND “ksmith” “CS” “admin”

  25. ABE [GPSW06] Arbitrary Attributes Expressive Policy Attributes in Clear Hidden Vector Enc. [BW06] Fields Fixed at Setup Conjunctions & don’t care Hidden Attributes A comparison

  26. “Blond”, “Well-dressed”, “Age=21”, “Height=5’2” OR AND “millionaire” CA/PKG “Rhodes Scholar” “25-35” master-key Ciphertext Policy ABE (opposite) • Encrypt Data reflect Decryption Policies • Users’ Private Keys are descriptive attributes

  27. Multi-Authority ABE [Chase07] • Authorities over different domains • E.g. DMV and IRS • Challenge: Prevent Collusion Across Domains • Insight: Use “globally verifiable ID/attribute” to link

  28. Open Problems • Ciphertext Policy ABE • ABE with “hidden attributes” • Policies from Circuits instead of Trees

  29. Capability Request Encrypt “Structured” Data Private “Capability” Generalizing the Framework CA/PKG Authority is offline master-key

  30. Private “Capability” Health Records Weight=125 Height = 5’4 Age = 46 Blood Pressure= 125 Partners = … If Weight/Height >30 AND Age > 45 Output Blood Pressure No analogous PKI solution CA/PKG Authority is offline master-key

  31. THE END

  32. Related Work • Secret Sharing Schemes [Shamir79, Benaloh86…] • Allow Collusion • Building from IBE + Secret Sharing [Smart03, Juels] • IBE gives key Compression • Not Collusion Resistant

More Related