1 / 21

Attribute-Based Encryption with Non-Monotonic Access Structures

Attribute-Based Encryption with Non-Monotonic Access Structures. Rafail Ostrovsky UCLA. Amit Sahai UCLA. Brent Waters SRI International. Server Mediated Access Control. File 1. Server stores data in clear Expressive access controls. Access list: John, Beth, Sue, Bob

Download Presentation

Attribute-Based Encryption with Non-Monotonic Access Structures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Attribute-Based Encryption with Non-Monotonic Access Structures Rafail Ostrovsky UCLA Amit Sahai UCLA Brent Waters SRI International

  2. Server Mediated Access Control File 1 • Server stores data in clear • Expressive access controls Access list: John, Beth, Sue, Bob Attributes: “Computer Science” , “Admissions”

  3. Distributed Storage • Scalability • Reliability Downside: Increased vulnerability

  4. File 1 Owner: John File 2 Owner: Tim Traditional Encrypted Filesystem • Encrypted Files stored on Untrusted Server • Every user can decrypt its own files • Files to be shared across different users? Credentials? Lost expressivity of trusted server approach!

  5. File 1 • “Creator: John” • “Computer Science” • “Admissions” • “Date: 04-11-06” • File 2 • “Creator: Tim” • “History” • “Admissions” • “Date: 03-20-05” Attribute-Based Encryption [SW05] Goal: Encryption with Expressive Access Control • Label files with attributes

  6. File 1 • “Creator: John” • “Computer Science” • “Admissions” • “Date: 04-11-06” • File 2 • “Creator: Tim” • “History” • “Admissions” • “Date: 03-20-05” OR AND “Bob” “Computer Science” “Admissions” Attribute-Based Encryption Univ. Key Authority

  7. “Creator: John” • “Computer Science” • “Admissions” • “Date: 04-11-06” OR AND “Bob” “Computer Science” “Admissions” Attribute-Based Encryption • Ciphertext has set of attributes • Keys reflect a tree access structure • Decrypt iff attributes from CT satisfy key’s policy

  8. AND AND “Computer Science” “Admissions” “Hiring” “History” Central goal: Prevent Collusions • If neither user can decrypt a CT, then they can’t together Ciphertext = M, {“Computer Science”, “Hiring”}

  9. Current ABE Systems [GPWS06] • Monotonic Access Formulas • Tree of ANDs, ORs, threshold (k of N) … • Attributes at leaves • NOT is unsupported! OR AND “Bob” “Computer Science” “Admissions”

  10. y OR AND “Bob” y “Computer Science” “Admissions” y1= y r yn= Private Key gy1/t1 , gy3/t3 , gyn/tn (y-r) y3= Key Generation Public Parameters Fresh randomness used for each key generated! gt1, gt2,.... gtn, e(g,g)y “Greedy” Decryption

  11. NOT “Computer Science” Supporting “NOTs” [OSW07] Example Peer Review of Other Depts. Bob is in C.S. dept => Avoid Conflict of Interest AND “Dept. Review” “Year:2007” Challenge: Can’t attacker just ignore CT components?

  12. “Creator: John” • “History” • “Admissions” • “Date: 04-11-06” A Simple Solution • Use explicit “not” attributes • Attribute “Not:Admissions”, “Not:Biology” • Problems: • Encryptor does not know all attributes to negate • Huge number of attributes per CT • “Not:Anthropology” • “Not:Aeronautics” • … • “Not:Zoology”

  13. NOT OR NOT NOT Technique 1: Simplify Formulas Use DeMorgan’s law to propagate NOTs to just the attributes AND “Dept. Review” “Public Policy” “Computer Science”

  14. Revocation Systems [NNL01,NP01…] • Broadcast to all but a certain set of users • Application: Digital content protection P1 P2 P3

  15. AND NOT “Dept. Review” “Year:2007” “Computer Science” Applying Revocation Techniques • Focus on a particular Not Attribute

  16. “Creator: John” • “Computer Science” • “Admissions” • “Date: 04-11-06” NOT “Computer Science” Applying Revocation Techniques • Focus on a particular ‘Not’ Attribute • Attribute in ‘Not’ as node’s “identity” • Attributes in CT as Revoked Users Node ID not in “revoked” list =>satisfied N.B. – Just one node in larger policy

  17. “Polynomial Revocation” [NP01] • Pick a degree n polynomial q( ), q(0)=a • n+1 points to interpolate • User t gets q(t) • Encryption: gs , ,Mgsa • Revoked x1, …, xn gsq(x1) , ..., gsq(xn) gsq(t) Can interpolate to gsq(0)=gsa iff t not in {x1,…xn}

  18. ABE with Negation • Push NOTs to leaves • Apply ABE key generation • Collusion resistance still key! • Treat non-negated attributes same • New Type of Polynomial Revocation at Leaves

  19. NOT Ciphertext gs, gsq(x1), … , gsq(xn) Attributes: x1, x2… “Computer Science” Private Key grq(t), gr e(g,g)srq(t) e(g,g)srq(x1) e(g,g)srq(xn) Derived from ABE key generation System Sketch Choose degree n polynomial q(), q(0)=b Public Parameters Can compute gq(x) gq(0), gq(1),.... gq(n), If points different can compute e(g,g)srb =t

  20. Conclusions and Open Directions • Goal: Increase expressiveness of Encryption Systems • Provided Negation to ABE systems • Challenge: Decryptor Ignores “Bad” Attributes • Solution: Revocation techniques • Future: • ABE with Circuits • Other cryptographic access control

  21. Thank You

More Related