Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data
Vipul Goyal (UCLA), Omkant Pandey (UCLA), Amit Sahai (UCLA), Brent Waters (SRI)
Traditional Encrypted Filesystem
• File 1, Owner: John; File 2, Owner: Tim
• Encrypted files stored on untrusted server
• Every user can decrypt its own files
• Files to be shared across different users?
A New Encrypted Filesystem
• Label files with attributes
• File 1: “Creator: John”, “Computer Science”, “Admissions”, “Date: 04-11-06”
• File 2: “Creator: Tim”, “History”, “Admissions”, “Date: 03-20-05”
An Encrypted Filesystem
• File 1: “Creator: John”, “Computer Science”, “Admissions”, “Date: 04-11-06”
• File 2: “Creator: Tim”, “History”, “Admissions”, “Date: 03-20-05”
• [Diagram: Authority; policy tree: “Bob” OR (“Computer Science” AND “Admissions”)]
Threshold Attribute-Based Enc. [SW05]
• Sahai-Waters introduced ABE, but only for “threshold policies”:
  • Ciphertext has set of attributes
  • User has set of attributes
  • If more than k attributes match, then User can decrypt.
• Main Application: Biometrics
General Attribute-Based Encryption
• Ciphertext has set of attributes
• Keys reflect a tree access structure
• Decrypt iff attributes from CT satisfy key’s policy
• [Diagram: policy tree: “Bob” OR (“Computer Science” AND “Admissions”)]
Central goal: Prevent Collusions
• Users shouldn’t be able to collude
• Ciphertext = M, {“Computer Science”, “Hiring”}
• [Diagram: two users’ key policies, each an AND gate, over “Computer Science”, “Admissions”, “Hiring”, “History”]
Related Work
• Access Control [Smart03], Hidden Credentials [Holt et al. 03-04]
  • Not Collusion Resistant
• Secret Sharing Schemes [Shamir79, Benaloh86…]
  • Allow Collusion
Techniques
We combine two ideas:
• Bilinear maps
• General Secret Sharing Schemes
Bilinear Maps
• $G$, $G_1$: multiplicative groups of prime order $p$.
• Def: An admissible bilinear map $e: G \times G \to G_1$ is:
  • Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$.
  • Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$
  • Efficiently computable.
• Exist based on Elliptic-Curve Cryptography
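Secret Sharing [Ben86]
• Secret Sharing for tree-structure of AND + OR
• Replicate secret for OR’s.
• Split secrets for AND’s.
• [Diagram: the secret $y$ at the OR root is replicated to “Bob” and to the AND gate; the AND gate splits $y$ into $r$ for “Computer Science” and $(y-r)$ for “Admissions”]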
The Fixed Attributes System: System Setup
• Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^y$
• List of all possible attributes: “Bob”, “John”, …, “Admissions”
Encryption
• File 1: “Creator: John” (attribute 2), “Computer Science” (attribute 3), “Admissions” (attribute n)
• Public Parameters: $g^{t_1}, g^{t_2}, g^{t_3}, \ldots, g^{t_n}, e(g,g)^y$
• Select set of attributes, raise them to random $s$
• Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy}M$
Key Generation
• Fresh randomness used for each key generated!
• Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^y$
• Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy}M$
• [Diagram: policy tree “Bob” OR (“Computer Science” AND “Admissions”) with shares $y_1 = y$, $y_3 = r$, $y_n = (y-r)$]
• Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
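Decryption
• Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, Me(g,g)^{sy}$
• Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
• Pairing result for attribute 3: $e(g,g)^{sy_3}$
• $e(g,g)^{sy_3}e(g,g)^{sy_n} = e(g,g)^{s(y-r+r)} = e(g,g)^{sy}$
• (Linear operation in exponent to reconstruct $e(g,g)^{sy}$)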
Security
• Reduction: Bilinear Decisional Diffie-Hellman
  • Given $g^a, g^b, g^c$ distinguish $e(g,g)^{abc}$ from random
• Collusion resistance
  • Can’t combine private key components
The Large Universe Construction: Key Idea
• Any string can be a valid attribute
• Public Parameters: public function $T(\cdot)$, $e(g,g)^y$
• Ciphertext: $g^s$, $e(g,g)^{sy}M$; for each attribute $i$: $T(i)^s$
• Private Key: for each attribute $i$: $g^{y_i}T(i)^{r_i}$, $g^{r_i}$
• Pairing result per attribute: $e(g,g)^{sy_i}$
Extensions
• Building from any linear secret sharing scheme
  • In particular, tree of threshold gates…
• Delegation of Private Keys
Delegation
• Derive a key for a more restrictive policy
• Subsumes Hierarchical-IBE [Horwitz-Lynn 02, …]
• [Diagram labels: Bob’s Assistant; OR; AND; “Bob”; “Computer Science”; “admissions”; Year=2006]
Applications: Targeted Broadcast Encryption
• Encrypted stream
• Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “11-01-2006”}
• [Diagram: two key policies, each an AND gate, over “Soccer”, “Germany”, “Sport”, “11-01-2006”]