220 likes | 253 Views
Attribute-Based Encryption with Non-Monotonic Access Structures. Rafail Ostrovsky UCLA. Amit Sahai UCLA. Brent Waters SRI International. Server Mediated Access Control. File 1. Server stores data in clear Expressive access controls. Access list: John, Beth, Sue, Bob
E N D
Attribute-Based Encryption with Non-Monotonic Access Structures Rafail Ostrovsky UCLA Amit Sahai UCLA Brent Waters SRI International
Server Mediated Access Control File 1 • Server stores data in clear • Expressive access controls Access list: John, Beth, Sue, Bob Attributes: “Computer Science” , “Admissions”
Distributed Storage • Scalability • Reliability Downside: Increased vulnerability
File 1 Owner: John File 2 Owner: Tim Traditional Encrypted Filesystem • Encrypted Files stored on Untrusted Server • Every user can decrypt its own files • Files to be shared across different users? Credentials? Lost expressivity of trusted server approach!
File 1 • “Creator: John” • “Computer Science” • “Admissions” • “Date: 04-11-06” • File 2 • “Creator: Tim” • “History” • “Admissions” • “Date: 03-20-05” Attribute-Based Encryption [SW05] Goal: Encryption with Expressive Access Control • Label files with attributes
File 1 • “Creator: John” • “Computer Science” • “Admissions” • “Date: 04-11-06” • File 2 • “Creator: Tim” • “History” • “Admissions” • “Date: 03-20-05” OR AND “Bob” “Computer Science” “Admissions” Attribute-Based Encryption Univ. Key Authority
“Creator: John” • “Computer Science” • “Admissions” • “Date: 04-11-06” OR AND “Bob” “Computer Science” “Admissions” Attribute-Based Encryption • Ciphertext has set of attributes • Keys reflect a tree access structure • Decrypt iff attributes from CT satisfy key’s policy
AND AND “Computer Science” “Admissions” “Hiring” “History” Central goal: Prevent Collusions • If neither user can decrypt a CT, then they can’t together Ciphertext = M, {“Computer Science”, “Hiring”}
Current ABE Systems [GPWS06] • Monotonic Access Formulas • Tree of ANDs, ORs, threshold (k of N) … • Attributes at leaves • NOT is unsupported! OR AND “Bob” “Computer Science” “Admissions”
y OR AND “Bob” y “Computer Science” “Admissions” y1= y r yn= Private Key gy1/t1 , gy3/t3 , gyn/tn (y-r) y3= Key Generation Public Parameters Fresh randomness used for each key generated! gt1, gt2,.... gtn, e(g,g)y “Greedy” Decryption
NOT “Computer Science” Supporting “NOTs” [OSW07] Example Peer Review of Other Depts. Bob is in C.S. dept => Avoid Conflict of Interest AND “Dept. Review” “Year:2007” Challenge: Can’t attacker just ignore CT components?
“Creator: John” • “History” • “Admissions” • “Date: 04-11-06” A Simple Solution • Use explicit “not” attributes • Attribute “Not:Admissions”, “Not:Biology” • Problems: • Encryptor does not know all attributes to negate • Huge number of attributes per CT • “Not:Anthropology” • “Not:Aeronautics” • … • “Not:Zoology”
NOT OR NOT NOT Technique 1: Simplify Formulas Use DeMorgan’s law to propagate NOTs to just the attributes AND “Dept. Review” “Public Policy” “Computer Science”
Revocation Systems [NNL01,NP01…] • Broadcast to all but a certain set of users • Application: Digital content protection P1 P2 P3
AND NOT “Dept. Review” “Year:2007” “Computer Science” Applying Revocation Techniques • Focus on a particular Not Attribute
“Creator: John” • “Computer Science” • “Admissions” • “Date: 04-11-06” NOT “Computer Science” Applying Revocation Techniques • Focus on a particular ‘Not’ Attribute • Attribute in ‘Not’ as node’s “identity” • Attributes in CT as Revoked Users Node ID not in “revoked” list =>satisfied N.B. – Just one node in larger policy
“Polynomial Revocation” [NP01] • Pick a degree n polynomial q( ), q(0)=a • n+1 points to interpolate • User t gets q(t) • Encryption: gs , ,Mgsa • Revoked x1, …, xn gsq(x1) , ..., gsq(xn) gsq(t) Can interpolate to gsq(0)=gsa iff t not in {x1,…xn}
ABE with Negation • Push NOTs to leaves • Apply ABE key generation • Collusion resistance still key! • Treat non-negated attributes same • New Type of Polynomial Revocation at Leaves
NOT Ciphertext gs, gsq(x1), … , gsq(xn) Attributes: x1, x2… “Computer Science” Private Key grq(t), gr e(g,g)srq(t) e(g,g)srq(x1) e(g,g)srq(xn) Derived from ABE key generation System Sketch Choose degree n polynomial q(), q(0)=b Public Parameters Can compute gq(x) gq(0), gq(1),.... gq(n), If points different can compute e(g,g)srb =t
Conclusions and Open Directions • Goal: Increase expressiveness of Encryption Systems • Provided Negation to ABE systems • Challenge: Decryptor Ignores “Bad” Attributes • Solution: Revocation techniques • Future: • ABE with Circuits • Other cryptographic access control