1 Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data Vipul Goyal Omkant...

Post on 13-Jan-2016


1

Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data

Vipul Goyal (UCLA)

Omkant Pandey (UCLA)

Amit Sahai (UCLA)

Brent Waters (SRI)

2

Traditional Encrypted Filesystem

File 1 (Owner: John)

File 2 (Owner: Tim)

Encrypted Files stored on Untrusted Server

Every user can decrypt their own files

Files to be shared across different users?

3

A New Encrypted Filesystem

File 1
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”

File 2
• “Creator: Tim”
• “History”
• “Admissions”
• “Date: 03-20-05”

Label files with attributes

4

An Encrypted Filesystem

File 1
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”

File 2
• “Creator: Tim”
• “History”
• “Admissions”
• “Date: 03-20-05”

Authority

Access tree: OR( AND(“Computer Science”, “Admissions”), “Bob” )

5

Threshold Attribute-Based Enc. [SW05]

Sahai-Waters introduced ABE, but only for “threshold policies”:
• Ciphertext has set of attributes
• User has set of attributes
• If more than k attributes match, then User can decrypt.

Main Application: Biometrics

6

General Attribute-Based Encryption

Ciphertext has set of attributes

Keys reflect a tree access structure

Decrypt iff attributes from CT satisfy key’s policy

Access tree: OR( AND(“Computer Science”, “Admissions”), “Bob” )

7

Central goal: Prevent Collusions

Users shouldn’t be able to collude

Access tree 1: AND(“Computer Science”, “Admissions”)

Access tree 2: AND(“History”, “Hiring”)

Ciphertext = M, {“Computer Science”, “Hiring”}

8

Related Work

Access Control [Smart03], Hidden Credentials [Holt et al. 03-04]
• Not Collusion Resistant

Secret Sharing Schemes [Shamir79, Benaloh86…]
• Allow Collusion

9

Techniques

We combine two ideas

Bilinear maps

General Secret Sharing Schemes

10

Bilinear Maps

$G$, $G_1$: multiplicative groups of prime order $p$.

Def: An admissible bilinear map $e: G \times G \to G_1$ is:

– Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$.

– Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$

– Efficiently computable.

– Such maps exist, based on elliptic-curve cryptography

11

Secret Sharing [Ben86]

Secret Sharing for tree-structure of AND + OR

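Access tree: OR( AND(“Computer Science”, “Admissions”), “Bob” )

Shares: root (OR) = $y$; AND node = $y$; “Bob” = $y$; the two leaves under AND get $r$ and $(y - r)$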

Replicate secret for OR’s.

Split secrets for AND’s.

12

The Fixed Attributes System: System Setup

Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^y$

List of all possible attributes: “Bob”, “John”, …, “Admissions”

13

Encryption

Public Parameters: $g^{t_1}, g^{t_2}, g^{t_3}, \ldots, g^{t_n}, e(g,g)^y$

Select set of attributes, raise them to random $s$

Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, M\,e(g,g)^{sy}$

File 1
• “Creator: John” (attribute 2)
• “Computer Science” (attribute 3)
• “Admissions” (attribute n)

14

Key Generation

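Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^y$

Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$

Fresh randomness used for each key generated!

Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, M\,e(g,g)^{sy}$

Access tree: OR( AND(“Computer Science”, “Admissions”), “Bob” )

Shares: root (OR) = $y$; AND node = $y$; $y_1 = y$; $y_3$ and $y_n$ are $r$ and $(y - r)$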

15

Decryption

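Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, M\,e(g,g)^{sy}$

Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$

Pairing the matching key and ciphertext components for attribute 3 gives $e(g,g)^{sy_3}$

$e(g,g)^{sy_3} \cdot e(g,g)^{sy_n} = e(g,g)^{s(y-r+r)} = e(g,g)^{sy}$

(Linear operation in exponent to reconstruct $e(g,g)^{sy}$)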

16

Security

Reduction: Bilinear Decisional Diffie-Hellman

Given $g^a, g^b, g^c$, distinguish $e(g,g)^{abc}$ from random

Collusion resistance

Can’t combine private key components

17

The Large Universe Construction: Key Idea

Any string can be a valid attribute

Public Parameters: public function $T(\cdot)$, $e(g,g)^y$

Ciphertext: $g^s$, $M\,e(g,g)^{sy}$; for each attribute $i$: $T(i)^s$

Private Key: for each attribute $i$: $g^{y_i}T(i)^{r_i}$, $g^{r_i}$

Per-attribute pairing result: $e(g,g)^{sy_i}$

18

Extensions

Building from any linear secret sharing scheme

In particular, tree of threshold gates…

Delegation of Private Keys

19

Delegation

AND

“Computer

Science”

“admissions”

OR

“Bob”

Derive a key for a more restrictive policy

Year=2006

Subsumes Hierarchical-IBE [Horwitz-Lynn 02, …]

Bob’s Assistant

20

Applications: Targeted Broadcast Encryption

Encrypted stream

AND

“Soccer” “Germany”

AND

“Sport” “11-01-2006”

Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “11-01-2006”}

21

Thank You