Transcript scws2 6668
Attribute-Based Encryption
Brent Waters
SRI International
Joint work with Vipul Goyal, Omkant
Pandey, and Amit Sahai
http://www.csl.sri.com/users/bwaters/
1
IBE
[BF01]
IBE: [BF01] Public key encryption scheme where public key
is an arbitrary string (ID).
Examples: user’s e-mail address
Is regular PKI good enough?
email encrypted using public key:
“[email protected]”
Alice does not access a PKI
CA/PKG
Authority is offline
master-key
2
Generalizing the Framework
Encrypt “Structured” Data
CA/PKG
Authority is offline
master-key
3
Attributed-Based Encryption(ABE) [SW05]
Encrypt Data with descriptive “Attributes”
Users Private Keys reflect Decryption Policies
Encrypt
w/attributes
CA/PKG
Authority is offline
master-key
4
An Encrypted Filesystem
File 1
•“Creator: bsanders”
Encrypted Files on
Untrusted Server
•“Computer Science”
•“Admissions”
•“Date: 04-11-06”
Label files with
attributes
File 2
•“Creator: akeen”
•“History”
•“Hiring”
•“Date: 03-20-05”
5
An Encrypted Filesystem
Authority
File 1
•“Creator: bsanders”
•“Computer Science”
•“Admissions”
•“Date: 04-11-06”
OR
File 2
•“Creator: akeen”
AND
•“History”
“bsmith”
•“Hiring”
•“Date: 03-20-05”
“CS”
“admissions”
6
This Talk
Threshold ABE & Biometrics
More “Advanced” ABE
Other Systems
7
A Warmup: Threshold ABE[SW05]
Data labeled with attributes
Keys of form “At least k” attributes
Application: IBE with Biometric Identities
8
Biometric Identities
Iris Scan
Voiceprint
Fingerprint
9
Biometric Identities
Stay with human
Are unique
No registration
Certification is natural
10
Biometric Identities
Deviations
Environment
Difference in sensors
Small change in trait
Can’t use previous IBE solutions!
11
Error-tolerance in Identity
k attributes must match
Example: 5 attributes
Public Key
Private Key
CA/PKG
master-key
5 matches
12
Error-tolerance in Identity
k attributes must match
Example: 5 attributes
Public Key
Private Key
CA/PKG
master-key
3 matches
13
Secret Sharing
Split message M into shares such that need k to
reconstruct
Choose random k-1 degree polynomial, q, s.t. q(0)=M
Need k points to interpolate
14
First Method
Key Pair per Trait
Encrypt shares of message
Deg. 4 (need 5 traits) polynomial q(x), such
that q(0)=M
Ciphertext
Private Key
E3(q(3))...
2
5
7 8
11
13
16
q(x) at 5 points ) q(0)=M
15
Collusion Attack
Private Key
5 6 7
8 9 10
5 6 7 8 9 10
16
Our Approach
Goals
•Threshold
•Collusion Resistance
Methods
•Secret-share private key
•Bilinear maps
17
Bilinear Maps
G , G1 : finite cyclic groups of prime order p.
Def: An admissible bilinear map
is:
– Bilinear:
ab
e(ga, gb) = e(g,g)
– Non-degenerate:
g generates G
e: GG G1
a,bZ, gG
e(g,g) generates G1 .
– Efficiently computable.
18
The SW05 Threshold ABE system
Public
Parameters
e(g,g)y 2 G1, gt1, gt2,.... gtn 2 G
Private Key
Random degree 4
polynomial q(x) s.t. q(0)=y
Ciphertext
gq(5)/t5
gr¢ t5
e(g,g)rq(5)
Bilinear Map
Me(g,g)ry
Interpolate in exponent to get e(g,g)rq(0)=e(g,g)ry
19
Intuition
Threshold
•Need k values of e(g,g)rq(x)
Collusion resistance
•Can’t combine private key components
( shares of q(x), q’(x) )
Reduction
Given ga,gb,gc distinguish e(g,g)ab/c from random
20
Moving Beyond Threshold ABE
Threshold ABE not very expressive
“Grafting” has limitations
Shamir Secret Sharing => k of n
OR
Base new ABE off of general
AND
secret sharing schemes
“CS”
“ksmith”
“admin”
21
Access Trees [Ben86]
Secret Sharing for tree-structure of AND + OR
Replicate ORs
Split ANDs
OR
s
Alice
s-s’
s
AND
Bob
s’
AND
OR
Charlie
s-s’’
s
s’’
Doug
s’’
s’’
Edith
22
Key-Policy Attribute-Based Encryption
[GPSW06]
Encryption similar to Threshold ABE
Keys reflect a tree access structure
Randomness to prevent collusion!
OR
Use Threshold Gates
Decrypt iff attributes from CT
AND
“ksmith”
satisfy key’s policy
“CS”
“admin”
23
Delegation
Can delegate any key to a more restrictive policy
Subsumes Hierarchical-IBE
OR
AND
“CS”
“ksmith”
“admin”
Year=2005
24
A comparison
ABE [GPSW06]
Hidden Vector Enc. [BW06]
•
Arbitrary Attributes
•
Fields Fixed at Setup
•
Expressive Policy
•
Conjunctions & don’t care
•
Attributes in Clear
•
Hidden Attributes
25
Ciphertext Policy ABE (opposite)
Encrypt Data reflect Decryption Policies
Users’ Private Keys are descriptive attributes
“Blond”, “Well-dressed”,
OR
AND
“Rhodes
Scholar”
“Age=21”, “Height=5’2”
“millionaire”
“25-35”
CA/PKG
master-key
26
Multi-Authority ABE
[Chase07]
Authorities over different domains
• E.g. DMV and IRS
Challenge: Prevent Collusion Across Domains
Insight: Use “globally verifiable ID/attribute” to link
27
Open Problems
Ciphertext Policy ABE
ABE with “hidden attributes”
Policies from Circuits instead of Trees
28
Generalizing the Framework
Encrypt “Structured” Data
CA/PKG
Authority is offline
master-key
29
Health Records
Weight=125
If Weight/Height >30
AND Age > 45
Height = 5’4
Output Blood Pressure
Age = 46
Blood Pressure= 125
Partners = …
No analogous PKI solution
CA/PKG
Authority is offline
master-key
30
THE END
31
Related Work
Secret Sharing Schemes [Shamir79, Benaloh86…]
• Allow Collusion
Building from IBE + Secret Sharing [Smart03, Juels]
• IBE gives key Compression
• Not Collusion Resistant
32