Transcript scws2 6668
Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit Sahai http://www.csl.sri.com/users/bwaters/ 1 IBE [BF01] IBE: [BF01] Public key encryption scheme where public key is an arbitrary string (ID). Examples: user’s e-mail address Is regular PKI good enough? email encrypted using public key: “[email protected]” Alice does not access a PKI CA/PKG Authority is offline master-key 2 Generalizing the Framework Encrypt “Structured” Data CA/PKG Authority is offline master-key 3 Attributed-Based Encryption(ABE) [SW05] Encrypt Data with descriptive “Attributes” Users Private Keys reflect Decryption Policies Encrypt w/attributes CA/PKG Authority is offline master-key 4 An Encrypted Filesystem File 1 •“Creator: bsanders” Encrypted Files on Untrusted Server •“Computer Science” •“Admissions” •“Date: 04-11-06” Label files with attributes File 2 •“Creator: akeen” •“History” •“Hiring” •“Date: 03-20-05” 5 An Encrypted Filesystem Authority File 1 •“Creator: bsanders” •“Computer Science” •“Admissions” •“Date: 04-11-06” OR File 2 •“Creator: akeen” AND •“History” “bsmith” •“Hiring” •“Date: 03-20-05” “CS” “admissions” 6 This Talk Threshold ABE & Biometrics More “Advanced” ABE Other Systems 7 A Warmup: Threshold ABE[SW05] Data labeled with attributes Keys of form “At least k” attributes Application: IBE with Biometric Identities 8 Biometric Identities Iris Scan Voiceprint Fingerprint 9 Biometric Identities Stay with human Are unique No registration Certification is natural 10 Biometric Identities Deviations Environment Difference in sensors Small change in trait Can’t use previous IBE solutions! 11 Error-tolerance in Identity k attributes must match Example: 5 attributes Public Key Private Key CA/PKG master-key 5 matches 12 Error-tolerance in Identity k attributes must match Example: 5 attributes Public Key Private Key CA/PKG master-key 3 matches 13 Secret Sharing Split message M into shares such that need k to reconstruct Choose random k-1 degree polynomial, q, s.t. q(0)=M Need k points to interpolate 14 First Method Key Pair per Trait Encrypt shares of message Deg. 4 (need 5 traits) polynomial q(x), such that q(0)=M Ciphertext Private Key E3(q(3))... 2 5 7 8 11 13 16 q(x) at 5 points ) q(0)=M 15 Collusion Attack Private Key 5 6 7 8 9 10 5 6 7 8 9 10 16 Our Approach Goals •Threshold •Collusion Resistance Methods •Secret-share private key •Bilinear maps 17 Bilinear Maps G , G1 : finite cyclic groups of prime order p. Def: An admissible bilinear map is: – Bilinear: ab e(ga, gb) = e(g,g) – Non-degenerate: g generates G e: GG G1 a,bZ, gG e(g,g) generates G1 . – Efficiently computable. 18 The SW05 Threshold ABE system Public Parameters e(g,g)y 2 G1, gt1, gt2,.... gtn 2 G Private Key Random degree 4 polynomial q(x) s.t. q(0)=y Ciphertext gq(5)/t5 gr¢ t5 e(g,g)rq(5) Bilinear Map Me(g,g)ry Interpolate in exponent to get e(g,g)rq(0)=e(g,g)ry 19 Intuition Threshold •Need k values of e(g,g)rq(x) Collusion resistance •Can’t combine private key components ( shares of q(x), q’(x) ) Reduction Given ga,gb,gc distinguish e(g,g)ab/c from random 20 Moving Beyond Threshold ABE Threshold ABE not very expressive “Grafting” has limitations Shamir Secret Sharing => k of n OR Base new ABE off of general AND secret sharing schemes “CS” “ksmith” “admin” 21 Access Trees [Ben86] Secret Sharing for tree-structure of AND + OR Replicate ORs Split ANDs OR s Alice s-s’ s AND Bob s’ AND OR Charlie s-s’’ s s’’ Doug s’’ s’’ Edith 22 Key-Policy Attribute-Based Encryption [GPSW06] Encryption similar to Threshold ABE Keys reflect a tree access structure Randomness to prevent collusion! OR Use Threshold Gates Decrypt iff attributes from CT AND “ksmith” satisfy key’s policy “CS” “admin” 23 Delegation Can delegate any key to a more restrictive policy Subsumes Hierarchical-IBE OR AND “CS” “ksmith” “admin” Year=2005 24 A comparison ABE [GPSW06] Hidden Vector Enc. [BW06] • Arbitrary Attributes • Fields Fixed at Setup • Expressive Policy • Conjunctions & don’t care • Attributes in Clear • Hidden Attributes 25 Ciphertext Policy ABE (opposite) Encrypt Data reflect Decryption Policies Users’ Private Keys are descriptive attributes “Blond”, “Well-dressed”, OR AND “Rhodes Scholar” “Age=21”, “Height=5’2” “millionaire” “25-35” CA/PKG master-key 26 Multi-Authority ABE [Chase07] Authorities over different domains • E.g. DMV and IRS Challenge: Prevent Collusion Across Domains Insight: Use “globally verifiable ID/attribute” to link 27 Open Problems Ciphertext Policy ABE ABE with “hidden attributes” Policies from Circuits instead of Trees 28 Generalizing the Framework Encrypt “Structured” Data CA/PKG Authority is offline master-key 29 Health Records Weight=125 If Weight/Height >30 AND Age > 45 Height = 5’4 Output Blood Pressure Age = 46 Blood Pressure= 125 Partners = … No analogous PKI solution CA/PKG Authority is offline master-key 30 THE END 31 Related Work Secret Sharing Schemes [Shamir79, Benaloh86…] • Allow Collusion Building from IBE + Secret Sharing [Smart03, Juels] • IBE gives key Compression • Not Collusion Resistant 32