Attribute-Based Encryption with Non-Monotonic Access Structures

Brent Waters (SRI International), Amit Sahai (UCLA), Rafail Ostrovsky (UCLA)


Page 1: Attribute-Based Encryption  with Non-Monotonic Access Structures

Attribute-Based Encryption with Non-Monotonic Access Structures

Brent Waters, SRI International

Amit Sahai, UCLA

Rafail Ostrovsky, UCLA

Page 2: Attribute-Based Encryption  with Non-Monotonic Access Structures

Server Mediated Access Control

File 1

Access list: John, Beth, Sue, Bob

Attributes: “Computer Science”, “Admissions”

• Server stores data in clear
• Expressive access controls

Page 3: Attribute-Based Encryption  with Non-Monotonic Access Structures

Distributed Storage

• Scalability
• Reliability

Downside: Increased vulnerability

Page 4: Attribute-Based Encryption  with Non-Monotonic Access Structures

Traditional Encrypted Filesystem

File 1 (Owner: John)

File 2 (Owner: Tim)

Encrypted Files stored on Untrusted Server

Every user can decrypt its own files

Files to be shared across different users? Credentials?

Lost expressivity of trusted server approach!

Page 5: Attribute-Based Encryption  with Non-Monotonic Access Structures

Attribute-Based Encryption [SW05]

File 1
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”

File 2
• “Creator: Tim”
• “History”
• “Admissions”
• “Date: 03-20-05”

Label files with attributes

Goal: Encryption with Expressive Access Control

Page 6: Attribute-Based Encryption  with Non-Monotonic Access Structures

Attribute-Based Encryption

File 1
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”

File 2
• “Creator: Tim”
• “History”
• “Admissions”
• “Date: 03-20-05”

Univ. Key Authority

[Figure: key policy tree: OR( AND(“Computer Science”, “Admissions”), “Bob” )]

Page 7: Attribute-Based Encryption  with Non-Monotonic Access Structures

Attribute-Based Encryption

Ciphertext has set of attributes

Keys reflect a tree access structure

Decrypt iff attributes from CT satisfy key’s policy

[Figure: key policy tree: OR( AND(“Computer Science”, “Admissions”), “Bob” )]

Ciphertext attributes:
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”

Page 8: Attribute-Based Encryption  with Non-Monotonic Access Structures

Central goal: Prevent Collusions

If neither user can decrypt a CT, then they can’t together

[Figure: two key policies: AND(“Computer Science”, “Admissions”) and AND(“History”, “Hiring”)]

Ciphertext = M, {“Computer Science”, “Hiring”}

Page 9: Attribute-Based Encryption  with Non-Monotonic Access Structures

Current ABE Systems [GPWS06]

Monotonic Access Formulas
• Tree of ANDs, ORs, threshold (k of N) …
• Attributes at leaves
• NOT is unsupported!

[Figure: example policy tree: OR( AND(“Computer Science”, “Admissions”), “Bob” )]

Page 10: Attribute-Based Encryption  with Non-Monotonic Access Structures

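Key Generation

Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$

[Figure: policy tree OR( AND(“Computer Science”, “Admissions”), “Bob” ) annotated with shares of $y$: node labels $y$, $y$, $y$; $r$ and $(y-r)$; leaf shares $y_1$, $y_3$, $y_n$]

Fresh randomness used for each key generated!

Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$

“Greedy” Decryption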

Page 11: Attribute-Based Encryption  with Non-Monotonic Access Structures

Supporting “NOTs” [OSW07]

Example: Peer Review of Other Depts.

[Figure: policy tree: AND( “Year:2007”, “Dept. Review”, NOT “Computer Science” )]

Bob is in C.S. dept => Avoid Conflict of Interest

Challenge: Can’t attacker just ignore CT components?

Page 12: Attribute-Based Encryption  with Non-Monotonic Access Structures

A Simple Solution

Use explicit “not” attributes

Attribute “Not:Admissions”, “Not:Biology”

Problems:
• Encryptor does not know all attributes to negate
• Huge number of attributes per CT

Ciphertext attributes:
• “Creator: John”
• “History”
• “Admissions”
• “Date: 04-11-06”
• “Not:Anthropology”
• “Not:Aeronautics”
• …
• “Not:Zoology”

Page 13: Attribute-Based Encryption  with Non-Monotonic Access Structures

Technique 1: Simplify Formulas

Use DeMorgan’s law to propagate NOTs to just the attributes

[Figure: policy tree with nodes AND, “Dept. Review”, “Public Policy”, “Computer Science”; a NOT above an OR is replaced by a NOT on each attribute]
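An added example (not from the slides) of Technique 1: push NOTs down to the attribute leaves with De Morgan's law, then evaluate the policy against a ciphertext's attribute set. It goes beyond the slide by also handling threshold gates; the tuple encoding, the function names and the sample policy are assumptions made for illustration.

```python
def push_nots(node, neg=False):
    """Return an equivalent policy whose NOTs sit only on attribute leaves."""
    if isinstance(node, str):                      # attribute leaf
        return ("NOT", node) if neg else node
    op, *kids = node
    if op == "NOT":                                # absorb the NOT, flip the flag
        return push_nots(kids[0], not neg)
    if op == "THRESH":                             # ("THRESH", k, child, ...)
        k, *kids = kids
        new = [push_nots(c, neg) for c in kids]
        # NOT(at least k of n) == at least n-k+1 of the negated children
        return (op, len(kids) - k + 1 if neg else k, *new)
    new = [push_nots(c, neg) for c in kids]
    if neg:                                        # De Morgan: swap AND and OR
        op = "OR" if op == "AND" else "AND"
    return (op, *new)

def satisfied(node, ct_attrs):
    """Plain (non-cryptographic) evaluation of a policy on a set of attributes."""
    if isinstance(node, str):
        return node in ct_attrs
    op, *kids = node
    if op == "NOT":
        return not satisfied(kids[0], ct_attrs)
    if op == "THRESH":
        need, *kids = kids
    else:
        need = len(kids) if op == "AND" else 1
    return sum(satisfied(c, ct_attrs) for c in kids) >= need

def nots_only_on_leaves(node):
    if isinstance(node, str):
        return True
    op, *kids = node
    if op == "NOT":
        return isinstance(kids[0], str)
    return all(nots_only_on_leaves(c) for c in kids if not isinstance(c, int))

# Constructed policy modelled on the slide's tree.
POLICY = ("AND", "Dept. Review",
          ("NOT", ("OR", "Public Policy", "Computer Science")))
NNF = push_nots(POLICY)
CT = {"Dept. Review", "Computer Science", "Date: 04-11-06"}   # constructed
# The NOT leaf is only meaningful if the decryptor cannot drop attributes:
# satisfied(NNF, CT) is False, but satisfied(NNF, CT - {"Computer Science"}) is True.
```

The last comment is the "ignore CT components" challenge in miniature: a negated leaf checked in the clear is defeated by omission, which is why the scheme enforces it cryptographically.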

Page 14: Attribute-Based Encryption  with Non-Monotonic Access Structures


Revocation Systems [NNL01,NP01…]

Broadcast to all but a certain set of users

Application: Digital content protection

P1 P2 P3

Page 15: Attribute-Based Encryption  with Non-Monotonic Access Structures

Applying Revocation Techniques

Focus on a particular ‘Not’ Attribute

[Figure: policy tree: AND( “Year:2007”, “Dept. Review”, NOT “Computer Science” )]

Page 16: Attribute-Based Encryption  with Non-Monotonic Access Structures

Applying Revocation Techniques

Focus on a particular ‘Not’ Attribute

[Figure: key node NOT “Computer Science”]

Ciphertext attributes:
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”

Attribute in ‘Not’ as node’s “identity”

Attributes in CT as Revoked Users

Node ID not in “revoked” list => satisfied

N.B.: Just one node in larger policy

Page 17: Attribute-Based Encryption  with Non-Monotonic Access Structures

“Polynomial Revocation” [NP01]

Pick a degree $n$ polynomial $q(\cdot)$, $q(0)=a$
• $n+1$ points to interpolate

User $t$ gets $q(t)$

Encryption: $g^{s}$, $g^{sq(x_1)}, \ldots, g^{sq(x_n)}$, $M g^{sa}$
• Revoked $x_1, \ldots, x_n$

User $t$: $g^{sq(t)}$

Can interpolate to $g^{sq(0)} = g^{sa}$ iff $t$ not in $\{x_1, \ldots, x_n\}$

Page 18: Attribute-Based Encryption  with Non-Monotonic Access Structures

ABE with Negation

Push NOTs to leaves

Apply ABE key generation
• Collusion resistance still key!
• Treat non-negated attributes same

New Type of Polynomial Revocation at Leaves

Page 19: Attribute-Based Encryption  with Non-Monotonic Access Structures

System Sketch

Choose degree $n$ polynomial $q()$, $q(0)=b$

Public Parameters: $g^{q(0)}, g^{q(1)}, \ldots, g^{q(n)}$

Can compute $g^{q(x)}$

Ciphertext: $g^{s}, g^{sq(x_1)}, \ldots, g^{sq(x_n)}$; Attributes: $x_1, x_2, \ldots$

[Figure: key node NOT “Computer Science”, with “Computer Science” $= t$]

Private Key: $g^{rq(t)}, g^{r}$

$e(g,g)^{srq(t)}$, $e(g,g)^{srq(x_1)}, \ldots, e(g,g)^{srq(x_n)}$

If points different can compute $e(g,g)^{srb}$

Derived from ABE key generation

Page 20: Attribute-Based Encryption  with Non-Monotonic Access Structures

Conclusions and Open Directions

Goal: Increase expressiveness of Encryption Systems

Provided Negation to ABE systems
• Challenge: Decryptor Ignores “Bad” Attributes
• Solution: Revocation techniques

Future:
• ABE with Circuits
• Other cryptographic access control

Page 21: Attribute-Based Encryption  with Non-Monotonic Access Structures


Thank You