1
Attribute-Based Encryption
http://www.csl.sri.com/users/bwaters/
Brent Waters, SRI International
Joint work with Vipul Goyal, Omkant Pandey, and Amit Sahai
2
IBE [BF01]
IBE: [BF01] Public key encryption scheme where public key is an arbitrary string (ID). Examples: user’s e-mail address
email encrypted using public key:
master-key
CA/PKG
I am “[email protected]”
Private key
Alice does not access a PKI
Authority is offline
Is regular PKI good enough?
3
Generalizing the Framework
Encrypt “Structured” Data
master-key
CA/PKG
Capability Request
Private “Capability”
Authority is offline
4
Attribute-Based Encryption (ABE) [SW05]
Encrypt Data with descriptive “Attributes”
Users’ Private Keys reflect Decryption Policies
master-key
CA/PKG
Authority is offline
Encrypt
w/attributes
5
An Encrypted Filesystem
File 1
•“Creator: bsanders”
•“Computer Science”
•“Admissions”
•“Date: 04-11-06”
File 2
•“Creator: akeen”
•“History”
•“Hiring”
•“Date: 03-20-05”
Encrypted Files on Untrusted Server
Label files with attributes
6
An Encrypted Filesystem
File 1
•“Creator: bsanders”
•“Computer Science”
•“Admissions”
•“Date: 04-11-06”
File 2
•“Creator: akeen”
•“History”
•“Hiring”
•“Date: 03-20-05”
Authority
OR
AND
“CS” “admissions”
“bsmith”
7
This Talk
Threshold ABE & Biometrics
More “Advanced” ABE
Other Systems
8
A Warmup: Threshold ABE [SW05]
Data labeled with attributes
Keys of form “At least k” attributes
Application: IBE with Biometric Identities
9
Biometric Identities
Iris Scan
Voiceprint
Fingerprint
10
Biometric Identities
Stay with human
Are unique
No registration
Certification is natural
11
Biometric Identities
Deviations
Environment
Difference in sensors
Small change in trait
Can’t use previous IBE solutions!
12
Error-tolerance in Identity
k attributes must match
Example: 5 attributes
Public Key
master-key
CA/PKG
Private Key
5 matches
13
Error-tolerance in Identity
k attributes must match
Example: 5 attributes
Public Key
master-key
CA/PKG
Private Key
3 matches
14
Secret Sharing
Split message M into shares such that need k to reconstruct
Choose random k-1 degree polynomial, q, s.t. q(0)=M
Need k points to interpolate
15
First Method
Key Pair per Trait
Encrypt shares of message
Deg. 4 (need 5 traits) polynomial q(x), such that q(0)=M
5Private Key
2 7 8 11 13 16
Ciphertext: $E_3(q(3)), \ldots$
$q(x)$ at 5 points $\Rightarrow q(0)=M$
16
Collusion Attack
[Diagram: Private Key; trait labels 5, 6, 7, 8, 9, 10]
17
Our Approach
Goals
•Threshold
•Collusion Resistance
Methods
•Secret-share private key
•Bilinear maps
18
Bilinear Maps
$G$, $G_1$: finite cyclic groups of prime order $p$.
Def: An admissible bilinear map $e: G \times G \to G_1$ is:
– Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$
– Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$.
– Efficiently computable.
19
The SW05 Threshold ABE system
Public Parameters: $e(g,g)^y \in G_1$; $g^{t_1}, g^{t_2}, \ldots, g^{t_n} \in G$
Private Key: Random degree 4 polynomial $q(x)$ s.t. $q(0)=y$
$g^{q(5)/t_5}$
Bilinear Map
$e(g,g)^{r q(5)}$
Ciphertext: $g^{r \cdot t_5}$
$M e(g,g)^{ry}$
Interpolate in exponent to get $e(g,g)^{r q(0)} = e(g,g)^{ry}$
20
Intuition
Threshold
•Need k values of $e(g,g)^{r q(x)}$
Collusion resistance
•Can’t combine private key components (shares of $q(x)$, $q'(x)$)
Reduction
Given $g^a, g^b, g^c$ distinguish $e(g,g)^{ab/c}$ from random
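An added illustration (not code from the talk) of the First Method, Collusion Attack and Intuition slides, modelling only the share arithmetic over a prime field: holding the key for trait i is modelled as holding the share q(i), and the pairing groups are left out. The modulus, the secret and the trait sets are constructed values.

```python
import secrets

P = 2**127 - 1                  # prime modulus of the toy field (assumption)
K = 5                           # threshold: degree-4 polynomial, 5 points needed
SECRET = 424242                 # constructed sample value standing in for M or y
ALICE, BOB = {5, 6, 7}, {8, 9}  # constructed trait sets, each below the threshold

def random_poly(secret, k):
    """Coefficients of a random degree k-1 polynomial q with q(0) = secret."""
    return [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]

def evaluate(poly, x):
    """q(x) mod P."""
    return sum(c * pow(x, j, P) for j, c in enumerate(poly)) % P

def interpolate_at_zero(points):
    """Lagrange interpolation of q(0) from a dict {x: q(x)} over GF(P)."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def issue_key(poly, traits):
    """One share q(i) per trait i the user holds."""
    return {i: evaluate(poly, i) for i in traits}

def collude(*keys):
    """Pool several users' shares and interpolate at 0."""
    return interpolate_at_zero({i: s for key in keys for i, s in key.items()})

def first_method():
    """Same polynomial behind every key: two under-threshold users recover the secret."""
    q = random_poly(SECRET, K)
    return collude(issue_key(q, ALICE), issue_key(q, BOB))

def per_user_polynomials():
    """Fresh polynomial per user with the same q(0): pooled shares fit no single q."""
    qa, qb = random_poly(SECRET, K), random_poly(SECRET, K)
    return collude(issue_key(qa, ALICE), issue_key(qb, BOB))

def honest_user():
    """A single user holding K traits still recovers the secret from their own key."""
    return collude(issue_key(random_poly(SECRET, K), {2, 7, 8, 11, 13}))
```

With per-user polynomials the pooled interpolation equals the secret only with probability about 1/P, which is why mixing components of q(x) and q'(x) gains the colluders nothing.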
21
Moving Beyond Threshold ABE
OR
AND
“CS” “admin”
“ksmith”
Threshold ABE not very expressive
“Grafting” has limitations
Shamir Secret Sharing => k of n
Base new ABE off of general
secret sharing schemes
22
Access Trees [Ben86]
Secret Sharing for tree-structure of AND + OR
Replicate ORs Split ANDs
[Diagram: access tree of OR and AND gates over Alice, Bob, Charlie, Doug, Edith; node shares labelled s, s’, s-s’, s’’, s-s’’]
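The replicate-ORs, split-ANDs rule as an added example (not code from the talk): shares are dealt down a policy tree and recombined bottom-up. The tree shape, the modulus and the additive split over a prime field are assumptions for illustration; like any plain secret-sharing scheme, it lets parties pool their shares.

```python
import secrets

P = 2**127 - 1  # prime modulus for the additive shares (assumption)

# Constructed policy over the names on the slide; leaf names must be unique.
POLICY = ("OR",
          ("AND", "Alice", "Bob"),
          ("AND", "Charlie", ("OR", "Doug", "Edith")))

def deal(node, secret, out):
    """Fill out[leaf] = share. OR replicates the secret; AND splits it additively."""
    if isinstance(node, str):
        out[node] = secret
    elif node[0] == "OR":
        for child in node[1:]:
            deal(child, secret, out)
    else:  # AND: random parts that sum to the secret mod P
        children = node[1:]
        parts = [secrets.randbelow(P) for _ in children[:-1]]
        parts.append((secret - sum(parts)) % P)
        for child, part in zip(children, parts):
            deal(child, part, out)
    return out

def reconstruct(node, shares):
    """Secret at this node if the held shares satisfy it, else None."""
    if isinstance(node, str):
        return shares.get(node)
    values = [reconstruct(child, shares) for child in node[1:]]
    if node[0] == "OR":
        return next((v for v in values if v is not None), None)
    if any(v is None for v in values):
        return None
    return sum(values) % P

def held_by(shares, *parties):
    """The subset of shares that the named parties hold between them."""
    return {name: shares[name] for name in parties}
```

Alice and Bob together satisfy the left AND and recover s, while Alice and Charlie hold shares from different AND gates and recover nothing.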
23
Key-Policy Attribute-Based Encryption [GPSW06]
OR
AND
“CS” “admin”
“ksmith”
Encryption similar to Threshold ABE
Keys reflect a tree access structure
Randomness to prevent collusion!
Use Threshold Gates
Decrypt iff attributes from CT
satisfy key’s policy
24
Delegation
OR
AND
“CS” “admin”
“ksmith”
Can delegate any key to a more restrictive policy
Subsumes Hierarchical-IBE
Year=2005
25
A comparison
ABE [GPSW06]
• Arbitrary Attributes
• Expressive Policy
• Attributes in Clear
Hidden Vector Enc. [BW06]
• Fields Fixed at Setup
• Conjunctions & don’t care
• Hidden Attributes
26
Ciphertext Policy ABE (opposite)
Encrypted Data reflects Decryption Policies
Users’ Private Keys are descriptive attributes
master-key
CA/PKG
“Blond”, “Well-dressed”,
“Age=21”, “Height=5’2”
OR
AND
“Rhodes Scholar” “25-35”
“millionaire”
27
Multi-Authority ABE [Chase07]
Authorities over different domains
•E.g. DMV and IRS
Challenge: Prevent Collusion Across Domains
Insight: Use “globally verifiable ID/attribute” to link
28
Open Problems
Ciphertext Policy ABE
ABE with “hidden attributes”
Policies from Circuits instead of Trees
29
Generalizing the Framework
Encrypt “Structured” Data
master-key
CA/PKG
Capability Request
Private “Capability”
Authority is offline
30
Health Records
master-key
CA/PKG
Private “Capability”
Authority is offline
Weight=125
Height = 5’4
Age = 46
Blood Pressure= 125
Partners = …
If Weight/Height >30 AND Age > 45
Output Blood Pressure
No analogous PKI solution
31
THE END
32
Related Work
Secret Sharing Schemes [Shamir79, Benaloh86…]
•Allow Collusion
Building from IBE + Secret Sharing [Smart03, Juels]
•IBE gives key Compression
•Not Collusion Resistant