AttributeBased Encryption for FineGrained Access Control of Encrypted Data

1
Attribute-Based Encryption for Fine-Grained
Access Control of Encrypted Data
Vipul Goyal Omkant Pandey Amit Sahai Brent Waters
UCLA UCLA UCLA SRI
2
Traditional Encrypted Filesystem

• Encrypted Files stored on Untrusted Server
• Every user can decrypt its own files

• Files to be shared across different users?

3
A New Encrypted Filesystem

• Label files with attributes

4
An Encrypted Filesystem
Authority
5
Threshold Attribute-Based Enc. SW05

• Sahai-Waters introduced ABE, but only
  forthreshold policies
• Ciphertext has set of attributes
• User has set of attributes
• If more than k attributes match, then User can
  decrypt.
• Main Application- Biometrics

6
General Attribute-Based Encryption

• Ciphertext has set of attributes
• Keys reflect a tree access structure
• Decrypt iff attributes from CT
• satisfy keys policy

OR
AND
Bob
Computer Science
Admissions
7
Central goal Prevent Collusions

• Users shouldnt be able to collude

AND
AND
Computer Science
Admissions
Hiring
History
Ciphertext M, Computer Science, Hiring
8
Related Work

• Access Control Smart03, Hidden
  Credentials Holt et al. 03-04
• Not Collusion Resistant
• Secret Sharing Schemes Shamir79, Benaloh86
• Allow Collusion

9
Techniques

• We combine two ideas
• Bilinear maps
• General Secret Sharing Schemes

10
Bilinear Maps

• G , G1 multiplicative of prime order p.
• Def An admissible bilinear map e G?G ? G1
  is
• Non-degenerate g generates G ?
  e(g,g) generates G1 .
• Bilinear e(ga, gb) e(g,g)ab ?a,b?Z,
  g?G
• Efficiently computable.
• Exist based on Elliptic-Curve Cryptography

11
Secret Sharing Ben86

• Secret Sharing for tree-structure of AND OR

Replicate secret for ORs.
Split secrets for ANDs.
y
OR
AND
Bob
Computer Science
Admissions
12
The Fixed Attributes System System Setup
Public Parameters
gt1, gt2,.... gtn, e(g,g)y
List of all possible attributes
Bob, John, , Admissions
13
Encryption
Public Parameters
gt1, gt2, gt3,.... gtn, e(g,g)y
Select set of attributes, raise them to random s
Ciphertext
gst2 , gst3 , gstn, e(g,g)sy
M
14
Key Generation
Fresh randomness used for each key generated!
Public Parameters
gt1, gt2,.... gtn, e(g,g)y
Ciphertext
gst2 , gst3 , gstn, e(g,g)sy
M
Private Key
gy1/t1 , gy3/t3 , gyn/tn
15
Decryption
Ciphertext
gst2, gst3, gstn, Me(g,g)sy
e(g,g)sy3
Private Key
gy1/t1 , gy3/t3 , gyn/tn
e(g,g)sy3e(g,g)syn e(g,g)s(y-rr)
e(g,g)sy (Linear operation in exponent to
reconstruct e(g,g)sy)
16
Security

• Reduction Bilinear Decisional Diffie-Hellman
• Given ga,gb,gc distinguish e(g,g)abc from random
• Collusion resistance
• Cant combine private key components

17
The Large Universe Construction Key Idea

• Any string can be a valid attribute

Public Parameters
Public Function T(.), e(g,g)y
Ciphertext
gs, e(g,g)syMFor each attribute i T(i)s
e(g,g)syi
Private Key
For each attribute i gyiT(i)ri , gri
18
Extensions

• Building from any linear secret sharing scheme
• In particular, tree of threshold gates
• Delegation of Private Keys

19
Delegation

• Derive a key for a more restrictive policy

• Subsumes Hierarchical-IBE Horwitz-Lynn 02,

AND
Computer Science
admissions
20
Applications Targeted Broadcast Encryption

• Encrypted stream

Ciphertext S, Sport, Soccer, Germany,
France, 11-01-2006
AND
AND
Soccer
Germany
Sport
11-01-2006
21
Thank You