Sei sulla pagina 1di 21

Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data

Vipul Goyal
Omkant Pandey Amit Sahai

UCLA
UCLA UCLA

Brent Waters

SRI

Traditional Encrypted Filesystem


File 1
Owner: John

Encrypted Files stored on Untrusted Server Every user can decrypt its own files

File 2
Owner: Tim

Files to be shared across different users?

A New Encrypted Filesystem


File 1
Creator: John Computer Science Admissions Date: 04-11-06

Label files with attributes

File 2
Creator: Tim History

Admissions
Date: 03-20-05
3

An Encrypted Filesystem
File 1
Creator: John
Computer Science Admissions Date: 04-11-06

Authority

OR File 2
Creator: Tim

History
Admissions Date: 03-20-05
Computer Science

AND

Bob

Admissions 4

Threshold Attribute-Based Enc.

[SW05]

Sahai-Waters introduced ABE, but only for threshold policies: Ciphertext has set of attributes User has set of attributes If more than k attributes match, then User can decrypt. Main Application- Biometrics

General Attribute-Based Encryption


Ciphertext has set of attributes Keys reflect a tree access structure Decrypt iff attributes from CT satisfy keys policy

OR

AND

Bob

Computer Science

Admissions 6

Central goal: Prevent Collusions


Users shouldnt be able to collude

AND

AND

Computer Science

Admissions

History

Hiring

Ciphertext = M, {Computer Science, Hiring}


7

Related Work

Access Control [Smart03], Hidden Credentials [Holt et al. 03-04]


Not Collusion Resistant

Secret Sharing Schemes [Shamir79, Benaloh86] Allow Collusion

Techniques
We combine two ideas
Bilinear maps General Secret Sharing Schemes

Bilinear Maps
G , G1 : multiplicative of prime order p.

Def: An admissible bilinear map is:


Non-degenerate: g generates G
Bilinear:

e: GG G1

e(g,g) generates G1 . a,bZ, gG

e(ga, gb) = e(g,g)ab

Efficiently computable.

Exist based on Elliptic-Curve Cryptography


10

Secret Sharing [Ben86]

Secret Sharing for tree-structure of AND + OR

Replicate secret for ORs. Split secrets for ANDs. OR


y AND

Bob

y
Computer Science Admissions

(y-r)

r
11

The Fixed Attributes System: System Setup


Public Parameters

gt1, gt2,.... gtn, e(g,g)y

List of all possible attributes:

Bob, John, , Admissions

12

Encryption
Public Parameters File 1
Creator: John (attribute 2) Computer Science (attribute 3) Admissions (attribute n) Select set of attributes, raise them to random s

gt1, gt2, gt3,.... gtn, e(g,g)y

Ciphertext

gst2 , gst3 , gstn, e(g,g)sy M


13

Key Generation
Public Parameters Ciphertext Private Key
Computer Science

Fresh randomness used for each key generated! gt1, gt2,.... gtn, e(g,g)y y OR y gst2 , gst3 , gstn, e(g,g)sy M AND Bob gy1/t1 , gy3/t3 , gyn/tn
Admissions

y1= y

y3= (y-r)

yn= r

14

Decryption
Ciphertext Private Key

gst2, gst3, gstn, Me(g,g)sy e(g,g)sy3 gy1/t1 , gy3/t3 , gyn/tn

e(g,g)sy3e(g,g)syn = e(g,g)s(y-r+r) = e(g,g)sy (Linear operation in exponent to reconstruct e(g,g)sy)

15

Security
Reduction: Bilinear Decisional Diffie-Hellman
Given ga,gb,gc distinguish e(g,g)abc from random Collusion resistance Cant combine private key components

16

The Large Universe Construction: Key Idea


Any string can be a valid attribute Public Parameters Ciphertext Public Function T(.), e(g,g)y gs, e(g,g)syM For each attribute i: T(i)s e(g,g)syi

Private Key

For each attribute i gyiT(i)ri , gri

17

Extensions
Building from any linear secret sharing scheme
In particular, tree of threshold gates Delegation of Private Keys

18

Delegation
Derive a key for a more restrictive policy Subsumes Hierarchical-IBE [Horwitz-Lynn 02, ] OR

AND

Bob

Bobs Assistant

Computer Science

admissions

Year=2006
19

Applications: Targeted Broadcast Encryption


Encrypted stream Ciphertext = S, {Sport, Soccer, Germany, France, 11-01-2006}

AND

AND

Soccer

Germany

Sport

11-01-2006
20

Thank You

21

Potrebbero piacerti anche