1 attribute-based encryption brent waters sri international joint work with vipul goyal, omkant...
TRANSCRIPT
![Page 1: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/1.jpg)
1
Attribute-Based Encryption
http://www.csl.sri.com/users/bwaters/
Brent WatersSRI International
Joint work with Vipul Goyal, Omkant Pandey, and Amit Sahai
![Page 2: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/2.jpg)
2
IBE [BF01]
IBE: [BF01] Public key encryption scheme where public key is an arbitrary string (ID). Examples: user’s e-mail address
email encrypted using public key:
master-key
CA/PKG
I am “[email protected]”
Private keyAlice does not access a PKI
Authority is offline
Is regular PKI good enough?
![Page 3: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/3.jpg)
3
Generalizing the Framework
Encrypt “Structured” Data
master-key
CA/PKG
Capability Request
Private “Capability”
Authority is offline
![Page 4: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/4.jpg)
4
Attributed-Based Encryption(ABE) [SW05]
Encrypt Data with descriptive “Attributes”
Users Private Keys reflect Decryption Policies
master-key
CA/PKG
Authority is offline
Encrypt
w/attributes
![Page 5: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/5.jpg)
5
An Encrypted Filesystem
File 1•“Creator: bsanders”
•“Computer Science”
•“Admissions”
•“Date: 04-11-06”
File 2•“Creator: akeen”
•“History”
•“Hiring”
•“Date: 03-20-05”
Encrypted Files on Untrusted Server
Label files with attributes
![Page 6: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/6.jpg)
6
An Encrypted Filesystem
File 1•“Creator: bsanders”
•“Computer Science”
•“Admissions”
•“Date: 04-11-06”
File 2•“Creator: akeen”
•“History”
•“Hiring”
•“Date: 03-20-05”
Authority
OR
AND
“CS”“admission
s”
“bsmith”
![Page 7: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/7.jpg)
7
This Talk
Threshold ABE & Biometrics
More “Advanced” ABE
Other Systems
![Page 8: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/8.jpg)
8
A Warmup: Threshold ABE[SW05]
Data labeled with attributes
Keys of form “At least k” attributes
Application: IBE with Biometric Identities
![Page 9: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/9.jpg)
9
Biometric Identities
Iris Scan
Voiceprint
Fingerprint
![Page 10: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/10.jpg)
10
Biometric Identities
Stay with human
Are unique
No registration
Certification is natural
![Page 11: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/11.jpg)
11
Biometric Identities
Deviations
Environment
Difference in sensors
Small change in trait
Can’t use previous IBE solutions!
![Page 12: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/12.jpg)
12
Error-tolerance in Identity
k attributes must match
Example: 5 attributes
Public Key
master-key
CA/PKG
Private Key
5 matches
![Page 13: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/13.jpg)
13
Error-tolerance in Identity
k attributes must match
Example: 5 attributes
Public Key
master-key
CA/PKG
Private Key
3 matches
![Page 14: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/14.jpg)
14
Secret Sharing
Split message M into shares such that need k to reconstruct
Choose random k-1 degree polynomial, q, s.t. q(0)=M
Need k points to interpolate
![Page 15: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/15.jpg)
15
First Method
Key Pair per Trait
Encrypt shares of message
Deg. 4 (need 5 traits) polynomial q(x), such that q(0)=M
5Private Key
2 7 8 11 13 16
Ciphertext E3(q(3))...
q(x) at 5 points ) q(0)=M
![Page 16: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/16.jpg)
16
Collusion Attack
5Private Key
6 7
9 108
6 8 975 10
![Page 17: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/17.jpg)
17
Our Approach
Goals
•Threshold
•Collusion Resistance
Methods
•Secret-share private key
•Bilinear maps
![Page 18: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/18.jpg)
18
Bilinear Maps
G , G1 : finite cyclic groups of prime order p.
Def: An admissible bilinear map e: GG
G1 is:
– Bilinear: e(ga, gb) = e(g,g)ab a,bZ, gG
– Non-degenerate: g generates G e(g,g) generates G1 .
– Efficiently computable.
![Page 19: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/19.jpg)
19
The SW05 Threshold ABE system
Public Parameters e(g,g)y 2 G1, gt1, gt2,.... gtn 2 G
Private KeyRandom degree 4
polynomial q(x) s.t. q(0)=y
gq(5)/t5
Bilinear Map
e(g,g)rq(5)
Ciphertextgr¢
t5
Me(g,g)ry
Interpolate in exponent to get e(g,g)rq(0)=e(g,g)ry
![Page 20: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/20.jpg)
20
Intuition
Threshold
•Need k values of e(g,g)rq(x)
Collusion resistance
•Can’t combine private key components
( shares of q(x), q’(x) )
Reduction
Given ga,gb,gc distinguish e(g,g)ab/c from random
![Page 21: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/21.jpg)
21
Moving Beyond Threshold ABE
OR
AND
“CS” “admin”
“ksmith”
Threshold ABE not very expressive
“Grafting” has limitations
Shamir Secret Sharing => k of n
Base new ABE off of general
secret sharing schemes
![Page 22: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/22.jpg)
22
Access Trees [Ben86]
Secret Sharing for tree-structure of AND + OR
Replicate ORs Split ANDs
OR
AND
Alice Bob
AND
Charlie
Doug Edith
OR
s
s’’ s’’
s s
s’s-s’ s-s’’
s’’
![Page 23: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/23.jpg)
23
Key-Policy Attribute-Based Encryption [GPSW06]
OR
AND
“CS” “admin”
“ksmith”
Encryption similar to Threshold ABE
Keys reflect a tree access structure
Randomness to prevent collusion!
Use Threshold Gates
Decrypt iff attributes from CT
satisfy key’s policy
![Page 24: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/24.jpg)
24
Delegation
OR
AND
“CS” “admin”
“ksmith”
Can delegate any key to a more restrictive policy
Subsumes Hierarchical-IBE
Year=2005
![Page 25: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/25.jpg)
25
A comparison
ABE [GPSW06]
• Arbitrary Attributes
• Expressive Policy
• Attributes in Clear
Hidden Vector Enc. [BW06]
• Fields Fixed at Setup
• Conjunctions & don’t care
• Hidden Attributes
![Page 26: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/26.jpg)
26
Ciphertext Policy ABE (opposite)
Encrypt Data reflect Decryption Policies
Users’ Private Keys are descriptive attributes
master-key
CA/PKG
“Blond”, “Well-dressed”,
“Age=21”, “Height=5’2”
OR
AND
“Rhodes
Scholar”“25-35”
“millionaire”
![Page 27: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/27.jpg)
27
Multi-Authority ABE [Chase07]
Authorities over different domains•E.g. DMV and IRS
Challenge: Prevent Collusion Across Domains
Insight: Use “globally verifiable ID/attribute” to link
![Page 28: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/28.jpg)
28
Open Problems
Ciphertext Policy ABE
ABE with “hidden attributes”
Policies from Circuits instead of Trees
![Page 29: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/29.jpg)
29
Generalizing the Framework
Encrypt “Structured” Data
master-key
CA/PKG
Capability Request
Private “Capability”
Authority is offline
![Page 30: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/30.jpg)
30
Health Records
master-key
CA/PKG
Private “Capability”
Authority is offline
Weight=125
Height = 5’4
Age = 46
Blood Pressure= 125
Partners = …
If Weight/Height >30 AND Age > 45
Output Blood Pressure
No analogous PKI solution
![Page 31: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/31.jpg)
31
THE END
![Page 32: 1 Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit](https://reader035.vdocuments.mx/reader035/viewer/2022062805/5697bfef1a28abf838cb9ed0/html5/thumbnails/32.jpg)
32
Related Work
Secret Sharing Schemes [Shamir79, Benaloh86…]•Allow Collusion
Building from IBE + Secret Sharing [Smart03, Juels]• IBE gives key Compression•Not Collusion Resistant