Presentation is loading. Please wait.

Presentation is loading. Please wait.

Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Similar presentations

Presentation on theme: "Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future."— Presentation transcript:

1 Russell Martin August 9th, 2013

2 Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future Work

3 Need for Attribute Based Encryption Private Key Cryptosystems o AES o Single key for all users Identity Based Encryption o Users given unique keys o Good for signatures, not so much encryption Attribute Based Encryption o “Fuzzy” IBE o Decryption controlled by matching “d of k” attributes

4 CPABE ABE schemes are single level of control Fine grain access control o Monotonic access trees KPABE o Access tree in user’s key, list of attributes in ciphertext o Users encrypting files have limited control of who decrypts CPABE o Access tree in ciphertext, list of attributes in user’s key o Users encrypting have strong control

5 Access Tree

6 CPABE Five functions o Setup o Key Generation o Encryption o Decryption o Delegation

7 Bilinear Pairings Decisional Diffie-Hellman is easy, Computational Diffie-Hellman is hard

8 Bilinear Pairings Inputs most commonly elements of a specific elliptic curve o Restricted to r-torsion points of the curve o r * P = O Computed by the Weil or Tate pairing, using Miller’s algorithm o Computation of tangent/vertical/lines between one or two points on the curve

9 Setup Selection of bilinear group, generators, and exponentiations

10 Key Generation Generate a key for the user who possesses the list of attributes, S

11 Encryption Encrypt the message M with the access policy τ o Y = Set of all leaf nodes in tree

12 Decryption Recursive decryption starting at top of tree o If leaf node, decrypt node:

13 Decryption If non-leaf node, polynomial interpolation from child node results

14 Decryption Assuming access tree satisfied, interpolation at root occured

15 Group Selection CPABE uses, a=1 No justification for the usage or performance of this curve Can we do better with performance? Size? Security?

16 Embedding Degree Directly related to size and security of groups of the bilinear pairing Minimum value k such that, r = number of points on elliptic curve Ratio of size of input group to output group Larger embedding degree believed to be higher security

17 Curve Types Ben Lynn’s Pairing Based Cryptography Library Labeled as type A through G o Type B and C not implemented in library Types A, B, C are symmetric (supersingular) o Same group for both input elements of pairing Types D - G are ordinary o Generated by the complex multiplication equation

18 Curve Types Type A - k=2, 512 bit inputs, 1024 bit outputs Type D (MNT Curves) - k=6, 159 bit inputs, 954 bit outputs Type E - k=1, 1020 bit inputs, 1020 bit outputs Type F (Barreto-Naehrig) - k=12, 158 bit inputs, 1896 bit outputs Type G - k=10, 149 bit inputs, 1490 bit outputs

19 Performance Tested key generation, encryption, and decryption o Encryption and Decryption were over horizontal and vertical access policies o 1 to 100 attributes in each policy o CHARM - Python library for cryptography prototyping  Overhead over C implementation for CPABE mostly in serialization & parsing

20 Horizontal vs Vertical Access Policy

21 Performance - Key Generation

22 Performance - Horizontal Encryption

23 Performance - Vertical Encryption

24 Performance - Horizontal Decryption

25 Performance - Vertical Decryption

26 Performance Operation Breakdown:

27 Performance  Operations per function:  Key Generation - Multiplications and exponentiations, 1:2 ratio  Encryption - Multiplications and exponentiations, 3:1 ratio  Decryption - All operations, focused in output group  Pairings take up majority of CPU time

28 Size Key Ciphertext

29 Performance Summary Type F - Fastest encryption & key gen, slowest decryption Minor differences in horizontal vs. vertical access policies Type G performance is not recommended Type D is close to type E, but both slower than type A Type F has the smallest keys, type D has the smallest ciphertexts Focus on optimizations to pairing operation

30 Pairings Outside of Elliptic Curves RSA is possible, by using exponentiation as the pairing function o Still requires normal comparable security sizes - EC vs RSA Hyperelliptic curves o Higher embedding degree is not worth additional complexity Vector of integers o Again, restricted to integer sizes (RSA)

31 Key Management CPABE wants to not use trusted servers o No access control outside of ciphertext Revocation & renewal difficult o Want immediate revocation of full keys o Minimize overhead in renewal Focus on full key revocation, not attribute

32 Key Management Possibilities Key expiration date o Adds many more attributes due to numeric attributes and timestamps Proxy Key o Additional pairings, and still direct communication with proxy server User Blacklist o Requires to be done by user encrypting files Hierarchical Access Roles o Large overhead, need to control number of unique values

33 Key Insulated ABE Temporary keys based on a time period Revocation is not immediate o Must wait until end of time period Pseudorandom function with identity as seed o Get next value for the next time period Users given helper key o Updates current key to valid key for next value

34 Key Insulated CPABE Replace random r value in users’ keys with a pseudorandom value k Setup - same as CPABE, except with definition of pseudorandom and hash functions Key Generation:

35 Key Insulated CPABE Helper Update: o Additional value here due to g α and β private User Update:

36 Key Insulated CPABE Encryption:

37 Key Insulated CPABE Decryption: Interpolation - no change Final Decryption:

38 Performance No changes to number of operations during pairings Additional multiplications and hashings to handle T() in encryption/key generation o Equivalent of an additional attribute in key generation User needs to perform multiplication for each attribute during update

39 Size 3 values, all in the input group Largest in type A pairing bits

40 Security Security of revocation directly linked to security of pseudorandom function o If users can compute k values, they can generate any keys Outside of this, same security claims as CPABE No need to hide details of T() function o Needed for encryption

41 Disadvantages How to handle previous time periods o Users keep old keys - large storage overhead o Force rencryption of files after number of time periods? How to handle new users o Would not have previous keys, no access to previous files Application depedent o Broadcast schemes work well for this

42 Conclusion Type F curves provide fastest key generation and encryption for CPABE o Limited in decryption due to large output groups o Type A curves provide best decryption times Key Insulated CPABE allows non-immediate revocation at low overhead o Security same as CPABE o Issues with storage of multiple keys

43 Future Work Other pairing libraries (MIRACL) Optimizations to operations Comparison of KICPABE to other broadcast revocation schemes Security of KICPABE under other modified CPABE models

Download ppt "Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future."

Similar presentations

Ads by Google