Download presentation

Presentation is loading. Please wait.

Published byGenevieve Tulley Modified over 2 years ago

1
Russell Martin August 9th, 2013

2
Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future Work

3
Need for Attribute Based Encryption Private Key Cryptosystems o AES o Single key for all users Identity Based Encryption o Users given unique keys o Good for signatures, not so much encryption Attribute Based Encryption o “Fuzzy” IBE o Decryption controlled by matching “d of k” attributes

4
CPABE ABE schemes are single level of control Fine grain access control o Monotonic access trees KPABE o Access tree in user’s key, list of attributes in ciphertext o Users encrypting files have limited control of who decrypts CPABE o Access tree in ciphertext, list of attributes in user’s key o Users encrypting have strong control

5
Access Tree

6
CPABE Five functions o Setup o Key Generation o Encryption o Decryption o Delegation

7
Bilinear Pairings Decisional Diffie-Hellman is easy, Computational Diffie-Hellman is hard

8
Bilinear Pairings Inputs most commonly elements of a specific elliptic curve o Restricted to r-torsion points of the curve o r * P = O Computed by the Weil or Tate pairing, using Miller’s algorithm o Computation of tangent/vertical/lines between one or two points on the curve

9
Setup Selection of bilinear group, generators, and exponentiations

10
Key Generation Generate a key for the user who possesses the list of attributes, S

11
Encryption Encrypt the message M with the access policy τ o Y = Set of all leaf nodes in tree

12
Decryption Recursive decryption starting at top of tree o If leaf node, decrypt node:

13
Decryption If non-leaf node, polynomial interpolation from child node results

14
Decryption Assuming access tree satisfied, interpolation at root occured

15
Group Selection CPABE uses, a=1 No justification for the usage or performance of this curve Can we do better with performance? Size? Security?

16
Embedding Degree Directly related to size and security of groups of the bilinear pairing Minimum value k such that, r = number of points on elliptic curve Ratio of size of input group to output group Larger embedding degree believed to be higher security

17
Curve Types Ben Lynn’s Pairing Based Cryptography Library Labeled as type A through G o Type B and C not implemented in library Types A, B, C are symmetric (supersingular) o Same group for both input elements of pairing Types D - G are ordinary o Generated by the complex multiplication equation

18
Curve Types Type A - k=2, 512 bit inputs, 1024 bit outputs Type D (MNT Curves) - k=6, 159 bit inputs, 954 bit outputs Type E - k=1, 1020 bit inputs, 1020 bit outputs Type F (Barreto-Naehrig) - k=12, 158 bit inputs, 1896 bit outputs Type G - k=10, 149 bit inputs, 1490 bit outputs

19
Performance Tested key generation, encryption, and decryption o Encryption and Decryption were over horizontal and vertical access policies o 1 to 100 attributes in each policy o CHARM - Python library for cryptography prototyping Overhead over C implementation for CPABE mostly in serialization & parsing

20
Horizontal vs Vertical Access Policy

21
Performance - Key Generation

22
Performance - Horizontal Encryption

23
Performance - Vertical Encryption

24
Performance - Horizontal Decryption

25
Performance - Vertical Decryption

26
Performance Operation Breakdown:

27
Performance Operations per function: Key Generation - Multiplications and exponentiations, 1:2 ratio Encryption - Multiplications and exponentiations, 3:1 ratio Decryption - All operations, focused in output group Pairings take up majority of CPU time

28
Size Key Ciphertext

29
Performance Summary Type F - Fastest encryption & key gen, slowest decryption Minor differences in horizontal vs. vertical access policies Type G performance is not recommended Type D is close to type E, but both slower than type A Type F has the smallest keys, type D has the smallest ciphertexts Focus on optimizations to pairing operation

30
Pairings Outside of Elliptic Curves RSA is possible, by using exponentiation as the pairing function o Still requires normal comparable security sizes - EC vs RSA Hyperelliptic curves o Higher embedding degree is not worth additional complexity Vector of integers o Again, restricted to integer sizes (RSA)

31
Key Management CPABE wants to not use trusted servers o No access control outside of ciphertext Revocation & renewal difficult o Want immediate revocation of full keys o Minimize overhead in renewal Focus on full key revocation, not attribute

32
Key Management Possibilities Key expiration date o Adds many more attributes due to numeric attributes and timestamps Proxy Key o Additional pairings, and still direct communication with proxy server User Blacklist o Requires to be done by user encrypting files Hierarchical Access Roles o Large overhead, need to control number of unique values

33
Key Insulated ABE Temporary keys based on a time period Revocation is not immediate o Must wait until end of time period Pseudorandom function with identity as seed o Get next value for the next time period Users given helper key o Updates current key to valid key for next value

34
Key Insulated CPABE Replace random r value in users’ keys with a pseudorandom value k Setup - same as CPABE, except with definition of pseudorandom and hash functions Key Generation:

35
Key Insulated CPABE Helper Update: o Additional value here due to g α and β private User Update:

36
Key Insulated CPABE Encryption:

37
Key Insulated CPABE Decryption: Interpolation - no change Final Decryption:

38
Performance No changes to number of operations during pairings Additional multiplications and hashings to handle T() in encryption/key generation o Equivalent of an additional attribute in key generation User needs to perform multiplication for each attribute during update

39
Size 3 values, all in the input group Largest in type A pairing - 1536 bits

40
Security Security of revocation directly linked to security of pseudorandom function o If users can compute k values, they can generate any keys Outside of this, same security claims as CPABE No need to hide details of T() function o Needed for encryption

41
Disadvantages How to handle previous time periods o Users keep old keys - large storage overhead o Force rencryption of files after number of time periods? How to handle new users o Would not have previous keys, no access to previous files Application depedent o Broadcast schemes work well for this

42
Conclusion Type F curves provide fastest key generation and encryption for CPABE o Limited in decryption due to large output groups o Type A curves provide best decryption times Key Insulated CPABE allows non-immediate revocation at low overhead o Security same as CPABE o Issues with storage of multiple keys

43
Future Work Other pairing libraries (MIRACL) Optimizations to operations Comparison of KICPABE to other broadcast revocation schemes Security of KICPABE under other modified CPABE models

Similar presentations

Presentation is loading. Please wait....

OK

Elliptic Curve Cryptography

Elliptic Curve Cryptography

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on asymptotic notation of algorithms in c Ppt on artificial intelligence in electrical engineering Ppt on bluetooth communication system Ppt on articles of association sample Ppt on duty roster Maths ppt on surface area and volume free download Microsoft office ppt online ticket Ppt on earth movements and major landforms in california Download ppt on mahatma gandhi in hindi Ppt on grammar translation method