Attribute-Based Encryption Brent Waters SRI International Joint work with Vipul Goyal, Omkant Pandey, and Amit Sahai http://www.csl.sri.com/users/bwaters/
IBE [BF01] Public key encryption scheme where public key is an arbitrary string (ID). Examples: user’s e-mail address Is regular PKI good enough? I am “bob@stanford.edu” Private key email encrypted using public key: “bob@stanford.edu” Alice does not access a PKI CA/PKG Authority is offline master-key
Generalizing the Framework Capability Request Private “Capability” Encrypt “Structured” Data CA/PKG Authority is offline master-key
Attribute-Based Encryption (ABE) [SW05] Encrypt Data with descriptive “Attributes” Users’ Private Keys reflect Decryption Policies master-key CA/PKG Authority is offline Encrypt w/attributes
An Encrypted Filesystem Encrypted Files on Untrusted Server Label files with attributes File 1 “Creator: bsanders” “Computer Science” “Admissions” “Date: 04-11-06” File 2 “Creator: akeen” “History” “Hiring” “Date: 03-20-05”
An Encrypted Filesystem “Creator: bsanders” “Computer Science” “Admissions” “Date: 04-11-06” Authority OR File 2 “Creator: akeen” “History” “Hiring” “Date: 03-20-05” AND “bsmith” “CS” “admissions”
This Talk Threshold ABE & Biometrics More “Advanced” ABE Other Systems
A Warmup: Threshold ABE [SW05] Data labeled with attributes Keys of form “At least k” attributes Application: IBE with Biometric Identities
Biometric Identities Iris Scan Voiceprint Fingerprint
Biometric Identities Stay with human Are unique No registration Certification is natural
Biometric Identities Deviations Environment Difference in sensors Small change in trait Can’t use previous IBE solutions!
Error-tolerance in Identity k attributes must match Example: 5 attributes Public Key master-key CA/PKG Private Key 5 matches
Error-tolerance in Identity k attributes must match Example: 5 attributes Public Key Private Key CA/PKG 3 matches master-key
Secret Sharing Split message M into shares such that k are needed to reconstruct Choose random degree k-1 polynomial, q, s.t. q(0)=M Need k points to interpolate
First Method Key Pair per Trait Encrypt shares of message Deg. 4 (need 5 traits) polynomial $q(x)$, such that $q(0)=M$ Ciphertext $E_3(q(3)), \ldots$ 5 Private Key 2 7 8 11 13 16 $q(x)$ at 5 points $\Rightarrow q(0)=M$
Collusion Attack Private Key 5 6 7 9 10 8 6 8 9 7 5 10
Our Approach Goals Threshold Collusion Resistance Methods Secret-share private key Bilinear maps
Bilinear Maps $G$, $G_1$: finite cyclic groups of prime order $p$. Def: An admissible bilinear map $e: G \times G \to G_1$ is: Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$. Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$. Efficiently computable.
The SW05 Threshold ABE system Public Parameters: $e(g,g)^y \in G_1$, $g^{t_1}, g^{t_2}, \ldots, g^{t_n} \in G$. Private Key: Random degree 4 polynomial $q(x)$ s.t. $q(0)=y$, $g^{q(5)/t_5}$. Bilinear Map: $e(g,g)^{rq(5)}$. Ciphertext: $g^{r \cdot t_5}$, $M e(g,g)^{ry}$. Interpolate in exponent to get $e(g,g)^{rq(0)} = e(g,g)^{ry}$
Intuition Threshold: Need k values of $e(g,g)^{rq(x)}$. Collusion resistance: Can’t combine private key components (shares of $q(x)$, $q'(x)$). Reduction: Given $g^a, g^b, g^c$ distinguish $e(g,g)^{ab/c}$ from random
Moving Beyond Threshold ABE Threshold ABE not very expressive “Grafting” has limitations Shamir Secret Sharing => k of n Base new ABE off of general secret sharing schemes OR AND “ksmith” “CS” “admin”
Access Trees [Ben86] Secret Sharing for tree-structure of AND + OR Replicate ORs Split ANDs s OR s AND AND OR s-s’’ s’’ Alice Bob Charlie s’ s-s’ s’’ Doug Edith
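The "Replicate ORs, Split ANDs" rule from the access-tree slide, as an added example that is not code from the talk: the tree encoding, the modulus and the sample policy (built from the names on the slide) are assumptions made for this illustration.

```python
import secrets

P = 2**127 - 1  # shares live in Z_P (toy modulus constructed for this example)

# Constructed sample policy: (Alice AND Bob) OR (Charlie AND (Doug OR Edith))
POLICY = ("OR", [("AND", ["Alice", "Bob"]),
                 ("AND", ["Charlie", ("OR", ["Doug", "Edith"])])])

def share(node, s):
    """Return a tree of the same shape with a share attached to every leaf.
    OR replicates s to each child; AND splits s additively across children."""
    if isinstance(node, str):                      # leaf: party or attribute name
        return (node, s)
    gate, children = node
    if gate == "OR":
        return (gate, [share(c, s) for c in children])
    parts = [secrets.randbelow(P) for _ in children[:-1]]
    parts.append((s - sum(parts)) % P)             # last part makes the sum equal s
    return (gate, [share(c, p) for c, p in zip(children, parts)])

def reconstruct(shared, present):
    """Recover the secret using only leaves held by `present`, else None."""
    head, body = shared
    if not isinstance(body, list):                 # leaf: (name, share)
        return body if head in present else None
    vals = [reconstruct(c, present) for c in body]
    if head == "OR":                               # any one satisfied child suffices
        return next((v for v in vals if v is not None), None)
    return None if None in vals else sum(vals) % P # AND needs every child
```

A set of parties recovers the secret exactly when it satisfies the tree; a single share under an AND gate is uniformly random and reveals nothing by itself.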
Key-Policy Attribute-Based Encryption [GPSW06] Encryption similar to Threshold ABE Keys reflect a tree access structure Randomness to prevent collusion! Use Threshold Gates Decrypt iff attributes from CT satisfy key’s policy OR AND “ksmith” “CS” “admin”
Delegation Can delegate any key to a more restrictive policy Subsumes Hierarchical-IBE OR AND “ksmith” Year=2005 “CS” “admin”
A comparison ABE [GPSW06] Arbitrary Attributes Expressive Policy Attributes in Clear Hidden Vector Enc. [BW06] Fields Fixed at Setup Conjunctions & don’t care Hidden Attributes
Ciphertext Policy ABE (opposite) Encrypted Data reflects Decryption Policies Users’ Private Keys are descriptive attributes master-key CA/PKG “Blond”, “Well-dressed”, “Age=21”, “Height=5’2” OR AND “Rhodes Scholar” “25-35” “millionaire”
Multi-Authority ABE [Chase07] Authorities over different domains E.g. DMV and IRS Challenge: Prevent Collusion Across Domains Insight: Use “globally verifiable ID/attribute” to link
Open Problems Ciphertext Policy ABE ABE with “hidden attributes” Policies from Circuits instead of Trees
Generalizing the Framework Capability Request Private “Capability” Encrypt “Structured” Data CA/PKG Authority is offline master-key
Health Records Weight=125 Height = 5’4 Age = 46 Blood Pressure= 125 Partners = … If Weight/Height >30 AND Age > 45 Output Blood Pressure Private “Capability” No analogous PKI solution CA/PKG Authority is offline master-key
THE END
Related Work Secret Sharing Schemes [Shamir79, Benaloh86…] Allow Collusion Building from IBE + Secret Sharing [Smart03, Juels] IBE gives key Compression Not Collusion Resistant