1

Attribute-Based Encryption

http://www.csl.sri.com/users/bwaters/

Brent WatersSRI International

Joint work with Vipul Goyal, Omkant Pandey, and Amit Sahai

2

IBE [BF01]

IBE: [BF01] Public key encryption scheme where public key is an arbitrary string (ID). Examples: user’s e-mail address

email encrypted using public key:

“bob@stanford.edu”

master-key

CA/PKG

I am “bob@stanford.edu”

Private keyAlice does not access a PKI

Authority is offline

Is regular PKI good enough?

3

Generalizing the Framework

Encrypt “Structured” Data

master-key

CA/PKG

Capability Request

Private “Capability”

Authority is offline

4

Attributed-Based Encryption(ABE) [SW05]

Encrypt Data with descriptive “Attributes”

Users Private Keys reflect Decryption Policies

master-key

CA/PKG

Authority is offline

Encrypt

w/attributes

5

An Encrypted Filesystem

File 1•“Creator: bsanders”

•“Computer Science”

•“Admissions”

•“Date: 04-11-06”

File 2•“Creator: akeen”

•“History”

•“Hiring”

•“Date: 03-20-05”

Encrypted Files on Untrusted Server

Label files with attributes

6

An Encrypted Filesystem

File 1•“Creator: bsanders”

•“Computer Science”

•“Admissions”

•“Date: 04-11-06”

File 2•“Creator: akeen”

•“History”

•“Hiring”

•“Date: 03-20-05”

Authority

OR

AND

“CS”“admission

s”

“bsmith”

7

This Talk

Threshold ABE & Biometrics

More “Advanced” ABE

Other Systems

8

A Warmup: Threshold ABE[SW05]

Data labeled with attributes

Keys of form “At least k” attributes

Application: IBE with Biometric Identities

9

Biometric Identities

Iris Scan

Voiceprint

Fingerprint

10

Biometric Identities

Stay with human

Are unique

No registration

Certification is natural

11

Biometric Identities

Deviations

Environment

Difference in sensors

Small change in trait

Can’t use previous IBE solutions!

12

Error-tolerance in Identity

k attributes must match

Example: 5 attributes

Public Key

master-key

CA/PKG

Private Key

5 matches

13

Error-tolerance in Identity

k attributes must match

Example: 5 attributes

Public Key

master-key

CA/PKG

Private Key

3 matches

14

Secret Sharing

Split message M into shares such that need k to reconstruct

Choose random k-1 degree polynomial, q, s.t. q(0)=M

Need k points to interpolate

15

First Method

Key Pair per Trait

Encrypt shares of message

Deg. 4 (need 5 traits) polynomial q(x), such that q(0)=M

5Private Key

2 7 8 11 13 16

Ciphertext E3(q(3))...

q(x) at 5 points ) q(0)=M

16

Collusion Attack

5Private Key

6 7

9 108

6 8 975 10

17

Our Approach

Goals

•Threshold

•Collusion Resistance

Methods

•Secret-share private key

•Bilinear maps

18

Bilinear Maps

G , G1 : finite cyclic groups of prime order p.

Def: An admissible bilinear map e: GG

G1 is:

– Bilinear: e(ga, gb) = e(g,g)ab a,bZ, gG

– Non-degenerate: g generates G e(g,g) generates G1 .

– Efficiently computable.

19

The SW05 Threshold ABE system

Public Parameters e(g,g)y 2 G1, gt1, gt2,.... gtn 2 G

Private KeyRandom degree 4

polynomial q(x) s.t. q(0)=y

gq(5)/t5

Bilinear Map

e(g,g)rq(5)

Ciphertextgr¢

t5

Me(g,g)ry

Interpolate in exponent to get e(g,g)rq(0)=e(g,g)ry

20

Intuition

Threshold

•Need k values of e(g,g)rq(x)

Collusion resistance

•Can’t combine private key components

( shares of q(x), q’(x) )

Reduction

Given ga,gb,gc distinguish e(g,g)ab/c from random

21

Moving Beyond Threshold ABE

OR

AND

“CS” “admin”

“ksmith”

Threshold ABE not very expressive

“Grafting” has limitations

Shamir Secret Sharing => k of n

Base new ABE off of general

secret sharing schemes

22

Access Trees [Ben86]

Secret Sharing for tree-structure of AND + OR

Replicate ORs Split ANDs

OR

AND

Alice Bob

AND

Charlie

Doug Edith

OR

s

s’’ s’’

s s

s’s-s’ s-s’’

s’’

23

Key-Policy Attribute-Based Encryption [GPSW06]

OR

AND

“CS” “admin”

“ksmith”

Encryption similar to Threshold ABE

Keys reflect a tree access structure

Randomness to prevent collusion!

Use Threshold Gates

Decrypt iff attributes from CT

satisfy key’s policy

24

Delegation

OR

AND

“CS” “admin”

“ksmith”

Can delegate any key to a more restrictive policy

Subsumes Hierarchical-IBE

Year=2005

25

A comparison

ABE [GPSW06]

• Arbitrary Attributes

• Expressive Policy

• Attributes in Clear

Hidden Vector Enc. [BW06]

• Fields Fixed at Setup

• Conjunctions & don’t care

• Hidden Attributes

26

Ciphertext Policy ABE (opposite)

Encrypt Data reflect Decryption Policies

Users’ Private Keys are descriptive attributes

master-key

CA/PKG

“Blond”, “Well-dressed”,

“Age=21”, “Height=5’2”

OR

AND

“Rhodes

Scholar”“25-35”

“millionaire”

27

Multi-Authority ABE [Chase07]

Authorities over different domains•E.g. DMV and IRS

Challenge: Prevent Collusion Across Domains

Insight: Use “globally verifiable ID/attribute” to link

28

Open Problems

Ciphertext Policy ABE

ABE with “hidden attributes”

Policies from Circuits instead of Trees

29

Generalizing the Framework

Encrypt “Structured” Data

master-key

CA/PKG

Capability Request

Private “Capability”

Authority is offline

30

Health Records

master-key

CA/PKG

Private “Capability”

Authority is offline

Weight=125

Height = 5’4

Age = 46

Blood Pressure= 125

Partners = …

If Weight/Height >30 AND Age > 45

Output Blood Pressure

No analogous PKI solution

31

THE END

32

Related Work

Secret Sharing Schemes [Shamir79, Benaloh86…]•Allow Collusion

Building from IBE + Secret Sharing [Smart03, Juels]• IBE gives key Compression•Not Collusion Resistant