ciphertext-policy attribute-based encryption (cp-abe)
DESCRIPTION
Ciphertext-Policy Attribute-Based Encryption (CP-ABE). Presented by Sherley Codio. Application Scenario. Sharing data on distributed systems Bob sends a sensitive memo People with a set of credentials/attributes receives it. Office: Public Corruption City: Knoxville. Bob FBI Head. - PowerPoint PPT PresentationTRANSCRIPT
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Ciphertext-Policy Attribute-Based Encryption (CP-ABE)
Presented by Sherley Codio
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
2Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Sharing data on distributed systems Bob sends a sensitive memo People with a set of credentials/attributes receives it
Application Scenario
Bob FBI Head
Office: Public Corruption City: Knoxville
Office: Public Corruption City: San Francisco
Office: Public Corruption City: Denver
Access structure for accessing this information: ((“Public Corruption Office” AND (“Knoxville” OR “San Francisco”))
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
3Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Application Scenario
Advantages of replicating data across several locations:- Performance- Reliability
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
4Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Application Scenario
Disadvantage:If a server is compromised, data confidentiality is compromised
Solution:Store data in encrypted form: Encrypted access control
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
5Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Attribute-based encryption (ABE): New means for encrypted access control.
Ciphertexts not necessarily encrypted to one particular user.
Users’ private keys and ciphertexts associated with a set of attributes or a policy over attributes.
A “match” between user’s private key and the ciphertext, decryption is possible.
Attribute-Based Encryption (ABE)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
6Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Ciphertext-Policy Attribute-Based Encryption
BobAccess Structure over
attributes
ciphertext
Sends
Set of attributes
Private Key
YES
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
7Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Ciphertext-Policy Attribute-Based Encryption
Gate
Gate Gate
Attribute Attribute Attribute
AND gate: n-of-n threshold gates OR gate: 1-of-n threshold gates
Access Structure: monotonic access Tree
ORAND
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
8Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Ciphertext-Policy Attribute-Based Encryption
X
Kx=1 Kx=1
Threshold gate: Described by children and threshold value
Access Structure: monotonic access Tree
numx == number of children of Xkx == numx => AND gate
kx== 1 => OR gateLeaf: k == 1
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
9Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Ciphertext-Policy Attribute-Based Encryption
r
x
Kx=1 Kx=1
Satisfying an Access Tree
γ set of attributes => Tx(γ) == 1Tx(γ) == 1 iff at least kx == 1
x is a leaf node => then Tx(γ)== 1 iff att(x) γ∈
Tr == T
Tx
att(x): denotes the attribute associated with the leaf node x
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
10Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Difference between KP-ABE and CP-ABE
Bob Descriptive attributes
ciphertextSends
Set of attributes
Private Key
YES
CP-ABE
KP-ABE
Bob Access Structure over attributes
ciphertext
Sends
Policies
Private Key
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
11Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
CP-ABE: Fundamental Algorithms
Setup Encrypt Keygen
Decrypt Delegate
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
CP-ABE: Fundamental Algorithms
12
Encrypt ASetup
Implicit security parameter
Keygen Decrypt
M
S
M
MK
PK
CT
SKPK
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
13Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Bilinear map
G0 and G1: two multiplicative cyclic groups of prime order p. g a generator of G0 and e a bilinear map, e : G0 × G0 → G1. e has the following properties:
1. Bilinearity: for all u, v G0 and a, b Zp, e(u^a, v^b) = ∈ ∈e(u, v)^ab.2. Non-degeneracy: e(g, g) =/ 1
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
14Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The Setup Algorithm
Public Key PK
• PK = G0, g, h = g^β , f = g^1/β, e(g, g)^α
Master key MK • (β, g^α)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
15Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The Encryption Algorithm
Let, Y be the set of leaf nodes in T . The ciphertextis constructed by giving the tree access structureT and computing
• CT =T , C˜ = Me(g, g)^αs , C = h^s, y Y : ∀ ∈Cy = g^qy (0) , C′y = H(att(y))^qy (0)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
16Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The Keygen Algorithm
Let r Zp, rj Zp, j S. Then it computes the key as∈ ∈ ∈
• SK = (D = g^(α+r)/β, j S : Dj = g^r. H(j)^rj, D′j = ∀ ∈g^rj)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
17Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The Decryption Algorithm
I x is a leaf node, i = att(x), i S∈
• CT = (T , C, C,˜ y Y : Cy, C′)∀ ∈
• DecryptNode(CT, SK, x) =e(Di, Cx)/e(D′i, C′x)
• =e(g^r. H(i)^ri, g^qx(0))/e(g^ri, H(i)^qx(0)• == e(g, g)^rqx(0)
• If i / S DecryptNode(CT, SK, x) = ∈ ⊥
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
18Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The Decryption Algorithm
I x is a non-leaf node
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
19Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Delegate( SK, S˜), S˜ S⊆SK = (D, j S : Dj , D′j)∀ ∈
SK ˜ = (D˜ = Df^r˜, k S˜: D˜ k = ∀ ∈Dkg^r˜H(k)^r˜k, D˜ ′k = D′kg^r˜k)
The Delegate algorithm
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
20Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
To decrypt an attacker needs e(g, g)^αs
To recover e(g, g)^αs, C must be paired with the D component from some user’s private key.
Security Intuition
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
21Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
e(g, g)^αs is blinded e(g, g)^rsTo blind e(g, g)^αs , correct key
components neededblinding value is randomized
How is Collusion Prevented?