Slide 1: Attribute-Based Encryption
Brent Waters
SRI International

Slide 2: Server Mediated Access Control
File 1
Access list: John, Beth, Sue, Bob
Attributes: “Computer Science”, “Admissions”
• Server stores data in clear
• Expressive access controls

Slide 3: Distributed Storage
• Scalability
• Reliability
Downside: Increased vulnerability

Slide 4: Traditional Encrypted Filesystem
File 1, Owner: John
File 2, Owner: Tim
Encrypted Files stored on Untrusted Server
Every user can decrypt its own files
Files to be shared across different users? Credentials?
Lost expressivity of trusted server approach!

Slide 5: A New Approach to Encrypting Data
Goal: Encryption with Expressive Access Control
Label files with attributes
File 1
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”
File 2
• “Creator: Tim”
• “History”
• “Admissions”
• “Date: 03-20-05”

Slide 6: A New Approach to Encrypting Files
Univ. Key Authority
File 1
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”
File 2
• “Creator: Tim”
• “History”
• “Admissions”
• “Date: 03-20-05”
Key policy: “Bob” OR (“Computer Science” AND “Admissions”)

Slide 7: Attribute-Based Encryption [Sahai-Waters 05]
• Start with monotonic access formulas [GPSW06]
• Techniques from IBE [S84,BF01]
• Challenge: Collusion Resistance
• Further developments of ABE
• Bringing into Practice

Slide 8: Attribute-Based Encryption
Ciphertext has set of attributes
Keys reflect a tree access structure
Decrypt iff attributes from CT satisfy key’s policy
Ciphertext attributes:
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”
Key policy: “Bob” OR (“Computer Science” AND “Admissions”)

Slide 9: Central goal: Prevent Collusions
If neither user can decrypt a CT, then they can’t together
Key 1: “Computer Science” AND “Admissions”
Key 2: “History” AND “Hiring”
Ciphertext = M, {“Computer Science”, “Hiring”}

Slide 10: A Misguided Approach
Public Parameters: $K_{History}, K_{CS}, K_{Hiring}, K_{Admissions}, \ldots$
User 1: $SK_{CS}, SK_{Admissions}$
User 2: $SK_{History}, SK_{Hiring}$
CT = $E_{K_{CS}}(R),\ E_{K_{Hiring}}(M-R)$
Neither can decrypt alone, but …

Slide 11: Our Approach
Two key ideas
• Prevent collusion attacks
  – Bilinear maps “tie” key components together
• Support access formulas
  – General Secret Sharing Schemes

Slide 12: Bilinear Maps
$G$, $G_T$: multiplicative groups of prime order $p$.
Def: An admissible bilinear map $e: G \times G \to G_T$ is:
– Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_T$.
– Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z},\ g \in G$
– Efficiently computable.
– Exist based on Elliptic-Curve Cryptography

Slide 13: Secret Sharing [Ben86]
Secret Sharing for tree-structure of AND + OR
Replicate secret for OR’s.
Split secrets for AND’s.
OR (share $y$)
  “Bob” (share $y$)
  AND (share $y$)
    “Computer Science” (share $y-r$)
    “Admissions” (share $r$)

Slide 14: The Fixed Attributes System: System Setup
Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$
List of all possible attributes: “Bob”, “John”, …, “Admissions”

Slide 15: Encryption
Public Parameters: $g^{t_1}, g^{t_2}, g^{t_3}, \ldots, g^{t_n}, e(g,g)^{y}$
File 1
• “Creator: John” (attribute 2)
• “Computer Science” (attribute 3)
• “Admissions” (attribute n)
Select set of attributes, raise them to random $s$
Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy} M$

Slide 16: Key Generation
Fresh randomness used for each key generated!
Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$
Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy} M$
Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
OR (share $y$)
  “Bob”: $y_1 = y$
  AND (share $y$)
    “Computer Science”: $y_3 = (y-r)$
    “Admissions”: $y_n = r$

Slide 17: Decryption
Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, M e(g,g)^{sy}$
Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
$e(g,g)^{sy_3}$
$e(g,g)^{sy_3} e(g,g)^{sy_n} = e(g,g)^{s(y-r+r)} = e(g,g)^{sy}$
(Linear operation in exponent to reconstruct $e(g,g)^{sy}$)

Slide 18: Security
Reduction: Bilinear Decisional Diffie-Hellman
Given $g^a, g^b, g^c$ distinguish $e(g,g)^{abc}$ from random
Collusion resistance
• Can’t combine private key components

Slide 19: The Large Universe Construction: Key Idea
Any string can be a valid attribute
Public Parameters: Public Function $T(\cdot)$, $e(g,g)^{y}$
Ciphertext: $g^{s}$, $e(g,g)^{sy} M$; for each attribute $i$: $T(i)^{s}$
Private Key: for each attribute $i$: $g^{y_i} T(i)^{r_i}$, $g^{r_i}$
$e(g,g)^{sy_i}$

Slide 20: Delegation
Derive a key for a more restrictive policy
[Diagram: policy trees with node labels OR, AND, “Computer Science”, “Bob”, “admissions”, Year=2006; one key labelled Bob’s Assistant]

Slide 21: Making ABE more expressive
Any access formulas
• Challenge: Decryptor ignores an attribute
Attributes describe CT, policy in key
• Flip things around

Slide 22: Supporting “NOTs” [OSW07]
Example: Peer Review of Other Depts.
Bob is in C.S. dept => Avoid Conflict of Interest
[Diagram: policy tree with node labels AND, NOT, “Dept. Review”, “Year:2007”, “Computer Science”]
Challenge: Can’t attacker just ignore CT components?

Slide 23: A Simple Solution
Use explicit “not” attributes
Attribute “Not:Admissions”, “Not:Biology”
Problems:
• Encryptor does not know all attributes to negate
• Huge number of attributes per CT
Ciphertext attributes:
• “Creator: John”
• “History”
• “Admissions”
• “Date: 04-11-06”
• “Not:Anthropology”
• “Not:Aeronautics”
• …
• “Not:Zoology”

Slide 24: Technique 1: Simplify Formulas
Use DeMorgan’s law to propagate NOTs to just the attributes
[Diagram: policy tree; node labels in source order: AND, NOT, “Dept. Review”, OR, NOT, “Computer Science”, NOT, “Public Policy”]

Slide 25: Applying Revocation Techniques
Broadcast a ciphertext to all but a certain set of users
Used in digital content protection
• E.g. Revoke compromised players
[Diagram: players P1, P2, P3]

Slide 26: Applying Revocation Techniques
Focus on a particular Not Attribute
[Diagram: policy tree with node labels AND, NOT, “Dept. Review”, “Year:2007”, “Computer Science”]

Slide 27: Applying Revocation Techniques
Focus on a particular ‘Not’ Attribute
NOT “Computer Science”
Attribute in ‘Not’ as node’s “identity”
Attributes in CT as Revoked Users
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”
Node ID not in “revoked” list => satisfied
N.B. – Just one node in larger policy

Slide 28: The Naor-Pinkas Scheme
Pick a degree $n$ polynomial $q(\cdot)$, $q(0)=a$
• $n+1$ points to interpolate
User $t$ gets $q(t)$
Encryption:
• Revoked $x_1, \ldots, x_n$
• $g^{s}, g^{sq(x_1)}, \ldots, g^{sq(x_n)}, M g^{sa}$
User $t$: $g^{sq(t)}$
Can interpolate to $g^{sq(0)} = g^{sa}$ iff $t$ not in $\{x_1, \ldots, x_n\}$

Slide 29: Applying Revocation to ABE
Use same S.S. techniques for key generation
• Same techniques for pos. attributes
“Local” N-P Revocation at each Not-Attribute
Upshot: N-P Revocation requires to use each CT attribute

Slide 30: Ciphertext Policy ABE [BSW07]
Encrypt Data reflect Decryption Policies
Users’ Private Keys are descriptive attributes
[Diagram: Encryptor and Univ. Key Authority; labels in source order: “Professor”, OR, “Discipline Committee”, “Age=33”, “History”, AND, “Discipline Committee”, “Counselor”, “Professor”, “Thinking”]

Slide 31: Challenges in Practice [PTMW06]
Applications
• Health Care
• Netflow Logs (currently building)
How are CTs annotated?
• Can we automate?
Convention for using Attributes?
• “Prof.” or “Professor”
• Does “T.A.” + “CS236” mean TAing CS236?

Slide 32: Challenges in Practice
What group do Public Parameters represent?
[Diagram: Univ. Key Authority, Individual’s Key]

Slide 33: Advanced Crypto Software Collection
Goal: Make advanced Crypto available to systems researchers
http://acsc.csl.sri.com (8 projects)

    $ cpabe-setup
    $ cpabe-keygen -o sara_priv_key pub_key master_key \
        sysadmin it_department 'office = 1431' 'hire_date = '`date +%s`
    $ cpabe-enc pub_key security_report.pdf
    (sysadmin and (hire_date < 946702800 or security_team)) or
    (business_staff and 2 of (executive_level >= 5, audit_group, strategy_team))

Projects at UIUC and MIT using ABE

Slide 34: Conclusions and Open Directions
Attribute-Based Encryption for Expressive Access Control on Encrypted Data
Extending Capabilities
• Delegation
• Non-Monotonic Formulas
• Ciphertext-Policy
Currently implemented

Slide 35: Conclusions and Open Directions
Open: Can we express access control for any circuit over attributes?
What are limits of capability-based crypto?
• Capability that evaluates any function
[Diagram: Univ. Key Authority issues a key for F( ); ciphertext of s; output F(s)]

Slide 36: Thank You

Slide 37: Related Work
Identity-Based Encryption [Shamir84,BF01,C01]
Access Control [Smart03], Hidden Credentials [Holt et al. 03-04]
• Not Collusion Resistant
Secret Sharing Schemes [Shamir79, Benaloh86…]
• Allow Collusion

Slide 38: System Sketch
Choose degree $n$ polynomial $q(\cdot)$, $q(0)=b$
Public Parameters: $g^{q(0)}, g^{q(1)}, \ldots, g^{q(n)}$
Can compute $g^{q(x)}$
Ciphertext: $g^{s}, g^{sq(x_1)}, \ldots, g^{sq(x_n)}$; Attributes: $x_1, x_2, \ldots$
Private Key for NOT “Computer Science” ($=t$): $g^{rq(t)}$, $g^{r}$
$e(g,g)^{srq(t)}$
$e(g,g)^{srq(x_1)}, \ldots, e(g,g)^{srq(x_n)}$
If points different can compute $e(g,g)^{srb}$

Slide 39: Applications: Targeted Broadcast Encryption
Encrypted stream
Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “11-01-2006”}
Key 1: “Soccer” AND “Germany”
Key 2: “Sport” AND “11-01-2006”

Slide 40: Extensions
Building from any linear secret sharing scheme
In particular, tree of threshold gates…
Delegation of Private Keys

Slide 41: Threshold Attribute-Based Enc. [SW05]
Sahai-Waters introduced ABE, but only for “threshold policies”:
• Ciphertext has set of attributes
• User has set of attributes
• If more than k attributes match, then User can decrypt.
Main Application: Biometrics

Slide 42: Central goal: Prevent Collusions
Users shouldn’t be able to collude
Key 1: “Computer Science” AND “Admissions”
Key 2: “History” AND “Hiring”
Ciphertext = M, {“Computer Science”, “Hiring”}
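
The Naor-Pinkas revocation step from the slide of that name, as an added example that is not code from the talk: a non-revoked user interpolates $g^{sq(0)}$ in the exponent from the $n$ broadcast points plus their own, while a revoked user holds only $n$ distinct points. The toy safe-prime group (P = 2039, Q = 1019, G = 4), the user identifiers and the function names are constructed for the illustration and are far too small for real use.

```python
import secrets

P, Q, G = 2039, 1019, 4  # toy group: P = 2Q + 1, G generates the order-Q subgroup

def make_poly(n):
    # Coefficients of q(x), degree n; q(0) = coeffs[0] = a is the secret.
    return [secrets.randbelow(Q) for _ in range(n)] + [secrets.randbelow(Q - 1) + 1]

def q_eval(coeffs, x):
    # User t's share is q_eval(coeffs, t).
    return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

def broadcast(coeffs, revoked, m):
    # Sends g^s, g^{s q(x_i)} for each revoked x_i, and M * g^{s a}.
    s = secrets.randbelow(Q - 1) + 1
    header = {x: pow(G, s * q_eval(coeffs, x) % Q, P) for x in revoked}
    return pow(G, s, P), header, m * pow(G, s * coeffs[0] % Q, P) % P

def receive(t, share, ct):
    gs, header, c = ct
    points = dict(header)
    points[t] = pow(gs, share, P)          # the user's own point g^{s q(t)}
    if len(points) != len(header) + 1:
        return None                        # t is revoked: n points cannot fix q(0)
    mask = 1
    for xi, gi in points.items():
        lam = 1                            # Lagrange coefficient of x_i at 0, mod Q
        for xj in points:
            if xj != xi:
                lam = lam * xj * pow(xj - xi, -1, Q) % Q
        mask = mask * pow(gi, lam, P) % P  # interpolate in the exponent
    return c * pow(mask, -1, P) % P        # divide out g^{s a}
```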