Attribute-Based Encryption with Non-Monotonic Access Structures

Rafail Ostrovsky (UCLA)
Amit Sahai (UCLA)
Brent Waters (SRI International)
1
Server Mediated Access Control
File 1
Access list: John, Beth, Sue, Bob
Attributes: “Computer Science”, “Admissions”
•Server stores data in clear
•Expressive access controls
2
Distributed Storage
•Scalability
•Reliability
Downside: Increased vulnerability
3
Traditional Encrypted Filesystem
File 1 (Owner: John)
File 2 (Owner: Tim)
Encrypted files stored on untrusted server
Every user can decrypt its own files
Files to be shared across different users? Credentials?
Lost expressivity of trusted server approach!
4
Attribute-Based Encryption [SW05]
Goal: Encryption with Expressive Access Control
Label files with attributes
File 1
•“Creator: John”
•“Computer Science”
•“Admissions”
•“Date: 04-11-06”
File 2
•“Creator: Tim”
•“History”
•“Admissions”
•“Date: 03-20-05”
5
Attribute-Based Encryption
Univ. Key Authority
File 1
•“Creator: John”
•“Computer Science”
•“Admissions”
•“Date: 04-11-06”
File 2
•“Creator: Tim”
•“History”
•“Admissions”
•“Date: 03-20-05”
Key access tree: “Bob” OR (“Computer Science” AND “Admissions”)
6
Attribute-Based Encryption
Ciphertext has set of attributes
Keys reflect a tree access structure
Decrypt iff attributes from CT satisfy key’s policy
Ciphertext attributes:
•“Creator: John”
•“Computer Science”
•“Admissions”
•“Date: 04-11-06”
Key access tree: “Bob” OR (“Computer Science” AND “Admissions”)
7
Central goal: Prevent Collusions
If neither user can decrypt a CT, then they can’t together
Key of user 1: “Computer Science” AND “Admissions”
Key of user 2: “History” AND “Hiring”
Ciphertext = M, {“Computer Science”, “Hiring”}
8
Current ABE Systems [GPWS06]
Monotonic Access Formulas
• Tree of ANDs, ORs, threshold (k of N) …
•Attributes at leaves
•NOT is unsupported!
Example tree: “Bob” OR (“Computer Science” AND “Admissions”)
9
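Key Generation
Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$
Fresh randomness used for each key generated!
Access tree with secret shares: the root OR carries $y$; its leaf “Bob” gets $y_1 = y$; its child AND carries $y$, split between “Computer Science” with $y_3 = (y-r)$ and “Admissions” with $y_n = r$
Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
“Greedy” Decryption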
10
Supporting “NOTs” [OSW07]
Example: Peer Review of Other Depts.
Bob is in C.S. dept => Avoid Conflict of Interest
Key access tree: “Dept. Review” AND “Year:2007” AND NOT “Computer Science”
Challenge: Can’t attacker just ignore CT components?
11
A Simple Solution

Use explicit “not” attributes

Attribute “Not:Admissions”, “Not:Biology”

Problems:
• Encryptor does not know all attributes to negate
• Huge number of attributes per CT
Ciphertext attributes:
•“Creator: John”
•“History”
•“Admissions”
•“Date: 04-11-06”
•“Not:Anthropology”
•“Not:Aeronautics”
•…
•“Not:Zoology”
12
Technique 1: Simplify Formulas
Use DeMorgan’s law to propagate NOTs to just the attributes
Figure (tree node labels): AND, NOT, “Dept. Review”, OR, NOT, “Computer Science”, NOT, “Public Policy”
13
Revocation Systems
[NNL01,NP01…]

Broadcast to all but a certain set of users

Application: Digital content protection
P1
P2
P3
14
Applying Revocation Techniques

Focus on a particular Not Attribute
Key access tree: “Dept. Review” AND “Year:2007” AND NOT “Computer Science”
15
Applying Revocation Techniques

Focus on a particular ‘Not’ Attribute
NOT “Computer Science”
Attribute in ‘Not’ as node’s “identity”
Attributes in CT as Revoked Users
•“Creator: John”
•“Computer Science”
•“Admissions”
•“Date: 04-11-06”
Node ID not in “revoked” list => satisfied
N.B. – Just one node in larger policy
16
“Polynomial Revocation” [NP01]

Pick a degree n polynomial q( ), q(0)=a
• n+1 points to interpolate

User t gets q(t)

Encryption:
• Revoked x1, …, xn
• Ciphertext: $g^{s}, g^{s q(x_1)}, \ldots, g^{s q(x_n)}, M g^{s a}$
• User t: $g^{s q(t)}$
Can interpolate to $g^{s q(0)} = g^{s a}$ iff t not in {x1,…,xn}
17
ABE with Negation

Push NOTs to leaves

Apply ABE key generation
• Collusion resistance still key!
• Treat non-negated attributes same

New Type of Polynomial Revocation at Leaves
18
System Sketch
Choose degree n polynomial q(), q(0)=b
Public Parameters: $g^{q(0)}, g^{q(1)}, \ldots, g^{q(n)}$
Can compute $g^{q(x)}$
Ciphertext: $g^{s}, g^{s q(x_1)}, \ldots, g^{s q(x_n)}$
Attributes: x1, x2…
Private Key for NOT “Computer Science” (= t): $g^{r q(t)}, g^{r}$
Derived from ABE key generation
$e(g,g)^{s r q(t)}$
$e(g,g)^{s r q(x_1)}, \ldots, e(g,g)^{s r q(x_n)}$
If points different can compute $e(g,g)^{s r b}$
19
Conclusions and Open Directions

Goal: Increase expressiveness of Encryption Systems

Provided Negation to ABE systems
• Challenge: Decryptor Ignores “Bad” Attributes
• Solution: Revocation techniques

Future:
• ABE with Circuits
• Other cryptographic access control
20
Thank You
21