Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data

Vipul Goyal (UCLA)
Omkant Pandey (UCLA)
Amit Sahai (UCLA)
Brent Waters (SRI)

Traditional Encrypted Filesystem
• Encrypted files stored on untrusted server
  – File 1, Owner: John
  – File 2, Owner: Tim
• Every user can decrypt its own files
• Files to be shared across different users?

A New Encrypted Filesystem
Label files with attributes
File 1
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”
File 2
• “Creator: Tim”
• “History”
• “Admissions”
• “Date: 03-20-05”

An Encrypted Filesystem
Authority
File 1
• “Creator: John”
• “Computer Science”
• “Admissions”
• “Date: 04-11-06”
File 2
• “Creator: Tim”
• “History”
• “Admissions”
• “Date: 03-20-05”
Key policy: OR( “Bob”, AND( “Computer Science”, “Admissions” ) )

Threshold Attribute-Based Enc. [SW05]

Sahai-Waters introduced ABE, but only for “threshold policies”:
• Ciphertext has set of attributes
• User has set of attributes
• If more than k attributes match, then User can decrypt.

Main Application: Biometrics

General Attribute-Based Encryption
• Ciphertext has set of attributes
• Keys reflect a tree access structure
• Decrypt iff attributes from CT satisfy key’s policy
Key policy: OR( “Bob”, AND( “Computer Science”, “Admissions” ) )

Central goal: Prevent Collusions
Users shouldn’t be able to collude
Key policy 1: AND( “Computer Science”, “Admissions” )
Key policy 2: AND( “History”, “Hiring” )
Ciphertext = M, {“Computer Science”, “Hiring”}

Related Work

Access Control [Smart03], Hidden Credentials [Holt et al. 03-04]
• Not Collusion Resistant

Secret Sharing Schemes [Shamir79, Benaloh86…]
• Allow Collusion

Techniques
We combine two ideas
• Bilinear maps
• General Secret Sharing Schemes

Bilinear Maps
• $G$, $G_1$: multiplicative groups of prime order $p$.
• Def: An admissible bilinear map $e: G \times G \to G_1$ is:
  – Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_1$.
  – Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a, b \in \mathbb{Z}$, $g \in G$.
  – Efficiently computable.
  – Exist based on Elliptic-Curve Cryptography

Secret Sharing [Ben86]

Secret Sharing for tree-structure of AND + OR
• Replicate secret for OR’s.
• Split secrets for AND’s.
Shares on the example tree:
OR: $y$
  “Bob”: $y$
  AND: $y$
    “Computer Science”: $(y - r)$
    “Admissions”: $r$

The Fixed Attributes System: System Setup
List of all possible attributes: “Bob”, “John”, …, “Admissions”
Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^y$

Encryption
Public Parameters: $g^{t_1}, g^{t_2}, g^{t_3}, \ldots, g^{t_n}, e(g,g)^y$
File 1
• “Creator: John” (attribute 2)
• “Computer Science” (attribute 3)
• “Admissions” (attribute n)
Select set of attributes, raise them to random $s$
Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy} M$

Key Generation
Fresh randomness used for each key generated!
Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^y$
Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy} M$
Shares on the key’s policy tree:
OR: $y$
  “Bob”: $y_1 = y$
  AND: $y$
    “Computer Science”: $y_3 = (y - r)$
    “Admissions”: $y_n = r$
Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$

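Decryption
Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, M e(g,g)^{sy}$
Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$
Pairing matching ciphertext and key components gives, for example, $e(g,g)^{sy_3}$.
$e(g,g)^{sy_3} e(g,g)^{sy_n} = e(g,g)^{s(y-r+r)} = e(g,g)^{sy}$
(Linear operation in exponent to reconstruct $e(g,g)^{sy}$)
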
Security
• Reduction: Bilinear Decisional Diffie-Hellman
  – Given $g^a, g^b, g^c$ distinguish $e(g,g)^{abc}$ from random
• Collusion resistance
  – Can’t combine private key components

The Large Universe Construction: Key Idea
Any string can be a valid attribute
Public Parameters: Public Function $T(\cdot)$, $e(g,g)^y$
Ciphertext: $g^s$, $e(g,g)^{sy} M$; for each attribute $i$: $T(i)^s$
Private Key: for each attribute $i$: $g^{y_i} T(i)^{r_i}$, $g^{r_i}$
Recovered for each attribute $i$: $e(g,g)^{sy_i}$

Extensions
• Building from any linear secret sharing scheme
  – In particular, tree of threshold gates…
• Delegation of Private Keys

Delegation
• Derive a key for a more restrictive policy
• Subsumes Hierarchical-IBE [Horwitz-Lynn 02, …]
Key policy: OR( AND( “Computer Science”, “admissions” ), “Bob” )
Bob’s Assistant: Year=2006

Applications: Targeted Broadcast Encryption
Encrypted stream
Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “11-01-2006”}
Key policy 1: AND( “Soccer”, “Germany” )
Key policy 2: AND( “Sport”, “11-01-2006” )

Thank You