Russell Martin August 9th, 2013 Contents • • • • • • Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future Work Need for Attribute Based Encryption • Private Key Cryptosystems o • o Identity Based Encryption o • AES Single key for all users o Users given unique keys Good for signatures, not so much encryption Attribute Based Encryption o o “Fuzzy” IBE Decryption controlled by matching “d of k” attributes CPABE • • • ABE schemes are single level of control Fine grain access control o KPABE o • Monotonic access trees o Access tree in user’s key, list of attributes in ciphertext Users encrypting files have limited control of who decrypts CPABE o o Access tree in ciphertext, list of attributes in user’s key Users encrypting have strong control Access Tree CPABE • Five functions o o o o o Setup Key Generation Encryption Decryption Delegation Bilinear Pairings • Decisional Diffie-Hellman is easy, Computational Diffie-Hellman is hard Bilinear Pairings • Inputs most commonly elements of a specific elliptic curve o • Restricted to r-torsion points of the curve o r*P=O Computed by the Weil or Tate pairing, using Miller’s algorithm o Computation of tangent/vertical/lines between one or two points on the curve Setup • Selection of bilinear group, generators, and exponentiations Key Generation • Generate a key for the user who possesses the list of attributes, S Encryption • Encrypt the message M with the access policy τ o Y = Set of all leaf nodes in tree Decryption • Recursive decryption starting at top of tree o If leaf node, decrypt node: Decryption • If non-leaf node, polynomial interpolation from child node results Decryption • Assuming access tree satisfied, interpolation at root occured Group Selection • • • CPABE uses , a=1 No justification for the usage or performance of this curve Can we do better with performance? Size? Security? Embedding Degree • • • • Directly related to size and security of groups of the bilinear pairing Minimum value k such that , r = number of points on elliptic curve Ratio of size of input group to output group Larger embedding degree believed to be higher security Curve Types • • • • Ben Lynn’s Pairing Based Cryptography Library Labeled as type A through G o Type B and C not implemented in library Types A, B, C are symmetric (supersingular) o Same group for both input elements of pairing Types D - G are ordinary o Generated by the complex multiplication equation Curve Types • • • • • Type A - k=2, 512 bit inputs, 1024 bit outputs Type D (MNT Curves) - k=6, 159 bit inputs, 954 bit outputs Type E - k=1, 1020 bit inputs, 1020 bit outputs Type F (Barreto-Naehrig) - k=12, 158 bit inputs, 1896 bit outputs Type G - k=10, 149 bit inputs, 1490 bit outputs Performance • Tested key generation, encryption, and decryption o o o Encryption and Decryption were over horizontal and vertical access policies 1 to 100 attributes in each policy CHARM - Python library for cryptography prototyping Overhead over C implementation for CPABE mostly in serialization & parsing Horizontal vs Vertical Access Policy Performance - Key Generation Performance - Horizontal Encryption Performance - Vertical Encryption Performance - Horizontal Decryption Performance - Vertical Decryption Performance • Operation Breakdown: Performance Operations per function: Key Generation - Multiplications and exponentiations , 1:2 ratio Encryption - Multiplications and exponentiations, 3:1 ratio Decryption - All operations, focused in output group Pairings take up majority of CPU time Size • Key • Ciphertext Performance Summary • • • • • • Type F - Fastest encryption & key gen, slowest decryption Minor differences in horizontal vs. vertical access policies Type G performance is not recommended Type D is close to type E, but both slower than type A Type F has the smallest keys, type D has the smallest ciphertexts Focus on optimizations to pairing operation Pairings Outside of Elliptic Curves • • • RSA is possible, by using exponentiation as the pairing function o Still requires normal comparable security sizes - EC vs RSA Hyperelliptic curves o Higher embedding degree is not worth additional complexity Vector of integers o Again, restricted to integer sizes (RSA) Key Management • • CPABE wants to not use trusted servers o Revocation & renewal difficult o • No access control outside of ciphertext o Want immediate revocation of full keys Minimize overhead in renewal Focus on full key revocation, not attribute Key Management Possibilities • • • • Key expiration date o Adds many more attributes due to numeric attributes and timestamps Proxy Key o Additional pairings, and still direct communication with proxy server User Blacklist o Requires to be done by user encrypting files Hierarchical Access Roles o Large overhead, need to control number of unique values Key Insulated ABE • • • • Temporary keys based on a time period Revocation is not immediate o Must wait until end of time period Pseudorandom function with identity as seed o Get next value for the next time period Users given helper key o Updates current key to valid key for next value Key Insulated CPABE • • • Replace random r value in users’ keys with a pseudorandom value k Setup - same as CPABE, except with definition of pseudorandom and hash functions Key Generation: Key Insulated CPABE • • Helper Update: o Additional value here due to gα and β private User Update: Key Insulated CPABE • Encryption: Key Insulated CPABE • Decryption: • • Interpolation - no change Final Decryption: Performance • • • No changes to number of operations during pairings Additional multiplications and hashings to handle T() in encryption/key generation o Equivalent of an additional attribute in key generation User needs to perform multiplication for each attribute during update Size • • 3 values, all in the input group Largest in type A pairing - 1536 bits Security • • • Security of revocation directly linked to security of pseudorandom function o If users can compute k values, they can generate any keys Outside of this, same security claims as CPABE No need to hide details of T() function o Needed for encryption Disadvantages • How to handle previous time periods o • • o Users keep old keys - large storage overhead Force rencryption of files after number of time periods? How to handle new users o Would not have previous keys, no access to previous files Application depedent o Broadcast schemes work well for this Conclusion • Type F curves provide fastest key generation and encryption for CPABE o • o Limited in decryption due to large output groups Type A curves provide best decryption times Key Insulated CPABE allows non-immediate revocation at low overhead o o Security same as CPABE Issues with storage of multiple keys Future Work • • • • Other pairing libraries (MIRACL) Optimizations to operations Comparison of KICPABE to other broadcast revocation schemes Security of KICPABE under other modified CPABE models