Improving Privacy and Security in MultiAuthority Attribute-Based Encryption Advanced Information Security April 6, 2010 Presenter: Semin Kim -2/19- Overview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -3/19- Overview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -4/19- History of Attributed-Based Encryption 1977, RSA Rivest, Shamir and Adleman Public/Private(Secret) Key 1985, IBE(Identity-Based Encryption) Shamir Allows for a sender to encrypt message to an identity without access to a public key certificate Encrypted by Address, Name -5/19- History of Attributed-Based Encryption 2005, Fuzzy IBE Sahai and Waters A user having identity ω can decrypt a ciphertext with public key ω’. (|ω – ω’| < threshold distance) Two interesting new applications • Uses biometric identities. – Ex) a fingerprint of human can be changeable by pressure, angle and noisy • Attributed-Based Encryption (ABE) – Suppose that a party wish to encrypt a document to all users that have a certain set of attributes – Ex) {School, Department, Course} -> {KAIST, ICE, Ph.D} -6/19- Overview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -7/19- Introduction of paper Title Improving Privacy and Security in Multi-Authority Attribute-Based Encryption Conference In CCS'09: Proceedings of the 16th ACM conference on Computer and communications security. ACM, New York, NY, USA, 2009 Authors Melissa Chase (Microsoft Research) Sherman S.M. Chow (New York University) -8/23- Background of paper Motivation In single authority Attribute-Based Encryption (ABE), there exist only one trusted server who monitors all attributes. However, this may not be entirely realistic. Goal To provide an efficient scheme to resolve the above problem by multi-authority ABE -9/19- Overview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -10/23- Preliminaries Basic Idea of ABE Attributes of Human are different and changeable. Thus, it is difficult to find a perfect set of attributes according to various situations. Soccer Red Reading A Soccer Action Red Reading Soccer Drama Blue Music B -11/23- Preliminaries Lagrange Polynomial (from Wikipedia) -12/23- Single Authority ABE Step One – Feldman Verifiable Secret Sharing Init: First fix y ← Zq, where q is a prime. Secret Key (SK) for user u: Choose a random polynomial p such that p(0) = y and the degree of p is d-1. SK: {Di = gp(i)} ∀i∈Au ,where Au is a attribute set of user u and g is a costant Encryption: E = gym, where m is a message Decryption: Use d SK elements Di to interpolate to obtain Y = gp(0) = gy. Then m = E/Y -13/23- Single Authority ABE Step Two – Specifying Attributes Let G1 be a cyclic multiplicative group of prime order q generated by g. Let e(•, •) be a bilinear map such that g ∈ G1, and a, b ∈ Zq, e(ga, gb) = e(g, g)ab Init: First fix y, t1,…,tn ←Zq, Let Y = e(g, g)y SK for user u: Choose a random polynomial p such that p(0) = y. . SK: {Di = gp(i)/ti} ∀i∈Au Encryption for attribute set Ac: E=Ym and {Ei = gti} ∀i∈AC Decryption: For d attributes i∈Ac∩Au, compute e(Ei, Di) = e(g, g)p(i). Interpolate to find Y = e(g, g)p(0) = e(g, g)y. Then m = E/Y. -14/23- Single Authority ABE Step Three – Multiple Encryptions To encrypt multiple times without the decryptor needing to get a new secret key each time. Init: First fix y, t1, …, tn ← Zq. Public Key (PK) for system: T1 = gt1 … Tn = gtn, Y = e(g, g)y. PK = {Ti}1 ≤ I ≤ n,Y SK for user u: Choose a random polynomial p such that p(0) = y. SK: {Di = gp(i)/ti} ∀i∈Au Encryption for attribute set Ac: E=Ys=e(g, g)ysm and {Ei = gtis} ∀i∈AC Decryption: For d attributes i∈Ac∩Au, compute e(Ei, Di) = e(g, g)p(i)s. Interpolate to find Ys = e(g, g)p(0)s = e(g, g)ys. Then m = E/Ys. -15/19- Overview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -16/23- Multi Authority Attribute Based Encryption Encryption Attribute Set {A1C, …, ANC), pick s ∈R Zq. Return (E0 = mYs, E1 = g2s, {Ck, i = Tsk,i} Decryption For each authority k ∈ [1, …, N] • For any dk attributes i ∈AkC ∩ Aku, pair up Sk,i and Ck,i compute e(Sk,i, Ck,i) = e(g1, g2)spk(i). • Interpolate all the values e(g1, g2)spk(i) to get Pk = e(g1, g2)spk(i) = e(g1, g2)s(vk- ∑Rkj) Multiply Pk’s together to get Q = e(g1, g2)s(vk- ∑Ru) = Ys/ e(g1Ru, g2s) Compute e(Du, E1)Q = e(g1Ru, g2s)Q = Ys Recover m by E0/Ys -17/19- Overview History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions -18/19- Conclusion Contribution Multi-authority attributed-based encryption enables a more realistic deployment of attribute-based access control. Novelty An attribute-based encryption scheme without the trusted authority was proposed -19/19- Q&A Thank you! Any questions?