Improving Privacy and Security in MultiAuthority Attribute-Based Encryption
Advanced Information Security
April 6, 2010
Presenter: Semin Kim
-2/19-
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-3/19-
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-4/19-
History of Attributed-Based Encryption
1977, RSA
 Rivest, Shamir and Adleman
 Public/Private(Secret) Key
1985, IBE(Identity-Based Encryption)
 Shamir
 Allows for a sender to encrypt message to an identity
without access to a public key certificate
Encrypted by
Address, Name
-5/19-
History of Attributed-Based Encryption
2005, Fuzzy IBE
 Sahai and Waters
 A user having identity ω can decrypt a ciphertext with
public key ω’. (|ω – ω’| < threshold distance)
 Two interesting new applications
• Uses biometric identities.
– Ex) a fingerprint of human can be
changeable by pressure, angle and noisy
• Attributed-Based Encryption (ABE)
– Suppose that a party wish to encrypt a document to all users that have
a certain set of attributes
– Ex) {School, Department, Course}
-> {KAIST, ICE, Ph.D}
-6/19-
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-7/19-
Introduction of paper
Title
 Improving Privacy and Security in Multi-Authority
Attribute-Based Encryption
Conference
 In CCS'09: Proceedings of the 16th ACM conference
on Computer and communications security. ACM,
New York, NY, USA, 2009
Authors
 Melissa Chase (Microsoft Research)
 Sherman S.M. Chow (New York University)
-8/23-
Background of paper
Motivation
 In single authority Attribute-Based Encryption (ABE),
there exist only one trusted server who monitors all
attributes.
 However, this may not be entirely realistic.
Goal
 To provide an efficient scheme to resolve the above
problem by multi-authority ABE
-9/19-
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-10/23-
Preliminaries
Basic Idea of ABE
 Attributes of Human are different and changeable.
 Thus, it is difficult to find a perfect set of attributes
according to various situations.
Soccer
Red
Reading
A
Soccer
Action
Red
Reading
Soccer
Drama
Blue
Music
B
-11/23-
Preliminaries
Lagrange Polynomial (from Wikipedia)
-12/23-
Single Authority ABE
Step One – Feldman Verifiable Secret Sharing
 Init: First fix y ← Zq, where q is a prime.
 Secret Key (SK) for user u:
Choose a random polynomial p such that p(0) = y
and the degree of p is d-1. SK: {Di = gp(i)} ∀i∈Au ,where
Au is a attribute set of user u and g is a costant
 Encryption: E = gym, where m is a message
 Decryption: Use d SK elements Di to interpolate to
obtain Y = gp(0) = gy. Then m = E/Y
-13/23-
Single Authority ABE
Step Two – Specifying Attributes
 Let G1 be a cyclic multiplicative group of prime order q
generated by g.
 Let e(•, •) be a bilinear map such that g ∈ G1, and a, b ∈
Zq, e(ga, gb) = e(g, g)ab
 Init: First fix y, t1,…,tn ←Zq, Let Y = e(g, g)y
 SK for user u: Choose a random polynomial p such that
p(0) = y. . SK: {Di = gp(i)/ti} ∀i∈Au
 Encryption for attribute set Ac: E=Ym and {Ei = gti} ∀i∈AC
 Decryption: For d attributes i∈Ac∩Au, compute e(Ei, Di) =
e(g, g)p(i). Interpolate to find Y = e(g, g)p(0) = e(g, g)y.
Then m = E/Y.
-14/23-
Single Authority ABE
Step Three – Multiple Encryptions
 To encrypt multiple times without the decryptor needing to
get a new secret key each time.
 Init: First fix y, t1, …, tn ← Zq.
 Public Key (PK) for system: T1 = gt1 … Tn = gtn, Y = e(g,
g)y. PK = {Ti}1 ≤ I ≤ n,Y
 SK for user u: Choose a random polynomial p such that
p(0) = y. SK: {Di = gp(i)/ti} ∀i∈Au
 Encryption for attribute set Ac: E=Ys=e(g, g)ysm and {Ei =
gtis} ∀i∈AC
 Decryption: For d attributes i∈Ac∩Au, compute e(Ei, Di) =
e(g, g)p(i)s. Interpolate to find Ys = e(g, g)p(0)s = e(g, g)ys.
Then m = E/Ys.
-15/19-
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-16/23-
Multi Authority Attribute Based Encryption
Encryption
 Attribute Set {A1C, …, ANC), pick s ∈R Zq.
 Return (E0 = mYs, E1 = g2s, {Ck, i = Tsk,i}
Decryption
 For each authority k ∈ [1, …, N]
• For any dk attributes i ∈AkC ∩ Aku, pair up Sk,i and Ck,i compute
e(Sk,i, Ck,i) = e(g1, g2)spk(i).
• Interpolate all the values e(g1, g2)spk(i) to get Pk = e(g1, g2)spk(i) =
e(g1, g2)s(vk- ∑Rkj)
 Multiply Pk’s together to get Q = e(g1, g2)s(vk- ∑Ru) = Ys/
e(g1Ru, g2s)
 Compute e(Du, E1)Q = e(g1Ru, g2s)Q = Ys
 Recover m by E0/Ys
-17/19-
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-18/19-
Conclusion
Contribution
 Multi-authority attributed-based encryption enables a
more realistic deployment of attribute-based access
control.
Novelty
 An attribute-based encryption scheme without the
trusted authority was proposed
-19/19-
Q&A
Thank you! Any questions?