Attribute-Based Encryption

Brent Waters

Access Control

🗶

Access Control by Encryption

Idea: Need secret key to access data

Realistic Data Sharing

Problem: Disconnect between policy and mechanism

?

• Burden on provider

A Fundamental Gap

• Key Lookup
• Group Key Management

• Online-Service
• Complex
• Several Keys

A New Vision

Attribute-Based Encryption

Attribute-Based Encryption: A New Perspective

Public Parameters

Access Predicate: f( )

If f(X)=1

Why Attribute-Based Encryption?

Late Binding Access Control:

e.g. Network Logs

Why Attribute-Based Encryption?

Late Binding Access Control:

e.g. Network Logs

• Encrypt packet payload, tag with metadata

Src:123.3.4.77 AND

Date: 12/5/07

• Distribute capabilities later

Why Attribute-Based Encryption?

Efficiency:

vs.

Scales with policy complexity

Why Attribute-Based Encryption?

AND

ACLU

?

Receiver Privacy:

Salary > 1M

Attribute-Based Encryption for Formulas [SW05]

PK

MSK

“CS255-TA”

“PhD”

“CS255-TA”

“Undergrad”

✔

🗶

🗶

✔

✔

🗶

🗶

Key Authority

✔

Line of Research: [SW05, GPSW06, BSW07, BW07, OSW07,KSW08…]

A First Approach

Question: Can we build attribute-based encryption from standard techniques?

Attempt: Public Key Encryption + Secret Sharing

Secret Sharing [S78,B78,BL86]

• Ideas extend to more complex sharing

s

s

Share_A = s

Share_B = r

Share_C = s-r

• Use finite field e.g. Z_p

A First Approach

Combine S.S. and PKE

PK_A

SK_B

PK_B

SK_A

E_A(R)

E_B(M-R)

R

?

M-R

M

Collusion Attack!

Collusion Attacks: The Key Threat

Kevin:

“CS255-TA”

“Undergrad”

James:

“PhD”

“Graphics”

Need: Key “Personalization”

Tension: Functionality vs. Personalization

Elliptic Curve Techniques

G : multiplicative of prime order p. (Analogy: Z_q^*)

High Level: Single Multiplication

Key for satisfying functionality + personalization

​

Bilinear map e: G×G → G_T

e(g^a, g^b) = e(g,g)^ab ∀a,b∈Z_p, g∈G

​

Intuitive Hardness Discrete Log:

Given: g, g^a Hard to get: a

System Setup

Key Generation

‘t’ ties components together

Personalization!

Key Personalization (Intuition)

Kevin:

“CS255-TA”

…

James:

“PhD”

…

Random t

Random t’

Components are incompatible

(Formal security proofs in papers)

Encryption

n leaf nodes

y₁, ... y_n

f ( ) =

Share₁=s

Share₂=r

Share₃=s-r

s

CT:

Making it work

CT:

Goal: Compute and cancel to get M

“CS255-TA”

“PhD”

Message Randomization

Making it work

CT:

“CS255-TA”

“PhD”

SK:

Message Randomization

Personalized Randomization

New goal: Personalized to user

Use Bilinear Map for Decryption

Making it work

“CS255-TA”

“PhD”

• Shares are personalized

(Use Bilinear-Map)

• Linearly Combine

Personalized Randomization

Security

Theorem: System is (semantically) secure under chosen key attack

Number Theoretic Assumption:

Bilinear Diffie-Hellman Exponent [BBG05]

Attribute-Based Encryption Encryption Summary

• Tension: Functionality vs. Personalization

[SW05, GPSW06,PTMW06, BSW07, OSW07]

• Fundamental Change: Public Key Cryptography

Other Advances

ABE from Learning with Errors GVW13

• Quantum Resistance
• Circuit Functionality

Registered ABE HLWW23

• Removes central authority

FIPS and ABE?