Improving Privacy and Security in Multi-Authority Attribute- Based Encryption Advanced Information Security April 6, 2010 Presenter: Semin Kim


Improving Privacy and Security in Multi-Authority Attribute-Based Encryption

Advanced Information Security April 6, 2010

Presenter: Semin Kim


Overview

History of Attribute-Based Encryption

Introduction of Paper

Single Authority ABE

Multi Authority ABE

Conclusions


History of Attribute-Based Encryption

1977, RSA
  • Rivest, Shamir and Adleman
  • Public/Private (Secret) Key

1985, IBE (Identity-Based Encryption)
  • Shamir
  • Allows a sender to encrypt a message to an identity without access to a public key certificate

[Figure: message encrypted by identity (address, name)]


History of Attribute-Based Encryption

2005, Fuzzy IBE
  • Sahai and Waters
  • A user having identity ω can decrypt a ciphertext with public key ω' (|ω – ω'| < threshold distance)
  • Two interesting new applications
    – Uses biometric identities. Ex) a human fingerprint reading can change with pressure, angle and noise
    – Attribute-Based Encryption (ABE). Suppose that a party wishes to encrypt a document to all users that have a certain set of attributes. Ex) {School, Department, Course} -> {KAIST, ICE, Ph.D}


Introduction of Paper

Title: Improving Privacy and Security in Multi-Authority Attribute-Based Encryption

Conference: In CCS'09: Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, 2009

Authors: Melissa Chase (Microsoft Research), Sherman S.M. Chow (New York University)


Background of Paper

Motivation: In single-authority Attribute-Based Encryption (ABE), there exists only one trusted server who monitors all attributes. However, this may not be entirely realistic.

Goal: To provide an efficient scheme that resolves the above problem with multi-authority ABE.


Preliminaries

Basic Idea of ABE: Attributes of a human are different and changeable. Thus, it is difficult to find a perfect set of attributes according to various situations.

[Figure: attribute sets for users A and B: {Soccer, Action, Red, Reading}, {Soccer, Red, Reading}, {Soccer, Drama, Blue, Music}]


Preliminaries

Lagrange Polynomial (from Wikipedia)


Single Authority ABE

Step One – Feldman Verifiable Secret Sharing
  • Init: First fix $y \leftarrow Z_q$, where $q$ is a prime.
  • Secret Key (SK) for user u: Choose a random polynomial $p$ such that $p(0) = y$ and the degree of $p$ is $d-1$. SK: $\{D_i = g^{p(i)}\}_{\forall i \in A_u}$, where $A_u$ is the attribute set of user u and $g$ is a constant.
  • Encryption: $E = g^{y} m$, where $m$ is a message.
  • Decryption: Use $d$ SK elements $D_i$ to interpolate to obtain $Y = g^{p(0)} = g^{y}$. Then $m = E/Y$.
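Step One as a runnable sketch, added here as an example and not code from the slides or the paper: the key elements $D_i = g^{p(i)}$ are combined with Lagrange coefficients at $x = 0$ in the exponent, so $Y = g^{y}$ is recovered without ever learning $p$ or $y$. The toy group parameters `P`, `Q`, `G` and all function names are assumptions made for the illustration.

```python
import secrets

# Toy parameters, constructed for illustration (far too small for real use):
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen(y, attrs, d):
    """SK {D_i = g^p(i)} for attribute indices attrs; deg(p) = d-1, p(0) = y."""
    coeffs = [y] + [secrets.randbelow(Q) for _ in range(d - 1)]
    def p(x):
        return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q
    return {i: pow(G, p(i), P) for i in attrs}

def lagrange_at_zero(i, S):
    """Lagrange coefficient of index i over index set S at x = 0, mod Q."""
    num = den = 1
    for j in S:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def encrypt(y, m):
    """E = g^y * m for a message m in Z_P^*."""
    return pow(G, y, P) * m % P

def decrypt(E, sk, d):
    """Interpolate d key elements in the exponent to get Y = g^p(0), then m = E/Y."""
    if len(sk) < d:
        raise ValueError("fewer than d key elements: cannot interpolate")
    S = sorted(sk)[:d]
    Y = 1
    for i in S:
        Y = Y * pow(sk[i], lagrange_at_zero(i, S), P) % P
    return E * pow(Y, -1, P) % P

if __name__ == "__main__":
    y = secrets.randbelow(Q)
    sk = keygen(y, attrs=[1, 2, 3, 5, 8], d=3)
    print(decrypt(encrypt(y, 1234), sk, d=3))
```

Any $d$ of the user's key elements give the same $Y$; with fewer than $d$ the degree $d-1$ polynomial is underdetermined and `decrypt` refuses to run.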


Single Authority ABE

Step Two – Specifying Attributes
  • Let $G_1$ be a cyclic multiplicative group of prime order $q$ generated by $g$.
  • Let $e(\cdot, \cdot)$ be a bilinear map such that for $g \in G_1$ and $a, b \in Z_q$, $e(g^{a}, g^{b}) = e(g, g)^{ab}$.
  • Init: First fix $y, t_1, \dots, t_n \leftarrow Z_q$. Let $Y = e(g, g)^{y}$.
  • SK for user u: Choose a random polynomial $p$ such that $p(0) = y$. SK: $\{D_i = g^{p(i)/t_i}\}_{\forall i \in A_u}$
  • Encryption for attribute set $A_C$: $E = Y m$ and $\{E_i = g^{t_i}\}_{\forall i \in A_C}$
  • Decryption: For $d$ attributes $i \in A_C \cap A_u$, compute $e(E_i, D_i) = e(g, g)^{p(i)}$. Interpolate to find $Y = e(g, g)^{p(0)} = e(g, g)^{y}$. Then $m = E/Y$.


Single Authority ABE

Step Three – Multiple Encryptions
  • Goal: to encrypt multiple times without the decryptor needing to get a new secret key each time.
  • Init: First fix $y, t_1, \dots, t_n \leftarrow Z_q$.
  • Public Key (PK) for system: $T_1 = g^{t_1}, \dots, T_n = g^{t_n}$, $Y = e(g, g)^{y}$. $PK = \{T_i\}_{1 \le i \le n}, Y$
  • SK for user u: Choose a random polynomial $p$ such that $p(0) = y$. SK: $\{D_i = g^{p(i)/t_i}\}_{\forall i \in A_u}$
  • Encryption for attribute set $A_C$: $E = Y^{s} m = e(g, g)^{ys} m$ and $\{E_i = g^{t_i s}\}_{\forall i \in A_C}$
  • Decryption: For $d$ attributes $i \in A_C \cap A_u$, compute $e(E_i, D_i) = e(g, g)^{p(i)s}$. Interpolate to find $Y^{s} = e(g, g)^{p(0)s} = e(g, g)^{ys}$. Then $m = E/Y^{s}$.


Multi Authority Attribute Based Encryption

Encryption
  • For attribute set $\{A^{1}_{C}, \dots, A^{N}_{C}\}$, pick $s \in_R Z_q$.
  • Return $(E_0 = m Y^{s},\ E_1 = g_2^{s},\ \{C_{k,i} = T_{k,i}^{s}\})$

Decryption
  • For each authority $k \in [1, \dots, N]$:
    – For any $d_k$ attributes $i \in A^{k}_{C} \cap A^{k}_{u}$, pair up $S_{k,i}$ and $C_{k,i}$ and compute $e(S_{k,i}, C_{k,i}) = e(g_1, g_2)^{s p_k(i)}$.
    – Interpolate all the values $e(g_1, g_2)^{s p_k(i)}$ to get $P_k = e(g_1, g_2)^{s p_k(0)} = e(g_1, g_2)^{s(v_k - \sum R_{kj})}$
  • Multiply the $P_k$'s together to get $Q = e(g_1, g_2)^{s(v_k - \sum R_u)} = Y^{s} / e(g_1^{R_u}, g_2^{s})$
  • Compute $e(D_u, E_1)\,Q = e(g_1^{R_u}, g_2^{s})\,Q = Y^{s}$
  • Recover $m$ by $E_0 / Y^{s}$


Conclusion

Contribution: Multi-authority attribute-based encryption enables a more realistic deployment of attribute-based access control.

Novelty: An attribute-based encryption scheme without the trusted authority was proposed.


Q&A

Thank you! Any questions?
