Upload
tadhg
View
34
Download
0
Embed Size (px)
DESCRIPTION
Improving Privacy and Security in Multi-Authority Attribute-Based Encryption. Advanced Information Security April 6, 2010 Presenter: Semin Kim. Overview. History of Attribute-Based Encryption Introduction of Paper Single Authority ABE Multi Authority ABE Conclusions. Overview. - PowerPoint PPT Presentation
Citation preview
Improving Privacy and Security in Multi-Authority Attribute-Based Encryption
Advanced Information SecurityApril 6, 2010
Presenter: Semin Kim
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-2/19-
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-3/19-
History of Attributed-Based Encryption
1977, RSA Rivest, Shamir and Adleman Public/Private(Secret) Key
1985, IBE(Identity-Based Encryption) Shamir Allows for a sender to encrypt message to an identity
without access to a public key certificate
-4/19-
Encrypted byAddress, Name
History of Attributed-Based Encryption
2005, Fuzzy IBE Sahai and Waters A user having identity ω can decrypt a ciphertext with
public key ω’. (|ω – ω’| < threshold distance) Two interesting new applications
• Uses biometric identities.– Ex) a fingerprint of human can be
changeable by pressure, angle and noisy
• Attributed-Based Encryption (ABE)– Suppose that a party wish to encrypt a document to all users that have
a certain set of attributes– Ex) {School, Department, Course}
-> {KAIST, ICE, Ph.D}
-5/19-
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-6/19-
Introduction of paper
Title Improving Privacy and Security in Multi-Authority Attribute-
Based Encryption
Conference In CCS'09: Proceedings of the 16th ACM conference on
Computer and communications security. ACM, New York, NY, USA, 2009
Authors Melissa Chase (Microsoft Research) Sherman S.M. Chow (New York University)
-7/19-
Background of paper
Motivation In single authority Attribute-Based Encryption (ABE),
there exist only one trusted server who monitors all at-tributes.
However, this may not be entirely realistic.
Goal To provide an efficient scheme to resolve the above
problem by multi-authority ABE
-8/23-
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-9/19-
Preliminaries
Basic Idea of ABE Attributes of Human are different and changeable. Thus, it is difficult to find a perfect set of attributes ac-
cording to various situations.
-10/23-
SoccerActionRedReading
SoccerRedReading
A B
SoccerDramaBlueMusic
Preliminaries
Lagrange Polynomial (from Wikipedia)
-11/23-
Single Authority ABE
Step One – Feldman Verifiable Secret Sharing Init: First fix y ← Zq, where q is a prime. Secret Key (SK) for user u:
Choose a random polynomial p such that p(0) = y and the degree of p is d-1. SK: {Di = gp(i)} i A∀ ∈ u ,where Au is a attribute set of user u and g is a costant
Encryption: E = gym, where m is a message Decryption: Use d SK elements Di to interpolate to
obtain Y = gp(0) = gy. Then m = E/Y
-12/23-
Single Authority ABE
Step Two – Specifying Attributes Let G1 be a cyclic multiplicative group of prime order q
generated by g. Let e(•, •) be a bilinear map such that g G1, and a, b ∈ ∈
Zq, e(ga, gb) = e(g, g)ab
Init: First fix y, t1,…,tn ←Zq, Let Y = e(g, g)y
SK for user u: Choose a random polynomial p such that p(0) = y. . SK: {Di = gp(i)/ti} i A∀ ∈ u
Encryption for attribute set Ac: E=Ym and {Ei = gti} i A∀ ∈ C
Decryption: For d attributes i A∈ c∩Au, compute e(Ei, Di) = e(g, g)p(i). Interpolate to find Y = e(g, g)p(0) = e(g, g)y.Then m = E/Y.
-13/23-
Single Authority ABE
Step Three – Multiple Encryptions To encrypt multiple times without the decryptor needing to get a
new secret key each time. Init: First fix y, t1, …, tn ← Zq. Public Key (PK) for system: T1 = gt1 … Tn = gtn, Y = e(g, g)y.
PK = {Ti}1 ≤ I ≤ n,Y SK for user u: Choose a random polynomial p such that p(0) =
y. SK: {Di = gp(i)/ti} i A∀ ∈ u
Encryption for attribute set Ac: E=Ys=e(g, g)ysm and {Ei = gtis} i A∀ ∈ C
Decryption: For d attributes i A∈ c∩Au, compute e(Ei, Di) = e(g, g)p(i)s. Interpolate to find Ys = e(g, g)p(0)s = e(g, g)ys.Then m = E/Ys.
-14/23-
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-15/19-
Multi Authority Attribute Based Encryption
Encryption Attribute Set {A1
C, …, ANC), pick s R Zq.∈
Return (E0 = mYs, E1 = g2s, {Ck, i = Ts
k,i}
Decryption For each authority k [1, …, N]∈
• For any dk attributes i A∈ kC ∩ Ak
u, pair up Sk,i and Ck,i compute e(Sk,i, Ck,i) = e(g1, g2)spk(i).
• Interpolate all the values e(g1, g2)spk(i) to get Pk = e(g1, g2)spk(i) = e(g1, g2)s(vk-
∑Rkj)
Multiply Pk’s together to get Q = e(g1, g2)s(vk- ∑Ru) = Ys/ e(g1Ru, g2
s) Compute e(Du, E1)Q = e(g1
Ru, g2s)Q = Ys
Recover m by E0/Ys
-16/23-
Overview
History of Attribute-Based Encryption
Introduction of Paper
Single Authority ABE
Multi Authority ABE
Conclusions
-17/19-
Conclusion
Contribution Multi-authority attributed-based encryption enables a
more realistic deployment of attribute-based access control.
Novelty An attribute-based encryption scheme without the
trusted authority was proposed
-18/19-
Q&A
Thank you! Any questions?
-19/19-