Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science. Presented by Sherley Codio.


Page 1: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

Presented by Sherley Codio

Page 2: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Application Scenario

Sharing data on distributed systems:
- Bob (FBI Head) sends a sensitive memo
- People with a set of credentials/attributes receive it

- Office: Public Corruption, City: Knoxville
- Office: Public Corruption, City: San Francisco
- Office: Public Corruption, City: Denver

Access structure for accessing this information: (“Public Corruption Office” AND (“Knoxville” OR “San Francisco”))

Page 3: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Application Scenario

Advantages of replicating data across several locations:
- Performance
- Reliability

Page 4: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Application Scenario

Disadvantage: If a server is compromised, data confidentiality is compromised

Solution: Store data in encrypted form: encrypted access control

Page 5: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Attribute-Based Encryption (ABE)

- Attribute-based encryption (ABE): a new means for encrypted access control.
- Ciphertexts are not necessarily encrypted to one particular user.
- Users’ private keys and ciphertexts are associated with a set of attributes or a policy over attributes.
- When there is a “match” between the user’s private key and the ciphertext, decryption is possible.

Page 6: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Ciphertext-Policy Attribute-Based Encryption

[Diagram: Bob sends a ciphertext labelled with an access structure over attributes; the recipient's private key is labelled with a set of attributes; match: YES]

Page 7: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Ciphertext-Policy Attribute-Based Encryption

Access Structure: monotonic access tree

[Diagram: a tree with a gate at the root, gates as interior nodes and attributes as leaves; gates labelled AND and OR]

- AND gate: n-of-n threshold gate
- OR gate: 1-of-n threshold gate

Page 8: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Ciphertext-Policy Attribute-Based Encryption

Access Structure: monotonic access tree

[Diagram: node X with two children labelled Kx=1]

Threshold gate: described by its children and a threshold value
- numx == number of children of node x
- kx == numx => AND gate
- kx == 1 => OR gate
- Leaf: kx == 1

Page 9: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Ciphertext-Policy Attribute-Based Encryption

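Satisfying an Access Tree

[Diagram: access tree T with root r (Tr == T) and the subtree Tx below node x; the children of x are labelled Kx=1]

- att(x): denotes the attribute associated with the leaf node x
- A set of attributes γ satisfies Tx => Tx(γ) == 1
- x is a non-leaf node => Tx(γ) == 1 iff at least kx children of x evaluate to 1
- x is a leaf node => Tx(γ) == 1 iff att(x) ∈ γ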

Page 10: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Difference between KP-ABE and CP-ABE

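[Diagram comparing the two schemes; in both, Bob sends a ciphertext that is matched against the recipient's private key]

- CP-ABE: the ciphertext carries an access structure over attributes; the private key carries a set of attributes
- KP-ABE: the ciphertext carries descriptive attributes; the private key carries policies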

Page 11: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

CP-ABE: Fundamental Algorithms

- Setup
- Encrypt
- Keygen
- Decrypt
- Delegate

Page 12: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

CP-ABE: Fundamental Algorithms

[Diagram: data flow between the algorithms]

- Setup (implicit security parameter) -> PK, MK
- Encrypt (PK, M, A) -> CT
- Keygen (MK, S) -> SK
- Decrypt (PK, CT, SK) -> M

Page 13: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Bilinear map

G0 and G1: two multiplicative cyclic groups of prime order p. g is a generator of G0 and e is a bilinear map, e : G0 × G0 → G1. e has the following properties:

1. Bilinearity: for all u, v ∈ G0 and a, b ∈ Zp, e(u^a, v^b) = e(u, v)^(ab).
2. Non-degeneracy: e(g, g) ≠ 1.

Page 14: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

The Setup Algorithm

Public key PK

• PK = (G0, g, h = g^β, f = g^(1/β), e(g, g)^α)

Master key MK

• MK = (β, g^α)

Page 15: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

The Encryption Algorithm

Let Y be the set of leaf nodes in T. The ciphertext is constructed by giving the tree access structure T and computing

• CT = (T, C̃ = M·e(g, g)^(αs), C = h^s, ∀y ∈ Y : Cy = g^(qy(0)), C′y = H(att(y))^(qy(0)))

Page 16: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

The Keygen Algorithm

Let r ∈ Zp and, for each j ∈ S, rj ∈ Zp. Then it computes the key as

• SK = (D = g^((α+r)/β), ∀j ∈ S : Dj = g^r · H(j)^(rj), D′j = g^(rj))

Page 17: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

The Decryption Algorithm

If x is a leaf node, i = att(x), i ∈ S

• CT = (T, C̃, C, ∀y ∈ Y : Cy, C′y)

• DecryptNode(CT, SK, x) = e(Di, Cx) / e(D′i, C′x)
    = e(g^r · H(i)^(ri), g^(qx(0))) / e(g^(ri), H(i)^(qx(0)))
    = e(g, g)^(r·qx(0))

• If i ∉ S, DecryptNode(CT, SK, x) = ⊥

Page 18: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

The Decryption Algorithm

If x is a non-leaf node

Page 19: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

The Delegate Algorithm

Delegate(SK, S̃), S̃ ⊆ S

• SK = (D, ∀j ∈ S : Dj, D′j)

• SK̃ = (D̃ = D · f^(r̃), ∀k ∈ S̃ : D̃k = Dk · g^(r̃) · H(k)^(r̃k), D̃′k = D′k · g^(r̃k))

Page 20: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

Security Intuition

- To decrypt, an attacker needs e(g, g)^(αs).
- To recover e(g, g)^(αs), C must be paired with the D component from some user’s private key.

Page 21: Ciphertext-Policy  Attribute-Based  Encryption (CP-ABE)

How is Collusion Prevented?

- e(g, g)^(αs) is blinded by e(g, g)^(rs)
- To blind e(g, g)^(αs), the correct key components are needed
- The blinding value is randomized
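
Added example (not part of the original slides): a toy Python model of the Setup, Keygen, Encrypt and Decrypt formulas above, run on the memo policy from the Application Scenario, covering both the access-tree slides and the collusion slide. It goes beyond the slides in two labelled assumptions: every group element is represented by its exponent mod a prime P (so a pairing becomes a product and a group product becomes a sum, with no security at all), and qx is taken to be a random polynomial of degree kx - 1 with q_child(0) = qx(index of child), recombined at non-leaf nodes by Lagrange interpolation, as in the Bethencourt-Sahai-Waters construction. All function and dictionary key names are chosen here.

```python
import hashlib, secrets
from math import prod
# Toy model (assumption): g^a and e(g, g)^a are stored as the exponent a mod P; insecure.
P = 2**127 - 1                                   # prime order p (constructed)
rnd = lambda: secrets.randbelow(P - 1) + 1
H = lambda a: int.from_bytes(hashlib.sha256(a.encode()).digest(), "big") % P
# The memo policy from the slides: gate = (kx, children), leaf = attribute string.
TREE = (2, ["Public Corruption Office", (1, ["Knoxville", "San Francisco"])])

def setup():
    alpha, beta = rnd(), rnd()
    return {"h": beta, "egg_alpha": alpha}, {"beta": beta, "g_alpha": alpha}

def keygen(mk, attrs):
    r, rj = rnd(), {j: rnd() for j in attrs}     # r is fresh for every key
    return {"D": (mk["g_alpha"] + r) * pow(mk["beta"], -1, P) % P,
            "Dj": {j: ((r + H(j) * rj[j]) % P, rj[j]) for j in attrs}}

def share(node, q0, path=()):
    if isinstance(node, str):                    # leaf y: (Cy, C'y)
        return {path: (q0, H(node) * q0 % P)}
    coef = [q0] + [rnd() for _ in range(node[0] - 1)]   # qx has degree kx - 1
    out = {}
    for i, kid in enumerate(node[1], 1):         # q_child(0) = qx(index of child)
        qi = sum(c * pow(i, e, P) for e, c in enumerate(coef)) % P
        out.update(share(kid, qi, path + (i,)))
    return out

def encrypt(pk, m, tree):
    s = rnd()                                    # q_root(0) = s
    return {"T": tree, "Ct": (m + pk["egg_alpha"] * s) % P,
            "C": pk["h"] * s % P, "Cy": share(tree, s)}

def decrypt_node(ct, sk, node, path=()):
    if isinstance(node, str):
        if node not in sk["Dj"]:
            return None                          # the slides' "⊥"
        (Di, Dpi), (Cx, Cpx) = sk["Dj"][node], ct["Cy"][path]
        return (Di * Cx - Dpi * Cpx) % P         # exponent r * qx(0)
    got = {i: f for i, kid in enumerate(node[1], 1)
           if (f := decrypt_node(ct, sk, kid, path + (i,))) is not None}
    if len(got) < node[0]:
        return None                              # fewer than kx children satisfied
    return sum(f * prod(-j * pow(i - j, -1, P) for j in got if j != i)
               for i, f in got.items()) % P      # Lagrange at 0: r * qx(0)

def decrypt(ct, sk):
    A = decrypt_node(ct, sk, ct["T"])            # exponent r * s, or None
    return None if A is None else (ct["Ct"] - (ct["C"] * sk["D"] - A)) % P
```

A key for {Public Corruption Office, Knoxville} recovers the message exponent and a key for {Public Corruption Office, Denver} gets None. If the Denver key is merged with the "San Francisco" component of another user's key, decrypt returns a wrong value, because the two keys were generated with different r and the blinding terms no longer cancel.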