Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection...
-
Upload
genevieve-tulley -
Category
Documents
-
view
214 -
download
1
Transcript of Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection...
Russell MartinAugust 9th, 2013
Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-
Based Encryption
Contents
• Introduction to CPABE
• Bilinear Pairings
• Group Selection
• Key Management
• Key Insulated CPABE
• Conclusion & Future Work
Need for Attribute Based Encryption
• Private Key Cryptosystemso AESo Single key for all users
• Identity Based Encryptiono Users given unique keyso Good for signatures, not so much encryption
• Attribute Based Encryptiono “Fuzzy” IBEo Decryption controlled by matching “d of k” attributes
CPABE
• ABE schemes are single level of control
• Fine grain access controlo Monotonic access trees
• KPABEo Access tree in user’s key, list of attributes in ciphertexto Users encrypting files have limited control of who decrypts
• CPABEo Access tree in ciphertext, list of attributes in user’s keyo Users encrypting have strong control
Access Tree
CPABE
• Five functionso Setupo Key Generationo Encryptiono Decryptiono Delegation
Bilinear Pairings
• Decisional Diffie-Hellman is easy, Computational Diffie-Hellman is hard
Bilinear Pairings
• Inputs most commonly elements of a specific elliptic curveo Restricted to r-torsion points of the curve
o r * P = O
• Computed by the Weil or Tate pairing, using Miller’s algorithmo Computation of tangent/vertical/lines between one or two points on the
curve
Setup
• Selection of bilinear group, generators, and exponentiations
Key Generation
• Generate a key for the user who possesses the list of attributes, S
Encryption
• Encrypt the message M with the access policy τo Y = Set of all leaf nodes in tree
Decryption
• Recursive decryption starting at top of treeo If leaf node, decrypt node:
Decryption
• If non-leaf node, polynomial interpolation from child node results
Decryption
• Assuming access tree satisfied, interpolation at root occured
Group Selection
• CPABE uses , a=1
• No justification for the usage or performance of this curve
• Can we do better with performance? Size? Security?
Embedding Degree
• Directly related to size and security of groups of the bilinear pairing
• Minimum value k such that , r = number of points on elliptic curve
• Ratio of size of input group to output group
• Larger embedding degree believed to be higher security
Curve Types
• Ben Lynn’s Pairing Based Cryptography Library
• Labeled as type A through Go Type B and C not implemented in library
• Types A, B, C are symmetric (supersingular)o Same group for both input elements of pairing
• Types D - G are ordinaryo Generated by the complex multiplication equation
Curve Types
• Type A - k=2, 512 bit inputs, 1024 bit outputs
• Type D (MNT Curves) - k=6, 159 bit inputs, 954 bit outputs
• Type E - k=1, 1020 bit inputs, 1020 bit outputs
• Type F (Barreto-Naehrig) - k=12, 158 bit inputs, 1896 bit outputs
• Type G - k=10, 149 bit inputs, 1490 bit outputs
Performance
• Tested key generation, encryption, and decryptiono Encryption and Decryption were over horizontal and vertical access policieso 1 to 100 attributes in each policy
o CHARM - Python library for cryptography prototyping Overhead over C implementation for CPABE
mostly in serialization & parsing
Horizontal vs Vertical Access Policy
Performance - Key Generation
Performance - Horizontal Encryption
Performance - Vertical Encryption
Performance - Horizontal Decryption
Performance - Vertical Decryption
Performance
• Operation Breakdown:
Performance
Operations per function: Key Generation - Multiplications and
exponentiations , 1:2 ratio Encryption - Multiplications and exponentiations,
3:1 ratio Decryption - All operations, focused in output
group Pairings take up majority of CPU time
Size
• Key • Ciphertext
Performance Summary
• Type F - Fastest encryption & key gen, slowest decryption
• Minor differences in horizontal vs. vertical access policies
• Type G performance is not recommended
• Type D is close to type E, but both slower than type A
• Type F has the smallest keys, type D has the smallest ciphertexts
• Focus on optimizations to pairing operation
Pairings Outside of Elliptic Curves
• RSA is possible, by using exponentiation as the pairing functiono Still requires normal comparable security sizes - EC vs RSA
• Hyperelliptic curveso Higher embedding degree is not worth additional complexity
• Vector of integerso Again, restricted to integer sizes (RSA)
Key Management
• CPABE wants to not use trusted serverso No access control outside of ciphertext
• Revocation & renewal difficulto Want immediate revocation of full keyso Minimize overhead in renewal
• Focus on full key revocation, not attribute
Key Management Possibilities
• Key expiration dateo Adds many more attributes due to numeric attributes and timestamps
• Proxy Keyo Additional pairings, and still direct communication with proxy server
• User Blacklisto Requires to be done by user encrypting files
• Hierarchical Access Roleso Large overhead, need to control number of unique values
Key Insulated ABE
• Temporary keys based on a time period
• Revocation is not immediateo Must wait until end of time period
• Pseudorandom function with identity as seedo Get next value for the next time period
• Users given helper keyo Updates current key to valid key for next value
Key Insulated CPABE
• Replace random r value in users’ keys with a pseudorandom value k
• Setup - same as CPABE, except with definition of pseudorandom and hash functions
• Key Generation:
Key Insulated CPABE
• Helper Update:
o Additional value here due to gα and β private
• User Update:
Key Insulated CPABE
• Encryption:
Key Insulated CPABE
• Decryption:
• Interpolation - no change
• Final Decryption:
Performance
• No changes to number of operations during pairings
• Additional multiplications and hashings to handle T() in encryption/key generationo Equivalent of an additional attribute in key generation
• User needs to perform multiplication for each attribute during update
Size
• 3 values, all in the input group
• Largest in type A pairing - 1536 bits
Security
• Security of revocation directly linked to security of pseudorandom functiono If users can compute k values, they can generate any keys
• Outside of this, same security claims as CPABE
• No need to hide details of T() functiono Needed for encryption
Disadvantages
• How to handle previous time periodso Users keep old keys - large storage overheado Force rencryption of files after number of time periods?
• How to handle new userso Would not have previous keys, no access to previous files
• Application depedento Broadcast schemes work well for this
Conclusion
• Type F curves provide fastest key generation and encryption for CPABEo Limited in decryption due to large output groupso Type A curves provide best decryption times
• Key Insulated CPABE allows non-immediate revocation at low overheado Security same as CPABEo Issues with storage of multiple keys
Future Work
• Other pairing libraries (MIRACL)
• Optimizations to operations
• Comparison of KICPABE to other broadcast revocation schemes
• Security of KICPABE under other modified CPABE models