Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection...
-
Upload
genevieve-tulley -
Category
Documents
-
view
214 -
download
1
Transcript of Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection...
![Page 1: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/1.jpg)
Russell MartinAugust 9th, 2013
Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-
Based Encryption
![Page 2: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/2.jpg)
Contents
• Introduction to CPABE
• Bilinear Pairings
• Group Selection
• Key Management
• Key Insulated CPABE
• Conclusion & Future Work
![Page 3: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/3.jpg)
Need for Attribute Based Encryption
• Private Key Cryptosystemso AESo Single key for all users
• Identity Based Encryptiono Users given unique keyso Good for signatures, not so much encryption
• Attribute Based Encryptiono “Fuzzy” IBEo Decryption controlled by matching “d of k” attributes
![Page 4: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/4.jpg)
CPABE
• ABE schemes are single level of control
• Fine grain access controlo Monotonic access trees
• KPABEo Access tree in user’s key, list of attributes in ciphertexto Users encrypting files have limited control of who decrypts
• CPABEo Access tree in ciphertext, list of attributes in user’s keyo Users encrypting have strong control
![Page 5: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/5.jpg)
Access Tree
![Page 6: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/6.jpg)
CPABE
• Five functionso Setupo Key Generationo Encryptiono Decryptiono Delegation
![Page 7: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/7.jpg)
Bilinear Pairings
• Decisional Diffie-Hellman is easy, Computational Diffie-Hellman is hard
![Page 8: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/8.jpg)
Bilinear Pairings
• Inputs most commonly elements of a specific elliptic curveo Restricted to r-torsion points of the curve
o r * P = O
• Computed by the Weil or Tate pairing, using Miller’s algorithmo Computation of tangent/vertical/lines between one or two points on the
curve
![Page 9: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/9.jpg)
Setup
• Selection of bilinear group, generators, and exponentiations
![Page 10: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/10.jpg)
Key Generation
• Generate a key for the user who possesses the list of attributes, S
![Page 11: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/11.jpg)
Encryption
• Encrypt the message M with the access policy τo Y = Set of all leaf nodes in tree
![Page 12: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/12.jpg)
Decryption
• Recursive decryption starting at top of treeo If leaf node, decrypt node:
![Page 13: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/13.jpg)
Decryption
• If non-leaf node, polynomial interpolation from child node results
![Page 14: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/14.jpg)
Decryption
• Assuming access tree satisfied, interpolation at root occured
![Page 15: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/15.jpg)
Group Selection
• CPABE uses , a=1
• No justification for the usage or performance of this curve
• Can we do better with performance? Size? Security?
![Page 16: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/16.jpg)
Embedding Degree
• Directly related to size and security of groups of the bilinear pairing
• Minimum value k such that , r = number of points on elliptic curve
• Ratio of size of input group to output group
• Larger embedding degree believed to be higher security
![Page 17: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/17.jpg)
Curve Types
• Ben Lynn’s Pairing Based Cryptography Library
• Labeled as type A through Go Type B and C not implemented in library
• Types A, B, C are symmetric (supersingular)o Same group for both input elements of pairing
• Types D - G are ordinaryo Generated by the complex multiplication equation
![Page 18: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/18.jpg)
Curve Types
• Type A - k=2, 512 bit inputs, 1024 bit outputs
• Type D (MNT Curves) - k=6, 159 bit inputs, 954 bit outputs
• Type E - k=1, 1020 bit inputs, 1020 bit outputs
• Type F (Barreto-Naehrig) - k=12, 158 bit inputs, 1896 bit outputs
• Type G - k=10, 149 bit inputs, 1490 bit outputs
![Page 19: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/19.jpg)
Performance
• Tested key generation, encryption, and decryptiono Encryption and Decryption were over horizontal and vertical access policieso 1 to 100 attributes in each policy
o CHARM - Python library for cryptography prototyping Overhead over C implementation for CPABE
mostly in serialization & parsing
![Page 20: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/20.jpg)
Horizontal vs Vertical Access Policy
![Page 21: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/21.jpg)
Performance - Key Generation
![Page 22: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/22.jpg)
Performance - Horizontal Encryption
![Page 23: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/23.jpg)
Performance - Vertical Encryption
![Page 24: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/24.jpg)
Performance - Horizontal Decryption
![Page 25: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/25.jpg)
Performance - Vertical Decryption
![Page 26: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/26.jpg)
Performance
• Operation Breakdown:
![Page 27: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/27.jpg)
Performance
Operations per function: Key Generation - Multiplications and
exponentiations , 1:2 ratio Encryption - Multiplications and exponentiations,
3:1 ratio Decryption - All operations, focused in output
group Pairings take up majority of CPU time
![Page 28: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/28.jpg)
Size
• Key • Ciphertext
![Page 29: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/29.jpg)
Performance Summary
• Type F - Fastest encryption & key gen, slowest decryption
• Minor differences in horizontal vs. vertical access policies
• Type G performance is not recommended
• Type D is close to type E, but both slower than type A
• Type F has the smallest keys, type D has the smallest ciphertexts
• Focus on optimizations to pairing operation
![Page 30: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/30.jpg)
Pairings Outside of Elliptic Curves
• RSA is possible, by using exponentiation as the pairing functiono Still requires normal comparable security sizes - EC vs RSA
• Hyperelliptic curveso Higher embedding degree is not worth additional complexity
• Vector of integerso Again, restricted to integer sizes (RSA)
![Page 31: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/31.jpg)
Key Management
• CPABE wants to not use trusted serverso No access control outside of ciphertext
• Revocation & renewal difficulto Want immediate revocation of full keyso Minimize overhead in renewal
• Focus on full key revocation, not attribute
![Page 32: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/32.jpg)
Key Management Possibilities
• Key expiration dateo Adds many more attributes due to numeric attributes and timestamps
• Proxy Keyo Additional pairings, and still direct communication with proxy server
• User Blacklisto Requires to be done by user encrypting files
• Hierarchical Access Roleso Large overhead, need to control number of unique values
![Page 33: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/33.jpg)
Key Insulated ABE
• Temporary keys based on a time period
• Revocation is not immediateo Must wait until end of time period
• Pseudorandom function with identity as seedo Get next value for the next time period
• Users given helper keyo Updates current key to valid key for next value
![Page 34: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/34.jpg)
Key Insulated CPABE
• Replace random r value in users’ keys with a pseudorandom value k
• Setup - same as CPABE, except with definition of pseudorandom and hash functions
• Key Generation:
![Page 35: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/35.jpg)
Key Insulated CPABE
• Helper Update:
o Additional value here due to gα and β private
• User Update:
![Page 36: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/36.jpg)
Key Insulated CPABE
• Encryption:
![Page 37: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/37.jpg)
Key Insulated CPABE
• Decryption:
• Interpolation - no change
• Final Decryption:
![Page 38: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/38.jpg)
Performance
• No changes to number of operations during pairings
• Additional multiplications and hashings to handle T() in encryption/key generationo Equivalent of an additional attribute in key generation
• User needs to perform multiplication for each attribute during update
![Page 39: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/39.jpg)
Size
• 3 values, all in the input group
• Largest in type A pairing - 1536 bits
![Page 40: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/40.jpg)
Security
• Security of revocation directly linked to security of pseudorandom functiono If users can compute k values, they can generate any keys
• Outside of this, same security claims as CPABE
• No need to hide details of T() functiono Needed for encryption
![Page 41: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/41.jpg)
Disadvantages
• How to handle previous time periodso Users keep old keys - large storage overheado Force rencryption of files after number of time periods?
• How to handle new userso Would not have previous keys, no access to previous files
• Application depedento Broadcast schemes work well for this
![Page 42: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/42.jpg)
Conclusion
• Type F curves provide fastest key generation and encryption for CPABEo Limited in decryption due to large output groupso Type A curves provide best decryption times
• Key Insulated CPABE allows non-immediate revocation at low overheado Security same as CPABEo Issues with storage of multiple keys
![Page 43: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.](https://reader030.fdocuments.us/reader030/viewer/2022032516/56649c7e5503460f94933eee/html5/thumbnails/43.jpg)
Future Work
• Other pairing libraries (MIRACL)
• Optimizations to operations
• Comparison of KICPABE to other broadcast revocation schemes
• Security of KICPABE under other modified CPABE models