Russell MartinAugust 9th, 2013

Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-

Based Encryption

Contents

• Introduction to CPABE

• Bilinear Pairings

• Group Selection

• Key Management

• Key Insulated CPABE

• Conclusion & Future Work

Need for Attribute Based Encryption

• Private Key Cryptosystemso AESo Single key for all users

• Identity Based Encryptiono Users given unique keyso Good for signatures, not so much encryption

• Attribute Based Encryptiono “Fuzzy” IBEo Decryption controlled by matching “d of k” attributes

CPABE

• ABE schemes are single level of control

• Fine grain access controlo Monotonic access trees

• KPABEo Access tree in user’s key, list of attributes in ciphertexto Users encrypting files have limited control of who decrypts

• CPABEo Access tree in ciphertext, list of attributes in user’s keyo Users encrypting have strong control

Access Tree

CPABE

• Five functionso Setupo Key Generationo Encryptiono Decryptiono Delegation

Bilinear Pairings

• Decisional Diffie-Hellman is easy, Computational Diffie-Hellman is hard

Bilinear Pairings

• Inputs most commonly elements of a specific elliptic curveo Restricted to r-torsion points of the curve

o r * P = O

• Computed by the Weil or Tate pairing, using Miller’s algorithmo Computation of tangent/vertical/lines between one or two points on the

curve

Setup

• Selection of bilinear group, generators, and exponentiations

Key Generation

• Generate a key for the user who possesses the list of attributes, S

Encryption

• Encrypt the message M with the access policy τo Y = Set of all leaf nodes in tree

Decryption

• Recursive decryption starting at top of treeo If leaf node, decrypt node:

Decryption

• If non-leaf node, polynomial interpolation from child node results

Decryption

• Assuming access tree satisfied, interpolation at root occured

Group Selection

• CPABE uses , a=1

• No justification for the usage or performance of this curve

• Can we do better with performance? Size? Security?

Embedding Degree

• Directly related to size and security of groups of the bilinear pairing

• Minimum value k such that , r = number of points on elliptic curve

• Ratio of size of input group to output group

• Larger embedding degree believed to be higher security

Curve Types

• Ben Lynn’s Pairing Based Cryptography Library

• Labeled as type A through Go Type B and C not implemented in library

• Types A, B, C are symmetric (supersingular)o Same group for both input elements of pairing

• Types D - G are ordinaryo Generated by the complex multiplication equation

Curve Types

• Type A - k=2, 512 bit inputs, 1024 bit outputs

• Type D (MNT Curves) - k=6, 159 bit inputs, 954 bit outputs

• Type E - k=1, 1020 bit inputs, 1020 bit outputs

• Type F (Barreto-Naehrig) - k=12, 158 bit inputs, 1896 bit outputs

• Type G - k=10, 149 bit inputs, 1490 bit outputs

Performance

• Tested key generation, encryption, and decryptiono Encryption and Decryption were over horizontal and vertical access policieso 1 to 100 attributes in each policy

o CHARM - Python library for cryptography prototyping Overhead over C implementation for CPABE

mostly in serialization & parsing

Horizontal vs Vertical Access Policy

Performance - Key Generation

Performance - Horizontal Encryption

Performance - Vertical Encryption

Performance - Horizontal Decryption

Performance - Vertical Decryption

Performance

• Operation Breakdown:

Performance

Operations per function: Key Generation - Multiplications and

exponentiations , 1:2 ratio Encryption - Multiplications and exponentiations,

3:1 ratio Decryption - All operations, focused in output

group Pairings take up majority of CPU time

Size

• Key • Ciphertext

Performance Summary

• Type F - Fastest encryption & key gen, slowest decryption

• Minor differences in horizontal vs. vertical access policies

• Type G performance is not recommended

• Type D is close to type E, but both slower than type A

• Type F has the smallest keys, type D has the smallest ciphertexts

• Focus on optimizations to pairing operation

Pairings Outside of Elliptic Curves

• RSA is possible, by using exponentiation as the pairing functiono Still requires normal comparable security sizes - EC vs RSA

• Hyperelliptic curveso Higher embedding degree is not worth additional complexity

• Vector of integerso Again, restricted to integer sizes (RSA)

Key Management

• CPABE wants to not use trusted serverso No access control outside of ciphertext

• Revocation & renewal difficulto Want immediate revocation of full keyso Minimize overhead in renewal

• Focus on full key revocation, not attribute

Key Management Possibilities

• Key expiration dateo Adds many more attributes due to numeric attributes and timestamps

• Proxy Keyo Additional pairings, and still direct communication with proxy server

• User Blacklisto Requires to be done by user encrypting files

• Hierarchical Access Roleso Large overhead, need to control number of unique values

Key Insulated ABE

• Temporary keys based on a time period

• Revocation is not immediateo Must wait until end of time period

• Pseudorandom function with identity as seedo Get next value for the next time period

• Users given helper keyo Updates current key to valid key for next value

Key Insulated CPABE

• Replace random r value in users’ keys with a pseudorandom value k

• Setup - same as CPABE, except with definition of pseudorandom and hash functions

• Key Generation:

Key Insulated CPABE

• Helper Update:

o Additional value here due to gα and β private

• User Update:

Key Insulated CPABE

• Encryption:

Key Insulated CPABE

• Decryption:

• Interpolation - no change

• Final Decryption:

Performance

• No changes to number of operations during pairings

• Additional multiplications and hashings to handle T() in encryption/key generationo Equivalent of an additional attribute in key generation

• User needs to perform multiplication for each attribute during update

Size

• 3 values, all in the input group

• Largest in type A pairing - 1536 bits

Security

• Security of revocation directly linked to security of pseudorandom functiono If users can compute k values, they can generate any keys

• Outside of this, same security claims as CPABE

• No need to hide details of T() functiono Needed for encryption

Disadvantages

• How to handle previous time periodso Users keep old keys - large storage overheado Force rencryption of files after number of time periods?

• How to handle new userso Would not have previous keys, no access to previous files

• Application depedento Broadcast schemes work well for this

Conclusion

• Type F curves provide fastest key generation and encryption for CPABEo Limited in decryption due to large output groupso Type A curves provide best decryption times

• Key Insulated CPABE allows non-immediate revocation at low overheado Security same as CPABEo Issues with storage of multiple keys

Future Work

• Other pairing libraries (MIRACL)

• Optimizations to operations

• Comparison of KICPABE to other broadcast revocation schemes

• Security of KICPABE under other modified CPABE models