Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection...

43
Russell Martin August 9th, 2013 Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption

Transcript of Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection...

Page 1: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Russell MartinAugust 9th, 2013

Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-

Based Encryption

Page 2: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Contents

• Introduction to CPABE

• Bilinear Pairings

• Group Selection

• Key Management

• Key Insulated CPABE

• Conclusion & Future Work

Page 3: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Need for Attribute Based Encryption

• Private Key Cryptosystemso AESo Single key for all users

• Identity Based Encryptiono Users given unique keyso Good for signatures, not so much encryption

• Attribute Based Encryptiono “Fuzzy” IBEo Decryption controlled by matching “d of k” attributes

Page 4: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

CPABE

• ABE schemes are single level of control

• Fine grain access controlo Monotonic access trees

• KPABEo Access tree in user’s key, list of attributes in ciphertexto Users encrypting files have limited control of who decrypts

• CPABEo Access tree in ciphertext, list of attributes in user’s keyo Users encrypting have strong control

Page 5: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Access Tree

Page 6: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

CPABE

• Five functionso Setupo Key Generationo Encryptiono Decryptiono Delegation

Page 7: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Bilinear Pairings

• Decisional Diffie-Hellman is easy, Computational Diffie-Hellman is hard

Page 8: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Bilinear Pairings

• Inputs most commonly elements of a specific elliptic curveo Restricted to r-torsion points of the curve

o r * P = O

• Computed by the Weil or Tate pairing, using Miller’s algorithmo Computation of tangent/vertical/lines between one or two points on the

curve

Page 9: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Setup

• Selection of bilinear group, generators, and exponentiations

Page 10: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Key Generation

• Generate a key for the user who possesses the list of attributes, S

Page 11: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Encryption

• Encrypt the message M with the access policy τo Y = Set of all leaf nodes in tree

Page 12: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Decryption

• Recursive decryption starting at top of treeo If leaf node, decrypt node:

Page 13: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Decryption

• If non-leaf node, polynomial interpolation from child node results

Page 14: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Decryption

• Assuming access tree satisfied, interpolation at root occured

Page 15: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Group Selection

• CPABE uses , a=1

• No justification for the usage or performance of this curve

• Can we do better with performance? Size? Security?

Page 16: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Embedding Degree

• Directly related to size and security of groups of the bilinear pairing

• Minimum value k such that , r = number of points on elliptic curve

• Ratio of size of input group to output group

• Larger embedding degree believed to be higher security

Page 17: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Curve Types

• Ben Lynn’s Pairing Based Cryptography Library

• Labeled as type A through Go Type B and C not implemented in library

• Types A, B, C are symmetric (supersingular)o Same group for both input elements of pairing

• Types D - G are ordinaryo Generated by the complex multiplication equation

Page 18: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Curve Types

• Type A - k=2, 512 bit inputs, 1024 bit outputs

• Type D (MNT Curves) - k=6, 159 bit inputs, 954 bit outputs

• Type E - k=1, 1020 bit inputs, 1020 bit outputs

• Type F (Barreto-Naehrig) - k=12, 158 bit inputs, 1896 bit outputs

• Type G - k=10, 149 bit inputs, 1490 bit outputs

Page 19: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Performance

• Tested key generation, encryption, and decryptiono Encryption and Decryption were over horizontal and vertical access policieso 1 to 100 attributes in each policy

o CHARM - Python library for cryptography prototyping Overhead over C implementation for CPABE

mostly in serialization & parsing

Page 20: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Horizontal vs Vertical Access Policy

Page 21: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Performance - Key Generation

Page 22: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Performance - Horizontal Encryption

Page 23: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Performance - Vertical Encryption

Page 24: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Performance - Horizontal Decryption

Page 25: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Performance - Vertical Decryption

Page 26: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Performance

• Operation Breakdown:

Page 27: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Performance

Operations per function: Key Generation - Multiplications and

exponentiations , 1:2 ratio Encryption - Multiplications and exponentiations,

3:1 ratio Decryption - All operations, focused in output

group Pairings take up majority of CPU time

Page 28: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Size

• Key • Ciphertext

Page 29: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Performance Summary

• Type F - Fastest encryption & key gen, slowest decryption

• Minor differences in horizontal vs. vertical access policies

• Type G performance is not recommended

• Type D is close to type E, but both slower than type A

• Type F has the smallest keys, type D has the smallest ciphertexts

• Focus on optimizations to pairing operation

Page 30: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Pairings Outside of Elliptic Curves

• RSA is possible, by using exponentiation as the pairing functiono Still requires normal comparable security sizes - EC vs RSA

• Hyperelliptic curveso Higher embedding degree is not worth additional complexity

• Vector of integerso Again, restricted to integer sizes (RSA)

Page 31: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Key Management

• CPABE wants to not use trusted serverso No access control outside of ciphertext

• Revocation & renewal difficulto Want immediate revocation of full keyso Minimize overhead in renewal

• Focus on full key revocation, not attribute

Page 32: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Key Management Possibilities

• Key expiration dateo Adds many more attributes due to numeric attributes and timestamps

• Proxy Keyo Additional pairings, and still direct communication with proxy server

• User Blacklisto Requires to be done by user encrypting files

• Hierarchical Access Roleso Large overhead, need to control number of unique values

Page 33: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Key Insulated ABE

• Temporary keys based on a time period

• Revocation is not immediateo Must wait until end of time period

• Pseudorandom function with identity as seedo Get next value for the next time period

• Users given helper keyo Updates current key to valid key for next value

Page 34: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Key Insulated CPABE

• Replace random r value in users’ keys with a pseudorandom value k

• Setup - same as CPABE, except with definition of pseudorandom and hash functions

• Key Generation:

Page 35: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Key Insulated CPABE

• Helper Update:

o Additional value here due to gα and β private

• User Update:

Page 36: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Key Insulated CPABE

• Encryption:

Page 37: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Key Insulated CPABE

• Decryption:

• Interpolation - no change

• Final Decryption:

Page 38: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Performance

• No changes to number of operations during pairings

• Additional multiplications and hashings to handle T() in encryption/key generationo Equivalent of an additional attribute in key generation

• User needs to perform multiplication for each attribute during update

Page 39: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Size

• 3 values, all in the input group

• Largest in type A pairing - 1536 bits

Page 40: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Security

• Security of revocation directly linked to security of pseudorandom functiono If users can compute k values, they can generate any keys

• Outside of this, same security claims as CPABE

• No need to hide details of T() functiono Needed for encryption

Page 41: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Disadvantages

• How to handle previous time periodso Users keep old keys - large storage overheado Force rencryption of files after number of time periods?

• How to handle new userso Would not have previous keys, no access to previous files

• Application depedento Broadcast schemes work well for this

Page 42: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Conclusion

• Type F curves provide fastest key generation and encryption for CPABEo Limited in decryption due to large output groupso Type A curves provide best decryption times

• Key Insulated CPABE allows non-immediate revocation at low overheado Security same as CPABEo Issues with storage of multiple keys

Page 43: Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Future Work

• Other pairing libraries (MIRACL)

• Optimizations to operations

• Comparison of KICPABE to other broadcast revocation schemes

• Security of KICPABE under other modified CPABE models