Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

Transcription

1 Ciphertext-Policy Attribute-Based Encryption (CP-ABE) Presented by Sherley Codio Fall, Privacy&Security - Virginia Tech Computer Science

2 Application Scenario Sharing data on distributed systems Bob sends a sensitive memo People with a set of credentials/attributes receives it Office: Public Corruption City: Knoxville Bob FBI Head Office: Public Corruption City: Denver Access structure for accessing this information: (( Public Corruption Office AND ( Knoxville OR San Francisco )) Office: Public Corruption City: San Francisco Fall, Privacy&Security - Virginia Tech Computer Science 2

3 Application Scenario Advantages of replicating data across several locations: - Performance - Reliability Fall, Privacy&Security - Virginia Tech Computer Science 3

4 Application Scenario Disadvantage: If a server is compromised, data confidentiality is compromised Solution: Store data in encrypted form: Encrypted access control Fall, Privacy&Security - Virginia Tech Computer Science 4

5 Attribute-Based Encryption (ABE) Attribute-based encryption (ABE): New means for encrypted access control. Ciphertexts not necessarily encrypted to one particular user. Users private keys and ciphertexts associated with a set of attributes or a policy over attributes. A match between user s private key and the ciphertext, decryption is possible. Fall, Privacy&Security - Virginia Tech Computer Science 5

6 Ciphertext-Policy Attribute-Based Encryption Bob ciphertext Access Structure over attributes Sends Private Key Set of attributes Y E S Fall, Privacy&Security - Virginia Tech Computer Science 6

7 Ciphertext-Policy Attribute-Based Encryption Access Structure: monotonic access Tree Gate Gate AND Gate OR Attribute Attribute Attribute AND gate: n-of-n threshold gates OR gate: 1-of-n threshold gates Fall, Privacy&Security - Virginia Tech Computer Science 7

8 Ciphertext-Policy Attribute-Based Encryption Access Structure: monotonic access Tree X Kx=1 Kx=1 numx == number of children of X kx == numx => AND gate kx== 1 => OR gate Leaf: k == 1 Threshold gate: Described by children and threshold value Fall, Privacy&Security - Virginia Tech Computer Science 8

9 Ciphertext-Policy Attribute-Based Encryption Satisfying an Access Tree r Tr == T x Tx Kx=1 Kx=1 att(x): denotes the attribute associated with the leaf node x γ set of attributes => Tx(γ) == 1 Tx(γ) == 1 iff at least kx == 1 x is a leaf node => then Tx(γ)== 1 iff att(x) γ Fall, Privacy&Security - Virginia Tech Computer Science 9

10 Difference between KP-ABE and CP-ABE KP-ABE ciphertext Sends Private Key Bob Descriptive attributes Policies CP-ABE ciphertext Private Key Set of attributes Bob Access Structure over attributes Sends Y E S Fall, Privacy&Security - Virginia Tech Computer Science 10

11 CP-ABE: Fundamental Algorithms Setup Encrypt Keygen Decrypt Delegate Fall, Privacy&Security - Virginia Tech Computer Science 11

12 CP-ABE: Fundamental Algorithms Implicit security parameter M Setup PK Encrypt A S MK Keygen PK SK CT Decrypt M Fall, Privacy&Security 12 - Virginia Tech Computer Science

13 Bilinear map G0 and G1: two multiplicative cyclic groups of prime order p. g a generator of G0 and e a bilinear map, e : G0 G0 G1. e has the following properties: 1. Bilinearity: for all u, v G0 and a, b Zp, e(u^a, v^b) = e(u, v)^ab. 2. Non-degeneracy: e(g, g) =/ 1 Fall, Privacy&Security - Virginia Tech Computer Science 13

14 The Setup Algorithm Public Key PK PK = G0, g, h = g^β, f = g^1/β, e(g, g)^α Master key MK (β, g^α) Fall, Privacy&Security - Virginia Tech Computer Science 14

15 The Encryption Algorithm Let, Y be the set of leaf nodes in T. The ciphertext is constructed by giving the tree access structure T and computing CT =T, C = Me(g, g)^αs, C = h^s, y Y : Cy = g^qy (0), C y = H(att(y))^qy (0) Fall, Privacy&Security - Virginia Tech Computer Science 15

16 The Keygen Algorithm Let r Zp, rj Zp, j S. Then it computes the key as SK = (D = g^(α+r)/β, j S : Dj = g^r. H(j)^rj, D j = g^rj) Fall, Privacy&Security - Virginia Tech Computer Science 16

17 The Decryption Algorithm I x is a leaf node, i = att(x), i S CT = (T, C, C, y Y : Cy, C ) DecryptNode(CT, SK, x) =e(di, Cx)/e(D i, C x) =e(g^r. H(i)^ri, g^qx(0))/e(g^ri, H(i)^qx(0) == e(g, g)^rqx(0) If i / S DecryptNode(CT, SK, x) = Fall, Privacy&Security - Virginia Tech Computer Science 17

18 The Decryption Algorithm I x is a non-leaf node Fall, Privacy&Security - Virginia Tech Computer Science 18

19 The Delegate algorithm Delegate( SK, S ), S S SK = (D, j S : Dj, D j) SK = (D = Df^r, k S : D k = Dkg^r H(k)^r k, D k = D kg^r k) Fall, Privacy&Security - Virginia Tech Computer Science 19

20 Security Intuition To decrypt an attacker needs e(g, g)^αs To recover e(g, g)^αs, C must be paired with the D component from some user s private key. Fall, Privacy&Security - Virginia Tech Computer Science 20

21 How is Collusion Prevented? e(g, g)^αs is blinded e(g, g)^rs To blind e(g, g)^αs, correct key components needed blinding value is randomized Fall, Privacy&Security - Virginia Tech Computer Science 21