1 / 43

Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption

Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption. Russell Martin August 9th, 2013. Contents. Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future Work.

cid
Télécharger la présentation

Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption Russell Martin August 9th, 2013

  2. Contents • Introduction to CPABE • Bilinear Pairings • Group Selection • Key Management • Key Insulated CPABE • Conclusion & Future Work

  3. Need for Attribute Based Encryption • Private Key Cryptosystems • AES • Single key for all users • Identity Based Encryption • Users given unique keys • Good for signatures, not so much encryption • Attribute Based Encryption • “Fuzzy” IBE • Decryption controlled by matching “d of k” attributes

  4. CPABE • ABE schemes are single level of control • Fine grain access control • Monotonic access trees • KPABE • Access tree in user’s key, list of attributes in ciphertext • Users encrypting files have limited control of who decrypts • CPABE • Access tree in ciphertext, list of attributes in user’s key • Users encrypting have strong control

  5. Access Tree

  6. CPABE • Five functions • Setup • Key Generation • Encryption • Decryption • Delegation

  7. Bilinear Pairings • Decisional Diffie-Hellman is easy, Computational Diffie-Hellman is hard

  8. Bilinear Pairings • Inputs most commonly elements of a specific elliptic curve • Restricted to r-torsion points of the curve • r * P = O • Computed by the Weil or Tate pairing, using Miller’s algorithm • Computation of tangent/vertical/lines between one or two points on the curve

  9. Setup • Selection of bilinear group, generators, and exponentiations

  10. Key Generation • Generate a key for the user who possesses the list of attributes, S

  11. Encryption • Encrypt the message M with the access policy τ • Y = Set of all leaf nodes in tree

  12. Decryption • Recursive decryption starting at top of tree • If leaf node, decrypt node:

  13. Decryption • If non-leaf node, polynomial interpolation from child node results

  14. Decryption • Assuming access tree satisfied, interpolation at root occured

  15. Group Selection • CPABE uses , a=1 • No justification for the usage or performance of this curve • Can we do better with performance? Size? Security?

  16. Embedding Degree • Directly related to size and security of groups of the bilinear pairing • Minimum value k such that , r = number of points on elliptic curve • Ratio of size of input group to output group • Larger embedding degree believed to be higher security

  17. Curve Types • Ben Lynn’s Pairing Based Cryptography Library • Labeled as type A through G • Type B and C not implemented in library • Types A, B, C are symmetric (supersingular) • Same group for both input elements of pairing • Types D - G are ordinary • Generated by the complex multiplication equation

  18. Curve Types • Type A - k=2, 512 bit inputs, 1024 bit outputs • Type D (MNT Curves) - k=6, 159 bit inputs, 954 bit outputs • Type E - k=1, 1020 bit inputs, 1020 bit outputs • Type F (Barreto-Naehrig) - k=12, 158 bit inputs, 1896 bit outputs • Type G - k=10, 149 bit inputs, 1490 bit outputs

  19. Performance • Tested key generation, encryption, and decryption • Encryption and Decryption were over horizontal and vertical access policies • 1 to 100 attributes in each policy • CHARM - Python library for cryptography prototyping • Overhead over C implementation for CPABE mostly in serialization & parsing

  20. Horizontal vs Vertical Access Policy

  21. Performance - Key Generation

  22. Performance - Horizontal Encryption

  23. Performance - Vertical Encryption

  24. Performance - Horizontal Decryption

  25. Performance - Vertical Decryption

  26. Performance • Operation Breakdown:

  27. Performance • Operations per function: • Key Generation - Multiplications and exponentiations , 1:2 ratio • Encryption - Multiplications and exponentiations, 3:1 ratio • Decryption - All operations, focused in output group • Pairings take up majority of CPU time

  28. Size • Key • Ciphertext

  29. Performance Summary • Type F - Fastest encryption & key gen, slowest decryption • Minor differences in horizontal vs. vertical access policies • Type G performance is not recommended • Type D is close to type E, but both slower than type A • Type F has the smallest keys, type D has the smallest ciphertexts • Focus on optimizations to pairing operation

  30. Pairings Outside of Elliptic Curves • RSA is possible, by using exponentiation as the pairing function • Still requires normal comparable security sizes - EC vs RSA • Hyperelliptic curves • Higher embedding degree is not worth additional complexity • Vector of integers • Again, restricted to integer sizes (RSA)

  31. Key Management • CPABE wants to not use trusted servers • No access control outside of ciphertext • Revocation & renewal difficult • Want immediate revocation of full keys • Minimize overhead in renewal • Focus on full key revocation, not attribute

  32. Key Management Possibilities • Key expiration date • Adds many more attributes due to numeric attributes and timestamps • Proxy Key • Additional pairings, and still direct communication with proxy server • User Blacklist • Requires to be done by user encrypting files • Hierarchical Access Roles • Large overhead, need to control number of unique values

  33. Key Insulated ABE • Temporary keys based on a time period • Revocation is not immediate • Must wait until end of time period • Pseudorandom function with identity as seed • Get next value for the next time period • Users given helper key • Updates current key to valid key for next value

  34. Key Insulated CPABE • Replace random r value in users’ keys with a pseudorandom value k • Setup - same as CPABE, except with definition of pseudorandom and hash functions • Key Generation:

  35. Key Insulated CPABE • Helper Update: • Additional value here due to gα and β private • User Update:

  36. Key Insulated CPABE • Encryption:

  37. Key Insulated CPABE • Decryption: • Interpolation - no change • Final Decryption:

  38. Performance • No changes to number of operations during pairings • Additional multiplications and hashings to handle T() in encryption/key generation • Equivalent of an additional attribute in key generation • User needs to perform multiplication for each attribute during update

  39. Size • 3 values, all in the input group • Largest in type A pairing - 1536 bits

  40. Security • Security of revocation directly linked to security of pseudorandom function • If users can compute k values, they can generate any keys • Outside of this, same security claims as CPABE • No need to hide details of T() function • Needed for encryption

  41. Disadvantages • How to handle previous time periods • Users keep old keys - large storage overhead • Force rencryption of files after number of time periods? • How to handle new users • Would not have previous keys, no access to previous files • Application depedent • Broadcast schemes work well for this

  42. Conclusion • Type F curves provide fastest key generation and encryption for CPABE • Limited in decryption due to large output groups • Type A curves provide best decryption times • Key Insulated CPABE allows non-immediate revocation at low overhead • Security same as CPABE • Issues with storage of multiple keys

  43. Future Work • Other pairing libraries (MIRACL) • Optimizations to operations • Comparison of KICPABE to other broadcast revocation schemes • Security of KICPABE under other modified CPABE models

More Related