Ciphertext-Policy Attribute-Based Encryption (CP-ABE)
Presented by Sherley Codio
Application Scenario
• Sharing data on distributed systems
• Bob sends a sensitive memo
• People with a set of credentials/attributes receive it
[Diagram labels: Bob, FBI Head; Office: Public Corruption, City: Knoxville; Office: Public Corruption, City: Denver; Office: Public Corruption, City: San Francisco]
Access structure for accessing this information: (“Public Corruption Office” AND (“Knoxville” OR “San Francisco”))
Application Scenario
Advantages of replicating data across several locations:
- Performance
- Reliability
Application Scenario
Disadvantage: If a server is compromised, data confidentiality is compromised
Solution: Store data in encrypted form: encrypted access control
Attribute-Based Encryption (ABE)
• Attribute-based encryption (ABE): a new means for encrypted access control.
• Ciphertexts are not necessarily encrypted to one particular user.
• Users’ private keys and ciphertexts are associated with a set of attributes or a policy over attributes.
• When there is a “match” between a user’s private key and the ciphertext, decryption is possible.
Ciphertext-Policy Attribute-Based Encryption
[Diagram: Bob sends a ciphertext carrying an access structure over attributes; the private key carries a set of attributes; outcome shown: YES]
Ciphertext-Policy Attribute-Based Encryption
Access structure: monotonic access tree
[Diagram: a tree of gates (AND, OR) with attributes at the leaves]
• AND gate: n-of-n threshold gate
• OR gate: 1-of-n threshold gate
Ciphertext-Policy Attribute-Based Encryption
Access structure: monotonic access tree
[Diagram: node $x$ with children labelled $k_x = 1$]
• Threshold gate: described by its children and a threshold value
• $num_x$ = number of children of $x$
• $k_x = num_x$ => AND gate
• $k_x = 1$ => OR gate
• Leaf: $k_x = 1$
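Ciphertext-Policy Attribute-Based Encryption
Satisfying an Access Tree
[Diagram: root $r$ with $T_r = T$; node $x$ with subtree $T_x$; leaves labelled $k_x = 1$]
• $att(x)$: denotes the attribute associated with the leaf node $x$
• A set of attributes $\gamma$ satisfies $T_x$ => $T_x(\gamma) = 1$
• $x$ is a non-leaf node => $T_x(\gamma) = 1$ iff at least $k_x$ children return 1
• $x$ is a leaf node => $T_x(\gamma) = 1$ iff $att(x) \in \gamma$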
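The recursive check T_x(γ) from the slide above, as an added Python example (not code from the presentation). It evaluates only the policy logic of the tree, not the cryptography that enforces it, and it also accepts general k-of-n threshold gates; the names Node, leaf, AND, OR, satisfies and who_can_decrypt, and the recipient labels, are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Node:
    """Access-tree node x: a leaf holds att(x); a gate holds k_x and its children."""
    attribute: str | None = None
    threshold: int = 1                      # k_x (a leaf always has k_x = 1)
    children: list[Node] = field(default_factory=list)

    def __post_init__(self):
        if self.children:
            if self.attribute is not None:
                raise ValueError("a gate carries no attribute")
            if not 1 <= self.threshold <= len(self.children):
                raise ValueError("threshold must satisfy 1 <= k_x <= num_x")
        elif self.attribute is None or self.threshold != 1:
            raise ValueError("a leaf needs an attribute and k_x = 1")

def leaf(attr: str) -> Node:
    return Node(attribute=attr)

def AND(*kids: Node) -> Node:               # n-of-n threshold gate
    return Node(threshold=len(kids), children=list(kids))

def OR(*kids: Node) -> Node:                # 1-of-n threshold gate
    return Node(threshold=1, children=list(kids))

def satisfies(x: Node, gamma: set[str]) -> bool:
    """T_x(gamma) = 1 iff att(x) is in gamma (leaf) or >= k_x children return 1."""
    if not x.children:
        return x.attribute in gamma
    return sum(satisfies(c, gamma) for c in x.children) >= x.threshold

# Policy from the Application Scenario slide.
POLICY = AND(leaf("Public Corruption Office"),
             OR(leaf("Knoxville"), leaf("San Francisco")))

# Constructed attribute sets for the three offices shown on that slide.
RECIPIENTS = {
    "Knoxville agent": {"Public Corruption Office", "Knoxville"},
    "Denver agent": {"Public Corruption Office", "Denver"},
    "San Francisco agent": {"Public Corruption Office", "San Francisco"},
}

def who_can_decrypt(tree: Node, recipients: dict[str, set[str]]) -> list[str]:
    return sorted(n for n, gamma in recipients.items() if satisfies(tree, gamma))

if __name__ == "__main__":
    print(who_can_decrypt(POLICY, RECIPIENTS))
```

Because the tree is monotonic, adding attributes to γ can never turn a satisfied policy into an unsatisfied one, so the Denver attribute set fails only because it lacks one of the two required cities.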
Difference between KP-ABE and CP-ABE
• KP-ABE: the ciphertext is sent with descriptive attributes; the private key carries an access structure over attributes
• CP-ABE: Bob sends the ciphertext with policies; the private key carries a set of attributes
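CP-ABE: Fundamental Algorithms
• Setup: takes the implicit security parameter; outputs PK and MK
• Encrypt: takes PK, M and A; outputs CT
• Keygen: takes MK and S; outputs SK
• Decrypt: takes PK, CT and SK; outputs M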
Bilinear map
• $G_0$ and $G_1$: two multiplicative cyclic groups of prime order $p$.
• $g$ is a generator of $G_0$ and $e$ is a bilinear map, $e : G_0 \times G_0 \to G_1$.
• $e$ has the following properties:
1. Bilinearity: for all $u, v \in G_0$ and $a, b \in Z_p$, $e(u^a, v^b) = e(u, v)^{ab}$.
2. Non-degeneracy: $e(g, g) \neq 1$.
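The Delegate algorithm
• Delegate($SK$, $\tilde{S}$), with $\tilde{S} \subseteq S$
• $SK = (D, \forall j \in S : D_j, D'_j)$
• $\widetilde{SK} = (\tilde{D} = D f^{\tilde{r}}, \forall k \in \tilde{S} : \tilde{D}_k = D_k g^{\tilde{r}} H(k)^{\tilde{r}_k}, \tilde{D}'_k = D'_k g^{\tilde{r}_k})$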
Security Intuition
• To decrypt, an attacker needs $e(g, g)^{\alpha s}$.
• To recover $e(g, g)^{\alpha s}$, $C$ must be paired with the $D$ component from some user’s private key.
How is Collusion Prevented?
• $e(g, g)^{\alpha s}$ is blinded by $e(g, g)^{rs}$.
• To remove the blinding from $e(g, g)^{\alpha s}$, the correct key components are needed.
• The blinding value is randomized.