
Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

Ciphertext-Policy Attribute-Based Encryption (CP-ABE). Presented by Sherley Codio. Application scenario: sharing data on distributed systems. Bob sends a sensitive memo, and people with a set of credentials/attributes receive it. Office: Public Corruption; City: Knoxville. Bob, FBI Head.


Presentation Transcript


  1. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) Presented by Sherley Codio

  2. Application Scenario
     • Sharing data on distributed systems
     • Bob sends a sensitive memo
     • People with a set of credentials/attributes receive it
     • Access structure for accessing this information: (“Public Corruption Office” AND (“Knoxville” OR “San Francisco”))
     [Diagram: Bob, FBI Head, and three recipients labelled Office: Public Corruption, City: Knoxville; Office: Public Corruption, City: Denver; Office: Public Corruption, City: San Francisco]

  3. Application Scenario
     Advantages of replicating data across several locations:
     - Performance
     - Reliability

  4. Application Scenario
     • Disadvantage: if a server is compromised, data confidentiality is compromised
     • Solution: store data in encrypted form: encrypted access control

  5. Attribute-Based Encryption (ABE)
     • Attribute-based encryption (ABE): a new means for encrypted access control.
     • Ciphertexts are not necessarily encrypted to one particular user.
     • Users’ private keys and ciphertexts are associated with a set of attributes or a policy over attributes.
     • When there is a “match” between the user’s private key and the ciphertext, decryption is possible.

  6. Ciphertext-Policy Attribute-Based Encryption
     [Diagram: Bob sends a ciphertext carrying an access structure over attributes; the private key carries a set of attributes; outcome: YES]

  7. Ciphertext-Policy Attribute-Based Encryption
     Access Structure: monotonic access tree
     • AND gate: n-of-n threshold gates
     • OR gate: 1-of-n threshold gates
     [Diagram: tree of gates (AND, OR) with attributes at the leaves]

  8. Ciphertext-Policy Attribute-Based Encryption
     Access Structure: monotonic access tree
     • Threshold gate: described by its children and a threshold value
     • numx == number of children of X
     • kx == numx => AND gate
     • kx == 1 => OR gate
     • Leaf: k == 1
     [Diagram: node X with two nodes labelled Kx=1]

  9. Ciphertext-Policy Attribute-Based Encryption
     Satisfying an Access Tree
     • att(x): denotes the attribute associated with the leaf node x
     • γ: set of attributes => Tx(γ) == 1
     • Tx(γ) == 1 iff at least kx == 1
     • x is a leaf node => Tx(γ) == 1 iff att(x) ∈ γ
     [Diagram: tree labelled r with Tr == T, x with Tx, and two nodes labelled Kx=1]

  10. Difference between KP-ABE and CP-ABE
      [Diagram: in KP-ABE, Bob sends a ciphertext labelled with descriptive attributes and the private key carries policies; in CP-ABE, Bob sends a ciphertext carrying an access structure over attributes and the private key carries a set of attributes; outcome: YES]

  11. CP-ABE: Fundamental Algorithms

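  12. CP-ABE: Fundamental Algorithms
      [Diagram: Setup (implicit security parameter) outputs PK and MK; Encrypt takes PK, M and A and outputs CT; Keygen takes MK and S and outputs SK; Decrypt takes CT and SK and outputs M]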

  13. Bilinear map
      • G0 and G1: two multiplicative cyclic groups of prime order p
      • g: a generator of G0; e: a bilinear map, e : G0 × G0 → G1
      • e has the following properties:
        1. Bilinearity: for all u, v ∈ G0 and a, b ∈ Zp, e(u^a, v^b) = e(u, v)^(ab)
        2. Non-degeneracy: e(g, g) ≠ 1

  14. The Setup Algorithm

  15. The Encryption Algorithm

  16. The Keygen Algorithm

  17. The Decryption Algorithm

  18. The Decryption Algorithm

  19. The Delegate algorithm
      • Delegate(SK, S~), S~ ⊆ S
      • SK = (D, ∀j ∈ S : D_j, D'_j)
      • SK~ = (D~ = D·f^(r~), ∀k ∈ S~ : D~_k = D_k·g^(r~)·H(k)^(r~_k), D~'_k = D'_k·g^(r~_k))

  20. Security Intuition
      • To decrypt, an attacker needs e(g, g)^(αs)
      • To recover e(g, g)^(αs), C must be paired with the D component from some user’s private key

  21. How is Collusion Prevented?
      • e(g, g)^(αs) is blinded by e(g, g)^(rs)
      • To blind e(g, g)^(αs), the correct key components are needed
      • The blinding value is randomized
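
An added example (not part of the presentation) of the access-tree check from slides 7 to 9, run on slide 2's policy and its three recipients. It assumes the standard rule that a gate is satisfied when at least kx of its children are satisfied; the `Node` helpers and the `OTHER_OFFICE` user are constructed for illustration. The last case shows why slide 21 matters: a policy check alone accepts pooled attributes, so the per-key randomized blinding is what stops two users from combining keys.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Node:
    k: int = 1                       # threshold kx (leaf: k == 1)
    attr: Optional[str] = None       # att(x) for a leaf, None for a gate
    children: List["Node"] = field(default_factory=list)


def leaf(attr: str) -> Node:
    return Node(attr=attr)


def threshold(k: int, *children: Node) -> Node:
    return Node(k=k, children=list(children))


def AND(*children: Node) -> Node:    # kx == numx
    return threshold(len(children), *children)


def OR(*children: Node) -> Node:     # kx == 1
    return threshold(1, *children)


def satisfies(x: Node, gamma: Set[str]) -> bool:
    """Return Tx(gamma): True iff attribute set gamma satisfies subtree x."""
    if x.attr is not None:                       # leaf: att(x) in gamma
        return x.attr in gamma
    if not 1 <= x.k <= len(x.children):          # reject malformed gates
        raise ValueError("threshold must satisfy 1 <= kx <= numx")
    return sum(satisfies(c, gamma) for c in x.children) >= x.k


# Policy from slide 2.
POLICY = AND(leaf("Public Corruption Office"),
             OR(leaf("Knoxville"), leaf("San Francisco")))

# Attribute sets built from the recipient labels on slide 2.
KNOXVILLE = {"Public Corruption Office", "Knoxville"}
DENVER = {"Public Corruption Office", "Denver"}
SAN_FRANCISCO = {"Public Corruption Office", "San Francisco"}
# Constructed user from a different office (hypothetical, not on the slides).
OTHER_OFFICE = {"Knoxville"}

if __name__ == "__main__":
    for name, gamma in [("Knoxville", KNOXVILLE), ("Denver", DENVER),
                        ("San Francisco", SAN_FRANCISCO),
                        ("Denver + other office, pooled", DENVER | OTHER_OFFICE)]:
        print(f"{name}: {satisfies(POLICY, gamma)}")
```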
