Attribute-Based Encryption with Non-Monotonic Access Structures - PowerPoint PPT Presentation

1
Attribute-Based Encryption with Non-Monotonic
Access Structures
Brent Waters SRI International
Amit Sahai UCLA
Rafail Ostrovsky UCLA
2
Server Mediated Access Control
File 1
  • Server stores data in clear
  • Expressive access controls

Access list: John, Beth, Sue, Bob
Attributes: 'Computer Science', 'Admissions'
3
Distributed Storage
  • Scalability
  • Reliability

Downside: Increased vulnerability
4
Traditional Encrypted Filesystem
  • Encrypted Files stored on Untrusted Server
  • Every user can decrypt its own files
  • Files to be shared across different users?
    Credentials?

Lost expressivity of trusted server approach!
5
Attribute-Based Encryption [SW05]
Goal: Encryption with Expressive Access Control
  • Label files with attributes

6
Attribute-Based Encryption
Univ. Key Authority
7
Attribute-Based Encryption
  • Ciphertext has set of attributes
  • Keys reflect a tree access structure
  • Decrypt iff attributes from CT satisfy key's policy

8
Central goal: Prevent Collusions
  • If neither user can decrypt a CT, then they can't together

Ciphertext: M, 'Computer Science', 'Hiring'
9
Current ABE Systems [GPWS06]
  • Monotonic Access Formulas
  • Tree of ANDs, ORs, threshold (k of N)
  • Attributes at leaves
  • NOT is unsupported!

[Figure: example access tree; labels: OR, AND, 'Bob', 'Computer Science', 'Admissions']
10
Key Generation
Public Parameters
$g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$
Fresh randomness used for each key generated!
Greedy Decryption
11
Supporting NOTs [OSW07]
  • Example: Peer Review of Other Depts.

Bob is in C.S. dept => Avoid Conflict of Interest
[Figure: policy tree; labels: AND, 'Dept. Review', 'Year=2007']
Challenge: Can't attacker just ignore CT components?
12
A Simple Solution
  • Use explicit "not" attributes
      • Attribute 'NotAdmissions', 'NotBiology'
  • Problems:
      • Encryptor does not know all attributes to negate
      • Huge number of attributes per CT
          • NotAnthropology
          • NotAeronautics
          • NotZoology

13
Technique 1: Simplify Formulas
Use De Morgan's law to propagate NOTs to just the attributes
[Figure: policy tree; labels: AND, 'Dept. Review', 'Public Policy', 'Computer Science']
14
Revocation Systems [NNL01, NP01]
  • Broadcast to all but a certain set of users
  • Application: Digital content protection

[Figure: labels P1, P2, P3]
15
Applying Revocation Techniques
  • Focus on a particular Not Attribute

16
Applying Revocation Techniques
  • Focus on a particular Not Attribute
  • Attribute in Not as node's identity
  • Attributes in CT as Revoked Users

Node ID not in revoked list => satisfied
N.B. Just one node in larger policy
17
Polynomial Revocation [NP01]
  • Pick a degree $n$ polynomial $q(\cdot)$, $q(0) = a$
  • $n+1$ points to interpolate
  • User $t$ gets $q(t)$
  • Encryption: $g^{s}, \ldots, M g^{sa}$
  • Revoked: $x_1, \ldots, x_n$

$g^{sq(x_1)}, \ldots, g^{sq(x_n)}$
$g^{sq(t)}$
Can interpolate to $g^{sq(0)} = g^{sa}$ iff $t$ not in $\{x_1, \ldots, x_n\}$
18
ABE with Negation
  • Push NOTs to leaves
  • Apply ABE key generation
  • Collusion resistance still key!
  • Treat non-negated attributes same
  • New Type of Polynomial Revocation at Leaves

19
System Sketch
Choose degree $n$ polynomial $q(\cdot)$, $q(0) = b$
Public Parameters
Can compute $g^{q(x)}$
$g^{q(0)}, g^{q(1)}, \ldots, g^{q(n)}$
If points different can compute $e(g,g)^{srb}$
t
20
Conclusions and Open Directions
  • Goal: Increase expressiveness of Encryption Systems
  • Provided Negation to ABE systems
  • Challenge: Decryptor Ignores "Bad" Attributes
  • Solution: Revocation techniques
  • Future:
      • ABE with Circuits
      • Other cryptographic access control

21
Thank You