
Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption

Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption. Russell Martin. Advisors: Dr. Marcin Lukowiak & Dr. Stanislav Radziszowski. Department of Computer Engineering, Rochester Institute of Technology, Rochester, NY-14623.


Presentation Transcript


  1. Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption

Russell Martin
Advisors: Dr. Marcin Lukowiak & Dr. Stanislav Radziszowski
Department of Computer Engineering, Rochester Institute of Technology, Rochester, NY-14623

What is CPABE?

• One of the weaknesses of current cryptosystems is not the security of the algorithm, but the security of the keys. This weakness is amplified when the same key is used between multiple users. To combat this issue, Identity-Based Encryption systems were designed to allow each user to have a unique key, and to allow authorized users to decrypt files.
• CPABE was designed by Bethencourt, Waters, and Sahai as a means of allowing expressive and controlled access to encrypted files by defining a user’s key as a set of attributes, and authorizing decryption if these attributes satisfy an access tree.
• An access tree in CPABE is created on a per-file basis, with leaf nodes representing properties the user key must contain, and non-leaf nodes representing gates (AND, OR, or X OUT OF Y).
• CPABE consists of five operations [3]:
  • Setup – Produce Public and Master Keys
    • Public Key:
    • Master Key:
  • Key Generation – Produce a key to be given to a user
    • Secret Key:
  • Encryption – Encrypt a message with a given monotonic access tree.
    • Ciphertext:
  • Decryption – Attempt to decrypt a message. Succeeds if the user satisfies the access tree.
    • Decrypted Message:
    • A is obtained from polynomial interpolation at the root node.
  • Delegation – Produce a new key with the same or lesser attributes as a user’s key.
    • New Secret Key:

Bilinear Groups

A Bilinear Group is a function e(u,v) that satisfies the following properties:
• Bilinearity:
• Non-degeneracy:
A bilinear group is said to be symmetric when both inputs are the same group:
Generally, an asymmetric bilinear group is:
Where G1 and GT are of order r, and G2 consists of elements of order dividing r.
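The access-tree mechanism described under "What is CPABE?" (AND, OR and X OUT OF Y gates, with a value recovered by polynomial interpolation at the root) can be shown with plain modular arithmetic. This is an added example, not code from the poster or from the BSW or CHARM implementations; the modulus P, the helper names and the sample policy are assumptions, and real CPABE keeps these shares in the exponent of a bilinear group, bound to per-attribute key components, rather than exposing them as integers.

```python
import secrets

P = 2**127 - 1  # prime field modulus picked for this sketch (assumption)

def leaf(attr):
    return {"attr": attr}

def gate(k, *children):
    """k-of-n threshold node: AND is k == n, OR is k == 1."""
    return {"k": k, "children": children}

def share(node, value, path=()):
    """Encryptor side: push `value` down the tree, one share per leaf."""
    if "attr" in node:
        return {path: value}
    # Random polynomial q of degree k-1 with q(0) = value; child i gets q(i).
    coeffs = [value] + [secrets.randbelow(P) for _ in range(node["k"] - 1)]
    shares = {}
    for i, child in enumerate(node["children"], start=1):
        q_i = sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
        shares.update(share(child, q_i, path + (i,)))
    return shares

def recover(node, shares, attrs, path=()):
    """Decryptor side: the node's value if `attrs` satisfy it, else None."""
    if "attr" in node:
        return shares[path] if node["attr"] in attrs else None
    points = []
    for i, child in enumerate(node["children"], start=1):
        value = recover(child, shares, attrs, path + (i,))
        if value is not None:
            points.append((i, value))
    if len(points) < node["k"]:
        return None  # too few satisfied children: nothing to interpolate
    points = points[: node["k"]]
    total = 0
    for i, value in points:  # Lagrange interpolation at x = 0
        lam = 1
        for j, _ in points:
            if j != i:
                lam = lam * j * pow(j - i, -1, P) % P
        total = (total + value * lam) % P
    return total

# Constructed policy: 2 of (engineering, manager OR auditor, clearance)
TREE = gate(2, leaf("engineering"),
            gate(1, leaf("manager"), leaf("auditor")), leaf("clearance"))
```

Calling `share(TREE, secret)` and then `recover(TREE, shares, attrs)` returns the secret only for attribute sets that satisfy the tree, and `None` otherwise.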
Key Management

• The goals in Key Management for CPABE are:
  • Securely revoke keys permanently
  • Allow renewal of keys/addition of attributes without creating a brand new key
  • Not require all decryptions to go through a trusted server
  • A compromised trusted server does not compromise the entire scheme.
• Several Key Management Schemes have been found for CPABE, but none meet all of these criteria.
  • Proxy-Based: The use of this proxy requires access to the trusted proxy server
  • Temporary Keys: Users must have multiple keys, which is a large memory overhead because CPABE keys are large.
• My goal is to attempt a form of hierarchical access control, which instead of trusted servers distributes the roles, allowing multiple users to represent the roles needed for key management, increasing security by requiring multiple nodes to be compromised in order to compromise the entire scheme.

Figure: Examples of Elliptic Curves (Source: Wikipedia)

Group Selection

The Pairing Based Cryptography (PBC) library by Lynn [6] was used to perform the underlying elliptic curve operations such as pairings in the BSW implementation of CPABE. This library implements seven types of elliptic curves as the underlying field for the bilinear groups, denoted Type A through Type G. Types A, B, and C are pairings over supersingular curves, while Types D through G are asymmetric pairings over ordinary (also referred to as MNT) curves. To use ordinary curves, modifications must be made to CPABE to allow the pairings to take elements from two different input groups.

• Can CPABE be modified to support asymmetric curves? Yes, this already exists in the CHARM Cryptography library [1].
• Can groups outside of elliptic curves be used for Bilinear Mappings in CPABE? Theoretically yes, but the added complexity does not improve performance enough [5].
• Which bilinear mapping produces the best performance for CPABE? This is one of my research goals.
It has been shown that some implementations that switched to asymmetric pairings improved performance [2].

Future Work

Figure: Example of Monotonic Access Tree Used in CPABE (Source: IEEE Computer Society)

• What bilinear pairing produces the best performance for CPABE?
• What bilinear pairing produces the least overhead for CPABE?
• Can CPABE be modified to support key management? If so, how much overhead is required?

Current Results

• The CHARM cryptography library has proven that CPABE can properly work with asymmetric bilinear pairings. [1]
• However, encryption and key generation take roughly three times as long with one asymmetric implementation. Decryption time is approximately doubled. [4]
• The current overhead for CPABE ciphertexts is 630 bytes, and 250-300 bytes for each attribute. [7]
• Encryption and Key Generation scale linearly with the number of attributes; decryption is less predictable. [3]

References

[1] J. A. Akinyele, M. Green, and A. Rubin. Charm: A Framework for Rapidly Prototyping Cryptosystems. 2011. Available online at http://hms.isi.jhu.edu/papers/charm11.pdf
[2] L. Chen, P. Morrissey, and N. Smart. Pairings in trusted computing. Pairing-Based Cryptography–Pairing 2008, pages 1–17, 2008.
[3] J. Bethencourt, A. Sahai, and B. Waters. Ciphertext-policy attribute-based encryption. In Security and Privacy, 2007. SP’07. IEEE Symposium on, pages 321–334. IEEE, 2007.
[4] S. Jahid and N. Borisov. PIRATTE: Proxy-based Immediate Revocation of ATTribute-based Encryption. 2012.
[5] B. Lynn. On the Implementation of Pairing-Based Cryptosystems. PhD thesis, Stanford University, 2007.
[6] B. Lynn. The Pairing-Based Cryptography Library. Available at http://crypto.stanford.edu/pbc/, December 2010.
[7] Z. Zhou and D. Huang. On efficient ciphertext-policy attribute based encryption and broadcast encryption. In Proceedings of the 17th ACM Conference on Computer and Communications Security, pages 753–755. ACM, 2010.
Figure: Example of Successful Asymmetric Encryption/Decryption in CHARM

Research Required for CPABE

• No Justification for Bilinear Group Used
• CPABE Inherently Prevents Key Management Methods

Acknowledgements

Thanks to my advisors, as well as Dr. Yang and all of the staff from the Computer Engineering department.
