Loading in 2 Seconds...
Loading in 2 Seconds...
Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption. Russell Martin August 9th, 2013. Contents. Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future Work.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption Russell Martin August 9th, 2013
Contents • Introduction to CPABE • Bilinear Pairings • Group Selection • Key Management • Key Insulated CPABE • Conclusion & Future Work
Need for Attribute Based Encryption • Private Key Cryptosystems • AES • Single key for all users • Identity Based Encryption • Users given unique keys • Good for signatures, not so much encryption • Attribute Based Encryption • “Fuzzy” IBE • Decryption controlled by matching “d of k” attributes
CPABE • ABE schemes are single level of control • Fine grain access control • Monotonic access trees • KPABE • Access tree in user’s key, list of attributes in ciphertext • Users encrypting files have limited control of who decrypts • CPABE • Access tree in ciphertext, list of attributes in user’s key • Users encrypting have strong control
CPABE • Five functions • Setup • Key Generation • Encryption • Decryption • Delegation
Bilinear Pairings • Decisional Diffie-Hellman is easy, Computational Diffie-Hellman is hard
Bilinear Pairings • Inputs most commonly elements of a specific elliptic curve • Restricted to r-torsion points of the curve • r * P = O • Computed by the Weil or Tate pairing, using Miller’s algorithm • Computation of tangent/vertical/lines between one or two points on the curve
Setup • Selection of bilinear group, generators, and exponentiations
Key Generation • Generate a key for the user who possesses the list of attributes, S
Encryption • Encrypt the message M with the access policy τ • Y = Set of all leaf nodes in tree
Decryption • Recursive decryption starting at top of tree • If leaf node, decrypt node:
Decryption • If non-leaf node, polynomial interpolation from child node results
Decryption • Assuming access tree satisfied, interpolation at root occured
Group Selection • CPABE uses , a=1 • No justification for the usage or performance of this curve • Can we do better with performance? Size? Security?
Embedding Degree • Directly related to size and security of groups of the bilinear pairing • Minimum value k such that , r = number of points on elliptic curve • Ratio of size of input group to output group • Larger embedding degree believed to be higher security
Curve Types • Ben Lynn’s Pairing Based Cryptography Library • Labeled as type A through G • Type B and C not implemented in library • Types A, B, C are symmetric (supersingular) • Same group for both input elements of pairing • Types D - G are ordinary • Generated by the complex multiplication equation
Curve Types • Type A - k=2, 512 bit inputs, 1024 bit outputs • Type D (MNT Curves) - k=6, 159 bit inputs, 954 bit outputs • Type E - k=1, 1020 bit inputs, 1020 bit outputs • Type F (Barreto-Naehrig) - k=12, 158 bit inputs, 1896 bit outputs • Type G - k=10, 149 bit inputs, 1490 bit outputs
Performance • Tested key generation, encryption, and decryption • Encryption and Decryption were over horizontal and vertical access policies • 1 to 100 attributes in each policy • CHARM - Python library for cryptography prototyping • Overhead over C implementation for CPABE mostly in serialization & parsing
Performance • Operation Breakdown:
Performance • Operations per function: • Key Generation - Multiplications and exponentiations , 1:2 ratio • Encryption - Multiplications and exponentiations, 3:1 ratio • Decryption - All operations, focused in output group • Pairings take up majority of CPU time
Size • Key • Ciphertext
Performance Summary • Type F - Fastest encryption & key gen, slowest decryption • Minor differences in horizontal vs. vertical access policies • Type G performance is not recommended • Type D is close to type E, but both slower than type A • Type F has the smallest keys, type D has the smallest ciphertexts • Focus on optimizations to pairing operation
Pairings Outside of Elliptic Curves • RSA is possible, by using exponentiation as the pairing function • Still requires normal comparable security sizes - EC vs RSA • Hyperelliptic curves • Higher embedding degree is not worth additional complexity • Vector of integers • Again, restricted to integer sizes (RSA)
Key Management • CPABE wants to not use trusted servers • No access control outside of ciphertext • Revocation & renewal difficult • Want immediate revocation of full keys • Minimize overhead in renewal • Focus on full key revocation, not attribute
Key Management Possibilities • Key expiration date • Adds many more attributes due to numeric attributes and timestamps • Proxy Key • Additional pairings, and still direct communication with proxy server • User Blacklist • Requires to be done by user encrypting files • Hierarchical Access Roles • Large overhead, need to control number of unique values
Key Insulated ABE • Temporary keys based on a time period • Revocation is not immediate • Must wait until end of time period • Pseudorandom function with identity as seed • Get next value for the next time period • Users given helper key • Updates current key to valid key for next value
Key Insulated CPABE • Replace random r value in users’ keys with a pseudorandom value k • Setup - same as CPABE, except with definition of pseudorandom and hash functions • Key Generation:
Key Insulated CPABE • Helper Update: • Additional value here due to gα and β private • User Update:
Key Insulated CPABE • Encryption:
Key Insulated CPABE • Decryption: • Interpolation - no change • Final Decryption:
Performance • No changes to number of operations during pairings • Additional multiplications and hashings to handle T() in encryption/key generation • Equivalent of an additional attribute in key generation • User needs to perform multiplication for each attribute during update
Size • 3 values, all in the input group • Largest in type A pairing - 1536 bits
Security • Security of revocation directly linked to security of pseudorandom function • If users can compute k values, they can generate any keys • Outside of this, same security claims as CPABE • No need to hide details of T() function • Needed for encryption
Disadvantages • How to handle previous time periods • Users keep old keys - large storage overhead • Force rencryption of files after number of time periods? • How to handle new users • Would not have previous keys, no access to previous files • Application depedent • Broadcast schemes work well for this
Conclusion • Type F curves provide fastest key generation and encryption for CPABE • Limited in decryption due to large output groups • Type A curves provide best decryption times • Key Insulated CPABE allows non-immediate revocation at low overhead • Security same as CPABE • Issues with storage of multiple keys
Future Work • Other pairing libraries (MIRACL) • Optimizations to operations • Comparison of KICPABE to other broadcast revocation schemes • Security of KICPABE under other modified CPABE models