group selection and key management strategies for ciphertext policy attribute based encryption n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption PowerPoint Presentation
Download Presentation
Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption

Loading in 2 Seconds...

play fullscreen
1 / 43

Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption - PowerPoint PPT Presentation


  • 233 Views
  • Uploaded on

Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption. Russell Martin August 9th, 2013. Contents. Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future Work.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
    Presentation Transcript
    1. Group Selection and Key Management Strategies for Ciphertext-Policy Attribute-Based Encryption Russell Martin August 9th, 2013

    2. Contents • Introduction to CPABE • Bilinear Pairings • Group Selection • Key Management • Key Insulated CPABE • Conclusion & Future Work

    3. Need for Attribute Based Encryption • Private Key Cryptosystems • AES • Single key for all users • Identity Based Encryption • Users given unique keys • Good for signatures, not so much encryption • Attribute Based Encryption • “Fuzzy” IBE • Decryption controlled by matching “d of k” attributes

    4. CPABE • ABE schemes are single level of control • Fine grain access control • Monotonic access trees • KPABE • Access tree in user’s key, list of attributes in ciphertext • Users encrypting files have limited control of who decrypts • CPABE • Access tree in ciphertext, list of attributes in user’s key • Users encrypting have strong control

    5. Access Tree

    6. CPABE • Five functions • Setup • Key Generation • Encryption • Decryption • Delegation

    7. Bilinear Pairings • Decisional Diffie-Hellman is easy, Computational Diffie-Hellman is hard

    8. Bilinear Pairings • Inputs most commonly elements of a specific elliptic curve • Restricted to r-torsion points of the curve • r * P = O • Computed by the Weil or Tate pairing, using Miller’s algorithm • Computation of tangent/vertical/lines between one or two points on the curve

    9. Setup • Selection of bilinear group, generators, and exponentiations

    10. Key Generation • Generate a key for the user who possesses the list of attributes, S

    11. Encryption • Encrypt the message M with the access policy τ • Y = Set of all leaf nodes in tree

    12. Decryption • Recursive decryption starting at top of tree • If leaf node, decrypt node:

    13. Decryption • If non-leaf node, polynomial interpolation from child node results

    14. Decryption • Assuming access tree satisfied, interpolation at root occured

    15. Group Selection • CPABE uses , a=1 • No justification for the usage or performance of this curve • Can we do better with performance? Size? Security?

    16. Embedding Degree • Directly related to size and security of groups of the bilinear pairing • Minimum value k such that , r = number of points on elliptic curve • Ratio of size of input group to output group • Larger embedding degree believed to be higher security

    17. Curve Types • Ben Lynn’s Pairing Based Cryptography Library • Labeled as type A through G • Type B and C not implemented in library • Types A, B, C are symmetric (supersingular) • Same group for both input elements of pairing • Types D - G are ordinary • Generated by the complex multiplication equation

    18. Curve Types • Type A - k=2, 512 bit inputs, 1024 bit outputs • Type D (MNT Curves) - k=6, 159 bit inputs, 954 bit outputs • Type E - k=1, 1020 bit inputs, 1020 bit outputs • Type F (Barreto-Naehrig) - k=12, 158 bit inputs, 1896 bit outputs • Type G - k=10, 149 bit inputs, 1490 bit outputs

    19. Performance • Tested key generation, encryption, and decryption • Encryption and Decryption were over horizontal and vertical access policies • 1 to 100 attributes in each policy • CHARM - Python library for cryptography prototyping • Overhead over C implementation for CPABE mostly in serialization & parsing

    20. Horizontal vs Vertical Access Policy

    21. Performance - Key Generation

    22. Performance - Horizontal Encryption

    23. Performance - Vertical Encryption

    24. Performance - Horizontal Decryption

    25. Performance - Vertical Decryption

    26. Performance • Operation Breakdown:

    27. Performance • Operations per function: • Key Generation - Multiplications and exponentiations , 1:2 ratio • Encryption - Multiplications and exponentiations, 3:1 ratio • Decryption - All operations, focused in output group • Pairings take up majority of CPU time

    28. Size • Key • Ciphertext

    29. Performance Summary • Type F - Fastest encryption & key gen, slowest decryption • Minor differences in horizontal vs. vertical access policies • Type G performance is not recommended • Type D is close to type E, but both slower than type A • Type F has the smallest keys, type D has the smallest ciphertexts • Focus on optimizations to pairing operation

    30. Pairings Outside of Elliptic Curves • RSA is possible, by using exponentiation as the pairing function • Still requires normal comparable security sizes - EC vs RSA • Hyperelliptic curves • Higher embedding degree is not worth additional complexity • Vector of integers • Again, restricted to integer sizes (RSA)

    31. Key Management • CPABE wants to not use trusted servers • No access control outside of ciphertext • Revocation & renewal difficult • Want immediate revocation of full keys • Minimize overhead in renewal • Focus on full key revocation, not attribute

    32. Key Management Possibilities • Key expiration date • Adds many more attributes due to numeric attributes and timestamps • Proxy Key • Additional pairings, and still direct communication with proxy server • User Blacklist • Requires to be done by user encrypting files • Hierarchical Access Roles • Large overhead, need to control number of unique values

    33. Key Insulated ABE • Temporary keys based on a time period • Revocation is not immediate • Must wait until end of time period • Pseudorandom function with identity as seed • Get next value for the next time period • Users given helper key • Updates current key to valid key for next value

    34. Key Insulated CPABE • Replace random r value in users’ keys with a pseudorandom value k • Setup - same as CPABE, except with definition of pseudorandom and hash functions • Key Generation:

    35. Key Insulated CPABE • Helper Update: • Additional value here due to gα and β private • User Update:

    36. Key Insulated CPABE • Encryption:

    37. Key Insulated CPABE • Decryption: • Interpolation - no change • Final Decryption:

    38. Performance • No changes to number of operations during pairings • Additional multiplications and hashings to handle T() in encryption/key generation • Equivalent of an additional attribute in key generation • User needs to perform multiplication for each attribute during update

    39. Size • 3 values, all in the input group • Largest in type A pairing - 1536 bits

    40. Security • Security of revocation directly linked to security of pseudorandom function • If users can compute k values, they can generate any keys • Outside of this, same security claims as CPABE • No need to hide details of T() function • Needed for encryption

    41. Disadvantages • How to handle previous time periods • Users keep old keys - large storage overhead • Force rencryption of files after number of time periods? • How to handle new users • Would not have previous keys, no access to previous files • Application depedent • Broadcast schemes work well for this

    42. Conclusion • Type F curves provide fastest key generation and encryption for CPABE • Limited in decryption due to large output groups • Type A curves provide best decryption times • Key Insulated CPABE allows non-immediate revocation at low overhead • Security same as CPABE • Issues with storage of multiple keys

    43. Future Work • Other pairing libraries (MIRACL) • Optimizations to operations • Comparison of KICPABE to other broadcast revocation schemes • Security of KICPABE under other modified CPABE models