Ciphertext-Policy Attribute-Based Encryption
Summary
1 Introduction
- In many situations, when a user encrypts sensitive data, it is imperative that she establish a specific access control policy on who can decrypt this data.
- Traditionally, this type of expressive access control is enforced by employing a trusted server to store data locally.
- In key-policy attribute based encryption, ciphertexts are associated with sets of descriptive attributes, and users' keys are associated with policies (the reverse of the authors' situation).
- In the work of [24, 15], collusion resistance is ensured by using a secret-sharing scheme and embedding independently chosen secret shares into each private key.
- This methodology makes use of groups with efficiently computable bilinear maps, and it is the key to their security proof, which the authors give in the generic bilinear group model [6, 28].
3 Background
- The authors first give formal definitions for the security of ciphertext policy attribute based encryption.
- Next, the authors give background information on bilinear maps.
- In these definitions the attributes will describe the users and the access structures will be used to label different sets of encrypted data.
3.1 Definitions
- The sets in A are called the authorized sets, and the sets not in A are called the unauthorized sets.
- From now on, unless stated otherwise, by an access structure the authors mean a monotone access structure.
- The encryption algorithm takes as input the public parameters PK, a message M , and an access structure A over the universe of attributes.
- Like identity-based encryption schemes [27, 7, 12] the security model allows the adversary to query for any private keys that cannot be used to decrypt the challenge ciphertext.
- The challenger flips a random coin b and encrypts M_b under A*.
4 Our Construction
- The authors begin by describing the model of access trees and attributes for respectively describing ciphertexts and private keys.
- Next, the authors give the description of their scheme.
- Finally, the authors follow with a discussion of security, efficiency, and key revocation.
4.1 Our Model
- A party that wishes to encrypt a message will specify through an access tree structure a policy that private keys must satisfy in order to decrypt.
- Each interior node of the tree is a threshold gate and the leaves are associated with attributes.
- The authors note that this setting is very expressive.
- The authors use the same notation as [15] to describe the access trees, even though in their case the attributes are used to identify the keys (as opposed to the data).
- The function att(x) is defined only if x is a leaf node and denotes the attribute associated with the leaf node x in the tree.
4.2 Our Construction
- A security parameter, κ, will determine the size of the groups.
- These polynomials are chosen in the following way in a top-down manner, starting from the root node R. For any other node x, it sets q_x(0) = q_parent(x)(index(x)) and chooses d_x other points randomly to completely define q_x.
- The key generation algorithm will take as input a set of attributes S and output a key that identifies with that set.
- If no such set exists then the node was not satisfied and the function returns ⊥.
- Now that the authors have defined their function DecryptNode, they can define the decryption algorithm.
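The access-tree secret sharing of Sections 4.1 and 4.2 (top-down polynomial assignment, then the bottom-up DecryptNode recursion with Lagrange coefficients), as an added example that is not the paper's or the cpabe toolkit's code: it works on plain field elements modulo a constructed prime rather than in the exponents of the pairing groups, so it shows the sharing and reconstruction logic without the bilinear-map blinding. The policy, attribute strings, modulus and secret are constructed.

```python
import secrets

# Constructed prime modulus standing in for the group order; the real scheme
# embeds these shares in group exponents and blinds them with the pairing.
P = 2**127 - 1

def poly_eval(coeffs, x):
    """Evaluate q(x) = sum(coeffs[i] * x^i) mod P."""
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

def share(node, secret):
    """Top-down sharing. A policy node is an attribute string (leaf) or a
    (k, children) threshold gate. Gate x picks q_x of degree k_x - 1 with
    q_x(0) = secret; child number i receives q_x(index(x)) = q_x(i).
    Returns the same tree shape with each leaf replaced by (att(x), q_x(0))."""
    if isinstance(node, str):
        return (node, secret)
    k, children = node
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return (k, [share(c, poly_eval(coeffs, i)) for i, c in enumerate(children, 1)])

def lagrange0(xs, x_i):
    """Lagrange coefficient Delta_{i,S}(0) = prod_{j in S, j != i} (0 - j)/(i - j) mod P."""
    num = den = 1
    for x_j in xs:
        if x_j != x_i:
            num = num * (-x_j) % P
            den = den * (x_i - x_j) % P
    return num * pow(den, P - 2, P) % P

def decrypt_node(node, attrs):
    """Bottom-up DecryptNode: a leaf yields its share iff the key holds att(x);
    a k-of-n gate interpolates q_x(0) from any k satisfied children, else None (bottom)."""
    if isinstance(node[0], str):
        attr, share_value = node
        return share_value if attr in attrs else None
    k, children = node
    results = [(i, decrypt_node(c, attrs)) for i, c in enumerate(children, 1)]
    chosen = [(i, v) for i, v in results if v is not None][:k]  # any k satisfied children
    if len(chosen) < k:
        return None
    xs = [i for i, _ in chosen]
    return sum(v * lagrange0(xs, i) for i, v in chosen) % P

# Constructed policy: 2 of {ADMIN, (IT dept AND level 3), (AUDIT OR FINANCE)}
POLICY = (2, ["ADMIN", (2, ["DEPT:IT", "LEVEL:3"]), (1, ["AUDIT", "FINANCE"])])

def recover(attrs, secret=123456789, policy=POLICY):
    """Share `secret` under `policy`, then try to recover it with a key for `attrs`."""
    return decrypt_node(share(policy, secret), set(attrs))
```

`recover({"ADMIN", "AUDIT"})` returns the secret, while `recover({"ADMIN", "DEPT:IT"})` returns None because the 2-of-2 gate under the root is only half satisfied, which is exactly the collusion-resistance property: shares from different keys are never combined here.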
4.3 Discussion
- The authors now provide a brief discussion about the security intuition for their scheme, their scheme's efficiency, and how they might handle key revocation.
- This value can be blinded out if and only if the user has enough of the correct key components to satisfy the secret sharing scheme embedded in the ciphertext.
- In its simplest form, the decryption algorithm could require two pairings for every leaf of the access tree that is matched by a private key attribute and at most one exponentiation for each node along a path from such a leaf to the root (fewer exponentiations may occur if there is an unsatisfied internal node along the path).
- Since the attributes incorporate an exact date there must be agreement on this between the party encrypting the data and the key issuing authority.
- This sort of functionality can be realized by extending their attributes to support numerical values and their policies to support integer comparisons.
5.1 Decryption Efficiency Improvements
- While little can be done to reduce the group operations necessary for the setup, key generation, and encryption algorithms, the efficiency of the decryption algorithm can be improved substantially with novel techniques.
- The recursive algorithm given in Section 4 results in two pairings for each leaf node that is matched by a private key attribute, and up to one exponentiation for every node occurring along the path from such a node to the root (not including the root).
- Further improvements may be gained by abandoning the DecryptNode function and making more direct computations.
- cpabe-keygen: Given a master key, generates a private key for a set of attributes, compiling numerical attributes as necessary.
- The cpabe toolkit supports the numerical attributes and range queries described in Section 4.3 and provides a familiar language of expressions with which to specify access policies.
5.3 Performance Measurements
- The authors now provide some information on the performance achieved by the cpabe toolkit.
- On the test machine, the PBC library can compute pairings in approximately 5.5ms, and exponentiations in G0 and G1 take about 6.4ms and 0.6ms respectively.
- The running time of cpabe-enc is also almost perfectly linear with respect to the number of leaf nodes in the access policy.
- This was accomplished by iteratively taking random subsets of the attributes appearing in leaves of the tree and discarding those that did not satisfy it.
- The performance of cpabe-dec depends on the specific access tree of the ciphertext and the attributes available in the private key, and can be improved by some of the optimizations considered in Section 5.1.
6 Conclusions and Open Directions
- The authors created a system for Ciphertext-Policy Attribute Based Encryption.
- The authors' system allows for a new type of encrypted access control where users' private keys are specified by a set of attributes and a party encrypting data can specify a policy over these attributes specifying which users are able to decrypt.
- Finally, the authors provided an implementation of their system, which included several optimization techniques.
- The primary challenge in this line of work is to find new systems with elegant forms of expression that produce more than an arbitrary combination of techniques.
- One limitation of their system is that it is proved secure under the generic group heuristic.
Frequently Asked Questions
Q2. What are the future works mentioned in the paper "Ciphertext-policy attribute-based encryption" ?
In the future, it would be interesting to consider attribute-based encryption systems with different types of expressibility. The authors believe an important endeavor would be to prove a system secure under a more standard and non-interactive assumption.
Q3. How long does it take to compute pairings?
On the test machine, the PBC library can compute pairings in approximately 5.5ms, and exponentiations in G0 and G1 take about 6.4ms and 0.6ms respectively.
Q4. What is the primary challenge in this line of work?
The primary challenge in this line of work is to find new systems with elegant forms of expression that produce more than an arbitrary combination of techniques.
Q5. What is the way to use the attribute-based encryption system?
The authors would like an attribute-based encryption system to allow a key authority to give out a single key with some expiration date X rather than a separate key.
Q6. What is the security model for ciphertextpolicy ABE?
Like identity-based encryption schemes [27, 7, 12] the security model allows the adversary to query for any private keys that cannot be used to decrypt the challenge ciphertext.
Q7. What is the way to decrypt a message?
When a party encrypts a message on some date Y , a user with a key expiring on date X should be able to decrypt iff X ≥ Y and the rest of the policy matches the user’s attributes.
Q8. How many exponentiations for each leaf of the access tree?
In its simplest form, the decryption algorithm could require two pairings for every leaf of the access tree that is matched by a private key attribute and at most one exponentiation for each node along a path from such a leaf to the root (fewer exponentiations may occur if there is an unsatisfied internal node along the path).
Q9. How can the authors handle more complex access controls?
The authors can handle more complex access controls such as numeric ranges by converting them to small access trees (see the discussion in the implementation section for more details).
Q10. What is the way to compute the result of DecryptNode?
The authors imagine flattening out the tree of recursive calls to DecryptNode, then combining the exponentiations into one per (used) leaf node.
Q11. What is the running time of cpabe-dec?
In an attempt to average over this variation, the authors ran cpabe-dec on a series of ciphertexts that had been encrypted under randomly generated policy trees of various sizes. (The workstation's processor is a 64-bit, 3.2 GHz Pentium 4.)
Q12. How can the authors use the attribute “Computer Science” to compare two numerical attributes?
It is also possible to construct comparisons between two numerical attributes (rather than an attribute and a constant) using roughly 3n gates, although it is less clear when this would be useful in practice.
Q13. How can the authors achieve general access structures?
It is also possible to (inefficiently) realize general access structures using their techniques by having the NOT of an attribute as a separate attribute altogether.
Q14. What is the advantage of a ciphertext-policy attribute-based encryption scheme?
A ciphertext-policy attribute-based encryption scheme is secure if all polynomial time adversaries have at most a negligible advantage in the above game.