Thesis Defense Presentation

Report
Russell Martin
August 9th, 2013
Contents
•
•
•
•
•
•
Introduction to CPABE
Bilinear Pairings
Group Selection
Key Management
Key Insulated CPABE
Conclusion & Future Work
Need for Attribute Based Encryption
•
Private Key Cryptosystems
o
•
o
Identity Based Encryption
o
•
AES
Single key for all users
o
Users given unique keys
Good for signatures, not so much encryption
Attribute Based Encryption
o
o
“Fuzzy” IBE
Decryption controlled by matching “d of k” attributes
CPABE
•
•
•
ABE schemes are single level of control
Fine grain access control
o
KPABE
o
•
Monotonic access trees
o
Access tree in user’s key, list of attributes in ciphertext
Users encrypting files have limited control of who decrypts
CPABE
o
o
Access tree in ciphertext, list of attributes in user’s key
Users encrypting have strong control
Access Tree
CPABE
•
Five functions
o
o
o
o
o
Setup
Key Generation
Encryption
Decryption
Delegation
Bilinear Pairings
•
Decisional Diffie-Hellman is easy, Computational
Diffie-Hellman is hard
Bilinear Pairings
•
Inputs most commonly elements of a specific elliptic
curve
o
•
Restricted to r-torsion points of the curve
o
r*P=O
Computed by the Weil or Tate pairing, using Miller’s
algorithm
o
Computation of tangent/vertical/lines between one or two points on the
curve
Setup
•
Selection of bilinear group, generators, and
exponentiations
Key Generation
•
Generate a key for the user who possesses the list of
attributes, S
Encryption
•
Encrypt the message M with the access policy τ
o
Y = Set of all leaf nodes in tree
Decryption
•
Recursive decryption starting at top of tree
o
If leaf node, decrypt node:
Decryption
•
If non-leaf node, polynomial interpolation from child
node results
Decryption
•
Assuming access tree satisfied, interpolation at root
occured
Group Selection
•
•
•
CPABE uses
, a=1
No justification for the usage or performance of this
curve
Can we do better with performance? Size? Security?
Embedding Degree
•
•
•
•
Directly related to size and security of groups of the
bilinear pairing
Minimum value k such that
, r = number of
points on elliptic curve
Ratio of size of input group to output group
Larger embedding degree believed to be higher
security
Curve Types
•
•
•
•
Ben Lynn’s Pairing Based Cryptography Library
Labeled as type A through G
o
Type B and C not implemented in library
Types A, B, C are symmetric (supersingular)
o
Same group for both input elements of pairing
Types D - G are ordinary
o
Generated by the complex multiplication equation
Curve Types
•
•
•
•
•
Type A - k=2, 512 bit inputs, 1024 bit outputs
Type D (MNT Curves) - k=6, 159 bit inputs, 954 bit
outputs
Type E - k=1, 1020 bit inputs, 1020 bit outputs
Type F (Barreto-Naehrig) - k=12, 158 bit inputs, 1896
bit outputs
Type G - k=10, 149 bit inputs, 1490 bit outputs
Performance
•
Tested key generation, encryption, and decryption
o
o
o
Encryption and Decryption were over horizontal and vertical access policies
1 to 100 attributes in each policy
CHARM - Python library for cryptography
prototyping
 Overhead over C implementation for CPABE
mostly in serialization & parsing
Horizontal vs Vertical Access Policy
Performance - Key Generation
Performance - Horizontal Encryption
Performance - Vertical Encryption
Performance - Horizontal Decryption
Performance - Vertical Decryption
Performance
•
Operation Breakdown:
Performance
Operations per function:
 Key Generation - Multiplications and
exponentiations , 1:2 ratio
 Encryption - Multiplications and exponentiations,
3:1 ratio
 Decryption - All operations, focused in output
group
 Pairings take up majority of CPU time
Size
•
Key
•
Ciphertext
Performance Summary
•
•
•
•
•
•
Type F - Fastest encryption & key gen, slowest
decryption
Minor differences in horizontal vs. vertical access
policies
Type G performance is not recommended
Type D is close to type E, but both slower than type
A
Type F has the smallest keys, type D has the smallest
ciphertexts
Focus on optimizations to pairing operation
Pairings Outside of Elliptic Curves
•
•
•
RSA is possible, by using exponentiation as the
pairing function
o
Still requires normal comparable security sizes - EC vs RSA
Hyperelliptic curves
o
Higher embedding degree is not worth additional complexity
Vector of integers
o
Again, restricted to integer sizes (RSA)
Key Management
•
•
CPABE wants to not use trusted servers
o
Revocation & renewal difficult
o
•
No access control outside of ciphertext
o
Want immediate revocation of full keys
Minimize overhead in renewal
Focus on full key revocation, not attribute
Key Management Possibilities
•
•
•
•
Key expiration date
o
Adds many more attributes due to numeric attributes and timestamps
Proxy Key
o
Additional pairings, and still direct communication with proxy server
User Blacklist
o
Requires to be done by user encrypting files
Hierarchical Access Roles
o
Large overhead, need to control number of unique values
Key Insulated ABE
•
•
•
•
Temporary keys based on a time period
Revocation is not immediate
o
Must wait until end of time period
Pseudorandom function with identity as seed
o
Get next value for the next time period
Users given helper key
o
Updates current key to valid key for next value
Key Insulated CPABE
•
•
•
Replace random r value in users’ keys with a
pseudorandom value k
Setup - same as CPABE, except with definition of
pseudorandom and hash functions
Key Generation:
Key Insulated CPABE
•
•
Helper Update:
o
Additional value here due to gα and β private
User Update:
Key Insulated CPABE
•
Encryption:
Key Insulated CPABE
•
Decryption:
•
•
Interpolation - no change
Final Decryption:
Performance
•
•
•
No changes to number of operations during pairings
Additional multiplications and hashings to handle T()
in encryption/key generation
o
Equivalent of an additional attribute in key generation
User needs to perform multiplication for each
attribute during update
Size
•
•
3 values, all in the input group
Largest in type A pairing - 1536 bits
Security
•
•
•
Security of revocation directly linked to security of
pseudorandom function
o
If users can compute k values, they can generate any keys
Outside of this, same security claims as CPABE
No need to hide details of T() function
o
Needed for encryption
Disadvantages
•
How to handle previous time periods
o
•
•
o
Users keep old keys - large storage overhead
Force rencryption of files after number of time periods?
How to handle new users
o
Would not have previous keys, no access to previous files
Application depedent
o
Broadcast schemes work well for this
Conclusion
•
Type F curves provide fastest key generation and
encryption for CPABE
o
•
o
Limited in decryption due to large output groups
Type A curves provide best decryption times
Key Insulated CPABE allows non-immediate
revocation at low overhead
o
o
Security same as CPABE
Issues with storage of multiple keys
Future Work
•
•
•
•
Other pairing libraries (MIRACL)
Optimizations to operations
Comparison of KICPABE to other broadcast
revocation schemes
Security of KICPABE under other modified CPABE
models

similar documents