UPTEC F 16037
Degree project, 30 credits, June 2016
Attribute-Based Encryption in Systems with Resource Constrained Devices in an Information Centric Networking Context
Joakim Borgh

Page 1: Attribute-Based Encryption in Systems with Resource ...uu.diva-portal.org/smash/get/diva2:945208/FULLTEXT01.pdf · Devices in an Information Centric Networking Context ... two ways



Faculty of Science and Technology, UTH unit. Visiting address: Ångströmlaboratoriet, Lägerhyddsvägen 1, Hus 4, Plan 0. Postal address: Box 536, 751 21 Uppsala. Telephone: 018 – 471 30 03. Fax: 018 – 471 30 00. Website: http://www.teknat.uu.se/student

Abstract

Attribute-Based Encryption in Systems with Resource Constrained Devices in an Information Centric Networking Context

Joakim Borgh

An extensive analysis of attribute-based encryption (ABE) in systems with resource constrained devices is performed. Two system solutions for how ABE can be performed in such systems are proposed: one where the ABE operations are performed at the resource constrained devices and one where ABE is performed at a powerful server. The system solutions are discussed with three different ABE schemes. Two of the schemes are the traditional key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). The third scheme uses KP-ABE to simulate CP-ABE, in an attempt to benefit from KP-ABE being computationally cheaper than CP-ABE while keeping the intuitive way of using CP-ABE.

ABE is a computationally expensive encryption method which might not be feasible to perform at the resource constrained sensors, depending on the hardware.

An implementation of a CP-ABE scheme with a 128-bit security level was written and used to evaluate the feasibility of ABE on a sensor equipped with an ARM Cortex-M3 processor with 32 kB RAM and 256 kB flash. It is possible to perform CP-ABE on the sensor used in this project. The limiting factor for the feasibility of ABE on the sensor is the RAM size. In this case policy sizes of up to 12 attributes can be handled on the sensor.

The results give an idea of the feasibility of encryption with ABE on sensors. In addition to the results, several ways of improving the performance of ABE on the sensor are discussed.

ISSN: 1401-5757, UPTEC F16 037
Examiner: Tomas Nyberg
Subject reviewer: Christian Rohner
Supervisor: Börje Ohlman


Popular science summary

"Smart city" is a term that refers to a vision of a future city in which information and communication technology (ICT) is an essential part. In a smart city, ICT can be used to measure various aspects of the city, increase the efficiency of the services the city offers, and improve the interaction between citizens and government. The data collected during such measurements can give information about the state of a given area and how it affects the health of the citizens. The measurements are performed by small sensors that can be integrated into buildings, cars or other objects. These sensors are part of the so-called Internet of Things (IoT). Devices in the IoT are usually limited in computing power for practical reasons, such as reducing the price of the device or reducing energy consumption to extend battery life.

The data collected by the sensors can be made available to the public by uploading it to a network. For the sharing over the network to be efficient, Information-Centric Networking (ICN) can be used. ICN is an alternative network architecture in which the data in the network is named, rather than the end-points as in today's Internet. In ICN, data can be stored in intermediate nodes, e.g. routers. Requested data can be fetched regardless of where in the network it is stored, so bottlenecks in the network can be avoided. Furthermore, by naming the data, the consumers in the network become unaware of where the data is fetched from, which can be an advantage in networks where not all nodes are always available.

Some of the collected data may be private and must therefore have some kind of protection so that only authorized persons have access to it. A common way to prevent unauthorized persons from reading the data is to encrypt it. Traditional encryption methods encrypt the data for a specific person and must therefore be applied once per authorized person, creating a new file per person. This is problematic because such files are of no use if stored in routers in the network, since only one specific person can open each of them. A promising solution to this is Attribute-Based Encryption (ABE).

ABE allows the encryptor to encrypt the data without knowing the identity of all recipients. Instead the encryptor uses descriptive attributes to specify who is authorized to decrypt the data. Encryption with ABE has the property that the data only needs to be encrypted once regardless of the number of recipients, so the encrypted data can also be stored in routers. This makes ABE a suitable type of encryption for ICN. The drawback of ABE is that it is an expensive encryption method in terms of computation. This property can be a problem in a system where sensors with limited computing power must perform the encryption.

In this project two system solutions are proposed for how ABE can be used in systems containing devices with limited computing power. The solutions are discussed based on experimental results of ABE encryption on a sensor. The most suitable solution depends on how limited the sensors are in computing power, the number of descriptive attributes used in the encryption, and any timing requirements that exist in the application area.



Contents

1 Introduction
  1.1 Project description
2 Background
  2.1 Information Centric Networking
    2.1.1 Content Centric Networking
    2.1.2 Security in ICN
  2.2 Encryption
    2.2.1 Symmetric key encryption
    2.2.2 Public key cryptography
    2.2.3 Security levels
  2.3 Serialization
  2.4 Mathematical tools
    2.4.1 Cyclic group
    2.4.2 Finite fields
    2.4.3 Elliptic curve cryptography
    2.4.4 Multiplicative and additive notation
    2.4.5 Pairing
    2.4.6 Lagrange polynomial
  2.5 Shamir's Secret Sharing Scheme
  2.6 Security on sensors
  2.7 Attribute-based encryption
    2.7.1 General information
    2.7.2 Multi-authority ABE
    2.7.3 Key revocation
    2.7.4 Computational requirements
    2.7.5 ABE on resource constrained devices
    2.7.6 The low-level operations of ABE
3 Software
  3.1 QEMU
  3.2 Valgrind
  3.3 Relic-toolkit
  3.4 The Functional Encryption Library
4 Hardware
  4.1 Laptop
  4.2 Sensor
5 Schemes
  5.1 Scheme discussion
  5.2 Simulated CP-ABE
6 System
  6.1 System overview and scenario
  6.2 Proposals
    6.2.1 Proposal I - Authority ABE
    6.2.2 Proposal II - Sensor ABE
7 Implementation
8 Results
  8.1 Sensor performance
9 Discussion
  9.1 System proposals and schemes
    9.1.1 Simple CP-ABE
  9.2 Implementation
  9.3 Results
10 Conclusions
11 Acknowledgements


1 Introduction

The term smart city is often used to describe an urban development vision where information and communication technology (ICT) is a vital part. The ICT can be used to monitor certain aspects of the city, increase the efficiency of services provided by the city and improve interactivity between citizens and government. The data collected from monitoring can be used to draw conclusions about the state of the surroundings and how it affects the health of the citizens. The monitoring is performed by small sensors which can be integrated into buildings, cars or other objects. These sensors are part of the so-called Internet of Things (IoT). Devices in the IoT are usually resource constrained for practical reasons such as reducing the price of the device and limiting energy consumption to increase battery lifetime.

The data collected by the sensors is made available by uploading it to a network. To have efficient sharing across the network, Information-Centric Networking (ICN) can be used. ICN is an alternative network architecture where the data is named rather than the end-points. ICN allows data to be cached at intermediate nodes, such as routers. The requested data can be obtained regardless of where in the network it is stored, and therefore congestion and bottlenecks can be avoided. Additionally, by naming content the consumers in the network become source agnostic, which is beneficial in networks where not all nodes are present at all times.

Some of the data gathered might be sensitive and should therefore have some protection such that it cannot be accessed by unauthorized persons. A classical way of enforcing access control is to encrypt the data. Traditional encryption methods encrypt the data for a specific user, so the data must be encrypted once for every user it is intended for, i.e. creating a separate object per user. This conflicts with the main property of ICN, as such an encrypted data object can only be accessed by one person and thus does not benefit from being cached in the network. A promising solution to this is attribute-based encryption (ABE).

ABE allows the encryptor to encrypt the data without knowing the identities of all recipients. Instead the encryptor uses descriptive attributes to specify who can access the data. With ABE the data only needs to be encrypted once regardless of how many recipients there are, thus the encrypted data can be cached, and therefore ABE is suitable for ICN. The cost of this expressiveness is computational efficiency. The ABE operations are expensive and might conflict with the resource constrained sensors.

In this project two ways of employing ABE in systems with resource constrained devices are presented. The solutions are discussed based on experimental results of the ABE encryption algorithm on a resource constrained sensor. The most suitable solution is determined by the computational power of the sensor, the maximum policy length and the time requirements of the application. In addition, three different ABE schemes are discussed for these two system solutions.

1.1 Project description

There is an ongoing project named "Green IoT" which is working towards making Uppsala a smart city. This project is a collaboration between different universities, companies and other research institutions. The collaborators are Uppsala University, KTH, SICS, Uppsala Kommun, Ericsson, IBM, SenseAir AB, Upwis AB and 4Dialog AB. In this project sensors are being deployed in the city to gather data about air pollution. One part of this project is to evaluate the performance of information-centric networking (ICN) in this context, and it is within this part that this thesis is performed [5]. A conceptual picture of the setup of the system can be seen in Figure 1; this is a general setup and describes how the data is transmitted from the sensors to the user in the network.



Figure 1: A conceptual image of the Green IoT system.

Suppose that the data collected by the sensors is sensitive and the gateway is not trusted. The data should therefore be encrypted, and the encryption must take place at the sensors since the gateway is not trusted. In an ICN context a promising encryption type is attribute-based encryption (ABE). However, ABE is significantly more costly in terms of computation than traditional encryption methods, and the sensors in the system are resource-constrained devices.

The goal of this project is to investigate how ABE can be used in this system with resource-constrained devices under the assumption that the gateway is not a trusted entity. In other words, the intention is to answer the question: "Is it possible to perform ABE at the sensors and to what extent, or must other solutions be considered and if so, what are these other solutions?"



2 Background

2.1 Information Centric Networking

When the current Internet architecture was created it was designed with communication between two computers in mind. Lately the way we use the Internet has shifted from communication towards content distribution such as video, photo and document sharing. The architecture of the Internet can therefore be redesigned to improve content dissemination and better suit the way the Internet is used today. One attempt at doing so is called Information Centric Networking (ICN). In ICN the content is addressed and named, rather than the end-points. This allows content to be retrieved regardless of where in the network it may be stored and can therefore reduce congestion and bottlenecks in the network. There are several ICN architectures; among the most popular are Named Data Networking (NDN) and Content-Centric Networking (CCN) [25].

There are three key changes required to shift the model from communication towards distribution:

1. Naming: name and address the content rather than the end-points. This allows content to be retrieved regardless of where in the network it is stored.

2. Memory: in a communication network the memory is invisible. In a distribution network the memory in the network (i.e. router caches) is utilized to cache content which is requested often.

3. Security: in a communication network the security is based on establishing a secure channel between the end-points. In a distribution network the security is based on securing the content itself, as it is disseminated within the network and can be obtained from anywhere within the network by knowing the content's name.

2.1.1 Content Centric Networking

Content-centric networking is an example of an ICN architecture created by the Palo Alto Research Center (PARC).

Communication in CCN uses two packet types: interest packets and content packets. A consumer asks for content by sending an interest packet. Any CCN node which possesses the content requested in the interest packet responds with a content packet carrying the requested content. A CCN node may forward an interest packet if it cannot satisfy the request itself; the node's forwarding tables determine in which direction to send the interest packet. Content packets contain, in addition to the requested data, the full name, a signature over the packet, information that identifies the signer and supporting details. This additional information allows a consumer to verify the integrity and origin of the content, no matter which cache it was served from. CCN employs flow balance, meaning that an interest packet is answered by at most one content packet and no content packet is sent without a request.

Further information and a more detailed description of CCN can be found in [25].

2.1.2 Security in ICN

Encryption is a tool to secure the content itself, which is what ICN needs. Traditional encryption methods are problematic in ICN as they encrypt the data for a specific user, so data encrypted this way does not benefit from caching: it is a separate object for every user. In ICN, attribute-based encryption (ABE) is a promising encryption method, as the authorized readers are described by attributes and a single encrypted object serves any number of users. The encrypted data can therefore be cached, so the efficient content dissemination is preserved for encrypted traffic too.

Other efforts to enforce access control in ICN have been made; for example, in [19] an encryption-based access control framework for ICN is presented. It is particularly useful for large content or content which consists of many content objects, such as a video. Another idea for ensuring object security is called Interest Based Access Control (IBAC) and is presented in [15]. IBAC works on the idea that only authorized consumers should be able to issue proper interests for protected content objects. This is realized by obfuscating the names of protected content objects. The method is susceptible to attacks from eavesdroppers (an obfuscated name observed on the wire can be reused) and to denial-of-service attacks. The method is not mutually exclusive with encryption and could be used together with encryption for content that is particularly sensitive.

2.2 Encryption

There are three commonly used keywords in information security:

1. Confidentiality - the assurance that only authorized entities can get access to the content of the file.

2. Integrity - the assurance that the content of a file has not been tampered with or altered.

3. Authenticity - the assurance that an entity is the entity it claims to be.

Encryption is a tool to encode the contents of a file or message so that confidentiality is provided and only users with the correct key can decode it. This is done by encoding the message (also called the plaintext) into a ciphertext. The ciphertext is a non-trivial obfuscation of the plaintext. In order to restore the plaintext, the ciphertext has to be decoded with the proper key, which should only be known to authorized recipients. Encryption does not prevent an adversary from intercepting the message; it only prevents the adversary from reading it. It is in principle possible for an adversary to decrypt a message without possessing the decryption key, but for a well-designed encryption scheme this requires infeasible amounts of computation and time. Note that encryption by itself provides confidentiality only; integrity and authenticity require additional mechanisms such as message authentication codes or digital signatures. There are two main groups of encryption: symmetric key encryption and public key encryption.

2.2.1 Symmetric key encryption

Symmetric key encryption is an encryption scheme where the same key is used for encryption and decryption. This requires both parties to have exchanged the key to be used during the communication before the secure communication starts. There are different ways to securely exchange a shared key between the parties, and one of these is public key encryption.

One of the most common symmetric encryption algorithms is the Advanced Encryption Standard (AES).

2.2.2 Public key cryptography

In public key encryption (or asymmetric encryption) every user in the system generates a key pair, a public key and a private key. A user's public key is public and anyone in the system can access it, while a user's private key should be kept private. The asymmetric encryption algorithm has the property that a message encrypted with a particular public key can only be decrypted with the corresponding private key. Suppose that a user Alice wants to encrypt a message to another user Bob in the system. If Alice encrypts her message with Bob's public key and then sends the message to Bob, Bob can decrypt the message using his private key. This type of encryption requires no pre-determined shared secret to begin secure communication, as only the intended recipient can decrypt the message. The public and private key of a user are related by a cryptographic algorithm based on a mathematical problem for which no efficient solution is currently known, e.g. integer factorization or the discrete logarithm problem. It is computationally easy to generate a public and private key pair for a user. The security of the encryption lies in the difficulty of computing the private key from the corresponding public key.

The public key encryption algorithms known today require significantly more computational effort than symmetric key encryption algorithms do. Therefore it is common to initialize a session with a public key message to share a symmetric key and then use this symmetric key for the rest of the session.

A benefit of public-key encryption is that if one of the parties, say Bob, is reckless with his private key, then only messages intended for Bob are compromised. Thus Alice is not penalized by Bob's recklessness and can still communicate securely with any other party but Bob.

One of the most widely used public-key encryption methods is RSA, named after the surnames of its creators (Rivest, Shamir and Adleman).

2.2.3 Security levels

In cryptography the security level of a scheme is often measured in bits, e.g. 80-bit security. This measure originates from the key length of a symmetric key. If there is no structural weakness in the symmetric encryption algorithm, an attacker's only option is a brute force attack, i.e. an exhaustive search that tries all possible keys in the entire key space. A key length of 80 bits means that the key space consists of $2^{80}$ different keys. By increasing the key length the number of possible keys grows exponentially, and the security level increases accordingly.

In asymmetric encryption the key length does not directly correspond to the security level. Instead the security of asymmetric encryption depends on the intractability of the underlying mathematical problems, such as integer factorization. However, the National Institute of Standards and Technology (NIST) and other institutes publish guidelines for translating the key size of asymmetric algorithms to a security level in terms of symmetric key length. For example, the NIST guidelines state that 80-bit security with RSA requires a modulus of 1024 bits (the RSA modulus is a product of two large primes, not itself a prime). NIST has since deprecated the 80-bit level; the 128-bit level used in this thesis corresponds to a 3072-bit RSA modulus or a 256-bit elliptic curve. More information about key length recommendations can be found in [2].

2.3 Serialization

Serialization is the process of writing a data structure to a format, a sequence of bytes, which can be stored in a file or a memory buffer or transferred over a network. The reconstruction from this format back to the data structure is called deserialization. The C programming language has no built-in serialization function, so one has to be written manually if needed. A sequence of bytes in C is represented by a byte array, i.e. an array of uint8_t. Listing 1 shows a simple example of serialization and deserialization of an int in C. Serialization is hardware dependent because the endianness of the architecture might differ; a serialization format must therefore fix a byte order explicitly (as Listing 1 does by shifting) rather than copying the in-memory representation of the value.



Listing 1: A simple example of serialization and deserialization of an integer.

#include <stddef.h>
#include <stdint.h>

/* Serialization of an int.
 * buffer: byte array where the serialized int will be stored
 * val:    int to serialize
 * The least significant byte is written first, independent of host endianness. */
void int_to_bytes(uint8_t *buffer, int val)
{
    unsigned int u = (unsigned int) val;   /* shift as unsigned: shifting a negative int is undefined */
    for (size_t i = 0; i < sizeof(int); ++i) {
        buffer[i] = (uint8_t) (u >> (8 * i));
    }
}

/* Deserialization of an int.
 * val:    pointer to int where the deserialized int will be stored
 * buffer: byte array containing the serialized int */
void bytes_to_int(int *val, const uint8_t *buffer)
{
    unsigned int u = 0;
    for (size_t i = 0; i < sizeof(int); ++i) {
        u |= (unsigned int) buffer[i] << (8 * i);   /* widen before shifting so the top byte is safe */
    }
    *val = (int) u;
}
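The helpers in Listing 1 cover a single int. As an added example (not code from the thesis), the following C block serializes a small record with an explicitly fixed little-endian byte order and deserializes it with a length check before any byte is read, which is what a sensor or gateway needs when a packet may arrive truncated. The record layout (sensor id, timestamp, temperature, flags), the field widths and the sample values are constructed for illustration and are not a format used in the Green IoT system.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical sensor reading, constructed for this example. */
struct reading {
    uint32_t sensor_id;
    uint32_t timestamp;    /* seconds since epoch */
    int16_t  temp_deci_c;  /* temperature in tenths of a degree C, may be negative */
    uint8_t  flags;
};

#define READING_WIRE_SIZE 11u  /* 4 + 4 + 2 + 1 bytes, fixed little-endian layout */

/* Fixed little-endian encoders: the byte order is a property of the format,
   not of the CPU that happens to run the code. */
static void put_u32_le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_u16_le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static uint16_t get_u16_le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the number of bytes written, or 0 if the buffer is too small. */
size_t reading_serialize(const struct reading *r, uint8_t *buf, size_t cap) {
    if (cap < READING_WIRE_SIZE) return 0;
    put_u32_le(buf + 0, r->sensor_id);
    put_u32_le(buf + 4, r->timestamp);
    put_u16_le(buf + 8, (uint16_t)r->temp_deci_c);  /* two's complement pattern on the wire */
    buf[10] = r->flags;
    return READING_WIRE_SIZE;
}

/* Returns 0 on success, -1 if the input is shorter than one record. The length
   check comes before any read, so a truncated packet cannot cause an
   out-of-bounds access. */
int reading_deserialize(struct reading *r, const uint8_t *buf, size_t len) {
    if (len < READING_WIRE_SIZE) return -1;
    r->sensor_id   = get_u32_le(buf + 0);
    r->timestamp   = get_u32_le(buf + 4);
    r->temp_deci_c = (int16_t)get_u16_le(buf + 8);
    r->flags       = buf[10];
    return 0;
}

/* Round-trips a constructed reading and checks the exact wire bytes.
   Returns 1 if everything matches, 0 otherwise. */
int reading_roundtrip_selftest(void) {
    struct reading in = { 0x00010203u, 1466000000u, -125, 0x81 }, out;
    uint8_t wire[READING_WIRE_SIZE];
    /* Expected bytes: id LE; 1466000000 = 0x57616280 LE; -125 = 0xFF83 LE; flags. */
    static const uint8_t expected[READING_WIRE_SIZE] =
        { 0x03, 0x02, 0x01, 0x00, 0x80, 0x62, 0x61, 0x57, 0x83, 0xFF, 0x81 };
    if (reading_serialize(&in, wire, sizeof wire) != READING_WIRE_SIZE) return 0;
    if (memcmp(wire, expected, sizeof wire) != 0) return 0;
    if (reading_deserialize(&out, wire, sizeof wire) != 0) return 0;
    return out.sensor_id == in.sensor_id && out.timestamp == in.timestamp &&
           out.temp_deci_c == in.temp_deci_c && out.flags == in.flags;
}

int main(void) {
    printf("round trip %s\n", reading_roundtrip_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Because every field goes through the shift-based encoders, the same bytes are produced on the little-endian Cortex-M3 and on a big-endian host, and a receiver that gets fewer than 11 bytes is told so instead of reading past the buffer.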

2.4 Mathematical tools

In this section some mathematical tools needed for understanding the implementation and the scheme are introduced. The tools are described briefly and at a level sufficient for understanding this project; for more information about a particular tool, see the references of that section.

2.4.1 Cyclic group

A group in mathematics is a set of elements together with an operation that combines any two elements of the set to form a third element of the set. For the set and the operation · to qualify as a group G, they must satisfy the four group axioms:

1. Closure: if a, b ∈ G, then a · b ∈ G

2. Associativity: a · (b · c) = (a · b) · c

3. Identity element: there exists an identity element e such that a · e = e · a = a for every a

4. Inverse: every element has an inverse, that is, for every a there exists b such that a · b = b · a = e

In a cyclic group there exists a single element g from which every other element in the set can be obtained by repeatedly applying the group operation to g. The element g is called a generator of the group [18].

An example of a cyclic group is the set {0, 1, 2, 3} with addition modulo 4. Here the element 1 is a generator, since every element can be obtained by adding 1 to itself: 1, 1 + 1 = 2, 1 + 1 + 1 = 3, 1 + 1 + 1 + 1 = 0. The element 2 is not a generator, since repeatedly adding 2 only reaches {2, 0}.

2.4.2 Finite fields

A finite field is a set with a finite number of elements on which both addition and multiplication are defined, such that the elements form a group under addition and the non-zero elements form a group under multiplication. An example of a finite field is the integers modulo a prime p with addition and multiplication modulo p; this field is denoted $\mathbb{Z}_p$. Primality matters: modulo a composite n some non-zero elements have no multiplicative inverse, so $\mathbb{Z}_n$ is then a ring but not a field.



2.4.3 Elliptic curve cryptography

Elliptic curve cryptography (ECC) is a type of public key cryptography based on elliptic curve groups over finite fields. An elliptic curve is the set of points described by the equation

$$y^2 = x^3 + ax + b, \qquad (1)$$

where a and b are parameters that determine the shape of the curve (with $4a^3 + 27b^2 \neq 0$, so that the curve is non-singular). An elliptic curve group G consists of the points on the curve together with a group operation called addition, denoted by '+'. Furthermore a point at infinity is needed, denoted 0, which serves as the identity element.

In addition to the four group axioms, the addition operation of elliptic curve groups is commutative, i.e. if P, Q ∈ G then P + Q = Q + P.

For the purposes of this project a high level understanding of the elliptic curve group is sufficient; for more detailed information see [29].

2.4.4 Multiplicative and additive notation

In group theory two notations are commonly used, multiplicative and additive notation. In elliptic curve groups the additive notation is normally used. However, when describing general schemes which may use different groups, some authors use multiplicative notation. Table 1 shows how the operations of the two notations correspond to each other.

Table 1: Correspondence between the two notations; P, Q are elements of the group and a is a scalar.

    Multiplicative notation      Additive notation
    PQ                           P + Q
    P^a                          aP
    1 (identity element)         0 (referred to as the point at infinity)
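The group law of Section 2.4.3 and the additive notation of Table 1 are easier to trust once computed. The block below is an added example, not code from the thesis or from the Relic toolkit: it implements point addition, doubling and double-and-add scalar multiplication (the aP of Table 1) on the toy curve $y^2 = x^3 + 2x + 2$ over $\mathbb{Z}_{17}$, a textbook curve chosen only because its 19-point group can be checked by hand, and confirms closure, P + Q = Q + P, and that 19G is the point at infinity. The curve constants and the generator G = (5, 1) are assumptions made for the example; a curve this small has no security value.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy curve y^2 = x^3 + 2x + 2 over Z_17 (constructed for illustration only).
   G = (5, 1) generates a cyclic group of order 19. */
#define EC_P 17
#define EC_A 2
#define EC_B 2

typedef struct { int64_t x, y; int inf; } ec_point;  /* inf != 0: the point at infinity (identity 0) */

static const ec_point EC_INF = { 0, 0, 1 };

/* Reduce into [0, p), also for negative intermediate values. */
static int64_t md(int64_t v) { v %= EC_P; return v < 0 ? v + EC_P : v; }

/* Modular inverse by Fermat's little theorem, v^(p-2) mod p; valid because p is prime.
   Variable-time: fine for a toy, unacceptable in a real implementation. */
static int64_t inv(int64_t v) {
    int64_t r = 1, b = md(v), e = EC_P - 2;
    for (; e > 0; e >>= 1, b = md(b * b)) if (e & 1) r = md(r * b);
    return r;
}

ec_point ec_generator(void) { ec_point g = { 5, 1, 0 }; return g; }

/* Closure check: does the point satisfy equation (1) modulo p? */
int ec_on_curve(ec_point p) {
    if (p.inf) return 1;
    return md(p.y * p.y) == md(p.x * p.x * p.x + EC_A * p.x + EC_B);
}

int ec_eq(ec_point p, ec_point q) {
    if (p.inf || q.inf) return p.inf && q.inf;
    return p.x == q.x && p.y == q.y;
}

/* The group operation '+' in affine coordinates. */
ec_point ec_add(ec_point p, ec_point q) {
    if (p.inf) return q;                                  /* 0 + q = q */
    if (q.inf) return p;                                  /* p + 0 = p */
    if (p.x == q.x && md(p.y + q.y) == 0) return EC_INF;  /* q = -p, so p + q = 0 */
    int64_t lam;
    if (p.x == q.x)                                       /* doubling: tangent slope */
        lam = md((3 * p.x * p.x + EC_A) * inv(2 * p.y));
    else                                                  /* distinct points: chord slope */
        lam = md((q.y - p.y) * inv(q.x - p.x));
    ec_point r = { 0, 0, 0 };
    r.x = md(lam * lam - p.x - q.x);
    r.y = md(lam * (p.x - r.x) - p.y);
    return r;
}

/* Scalar multiplication kP by double-and-add. */
ec_point ec_mul(uint64_t k, ec_point p) {
    ec_point r = EC_INF;
    for (; k > 0; k >>= 1, p = ec_add(p, p)) if (k & 1) r = ec_add(r, p);
    return r;
}

int main(void) {
    ec_point g = ec_generator();
    for (uint64_t k = 1; k <= 19; k++) {
        ec_point q = ec_mul(k, g);
        if (q.inf) printf("%2llu G = 0 (point at infinity)\n", (unsigned long long)k);
        else       printf("%2llu G = (%lld, %lld)\n", (unsigned long long)k,
                          (long long)q.x, (long long)q.y);
    }
    return 0;
}
```

Running it lists the whole group, 1G through 18G followed by 19G = 0, which is the cyclic structure of Section 2.4.1 in additive notation: every point is a multiple of the single generator G.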

2.4.5 Pairing

In multiplicative notation the pairing operation can be written as

$$e : G_1 \times G_2 \to G_T, \qquad (2)$$

where $G_1$, $G_2$ and $G_T$ are three multiplicative cyclic groups of prime order p and e is a bilinear map. Let $g_1$ be a generator of $G_1$ and $g_2$ a generator of $G_2$. The bilinear map e has the following properties:

1. Bilinearity: for all $u \in G_1$, all $v \in G_2$ and $a, b \in \mathbb{Z}_p$, we have $e(u^a, v^b) = e(u, v)^{ab}$.

2. Non-degeneracy: $e(g_1, g_2) \neq 1$.

Also notice that the exponents can be swapped between the two arguments, because $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab} = e(g_1^b, g_2^a)$ [33].

If $G_1 = G_2$ the pairing is called symmetric; otherwise, when $G_1 \neq G_2$, it is an asymmetric pairing.

2.4.6 Lagrange polynomial

In polynomial interpolation, where a set of points $\{(x_1, y_1), \ldots, (x_n, y_n)\}$ with distinct $x_i$ is given and one finds a polynomial which passes through these points, the Lagrange polynomial is the unique polynomial of least degree that passes through them. The Lagrange polynomial L(x) is computed from

$$L(x) = \sum_{i=1}^{n} y_i\, \ell_i(x), \qquad (3)$$

where the $\ell_i$ are the Lagrange basis polynomials, which in turn are computed by

$$\ell_i(x) = \prod_{\substack{j=1 \\ j \neq i}}^{n} \frac{x - x_j}{x_i - x_j}. \qquad (4)$$

2.5 Shamir’s Secret Sharing Scheme

The basic idea of Shamir’s secret sharing is that it requires 2 points to uniquely define a line, 3points to uniquely define a parabola and more generally k points uniquely define a (k− 1) degreepolynomial. This idea can be used to construct a k of n threshold secret, i.e. the secret is splitinto n parts and it requires k parts to fully reconstruct the secret. This secret sharing has theproperty that someone with knowledge of (k− 1) or fewer parts can not determine the secret, butanyone with k or more parts can easily recover the secret [27].

Suppose that there is a secret $s$ which is to be shared in a $k$ of $n$ threshold fashion. The first step is to generate a $(k - 1)$ degree polynomial

$P(x) = a_0 + a_1 x + \cdots + a_{k-1} x^{k-1} \quad (5)$

by setting $a_0 = s$ and randomizing the coefficients $(a_1, a_2, \ldots, a_{k-1})$. Even though $s$ could be set as any coefficient it is common practice to choose $P(0) = s$. Then $n$ points on this curve are evaluated, creating the shares $(x_i, P(x_i))$ for $i = 1, \ldots, n$.

Reconstructing the secret $s$ given any $k$ shares $\{(x_1, P(x_1)), \ldots, (x_k, P(x_k))\}$ is done by computing the Lagrange polynomial evaluated at zero. This in turn is done by first computing the Lagrange basis polynomials evaluated at zero:

$\ell_i(0) = \prod_{j \neq i} \frac{x_j}{x_j - x_i}, \quad (6)$

then the secret can be reconstructed by

$s = P(0) = \sum_{i=1}^{k} P(x_i)\, \ell_i(0). \quad (7)$

2.6 Security on sensors

The popularity of sensor networks is increasing due to the versatility and the low cost of the networks, which yield cheap solutions for many applications. The increasing interest in sensor networks also directly increases the demand for proper security solutions in sensor networks. Sensor networks are constrained in terms of resources and computing power and they are employed in a different manner than ordinary computer networks. Therefore they face different security challenges than ordinary computer networks, and the security solutions of ordinary computer networks may not be appropriate in a sensor network due to the constrained nature of the network.

The major concerns that stem from the hardware constraints of the sensors are the limitations in memory, storage space and power. The limited memory and storage space force the code related to security to be small in size. Regarding the power consumption one has to take into account the extra processing work incurred by the security operations (encryption, decryption, signing and verification) and the additional energy required to transmit the message overhead introduced by the security algorithms [32].

Symmetric key encryption is typically no problem to perform at the resource constrained sensors. In fact, it is not uncommon that sensors have built-in hardware support for symmetric encryption, as it is a vital part of secure communication. However, public key encryption is more expensive, and since sensors generally do not have hardware support for public key encryption it requires a software implementation. Such an implementation consumes several kB of the constrained device's memory space because it requires implementations of multi-precision integers and modular arithmetic.

There have been several research attempts that try to circumvent the need for public key encryption on sensors. However, these attempts do not yield the same degree of security or functionality. Thus, actual public key encryption is preferred on the sensors [24].

Elliptic curve cryptography (ECC) tends to be the most popular choice for public key encryption at sensors due to the small key sizes and relatively fast computations. For example, to achieve an 80-bit security level a 160-bit curve in ECC is needed while RSA needs a 1024-bit key. In [24] ECC operations are implemented for sensors and different optimization techniques to reduce RAM usage, ROM usage and time for the operations are shown. They manage to run the ECC operations on sensors with only 10 kB of RAM. These results suggest that public key encryption at sensors is feasible, and this is likely to become even better with time as more powerful sensors become available at lower prices.

Another issue with public key encryption is that in order to avoid man-in-the-middle attacks certificates have to be issued (called a public key infrastructure). These certificates have to be stored, exchanged and verified, which incurs extra storage, communication and computations for the sensors. This has prompted researchers to explore different ways of key exchange, among which identity-based encryption (the encryption type that attribute-based encryption sprang from) can be found. In identity-based encryption pairings have to be computed, which is also a component of attribute-based encryption. These pairings are regarded as computationally expensive; even so, in [26] a pairing is computed on an 8-bit processor with only 4 kB of RAM.

2.7 Attribute-based encryption

2.7.1 General information

Attribute-based encryption (ABE) is a form of public key encryption where data is described with attributes as meta-data. The attributes decide how the data is encrypted. This way data can be made accessible only to entities that have the corresponding keys, which also consist of attributes. Unlike traditional public-key encryption methods ABE allows the encryption to be expressive and not only for a particular user. There are two types of ABE: Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE). In KP-ABE the access policy is embedded in a user's private key and the attributes are used to describe the ciphertext. In CP-ABE the policy is embedded in the ciphertext and each user's private key is a collection of attributes. In both types of ABE a successful decryption can happen if and only if the attributes of the ciphertext/user's key satisfy the access policy in the user's key/ciphertext. An example of CP-ABE could be that a physician encrypts a patient's health record under the access policy: (“Physician” AND “Hospital A”) OR (“Insurance company A” AND “Health Insurance Department”). A user that wants to decrypt this file must then possess the attributes of being a physician and being affiliated with a certain hospital, or the user must have the attributes of working at the health insurance department of a particular insurance company. The person performing the encryption does not need to know the exact identities of all the authorized recipients; instead it suffices to specify these descriptive attributes.

The descriptive access policy which is specified is turned into an access tree before it is embedded in the user's key/ciphertext. It is turned into an access tree to be able to enforce the policy via secret sharing in a structured way. In Figure 2 the access tree corresponding to the descriptive access policy specified in the above example is shown.


Figure 2: The access tree generated from the descriptive access policy: (“Physician” AND “Hospital A”) OR (“Insurance company A” AND “Health Insurance Department”).

A typical ABE system consists of four algorithms: setup, key-generation, encrypt and decrypt. Below a description of the algorithms is shown for CP-ABE. The same algorithms are present in a KP-ABE system, but one associates the ciphertext CT with a set of attributes S instead of an access policy A and embeds an access policy in the user's private key instead of a set of attributes S.

Algorithm        Function

setup            No input except an implicit security parameter. This algorithm is called only upon initialization of the system to generate the public key PK and the master key MSK of the system.

encrypt          Input: a message M, the public key PK and an access policy A under which the message should be encrypted. It outputs a ciphertext CT which is the encrypted message with the access policy A embedded.

key-generation   Input: the master key MSK and a set of attributes S. It outputs the private key SK corresponding to the attributes in S.

decrypt          Input: a ciphertext CT, the public key PK and SK. SK is the private key of the user trying to decrypt. If the decryption is successful (i.e. SK contains the attributes satisfying the access policy A) it outputs the original message M.

The low-level inner workings of an ABE system are based on elliptic curve cryptography and are explained in more detail in section 2.7.6.

An essential property of a well-designed ABE system is collusion resistance. This means that if users combine their private keys they should not be able to decrypt files which they could not decrypt individually. Relating back to the former example of the encrypted patient's health record, suppose there are two users: A, with the attributes (“Hospital B”, “Physician”), and B, with the attributes (“Hospital A”, “Nurse”). Neither of them can open the patient's health record with their key alone, therefore they should not be able to do so if they collude. The solution to this presented in [14] is that every user has a random number associated with their private key which blinds the secret. If the same key has been used for all of the decryption the secret can successfully be “unblinded”, but if different keys are used the blinding of the secret remains and thus collusion will not work.

In an ABE system a key authority (or simply authority) is needed to generate the users' keys. This authority is required to be fully trusted as it will issue all of the keys.


2.7.2 Multi-authority ABE

Having a single authority is simple but it has a few drawbacks. As all trust is put into one authority, the entire system (i.e. all files within the system) is compromised if this authority is corrupt or compromised in other ways. A well-designed multi-authority system distributes the trust among different authorities such that several malicious/compromised authorities are needed to compromise the entire system. Additionally one might want different authorities to issue different attributes. For example there might be some national medical agency which keeps track of and validates licenses for physicians, and therefore it would be appropriate if it were an authority and could issue the attribute Physician. Similarly it is most appropriate and convenient that a hospital issues the attribute of working at this particular hospital, i.e. hospital A would issue the attribute Hospital A.

If a file were encrypted under the policy "Physician" AND "Hospital A" in the system above, it would require two attributes from different authorities to successfully decrypt. In such a system collusion resistance cannot be achieved the same way as before, as it relied on one authority using the same blinding (a random number per user) of the secret. In [22] a multi-authority system (where any user can become an authority) is presented which is collusion resistant and where no central authority is needed to verify the keys. Instead every user in the system is assigned a global identifier (GID) which acts as a linchpin for the keys issued by different authorities. Any attempt at decrypting by combining keys issued for different GIDs will fail.

An elaborate solution such as [22] is not always necessary. If the policies that files are encrypted under in the system only consist of attributes issued from one key authority, then one can just define a disjoint system per authority. This is implemented in [13], where everyone can be a key authority but every key authority is associated with a separate public key, i.e. every authority defines a separate system. This means that a key can only consist of attributes from one authority. In the article it is used for a privacy aware online social network where every user becomes a key authority to generate keys for their “friends” to grant access to their statuses, photos etc.

2.7.3 Key revocation

One of the benefits of ABE is that when a new user enters the system or gets additional attributes he/she just needs to get his/her key and everything will work as intended. The same is not true when a user's privileges are being revoked. In order to enforce attribute/key revocation, re-keying of all the authorized users is required.

In ICN another issue of key revocation is present, namely that the content encrypted under the previous key might still be cached in a router. Removing such content by ordering all copies of it destroyed might be impossible or would at least severely damage the performance of the network. A solution for immediate revocation in ICN, which is presented in [28], is to employ a proxy server and split the content messages into two: one with the access structure and one with the data. The access structure should be stored at the proxy. When a user wants to access this content he/she will send two interest packets: one for the data and one for the access structure. In the access structure interest packet the user will append his/her user id. The proxy will validate that this user has not had his/her privileges revoked. If the user is authorized then a non-cacheable data packet containing the access structure is sent to the user and the user can decrypt the content. If the user is not authorized he/she cannot decrypt the file as the access structure is missing. An advantage of this system is that a change in the access policy of some content is immediate (as the access policy is only stored at the proxy) and the already cached content can remain in the network without being compromised.
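The message flow just described, as an added simulation that is not part of the thesis or of [28]: a router that caches every cacheable packet, a producer that publishes the data half, and a proxy that holds the access-structure half together with the revocation list. The content name, the user ids and the toy XOR "decryption" are constructed placeholders; the point shown is that the cached data packet stays in the network unchanged while a revoked user, who still receives it from the cache, can no longer obtain the non-cacheable access structure.

```python
# Constructed simulation of the proxy-assisted revocation flow described above.
# Names, packet layout and decrypt() are placeholders; no real ABE is performed.


class Router:
    """ICN router: caches data packets marked cacheable and answers repeated
    interests from the cache, the behaviour that makes revocation hard."""

    def __init__(self):
        self.cache = {}
        self.log = []  # (interest name, "cache" | "origin")

    def fetch(self, name, origin):
        if name in self.cache:
            self.log.append((name, "cache"))
            return self.cache[name]
        pkt = origin(name)
        self.log.append((name, "origin"))
        if pkt is not None and pkt["cacheable"]:
            self.cache[name] = pkt
        return pkt


class Producer:
    """Publishes the data half: the symmetrically encrypted payload, cacheable."""

    def __init__(self):
        self.content = {}

    def publish(self, name, ciphertext):
        self.content[name] = {"cacheable": True, "payload": ciphertext}

    def serve(self, name):
        return self.content.get(name)


class Proxy:
    """Holds the access-structure half per content name and the revocation list."""

    def __init__(self):
        self.access = {}
        self.revoked = set()

    def set_access_structure(self, name, structure):
        self.access[name] = structure  # a policy change takes effect immediately

    def revoke(self, user):
        self.revoked.add(user)

    def serve(self, name, user):
        if user in self.revoked or name not in self.access:
            return None
        return {"cacheable": False, "payload": self.access[name]}  # never cached


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def decrypt(data_payload, access_payload):
    """Toy stand-in for ABE decryption: the access structure carries what an
    authorized user needs to recover the symmetric key; without it, nothing works."""
    return xor_bytes(data_payload, access_payload["key_material"])


def consume(user, name, router, producer, proxy):
    """Consumer sends two interests: one for the (cacheable) data and one, carrying
    the user id, for the access structure. Returns the plaintext or None."""
    data = router.fetch(name, producer.serve)
    access = router.fetch((name, "access", user), lambda _n: proxy.serve(name, user))
    if data is None or access is None:
        return None
    return decrypt(data["payload"], access["payload"])


def demo():
    """Publish one item, serve it, revoke one user, and show that the cached data
    stays in the network while the revoked user can no longer decrypt it."""
    router, producer, proxy = Router(), Producer(), Proxy()
    name = "/hospital-a/patient-42/vitals"            # constructed content name
    message = b"heart rate 72 bpm"
    key = bytes(range(len(message)))                  # constructed, fixed for the demo
    producer.publish(name, xor_bytes(message, key))
    proxy.set_access_structure(name, {"policy": "Physician AND Hospital A",
                                      "key_material": key})
    first = consume("alice", name, router, producer, proxy)
    proxy.revoke("alice")
    after_revocation = consume("alice", name, router, producer, proxy)
    other_user = consume("bob", name, router, producer, proxy)
    return first, after_revocation, other_user, router.log


if __name__ == "__main__":
    print(demo())
```

In the returned log the data interest is answered from the router cache on every request after the first, while every access-structure interest goes to the proxy, which is exactly where the revocation check and any policy change are enforced.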

2.7.4 Computational requirements

ABE is significantly more costly in terms of computations than other common public-key encryption methods such as RSA. In [13] it is stated that an ABE operation is between 100 - 1000 times slower than those of RSA. This is often not a problem if the calculations are done on a workstation, but when mobile devices are considered the computational effort is one of the biggest issues as it is also related to energy consumption.

Two factors which have a large impact on the performance of ABE are the number of attributes in the policy and the security level. Both are dependent on the application, but [17] mentions that it is common to end up with quite complex access policies (i.e. many attributes) even in ordinary applications, and it is particularly true for access policies that contain integer comparison operators.

The computational effort needed for ABE operations scales linearly with the number of attributes in the system. Generally KP-ABE is faster than CP-ABE, especially for the algorithms key-generation and encrypt [12, 34].

2.7.5 ABE on resource constrained devices

The combination of ICN and the Internet of Things (IoT) is quite natural as many of the applications in IoT are sensors collecting data for some purpose. The sensor data is then shared across a network to users or other devices, and for this sharing to be efficient ICN is a good option. In case the data from the sensors contains private information one should enforce some access control to ensure that the information stays private. As already mentioned, ABE is a promising approach for access control in ICN without losing the efficiency properties of ICN. In an ideal situation one would like to perform the encryption at the source of the data before transmitting the data across the network. However, the IoT devices are limited in computational power and ABE is an expensive encryption type.

There are mainly two topics being discussed in research when considering ABE for resource constrained devices. These are ABE feasibility on mobile phones and ABE in sensor networks. When discussing feasibility of ABE on mobile phones the question is usually whether the run time is acceptable for a certain application rather than whether the computations are possible to perform at all, as mobile phones are not resource constrained devices in a strict sense. Sensors are truly resource constrained, with microprocessors having RAM sizes ranging from 20 kB (or even less) to 1 MB, in contrast to modern mobile phones having processors with several cores and RAM sizes of at least 512 MB.

Research regarding ABE feasibility on smartphones has been performed in [12, 34]. In [34] an evaluation of ABE on an Android smartphone is presented with an ABE implementation in Java. In the conclusions it is stated that the performance of ABE on mobile devices is too poor to be acceptable even for the lowest security level (mainly based on execution time). This conclusion is then questioned in [12], where the same measures are presented but for a C implementation on Android. This implementation is considerably faster and in the conclusions it is stated that ABE is definitely feasible on smartphones. However, the feasibility is dependent on the application as the ABE operations for the highest security levels require 1 second per attribute in the policy for the efficient C code.

Another idea which has been explored and presented in [17] is to outsource the decryption of ABE to the cloud to reduce the expensive computations needed for a resource constrained device. This greatly increases the performance of ABE on smartphones but it requires access to a third party cloud/proxy and an Internet connection. Furthermore, initiating or resuming a cloud session takes some time, which might make this less attractive depending on the application.

In research regarding ABE in sensor networks it is common to not consider actually performing the ABE operations on the sensor. Instead a common solution (with some variations) is for the sensor to share a symmetric key with a server which is capable of doing the ABE operations. Thus the sensor sends the data encrypted with symmetric key encryption to this powerful server. The server encrypts the data with ABE and publishes it to the network. This is the case in [30], where sensors monitoring people's health share a symmetric key with a more powerful device. Another similar idea is presented in [31], where the resource constrained nodes have unconstrained trusted neighbor nodes which can support them in their calculations.

The straightforward solution where the sensors perform the ABE operations is rarely discussed because of its questionable feasibility. The gain of performing ABE on the sensors is that if it is a multi-authority system, then there would be no trusted third party which can decrypt all the data that the sensor publishes to the network.

2.7.6 The low-level operations of ABE

There are several different implementations and schemes of ABE. In this project the CP-ABE scheme described in section 3, “Our Most Efficient Construction”, of [33] is implemented, and thus the operations described below are from that paper with some slight modifications to adapt it from a symmetric pairing scheme to an asymmetric pairing scheme:

Setup: The setup algorithm takes no input and chooses two groups $G_1$ and $G_2$ of prime order $p$ and two generators $g_1$ and $g_2$. In addition it chooses two random exponents $b, \alpha \in \mathbb{Z}_p$. The public key is published as

$PK = \{g_1,\; g_2,\; e(g_1, g_2)^{\alpha},\; g_1^{b},\; g_2^{b}\}$

and the master secret key is set as $MSK = \alpha$.

Keygen: The key generation algorithm takes the master secret key $MSK$ and a set of attributes $S$ as input. The algorithm first chooses a random $t \in \mathbb{Z}_p$ and then creates the private key as

$\text{User key} = \{K = g_2^{\alpha} g_2^{bt},\; L = g_2^{t},\; \forall x \in S : K_x = h_x^{t}\},$

where $h_x$ is the attribute string of attribute $x$ hashed to an element of $G_1$.

Encrypt: The encryption operation takes the public key $PK$, the message to encrypt and an access policy $A$ as input. The algorithm first chooses a random $s \in \mathbb{Z}_p$ and computes

$B = e(g_1, g_2)^{\alpha s}. \quad (8)$

$B$ is then hashed to a symmetric key of 128 bits and used to symmetrically encrypt the message. The access policy is then parsed to create an access tree. Shamir's secret sharing is used to embed the shares of the secret $s$ in the nodes of the access tree. This is done by treating AND-gates as an $n$ of $n$ secret sharing and OR-gates as a $1$ of $n$ secret sharing. The nodes of the access tree will have a unique number $i$ and a share $s_i$ associated with them. The algorithm also chooses random $r_1, \ldots, r_n \in \mathbb{Z}_p$. The ciphertext is published as

$CT = \{C = g_1^{s},\; C_i = g_1^{b s_i} h_i^{-r_i},\; D_i = g_2^{r_i}\},$

together with the access policy and the symmetrically encrypted message.
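The share handling of section 2.5 and of the Encrypt step above, as an added example that is neither the thesis' nor the [33] implementation's code: Lagrange basis polynomials at zero (eq. 6), a Shamir $k$ of $n$ split and reconstruction (eqs. 5 and 7), and the embedding of the secret in an access tree with AND-gates shared $n$ of $n$ and OR-gates $1$ of $n$, followed by the decrypt-side recovery from a satisfying attribute set. The modulus stands in for $\mathbb{Z}_p$ and is an arbitrary choice; the pairing and the blinding exponent $t$ are deliberately left out, so this is the plain secret sharing only.

```python
import secrets

# Constructed example: a prime field stands in for Z_p, the exponent field of the
# pairing groups. The modulus is the Mersenne prime 2^127 - 1 (an arbitrary choice).
P = 2**127 - 1


def lagrange_at_zero(xs, p=P):
    """ell_i(0) = prod_{j != i} x_j / (x_j - x_i) mod p for every x_i in xs (eq. 6)."""
    coeffs = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * xj % p
                den = den * (xj - xi) % p
        coeffs.append(num * pow(den, -1, p) % p)
    return coeffs


def split_secret(s, k, n, p=P):
    """Shamir k-of-n split: P(x) = s + a_1 x + ... + a_{k-1} x^{k-1} with random a_i,
    evaluated at x = 1..n (eq. 5). Returns the shares (x_i, P(x_i))."""
    coeffs = [s % p] + [secrets.randbelow(p) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for a in reversed(coeffs):  # Horner's rule
            y = (y * x + a) % p
        shares.append((x, y))
    return shares


def reconstruct(shares, p=P):
    """s = P(0) = sum_i P(x_i) ell_i(0) (eq. 7). Correct only with at least k shares;
    with fewer, the interpolated value is unrelated to s."""
    ls = lagrange_at_zero([x for x, _ in shares], p)
    return sum(y * l for (_, y), l in zip(shares, ls)) % p


# Access tree: a leaf is an attribute string, a gate is ("AND", ...) or ("OR", ...).
# AND gates are shared n-of-n, OR gates 1-of-n, as the Encrypt step describes.

def share_tree(node, secret, p=P):
    """Encrypt side: push `secret` down the tree; returns {attribute: share} for the
    leaves. Assumes every attribute occurs at most once in the policy."""
    if isinstance(node, str):
        return {node: secret}
    gate, children = node[0], node[1:]
    k = len(children) if gate == "AND" else 1
    leaves = {}
    for (_, y), child in zip(split_secret(secret, k, len(children), p), children):
        leaves.update(share_tree(child, y, p))
    return leaves


def recover(node, attrs, leaf_shares, p=P):
    """Decrypt side: return the node's share if `attrs` satisfies the subtree, else
    None. A child's x coordinate is its 1-based position under its gate, which is
    the x split_secret used for it."""
    if isinstance(node, str):
        return leaf_shares[node] if node in attrs else None
    gate, children = node[0], node[1:]
    got = [(x, recover(c, attrs, leaf_shares, p)) for x, c in enumerate(children, 1)]
    got = [(x, y) for x, y in got if y is not None]
    if gate == "AND":
        return reconstruct(got, p) if len(got) == len(children) else None
    return got[0][1] if got else None


# The policy of Figure 2 (attribute names from the text, secret value constructed).
POLICY = ("OR",
          ("AND", "Physician", "Hospital A"),
          ("AND", "Insurance company A", "Health Insurance Department"))


if __name__ == "__main__":
    s = secrets.randbelow(P)
    shares = share_tree(POLICY, s)
    print(recover(POLICY, {"Physician", "Hospital A"}, shares) == s)   # True
    print(recover(POLICY, {"Physician", "Hospital B"}, shares))        # None
```

Because the blinding is left out, the union of the two colluding users' attributes from section 2.7.1 (“Hospital B”, “Physician” plus “Hospital A”, “Nurse”) does recover $s$ here; that is exactly the weakness the per-key exponent $t$ in $K_x = h_x^{t}$ removes, since shares attached to different keys can then no longer be combined in the pairing.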

Decrypt: The decryption algorithm takes as input a ciphertext $CT$ for access policy $A$ and a user key for a set of attributes $S$. The Lagrange basis polynomials evaluated at zero, $\ell_i(0)$, are computed for the indices involved in $A$ by

$\ell_i(0) = \prod_{j \in A,\, j \neq i} \frac{x_j}{x_j - x_i}.$

The decryption algorithm computes

$\frac{e(C, K)}{\prod_{i \in A} \big( e(C_i, L)\, e(K_i, D_i) \big)^{\ell_i(0)}} \quad (9)$

which can be rewritten to

$\frac{e(g_1^{s},\; g_2^{bt} g_2^{\alpha})}{\prod_{i \in A} e\big((g_1^{b s_i} h_i^{-r_i})^{\ell_i(0)},\; g_2^{t}\big)\; e\big(h_i^{t \ell_i(0)},\; g_2^{r_i}\big)} \quad (10)$


by replacing the variables to express it more explicitly. (10) can be further rewritten by using the properties of bilinearity, which allow exponents to be interchanged since $e(g_1, g_2^{x}) = e(g_1^{x}, g_2)$:

$\frac{e(g_1, g_2)^{\alpha s}\, e(g_1, g_2)^{bst}}{\prod_{i \in A} e(g_1^{b s_i} h_i^{-r_i},\; g_2^{t})^{\ell_i(0)}\; e(h_i^{r_i},\; g_2^{t})^{\ell_i(0)}}. \quad (11)$

Additionally, using the property $e(R, T)\, e(S, T) = e(RS, T)$ yields

$\frac{e(g_1, g_2)^{\alpha s}\, e(g_1, g_2)^{bst}}{\prod_{i \in A} e(g_1^{b s_i},\; g_2^{t})^{\ell_i(0)}}. \quad (12)$

Since the only $i$-dependence is present in the exponent of the denominator it can be expressed as:

$\frac{e(g_1, g_2)^{\alpha s}\, e(g_1, g_2)^{bst}}{e(g_1, g_2)^{bt \sum_{i \in A} s_i \ell_i(0)}}. \quad (13)$

Recall the property of the Lagrange basis polynomials, $\sum_i s_i \ell_i(0) = L(0)$; thus it recreates the coefficient at zero, which is the secret $s$. Therefore (13) is:

$\frac{e(g_1, g_2)^{\alpha s}\, e(g_1, g_2)^{bst}}{e(g_1, g_2)^{bst}} = e(g_1, g_2)^{\alpha s}, \quad (14)$

which is equal to the element $B$ from (8). Thus, hashing (14) to a 128-bit symmetric key will yield the exact same symmetric key which was used during encryption.

The scheme relies on the Decisional Diffie-Hellman (DDH) assumption, which loosely states that no algorithm can efficiently distinguish between the tuples $\{g^a, g^b, g^{ab}\}$ and $\{g^a, g^b, g^c\}$ where $a$, $b$ and $c$ are chosen randomly [33]. If this assumption did not hold then the system would not be secure.


3 Software

3.1 QEMU

QEMU is emulation software which supports a wide spectrum of CPUs, including microprocessors. In this project it was used prior to acquiring hardware in order to see that the code compiled and fit into the flash of the target device. The time required for encryption in QEMU is significantly shorter than on the actual device. This is because QEMU aims at being as fast as possible in terms of emulation. Thus one cannot run QEMU and expect the same performance in terms of time. However, QEMU can be of use when determining feasibility. If the program runs in QEMU then it will most likely run on the actual device too, albeit slower. Additional information about QEMU can be found in [8].

3.2 Valgrind

Valgrind is a system for debugging and profiling Linux programs. Valgrind contains several tools which can be useful while debugging but is most famous for its heap profiler. In this project Valgrind is used to measure the RAM usage of different programs. This can be done by using Valgrind's tool massif, the heap profiler, together with the flag --stacks=yes [10].

3.3 Relic-toolkit

The relic-toolkit is a cryptographic meta-toolkit with emphasis on efficiency and flexibility. The relic-toolkit is used in the implementation in this project because of its platform flexibility, which includes support for Contiki and bare-metal applications. For more information about the relic-toolkit and the source code see [9].

3.4 The Functional Encryption Library

The functional encryption library (libfenc) is an open-source library that contains implementations of the KP-ABE scheme presented in [21] and a CP-ABE scheme presented in [33]. The authors of the functional encryption library made the library publicly available as their paper [11] was published. The paper evaluates their code on an iPhone 4. The functional encryption library is dependent on the GMP library [4] and the PBC library [7]. For additional information about libfenc and the source code see [3].


4 Hardware

4.1 Laptop

The laptop used in this project had an Intel Core i5-2410M CPU @ 2.30 GHz x 4 and a RAM size of 4 GB. The laptop runs Ubuntu 14.04. This laptop is from now on referred to as the laptop.

4.2 Sensor

The sensor used in this project is equipped with a STM32L151VCT6 microcontroller, which has an ARM Cortex-M3 core with 256 kB flash and 32 kB RAM. The sensor has no operating system, which is referred to as bare-metal. This sensor is from now on referred to as the sensor.


5 Schemes

5.1 Scheme discussion

KP-ABE is the older of the two types of ABE, presented for the first time in [16] in 2006. Shortly after, the paper introducing CP-ABE was published in [14] in 2007. In KP-ABE the attributes describe the encrypted object and the private keys are policies based on these attributes. In CP-ABE the attributes describe the users in the system and the encrypted objects are encrypted according to policies based on these attributes. An example of CP-ABE is presented in Figure 3 and an example of KP-ABE is presented in Figure 4, both of them being in a school context. In the CP-ABE example the file is encrypted such that only teachers at a particular school can open it. In the KP-ABE example it is not trivial to determine who the recipient is; instead the attributes describe the file, and in this case one could imagine that the file is Jan Janson's grades and he is a student in class 9A at school A. CP-ABE is in a sense more intuitive than KP-ABE, at least seen from the encryptor's point of view. By describing the users who may access the content the encryptor knows what attributes the recipients have. In contrast, in KP-ABE it is non-trivial to determine who has access, and therefore the responsibility for access control lies more with the authority issuing the keys than with the encryptor.

In Figure 5 one can see the time required for encryption for KP-ABE and CP-ABE on the laptop using the KP-ABE implementation [6] and the CP-ABE implementation [1]. It is clear that the encryption operation of KP-ABE is faster than the encryption operation of CP-ABE. Moreover, in Figure 6 the RAM requirements of KP-ABE and CP-ABE on the laptop can be seen as a function of the number of attributes. Considering both these figures it is clear that KP-ABE is computationally cheaper than CP-ABE, both in terms of encryption time and RAM usage. The results displayed in the two figures are consistent with the results presented in [34, 12].

Figure 3: An example of CP-ABE.

Figure 4: An example of KP-ABE.


Figure 5: The encryption time of CP- and KP-ABE on the laptop as a function of the number of attributes.

Figure 6: The RAM usage of CP- and KP-ABE on the laptop as a function of number of attributes.

With the knowledge of KP-ABE being computationally cheaper it is worthwhile considering using KP-ABE if it is viable in the current application. However, this might be inconvenient for the users performing encryption as the access control is shifted more heavily towards the authorities. If this is acceptable in the considered application then KP-ABE is preferable in terms of computations, but if it is not acceptable then one might still want to utilize the knowledge of KP-ABE being more lightweight than CP-ABE.

5.2 Simulated CP-ABE

A trivial way of trying to imitate CP-ABE with KP-ABE would be to tag the encrypted object with attributes that describe the intended recipients, such as Teacher and Parent. However, this tagging is ambiguous: should any teacher be able to decrypt the file, or is it only users being both a teacher and a parent that should be able to decrypt? Intuitively a user that is a teacher should be able to decrypt an object only tagged with Teacher, thus the private key policy must contain a segment which allows decryption if the Teacher attribute is tagged. However, having such a part in the private key policy makes it impossible to enforce policies such as Parent AND Teacher, because as long as the object is tagged with the Teacher attribute decryption is possible. Therefore this scheme does not achieve the same expressiveness as CP-ABE; tagging an encrypted object with Teacher, Parent effectively results in the policy Teacher OR Parent. Regardless of the number of attributes the object is tagged with they will be combined with OR, thus having one of these attributes is sufficient to decrypt. This means it is essentially group encryption and that is why it will be referred to as “group KP-ABE”. Group encryption can also be achieved in a simple way by using RSA, where a group is assigned a public key and each member of that group has the corresponding private key. Thus group KP-ABE is an expensive way of performing group encryption as it already exists in less computationally expensive forms; employing group KP-ABE is not beneficial as it comes with the cost of KP-ABE but only the expressiveness of normal group encryption.

In [23] a more elaborate way to “simulate” CP-ABE with KP-ABE is presented. This is done by specifying a certain structure of the key policies. In the paper it is introduced because they already employ KP-ABE in the system to encrypt personal health records among physicians, but they also want to allow the patient owning the personal health record to share it in an easy and expressive way with e.g. family or an insurance company. For the purposes of user sharing CP-ABE is more convenient than KP-ABE, therefore they introduce a method of mimicking CP-ABE with KP-ABE, which is referred to as “simulated CP-ABE” from now on. In their paper the purpose of simulated CP-ABE is solely user convenience and not potential performance gains. Employing simulated CP-ABE might potentially decrease the cost of encryption while maintaining the intuitive way of using CP-ABE, at the cost of expressiveness.

The simulated CP-ABE system is constructed in the following way: all private keys' policy structure will be the same, and the general structure is shown in Figure 7. The top level AND gate is between different authorities. The second level AND gate is between different attribute types within this authority. The third level OR gate is between attributes of this attribute type. In every attribute type there will exist a wildcard attribute “∗” which every user in the system will have regardless of clearance level. The wildcard attribute is helpful for the encryptor to specify “do not care about this attribute type”.

Figure 7: The policy structure of the private keys to simulate CP-ABE with KP-ABE. In the image 11 indicates that it is from authority 1 and attribute type 1.

Examples of possible authorities could be Ericsson, Uppsala University (UU) or the Swedish Institute of Computer Science (SICS). Different attribute types which Ericsson could have would be position, department and other attributes. Among the type position there could be the following attributes: developer, manager, thesis student and ∗_{Ericsson, position} (the wildcard attribute for authority Ericsson, attribute type position). When encrypting in this system the encryptor must specify at least one attribute from every attribute type there is. If one attribute type is not relevant for a certain policy then the wildcard attribute of that type needs to be specified when encrypting.

An example of the general structure of the private keys in a simulated CP-ABE system is shown in Figure 8. In this example only one authority is considered, so the structure has only two levels: the first AND gate is between the attribute types, which here are position and department, and the second-level gate is an OR gate between the attributes within one attribute type. Everybody in the system holds at least the two wildcard attributes ∗1 and ∗2. To encrypt a file to any developer in the network department, the ciphertext is tagged with network, developer, which enforces the policy network AND developer. To encrypt a file to anyone at the video department, the file is tagged with ∗1, video, which enforces the policy video. To encrypt a file to everyone working at the network or the video department, the ciphertext is tagged with network, video, ∗1, which enforces the policy network OR video.

The expressiveness is limited: for example the policy video OR manager cannot be achieved with the private key structure shown in Figure 8, because the OR gates sit below the AND gate between attribute types, so an OR across two different types is not expressible. Some OR policies are possible, e.g. network OR video, which lies within a single attribute type. One therefore has to be careful when constructing the general structure of the private keys so that all desired policies can actually be achieved.

Figure 8: An example of how the general structure of the private keys in simulated CP-ABE could look.

For certain systems this might be computationally cheaper than CP-ABE while maintaining an intuitive way of specifying the policy. Simulated CP-ABE can be beneficial in systems where the CP-ABE policies are consistently of about the same size in terms of number of attributes. A further benefit is that it requires no knowledge of the underlying computations to implement, although the construction may be cumbersome. Thus, if a KP-ABE implementation is available, anyone with a basic knowledge of the high-level concepts of KP-ABE can implement the simulated CP-ABE scheme.

The drawback of this scheme is that it scales poorly. Every encrypted object is encrypted with at least as many attributes as there are attribute types in the system, because if an attribute type is not required the wildcard of that type must be specified during encryption. This would be disastrous if the system had 1000 attribute types and the desired policy only required 3 of them: an overhead of 997 attributes when encrypting. It also limits flexibility, as all private keys must have the same principal structure. These two properties indicate that the scheme would not work on a global scale; it is suited for systems with a limited number of authorities and attribute types.
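
The following is an added example, not code from the thesis or from [23]. It models the simulated CP-ABE construction of Figure 8 at the level of the KP-ABE decryption predicate: a key opens a ciphertext exactly when the key policy is satisfied by the attribute set the ciphertext was tagged with, so the fixed key structure (AND over attribute types, OR over the attributes of that type plus the wildcard) can be checked against tag sets without any cryptography. The attribute universe, the user set and the policy predicates are constructed; the brute-force search in expressible() is my own way of showing which policies the structure can and cannot represent.

```python
# Added example (not from the thesis): KP-ABE decryption semantics reduced to
# policy evaluation, used to check what the fixed key structure of simulated
# CP-ABE can and cannot express. No cryptography is performed; in KP-ABE a key
# decrypts a ciphertext exactly when the key policy is satisfied by the set of
# attributes the ciphertext was tagged with, and that predicate is all that is
# needed here. Authority, type and attribute names are constructed.
from itertools import product

# One authority, as in Figure 8: two attribute types, each with a wildcard.
ATTRIBUTE_TYPES = {
    "position":   {"developer", "manager", "thesis_student"},
    "department": {"network", "video", "research"},
}
WILDCARD = {t: "*" + t for t in ATTRIBUTE_TYPES}   # *position, *department


def key_policy(user_attributes):
    """Fixed key structure for one user: AND over attribute types,
    OR over the attributes of that type the user holds plus the wildcard."""
    policy = []
    for atype, universe in ATTRIBUTE_TYPES.items():
        held = {a for a in user_attributes if a in universe}
        policy.append(held | {WILDCARD[atype]})   # one OR clause per type
    return policy                                  # the clauses are ANDed


def key_satisfies(user_attributes, ciphertext_tags):
    """KP-ABE decryption predicate: every AND branch (attribute type) needs
    at least one of its OR leaves among the ciphertext's attribute tags."""
    tags = set(ciphertext_tags)
    return all(clause & tags for clause in key_policy(user_attributes))


def tags_for_policy(wanted):
    """Encryptor side. `wanted` maps attribute type -> allowed attributes
    (missing or empty means 'do not care'). Every type must be tagged, which
    is the overhead discussed in the text: unused types carry the wildcard."""
    tags = set()
    for atype in ATTRIBUTE_TYPES:
        allowed = wanted.get(atype, set())
        tags |= allowed if allowed else {WILDCARD[atype]}
    return tags


def all_users():
    """Every combination of one position and one department."""
    return [{p, d} for p, d in product(ATTRIBUTE_TYPES["position"],
                                       ATTRIBUTE_TYPES["department"])]


def reachable(tags):
    """Users (as frozensets) whose keys open a ciphertext tagged with `tags`."""
    return {frozenset(u) for u in all_users() if key_satisfies(u, tags)}


def expressible(predicate):
    """Is there any tag set whose reachable user set equals the users picked
    out by `predicate`? Brute force over all tag sets; the universe is small."""
    target = {frozenset(u) for u in all_users() if predicate(u)}
    leaves = [a for s in ATTRIBUTE_TYPES.values() for a in s] + list(WILDCARD.values())
    for mask in range(1, 2 ** len(leaves)):
        tags = {a for i, a in enumerate(leaves) if mask >> i & 1}
        if reachable(tags) == target:
            return True
    return False


if __name__ == "__main__":
    # network AND developer, and video (the position wildcard must be tagged)
    print(tags_for_policy({"department": {"network"}, "position": {"developer"}}))
    print(tags_for_policy({"department": {"video"}}))
    # network OR video stays inside one type; video OR manager crosses two types
    print(expressible(lambda u: "network" in u or "video" in u))
    print(expressible(lambda u: "video" in u or "manager" in u))
```

The reason video OR manager fails is visible in reachable(): whatever the tags, the set of users that can decrypt is always a product "allowed positions × allowed departments", and the union of a column and a row is not such a product. Any policy one wants to express with this structure must be checked the same way before the key structure is fixed.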


6 System

6.1 System overview and scenario

In Figure 9 a conceptual image of the considered system is shown, where the sensors gather sensitive data. The data is sent to a gateway which forwards it to the ICN network. Since the data is sensitive it must be encrypted to protect it from unauthorized users. The gateway is not a trusted entity and therefore the encryption must take place at the sensor. To fully utilize the caching capabilities of the ICN network, ABE is employed. This is a problem since ABE is costly in terms of computation and the sensors are resource constrained.

Figure 9: A conceptual image of the system considered

6.2 Proposals

Two proposals are made for how ABE can be applied in such a system. In Figure 10 the same system is shown with the authority added, which is a necessary entity for ABE to work. The arrows represent communication; the dotted arrows are only present in proposal I and are therefore not always needed. Both proposals employ ABE, but they differ in where the ABE operations are performed. In the first system, authority ABE, the sensors do not perform any ABE operations; in the second, the sensor ABE system, the sensors perform the ABE operations themselves. The first system works for any sensor capable of symmetric encryption, whereas the second requires a more powerful sensor. Neither of these systems is novel. The first system (with some variations) is what is typically used when ABE is considered in systems with resource constrained devices. The second system is the straightforward way of applying ABE on a sensor, but it is rarely considered due to its questionable feasibility. Both systems are agnostic to which ABE scheme is employed, i.e. they can use any of the ABE schemes described in section 5.

Figure 10: A conceptual image of the system with an authority included.

6.2.1 Proposal I - Authority ABE

In this system the sensor and an authority share a symmetric key, indicated by the bottom left dotted arrow in Figure 10. The sensor encrypts the data under the symmetric key and publishes the encrypted data to the network through the gateway. The sensor never publishes the symmetric key. The authority then encrypts the symmetric key with ABE under the desired policy and publishes this encrypted key to the network, represented by the bottom right dotted arrow in Figure 10. The encrypted data from the sensor should include an identifier of the symmetric key so that users requesting the encrypted data can also request the encrypted key. To access the data from the sensors a user must successfully decrypt the symmetric key.

The advantage of this system is that the sensors only need to perform symmetric encryption, which is a cheap operation, regardless of the policy. Thus the work load of the sensor is small and constant.

The biggest drawback of this system is that the authority, which shares the symmetric key with the sensor, can decrypt any message the sensor publishes: the gateway is kept untrusted, but the authority must be trusted with all sensor plaintext. The system also requires end-to-end communication between sensor and authority.

6.2.2 Proposal II - Sensor ABE

If the sensors are powerful enough to perform ABE operations, proposal I can be reduced by excluding the authority from the encryption. In this system the sensor performs the encryption single-handedly. This is illustrated by Figure 10 with the dotted arrows removed, i.e. the sensor gathers data, encrypts it under ABE and publishes it to the network. The only purpose of the authority in this system is to provide the users in the network with private keys.

The advantage of this system is that it requires no end-to-end communication between authority and sensor. Additionally, if the ABE system is multi-authority, there is no single third party that can decrypt all the data.

The drawback is the computational requirement on the sensors, which limits the feasibility of the system. The computations on the sensor will naturally be slower than on a more powerful server, which can be an issue if time is an important factor. However, it is reasonable to believe that the sensor will encrypt under the same access policy repeatedly (as it will most likely gather the same type of data for long periods of time); then the sensor does not have to ABE-encrypt every data object it publishes. Instead it performs the ABE encryption once, for the first data object, and then uses the same symmetric key for a certain amount of time. This way the sensor only has to perform ABE encryption when refreshing the symmetric key used to encrypt the data.
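
The key-reuse strategy just described, as an added example that is not part of the thesis or its implementation. The sensor encapsulates a fresh data-encryption key (DEK) with ABE only at the start of an epoch and encrypts every object of that epoch under the DEK, carrying a key identifier so that a consumer can fetch the matching wrapped key (the same identifier the text asks for in proposal I). Everything below is my assumption: the ABE encapsulation is a caller-supplied callable (here one that only counts calls, where the thesis's relic-based CP-ABE encryption would sit), epochs are bounded by an object count rather than by time, and the symmetric layer is a stand-in built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, because the Python standard library has no AEAD; a deployment would use AES-GCM or ChaCha20-Poly1305 with the same nonce discipline.

```python
# Added example (not from the thesis): proposal II with one ABE encapsulation
# per key epoch and symmetric encryption per object. The ABE step is a
# caller-supplied callable (a counting stand-in here); the symmetric layer is
# a constructed stand-in for an AEAD (HMAC-SHA256 keystream + HMAC tag).
import hashlib
import hmac
import secrets
import struct


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256; stand-in for a real cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def dem_encrypt(dek, nonce, plaintext):
    """Encrypt-then-MAC under the DEK. The 12-byte nonce must never repeat
    for the same DEK, which is what the epoch || counter scheme guarantees."""
    ks = _keystream(dek, nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(dek, b"tag" + nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag


def dem_decrypt(dek, blob):
    """Verify the tag in constant time, then strip the keystream."""
    nonce, body, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(dek, b"tag" + nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(dek, nonce, len(body))))


def tamper_detected(dek, blob):
    """True if flipping one bit of the tag makes dem_decrypt reject the object."""
    bad = blob[:-1] + bytes([blob[-1] ^ 1])
    try:
        dem_decrypt(dek, bad)
        return False
    except ValueError:
        return True


class Sensor:
    """Proposal II publisher: ABE once per epoch, symmetric per object."""

    def __init__(self, abe_encapsulate, policy, objects_per_epoch):
        self.abe_encapsulate = abe_encapsulate   # callable(policy, dek) -> wrapped DEK
        self.policy = policy
        self.objects_per_epoch = objects_per_epoch
        self.epoch, self.counter, self.dek = -1, 0, None
        self.published_keys = {}                 # key_id -> ABE ciphertext of the DEK

    def _rotate(self):
        """Start a new epoch: fresh DEK, one expensive ABE encapsulation."""
        self.epoch += 1
        self.counter = 0
        self.dek = secrets.token_bytes(32)
        key_id = struct.pack(">Q", self.epoch)
        self.published_keys[key_id] = self.abe_encapsulate(self.policy, self.dek)

    def publish(self, data):
        """Return (key_id, blob); key_id lets a consumer fetch the wrapped DEK."""
        if self.dek is None or self.counter >= self.objects_per_epoch:
            self._rotate()
        # epoch || counter never repeats under one DEK, and the epoch prefix
        # keeps nonces distinct even though the counter restarts on rotation.
        nonce = struct.pack(">QI", self.epoch, self.counter)
        self.counter += 1
        return struct.pack(">Q", self.epoch), dem_encrypt(self.dek, nonce, data)


def run(n_objects, objects_per_epoch):
    """Publish n_objects readings; return (number of ABE operations performed,
    whether every nonce was unique, whether the last object decrypts)."""
    calls = []

    def counting_abe(policy, dek):            # stand-in for CP-ABE key wrapping
        calls.append(policy)
        return b"<abe ciphertext of the dek>"

    sensor = Sensor(counting_abe, "network AND developer", objects_per_epoch)
    nonces, last = set(), None
    for i in range(n_objects):
        key_id, blob = sensor.publish(b"reading %d" % i)
        assert key_id in sensor.published_keys
        nonces.add(blob[:12])
        last = blob
    ok = dem_decrypt(sensor.dek, last) == b"reading %d" % (n_objects - 1)
    return len(calls), len(nonces) == n_objects, ok
```

With the thesis's own estimate of 1 + 2·n_attr seconds per ABE encryption, publishing 1000 objects with a 100-object epoch costs ten ABE encryptions instead of a thousand; the price is that every object of an epoch is exposed if that one DEK leaks, so the epoch length is a security parameter as much as a performance one.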


7 Implementation

In this project an implementation of CP-ABE which runs bare-metal on microprocessors has been written. The implementation is based upon the functional encryption library (libfenc) for CP-ABE, but rewritten to remove the dependence on GMP and PBC and instead use the relic-toolkit. The GMP and PBC libraries are not directly applicable to Contiki and bare-metal applications, although it may be possible to adapt them. The relic-toolkit, however, officially supports Contiki and bare-metal applications, which is why it was the preferred choice.

Rewriting libfenc mainly required changing the computational parts of the library. Some parts of the PBC library do not have an exact counterpart in the relic-toolkit, thus requiring more than just replacing a function call. The CP-ABE scheme description in [33] uses multiplicative notation, and so does the PBC library, whereas the relic-toolkit uses additive notation for the elliptic curve groups G1 and G2 (point addition and scalar multiplication) and multiplicative notation only for GT.

The relic-toolkit and PBC both use function calls where the first argument is where the result of the operation is stored, i.e. for the call func(c, a, b) the operation is performed on a and b and the result is stored in c. If func is the addition operation, the call func(c, a, b) computes c = a + b. In the relic-toolkit the call func(a, a, b) is allowed and computes a = a + b, but that sort of in-place overwriting is not allowed in PBC.

The PBC library has a single type, element_t, which is used regardless of whether the element belongs to Zp, G1, G2 or GT. In this sense the relic-toolkit has more intuitive naming of the types, where fp_t is an element of Zp, g1_t is an element of G1, g2_t is an element of G2 and gt_t is an element of GT. The authors of libfenc put effort into naming their variables by appending Z, ONE, TWO or T to the variable name to indicate which group it belongs to. This naming convention is useful, but some functions accept any group element as input and proceed to call general functions such as element_to_hash() which work regardless of which group the element actually belongs to. With the relic-toolkit these general functions had to be replaced by one function per group element type.

The implementation achieves a 128-bit security level by using the pairing-friendly elliptic curve BN_P256 of the relic-toolkit.

In the description of the CP-ABE scheme in [33] (which the implementation is based on), it is stated that the prime order of the elliptic curve groups G1, G2 and GT should be the same as the prime order of the finite field Zp. A curve whose group order equals the characteristic of the base field is anomalous, which is a weak class of curves: the discrete logarithm problem on such a curve can be solved much more efficiently than on a general curve [20]. Most likely [33] is written this way to relieve the reader of unnecessarily complex expressions and focus on the scheme itself. libfenc is written as if this were the case, i.e. as if the prime order of the elliptic curve groups were the same as that of the finite field. This is not the case for the curve BN_P256 of the relic-toolkit, and the difference matters when the secret is reconstructed. If n is the prime order of G1, G2 and GT and p is the prime order of Zp, then the secret must be shared, and the Lagrange basis polynomials computed, in the finite field of n elements (Zn), because the secret reconstruction takes place in the exponent of the elliptic curve group elements and exponents are only defined modulo n. Using p instead of n gives a reconstruction that silently produces a wrong group element, so decryption fails even for a satisfying key.
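
An added example, not from the thesis or libfenc, of the reconstruction step and of what goes wrong when the Lagrange coefficients are reduced modulo the wrong prime. The pairing groups are replaced by a constructed toy: the subgroup of prime order n = 101 inside the multiplicative group of Z_607 (607 = 6·101 + 1, and g = 64 = 2^6 has order 101), so "the exponent" is an element of Z_101 while 607 plays the role of the other prime p. Shares are ordinary Shamir shares over Z_n; the decryptor only sees g raised to each share, exactly as in the ABE setting, and must combine them with coefficients λ_i taken modulo n.

```python
# Added example (not from the thesis): Shamir reconstruction "in the exponent",
# showing that the Lagrange coefficients must be computed modulo the group
# order N, not modulo the other prime Q. Constructed toy group: the order-101
# subgroup of Z_607^*, generated by 64 (607 is prime, 606 = 6 * 101, 64 = 2^6).
Q = 607   # modulus of the ambient group; stand-in for the base-field prime p
N = 101   # prime order of the subgroup <G>; exponents are elements of Z_N
G = 64    # generator of the order-N subgroup


def share(secret, threshold, n_shares, coeffs):
    """Shamir shares of `secret` over Z_N with fixed polynomial coefficients
    coeffs = [a_1, ..., a_{threshold-1}]; shares are (x, f(x)) for x = 1..n_shares."""
    assert len(coeffs) == threshold - 1

    def f(x):
        return (secret + sum(a * pow(x, i + 1, N) for i, a in enumerate(coeffs))) % N

    return [(x, f(x)) for x in range(1, n_shares + 1)]


def lagrange_at_zero(xs, modulus):
    """Lagrange basis coefficients lambda_i for interpolating f(0) from the
    evaluation points xs, reduced modulo `modulus`. Only modulus == N is correct
    when the coefficients are later used as exponents of group elements."""
    lams = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % modulus
                den = den * (xi - xj) % modulus
        lams.append(num * pow(den, -1, modulus) % modulus)
    return lams


def reconstruct_in_exponent(exp_shares, modulus):
    """Given (x_i, G^{f(x_i)}) for a threshold of shares, compute
    prod_i (G^{f(x_i)})^{lambda_i}. Correct result is G^{f(0)} = G^{secret}."""
    xs = [x for x, _ in exp_shares]
    lams = lagrange_at_zero(xs, modulus)
    acc = 1
    for (_, y), lam in zip(exp_shares, lams):
        acc = acc * pow(y, lam, Q) % Q
    return acc


def demo(secret=5):
    """Returns (G^secret, reconstruction with coefficients mod N,
    reconstruction with coefficients mod Q). Only the first two agree."""
    shares = share(secret, threshold=3, n_shares=4, coeffs=[7, 3])
    # What a decryptor sees: the shares hidden in the exponent.
    exp_shares = [(x, pow(G, y, Q)) for x, y in shares[:3]]
    return (pow(G, secret, Q),
            reconstruct_in_exponent(exp_shares, N),
            reconstruct_in_exponent(exp_shares, Q))


if __name__ == "__main__":
    print(demo())
```

With the numbers above the correct coefficients are (3, 98, 1) in Z_101; reducing modulo 607 instead gives (3, 604, 1), and since 604 is not congruent to 98 modulo 101 the product lands on G^36 rather than G^5. In the real implementation the same mistake is invisible in the field arithmetic and only shows up as a decryption that never matches.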

In a bare-metal application there is no built-in support for the C calls malloc() and free(), as memory allocation is usually handled by the operating system. The code in the libfenc library was therefore rewritten to avoid dynamic memory allocation as far as possible. However, when constructing the access tree at the beginning of the encryption algorithm it is hard to avoid some kind of dynamic memory allocation. Therefore a naive implementation of malloc() and free() was written and used where the dynamic allocation could not be changed to static allocation. The naive implementation can be seen in Listing 2. As one can see free() is not implemented, which is the main reason to refrain from using this naive dynamic memory allocation unless it is absolutely necessary.

Listing 2: A naive implementation of malloc() and free().

    #include <stdint.h>
    #include <stdio.h>

    uint8_t heap[HEAPSIZE] = {0};   /* global byte array used as the heap        */
    int heapInd = 0;                /* global int, index of the first free byte  */

    uint8_t *naive_malloc(int bytes)
    {
        if ((heapInd + bytes) > HEAPSIZE) {
            printf("Allocation failed: No heap memory left!\n");
            return NULL;
        } else {
            /* hand out the bytes starting at the current index, then advance
             * the index past them, so consecutive blocks do not overlap */
            uint8_t *block = &(heap[heapInd]);
            heapInd += bytes;
            return block;
        }
    }

    void naive_free(uint8_t *val)
    {
        /* Do nothing: memory is never reclaimed */
        (void)val;
    }

Another property of a bare-metal application is that there is no file system. Therefore the implementation has the public parameters of the system hard-coded, but it is possible to change it to read the public parameters as a byte array. Encryption is done by generating a symmetric key and encrypting the data (in the form of a byte array) with this key. The ciphertext, which contains the information needed for decryption, is also in the form of a byte array. In a real application this ciphertext byte array and the encrypted data would be transmitted over the network, but in this project the ciphertext byte array has been printed to the terminal instead, in order to verify the computations of the sensor and make sure decryption is possible.


8 Results

8.1 Sensor performance

In Table 2 the average run time of the main ABE operations on the laptop and the sensor is shown. Note in particular that randomizing an element in G1, G2 or GT is a significant operation, requiring almost as much time as an exponentiation in the respective group. The sensor is also slower than the laptop by a factor of roughly 150 to 300 for all operations, which is an expected result.

Table 2: The execution time of the main cryptographic operations on the laptop and the sensor.

    Operation              Time on laptop [s]   Time on sensor [s]
    rand. element in G1    7.7 · 10^-4          0.12
    rand. element in G2    4.7 · 10^-3          1.12
    rand. element in GT    5.6 · 10^-3          0.90
    exp. in G1             1.2 · 10^-3          0.22
    exp. in G2             3.6 · 10^-3          1.16
    exp. in GT             1.1 · 10^-2          2.05
    mul. in G1             5 · 10^-6            8 · 10^-4
    mul. in G2             1.4 · 10^-5          3.9 · 10^-3
    mul. in GT             4.3 · 10^-5          0.01

In Figure 11 the time needed for encryption at the sensor is shown as a function of the number of attributes in the policy. The line is not smooth because the resolution of the time measurements on the sensor is one second. If the bumps are smoothed out, the trend is linear in the number of attributes, which is what is expected. Adding an attribute to the policy adds between 1 and 2 seconds to the encryption time. For one attribute it takes 3 seconds, so there is also a fixed overhead of about 1 second. A pessimistic approximation of the encryption time is therefore enc_time ≈ 1 + 2 · n_attr seconds. The policy size ranges from 1 to 12 attributes; the upper limit is set because the sensor does not have sufficient RAM for larger policies.

Figure 11: The encryption time of CP-ABE on the sensor as a function of number of attributes.

In Figure 12 the RAM usage as a function of the number of attributes is shown. The RAM measurements were taken with Valgrind on the laptop. Even though the laptop and the sensor have different instruction sets it is reasonable to believe that the laptop RAM usage is representative of the sensor RAM usage. This reasoning is based on the fact that the sensor, which has 32 kB of RAM, could not perform encryption for policies of 13 attributes, which on the laptop required slightly below 32 kB of RAM.

Figure 12: The RAM usage on the laptop as a function of number of attributes.

The ciphertext, which is the additional overhead of an ABE-encrypted message, consists of n + 1 g1_t elements, n g2_t elements, the policy string and a list of the attributes, where n is the number of attributes in the policy. In the relic-toolkit there are functions to compress elements of g1_t and g2_t, and these can be used to reduce the message overhead. In Figure 13 the ciphertext size in bytes is shown as a function of the number of attributes in the encryption policy. There are four lines in the figure, each corresponding to a different combination of the methods for reducing the ciphertext size.

One of these methods is the built-in compression of the relic-toolkit. Compressing the ciphertext introduces two new operations, pack() and unpack(). pack() is fast and adds a negligible overhead to the serialization function. unpack() significantly slows down deserialization. Deserialization is not part of the encryption operation, so the sensors are not affected by this overhead. Additionally, deserialization is a minor part of the decryption algorithm, so it does not noticeably affect the decryption time. It is therefore preferable to compress the ciphertext.

The ciphertext structure contains the elements, a policy string and an attribute list. The attribute list is needed during the computations but it can be derived from the policy string. Therefore, to reduce the ciphertext size, one can omit the attribute list from the serialization. This reduces the time required for serialization but, as serialization is a minor operation, the impact on encryption time is negligible. However, it forces the decryptor to reconstruct the attribute list from the policy. This reconstruction adds a negligible overhead to the decryption algorithm.


Figure 13: The ciphertext size in bytes for the different size-reduction techniques as a function of the number of attributes.


9 Discussion

9.1 System proposals and schemes

In the sensor ABE system one of the listed benefits is that there is no single third party that can decrypt all the data in a multi-authority scenario. This does not hold if the policy can be satisfied by attributes from only one of these authorities, as the system is then essentially reduced to a single-authority system for that policy. Therefore the best case in terms of security is when attributes from several different authorities are needed to satisfy a policy.

In the authority ABE system the authority is considered a powerful entity and should have no problem performing the computations of CP-ABE. Therefore, in the authority ABE system it is less interesting to look into alternative schemes that limit expressiveness and flexibility to reduce computational requirements. However, if it is suitable to employ KP-ABE in the system then it is also beneficial to do so from a computational point of view, but simulated CP-ABE is far less interesting for a computationally powerful system.

In the sensor ABE system, where the resource constrained sensors perform the encryption, all options may be of interest. The first question to consider is whether KP-ABE is a viable choice; if so it is the most beneficial scheme to employ in terms of computation. If CP-ABE is preferred for the system, one has to compare simulated CP-ABE and CP-ABE. Simulated CP-ABE is beneficial if the system contains a limited number of authorities and the policies are of about the same size in terms of number of attributes. Otherwise the CP-ABE scheme is better; additionally, the CP-ABE scheme does not limit the flexibility of policies in the system.

9.1.1 Simple CP-ABE

In the paper where libfenc is introduced, three different schemes are evaluated [11]. These are a KP-ABE scheme referred to as LSW (KP) in the paper and two CP-ABE schemes referred to as WCP (CP) and WSCP (CP-lite). The released version of libfenc only supports two of these three schemes, WCP and LSW. The missing scheme, WSCP, has the limitation that an attribute can only appear once within a policy, so it is slightly limited in expressiveness. The interesting part of this scheme is that it is significantly faster than the WCP scheme and also than the LSW scheme, which is a KP scheme; this can be seen in Figure 14 (copied from [11], where it is Figure 6). There are no measurements of RAM usage in [11], and because the public implementation is incomplete no such measurement is available.

The expressiveness limitation is small compared to the performance gain of WSCP, at least in terms of time. A reasonable, slightly pessimistic assumption is that it requires as much RAM as the ordinary WCP scheme; even so it would still be a better choice than WCP. More information about the RAM usage is needed to draw further conclusions, but this scheme is definitely of interest. The issue is that the information provided in the paper [11] and on the website for libfenc [3] differ on where the WSCP scheme can be found, and it cannot be found in any of the given papers.

Even if this scheme cannot be located, it indicates that even more efficient schemes might be available which do not compromise expressiveness to a large extent. This is a promising area to look further into for CP-ABE at the sensors.


Figure 14: The encryption times of the implementations presented in [11]; note that the scales of the y-axes differ. (This figure is copied from [11], where it is Figure 6.)

9.2 Implementation

In the GMP library there is a part called mini-gmp, a scaled-down version of GMP intended for applications where the full GMP library is not viable. However, the PBC library depends on parts of GMP which are not in mini-gmp; it might still be possible to add these parts from GMP to mini-gmp if one wants to use PBC rather than the relic-toolkit.

The implementation has room for improvement. In particular there exists a library for the sensor which utilizes built-in hardware support for some cryptographic operations. Using this library could potentially reduce the time needed for encryption and should therefore be investigated further.

Additionally, it could be interesting to add support for KP-ABE in the implementation and perform experiments comparing CP-ABE and KP-ABE. This would be useful for applications where both CP-ABE and KP-ABE are viable choices. Furthermore, an implementation of KP-ABE would enable measurements and analysis of the simulated CP-ABE scheme as well.

The current implementation only supports a security level of 128 bits, which is considered quite high. In some applications a lower security level might suffice, e.g. 112-bit security. Lowering the security level reduces both encryption time and RAM usage [12], essentially making larger policies viable.

The two methods for reducing the ciphertext size are cheap and reduce the size significantly, so it is recommended to use both of them. Both methods are supported in the implementation, but the option of not compressing the elements exists as well.

The size of the ciphertext also depends on the security level, as the elements of the ciphertext shrink when the security level is reduced. At 128-bit security a g1_t element requires 65 bytes unpacked or 33 bytes packed, and a g2_t element requires 129 bytes unpacked or 65 bytes packed. At 112-bit security a g1_t element requires 57 bytes unpacked or 29 bytes packed, and a g2_t element requires 113 bytes unpacked or 57 bytes packed. In general a security level of x bits is achieved with a prime field of 2x bits, i.e. prime field elements of 2x/8 = x/4 bytes. A g1_t element consists of 2 prime field elements unpacked or 1 prime field element packed, and a g2_t element of 4 prime field elements unpacked or 2 packed, in each case plus one additional byte. This reproduces the figures above: for x = 128 the field element is 32 bytes, giving 2·32 + 1 = 65, 32 + 1 = 33, 4·32 + 1 = 129 and 2·32 + 1 = 65 bytes; for x = 112 it is 28 bytes, giving 57, 29, 113 and 57 bytes.


9.3 Results

As mentioned earlier, multi-authority (MA) ABE is where the gain of performing the ABE operations on the sensors is largest, as the trusted third party is removed. In general, MA systems increase the complexity of the encryption and decryption operations. It is still likely that these operations are feasible on sensors of the type used in this thesis project, but future work could include investigating the performance of MA-ABE encryption on this sensor.

In the current encryption time tests the resolution of the measurements is one second, which is poor. It suffices to give an idea of the running time, but more accurate measurements would be expected to agree with other papers discussing ABE encryption time, such as [14, 12, 34], namely that the time is linear in the number of attributes.

A common measure in the Internet of Things context is energy consumption, as many of the devices are battery powered. Performing experiments comparing the energy consumption of the sensors in the two systems presented here would be useful for drawing further conclusions about the feasibility of ABE on sensors.

The sensors deployed in the Green IoT project run the operating system Contiki. Contiki introduces some overhead, so it would be relevant to investigate how the performance of the encryption is affected by running Contiki on the sensors.


10 Conclusions

Performing ABE on sensors is possible for systems where the policy size is rather small and time is not a scarce resource. However, the time issue has a solution which might suffice in some applications: use the same symmetric key from one ABE encryption for a certain amount of time and only refresh it when needed. This way the sensor does not have to perform the expensive ABE operations for every data packet it sends.

The bottleneck of performing ABE on the sensors is the RAM size of the sensors.

In terms of which system solution to use, the sensor ABE system is the recommended one if it is feasible. This is because it removes the need for end-to-end communication between authority/server and sensor and it removes the trusted third party which can decrypt all the sensor data. If there is a single authority and end-to-end communication between authority and sensor is possible, then it does not really matter which system one chooses. However, if end-to-end communication is problematic and one must introduce a new trusted third party in addition to the authority, such as a server, then it is beneficial to go with the sensor ABE system, as this additional party is then redundant.

If the authority ABE system, i.e. the system where the sensor and authority share a symmetric key, is to be used, it is not worthwhile putting effort into designing a simulated CP-ABE system, as the authority is powerful. The CP-ABE system is more intuitive and there is no reason to give it up on the basis of computational efficiency in the authority ABE case. However, if KP-ABE is a viable choice for the application then it should be chosen from a computational efficiency point of view.

When the sensor ABE system is considered, one should first check whether KP-ABE is a viable choice and, if so, use it. If the expressiveness of CP-ABE is necessary then one should make a thorough comparison between CP-ABE and simulated CP-ABE. Simulated CP-ABE is beneficial if the system contains a limited number of authorities and the policy sizes do not differ much. Otherwise the CP-ABE scheme is better; additionally, the CP-ABE scheme does not limit the flexibility of policies in the system.

The most promising suggestion for improving the implementation is to use the library which utilizes the built-in hardware support for some cryptographic operations. Additionally, the Simple CP-ABE scheme is of particular interest for future implementations.


11 Acknowledgements

I want to thank my supervisors Borje Ohlman and Edith Ngai for making this project possible and giving me the opportunity to perform my thesis work at Ericsson. I also want to send my appreciation to the collaborators of the Green IoT project and Vinnova, who is co-funding the Green IoT project. In particular I would like to thank Adrian Caragea at Upwis AB for helping me get started with the sensor Upwis provided me with and Christian Rohner at the IT department of Uppsala University for reviewing my thesis.


References

[1] CP-ABE implementation, http://hms.isi.jhu.edu/acsc/cpabe/

[2] Cryptographic key length recommendation, https://www.keylength.com/

[3] Functional Encryption Library (libfenc), https://code.google.com/archive/p/libfenc/

[4] GNU MP Bignum (GMP) Library, https://gmplib.org/

[5] Green IoT Webpage, http://user.it.uu.se/~eding810/GreenIoT/

[6] KP-ABE implementation, https://github.com/gustybear/kpabe

[7] Pairing-Based Cryptography (PBC) library, https://crypto.stanford.edu/pbc/

[8] QEMU, http://wiki.qemu.org/Main_Page

[9] D. F. Aranha and C. P. L. Gouvea, RELIC is an Efficient LIbrary for Cryptography (relic-toolkit), https://github.com/relic-toolkit/relic

[10] Valgrind, http://valgrind.org/

[11] J.A. Akinyele, C.U. Lehmann, M.D. Green, M.W. Pagano, Z.N.J. Peterson, A.D. Rubin, Self-Protecting Electronic Medical Records Using Attribute-Based Encryption, Cryptology ePrint Archive, Report 2010/565, http://eprint.iacr.org/, 2010.

[12] M. Ambrosin, M. Conti, T. Dargahi, On the Feasibility of Attribute-Based Encryption on Smartphone Devices, arXiv:1504.00619

[13] R. Baden, A. Bender, N. Spring, B. Bhattacharjee, D. Starin, Persona: An online social network with user-defined privacy, SIGCOMM Computer Communications Review, 39(4):135–146, 2009.

[14] J. Bethencourt, A. Sahai, B. Waters, Ciphertext-Policy Attribute-Based Encryption, In: IEEE Symposium on Security and Privacy, pp. 321–334, 2007.

[15] C. Ghali, M. Schlosberg, G. Tsudik, C. A. Wood, Interest-Based Access Control for Content Centric Networks, arXiv:1505.06258

[16] V. Goyal, O. Pandey, A. Sahai, B. Waters, Attribute Based Encryption for Fine-Grained Access Control of Encrypted Data, In: ACM Conference on Computer and Communications Security (ACM CCS), 2006.

[17] M. Green, S. Hohenberger, B. Waters, Outsourcing the Decryption of ABE Ciphertexts, In: USENIX Security Symposium, page 3, 2011.

[18] M. Hazewinkel, Cyclic Groups, Encyclopedia of Mathematics, 2001.

[19] J. Kurihara, E. Uzun, C. A. Wood, An encryption-based access control framework for content-centric networking, In: Proc. IFIP Networking 2015, May 2015.

[20] F. Leprevost, J. Monnerat, S. Varrette, S. Vaudenay, Generating anomalous elliptic curves, Information Processing Letters 93, 2005, pp. 225–230.

33

Page 39: Attribute-Based Encryption in Systems with Resource ...uu.diva-portal.org/smash/get/diva2:945208/FULLTEXT01.pdf · Devices in an Information Centric Networking Context ... two ways

[21] A. Lewko, A. Sahai, B. Waters, Revocation Systems with Very Small Private Keys, Proceed-ings of the 2010 IEEE Symposium on Security and Privacy, p. 273-285, 2010

[22] A. Lewko, B. Waters, Decentralizing Attribute-Based Encryption, Cryptology ePrint ArchiveReport 2010/351 (2010), http://eprint.iacr.org/

[23] M. Li , S. Yu , Y. Zheng , K. Ren, W. Lou, Scalable and secure sharing of personal healthrecords in cloud computing using attribute-basedencryption, IEEE Trans. Parallel Distrib.Syst., vol. 24, no. 1, pp. 131-143, 2013

[24] A. Liu, P. Ning, TinyECC: A Configurable Library for Elliptic Curve Cryptography in Wire-less Sensor Networks, in Proceedings of the 7th International Conference on InformationProcessing in Sensor Networks (IPSN 2008), SPOTS Track, pages 245–256, April 2008.

[25] P. Mahadevan, CCNx 1.0 Tutorial, PARC, Tech. Rep., March 2014

[26] L. B. Oliveira, M. Scott, J. Lopez, R. Dahab, TinyPBC: Pairings for authenticated identity-based non-interactive key distribution in sensor networks, Cryptology ePrint Archive, Report2007/482, 2007. http://eprint.iacr.org/.

[27] A. Shamir, How to share a secret, Communications of the ACM 22 (11): 612-613

[28] R. S. da Silva, S. D. Zorzo, An Access Control Mechanism to Ensure Privacy in Named DataNetworking using Attribute-based Encryption with Immediate Revocation of Privileges, IEEECCNC 2015

[29] J.H. Silverman, The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, 106. 1986,Springer-Verlag.

[30] Y-L. Tan, B-M. Goi, R. Komiya, S-Y. Tan, A Study of Attribute-Based Encryption for BodySensor Networks, Informatics Engineering and Information Science (2011): 238-247

[31] L. Touati, Y. Challal, A. Bouabdallah, C-CP-ABE: Cooperative Ciphertext Policy Attribute-Based Encryption for the Internet of Things, International Conference on advanced Network-ing, Distributed Systems and Applications, 2014, Bejaia, Algeria. pp. 64-69, 2014.

[32] J.P. Walters, Z. Liang, W. Shi, V. Chaudhary, Wireless Sensor Network Security: A Survey,Security in Distributed, Grid and Pervasive Computing Yang Xiao (Eds), year 2006

[33] B. Waters, Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient,and Provably Secure Realization, Cryptology ePrint Archive Report 2008/290 (2008),http://eprint.iacr.org/

[34] X. Wang, J. Zhang, E. M. Schooler, M. Ion. Performance evaluation of attribute-based en-cryption: Toward data privacy in the IoT, In ICC’14, 2014

34