crypto slides

8/10/2019 Crypto Slides

1/22

Ciphertext-Policy Attribute-Base Encryption (CP-ABE)

Ciphertext-Policy Attribute-Base

Encryption

(CP-ABE)

Muhannad Darnasser

Computer Sciences DepartmentRochester Institute of Technology


2/22


Introduction

OutlineIntroduction

Background - Bilinear MapsCommentary

Applications - Bilinear Maps

Computational Diffie-Hellman problemDecisional Diffie-Hellman problem

CP-ABEHow it works

SetupEncryptKey GeneratorDecrypt

Questions

References


3/22


Introduction

Introduction

What is the need for CP-ABE?

Public key Scheme.

Enhance key management.

One Encryption key, Multiple decryption keys. Encrypt for privileges not for users.


4/22


Background - Bilinear Maps

Bilinear Maps


5/22



Definition of a Bilinear Map

Definition

A bilinear mapfrom G1 G2 to G3 is a functione:G1 G2 G3 such that for all u G1, v G2, a, b Z,

e(ua, vb) =e(u, v)ab .

Where G1, G2, and G3 are cyclic groups of the same order.


6/22



Admissible Bilinear Map

Definition

The mappere is admissible ife(g1, g2) is a generator for G3and it is efficiently Computable.

Those are the maps we are going to use.


7/22



Commentary

Relationships BetweenG1,G2, andG3 G1, G2, and G3 are all isomorphic to one another since

they have the same order and are cyclic They are different groups in the sense that we represent

the elements and compute the operations differently Normally, however,G1=G2 (in addition to being

isomorphic) From now on we assume this unless otherwise noted Denote both by G =G1 =G2

G andG3 may have either composite or prime order Makes a difference in how they work / are used Most often prime order

IfG= G3 called a self-bilinear map Very powerful No known examples.


8/22



Computational Diffie-Hellman problem

Computational Diffie-Hellman problem CDHP The CDHP: given P, aP, bP in G, Find abP.

Giveng, ga, gb, to find ab use e(ga, gb) =e(g, g)ab tomove to another domain and use Discrete log to solve the

problem.


9/22



Decisional Diffie-Hellman problem

Decisional Diffie-Hellman problem DDHP DDHP: given P, aP, bP, cP in G, decide whether c = ab

(modulo the order of P).

Giveng, ga, gb, gc, determine whether c ab mod qby

just checking whethere(ga

, gb

) =e(g, gc

) e(ga, gb) =e(g, g)ab

?=e(g, g)c =e(g, gc)

C h P l A b B E (CP ABE)


10/22


CP-ABE

CP-ABE


11/22

Ci he te t P li Att ib te B se E ti (CP ABE)


12/22


CP-ABE

How it works

How it works...Example Attributes: {Doctor,Nurse,A,B,C}.

Users: User1: {Doctor,A}.

User2: {Doctor, C

}.

User3: {Nurse,B}.

Access Tree:

Ciphertext Policy Attribute Base Encryption (CP ABE)


13/22


CP-ABE

CP-ABE Functions Setup.

Encrypt.

Key Generator.

Decrypt. Delegate (will not be covered).



14/22


CP-ABE

Setup

Setup Choose a bilinear G0 of prime Order p and generator g

Choose Random exponents, Zp PK= G0, g ,h=g

, f=g1/, e(g, g)

Master Key is(, g)



15/22


CP-ABE

Encrypt

Encrypt(PK,M,) M is the message to be encrypted.

is the tree access structure.

Choose polynomialqx for each node x in including the

leaves. the order of the polynomialqx is kx 1where kx is the

threshold of node x

For the Root R choose qR(0) =s where s is a random

number Zp and choose random points to completelyconstruct the polynomial.

For other nodes qx(0) =qparent(x)(index(x))



16/22


CP-ABE

Encrypt

Encrypt(PK,M,) Cont. CT = (, C=Me(g, g)s, C=hs,y Y :Cy =

gqy(0), Cy =H(att(y))qy(0))

Y is the set of the leaf Nodes.

H is a hash function defined as a random OracleH : {0, 1} G0



17/22

p y yp ( )

CP-ABE

Key Generator

KeyGen(MK,S) Sis a list of attributes associated with the private key.

Choose r Zp Choose rj Zp for each attribute j S

SK= (D=g(+r)/,j S:Dj =g

r.H(j)rj , Dj =grj)



18/22

( )

CP-ABE

Decrypt

Decrypt(CT,SK,x) DecryptNode(CT,SK,x) = e(Di,Cx)

e(Di,C

x)

= e(gr.H(i)ri ,gqx(0))

e(gri ,H(i)qx(0)) = e(g

r.gri ,gqx(0))

e(gri ,gqx(0)) = e(g,g)

rqx(0)+riqx(0)

e(g,g)riqx(0)

=e(g, g)rqx(0)

This function is a recursive, starting from the root nodeof the tree until the leaves.

if the attributes satisfies the tree then the Root will besatisfied

Recall: that qx(0) =s for the root. A= DecryptNode(CT,SK,r) =e(g, g)rqR(0) =

e(g, g)rs



19/22

CP-ABE

Decrypt

Decrypt(CT,SK,x) Cont.

C/(e(C,D)/A) = C/(e(hs, g(+r)/)/e(g, g)rs)

=

Me(g,g)se(g,g)rs

e(g

s

,g

(+r)/

)=

Me(g,g)s+rs

e(g,g)s+rs

= M



20/22

CP-ABE

Finally

CP-ABE was an improvement over KP-ABE. CP-ABE needs some fine grain access improvements.

CP-ABE also needs some improvements in keysrevocation.



21/22

Questions

Questions



22/22

References

References John Bethencourt, Amit Sahai, and Brent Waters.

Ciphertext-Police Attribute-Based Encryption. IEEESymposium on Security and Privacy 07, pp. 321-334,IEEE, 2007.

http://www.cs.berkeley.edu/~bethenco/

bilinear_maps.pdf Accessed: April/2012

http:

//www.larc.usp.br/~pbarreto/pblounge.html

Accessed: April/2012
http://www.cs.berkeley.edu/~bethenco/bilinear_maps.pdfhttp://www.cs.berkeley.edu/~bethenco/bilinear_maps.pdfhttp://www.cs.berkeley.edu/~bethenco/bilinear_maps.pdfhttp://www.cs.berkeley.edu/~bethenco/bilinear_maps.pdfhttp://www.larc.usp.br/~pbarreto/pblounge.htmlhttp://www.larc.usp.br/~pbarreto/pblounge.htmlhttp://www.larc.usp.br/~pbarreto/pblounge.htmlhttp://www.larc.usp.br/~pbarreto/pblounge.htmlhttp://www.larc.usp.br/~pbarreto/pblounge.htmlhttp://www.larc.usp.br/~pbarreto/pblounge.htmlhttp://www.cs.berkeley.edu/~bethenco/bilinear_maps.pdfhttp://www.cs.berkeley.edu/~bethenco/bilinear_maps.pdf

crypto slides

Documents