Attribute-based encryption

Last updated

Attribute-based encryption is a generalisation of public-key encryption which enables fine grained access control of encrypted data using authorisation policies. The secret key of a user and the ciphertext are dependent upon attributes (e.g. their email address, the country in which they live, or the kind of subscription they have). In such a system, the decryption of a ciphertext is possible only if the set of attributes of the user key matches the attributes of the ciphertext. [1]

Contents

A crucial security aspect of attribute-based encryption is collusion-resistance: An adversary that holds multiple keys should only be able to access data if at least one individual key grants access.

Description

Attribute-based encryption is provably [2] a generalisation of identity-based encryption.

History

Identity-based encryption was first proposed in 1984 by Adi Shamir, [3] without a specific solution or proof. In 2004 Amit Sahai and Brent Waters [4] published a solution, improved in 2006 by Vipul Goyal, Omkant Pandey, Amit Sahai and Brent Waters. [5] Melissa Chase and other researchers have further proposed attribute-based encryption with multiple authorities who jointly generate users' private keys. [6] [7] [8] [9] [10] [11]

Types of attribute-based encryption schemes

There are mainly two types of attribute-based encryption schemes: Key-policy attribute-based encryption (KP-ABE) [5] and ciphertext-policy attribute-based encryption (CP-ABE). [12]

In KP-ABE, users' secret keys are generated based on an access tree that defines the privileges scope of the concerned user, and data are encrypted over a set of attributes. However, CP-ABE uses access trees to encrypt data and users' secret keys are generated over a set of attributes.

Relationship to Role-based Encryption

The related concept of role-based encryption [13] refers exclusively to access keys having roles that can be validated against an authoritative store of roles. In this sense, Role-based encryption can be expressed by Attribute-based encryption and within that limited context the two terms can be used interchangeably. Role-based Encryption cannot express Attribute-based encryption.

Usage

Attribute-based encryption (ABE) can be used for log encryption. [14] Instead of encrypting each part of a log with the keys of all recipients, it is possible to encrypt the log only with attributes which match recipients' attributes. This primitive can also be used for broadcast encryption in order to decrease the number of keys used. [15] Attribute-based encryption methods are also widely employed in vector-driven search engine interfaces. [16]

Challenges

Although the ABE concept is very powerful and a promising mechanism, ABE systems suffer mainly from two drawbacks: inefficiency and the lack of a straightforward attribute revocation mechanism.

Other main challenges are:

Attribute revocation mechanism

Revocation of users in cryptosystems is a well-studied but nontrivial problem. Revocation is even more challenging in attribute-based systems, given that each attribute possibly belongs to multiple different users, whereas in traditional PKI systems public/private key pairs are uniquely associated with a single user. In principle, in an ABE system, attributes, not users or keys, are revoked. The following paragraph now discusses how the revocation feature can be incorporated.

A simple but constrained solution is to include a time attribute. This solution would require each message to be encrypted with a modified access tree T0, which is constructed by augmenting the original access tree T with an additional time attribute. The time attribute, ζ represents the current ‘time period’. Formally, the new access structure T0 is as follows: {{{1}}}. For example, ζ can be the ‘date’ attribute whose value changes once every day. It is assumed that each non-revoked user receives his fresh private keys corresponding to the ‘date’ attribute once each day directly from the mobile key server MKS (which is the central authority) or via the regional delegates. With a hierarchical access structure, the key delegation property of CP-ABE can be exploited to reduce the dependency on the central authority for issuing the new private keys to all users every time interval. There are significant trade-offs between the extra load incurred by the authority for generating and communicating the new keys to the users and the amount of time that can elapse before a revoked user can be effectively purged. This above solution has the following problems:

  1. Each user X needs to periodically receive from the central authority the fresh private key corresponding to the time attribute, otherwise X will not be able to decrypt any message.
  2. It is a lazy revocation technique. The revoked user is not purged from the system until the current time period expires.
  3. This scheme requires an implicit time synchronization (a loose time synchronization may be sufficient) among the authority and the users.

Other concepts called 'attribute-based encryption'

A manuscript of Ari Juels and Michael Szydlo [17] dated 2004 proposed a different, non-collusion-resistant notion of attribute-based encryption.

See also

Related Research Articles

<span class="mw-page-title-main">Cipher</span> Algorithm for encrypting and decrypting information

In cryptography, a cipher is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into cipher or code. In common parlance, "cipher" is synonymous with "code", as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography.

<span class="mw-page-title-main">Tabula recta</span> Fundamental tool in cryptography

In cryptography, the tabula recta is a square table of alphabets, each row of which is made by shifting the previous one to the left. The term was invented by the German author and monk Johannes Trithemius in 1508, and used in his Trithemius cipher.

Identity-based encryption (IBE), is an important primitive of identity-based cryptography. As such it is a type of public-key encryption in which the public key of a user is some unique information about the identity of the user. This means that a sender who has access to the public parameters of the system can encrypt a message using e.g. the text-value of the receiver's name or email address as a key. The receiver obtains its decryption key from a central authority, which needs to be trusted as it generates secret keys for every user.

<span class="mw-page-title-main">Key exchange</span> Cryptographic protocol enabling the sharing of a secret key over an insecure channel

Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

Multiple encryption is the process of encrypting an already encrypted message one or more times, either using the same or a different algorithm. It is also known as cascade encryption, cascade ciphering, multiple encryption, and superencipherment. Superencryption refers to the outer-level encryption of a multiple encryption.

Proxy re-encryption (PRE) schemes are cryptosystems which allow third parties (proxies) to alter a ciphertext which has been encrypted for one party, so that it may be decrypted by another.

Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality and authenticity. Examples of encryption modes that provide AE are GCM, CCM.

Broadcast encryption is the cryptographic problem of delivering encrypted content over a broadcast channel in such a way that only qualified users can decrypt the content. The challenge arises from the requirement that the set of qualified users can change in each broadcast emission, and therefore revocation of individual users or user groups should be possible using broadcast transmissions, only, and without affecting any remaining users. As efficient revocation is the primary objective of broadcast encryption, solutions are also referred to as revocation schemes.

Encryption software is software that uses cryptography to prevent unauthorized access to digital information. Cryptography is used to protect digital information on computers as well as the digital information that is sent to other computers over the Internet.

A deterministic encryption scheme is a cryptosystem which always produces the same ciphertext for a given plaintext and key, even over separate executions of the encryption algorithm. Examples of deterministic encryption algorithms include RSA cryptosystem, and many block ciphers when used in ECB mode or with a constant initialization vector.

Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output that is identical to that produced had the operations been performed on the unencrypted data. Homomorphic encryption can be used for privacy-preserving outsourced storage and computation. This allows data to be encrypted and out-sourced to commercial cloud environments for processing, all while encrypted.

Entropic security is a security definition used in the field of cryptography. Modern encryption schemes are generally required to protect communications even when the attacker has substantial information about the messages being encrypted. For example, even if an attacker knows that an intercepted ciphertext encrypts either the message "Attack" or the message "Retreat", a semantically secure encryption scheme will prevent the attacker from learning which of the two messages is encrypted. However, definitions such as semantic security are too strong to achieve with certain specialized encryption schemes. Entropic security is a weaker definition that can be used in the special case where an attacker has very little information about the messages being encrypted.

In cryptography, a hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem. Public-key cryptosystems are convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely. However, they often rely on complicated mathematical computations and are thus generally much more inefficient than comparable symmetric-key cryptosystems. In many applications, the high cost of encrypting long messages in a public-key cryptosystem can be prohibitive. This is addressed by hybrid systems by using a combination of both.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

<span class="mw-page-title-main">Functional encryption</span>

Functional encryption (FE) is a generalization of public-key encryption in which possessing a secret key allows one to learn a function of what the ciphertext is encrypting.

<span class="mw-page-title-main">Amit Sahai</span> American cryptographer (born 1974)

Amit Sahai is an Indian-American computer scientist. He is a professor of computer science at UCLA and the director of the Center for Encrypted Functionalities.

Identity-based conditional proxy re-encryption (IBCPRE) is a type of proxy re-encryption (PRE) scheme in the identity-based public key cryptographic setting. An IBCPRE scheme is a natural extension of proxy re-encryption on two aspects. The first aspect is to extend the proxy re-encryption notion to the identity-based public key cryptographic setting. The second aspect is to extend the feature set of proxy re-encryption to support conditional proxy re-encryption. By conditional proxy re-encryption, a proxy can use an IBCPRE scheme to re-encrypt a ciphertext but the ciphertext would only be well-formed for decryption if a condition applied onto the ciphertext together with the re-encryption key is satisfied. This allows fine-grained proxy re-encryption and can be useful for applications such as secure sharing over encrypted cloud data storage.

Column level encryption is a type of database encryption method that allows user to select specific information or attributes to be encrypted instead of encrypting the entire database file. To understand why column level encryption is different from other encryption methods like file level encryption, disk encryption, and database encryption, a basic understanding of encryption is required.

Brent R. Waters is an American computer scientist, specializing in cryptography and computer security. He is currently a professor of Computer Science at the University of Texas at Austin.

References

  1. "What is Attribute-Based Encryption". Cryptography Stack Exchange. 2014.
  2. Herranz, Javier (November 2017). "Attribute‐based encryption implies identity‐based encryption". IET Information Security. 11 (6): 332–337. doi:10.1049/iet-ifs.2016.0490. eISSN   1751-8717. hdl: 2117/111526 . ISSN   1751-8709. S2CID   20290716.
  3. Shamir, Adi (1984). "Identity-Based Cryptosystems and Signature Schemes". Advances in Cryptology. Lecture Notes in Computer Science. Vol. 196. Berlin, Heidelberg: Springer Berlin Heidelberg. pp. 47–53. doi:10.1007/3-540-39568-7_5. ISBN   978-3-540-15658-1.
  4. Amit Sahai and Brent Waters, Fuzzy Identity-Based Encryption Cryptology ePrint Archive, Report 2004/086 (2004)
  5. 1 2 Vipul Goyal, Omkant Pandey, Amit Sahai and Brent Waters, Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data ACM CCS (2006)
  6. Melissa Chase, Multi-authority Attribute-Based Encryption TCC (2007)
  7. Melissa Chase and Sherman S.M. Chow, Improving privacy and security in multi-authority attribute-based encryption ACM CCS (2009)
  8. Taeho Jung, Xiang-Yang Li, Zhiguo Wan, and Meng Wan, Privacy preserving cloud data access with multi-authorities IEEE INFOCOM (2013)
  9. Taeho Jung, Xiang-Yang Li, Zhiguo Wan, and Meng Wan, Control Cloud Dhttps://gnunet.org/sites/default/files/CCS%2706%20-%20Attributed-based%20encryption%20for%20fine-grained%20access%20control%20of%20encrypted%20data.pdfata Access Privilege and Anonymity With Fully Anonymous Attribute-Based Encryption Transactions on Information Forensics and Security (2015)
  10. Allisso Lewko and Brent Waters, Decentralizing Attribute-Based Encryption EUROCRYPT (2011)
  11. Sascha Muller, Stefan Katzenbeisser, and Claudia Eckert, On multi-authority ciphertext-policy attribute-based encryption Bull. Korean Math. Soc. 46 (2009)
  12. Bethencourt, J.; Sahai, A.; Waters, B. (2007-05-01). "Ciphertext-Policy Attribute-Based Encryption". 2007 IEEE Symposium on Security and Privacy (SP '07). pp. 321–334. CiteSeerX   10.1.1.69.3744 . doi:10.1109/SP.2007.11. ISBN   978-0-7695-2848-9. S2CID   6282684.
  13. SuryakantBhise, Avdhut; R.N, Phursule (2015-01-16). "A Review of Role based Encryption System for Secure Cloud Storage". International Journal of Computer Applications. Foundation of Computer Science. 109 (14): 15–20. Bibcode:2015IJCA..109n..15S. doi: 10.5120/19255-0986 . ISSN   0975-8887.
  14. Vipul Goyal, Omkant Pandey, Amit Sahai and Brent Waters, Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data Cryptology ePrint Archive, Report 2006/309 (2006)
  15. David Lubicz and Thomas Sirvent, Attribute-Based Broadcast Encryption Scheme Made Efficient First International Conference on Cryptology in Africa (2008)
  16. Bouabana-Tebibel, T (2015). "Parallel search over encrypted data under attribute based encryption on the Cloud Computing". Computers & Security. 54: 77–91. doi:10.1016/j.cose.2015.04.007.
  17. Ari Jules and Michael Szydlo, Attribute-Based Encryption: Using Identity-Based Encryption for Access Control Manuscript (2004) Archived February 21, 2014, at the Wayback Machine

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.