In a real life situation, revocation needs to handle two things:
(1) Make the policy under which data is encrypted is invalid for revoked user(s).
(2) Re-encrypt the affected data to reflect the revocation. (If we do not re-encrypt, a revoked user can use her old credentials to access the encrypted data.)
Let's get started using a simple example.
Bob shares an encrypted file in a public cloud with Alice, Ted and Tim. In order to make the encryption process efficient, Bob can a group encryption technique such as ABE (attribute based encryption) or BE (broadcast encryption) or even a simple symmetric key encryption. For this example, we focus only on ABE. I will devote a separate blog post for broadcast encryption.The beauty of the group based encryption technique is that Bob needs to do ONLY ONE encryption for all the people with whom he shares the file.
Some background information: In a modern group based encryption scheme, users are assigned attributes and the users having the same set of attributes belong to the same group. Let's say for this example, Bob has tagged Alice, Ted and Tim with the attributes "cool_friend" and "buddy", and is using ABE cryptosystem.
Access control policy
Bob has his own KGC (key generation center) to run the ABE cryptosystem. Bob generates the master secret key MK and public key PK. (Keygen(k) --> MK, PK)
Keygen operations
Encrypt(SK, M, policy("cool_friend", "buddy") steps
Secret Key generation for Alice and Tim (Similarly for Ted - not shown above)
Secret keys for users are generated by Bob based on a linear secret sharing scheme. Shamir's secret sharing scheme is the most popular choice. For simplicity, for this example, I am using simple addition as the linear secret sharing scheme. (Notice that the secret keys given to Alice and Tim and generated using different sets of secret shares. This is to prevent collisions. Interested readers are encouraged to read [3] for more in-depth details on preventing collisions.) For complex monotonic policies, the typical approach is to build an access tree and internally use the Shamir's secret sharing scheme.
Now Alice, Ted and Tim can decrypt the document using their secret keys.
Alice decrypting Bob's message
In a typical ABE setting, how does Bob do this revocation?
a. Generate new secret keys for Ted and Alice for the attribute "cool_friend" and "buddy", and send these to them (this process results in a new master secret key SK' and public key PK' as well.)
b. Download the encrypted document from the cloud and decrypt it (Decrypt(SK, C) --> M) and re-encrypt (Encrypt(PK', M, policy("cool_friend" AND "buddy")) --> C') and upload back to the cloud.
Can we do better? Can we delegate the re-encryption to the cloud itself? (The subject of this post.)
Decrypt -> Re-encrypt is off the table since in order to do that, Bob needs to give SK to the cloud, which is what Bob does not want to do in the first place - Bob wants to hide the content from the cloud. So, is there a way out for this problem?
One possible approach is as follows:
- Execute step 1
- Ask the cloud to do an onion encryption over the current encryption
Problem: size of the onion gets bigger and bigger as we do more revocations.
Can we do better? Yes, we can incrementally change the ciphertext using the technique called ciphertext delegation [1]. I am showing you a simplified version of ciphertext delegation here. Please read [1] for more details.
The idea behind ciphertext delegation is to allow another party to re-encrypt a file under a more restrictive policy than the original policy without decrypting the file. That is, originally encrypted as Encrypt(PK, M, P) = C, then do the delegation: Delegate(PK, C, P') = Encrypt(PK, M, P'), where P' is a more restrictive policy than the original policy P.
How can we encrypt under a more restrictive policy? Recall that the policies we deal with have a linear structure. We can restrict such policies in many ways. Here are some possible approaches:
- increase node threshold (for example from OR to AND)
- add an additional attribute to the access tree
- remove a subtree from the access tree
For illustration purpose, I will be using the second option. I am introducing a new attribute called "time" to restrict the policy.
Restrictive policy
Bob uploads some public information to the cloud so that it can re-encrypt and also some additional public information to allow only Alice and Ted recover the secret components for the attribute "time". It is done in a way that Tim will not be able to recover the secret for the attribute "time". Hence, Tim will not be able to satisfy the new restrictive policy.
New public information given to the cloud to re-encrypt in the cloud
Additional secret given only to Alice and Ted
Bob can use several approaches to give this additional secret only to Alice and Ted. One approach is that Bob may give this secret directly to Alice or Ted. Another approach is to utilize a broadcast encryption technique to encrypt this secret for only Alice and Ted and upload to the cloud as public information.
The following equations shows how the cloud does the re-encryption:
It is easy to see that using their other credentials and the above new value, Alice and Ted can decrypt the re-encrypted file. However, as Tim cannot generate the above value, he will not be able to access the re-encrypted file.
It should be noted that the above scheme fails if Alice or Ted collude with Tim. I leave the readers to figure out a collision resistant way to do the ciphertext delegation (hint: read [1] :) I hope this post gave you some idea about how to do re-encryption for ABE in the cloud itself without decrypting.
References:
[1] http://eprint.iacr.org/2012/437.pdf [CRYPTO 2012]
[2] http://research.microsoft.com/en-us/um/people/vipul/abe.pdf [CCS 2007]
[3] http://eprint.iacr.org/2004/086.pdf [CCS 2006]
5 comments:
Hi,
I am looking into attribute based encryption, but am finding it difficult to understand what bilinear pairings are and how they work.
Could you say what exactly linear secret sharing schemes are? How are they used in ABE.
Harsha,
I would start from the first linear secret sharing scheme by Shamir:
http://www.cs.tau.ac.il/~bchor/Shamir.html
The following could be helpful as well to understand the technical details:
http://echidna.maths.usyd.edu.au/kohel/tch/MATH3024/Lectures/lectures_11.pdf
Please note that bilinear pairing has nothing to do with secret sharing.
You may want to refer to an introductory material on bilinear pairing before trying to understand ABE.
Thanks so much for the material on the linear sharing - i had been searching for quite a bit, but I guess I didn't know where to look.
Would you have any links that explain bilinear pairings in a simple msnner?
I had thought these two were linked in some way...
If my understanding is correct secret sharing is used for "creating access policies" right?... using attributes? So each secret or share would be an attribute? no?
Very lengthy but informative article. You mentioned lots of information in your article in effective way. I like your article.Its helped me in my seminar. I discussed all the above information with my friend circle also.
eSignature
Would you have any links that explain bilinear pairings in a simple msnner?
Post a Comment