40

Can someone explain what attribute based encryption is?

I was searching for a book or something that can help me in this regard but so far I have found none. Google also returns practically nothing aside from the papers.

Patriot
  • 3,132
  • 3
  • 18
  • 65
Mark
  • 403
  • 1
  • 4
  • 4

1 Answers1

74

I try to provide a brief intro.

ABE

Attribute-based encryption (ABE) is a relatively recent approach that reconsiders the concept of public-key cryptography. In traditional public-key cryptography, a message is encrypted for a specific receiver using the receiver’s public-key. Identity-based cryptography and in particular identity-based encryption (IBE) changed the traditional understanding of public-key cryptography by allowing the public-key to be an arbitrary string, e.g., the email address of the receiver. ABE goes one step further and defines the identity not atomic but as a set of attributes, e.g., roles, and messages can be encrypted with respect to subsets of attributes (key-policy ABE - KP-ABE) or policies defined over a set of attributes (ciphertext-policy ABE - CP-ABE). The key issue is, that someone should only be able to decrypt a ciphertext if the person holds a key for "matching attributes" (more below) where user keys are always issued by some trusted party.

Ciphertext-Policy ABE

In ciphertext-policy attribute-based encryption (CP-ABE) a user’s private-key is associated with a set of attributes and a ciphertext specifies an access policy over a defined universe of attributes within the system. A user will be ale to decrypt a ciphertext, if and only if his attributes satisfy the policy of the respective ciphertext. Policies may be defined over attributes using conjunctions, disjunctions and $(k,n)$-threshold gates, i.e., $k$ out of $n$ attributes have to be present (there may also be non-monotone access policies with additional negations and meanwhile there are also constructions for policies defined as arbitrary circuits). For instance, let us assume that the universe of attributes is defined to be $\{A,B,C,D\}$ and user 1 receives a key to attributes $\{A,B\}$ and user 2 to attribute $\{D\}$. If a ciphertext is encrypted with respect to the policy $(A \wedge C) \vee D$, then user 2 will be able to decrypt, while user 1 will not be able to decrypt.

CP-ABE thus allows to realize implicit authorization, i.e., authorization is included into the encrypted data and only people who satisfy the associated policy can decrypt data. Another nice features is, that users can obtain their private keys after data has been encrypted with respect to policies. So data can be encrypted without knowledge of the actual set of users that will be able to decrypt, but only specifying the policy which allows to decrypt. Any future users that will be given a key with respect to attributes such that the policy can be satisfied will then be able to decrypt the data.

Key-Policy ABE

KP-ABE is the dual to CP-ABE in the sense that an access policy is encoded into the users secret key, e.g., $(A \wedge C) \vee D$, and a ciphertext is computed with respect to a set of attributes, e.g., $\{A,B\}$. In this example the user would not be able to decrypt the ciphertext but would for instance be able to decrypt a ciphertext with respect to $\{A,C\}$.

An important property which has to be achieved by both, CP- and KP-ABE is called collusion resistance. This basically means that it should not be possible for distinct users to "pool" their secret keys such that they could together decrypt a ciphertext that neither of them could decrypt on their own (which is achieved by independently randomizing users' secret keys).

Beyond ABE

ABE is just one type of the more general concept of functional encryption (FE) covering IBE, ABE and many other concepts such as inner product or hidden vector encryption (yielding e.g., searchable encryption) etc. It is a very active and young field of research and has many interesting applications (in particular in the field of cloud computing).

DrLecter
  • 12,547
  • 3
  • 43
  • 61
  • 12
    This is, by far, the best explanation I've got. Thank you very much for taking time to explain this in so much detail. I honestly believe that you should add this explanation to the wikipedia article of ABE as plenty of others can benefit from it. Thanks a lot once again. – Mark Jun 25 '14 at 21:54
  • am curious if there is any work done in symmetric ABE schemes – sashank Jun 26 '14 at 04:47
  • 1
    @sashank I am not aware of any work in symmetric ABE. Naive CP-ABE could be: You have an authority that distributes a distinct key per attribute. If you have a policy just build the access tree and apply recursive secret sharing (as done in all constructions that do not use linear secret sharing) and encrypt the respective shares at the attribute leaves with the respective attribute keys. Use the random root secret that you have shared down the tree as a key to encrypt the data. However, this would not be collusion resistant, which may be hard to impossible to achieve in the symmetric setting. – DrLecter Jun 26 '14 at 06:30
  • 1
    @sashank I'm intrigued. What do you understand under symmetric ABE? If your idea is too long for a comment, meybe you can post a question. – Artjom B. Jun 26 '14 at 14:53
  • 2
    @sashank, one of the big benefits of ABE is that the attributes are public, and if you possess the attribute, you can get the private key associated with it. Thus, anyone can encrypt with the attributes, but only one who possesses them can decrypt. Symmetric ABE would say that only one who possesses the attributes can encrypt with them. If that is the functionality you need, you can get that with an attribute-based signcryption scheme. – mikeazo Jun 26 '14 at 16:58
  • @mikeazo Exactly, the public encryption feature is what makes ABE that nice and interesting! – DrLecter Jun 26 '14 at 17:03
  • informally, intuitively, i believe a technique achieved by PKE could also be achieved by SKE. ABE may be lot cleanly achieved in PKE but should be possible in SKE too, imagine a master secret key split into key shares per attribute or something but i did not think through how ABE can be realized using SKE – sashank Jun 27 '14 at 09:56
  • @DrLecter can u point me to the "recursive secret sharing" schemes you were saying above ? – sashank Sep 20 '14 at 04:15
  • @sashank These are not special schemes. They simply use Shamir recursively for the access tree (if you look for instance at the first CP-ABE construction by Bethencourt et al. you will see what I mean). – DrLecter Sep 20 '14 at 11:18
  • @DrLecter , the paper , "Building Encrypted and Searchable log" has two schemes, the first one, i would say is symmetric ABE – sashank Sep 25 '14 at 13:19
  • @sashank I will take a look at the paper, but could take some days as I am quite busy at the moment. – DrLecter Sep 25 '14 at 14:01
  • Probably my question is really naive, but I wasn't able to figure it out by myself, so I'm going to ask to you experts. During the private keys issuing phase, the Master key is used in combination with the policy to generate them. Thus, at that time, the key issuer already knows which keys will access the plaintext and which won't. This reduces the problem to a single access-key distribution for authorized entities. If what I said is correct, I really can't understand the role of ABE. – MaVVamaldo Nov 03 '14 at 14:36
  • @MaVVamaldo What you say is not correct. Firstly you seem to refer to KP-ABE. Yes, at the time of issuing keys it is determined what the key holder can potentially decrypt (here the policy is enoded in the key). Note that encryption works with respect to master system parameters (an arbitrary subset of attributes). So you can encrypt something not knowing which persons can potentially decrypt, but you know everyone that is able to decrypt will have a policy encoded into his key that is satisfied with respect to ALL attributes used to produce the ciphertext. – DrLecter Nov 04 '14 at 07:34
  • @DrLecter, thank you for your response. I have a problem in seeing the separation of roles between public (U-k), private (R-k), and master (M-k) key holders. In asymmetric cryptography it's clear why a key is called "public". It is used by a lot of users. Here in ABE it's weirder: all these keys are associated with a policy, so who could be interested in using the U-k but the data owner? Now, since the most sensitive information is the M-k, the data owner should have it. And the M-k owner is also the one to issue the R-ks, which requires an authentication step. From here, my first question. – MaVVamaldo Nov 04 '14 at 10:43
  • @MaVVamaldo In the ABE setting there are no specific user public keys. There are only the master secret (known to the issuer), the master system parameters (known to all) and the users' secret keys. – DrLecter Nov 04 '14 at 10:54
  • @DrLecter, let me focus on the private key (P-k) issuing phase. Given a specific domain (say e-health), the M-k owner prepares one P-k for every possible role which should have access to the plaintext (all the cardiologists and nurses). At this stage there is NO LINK between a role and the individual. So, in this reference scenario, there SHOULD BE another entity which is in charge of distributing these attribute-based key to some individuals. This imply an authentication phase. Does this scenario represent the normal way to use ABE? – MaVVamaldo Nov 05 '14 at 10:22
  • @DR lecturer probably my question sounds too wierd but i request you to please explain the mathrmatical expression involved in cp-abe technique along with an example if possible.. –  Aug 06 '15 at 11:10
  • Is ABE currently practical, and what about FE? – Jus12 Nov 08 '16 at 19:04