History of ABE

ciphertexts, the message encrypted to the attributes/identities “over-18” and “student”, and encrypting those resulting ciphertexts again with the attribute “male” to create two final ciphertexts. Now, when both final ciphertexts are published, a male student can obtain the message by first decrypting one of the ciphertexts with his key for the attribute “male” and subsequently decrypt the obtained result with his key for the attribute “student”. However, Alice, a female student, could decrypt the ciphertext too, as long as she colludes with another male. In order to do so, she first asks Bob to decrypt the ciphertext— which he can with his “male” attribute key—and she decrypts the result from Bob with her own “student” attribute key.

ABE, in contrast to IBE,does provide protection against this collusion at- tack. We call a scheme collusion resistantwhen two users who cannot decrypt a message individually—with their own private key—cannot combine their keys in order to jointly decrypt the ciphertext.

Definition 17(Collusion resistance [SW05]). No group of users should be able to combine their keys in such a way that they can decrypt a ciphertext that none of them alone could.

In case no policies are needed, i.e., messages will only be encrypted to one single attribute, the advantage of ABE over IBE disappears. The use of IBE still has a slight advantage over public-key cryptography as the public key for each attribute does not have to be determined before one could encrypt to the attribute. If we do not consider this to be a problem, we could even consider to use symmetric encryption. Symmetric cryptography has the advantage of being much faster than asymmetric cryptography. However, using symmetric cryptography has an inherent drawback compared to the asymmetric variant: because the encryption key is identical to the decryption key, the encryptor automatically obtains the privilege to decrypt other data with the same attribute as well.

Since we do not want to make any concessions regarding usability of our encryption scheme, we will further examine ABE.

4.2

History of ABE

The concept of Attribute-Based Encryption (ABE) evolved out of the notion of IBE. Sahai and Waters [SW05] have created an encryption method which they called Fuzzy Identity-Based Encryption. The goal of the scheme is to allow a user to encrypt messages to an identityω and enable the recipient of the ciphertext to decrypt the ciphertext if his identity ω0 _{is close enough to}

the identityω. They envisioned two goals for their scheme. One was to allow encryption to a biometric feature, e.g., the feature vector of an iris scan. The second application is what they calledattribute-based encryption.

Their scheme is the first proposed ABE scheme. In the scheme, the ci- phertext and the private keys are associated with attributes (or features of a biometric). The ciphertext can only be decrypted when enough attributes of the private key match with the attributes associated with the ciphertext. This makes the definition of anaccess policypossible. The use of a policy allows more fine-grained access control over the encrypted data. For example, if Alice wants to encrypt a message to all females over 18, she associates the ciphertext with

the attribute set {“female”,“over-18”} and requires that the decryptor should possess both attributes—she sets the threshold value k = 2. Newer schemes allow more complex policies where propositional logic can be used, i.e., policies like “(femaleandover-18)or (maleanddriver’s license)” are possible.

Goyal et al. [GPS+_{06] propose a new scheme which allows the incorporation}

of policies into the private key. They describe two different types of ABE: Key- Policy ABE (KP-ABE)—for which they also provide a working scheme—and Ciphertext-Policy ABE (CP-ABE). In a KP-ABE scheme, the ciphertext is associated with a set of attributes and on the user’s private key a policy is de- fined. The policy determines which messages can be decrypted with the private key. In a CP-ABE scheme, the situation is reversed. The policy is defined over the ciphertext and the private key is associated with a set of attributes. The first CP-ABE scheme was created by Bethencourt, Sahai, and Waters [BSW07]. Both the work of Goyal et al. and Bethencourt, Sahai, and Waters allow the creation of policies by combining attributes with the use of and, or and—

the generalization—k-out-of-noperators. We will elaborate on the differences

between KP-ABE and CP-ABE in the next section.

4.3

ABE Use Cases

The main advantage of ABE is that the encryptor does not need to know the precise identity of the person to whom he encrypts the data. Moreover, ABE enables one to distribute data via a cloud network in order to assert high avail- ability, without having to worry about access control or a compromised or cor- rupt server. Attribute-Based Encryption has practical use cases in several fields, e.g., military or other hierarchical structures, and even in the field of personal health records. The policy over a set of attributes defines who is able to decrypt what data. Thus the choice between KP-ABE and CP-ABE boils down to the choice who must define the access policy.

For instance, in a military scenario, it might be desirable for the military leaders, i.e., the TTP, to determine who can access which files. A KP-ABE scheme suites this scenario best, allowing the military leaders to create an ac- cess policy for each user. Soldiers can then encrypt data by associating it with the document’s metadata, e.g., the creation time or location and the squadron or rank of the author. If the encrypted data are associated with the correct at- tributes, only the soldiers granted access by the military leaders will be able to decrypt the ciphertext. The encryptor does not need to know who is granted ac- cess to which files. Broadcast encryptionis also an example where KP-ABE can be used [GPS+_{06]. Premium channels can be broadcast encrypted and clients are}

given only the decryption keys for the content they paid for. The broadcasts are associated with attributes and clients are given a key in which a client specific policy resides. A policy in the form of “package:sport or (package:movieand

genre:action)” will allow a client to watch action movies and sport broadcasts. In contrast, a CP-ABE scheme is useful in a scenario where the encryptor is also the owner of his data. In this case,the user—and not the TTP—has to be able to determine who may decrypt the resulting ciphertext. In a centralized personal health record, a patient should be able to determine whom he gives access to his data. By using a CP-ABE scheme, the patient can encrypt his data in such a way that he is the one who determines which doctors have access

4.4. Intuition Behind General ABE Schemes 29

KP-ABE CP-ABE

Key describes a policy describes a set of attributes

Ciphertext associated with a set

of attributes associated with a policy TTP determines the policy determines the attributes

Encryptor determines the attributes determines the policy

Table 4.1: Differences between KP-ABE and CP-ABE. to which parts of his personal health record.

The differences between KP-ABE and CP-ABE are summarized in Table 4.1.

4.4

Intuition Behind General ABE Schemes