Presentation given at the SWIM Seminar (University of Tsukuba) about the paper "Realizing Fine-Grained and Flexible Access Control to Outsourced Data with Attribute-Based Cryptosystems"*. This presentation is based on the uploader's understanding of the paper and may contain inaccurate interpretations. A summary of the paper is available at: https://mshcruz.wordpress.com/2016/07/22/summary-fine-grained-access-control-using-abe-and-abs/ *Zhao et al.: "Realizing Fine-Grained and Flexible Access Control to Outsourced Data with Attribute-Based Cryptosystems". ISPEC 2011.

1. Realizing Fine-Grained and
Flexible Access Control to
Outsourced Data with
Attribute-Based Cryptosystems
Fangming Zhao, Takashi Nishide, and Kouichi Sakurai
International Conference on Information Security Practice and Experience
Ghuangzhou, China, May 2011
SWIM Seminar
March 9, 2016
Mateus Cruz

2. Introduction ABE/ABS Proposal Performance Analysis Conclusion
OUTLINE
1 Introduction
2 ABE/ABS
3 Proposal
4 Performance Analysis
5 Conclusion

3. Introduction ABE/ABS Proposal Performance Analysis Conclusion
OUTLINE
1 Introduction
2 ABE/ABS
3 Proposal
4 Performance Analysis
5 Conclusion

4. Introduction ABE/ABS Proposal Performance Analysis Conclusion
BACKGROUND
Outsourcing of data storage
Cloud storage
Privacy concerns
Untrusted server
Encrypt data before uploading
Access controlled by keys
1 / 21

5. Introduction ABE/ABS Proposal Performance Analysis Conclusion
CONTRIBUTIONS
Flexible and fine-grained access control
read-only and read-write differentiation
Data confidentiality
Lower cost of key distribution
Integrity verification
2 / 21

6. Introduction ABE/ABS Proposal Performance Analysis Conclusion
SECURITY ASSUMPTIONS
Semi-trusted storage servers
Tries to obtain information
Does not tamper with the data
Trusted attribute authority (TA)
Manage attributes and related keys
Users
Readers (read-only)
Writers (read-write)
Can collude to obtain more information
3 / 21

7. Introduction ABE/ABS Proposal Performance Analysis Conclusion
SYSTEM OVERVIEW
4 / 21

8. Introduction ABE/ABS Proposal Performance Analysis Conclusion
OUTLINE
1 Introduction
2 ABE/ABS
3 Proposal
4 Performance Analysis
5 Conclusion

9. Introduction ABE/ABS Proposal Performance Analysis Conclusion
ATTRIBUTE-BASED ENCRYPTION
Private key associated with attributes
Access tree Tdecrypt
Defines access policies over attributes
Encrypt using access structure
Decrypt if structure is satisfied
Example
“Directors or managers or
a specifically appointed
person (trustee) can
access the data”
5 / 21

10. Introduction ABE/ABS Proposal Performance Analysis Conclusion
ATTRIBUTE-BASED SIGNATURE
Users can sign resources
Signatures are based on users’ attributes
Users verify signatures
Example
“Only director-manager
users or a specifically
appointed person (trustee)
can access the data”
6 / 21

11. Introduction ABE/ABS Proposal Performance Analysis Conclusion
OUTLINE
1 Introduction
2 ABE/ABS
3 Proposal
4 Performance Analysis
5 Conclusion

12. Introduction ABE/ABS Proposal Performance Analysis Conclusion
DATA ACCESS PROCEDURES
Create file
Encrypt phase
Sign phase
Upload phase
Read file
Verify phase
Decrypt phase
Update file
7 / 21

13. Introduction ABE/ABS Proposal Performance Analysis Conclusion
CREATE FILE
Encrypt phase
Sign phase
Upload phase
8 / 21

14. Introduction ABE/ABS Proposal Performance Analysis Conclusion
ENCRYPT PHASE
The owner encrypts a file for sharing
Based on ABE
Decryption policy based on the tree Tdecrypt
CT = Enc(PKE, M, Tdecrypt)
Notation Description
CT: ciphertext
Enc: encryption algorithm
PKE: public key for encryption
M: message
Tdecrypt: access tree
9 / 21

15. Introduction ABE/ABS Proposal Performance Analysis Conclusion
SIGN PHASE
The owner signs the ciphertext using ABS
Used to differentiate readers and writers
SG = Sign(PKS, SKS, h(CT)||t, Tsign)
Notation Description
SG: signature
Sign: sign algorithm
PKS: public key for signing
h: hash function
CT: ciphertext
t: timestamp
Tsign: access tree
10 / 21

16. Introduction ABE/ABS Proposal Performance Analysis Conclusion
UPLOAD PHASE
The owner uploads CT, SG, t
The server checks signature
Accept or reject upload
R0 = Verify(PKS, h(CT)||t, Tsign, SG)
Notation Description
R0: boolean verification value
Verify: verification algorithm
PKS: public key for signing
h: hash function
CT: ciphertext
t: timestamp
Tsign: access tree
SG: signature
11 / 21

17. Introduction ABE/ABS Proposal Performance Analysis Conclusion
READ FILE
Verify phase
Decrypt phase
12 / 21

18. Introduction ABE/ABS Proposal Performance Analysis Conclusion
VERIFY PHASE
A user obtains CT, SG, t, Tsign
Obtain public key PKS from trusted authority
Verifies if the signature is valid
R1 = Verify(PKS, h(CT)||t, Tsign, SG)
Notation Description
R1: boolean verification value
Verify: verification algorithm
PKS: public key for signing
h: hash function
CT: ciphertext
t: timestamp
Tsign: access tree
SG: signature
13 / 21

19. Introduction ABE/ABS Proposal Performance Analysis Conclusion
DECRYPT PHASE
Decrypts ciphertext using SKU
M = Decrypt(CT, SKU)
Notation Description
M: message
Decrypt: decryption algorithm
CT: ciphertext
SKU: key corresponding to attributes U
14 / 21

20. Introduction ABE/ABS Proposal Performance Analysis Conclusion
UPDATE FILE
A user...
Updates M to M1
Encrypts message:
CT1 = Enc(PKE , M1, Tdecrypt1
)
Signs ciphertext:
SG1 = Sign(PKS, SKS, h(CT1)||t1, Tsign)
Uploads CT1, SG1, t1, Tsign
The server...
Verifies the new signature
– Check writer’s attributes
Accepts or rejects the update
15 / 21

21. Introduction ABE/ABS Proposal Performance Analysis Conclusion
WRITER-READER DIFFERENTIATION
Users differentiated by ABS
Writers can produce a valid signature
Differentiation done at attribute level
Scales better than at user level
16 / 21

22. Introduction ABE/ABS Proposal Performance Analysis Conclusion
INTEGRITY
ABS offers integrity
Hash ciphertext before signing
The integrity can be verified by...
Server
Valid users
17 / 21

23. Introduction ABE/ABS Proposal Performance Analysis Conclusion
OUTLINE
1 Introduction
2 ABE/ABS
3 Proposal
4 Performance Analysis
5 Conclusion

24. Introduction ABE/ABS Proposal Performance Analysis Conclusion
COMPUTATIONAL OVERHEAD
Create and Update
One encryption operation
One sign operation
Cost grows with access structure matrix
Read
One decryption operation
One verify operation
Cost grows with attributes satisfied
Cost mainly generated by pairing computations
18 / 21

25. Introduction ABE/ABS Proposal Performance Analysis Conclusion
OUTLINE
1 Introduction
2 ABE/ABS
3 Proposal
4 Performance Analysis
5 Conclusion

26. Introduction ABE/ABS Proposal Performance Analysis Conclusion
SUMMARY
Secure data sharing scheme
Fine-grained access
Many-read-many-write
Integrity verification
19 / 21

27. Introduction ABE/ABS Proposal Performance Analysis Conclusion
FUTURE WORK
Use search on encrypted data
Many-read-many-write-many-search
Implementation to verify usability
20 / 21

28. Detailed Analysis
EXTRA SLIDES

29. Detailed Analysis
COMPLEXITY ANALYSIS
Create file
O(E1 × log p) + O(l × E0 × log p)
Read file
O(l ×L)+O(|U|×E1 ×log p)+O(l ×E0 ×log p)
Update file
O(E1 × log p) + O(l × E0 × log p)
Notation Description
E0 Cost of exponentiation operations in G0
E1 Cost of exponentiation operations in G1
L Cost of bilinear pairing
p Prime order of G0 and G1
U The attribute set in the access tree
l, t The matrix l × t of the monotone span program which is con-
verted from its corresponding access structure