Attribute Based Encryption
1. Public Key Infrastructure (PKI):
Encryption & Decryption:
1. Bob requests Alice's public key from the PKI (the CA / KDC).
2. The PKI signs Alice's public key (issues a certificate) and sends it to Bob.
3. Bob uses Alice's public key to encrypt a message for Alice.
4. Alice uses her private key to decrypt messages encrypted by Bob.
Disadvantage:
1. To communicate with Alice, Bob first has to communicate with the PKI to obtain and verify Alice's
public key.
2. Identity Based Encryption (IBE):
In IBE, one's publicly known identity (ex. an email address) is used as his/her public key, and the
corresponding private key is derived from that identity by a trusted Private Key Generator (PKG).
An IBE scheme consists of four algorithms/steps: i. Setup Algorithm ii. Key (private key) Generation
Algorithm iii. Encryption Algorithm iv. Decryption Algorithm.
Setup and Key Generation:
1. Setup Algorithm: the PKG generates a master key (kept secret by the PKG) and the public parameters.
2. Alice shows and proves her identity (Ex: alice@example.org) to the PKG.
3. Given the identity, the Key Generation Algorithm uses the master key to generate Alice's private key.
Encryption & Decryption:
1. Bob knows Alice's identity and uses it (together with the public parameters) to encrypt a message
for Alice.
2. Alice uses her private key to decrypt the message.
Advantage:
1. Bob does not need to contact a KDC / CA for Alice's public key. He knows Alice's identity, which he
uses to encrypt messages for Alice.
Disadvantage:
1. The PKG holds the master key and can derive every user's private key (key escrow), so it must be
trusted not to read messages, and it must authenticate identities carefully in step 2 of key generation.
3. Fuzzy Identity Based Encryption (Fuzzy-IBE):
A fuzzy identity of a person is a set of descriptive attributes together with a predefined error
tolerance d. In Fuzzy-IBE, this attribute set is used as one's publicly known identity / public key.
Setup & Key Generation:
1. Given an error tolerance factor d (the minimum number of attributes that must overlap), the Setup
Algorithm generates the master key (kept secret by the PKG).
2. Alice's fuzzy identity w = {Attr1, ..., AttrN} is decided.
3. Given identity w, the Key Generation Algorithm generates Alice's private key.
Advantage:
With her private key, Alice can decrypt messages encrypted with her own identity (w). She can
also decrypt messages encrypted with another's identity (w') if |w ∩ w'| >= d, i.e. if the two
identities share at least d attributes.
Encryption & Decryption in a Fuzzy-IBE System:
1. Charlie (identity w'') encrypts message M with Bob's identity w'.
2. Bob (identity w') can decrypt M with his private key.
3. Alice (identity w) can also decrypt M with her private key if |w ∩ w'| >= d.
Example (d is shown per person, as the threshold that person's private key requires):
Person  | Fuzzy Identity                                         | d | Comment
Alice   | w   = {"exam-committee", "chair", "system"}            | 2 | Alice can decrypt everything that Bob and Charlie can decrypt, because |w ∩ w'| = 2 >= 2 and |w ∩ w''| = 2 >= 2.
Bob     | w'  = {"exam-committee", "faculty", "system", "usa"}   | 3 | Bob can only decrypt messages encrypted with Charlie's identity, as |w' ∩ w''| = 3 >= 3 while |w' ∩ w| = 2 < 3.
Charlie | w'' = {"exam-committee", "student", "system", "usa"}   | 4 | Charlie cannot decrypt any message encrypted with another's identity: |w'' ∩ w'| = 3 < 4 and |w'' ∩ w| = 2 < 4.
4. Attribute-based Encryption (or Key-policy ABE):
Access Tree / Key-policy (Ƭ):
An access policy associated with the private key, represented as a tree whose interior nodes are gates
(AND, OR, k out of N) and whose leaf nodes are attributes coming from the fuzzy identity. Example:
OR
|-- AND(Computer Science, Admission-committee)
|-- Dean
|-- 2 out of 3 (Computer Science, Admission-committee, faculty)
Account Setup & Key-generation:
1. The Setup Algorithm generates the master key (kept secret by the PKG).
2. Alice's identity, the attribute set w = {Attr1, ..., AttrN}, is decided.
3. Alice's key policy Ƭ is decided based on her identity.
4. Given the key policy, the Key Generation Algorithm generates Alice's private key.
Encryption & Decryption:
1. Charlie encrypts message M with a set of attributes γ (not with anyone's identity).
2. Bob can decrypt M if his key policy is satisfied by γ, i.e. Ƭ(γ) = 1 for Bob's Ƭ.
3. Alice can decrypt M if her key policy is satisfied by γ, i.e. Ƭ(γ) = 1 for Alice's Ƭ.
5. Example:
Assuming Alice has the following key policy:
OR
|-- AND(Computer Science, Admission-committee)
|-- Dean
|-- 2 out of 3 (Computer Science, Admission-committee, faculty)
Alice can decrypt a file encrypted with the attribute set {"Computer Science", "Admission-committee"},
because the AND branch is satisfied. But she cannot decrypt another ciphertext associated with the
attributes {"Computer Science", "program-committee"}: the AND branch lacks "Admission-committee", the
attribute "Dean" is absent, and only one of the three attributes of the threshold branch is present.
Variations of ABE:
Ciphertext-Policy ABE vs. Key-policy ABE:
While in the original ABE (key-policy ABE) the access policy is associated with the private key, in
Ciphertext-policy ABE the access policy is associated with the ciphertext, and the private key carries
the attributes instead.
Selected component | Key-policy ABE     | Ciphertext-policy ABE
Ciphertext         | Attribute set (γ)  | Access policy (Ƭ)
Private key        | Access policy (Ƭ)  | Attribute set (w)
6. ABE with Monotonic Access Structure vs. ABE with Non-monotonic Access Structure:
A monotonic access structure uses only 'AND gate', 'OR gate', and 'k out of N' threshold gates; adding
attributes to a set that already satisfies the policy can never make it fail.
A non-monotonic access structure uses the monotonic gates plus an additional 'NOT gate', so the
absence of an attribute can be required.
Example (monotonic access structure):
OR
|-- AND(Computer Science, Admission-committee)
|-- Dean
|-- 2 out of 3 (Computer Science, Admission-committee, faculty)
Example (non-monotonic access structure):
OR
|-- AND(Computer Science, Admission-committee)
|-- Dean
|-- 2 out of 3 (Computer Science, program-committee, NOT Student)
Hierarchical ABE (HABE):
In HABE, the attributes are organized into trees according to their relationships defined in the access
control system. Every node in such a tree is associated with an attribute, and an ancestral node can derive
its descendant's key, but the reverse is not allowed. Example tree:
Attribute1
|-- Attribute2
|   |-- Attribute4
|   |-- Attribute5
|-- Attribute3
Attribute1 can be used instead of any or all of the attributes of this tree. Attribute2 can be used
instead of Attribute4 or Attribute5 or both of them, but not vice versa.
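An evaluator for Ƭ(γ) over a non-monotonic policy with HABE-style hierarchical attributes, as an added example that is not from the notes. It makes the two points above concrete: with a NOT gate, adding an attribute to γ can turn a satisfying set into a failing one (the non-monotonic example is satisfied by {"Computer Science"} but not by {"Computer Science", "Student"}), and holding an ancestor attribute satisfies a leaf that names a descendant but never the other way round. The HIERARCHY dictionary, the tuple encoding of policies and the attribute sets are assumptions for the example; this is policy logic only, while a real scheme enforces the same condition inside the cryptography.

```python
"""Evaluates T(gamma) for a non-monotonic access policy over hierarchical
attributes (added example; not code from the original notes). Policy logic
only: a real ABE scheme enforces the same condition cryptographically."""

# Assumed attribute hierarchy in the shape of the notes' HABE figure
# (parent -> children). An ancestor can stand in for any descendant.
HIERARCHY = {
    "Attribute1": ["Attribute2", "Attribute3"],
    "Attribute2": ["Attribute4", "Attribute5"],
}


def expand(held, hierarchy=HIERARCHY):
    """Close a held attribute set downward: holding Attribute2 implies
    Attribute4 and Attribute5, but holding Attribute4 implies nothing more."""
    closed, stack = set(), list(held)
    while stack:
        attr = stack.pop()
        if attr not in closed:
            closed.add(attr)
            stack.extend(hierarchy.get(attr, ()))
    return closed


def satisfied(policy, gamma):
    """Policy encoding (an assumption for this example), as nested tuples:
    ('attr', name)   leaf, true iff name is in gamma
    ('not', name)    NOT gate, true iff name is absent from gamma (non-monotonic)
    ('and', p, ...)  ('or', p, ...)  ('kofn', k, p, ...)  threshold gates."""
    op = policy[0]
    if op == "attr":
        return policy[1] in gamma
    if op == "not":
        return policy[1] not in gamma
    if op == "and":
        return all(satisfied(p, gamma) for p in policy[1:])
    if op == "or":
        return any(satisfied(p, gamma) for p in policy[1:])
    if op == "kofn":
        return sum(satisfied(p, gamma) for p in policy[2:]) >= policy[1]
    raise ValueError(f"unknown gate {op!r}")


def evaluate(policy, held, hierarchy=HIERARCHY):
    """T(gamma) = 1?  gamma is the held attribute set closed under the hierarchy."""
    return satisfied(policy, expand(held, hierarchy))


def is_monotonic(policy):
    """A policy is monotonic iff it contains no NOT gate anywhere in the tree."""
    if policy[0] == "not":
        return False
    if policy[0] == "attr":
        return True
    start = 2 if policy[0] == "kofn" else 1
    return all(is_monotonic(p) for p in policy[start:])


# The notes' non-monotonic example:
# OR( AND(CS, Admission-committee), Dean, 2-of-3(CS, program-committee, NOT Student) )
NON_MONOTONIC = (
    "or",
    ("and", ("attr", "Computer Science"), ("attr", "Admission-committee")),
    ("attr", "Dean"),
    ("kofn", 2, ("attr", "Computer Science"), ("attr", "program-committee"), ("not", "Student")),
)

if __name__ == "__main__":
    print(evaluate(NON_MONOTONIC, {"Computer Science"}))             # True
    print(evaluate(NON_MONOTONIC, {"Computer Science", "Student"}))  # False: one more attribute breaks it
    print(evaluate(("attr", "Attribute4"), {"Attribute2"}))          # True: ancestor stands in
    print(evaluate(("attr", "Attribute2"), {"Attribute4"}))          # False: not vice versa
```

Note the interaction between the two features in `evaluate`: because `expand` closes the held set downward before the NOT gate is checked, a user holding Attribute2 fails a `('not', 'Attribute4')` leaf even though Attribute4 was never issued to them explicitly, which is the behaviour the hierarchy implies.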
Single Authority ABE vs. Multi-authority ABE: