ICS Theory Group

CompSci 269S, Spring 2007: Theory Seminar

Apr 6, 2007, 1:00pm, in Bren Hall 1423

Attribute-Based Encryption: A Cryptosystem for Expressive Access Control on Encrypted Data

Brent Waters, SRI


Several distributed file and information systems require complex access-control mechanisms, where access decisions depend upon attributes of the protected data and access policies assigned to users. Traditionally, such access-control mechanisms have been enforced by a server that acts as a trusted reference monitor; the monitor will only allow a user to view data if his access policy allows it. While the use of trusted servers allows for a relatively straightforward solution, there is a large downside to this approach — both the servers and their storage must be trusted and remain uncompromised. A natural solution to this problem is to encrypt stored data. However, traditional public-key encryption methods require that data be encrypted to one particular user's public key and are unsuitable for expressing more complex access control policies.

In this talk, I will present recent work on a new cryptographic primitive, called Attribute-Based Encryption (ABE), that was created to address this issue. Attribute-Based Encryption allows for expressive access policies over encrypted data. In an ABE system, encrypted data is annotated with descriptive attributes, and users' private keys are ascribed access formulas over these attributes. For example, if Carol is assigned to read and process systems-seminar messages during the year 2007, she would be ascribed the private key with the access formula

"Subj:Systems-Seminar" AND "Year:2007".

I will focus this talk on the challenges of creating ABE systems that are both secure and efficient. In particular, an ABE system must be secure against an attacker that collects several private keys from different colluding users. We also want to avoid designs that are prohibitively expensive; for example, a solution should not include a separate public/private key pair for every possible access control policy that might ever be used. In addition, I will talk about recent efforts in implementing Attribute-Based Encryption and making it available as a tool to be used by researchers in systems security.
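The collusion requirement above can be seen in a toy model, added here as an illustration and not taken from the talk or from any ABE implementation: each key for an AND formula carries Shamir shares of a master secret, and pooling shares from two different keys only works if the authority reused one polynomial for every key. The names `keygen`, `combine` and `collusion_demo`, the field modulus and the second and third users' formulas are assumptions of this sketch; shares are plain integers, and the rule that a share is usable only when its attribute labels the ciphertext is enforced by the function rather than by cryptography.

```python
import secrets

P = 2**127 - 1  # prime field modulus chosen for this toy model

def keygen(master, policy, slope=None):
    """One Shamir share of `master` per attribute of an AND policy.
    slope=None draws a fresh polynomial for this key; passing a fixed
    slope models a flawed authority that reuses one polynomial."""
    a = secrets.randbelow(P) if slope is None else slope
    # q(x) = master + a*x; the i-th attribute of the policy gets (i, q(i))
    return {attr: (i, (master + a * i) % P)
            for i, attr in enumerate(policy, start=1)}

def combine(shares, ct_attrs, needed=2):
    """Interpolate q(0) from the shares whose attribute labels the ciphertext.
    (Real ABE enforces this binding cryptographically; here it is a rule.)"""
    pts = dict(pt for attr, pt in shares.items() if attr in ct_attrs)
    if len(pts) < needed:
        return None  # access formula not satisfied
    total = 0
    for xi, yi in pts.items():
        coeff = 1
        for xj in pts:
            if xj != xi:  # Lagrange coefficient evaluated at x = 0
                coeff = coeff * xj % P * pow((xj - xi) % P, -1, P) % P
        total = (total + yi * coeff) % P
    return total

def collusion_demo(fresh_per_key):
    y = secrets.randbelow(P)  # master secret protecting the ciphertext
    slope = None if fresh_per_key else secrets.randbelow(P)
    ct_attrs = {"Subj:Systems-Seminar", "Year:2007"}  # constructed ciphertext labels
    carol = keygen(y, ["Subj:Systems-Seminar", "Year:2007"], slope)
    user1 = keygen(y, ["Subj:Systems-Seminar", "Year:2006"], slope)
    user2 = keygen(y, ["Subj:Theory-Seminar", "Year:2007"], slope)
    pooled = {**user1, **user2}  # the two users merge their key material
    return {name: combine(key, ct_attrs) == y
            for name, key in [("carol", carol), ("user1", user1),
                              ("user2", user2), ("pooled", pooled)]}

if __name__ == "__main__":
    print("fresh polynomial per key:", collusion_demo(True))
    print("one shared polynomial:   ", collusion_demo(False))
```

With a fresh polynomial per key, only Carol's key recovers the secret; with one shared polynomial, the pooled shares of two users who each fail alone recover it as well.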