At Upgrade 2021, the NTT Research Summit, Dr. Kei Karasawa, NTT Research Vice President of Strategy, presented a demonstration of some of the practical personal and business use cases for attribute-based encryption, including one centered on the concept of a digital wallet.

Rather than carry a driver’s license, credit cards and the like in a physical wallet, a digital wallet would hold them on a smartphone. The wallet could also hold sensitive information such as a social security number, date of birth, and health records. But this presents a privacy risk, in that someone who is legitimately authorized to scan your phone, say to see your driver’s license, may be able to access other private information.

Attribute-based encryption solves for this problem by enabling users to grant different levels of access to a digital wallet to different people or systems.

How ABE secures a digital wallet

At an airport, you need to show your driver’s license when passing through security. With ABE, you can issue a decryption key that allows access only to those attributes of your data wallet that have to do with your driver’s license.

“You can store this key in the airport system,” Dr. Karasawa said. “After that, you can just go to the airport, send your encrypted data wallet to the system, and the system can only read these lines of data.”

A second example is reloading funds onto a transit pass via credit card. Now the transit system needs to access both your credit card and the transit pass at the same time. ABE can create a single key that grants access to both items. Once the key is stored in the transit system, you can simply hand over your digital wallet and the system will be able to access both your credit card and transit pass – but nothing else.

A third, somewhat more complicated example involves going to a sporting event at a large stadium. The venue requires proof of a Covid-19 vaccination along with a photo ID. Both are stored on your digital wallet, but you don’t want the security personnel to be able to see your address, date of birth and other sensitive data.

In this case, ABE can create a decryption key for the vaccination record and another for your ID. Once those are loaded in the venue’s security system, it can scan your digital wallet and access those two items.

In that example, speed is of the essence, given thousands of people are trying to gain entry at the same time. That’s not an issue because the access controls are embedded into the data in the digital wallet, so it works even when the system is offline. There’s no need to access another system, such as a cloud-based security server.

“The encryption supports these types of high performance systems,” Dr. Karasawa said.

He also demonstrated NTT Research’s cloud-based system that enables users to easily enter the items they want stored in their data wallets, and to generate encryption keys for various applications – such as the airport and stadium scenarios.

Business use cases for ABE

Attribute-based encryption is also applicable in business scenarios, such as a data lake. Companies store all sorts of data in data lakes and make it available to different stakeholders, including for business analytics. But much of the data is highly sensitive, such as salary data in HR records and customer information.

ABE makes it possible to make the data lake available to employees who need access to it, while protecting that sensitive information. “We can control access rights at the data layer,” Dr. Karasawa said.

The same scenario applies to smart city applications. Governments may collect all kinds of information to fuel smart city applications, including transportation and supply chain data, images of peoples’ faces and more. “Peoples’ names or faces, that kind of information should be protected at the data layer,” he said.

NTT could provide those data layer access control services. “Our future is supporting a data holder like a wallet, wallet holder, or company CISO or government CISO,” he said. Through an NTT-provided Policy Administration Point, users could set policy attributes for the items they want to protect.

“Once the data owner sets the policy, NTT provides a key generation server to deliver an encryption key and module decryption key and the controlled access right at the data layer,” Dr. Karasawa said.

Click below for the full transcript.