A Practical Guide to Attribute-based Encryption and Functional Encryption
Cryptography and information security: Providing new encryption use cases for data privacy and protection in the IoT age
Why We Need Attribute-based and Functional Encryption
From its inception decades ago, public-key encryption has been an all-or-nothing proposition. For any given encrypted dataset, or ciphertext, if you had the correct key to open it, you had access to the entire dataset. If you didn’t have the appropriate key, you could access none of it.
In 2005, cryptographic researchers Brent Waters and Amit Sahai changed that dynamic with a paper that introduced the concepts of attribute-based encryption and functional encryption. The paper, titled “Fuzzy Identity-based Encryption,” introduced the idea that multiple keys could exist for a given ciphertext to enable different users to access different parts of the underlying dataset. (Waters is now a Distinguished Scientist with NTT Research and Sahai is a computer science professor at UCLA and NTT Research partner.)
This simple idea opens up new use cases and applications for cryptography in information security and data protection. Indeed, the International Association for Cryptologic Research (IACR), which hosted the conference at which the 2005 Waters and Sahai paper was presented, last year honored the paper with its Test of Time award. That award is fitting because we are now on the cusp of seeing their work come to fruition – and at an opportune time.
Internet of Things and the data flood
With the world producing data at astounding rates, thanks in part to Internet of Things applications collecting a constant stream of data from various sensors and devices, we need ways to put that data to the best use – while protecting against data breaches and ensuring data privacy, data protection and access control.
Attribute-based and functional encryption enable advanced cryptographic capabilities that provide various levels of data security and data privacy to a large pool of data, such as an IoT data lake. They also allow a more fine-grained level of access control to data as compared to other forms of encryption, including Fully Homomorphic Encryption.
Attribute-based Encryption Definition
Attribute-based encryption provides the ability to determine if data should be decrypted based on various attributes and policies.
The three main types of attribute-based encryption policy are content-based access control, role-based access control, and multi-authority access policies.
Content-based access control
With content-based access control, users can create policies that define who gets to see which types of content. Say a food delivery company wants a record of each delivery to a customer, detailing attributes including delivery date, time, driver, drop-off location, and restaurant. If the company needs to resolve a dispute about a delivery, content-based access control could ensure a manager sees only the deliveries in the address range for which he has responsibility.
Role-based access control
Role-based access control flips that dynamic around by describing the rights and privileges of each user in possession of an encryption key. When a given piece of content is encrypted, policies define which roles can decrypt which portions of the content. An NTT Researcher in the CIS Lab may decide any other NTT Research CIS lab employee may see their entire work. But for employees outside the CIS Lab, only those at an executive level or above can view the entire contents while others may see only the executive summary of research papers.
Multi-authority access policies
As its name implies, multi-authority access policies come into play when more than one organization is involved in issuing access credentials. In this case, secret keys that identify the receiver are issued by the different organizations independently of each other. Unlocking encrypted content requires the user to have both of the proper keys and to meet some pre-defined dynamic attribute, such as location.
Applications and use cases for attribute-based encryption
Attribute-based encryption gives rise to numerous use cases where companies want to apply fine-grained access control to data based on an employee role and/or the specific components of the data.
Internet of Things applications
IoT applications tend to result in the collection of massive amounts of data that is useful for predictive analytics, monitoring, security and more. In many cases, IoT data is collected in a data lake. Attribute-based encryption provides the ability to segregate the data such that any given user can access only what they need and are authorized to see.
Consider a building management system (BMS) where IoT sensors collect data on four buildings, covering heating, cooling, electricity and water. The BMS also collects data on four elevators, from two different elevator manufacturers. The building management company would have access to all data, while an elevator maintenance company would have access only to data on the four elevators. Should the maintenance company need tech support, each elevator manufacturer would have access to data only for its two elevators, not its competitor’s.
A smart city application could likewise allow access to data on a role-based basis. Perhaps engineers in the field can access data on all deployed infrastructure, including street and signal lights and utility infrastructure. But finance personnel see only data pertaining to electricity and water use that they need to track costs and predict usage.
Electronic medical records
Attribute-based encryption would be useful for electronic medical records applications where different players – doctors, nurses, admission, finance – are responsible for different areas, and thus are granted access only to specific slices of data.
A delivery service company could collect data including pickup time and location, delivery time and location, date, originating restaurant or retailer and the like. Such data would be useful in helping the company optimize delivery processes and resolve any disputes. Along the way, it could use attribute-based encryption to provide access to data on a role- and content-based basis. Those charged with optimizing delivery routes may be able to see all data while a representative trying to resolve a dispute would see data pertaining only to the geographic area and timeframe in question.
Multi-party access policies
A use case for multi-authority access control may be when a user must have credentials from two (or more) organizations in order to be granted access to content. Perhaps a government defense contractor wants to grant access to sensitive material only to a research and development director who is a U.S. citizen. The contractor would issue credentials with a pre-defined policy stating the user’s title while the U.S. government would issue the citizenship credentials. The multi-access policy would require the user have both credentials in order to access the sensitive data.
Performance of attribute-based encryption
Early tests indicate attribute-based encryption schemes can be implemented on a range of computer hardware configurations. Even a $30 Raspberry Pi 3 processor can handle encryptions with policies that are limited in scope. More complex encryptions with policies containing many branches perform well on processors ranging from an Intel i5 with 4 cores to an Intel i9 with 16 cores.
Functional Encryption Definition
Functional encryption is a generalization of attribute-based and identity-based encryption. It allows a user who has the proper key to compute a specific function on encrypted data and obtain an unencrypted result while other data remains protected.
With functional encryption you can learn a specific function of the data, but no more. Such a capability gives rise to a number of potential applications.
Applications and use cases for functional encryption
Functional encryption can be used for applications where it’s useful to reveal just a subset of an encrypted dataset, such as the following examples.
Secure e-mail filtering
- Functional encryption can determine if an encrypted email message is spam, but without revealing the contents of the message.
- Similarly, it could be used to determine whether an encrypted email is from the CEO or your spouse, and thus flagged as “important,” but again without revealing the contents to a third party.
- Taken to the next level, functional encryption could be used to detect urgent emails – such as from a hospital with a family member’s name included – in which case the recipient is immediately alerted via text.
In law enforcement, functional encryption could be used to examine a series of surveillance photos to determine whether a particular person is included in an image – without unveiling other contents of the images.
The rise in use of cloud computing providers to store data presents another useful application for functional encryption. Companies could store their data in an encrypted format, but – without decrypting the data – enable the cloud provider to publish a dashboard based on predefined criteria, such as daily or weekly key performance indicators.
Functional encryption VPN
Research work is just beginning on the concept of functional encryption VPNs, a solution for the ever-increasing amount of encrypted Internet traffic.
The Google Transparency Report shows the percentage of encrypted web traffic has increased from less than 50% in early 2015 to about 90% or better today for all major platforms except Linux, which sits at 77%.
To detect any threats in encrypted traffic, companies often use Transport Layer Security (TLS) inspection. TLS inspection decrypts TLS traffic, enabling security tools to look for malware and other threats, then re-encrypts the session. This, of course, presents new risks because the traffic is in the clear, unencrypted, for a period of time. A functional encryption VPN would allow deep packet inspection without fully decrypting the data, enabling users to detect malware or other threats and take appropriate remediation action but without exposing their data.
Functional encryption and quantum computing
With an eye to the future, NTT Research Scientist Pratish Datta is working on designing functional encryption schemes that are not only secure in today’s computing environments but that can withstand quantum computing.
Functional Encryption vs. Fully Homomorphic Encryption
The concept of fully homomorphic encryption (FHE) is generating significant interest and is sometimes confused with functional encryption. FHE is not, however, a form of functional encryption and should not be considered a competing technology to it.
FHE enables calculations to be performed on encrypted data without exposing the underlying data in the clear. In a medical scenario, for example, privacy laws may prevent healthcare providers from sharing sensitive data with medical researchers. If a provider homomorphically encrypts the data, however, the researcher could run analytics functions on it while it is still encrypted. When the analytics functions are complete, the researcher downloads the encrypted output and only then can decrypt to reveal the result in plain text. The underlying data is never decrypted.
While FHE is useful for such delegated computing examples, it’s not suitable for applications such as directing an email server to identify spam messages. Using FHE, the server would be able to perform any encrypted function it wants on an encrypted email, but the result is delivered in an encrypted format, not in the clear as with functional encryption. Only the user with the appropriate key would be able to decrypt the result and there would be no way of knowing whether it’s accurate. What’s more, there’s no way to tell the server to perform a specific function, such as identifying spam emails.
What about Attribute-based Access Control?
Attribute-based Access Control (ABAC) is a specification published in 2014 by the U.S. National Institute of Standards and Technology (NIST) that aims at providing more than an all-or-nothing approach to encryption. It is not a standard, but rather provides a definition of ABAC and guidelines for how to implement it to secure data. It’s up to implementers to decide on the exact technologies to employ.
In practice, most ABAC implementations are at the software and system level, not the data level. NTT Research believes attribute-based encryption is an effective way to achieve ABAC while protecting the data level and providing a more granular level of control. Security schemes that only address the applications and systems layer, as well as physical and virtual perimeter, are subject to data leaks. Only by protecting the data layer can companies be assured no data will be leaked even if they should suffer a breach.
In 2018, the EU’s ETSI Technical Committee on Cybersecurity issued two specifications for using attribute-based encryption to protect personal data:
- ETSI TS 103 458 provides a specification for applying attribute-based encryption to personally identifiable information (PII) and personal data protection on IoT devices, WLAN, cloud and mobile services.
- ETSI TS 103 532 specifies the trust models, functions and protocols required for using attribute-based encryption as a foundation of an attribute-based access control scheme.
Timeline for Functional and Attribute-based Encryption Implementation
As the ETSI specifications suggest, functional encryption and attribute-based encryption are now mature technologies. We can expect use cases similar to those described above to come to market soon.
NTT Research has software libraries ready for use by engineers who are building next-generation security solutions.
Milestones in the History of attribute-based and functional encryption
2005: Brent Waters and Amit Sahai first propose the concepts of attribute-based encryption and functional encryption in their paper, “Fuzzy Identity-based Encryption.”
2006: Vipul Goyal, Omkant Pandey, Amit Sahai, Brent Waters publish “Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data.” (CCS 2006: 89-98)
This paper presents the first ABE scheme for a large class of policies, and received the “Test of Time Award” at CCS 2016, one of the top conferences for security research. Goyal is now a Senior Scientist at NTT Research.
2007: Dan Boneh and Brent Waters publish “Conjunctive, Subset, and Range Queries on Encrypted Data,” which lays out the first definitional foundations for functional encryption.
2007: Brent Waters, John Bethencourt and Amit Sahai publish “Ciphertext-Policy Attribute-Based Encryption,” which describes techniques for keeping encrypted data confidential even if the server on which it is stored is untrusted. The methods described also protect against collusion attacks.
2010: Brent Waters is awarded the Sloan Research Fellowship.
2012: President Barack Obama presents Brent Waters with a Presidential Early Career Award for Scientists and Engineers (PECASE), the highest honor bestowed by the United States government for science and engineering professionals in the early stages of their independent research careers.
2013: Sergey Gorbunov, Vinod Vaikuntanathan and Hoeteck Wee publish “Attribute-based encryption for circuits.” (STOC 2013: 545-554). This joint work with collaborators from the University of Toronto, MIT and George Washington University presents the first ABE scheme for essentially all access policies. The scheme additionally achieves post-quantum security. Wee is now a Senior Scientist with NTT Research.
2015: Brent Waters is awarded the Grace Murray Hopper Award for the introduction and development of the concepts of attribute-based encryption and functional encryption.
2019: The Simons Foundation names Brent Waters as a Simons Investigator, providing funding to support his cryptography work.
2020: NTT Research makes attribute-based encryption software libraries available in the marketplace for solution providers to create commercial products.
In May 2020, NTT Distinguished Scientist Brent Waters reflected on the 15 years since he and Amit Sahai published their 2005 ABE paper “Fuzzy Attribute-Based Encryption.”
Contributions of Attribute-Based Encryption
By Brent Waters
A paper that Dr. Amit Sahai and I wrote fifteen years ago recently received some attention. Every year, the International Association for Cryptologic Research (IACR) looks back 15 years and selects three papers presented at its events that have proved to have had an enduring impact. This year the IACR honored our paper “Fuzzy Attribute-Based Encryption” from Eurocrypt 2005, a conference organized by the IACR, with one of its “Test of Time” awards.
What we introduced in that paper was the concept of Attribute-Based Encryption (ABE). This award has been an occasion for me to think back over how this concept has impacted the field of cryptography. I was asked in this article to reflect on what were the research contributions of ABE and why the community cares about it 15 years later. Below I put forward three distinctive ways in which I believe the work has had impact.
First, there is ABE as its own application. Traditionally, encryption was through a limited lens, where my ciphertext is targeted toward one particular individual’s public keys. Using ABE, one can share data according to access control policies. For example, a ride sharing service might encrypt sensitive information and tag it with the attributes of the GPS location of the ride, time and driver’s name. And an employee working for the company could have a policy that allows them to read all data that exist within a certain GPS bounding box of the region and were created after the employee assumed their position. There has been growing interest in industry in deploying ABE. For instance, two years ago ETSI announced standards for ABE with an eye toward deployment in 5G settings. Companies, including NTT, are actively exploring producing ABE solutions.
The second type of contribution involves ABE as a component of building other cryptographic systems. This has had a significant impact in the cryptographic research community where several works have leveraged ABE to get new results. Examples include results on such problems as reusable garbled circuits, traitor tracing and non-interactive zero knowledge proofs, among others. The impact on the research community has been large, with the original paper reaching several thousand citations.
Finally, the spirit and concepts of ABE have inspired us to rethink encryption in even bigger and grander ways. Here is where the idea of functional encryption comes in. Even in ABE, the end goal is to allow or disallow a user to have access to a message. In functional encryption one can allow them to only learn a function of a message. For example, I can allow my mail-server to test whether an encrypted email of mine is spam or not – but learn nothing more. The concept of functional encryption was a product that came out of the rethinking of encryption that started with ABE some 15 years ago.