Why we need attribute-based and functional encryption

Attribute-based Encryption

Attribute-based encryption provides the ability to determine if data should be decrypted based on various attributes and policies.
The three main types of attribute-based encryption are content-based, role-based, and multi-authority access policies.

Functional encryption definition

Functional encryption is a generalization of attribute-based and identity-based encryption. It allows a user who has the proper key to compute a specific function on encrypted data and obtain an unencrypted result while other data remains protected.
With functional encryption you can learn a specific function of the data, but no more. Such a capability gives rise to a number of potential applications.
From its inception decades ago, public-key encryption has been an all-or-nothing proposition. For any given encrypted dataset, or ciphertext, if you had the correct key to open it, you had access to the entire dataset. If you didn’t have the appropriate key, you could access none of it.
In 2005, cryptographic researchers Brent Waters and Amit Sahai changed that dynamic with a paper that introduced the concepts of attribute-based encryption and functional encryption. The paper, titled “Fuzzy Identity-based Encryption,” introduced the idea that multiple keys could exist for a given ciphertext to enable different users to access different parts of the underlying dataset. (Waters is now a Distinguished Scientist with NTT Research and Sahai is a computer science professor at UCLA and NTT Research partner.)
This simple idea opens up new use cases and applications for cryptography in information security and data protection. Indeed, the International Association for Cryptologic Research (IACR), which hosted the conference at which the 2005 Waters and Sahai paper was presented, last year honored the paper with its Test of Time award. That award is fitting because we are now on the cusp of seeing their work come to fruition and at an opportune time.

Internet of Things and the data flood

With the world producing data at astounding rates, thanks in part to Internet of Things applications collecting a constant stream of data from various sensors and devices, we need ways to put that data to the best use – while protecting against data breaches and ensuring data privacy, data protection and access control.
Attribute-based and functional encryption enable advanced cryptographic capabilities that provide various levels of data security and data privacy to a large pool of data, such as an IoT data lake. They also allow a more fine-grained level of access control to data as compared to other forms of encryption, including Fully Homomorphic Encryption.

Content-based access control

With content-based access control, users can create policies that define who gets to see which types of content. Say a food delivery company wants a record of each delivery to a customer, detailing attributes including delivery date, time, driver, drop-off location, and restaurant. If the company needs to resolve a dispute about a delivery, content-based access control could ensure a manager sees only the deliveries in the address range for which he has responsibility.

Role-based access control

Role-based access control flips that dynamic around by describing the rights and privileges of each user in possession of an encryption key. When a given piece of content is encrypted, policies define which roles can decrypt which portions of the content. An NTT Researcher in the CIS Lab may decide any other NTT Research CIS lab employee may see their entire work. But for employees outside the CIS Lab, only those at an executive level or above can view the entire contents while others may see only the executive summary of research papers.

Multi-authority access policies

As the name implies, multi-authority access policies come into play when more than one organization is involved in issuing access credentials. In this case, secret keys that identify the receiver are issued by the different organizations independently of each other. Unlocking encrypted content requires the user to have both of the proper keys and to meet some pre-defined dynamic attribute, such as location.

Applications and use cases for attribute-based encryption

Attribute-based encryption gives rise to numerous use cases where companies want to apply fine-grained access control to data based on an employee role and/or the specific components of the data.

Internet of Things applications

IoT applications tend to result in the collection of massive amounts of data that is useful for predictive analytics, monitoring, security and more. In many cases, IoT data is collected in a data lake. Attribute-based encryption provides the ability to segregate the data such that any given user can access only what they need and are authorized to see.

Consider a building management system (BMS) where IoT sensors collect data on four buildings, covering heating, cooling, electricity and water. The BMS also collects data on four elevators, from two different elevator manufacturers. The building management company would have access to all data, while an elevator maintenance company would have access only to data on the four elevators. Should the maintenance company need tech support, each elevator manufacturer would have access to data only for its two elevators, not its competitor’s.
NTT could provide those data layer access control services. “Our future is supporting a data holder like a wallet, wallet holder, or company CISO or government CISO,” Dr. Kei Karasawa said. Through an NTT-provided Policy Administration Point, users could set policy attributes for the items they want to protect.
“Once the data owner sets the policy, NTT provides a key generation server to deliver an encryption key and module decryption key and the controlled access right at the data layer,” Dr. Karasawa said.
Karasawa gave his ABE presentation at the NTT Research Upgrade 2021 Summit on September 20, 2021.

A smart city application could likewise allow access to data on a role-based basis. Perhaps engineers in the field can access data on all deployed infrastructure, including street and signal lights and utility infrastructure. But finance personnel see only data pertaining to electricity and water use that they need to track costs and predict usage.
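
The building management example above, as an added sketch that is not from the article or from NTT Research's libraries: the symmetric key protecting an elevator record is secret-shared over a policy tree of threshold gates, the mechanism tree-based ABE constructions use to embed a policy. The policy, attribute names and field size are assumptions, and without the pairing-based, per-user key randomization of a real ABE scheme this sketch does not resist collusion between users.

```python
# Added illustration: secret sharing over a policy tree, the structure that
# tree-based ABE schemes use to embed an access policy. This is not an ABE
# scheme: it has no pairings and no collusion resistance.
import secrets

F = 2**127 - 1   # prime field for Shamir shares

def share(secret, node):
    """Split `secret` down the tree; a gate is (k, children), a leaf a string."""
    if isinstance(node, str):
        return (node, secret)
    k, children = node
    coeffs = [secret] + [secrets.randbelow(F) for _ in range(k - 1)]
    q = lambda x: sum(c * pow(x, i, F) for i, c in enumerate(coeffs)) % F
    return (k, [share(q(i), child) for i, child in enumerate(children, 1)])

def recover(shared, attrs):
    """Return the secret if the attribute set satisfies the policy, else None."""
    if isinstance(shared[0], str):
        attr, value = shared
        return value if attr in attrs else None
    k, children = shared
    pts = [(i, v) for i, c in enumerate(children, 1)
           if (v := recover(c, attrs)) is not None][:k]
    if len(pts) < k:
        return None
    total = 0
    for xi, yi in pts:                       # Lagrange interpolation at x = 0
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num, den = num * -xj % F, den * (xi - xj) % F
        total = (total + yi * num * pow(den, -1, F)) % F
    return total

# Constructed policy for a record from an elevator built by vendor A:
# building management OR elevator maintenance OR (vendor support AND vendor A).
POLICY = (1, ["role:building_mgmt", "role:elevator_maint",
              (2, ["role:vendor_support", "vendor:A"])])

def demo():
    key = secrets.randbelow(F)               # would wrap the sensor record
    shared = share(key, POLICY)
    users = {
        "manager": {"role:building_mgmt"},
        "maintenance": {"role:elevator_maint"},
        "vendor_a": {"role:vendor_support", "vendor:A"},
        "vendor_b": {"role:vendor_support", "vendor:B"},
        "finance": {"role:finance"},
    }
    return {name: recover(shared, attrs) == key for name, attrs in users.items()}

if __name__ == "__main__":
    print(demo())
```

An OR gate is a 1-of-n threshold and an AND gate an n-of-n threshold, so the same two functions cover every policy shape described in this article.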

Electronic medical records

Attribute-based encryption would be useful for electronic medical records applications where different players – doctors, nurses, admission, finance – are responsible for different areas, and thus are granted access only to specific slices of data.

Delivery applications

A delivery service company could collect data including pickup time and location, delivery time and location, date, originating restaurant or retailer and the like. Such data would be useful in helping the company optimize delivery processes and resolve any disputes. Along the way, it could use attribute-based encryption to provide access to data on a role- and content-based basis. Those charged with optimizing delivery routes may be able to see all data while a representative trying to resolve a dispute would see data pertaining only to the geographic area and timeframe in question.

Multi-party access policies

A use case for multi-authority access control may be when a user must have credentials from two (or more) organizations in order to be granted access to content. Perhaps a government defense contractor wants to grant access to sensitive material only to a research and development director who is a U.S. citizen. The contractor would issue credentials with a pre-defined policy stating the user’s title while the U.S. government would issue the citizenship credentials.
The multi-authority policy would require the user to have both credentials in order to access the sensitive data.

Performance of attribute-based encryption

Early tests indicate attribute-based encryption schemes can be implemented on a range of computer hardware configurations. Even a $30 Raspberry Pi 3 processor can handle encryptions with policies that are limited in scope. More complex encryptions with policies containing many branches perform well on processors ranging from an Intel i5 with 4 cores to an Intel i9 with 16 cores.

Applications and use cases for functional encryption

Functional encryption can be used for applications where it’s useful to reveal just a subset of an encrypted dataset, such as the following examples.

Secure e-mail filtering

  • Functional encryption can determine if an encrypted email message is spam, but without revealing the contents of the message.
  • Similarly, it could be used to determine whether an encrypted email is from the CEO or your spouse, and thus flagged as “important,” but again without revealing the contents to a third party.
  • Taken to the next level, functional encryption could be used to detect urgent emails – such as from a hospital with a family member’s name included – in which case the recipient is immediately alerted via text.


In law enforcement, functional encryption could be used to examine a series of surveillance photos to determine whether a particular person is included in an image – without revealing other contents of the images.

Analytics dashboard

The rise in the use of cloud computing providers to store data presents another useful application for functional encryption. Companies could store their data in an encrypted format, but without decrypting the data enable the cloud provider to publish a dashboard based on predefined criteria, such as daily or weekly key performance indicators.

Practical Business and Personal Use Cases for Attribute-based Encryption

The digital wallet

Rather than carry a driver’s license, credit cards and the like in a physical wallet, a digital wallet would hold them on a smartphone. The wallet could also hold sensitive information such as a social security number, date of birth, and health records. But this presents a privacy risk, in that someone who is legitimately authorized to scan your phone, say to see your driver’s license, may be able to access other private information.
Attribute-based encryption solves this problem by enabling users to grant different levels of access to a digital wallet to different people or systems.

How ABE secures a digital wallet

At an airport, you need to show your driver’s license when passing through security. With ABE, you can issue a decryption key that allows access only to those attributes of your data wallet that have to do with your driver’s license.
“You can store this key in the airport system,” Dr. Karasawa said. “After that, you can just go to the airport, send your encrypted data wallet to the system, and the system can only read these lines of data.”
A second example is reloading funds onto a transit pass via credit card. Now the transit system needs to access both your credit card and the transit pass at the same time. ABE can create a single key that grants access to both items. Once the key is stored in the transit system, you can simply hand over your digital wallet and the system will be able to access both your credit card and transit pass – but nothing else.
A third, somewhat more complicated example involves going to a sporting event at a large stadium. The venue requires proof of a Covid-19 vaccination along with a photo ID. Both are stored on your digital wallet, but you don’t want the security personnel to be able to see your address, date of birth and other sensitive data.
In this case, ABE can create a decryption key for the vaccination record and another for your ID. Once those are loaded in the venue’s security system, it can scan your digital wallet and access those two items.
In that example, speed is of the essence, given thousands of people are trying to gain entry at the same time. That’s not an issue because the access controls are embedded into the data in the digital wallet, so it works even when the system is offline. There’s no need to access another system, such as a cloud-based security server.
“The encryption supports these types of high-performance systems,” Dr. Karasawa said.
He also demonstrated NTT Research’s cloud-based system that enables users to easily enter the items they want stored in their data wallets, and to generate encryption keys for various applications – such as the airport and stadium scenarios.

Attribute-based encryption is also applicable in business scenarios, such as a data lake. Companies store all sorts of data in data lakes and make it available to different stakeholders, including for business analytics. But much of the data is highly sensitive, such as salary data in HR records and customer information.
ABE makes it possible to make the data lake available to employees who need access to it, while protecting that sensitive information. “We can control access rights at the data layer,” Dr. Karasawa said.
The same scenario applies to smart city applications. Governments may collect all kinds of information to fuel smart city applications, including transportation and supply chain data, images of peoples’ faces and more. “Peoples’ names or faces, that kind of information should be protected at the data layer,” he said.

Functional encryption VPN

Research work is just beginning on the concept of functional encryption VPNs, a solution for the ever-increasing amount of encrypted Internet traffic.
The Google Transparency Report shows the percentage of encrypted web traffic has increased from less than 50% in early 2015 to about 90% or better today for all major platforms except Linux, which sits at 77%.
To detect any threats in encrypted traffic, companies often use Transport Layer Security (TLS) inspection. TLS inspection decrypts TLS traffic, enabling security tools to look for malware and other threats, then re-encrypt the session. This, of course, presents new risks because the traffic is in the clear, unencrypted, for a period of time. A functional encryption VPN would allow deep packet inspection without fully decrypting the data, enabling users to detect malware or other threats and take appropriate remediation action but without exposing their data.

Functional encryption and quantum computing

With an eye to the future, NTT Research Scientist Pratish Datta is working on designing functional encryption schemes that are not only secure in today’s computing environments but that can withstand quantum computing.

Functional encryption vs. fully homomorphic encryption

The concept of fully homomorphic encryption (FHE) is generating significant interest and is sometimes confused with functional encryption. FHE is not, however, a form of functional encryption and should not be considered a competing technology to it.
FHE enables calculations to be performed on encrypted data without exposing the underlying data in the clear. In a medical scenario, for example, privacy laws may prevent healthcare providers from sharing sensitive data with medical researchers. If a provider homomorphically encrypts the data, however, the researcher could run analytics functions on it while it is still encrypted. When the analytics functions are complete, the researcher downloads the encrypted output and only then can decrypt to reveal the result in plain text. The underlying data is never decrypted.
While FHE is useful for such delegated computing examples, it’s not suitable for applications such as directing an email server to identify spam messages. Using FHE, the server would be able to perform any encrypted function it wants on an encrypted email, but the result is delivered in an encrypted format, not in the clear as with functional encryption. Only the user with the appropriate key would be able to decrypt the result and there would be no way of knowing whether it’s accurate. What’s more, there’s no way to tell the server to perform a specific function, such as identifying spam emails.

What about Attribute-based Access Control?

Attribute-based Access Control (ABAC) is a specification published in 2014 by the U.S. National Institute of Standards and Technology (NIST) that aims at providing more than an all-or-nothing approach to encryption. It is not a standard, but rather provides a definition of ABAC and guidelines for how to implement it to secure data. It’s up to implementers to decide on the exact technologies to employ.
In practice, most ABAC implementations are at the software and system level, not the data level. NTT Research believes attribute-based encryption is an effective way to achieve ABAC while protecting the data level and providing a more granular level of control. Security schemes that only address the applications and systems layer, as well as physical and virtual perimeter, are subject to data leaks. Only by protecting the data layer can companies be assured no data will be leaked even if they should suffer a breach.
In 2018, the EU’s ETSI Technical Committee on Cybersecurity issued two specifications for using attribute-based encryption to protect personal data:

  • ETSI TS 103 458 provides a specification for applying attribute-based encryption to personally identifiable information (PII) and personal data protection on IoT devices, WLAN, cloud and mobile services.
  • ETSI TS 103 532 specifies the trust models, functions and protocols required for using attribute-based encryption as a foundation of an attribute-based access control scheme.

Milestones in the History of attribute-based and functional encryption

Timeline for Functional and Attribute-based Encryption Implementation
As the ETSI specifications suggest, functional encryption and attribute-based encryption are now mature technologies. We can expect use cases similar to those described above to come to market soon.

2005: Brent Waters and Amit Sahai first propose the concepts of attribute-based encryption and functional encryption in their paper, “Fuzzy Identity-based Encryption.”

2006: Vipul Goyal, Omkant Pandey, Amit Sahai, Brent Waters publish “Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data.” (CCS 2006: 89-98)

This paper presents the first attribute-based encryption scheme for a large class of policies, and received the “Test of Time Award” at CCS 2016, one of the top conferences for security research. Goyal is now a Senior Scientist at NTT Research.

2007: Dan Boneh and Brent Waters publish “Conjunctive, Subset, and Range Queries on Encrypted Data,” which lays out the first definitional foundations for functional encryption.

2007: Brent Waters, John Bethencourt and Amit Sahai publish “Ciphertext-Policy Attribute-Based Encryption,” which describes techniques for keeping encrypted data confidential even if the server on which it is stored is untrusted. The methods described also protect against collusion attacks.

2010: Brent Waters is awarded the Sloan Research Fellowship.

2011: The David and Lucile Packard Foundation names Brent Waters as a recipient of a Packard Fellowship for Science and Engineering.

2011: Microsoft Research selects Brent Waters as one of eight Microsoft Research Faculty Fellows of 2011.

2012: President Barack Obama presents Brent Waters with a Presidential Early Career Award for Scientists and Engineers (PECASE), the highest honor bestowed by the United States government for science and engineering professionals in the early stages of their independent research careers.

2013: Sergey Gorbunov, Vinod Vaikuntanathan and Hoeteck Wee publish “Attribute-based encryption for circuits.” (STOC 2013: 545-554). This joint work with collaborators from the University of Toronto, MIT and George Washington University presents the first attribute-based encryption scheme for essentially all access policies. The scheme additionally achieves post-quantum security. Wee is now a Senior Scientist with NTT Research.

2015: Brent Waters is awarded the Grace Murray Hopper Award for the introduction and development of the concepts of attribute-based encryption and functional encryption.

2019: The Simons Foundation names Brent Waters as a Simons Investigator, providing funding to support his cryptography work.

2020: NTT Research makes attribute-based encryption software libraries available in the marketplace for solution providers to create commercial products.