Access Control Encryption (ACE)
Access Control Encryption
Enforcing Information Flow with Cryptography
Ivan Damgård, Helene Haagh, and Claudio Orlandi
Aarhus University, Denmark
Outline
Motivation
Access Control Encryption (ACE)
Model
Definition
Construction
2
CrossFyre 2016
Motivation
Bell-Lapadula
• No Read Up
• No Write Down
3
CrossFyre 2016
Motivation: No-Read Rule
dk
m
E(ek,m)
??
ek
4
CrossFyre 2016
Motivation: No-Write Rule
m
m
m
5
CrossFyre 2016
Motivation: No-Write Rule
??
C
C’
m
Should learn as little as possible (neither the
message nor the identity of the sender)
Why: Outsource to another company.
6
CrossFyre 2016
Outline
Motivation
Access Control Encryption (ACE)
Model
Definition
Construction
7
CrossFyre 2016
Access Control Encryption
Senders:
Receivers:
𝑆𝑆1 , 𝑆𝑆2 , … , 𝑆𝑆𝑛𝑛
𝑅𝑅1 , 𝑅𝑅2 , … , 𝑅𝑅𝑛𝑛
Access Policy 𝑃𝑃: 𝑛𝑛 × 𝑛𝑛 → 0,1
𝑃𝑃 𝑥𝑥, 𝑦𝑦 = 1 : flow from 𝑆𝑆𝑥𝑥 to 𝑅𝑅𝑦𝑦 is allowed
𝑃𝑃 0, 𝑦𝑦 = 𝑃𝑃 𝑥𝑥, 0 = 0 for all 𝑥𝑥, 𝑦𝑦
𝑃𝑃 𝑋𝑋, 𝑌𝑌 = 0 iff 𝑃𝑃 𝑥𝑥, 𝑦𝑦 = 0 for all 𝑥𝑥 ∈ 𝑋𝑋, 𝑦𝑦 ∈ 𝑌𝑌
Sanitizer: Special party that routes trafic from senders
to receivers
8
Should learn as little as possible
Assumed to be “honest-but-curious”
CrossFyre 2016
San
Access Control Encryption
𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆𝑆 𝑃𝑃 → (𝑚𝑚𝑚𝑚𝑚𝑚, 𝑝𝑝𝑝𝑝)
𝐺𝐺𝐺𝐺𝐺𝐺
𝐺𝐺𝐺𝐺𝐺𝐺 𝑚𝑚𝑚𝑚𝑚𝑚, 𝑆𝑆𝑆𝑆𝑆𝑆, 𝑥𝑥 → 𝑒𝑒𝑒𝑒𝑥𝑥
𝐺𝐺𝐺𝐺𝐺𝐺 𝑚𝑚𝑚𝑚𝑚𝑚, 𝑅𝑅𝑅𝑅𝑅𝑅, 𝑦𝑦 → 𝑑𝑑𝑘𝑘𝑦𝑦
𝐺𝐺𝐺𝐺𝐺𝐺 𝑚𝑚𝑚𝑚𝑚𝑚, 𝑆𝑆𝑆𝑆𝑆𝑆 → 𝑟𝑟𝑟𝑟
𝐸𝐸𝐸𝐸𝐸𝐸 𝑒𝑒𝑒𝑒𝑥𝑥 , 𝑚𝑚 → 𝑐𝑐
𝑆𝑆𝑆𝑆𝑆𝑆 𝑟𝑟𝑟𝑟, 𝑐𝑐 → 𝑐𝑐𝑐
9
S3
S2
S1
R3
ek3
c
ek2
San
R2
rk
R1
ek1
𝐷𝐷𝐷𝐷𝐷𝐷 𝑑𝑑𝑑𝑑𝑦𝑦 , 𝑐𝑐 ′ = 𝑚𝑚 𝑖𝑖𝑖𝑖 𝑃𝑃 𝑥𝑥, 𝑦𝑦 = 1
c’
CrossFyre 2016
dk3
dk2
dk1
P(3,3)=1
P({2,3},{1,2})=0
No-Read Rule
S3ek
S2ek
S1ek
10
R3
dk3
3
E(ek3,m)
2
San
c’
R2
dk2
rk
R1
dk1
1
CrossFyre 2016
P(3,3)=1
P({2,3},{1,2})=0
No-Read Rule
S3ek
S2ek
S1ek
11
(x,m)=(?,?)
dk3
3
E(ek3,m)
2
R3
San
c’
R2
dk2
rk
R1
dk1
1
CrossFyre 2016
P({1,2},1)=1
No-Read Rule
S3ek
S2ek
S1ek
12
R3
dk3
3
E(ek1,m)
2
San
c’
R2
dk2
rk
R1
dk1
1
CrossFyre 2016
P({1,2},1)=1
No-Read Rule
S3ek
S2ek
S1ek
13
(x,m)=(?,m)
dk3
3
E(ek1,m)
2
R3
San
c’
R2
dk2
rk
R1
dk1
1
CrossFyre 2016
P({2,3},{1,2})=0
No-Write Rule
S3ek
S2ek
S1ek
14
R3
dk3
3
2
San
R2
dk2
rk
R1
dk1
1
CrossFyre 2016
P({2,3},{1,2})=0
No-Write Rule
S3ek
S2ek
S1ek
15
R3
dk3
3
m
2
1
c*
San
San(c*)
R2
rk
m=?
CrossFyre 2016
R1
dk2
dk1
Outline
Motivation
Access Control Encryption (ACE)
Model
Definition
Construction
16
CrossFyre 2016
P(1,1)=1
Single Identity ACE
S1 𝑒𝑒𝑒𝑒
S0
1.
2.
17
𝑚𝑚 = 𝐷𝐷𝐷𝐷𝐷𝐷(𝑑𝑑𝑑𝑑, 𝑐𝑐𝑐)
R1
𝑐𝑐 = 𝐸𝐸(𝑒𝑒𝑒𝑒, 𝑚𝑚)
San
𝑟𝑟𝑟𝑟
𝑐𝑐𝑐 = 𝑆𝑆𝑎𝑎𝑎𝑎(𝑟𝑟𝑟𝑟, 𝑐𝑐)
R0
Prevent direct comm.: If 𝑐𝑐 was computed from 𝑒𝑒𝑒𝑒
• yes → keep the message
• no →
destroy the message
Prevent subliminal comm.: “Sanitize” the ciphertext
CrossFyre 2016
𝑑𝑑𝑑𝑑
P(1,1)=1
Single Identity ACE
𝑐𝑐 = 𝐸𝐸 𝑎𝑎), 𝐸𝐸(𝑚𝑚
S1 𝑒𝑒𝑒𝑒 = 𝑎𝑎
S0
18
𝑐𝑐𝑐 = 𝐸𝐸 𝑟𝑟 𝑎𝑎 − 𝑎𝑎 + 𝑚𝑚 𝐸𝐸(0)
𝑚𝑚
R1
San
𝑟𝑟𝑟𝑟 = 𝑎𝑎
Additive homomorphic encryption:
• Keys: 𝑝𝑝𝑝𝑝, 𝑠𝑠𝑠𝑠
• Encrypt: 𝑐𝑐 ← 𝐸𝐸 𝑝𝑝𝑝𝑝, 𝑚𝑚 = 𝐸𝐸(𝑚𝑚)
• Decrypt: 𝑚𝑚 ← 𝐷𝐷(𝑠𝑠𝑠𝑠, 𝑐𝑐)
• Add: 𝐸𝐸 𝑚𝑚1 𝐸𝐸 𝑚𝑚2 = 𝐸𝐸 𝑚𝑚1 + 𝑚𝑚2
CrossFyre 2016
R0
𝑑𝑑𝑑𝑑 = 𝑠𝑠𝑠𝑠
P(1,1)=1
Single Identity ACE
No-Read Rule
𝑐𝑐 = 𝐸𝐸 𝑎𝑎), 𝐸𝐸(𝑚𝑚
S1 𝑒𝑒𝑒𝑒 = 𝑎𝑎
S0
19
𝑐𝑐𝑐 = 𝐸𝐸 𝑟𝑟 𝑎𝑎 − 𝑎𝑎 + 𝑚𝑚 𝐸𝐸(0)
R1
San
𝑟𝑟𝑟𝑟 = 𝑎𝑎
CrossFyre 2016
R0
𝑚𝑚 =?
𝑑𝑑𝑑𝑑 = 𝑠𝑠𝑠𝑠
P(1,1)=1
Single Identity ACE
No-Write Rule
S1 𝑒𝑒𝑒𝑒 = 𝑎𝑎
S0
20
𝑐𝑐𝑐 = 𝐸𝐸 𝑟𝑟 𝑎𝑎′ − 𝑎𝑎 + 𝑚𝑚 𝐸𝐸(0)
𝑐𝑐 = 𝐸𝐸 𝑎𝑎𝑎 , 𝐸𝐸 𝑚𝑚
𝑚𝑚 =?
R1
San
𝑟𝑟𝑟𝑟 = 𝑎𝑎
CrossFyre 2016
R0
𝑚𝑚 =?
𝑑𝑑𝑑𝑑 = 𝑠𝑠𝑠𝑠
P(x,y)=1 iff x ≤ y
Linear ACE
{San(rk1,c1),
San(rk2,c2),
San(rk3,c3)}
{c1 (random),
S3ek E(ek2,m),
3
E(ek3,m)}
S2ek , ek
2
3
S1ek ,ek , ek
1
21
San
2
R2
𝑚𝑚
dk3
dk2
rk1, rk2, rk3
3
R3
𝑚𝑚
R1
𝑚𝑚 =?
CrossFyre 2016
dk1
Access Control Encryption (ACE)
A new notion of encryption which allows one to control
the flow of information with minimal trust in the channel.
Instantiations
DDH/Paillier (linear complexity)
iO (polylog complexity)
Others? (an open problem)
http://ia.cr/2016/106
22
CrossFyre 2016
© Copyright 2025