Open in app

Sign in

Write

Sign in

MAABE: Multi-Authority Attribute-Based Encryption scheme

Prof Bill Buchanan OBE FRSE
3 min readJust now

Last week, I spoke with Brent Waters, who is the co-inventor of ABE [1]:

Brent continued to work on ABE, and, in 2011, he created a decentralised approach [2]:

This creates a multi-authority (MA) attribute-based encryption (ABE) scheme, where we can split the signing of the attributes across different authorities.

Let's say that a student needs to pass Exam 1 and Exam 2 in university or Exam 1 and Exam 2 in college. We can create the policy with:

policy:="((university:exam01 AND auth2:exam01) OR 
    (university:exam02 AND auth2:exam02))"

attributes1 :="university:exam01 university:exam02"
attributes2 :="auth2:exam01 auth2:exam02"

Next, we can create the key required:

a := abe.NewMAABE()

// create three authorities, each with two attributes
 attribs1 := strings.Split(attributes1, " ")
 attribs2 := strings.Split(attributes2, " ")

university, err:= a.NewMAABEAuth("university", attribs1)
college, err:= a.NewMAABEAuth("college", attribs2)

And then encrypt using the public keys from the university and college:


    // create a msp struct out of the boolean formula
    msp, err := abe.BooleanToMSP(policy, false)

    if err != nil {
        fmt.Printf("Failed to generate the policy: %v\n", err)
    }

    // define the set of all public keys we use
    pks := []*abe.MAABEPubKey{university.PubKeys(),college.PubKeys()}


    // encrypt the message with the decryption policy in msp
    ct, err := a.Encrypt(msg, msp, pks)

The decryption then becomes:

    // choose a single user's Global ID
    gid := "gid1"

    // authority 1 issues keys to user
    keys1, err := university.GenerateAttribKeys(gid, attribs1)
    key11:= keys1[0]
    keys2, err := college.GenerateAttribKeys(gid, attribs2)
    key21 := keys2[0]

    ks1 := []*abe.MAABEKey{key11,key21} // ok


    // try to decrypt all messages
    msgRecovered, err := a.Decrypt(ct, ks1)

The full code is [here]:

package main

import (
 "fmt"
 "os"
 "github.com/fentec-project/gofe/abe"
 "strings"
)


func main() {

 policy:="((university:exam01 AND auth2:exam01) OR (university:exam02 AND auth2:exam02))"


   attributes1 :="university:exam01 university:exam02"
   attributes2 :="auth2:exam01 auth2:exam02"
 msg:="Hello"

 argCount := len(os.Args[1:])


        if (argCount>0) { msg= (os.Args[1]) }
        if (argCount>1) { policy= (os.Args[2]) }
        if (argCount>2) { attributes1= (os.Args[3]) }
        if (argCount>3) { attributes2= (os.Args[4]) }


 a :=   abe.NewMAABE()

// create three authorities, each with two attributes
    attribs1 := strings.Split(attributes1, " ")
    attribs2 := strings.Split(attributes2, " ")

 fmt.Printf("Attributes1: %v\nAttributes2: %v\nPolicy %v\n\n",attributes1,attributes2,policy)


    university, err:= a.NewMAABEAuth("university", attribs1)
    college, err:= a.NewMAABEAuth("college", attribs2)

    if err != nil {
        fmt.Printf("Failed generation authority %s: %v\n", "university", err)
    }

    // create a msp struct out of the boolean formula
    msp, err := abe.BooleanToMSP(policy, false)

    if err != nil {
        fmt.Printf("Failed to generate the policy: %v\n", err)
    }

    // define the set of all public keys we use
    pks := []*abe.MAABEPubKey{university.PubKeys(),college.PubKeys()}


    // encrypt the message with the decryption policy in msp
    ct, err := a.Encrypt(msg, msp, pks)
    if err != nil {
        fmt.Printf("Failed to encrypt: %v\n", err)
    }


    // choose a single user's Global ID
    gid := "Education"

    // authority 1 issues keys to user
    keys1, err := university.GenerateAttribKeys(gid, attribs1)
    key11:= keys1[0]
    keys2, err := college.GenerateAttribKeys(gid, attribs2)
    key21 := keys2[0]

    ks1 := []*abe.MAABEKey{key11,key21} // ok


    // try to decrypt all messages
    msgRecovered, err := a.Decrypt(ct, ks1)
    if err != nil {
        fmt.Printf("Error decrypting with keyset 1: %v\n", err)
    }


 fmt.Printf("Message: %v\nRecovered %v",msg, msgRecovered)






}

If the university provides the attributes for exam01 and exam02, and the college provides attributes for exam01 and exam02, we get:

Attributes1: university:exam01 university:exam02
Attributes2: college:exam01 college:exam02
Policy ((university:exam01 AND college:exam01) OR (university:exam02 AND college:exam02))

Message: Danger, danger!!
Recovered Danger, danger!!

If college only supplies exam01, we get:

Attributes1: university:exam01 university:exam02
Attributes2: college:exam01
Policy ((university:exam01 AND college:exam01) OR (university:exam02 AND college:exam02))

Failed to encrypt: attribute not found in any pubkey

References

[1] Goyal, V., Pandey, O., Sahai, A., & Waters, B. (2006, October). Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM conference on Computer and communications security (pp. 89–98).

[2] Lewko, A., & Waters, B. (2011, May). Decentralizing attribute-based encryption. In Annual international conference on the theory and applications of cryptographic techniques (pp. 568–588). Berlin, Heidelberg: Springer Berlin Heidelberg.

Cryptography
Cybersecurity

--

--

Prof Bill Buchanan OBE FRSE
Prof Bill Buchanan OBE FRSE

Written by Prof Bill Buchanan OBE FRSE

33K Followers
38 Following

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams