Data encryption is a fundamental tool for ensuring the confidentiality of sensitive data. In an encryption system, readable ‘cleartext’ data is mathematically transformed (or ‘encrypted’) into ‘ciphertext’ using a cryptographic key. A recipient with an appropriate cryptographic key can reverse the encryption process (‘decrypt’) to recover the original cleartext data. If the system is designed properly, the encrypted ciphertext should reveal no information about the original cleartext.
Historically, many encryption systems used the same key for both encryption and decryption of data. A limitation of this approach stems from the fact that the key must then be securely distributed to all parties before any encrypted messages can be exchanged. Indeed, the ‘key distribution problem’ has long been recognized as a major challenge facing cryptographic security systems.
The development of public key encryption schemes such as the system developed by Ronald Rivest, Adi Shamir, and Leonard Adleman (“RSA system”) represents a major step towards solving the key distribution problem. In this approach keys are created in pairs, with each pair including a “public key” and a “secret key”. The public key can be used to encrypt messages, but cannot be used to decrypt. Thus a user can widely distribute the public key, and retain the secret key for decryption.
Unfortunately, the public key encryption model has several limitations. First, prior to encrypting the message the sender must know the identities of each individual to whom the message will be delivered. Secondly, he must know the individuals' public keys. This is challenging in many common usage scenarios. For example, an employee might wish to securely share data with all members of the ‘Accounting’ group, but might not have a full listing of the group members and their keys. Furthermore, once encrypted, the document would not be accessible to any new members who should later join the group.
Among the approaches for resolving this issue, one solution, ‘Attribute Based Encryption’, replaces the public (encryption) key with two values: a parameter generated by a trusted party known as an Authority, and a ‘policy’ describing the attributes of the users to whom the message was addressed. The Authority also generates decryption keys that each embed one or more attributes describing a user. A key can be used to decrypt the ciphertext if and only if it contains attributes that satisfy the policy used to encrypt. It should be noted that in an ‘Attribute Based Encryption’ scheme only certain limited types of policies may be employed.
In the Attribute Based Encryption approach, all keys and parameters are created by a single Authority. In practice, there are situations where it is desirable to use two or more Authorities, each responsible for a different set of Attributes. Unfortunately the basic Attribute Based Encryption approach does not support encryption policies that reference multiple authorities.