On the Feasibility of Attribute-Based Encryption
on Smartphone Devices
Attribute-Based Encryption (ABE) is a powerful cryptographic tool that allows fine-grained access control over data. Due to its features, ABE has been adopted in several applications, such as encrypted storage or access control systems. Recently, researchers have argued that the performance of ABE is unacceptable when implemented on mobile devices. Indeed, the infeasibility of ABE on mobile devices would hinder the deployment of novel protocols and services that could instead exploit the full potential of such devices. However, we believe the conclusion of non-usability was driven by a not very efficient implementation.
In this paper, we want to shine a light on this concern by studying the feasibility of applying ABE on smartphone devices. In particular, we implemented AndrABEn, an ABE library for the Android operating system. Our library is written in the C language and implements two main ABE schemes: Ciphertext-Policy Attribute-Based Encryption, and Key-Policy Attribute-Based Encryption. We also ran a thorough experimental evaluation of AndrABEn, and compared it with the current state-of-the-art (considering the same experimental setting). The results confirm the possibility to effectively use ABE on smartphone devices, requiring an acceptable amount of resources in terms of computations and energy consumption. Since the current state-of-the-art claims the infeasibility of ABE on mobile devices, we believe that our study (together with the AndrABEn library that we made available online) is a key result that will pave the way for researchers and developers to design and implement novel protocols and applications for mobile devices.
|University of Padua, Italy|
|Mauro Conti. Mauro Conti is supported by a European Marie Curie Fellowship (N. PCIG11-GA-2012-321980). This work is also partially supported by the Italian MIUR PRIN Project TENACE (N. 20103P34XC), and the University of Padua PRAT 2014 Project on Mobile Malware.|
|University of Padua, Italy|
|West Tehran Branch,|
|Islamic Azad University, Iran|
Attribute-Based Encryption (ABE) is a public key encryption scheme first introduced in 2005 by Sahai and Waters [?]. In this scheme, both encryption and decryption are based on attributes (e.g., age, gender, or job position), that can be either related to the private keys of the users, or to the ciphertext. A user can restrict access to a specific piece of data by defining an access policy. As an example, an access policy can be expressed as a boolean expression such as , where , and are attributes and the possible values for attributes are implicitly or . Researchers proposed two main types of ABE schemes, namely Key-Policy Attribute-Based Encryption (KP-ABE) [?] and Ciphertext-Policy Attribute-Based Encryption (CP-ABE) [?].
Compared to the other encryption approaches, ABE presents several advantages [?]. First, it allows the data owner to apply fine-grained access control over data, based on attributes and policies. Second, ABE schemes are scalable and independent of the number of authorized users. Moreover, ABE by construction is resilient against collusion attacks. Finally, while traditional public key infrastructures impose a noticeable communication and storage overhead due to the exchange of cryptographic material, using ABE the data owner can encrypt data by using a set of attributes, without exchanging any certificates or identifying the client [?].
Several factors influence the performance of ABE in real applications, such as the number of attributes used for defining an access policy, the desired security level, and the capabilities of the underlying device, in terms of available memory and CPU speed. Some researchers have already studied the feasibility of using ABE on mobile devices [?]; however, most of the existing studies do not consider all the factors, or do not actually implement ABE on a smartphone. In [?], Wang et al. evaluated the performance of CP-ABE and KP-ABE on laptop and smartphone devices. They implemented both schemes in Java, and evaluated different metrics. The authors concluded that ABE performance is unacceptable on Android smartphones. However, the usefulness of ABE in mobile applications is evident, and its infeasibility on such devices would be a big obstacle to the deployment of new services that benefit from its advantages. Therefore, obtaining acceptable performance is the biggest challenge for guaranteeing the use of ABE on resource-constrained devices.
The contribution of this paper is a comprehensive and careful study of the feasibility of ABE operations on Android smartphone devices. In particular, contrary to what is claimed in [?], we show that it is possible to achieve reasonable performance for the main ABE operations, even on smartphone devices. We provide AndrABEn, an implementation of CP-ABE [?] and KP-ABE [?] as a C library for Android smartphones. We integrated this library into Android using the Android Native Development Kit (NDK). We evaluated our implementation, and compared its performance with the Java-based study and implementation proposed by Wang et al. in their work presented at ICC 2014 [?], considering the same experimental settings (we re-implemented the proposal in [?] due to the unavailability of the original source code). The results of our thorough evaluation show that the performance of our solution is an order of magnitude higher than the one in [?]. Accordingly, our results prove that applying ABE is indeed feasible on current mobile devices, such as the Samsung Galaxy Nexus smartphone on which we ran our experiments. Finally, we made the AndrABEn library freely available [?] for researchers and developers.
The rest of the paper is organized as follows. We first present some related work. We then introduce the preliminaries and background on ABE. Next, we present AndrABEn, our proposed implementation for CP-ABE and KP-ABE, and provide an analysis of its performance; we also discuss and compare our results with the ones in [?]. Finally, we draw our conclusions.
Due to the increasing use of mobile devices, evaluating the performance of cryptographic algorithms on mobile devices is an important issue that has been considered in several research studies [?, ?, ?, ?]. As an example, Braga and Nascimento [?] evaluated the feasibility of cryptographic algorithms on Android smartphone devices. They assessed the portability of cryptographic libraries on a Samsung i9100 and measured the performance of applying these libraries on the Android devices; however, in their analysis they did not consider ABE.
Recently, the concept of ABE has been used in various schemes to deal with data confidentiality, privacy and access control issues. Unfortunately, most of these research studies did not evaluate the actual feasibility of adopting ABE in their proposed approaches. However, a few researchers focused on such an assessment; we discuss some of them in the following.
In [?], Baden et al. presented Persona, an Online Social Network, where users are able to hide their personal information. They provided privacy by encrypting data with ABE. They implemented their solution on a first generation iPhone device, by cross-compiling the cpabe library [?] and its dependencies for the iPhone SDK 2.2.1. They obtained an average decryption and encryption time of 254 ms and 926 ms respectively, considering access structures containing one to five attributes. However, the authors did not provide an implementation of ABE on the Android smartphone.
Along the same line of studies, we also proposed a system for efficient software updates distribution, over untrusted distribution networks in [?]. We used CP-ABE to guarantee flexible access control. In this work, we only provided evaluations measured on a laptop device with two 2.4 GHz Intel Core 2 Duo CPUs. Based on our experimental results, the CP-ABE encryption and decryption time for five attributes are 77.47 ms and 32.62 ms, respectively. We realized that not providing a proper feasibility assessment is a big limitation for this type of proposals. In this paper, we aim to fill this gap and pave the way for developing further solutions assuming the feasibility of ABE for mobile devices.
A study similar to the one we are going to discuss in this paper was carried out in [?]. The authors evaluated the performance of CP-ABE and KP-ABE in terms of execution time, data overhead, energy consumption, CPU and memory usage. They implemented these two ABE schemes using Java on a laptop with a 1.60 GHz Intel Quad-Core i7 2677M CPU and a smartphone running Android 4.04 with a 1.60 GHz Intel Atom Z2460. The authors stated that applying ABE on Android smartphone devices is not practical with acceptable performance. In this paper, we show that this conclusion mostly depends on the specific implementation provided in [?], and that it does not hold in general.
Finally, in [?] Green et al. proposed an alternative approach for efficient ABE decryption. In their solution, a part of the ABE decryption is outsourced to a third party cloud, highly reducing the load on the client device. However, while representing a good option to facilitate the ABE operations on devices with limited resources, this solution requires additional resources compared to in-device decryption, such as a third-party cloud entity, as well as Internet connectivity.
To the best of our knowledge, we are the first to show the reasonable performance of ABE on Android devices, and to provide a publicly available implementation for Android smartphone devices [?]. Indeed, existing ABE implementations for Android showed a high computation overhead on mobile platforms [?, ?]. We prepared and cross-compiled two ABE C libraries, to be used on Android mobile devices, thus proving the feasibility of such schemes on this platform. While we leave this as future work, we expect that AndrABEn can be easily extended to other mobile devices and Internet of Things (IoT) devices.
This section provides the fundamentals of Key-Policy ABE (KP-ABE) [?], and Ciphertext-Policy ABE (CP-ABE) [?]. Both CP-ABE and KP-ABE, are public key schemes. In a KP-ABE scheme, the data owner encrypts the data specifying a set of attributes. Each user owns a private key that reflects a specific policy. She will be able to decrypt a ciphertext if and only if the attributes embedded into the ciphertext satisfy the policy in . It consists of four functions:
Setup. It takes as input an implicit security parameter and outputs the public parameter , and a master key .
Encryption. It takes as input a message , a set of attributes , and the public parameter , and outputs the ciphertext .
KeyGen. It takes as input an access policy , the master key and the public parameter . It outputs a decryption key reflecting the given policy.
Decryption. It takes as input the ciphertext that is encrypted under the set of attributes ; the decryption key , that represents the access policy ; and the public parameter . It outputs the message if and only if “satisfies” the access policy .
Different from KP-ABE, in the CP-ABE scheme, the data owner encrypts her data enforcing an access policy. Users are provided with private keys representing a set of attributes. Only users having attributes that satisfy an access policy will be able to decrypt the ciphertext. A CP-ABE scheme provides the following functions:
Setup. It takes as input an implicit security parameter and outputs the public parameter , and a master key .
Encryption. It takes as input a message , an access policy , and the public parameter , and outputs the ciphertext .
KeyGen. It takes as input a set of attributes , the master key and the public parameter . It outputs a decryption key reflecting the given attributes.
Decryption. It takes as input the ciphertext that is encrypted under the access policy ; the decryption key representing a set of attributes ; and the public parameter . It outputs the message if and only if “satisfies” the access policy .
Similar to other pairing-based schemes, the complexity of CP-ABE and KP-ABE depends on the number of exponentiations and pairing operations performed by each of their algorithms [?]. In the CP-ABE scheme [?], the efficiency of the KeyGen algorithm depends on the number of attributes to be applied to the newly generated key. Herein, the algorithm performs two exponentiations for each attribute. Similarly, the Encryption operation requires two exponentiations for each attribute in the specified policy. The same complexity is also required by the KeyGen and Encryption operations in the KP-ABE scheme [?]. However, the efficiency of the Decryption function for CP-ABE mainly depends on the policy enforced on the ciphertext and on the private key used for its decryption. This makes an estimation of the complexity of such an operation a non-trivial task [?]. The same holds for the KP-ABE Decryption operation, which strongly depends on the attribute set and the access policy specified in the ciphertext and the private key, respectively.
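The "satisfies" condition used by both Decryption descriptions, and the attribute count that drives the per-attribute cost discussed above, shown as an added example (not code from AndrABEn or from the cpabe and KP-ABE libraries) that models the predicate only, without any cryptography. The `and`/`or` policy syntax, the name `abe_satisfies` and the sample attributes are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Parser state: unread policy text, attribute set under test, leaf count, error flag. */
struct policy_ctx {
    const char *p;
    const char *const *attrs;
    size_t n_attrs;
    int leaves;
    bool error;
};

static bool is_name_char(char ch) { return isalnum((unsigned char)ch) || ch == '_'; }
static void skip_ws(struct policy_ctx *c) { while (isspace((unsigned char)*c->p)) c->p++; }

/* Consume the gate keyword kw only if it appears as a whole word. */
static bool accept_kw(struct policy_ctx *c, const char *kw) {
    size_t n = strlen(kw);
    skip_ws(c);
    if (strncmp(c->p, kw, n) != 0 || is_name_char(c->p[n])) return false;
    c->p += n;
    return true;
}
static bool parse_or(struct policy_ctx *c);

/* atom := NAME | '(' or-expr ')' ; a NAME is true iff it is in attrs. */
static bool parse_atom(struct policy_ctx *c) {
    skip_ws(c);
    if (*c->p == '(') {
        c->p++;
        bool v = parse_or(c);
        skip_ws(c);
        if (*c->p == ')') c->p++; else c->error = true;
        return v;
    }
    const char *start = c->p;
    while (is_name_char(*c->p)) c->p++;
    size_t len = (size_t)(c->p - start);
    if (len == 0) { c->error = true; return false; }
    c->leaves++;
    for (size_t i = 0; i < c->n_attrs; i++)
        if (strlen(c->attrs[i]) == len && memcmp(c->attrs[i], start, len) == 0)
            return true;
    return false;
}

/* Both operands are always parsed, so every leaf is counted and syntax
 * errors are found even when the result is already decided. */
static bool parse_and(struct policy_ctx *c) {
    bool v = parse_atom(c);
    while (!c->error && accept_kw(c, "and")) { bool r = parse_atom(c); v = v && r; }
    return v;
}

static bool parse_or(struct policy_ctx *c) {
    bool v = parse_and(c);
    while (!c->error && accept_kw(c, "or")) { bool r = parse_and(c); v = v || r; }
    return v;
}

/* 1 = attrs satisfy policy, 0 = they do not, -1 = malformed policy
 * (callers must treat -1 as a denial). *leaves receives the attribute count. */
int abe_satisfies(const char *policy, const char *const *attrs,
                  size_t n_attrs, int *leaves) {
    struct policy_ctx c = { policy, attrs, n_attrs, 0, false };
    bool v = parse_or(&c);
    skip_ws(&c);
    if (c.error || *c.p != '\0') return -1;
    if (leaves) *leaves = c.leaves;
    return v ? 1 : 0;
}

int main(void) {
    /* Constructed sample. In CP-ABE the policy sits in the ciphertext and the
     * set in the key; in KP-ABE the same predicate runs with roles swapped.
     * Per the text above, Encryption costs two exponentiations per attribute. */
    const char *const set_a[] = { "doctor", "cardiology" };
    int leaves = 0;
    int ok = abe_satisfies("(doctor and cardiology) or auditor", set_a, 2, &leaves);
    printf("satisfied=%d leaves=%d exponentiations=%d\n", ok, leaves, 2 * leaves);
    return 0;
}
```

In the actual schemes this predicate is not a separate check that could be bypassed: decryption only recovers the message when the secret shares tied to a satisfying attribute set can be recombined.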
In this section, we provide an in-depth analysis of the performance of AndrABEn, and a comparison with the implementation in [?].
Our ABE implementation [?] comprises two libraries: the cpabe library [?], which implements the scheme proposed by Bethencourt et al. in [?], and a publicly available custom implementation [?] of the KP-ABE scheme proposed by Goyal et al. in [?]. The original code has been slightly modified, in order to be integrated into Android mobile devices. Both libraries employ Type pairings provided by the PBC library [?]. Type pairings are built on top of an elliptic curve: over a finite field , for some prime , and have a fixed embedding degree [?]. Therefore, the security strength of the scheme can be tuned by modifying two parameters: the size of the field , and the prime order of the base point [?]. The table below shows the security level of both CP-ABE and KP-ABE schemes, according to [?].
|Security level (bits)|80|112|128|
|bit length of|160|224|256|
|bit length of|512|1024|1536|
AndrABEn is implemented on Android 4.3, “Jelly Bean”. We carried out our experimental evaluation on a Samsung Galaxy Nexus device (1.2 GHz dual-core ARM Cortex-A9 CPU, 1 GB RAM). For completeness and comparison, we also tested our libraries on a laptop device (Ubuntu 14.4 LTS, 1.8 GHz 4x Intel Core™ i7-4500U CPU, 8 GB RAM).
We evaluated KeyGen, Encryption and Decryption operations, varying the number of attributes adopted from one to 30. We consider this range to be representative enough for a wide range of real world applications of ABE [?].
We tested both ABE schemes with security levels of 80, 112 and 128 bits, and measured average execution time, CPU and memory utilization, and energy consumption on mobile devices. Note that, as in other public key schemes, in ABE the actual encryption of the ciphertext is performed by means of a symmetric key, which is in turn encrypted with the public key. Therefore, we evaluate both encryption and decryption operations performed on a symmetric key. This makes our analysis independent from the size of the ciphertext.
The execution-time figure presents the average time overhead for Encryption and Decryption operations for both CP-ABE and KP-ABE schemes. The results are presented for both Android and laptop devices. They have been obtained as an average of 100 executions for each operation, varying the number of employed attributes and adopting different levels of security.
As the figure shows, in general, the time required to perform each operation depends directly on the number of attributes that are used. Adopting a security level of 80 bits (which is reasonable for several medium-level security applications [?]), the CP-ABE Encryption operation remains under 4 s on the Android smartphone. Similarly, the CP-ABE KeyGen operation requires less than 2 s to be executed. However, adopting a security level of 112 or 128 bits, the time overhead imposed by CP-ABE on the Android smartphone is much higher, though we argue it is still usable for non-interactive applications (e.g., encrypted data to be uploaded to a cloud storage service). Indeed, in such applications the encryption could be carried out in a background process. For KP-ABE, however, the time required to perform the various operations is lower, and even the adoption of a security level of 128 bits is feasible on the Android smartphone. On the laptop, the evaluation results confirm the practicality of both CP-ABE and KP-ABE schemes, requiring a reasonable time for both KeyGen ( s), and Encryption ( s) operations.
We measured CPU utilization on Android smartphone by collecting the required information from the system files /proc/stat, and /proc/[pid]/stat, where pid is the id of the application’s process. The CPU utilization remains under for each of the three operations, for both CP-ABE and KP-ABE, i.e., the operations fully utilize one of the two CPUs provided by the underlying platform.
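The measurement described above, as an added example (not the authors' tooling): it derives a process's CPU share from two samples of the aggregate `cpu` line of /proc/stat and of /proc/[pid]/stat. The function names and the sample lines are constructed for illustration; the lines are embedded as strings so the block runs without a /proc filesystem.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples from a dual-core device, taken at two points in time. */
static const char STAT_T0[] = "cpu  1000 0 500 8000 100 0 50 0 0 0";
static const char STAT_T1[] = "cpu  1090 0 515 8093 100 0 52 0 0 0";
/* The comm field (2nd) may itself contain spaces and parentheses. */
static const char PID_T0[] =
    "4242 (abe bench (v1)) R 1 4242 4242 0 -1 4194304 900 0 2 0 300 20 0 0 20 0 1 0 5000";
static const char PID_T1[] =
    "4242 (abe bench (v1)) R 1 4242 4242 0 -1 4194304 950 0 2 0 395 25 0 0 20 0 1 0 5000";

/* Total jiffies from the aggregate "cpu" line of /proc/stat. Only the first
 * eight counters (user..steal) are summed: guest time is already included
 * in user/nice, so adding it again would inflate the denominator. */
long long total_jiffies(const char *line) {
    long long sum = 0, v;
    int used, fields = 0;
    if (strncmp(line, "cpu ", 4) != 0) return -1;   /* rejects per-core cpuN lines */
    line += 4;
    while (fields < 8 && sscanf(line, "%lld%n", &v, &used) == 1) {
        sum += v;
        line += used;
        fields++;
    }
    return fields >= 4 ? sum : -1;   /* need at least user, nice, system, idle */
}

/* utime + stime (fields 14 and 15) from /proc/[pid]/stat. Parsing starts
 * after the LAST ')' so an unusual process name cannot shift the fields. */
long long proc_jiffies(const char *line) {
    long long utime, stime;
    const char *p = strrchr(line, ')');
    if (!p) return -1;
    /* Skip fields 3..13 (state .. cmajflt), then read utime and stime. */
    if (sscanf(p + 1, " %*s %*s %*s %*s %*s %*s %*s %*s %*s %*s %*s %lld %lld",
               &utime, &stime) != 2)
        return -1;
    return utime + stime;
}

/* CPU share of one process between two samples, in percent.
 * per_core = 0: share of the whole machine; per_core = 1: scaled by ncpus,
 * so one saturated core reads 100. Returns -1 on bad input or empty interval. */
double cpu_percent(const char *stat0, const char *pid0,
                   const char *stat1, const char *pid1,
                   int ncpus, int per_core) {
    long long t0 = total_jiffies(stat0), t1 = total_jiffies(stat1);
    long long p0 = proc_jiffies(pid0), p1 = proc_jiffies(pid1);
    if (t0 < 0 || t1 < 0 || p0 < 0 || p1 < 0 || t1 <= t0 || p1 < p0)
        return -1.0;
    double pct = 100.0 * (double)(p1 - p0) / (double)(t1 - t0);
    return per_core ? pct * ncpus : pct;
}

int main(void) {
    printf("whole machine: %.1f%%\n",
           cpu_percent(STAT_T0, PID_T0, STAT_T1, PID_T1, 2, 0));
    printf("per core:      %.1f%%\n",
           cpu_percent(STAT_T0, PID_T0, STAT_T1, PID_T1, 2, 1));
    return 0;
}
```

With these constructed samples a single-threaded job that saturates one of two cores reads as half of the whole machine and as a full core under the per-core convention, so a reported figure is only comparable once the convention is known.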
We measured the average memory space required by AndrABEn, adopting a range between one to 30 attributes. We realized that our implementations utilize between and MBytes of RAM space. We argue that such amount is acceptable for modern smartphones such as the Samsung Galaxy Nexus—used in our experiments.
To better understand the behavior of AndrABEn in large scale scenarios, we also measured the average memory consumption employing 10, 100 and 1000 attributes. The memory-consumption figure shows the obtained results. As expected, the amount of required RAM grows with the number of employed attributes. Here, one of the main advantages of running CP-ABE and KP-ABE on native code is the possibility to manage the heap usage directly, without relying on the Dalvik VM. Indeed, in such a case the use of the expensive garbage collector significantly slows down the overall execution [?].
Energy consumption is a major concern in mobile devices. Therefore, a desirable implementation of a cryptographic tool for mobile devices should consume as little energy as possible. We measured the average energy consumption for each of the CP-ABE and KP-ABE operations, by using the well-known PowerTutor Android application [?]. The energy-consumption figure shows the obtained results. As we can see, with a security level of 80 and 112 bits, the energy required by both schemes remains low, making their use suitable on smartphones.
In what follows, we provide a brief comparison of our proposal, AndrABEn, against the implementation proposed in [?], on the Android platform.
Unfortunately, the code used in [?] does not seem to be publicly available. Moreover, in [?], the authors performed their evaluation on a device (and a specific smartphone processor) which is not easily available anymore (an Android smartphone with a 1.60 GHz Intel Atom Z2460 processor and 1 GB RAM). For these reasons, to compare with the implementation proposed in [?], we can only rely on the numbers reported in [?] itself. Most of the discussion that follows is based on this approach. Moreover, for further validation we also re-implemented the solution proposed in [?] and performed some additional comparisons. As a side note we observe that, since our implementation is single threaded, it does not take advantage of the dual-core CPU of the device we used for our measurements. Furthermore, both the device we adopted and the one used in [?] are equipped with the same amount of RAM (i.e., 1 GB).
As shown in the execution-time figure, the execution time for both CP-ABE and KP-ABE with AndrABEn is significantly lower compared to the results reported in [?]. In particular, the CP-ABE key generation with AndrABEn requires less than 30 s, while with the implementation proposed in [?], key generation requires around 200 s. Similarly, AndrABEn performs CP-ABE encryption and decryption in less than 30 s and 20 s, respectively, while in the implementation proposed in [?], encryption and decryption operations take on average 70 s and 80 s, respectively. Moreover, the average execution time reported in [?] for all the three main KP-ABE operations, considering 26 attributes and a security level of 128 bits, is s for encryption, while decryption and key generation operations require between s and s. Instead, our AndrABEn implementation of KP-ABE requires a considerably lower execution time for each of the main operations, i.e., 12 s for decryption (Figure (f)), and 3 s for encryption (Figure (d)) and key generation (Figure (b)).
In order to compare the energy consumption of AndrABEn (which is illustrated in the energy-consumption figure) with the implementation proposed in [?] for CP-ABE, let us consider 10 attributes and a security level of 128 bits. With AndrABEn, each of the main CP-ABE operations, i.e., key generation, encryption and decryption, consumes almost 5 J, while with the implementation proposed in [?], key generation consumes between 70 J and 100 J, and encryption and decryption operations consume 30 J and 40 J, respectively. Furthermore, compared to AndrABEn, the KP-ABE implementation of key generation, encryption and decryption provided in [?] also requires a considerably higher amount of energy. Indeed, while our implementation of the three main KP-ABE operations requires less than 5 J, the implementation in [?] requires between 15 J and 40 J.
The comparison reported up to this point directly considered the performance results reported in [?]. However, for further validation we also developed our own Java-based implementation of the CP-ABE scheme in [?], following the specifications reported in [?]. We evaluated our Java implementation (which we believe to be similar to the one used in [?], for which code is not available) on the same device we used to evaluate AndrABEn. Due to space limitations, we only provide a comparison of the execution times of the two solutions, which is presented in the comparison figure. As we can see, the execution time for CP-ABE with AndrABEn is significantly lower compared to the results obtained with our Java-based implementation, which in turn presents results that are consistent with the ones provided in [?]. As an example, let us consider the execution time obtained with 25 attributes and a security level of 128 bits. Our CP-ABE AndrABEn implementation requires 25 s to perform the key generation, while the Java-based implementation requires 360 s to perform the same task. Similarly, the CP-ABE encryption and decryption operations with AndrABEn require on average 26 s and 19 s, while our Java-based implementation performs encryption and decryption in 340 s and 172 s, respectively.
Overall, we can conclude that, compared with the approach discussed in [?], AndrABEn provides significantly better performance, in terms of execution time, memory and CPU usage, and energy consumption.
With the increasing use of cloud environments and smart devices connected to the Internet of Things, the confidentiality of exchanged data and access control over stored data have become challenging issues. Attribute-Based Encryption is one of the best solutions that can be used to satisfy users' privacy concerns [?]. However, its performance on resource-constrained devices is a challenging issue, and still represents a big concern for researchers willing to use ABE to develop novel privacy-preserving and access control solutions for such devices.
In this paper, we studied the feasibility of applying ABE on smartphone devices and presented AndrABEn, an implementation of ABE in the C language. We also provided a comparative analysis with a similar research study [?] in which the authors proposed a Java-based implementation of ABE for Android smartphones. Based on the results of our thorough experiments, we conclude that using ABE on Android smartphones and similar devices is feasible. The evidence that we bring in this paper will be a reference for the applicability of ABE in resource-constrained devices.
-  ANDRABEN library. http://spritz.math.unipd.it/projects/andraben.
-  CP-ABE implementation. http://hms.isi.jhu.edu/acsc/cpabe/.
-  KP-ABE implementation. https://github.com/gustybear/kpabe.
-  Pairing Based Cryptography library. http://crypto.stanford.edu/pbc/.
-  M. Ambrosin, C. Busold, M. Conti, A. R. Sadeghi, and M. Schunter. Updaticator: Updating billions of devices by an efficient, scalable and secure software update distribution over untrusted cache-enabled networks. In ESORICS’14, pages 76–93, 2014.
-  R. Baden, A. Bender, N. Spring, B. Bhattacharjee, and D. Starin. Persona: An online social network with user-defined privacy. SIGCOMM Computer Communications Review, 39(4):135–146, 2009.
-  J. Bethencourt, A. Sahai, and B. Waters. Ciphertext-policy attribute-based encryption. In SP’07, pages 321–334, 2007.
-  J. W. Bos, M. E. Kaihara, T. Kleinjung, A. K. Lenstra, and P. L. Montgomery. On the security of 1024-bit rsa and 160-bit elliptic curve cryptography. Cryptology ePrint Archive, Report 2009/389, 2009. http://eprint.iacr.org/.
-  A. M. Braga and E. N. Nascimento. Portability evaluation of cryptographic libraries on android smartphones. In CSS’12, volume 7672, pages 459–469, 2012.
-  M. Brown, D. Hankerson, J. López, and A. Menezes. Software implementation of the nist elliptic curves over prime fields. In Topics in Cryptology - CT-RSA 2001, volume 2020, pages 250–265. 2001.
-  V. Goyal, O. Pandey, A. Sahai, and B. Waters. Attribute-based encryption for fine-grained access control of encrypted data. In CCS’06, pages 89–98, 2006.
-  M. Green, S. Hohenberger, and B. Waters. Outsourcing the Decryption of ABE Ciphertexts. In USENIX Security Symposium, page 3, 2011.
-  Y. Kawahara, T. Takagi, and E. Okamoto. Efficient implementation of tate pairing on a mobile phone using java. In CIS’06, volume 2, pages 1247–1252, 2006.
-  C.-C. Lee, P.-S. Chung, and M.-S. Hwang. A survey on attribute-based encryption schemes of access control in cloud environments. IJ Network Security, 15(4):231–240, 2013.
-  M. Li, W. Lou, and K. Ren. Data security and privacy in wireless body area networks. IEEE Wireless Communications, 17(1):51–58, 2010.
-  B. Lynn. On the implementation of pairing-based cryptosystems. PhD thesis, Stanford University, 2007.
-  A. Sahai and B. Waters. Fuzzy identity-based encryption. In EUROCRYPT’05, pages 457–473, 2005.
-  S. Tillich and J. Grossschaedl. A survey of public-key cryptography on j2me-enabled mobile devices. In ISCIS’04, pages 935–944. 2004.
-  P. Tysowski and M. Hasan. Hybrid Attribute- and Re-Encryption-Based Key Management for Secure and Scalable Mobile Applications in Clouds. IEEE Transactions on Cloud Computing, 1(2):172–186, 2013.
-  A. G. Voyiatzis, K. G. Stefanidis, and D. N. Serpanos. Increasing lifetime of cryptographic keys on smartphone platforms with the controlled randomness protocol. In WESS’11, pages 1–6, 2011.
-  X. Wang, J. Zhang, E. M. Schooler, and M. Ion. Performance evaluation of attribute-based encryption: Toward data privacy in the iot. In ICC’14, 2014.
-  L. Zhang, B. Tiwana, Z. Qian, Z. Wang, R. P. Dick, Z. M. Mao, and L. Yang. Accurate online power estimation and automatic battery behavior based power model generation for smartphones. In CODES/ISSS ’10, pages 105–114, 2010.