Method, apparatus, and program product for enabling access to flexibly redacted content
First Claim
1. A computer controlled method for generating one or more capability keys related to an unencrypted data unit comprising:
selecting one or more attributes from a list of attributes related to said unencrypted data unit;
using a computer, computing a key descriptor responsive to a selection of one or more access rights capable of being represented by a monotone boolean relationship between said one or more attributes;
generating one or more random numbers;
generating one or more shares responsive to said monotone boolean relationship and responsive to a master secret;
generating a unique capability key responsive to one or more cryptosystem parameters, said one or more shares and said one or more random numbers, wherein said unique capability key and said key descriptor together enable decryption of sensitive information within a selectively encrypted data unit created from the unencrypted data unit; and
providing said unique capability key and said key descriptor wherein at least one of said one or more access rights is specified as a threshold relationship of said one or more attributes from a subset of said one or more attributes;
wherein the generating said one or more shares further comprises selecting a random polynomial of degree I−1 responsive to said master secret wherein said one or more shares can be represented as one or more respective points on said random polynomial;
wherein the threshold relationship is operative to reduce the number of shares and number of auxiliary values; and
wherein I is the number of attributes in the threshold relationship.
Abstract
A capability key is generated that provides access to sensitive information within a selectively encrypted data unit created from an unencrypted data unit. A user specifies access rights as a monotone boolean relationship between a selection of a list of attributes related to the unencrypted data unit. This relationship is used to compute a key descriptor. Next, one or more shares of a master secret are generated responsive to the monotone boolean relationship and a random number. Next, a unique capability key is computed from one or more cryptosystem parameters, the one or more shares and the random number. The unique capability key and the key descriptor together enable decryption of sensitive information within a selectively encrypted data unit created from an unencrypted data unit. Finally, the unique capability key and the key descriptor are provided to allow decryption of sensitive information within the selectively encrypted data unit.
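The share-generation step described above can be sketched as follows. This is an added example, not code from the patent: it assumes textbook Shamir sharing (a random polynomial of degree k−1 for a k-of-n gate, with AND as n-of-n and OR as 1-of-n), and the field modulus `P`, the tuple policy encoding and the attribute names are constructed for illustration. The capability key itself and the cryptosystem parameters are not modelled; shares are handled in the clear.

```python
import secrets

P = 2**127 - 1  # prime field modulus (assumed parameter, not from the patent)

def _eval(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def share(policy, secret, path=()):
    """Split secret over a policy tree; returns {leaf_path: (attribute, share)}."""
    if isinstance(policy, str):                # leaf: one attribute
        return {path: (policy, secret)}
    k, children = policy                       # gate: k-of-len(children)
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    out = {}
    for i, child in enumerate(children, start=1):
        out.update(share(child, _eval(coeffs, i), path + (i,)))
    return out

def _interpolate_at_zero(points):
    """Lagrange interpolation of the polynomial through points, at x = 0."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def reconstruct(policy, shares, attrs, path=()):
    """Recover the node secret, or None if attrs do not satisfy the policy."""
    if isinstance(policy, str):
        return shares[path][1] if policy in attrs else None
    k, children = policy
    pts = []
    for i, child in enumerate(children, start=1):
        v = reconstruct(child, shares, attrs, path + (i,))
        if v is not None:
            pts.append((i, v))
    return _interpolate_at_zero(pts[:k]) if len(pts) >= k else None

# Constructed policy: "clearance" AND (any 2 of "legal", "finance", "audit")
POLICY = (2, ["clearance", (2, ["legal", "finance", "audit"])])
```

Because the relationship is monotone, adding attributes to a satisfying set can never turn a successful reconstruction into a failure.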
26 Claims
1. A computer controlled method for generating one or more capability keys related to an unencrypted data unit comprising:
selecting one or more attributes from a list of attributes related to said unencrypted data unit;
using a computer, computing a key descriptor responsive to a selection of one or more access rights capable of being represented by a monotone boolean relationship between said one or more attributes;
generating one or more random numbers;
generating one or more shares responsive to said monotone boolean relationship and responsive to a master secret;
generating a unique capability key responsive to one or more cryptosystem parameters, said one or more shares and said one or more random numbers, wherein said unique capability key and said key descriptor together enable decryption of sensitive information within a selectively encrypted data unit created from the unencrypted data unit; and
providing said unique capability key and said key descriptor wherein at least one of said one or more access rights is specified as a threshold relationship of said one or more attributes from a subset of said one or more attributes;
wherein the generating said one or more shares further comprises selecting a random polynomial of degree I−1 responsive to said master secret wherein said one or more shares can be represented as one or more respective points on said random polynomial;
wherein the threshold relationship is operative to reduce the number of shares and number of auxiliary values; and
wherein I is the number of attributes in the threshold relationship.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. An apparatus comprising:
a central processing unit (CPU),
a memory coupled to said CPU,
an attribute logic configured to select one or more attributes from a list of attributes related to said unencrypted data unit;
a key descriptor generation logic configured to compute a key descriptor responsive to a selection of one or more access rights capable of being represented by a monotone boolean relationship between said one or more attributes;
a random number generator configured to generate one or more random numbers;
a share generation logic configured to generate one or more shares responsive to said monotone boolean relationship and responsive to a master secret;
a key generation logic configured to generate a unique capability key responsive to one or more cryptosystem parameters, said one or more shares and said one or more random numbers, wherein said unique capability key and said key descriptor together enable decryption of sensitive information within a selectively encrypted data unit created from the unencrypted data unit; and
a provision logic configured to provide said unique capability key and said key descriptor wherein at least one of said one or more access rights is specified as a threshold relationship of said one or more attributes from a subset of said one or more attributes;
wherein the generating said one or more shares further comprises selecting a random polynomial of degree I−1 responsive to said master secret wherein said one or more shares can be represented as one or more respective points on said random polynomial;
wherein the threshold relationship is operative to reduce the number of shares and number of auxiliary values; and
wherein I is the number of attributes in the threshold relationship.
Dependent claims: 11, 12, 13, 14, 15, 16, 17
18. A computer program product comprising:
a non-transitory computer-usable data carrier providing instructions that, when executed by a computer, cause said computer to perform a method to generate one or more capability keys related to an unencrypted data unit, said method comprising:
selecting one or more attributes from a list of attributes related to said unencrypted data unit;
computing a key descriptor responsive to a selection of one or more access rights capable of being represented by a monotone boolean relationship between said one or more attributes;
generating one or more random numbers;
generating one or more shares responsive to said monotone boolean relationship and responsive to a master secret;
generating a unique capability key responsive to one or more cryptosystem parameters, said one or more shares and said one or more random numbers, wherein said unique capability key and said key descriptor together enable decryption of sensitive information within a selectively encrypted data unit created from the unencrypted data unit; and
providing said unique capability key and said key descriptor wherein at least one of said one or more access rights is specified as a threshold relationship of said one or more attributes from a subset of said one or more attributes;
wherein the generating said one or more shares further comprises selecting a random polynomial of degree I−1 responsive to said master secret wherein said one or more shares can be represented as one or more respective points on said random polynomial;
wherein the threshold relationship is operative to reduce the number of shares and number of auxiliary values; and
wherein I is the number of attributes in the threshold relationship.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26
Specification