llow
a user to view data if his access policy allows it. While the use

of trusted
servers allows for a relatively straightforward solution the

re is a large
downside to this approach --- both the servers and their

storage must be
trusted and remain uncompromised. A natural solution to
this problem is to
encrypt stored data. However traditional public-key
encryption methods
require that data be encrypted to one particular use

r''s public key and are
unsuitable for expressing more complex access co

ntrol policies.

In this talk I will present recent work on a new cr

yptographic primitive called
Attribute-Based Encryption (ABE) that was
created to address this issue.
Attribute-Based Encryption allows for e

xpressive access policies over
encrypted data. In an ABE system encrypte

d data is annotated with descriptive
attributes and users'' private keys
are ascribed access formulas over these
attributes. For example if Car

ol is assigned to read and process
systems-seminar messages during the y

ear 2007 she would be ascribed the
private key with the access formula

Subj:Systems-Seminar AND Year:2007.

I will focus this talk on the ch

allenges of creating ABE systems that are both
secure and efficient. In

particular an ABE system must be secure against an
attacker that collec

ts several private keys from different colluding users. We
also want to

avoid designs that are prohibitively expensive; for example a
solution
should not include a separate public key/private for every possible
acc

ess control policy that might ever be used. In addition I will talk about<

br>recent efforts in implementing Attribute-Based Encryption and making it<