Provably Secure Timed-Release Proxy Conditional Re-Encryption

Chun-I Fan, Jun-Cheng Chen, Shi-Yuan Huang, Jheng-Jia Huang, and Wen-Tsuen Chen

National Sun Yat-sen University, Kaohsiung, Taiwan
Institute for Information Industry, Taipei, Taiwan
Academia Sinica, Taipei, Taiwan
National Tsing Hua University, Hsinchu, Taiwan

IEEE Systems Journal, accepted, 2015

Outline

1. Introduction
2. Related Works
3. Preliminaries
4. Security Proofs
5. Comparisons
6. Conclusions

Introduction

Cloud computing technologies have developed rapidly, and some industries have created related applications for this environment, such as Amazon EC2. Each user can rent computing resources and storage space from cloud service providers to obtain sufficient computing capability on demand.

Ultra Fast Communication: 4G/LTE, 5G (up to 5Gbps and 50Gbps), Molecular/Bacterial-Inspired Communication

In these applications, users can upload their files to servers and download them or synchronize them to any device when they need to.

Drawbacks: Current cloud storage services, such as Dropbox, have been shown not to protect the privacy of the stored files well. The service providers can easily access the content of each file, since the users apply no restrictions or protection mechanisms.

There are many works that try to solve the problem.

Searchable encryption:
- B. Zhang and F. Zhang, "An Efficient Public Key Encryption with Conjunctive-Subset Keywords Search," 2011
- Q. Liu, G. Wang, and J. Wu, "Secure and Privacy Preserving Keyword Searching for Cloud Storage Services," 2012

Secure data outsourcing:
- M. Zhou, Y. Mu, W. Susilo, J. Yan, and L. Dong, "Privacy Enhanced Data Outsourcing in the Cloud," 2012

Motivation

File sharing is desired in the cloud environment. In 2011, Emura et al. proposed a timed-release proxy re-encryption scheme. Their scheme lacks flexibility for the following reasons:
- A file owner cannot decrypt a ciphertext before the specified time arrives.
- It cannot support designated ciphertext delegation, where the file owner either gives all files or nothing to the receivers.

Contributions

We propose timed-release proxy conditional re-encryption (TRPCRE), which achieves the following goals:
- The uploaded files are stored in the cloud storage securely.
- A file owner can share specified ciphertexts with designated receivers without leaking information about other ciphertexts.
- A file owner can attach a time factor to a designated ciphertext such that the receivers cannot decrypt it until the specified time arrives.
- It provides two different ways to generate a first-level ciphertext, which is called flexible encryption.
- The security can be demonstrated by complete proofs.

Timed-Release Encryption

TRE: A sender can designate a time when she/he encrypts a message such that the receiver cannot decrypt the ciphertext until the time arrives. There are two approaches:
- The time-lock puzzle approach
- The time server approach

- In 1993, May introduced the concept of timed-release encryption (TRE).
- In 1996, Rivest, Shamir, and Wagner discussed TRE further.
- In 1999, Crescenzo et al. proposed a protocol in which the sender does not have to interact with the server.
- In 2005, Cathalo et al. proposed a non-interactive timed-release encryption scheme that is more efficient than the others.
- In 2005, Hwang et al. first showed a timed-release encryption scheme with a pre-opening capability.
- From 2007 to 2010, Dean et al., Nakai et al., and Matsuda et al. each proposed works to enhance the performance or the security.
- From 2005 to 2011, Chan et al., Chalkias et al., and Fujioka et al. continued the research on TRE security properties.

Proxy Re-Encryption

- In 1998, Blaze, Bleumer, and Strauss presented the first proxy re-encryption scheme.
- In 2005, Ateniese, Green, and Hohenberger proposed the first unidirectional proxy re-encryption scheme based on bilinear maps.
- In 2007, Canetti and Hohenberger gave a security definition against chosen ciphertext attacks for proxy re-encryption.
- In 2007, Chu et al. and Green et al. proposed unidirectional identity-based proxy re-encryption schemes that achieve chosen ciphertext security.
- In 2008, Tang first proposed the type-based proxy re-encryption scheme, which enables the delegator to selectively delegate his encrypting right to the delegatee.

- In 2009, Weng et al. proposed a conditional proxy re-encryption scheme with the same properties as the typical type-based PRE scheme.
- In 2009, Ateniese et al. first analyzed the notion of key privacy, which demands that anyone, including the proxy, is unable to obtain any useful information.
- In 2009, Libert et al. proposed the first chosen ciphertext secure unidirectional proxy re-encryption scheme.
- In 2010, Emura et al. proposed the first timed-release proxy re-encryption scheme.
- In 2012, Guo et al. proposed a bidirectional proxy re-encryption scheme.

- In 2012, Hanaoka et al. introduced a generic construction of a unidirectional proxy re-encryption scheme with CCA security.
- In 2014, Cai et al. proposed a new multi-use CCA-secure proxy re-encryption scheme.
- In 2014, Singh et al. constructed an ID-based unidirectional proxy re-encryption scheme using a lattice-based cryptosystem.

None of the above schemes supports both designated ciphertext delegation and timed-release delegation.

In 2013, Liang et al. proposed a conditional proxy broadcast re-encryption scheme supporting timed-release. It also supports multiple receivers. It did not provide flexible encryption and complete security proofs.

Bilinear Pairing

Let $G_1$ and $G_2$ denote an additive group and a multiplicative group of prime order $q$, respectively. Let $P$ be a generator of $G_1$. A bilinear mapping $\hat{e} : G_1 \times G_1 \to G_2$ has the following properties:
1. Bilinearity: $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$, where $P, Q \in G_1$ and $a, b \in Z_q^*$.
2. Non-degeneracy: $\hat{e}(P, P) \neq 1_{G_2}$, if $P$ is the generator of $G_1$.
3. Computability: There exists an efficiently computable algorithm to compute $\hat{e}(P, Q)$ for any $P, Q \in G_1$.

Decisional Bilinear Diffie-Hellman Problem

Let $G$ and $G_T$ be two cyclic multiplicative groups of prime order $p$, $g$ be a generator of $G$, and $e : G \times G \to G_T$ be a bilinear mapping. Given $(g, g^a, g^b, g^c)$ and $Z$ for some $a, b, c \in Z_p^*$ and $Z \in G_T$, determine whether $Z = e(g, g)^{abc}$.

Decisional Bilinear Diffie-Hellman Assumption

Given $(g, g^a, g^b, g^c) \in G$ and $Z \in G_T$, there is no polynomial-time algorithm that can decide whether $Z = e(g, g)^{abc}$ with non-negligible advantage.

Timed-Release Proxy Conditional Re-Encryption

A timed-release proxy conditional re-encryption scheme is defined as follows, based on Weng et al.'s scheme in 2009.

Definition (Timed-Release Proxy Conditional Re-Encryption Scheme (TRPCRE)). A timed-release proxy conditional re-encryption scheme contains nine polynomial-time algorithms: Setup, TimeKeyExt, KeyGen, Enc2, Dec2, ReKeyGen, ReEnc, Enc1, and Dec1.

$\mathrm{Setup}(\lambda) \to (param, ts)$
- $\lambda$: a security parameter
- $param$: public environment parameter
- $ts$: time server's master secret key

$\mathrm{TimeKeyExt}(param, ts, T) \to K_T$
- $T$: a specified time
- $K_T$: timed-release key

$\mathrm{KeyGen}(param) \to (pk, sk)$
- $pk$: the public key of a user
- $sk$: the private key corresponding to $pk$

$\mathrm{Enc2}(param, pk, w, m) \to CT_2$
- $w \in \{0, 1\}^*$: a condition
- $m$: a message
- $CT_2$: a second-level ciphertext

$\mathrm{Dec2}(param, sk, w, CT_2) \to m$ or $\perp$

$\mathrm{ReKeyGen}(param, sk_i, pk_j, w, T) \to RK_{i,j,w,T}$
- $RK_{i,j,w,T}$: a re-encryption key that can transform a $CT_2$ encrypted for $U_i$ into a first-level ciphertext $CT_1$ under $w$, where $CT_1$ cannot be decrypted by $U_j$ until $T$ arrives.

$\mathrm{ReEnc}(param, RK_{i,j,w,T}, CT_2) \to CT_1$
- $CT_1$: a first-level ciphertext that can be decrypted by $U_j$'s private key and the corresponding timed-release key $K_T$.

$\mathrm{Enc1}(param, pk, T, m) \to CT_1$

$\mathrm{Dec1}(param, sk, K_T, CT_1) \to m$ or $\perp$

The Proposed Scheme: Our Construction

$\mathrm{Setup}(\lambda) \to (param, ts)$: The algorithm performs the following.
- Generate two multiplicative groups $G$ and $G_T$ of large prime order $p$.
- Find a generator $g$ of $G$.
- Select a bilinear mapping $e : G \times G \to G_T$.
- Choose a CCA-secure symmetric encryption/decryption pair: (SymEnc, SymDec).

Setup (continued):
- Choose seven one-way hash functions:
  $H_1 : G \times \{0, 1\}^* \to G$; $H_2 : \{0, 1\}^* \times G_T \to Z_p^*$; $H_3 : G_T \to \{0, 1\}^l$; $H_4 : G_T \to G$; $H_5 : \{0, 1\}^* \to G$; $H_6 : G \times G_T \to Z_p^*$; $H_7 : \{0, 1\}^* \to G$
- Randomly pick the time server's master key $ts$ from $Z_p^*$.
- Compute $TS = g^{ts}$.
- The public environment parameter is $param = \{G, G_T, p, g, e, \mathrm{SymEnc}, \mathrm{SymDec}, H_1, H_2, H_3, H_4, H_5, H_6, H_7, TS\}$.

$\mathrm{TimeKeyExt}(param, ts, T) \to K_T = H_5(T)^{ts}$

$\mathrm{KeyGen}(param) \to (pk, sk)$
1. Pick a random element $x$ in $Z_p^*$ and compute $g^x$.
2. Output a public-private key pair $(pk, sk) = (g^x, x)$.

$\mathrm{Enc2}(param, pk_i, w, m) \to CT_2$: A message $m \in \{0, 1\}^*$ can be encrypted under a condition $w \in \{0, 1\}^*$.
1. Randomly pick an element $k_1$ in $G_T$.
2. Compute:
   $C_1 = \mathrm{SymEnc}_{H_3(k_1)}(m)$
   $C_2 = k_1 \cdot e(pk_i, H_1(pk_i, w))^{H_2(m, k_1)}$
   $C_3 = g^{H_2(m, k_1)}$
   $C_4 = H_7(C_1 \| C_2 \| C_3)^{H_2(m, k_1)}$
3. Output $CT_2 = \{C_1, C_2, C_3, C_4\}$.

$\mathrm{Dec2}(param, sk, w, CT_2) \to m$ or $\perp$
1. Let $CT_2 = \{C_1, C_2, C_3, C_4\}$ and $sk = x$.
2. Check if $e(C_4, g) = e(H_7(C_1 \| C_2 \| C_3), C_3)$. If it does not hold, output $\perp$ and abort.
3. Compute $k_1' = \dfrac{C_2}{e(H_1(g^x, w), C_3)^x}$.
4. Compute $m' = \mathrm{SymDec}_{H_3(k_1')}(C_1)$.
5. Check if $C_3 = g^{H_2(m', k_1')}$. If false, output $\perp$ and abort; otherwise, return $m = m'$.

Dec2: Let $x = x_i$. The correctness is demonstrated as follows.

$$
\begin{aligned}
k_1' &= \frac{C_2}{e(H_1(g^{x_i}, w), C_3)^{x_i}}
      = \frac{k_1 \cdot e(g^{x_i}, H_1(g^{x_i}, w))^{H_2(m, k_1)}}{e(H_1(g^{x_i}, w), g^{H_2(m, k_1)})^{x_i}} \\
     &= \frac{k_1 \cdot e(g^{x_i}, H_1(g^{x_i}, w))^{H_2(m, k_1)}}{e(g^{x_i}, H_1(g^{x_i}, w))^{H_2(m, k_1)}}
      = k_1
\end{aligned}
$$

$\mathrm{ReKeyGen}(param, sk_i, pk_j, w, T) \to RK_{i,j,w,T}$
1. Let $sk_i = x_i$ and $pk_j = g^{x_j}$.
2. Pick two random elements $r_1$ in $Z_p^*$ and $k_2$ in $G_T$.
3. Compute:
   $R_1 = H_1(g^{x_i}, w)^{x_i} \cdot pk_j^{r_1}$
   $R_2 = g^{r_1} \cdot H_4(k_2)$
   $R_3 = k_2 \cdot e(H_5(T), TS)^{H_6(g^{r_1}, k_2)}$
   $R_4 = g^{H_6(g^{r_1}, k_2)}$
   $R_5 = H_7(R_2 \| R_3 \| R_4)^{r_1}$
4. Output $RK_{i,j,w,T} = \{R_1, R_2, R_3, R_4, R_5\}$.

$\mathrm{ReEnc}(param, RK_{i,j,w,T}, CT_2) \to CT_1$
1. Let $RK_{i,j,w,T} = \{R_1, R_2, R_3, R_4, R_5\}$ and $CT_2 = \{C_1, C_2, C_3, C_4\}$.
2. Check if $e(C_4, g) = e(H_7(C_1 \| C_2 \| C_3), C_3)$. If false, output $\perp$ and abort.
3. Compute $C_2' = \dfrac{C_2}{e(R_1, C_3)}$.
4. Set $C_4' = R_2$, $C_5' = R_3$, $C_6' = R_4$, and $C_7' = R_5$.
5. Return $CT_1 = \{C_1, C_2', C_3, C_4', C_5', C_6', C_7'\}$.

$\mathrm{Enc1}(param, pk_j, T, m) \to CT_1$
1. Randomly pick $k_1, k_2$ in $G_T$ and $r_1$ in $Z_p^*$.
2. Compute:
   $C_1 = \mathrm{SymEnc}_{H_3(k_1)}(m)$
   $C_2' = \dfrac{k_1}{e(pk_j, g)^{r_1 H_2(m, k_1)}}$
   $C_3 = g^{H_2(m, k_1)}$
   $C_4' = g^{r_1} \cdot H_4(k_2)$
   $C_5' = k_2 \cdot e(H_5(T), TS)^{H_6(g^{r_1}, k_2)}$
   $C_6' = g^{H_6(g^{r_1}, k_2)}$
   $C_7' = H_7(C_4' \| C_5' \| C_6')^{r_1}$
3. Output $CT_1 = \{C_1, C_2', C_3, C_4', C_5', C_6', C_7'\}$.

$\mathrm{Dec1}(param, sk, K_T, CT_1) \to m$ or $\perp$
1. Let $CT_1 = \{C_1, C_2', C_3, C_4', C_5', C_6', C_7'\}$ and $sk = x$.
2. Compute $k_2' = \dfrac{C_5'}{e(K_T, C_6')}$ and $g^{r_1'} = \dfrac{C_4'}{H_4(k_2')}$.
3. Check if $C_6' = g^{H_6(g^{r_1'}, k_2')}$. If false, output $\perp$ and abort.
4. Check if $e(C_7', g) = e(H_7(C_4' \| C_5' \| C_6'), g^{r_1'})$. If false, output $\perp$ and abort.
5. Compute $k_1' = C_2' \cdot e(g^{r_1'}, C_3)^x$.
6. Compute $m' = \mathrm{SymDec}_{H_3(k_1')}(C_1)$.
7. Check if $C_3 = g^{H_2(m', k_1')}$. If false, output $\perp$ and abort; otherwise, return $m'$.

Dec1 (Assume $x = x_j$.)

Case 1. ($CT_1$ is generated by Enc1)

1. $k_2' = \dfrac{C_5'}{e(K_T, C_6')} = \dfrac{k_2 \cdot e(H_5(T), TS)^{H_6(g^{r_1}, k_2)}}{e(H_5(T)^{ts}, g^{H_6(g^{r_1}, k_2)})} = k_2$
2. $k_1' = C_2' \cdot e(g^{r_1'}, C_3)^{x_j} = \dfrac{k_1}{e(g^{x_j}, g)^{r_1 H_2(m, k_1)}} \cdot e(g^{r_1}, g^{H_2(m, k_1)})^{x_j} = k_1$

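Case 2. ($CT_1$ is generated by ReEnc)

1. $k_2' = k_2$, which is the same as the above.
2. The key $k_1$ is recovered as follows:

$$
\begin{aligned}
k_1' &= C_2' \cdot e(g^{r_1'}, C_3)^{x_j}
      = \frac{C_2}{e(R_1, C_3)} \cdot e(g^{r_1}, g^{H_2(m, k_1)})^{x_j} \\
     &= \frac{k_1 \cdot e(g^{x_i}, H_1(g^{x_i}, w))^{H_2(m, k_1)} \cdot e(g^{r_1}, g^{H_2(m, k_1)})^{x_j}}{e(H_1(g^{x_i}, w)^{x_i} g^{x_j r_1}, g^{H_2(m, k_1)})} \\
     &= \frac{k_1 \cdot e(g^{x_i}, H_1(g^{x_i}, w))^{H_2(m, k_1)} \cdot e(g^{r_1}, g^{H_2(m, k_1)})^{x_j}}{e(H_1(g^{x_i}, w)^{x_i}, g^{H_2(m, k_1)}) \cdot e(g^{x_j r_1}, g^{H_2(m, k_1)})}
      = k_1.
\end{aligned}
$$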
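The delegation path above (Enc2, ReKeyGen, ReEnc, Dec1) can be checked end to end in a toy model. This is an added example, not code from the paper: it stores every group element as its exponent mod p, so it offers no security at all, and the tagged hash `H`, the XOR stream `sym`, the prime `p` and the sample strings are assumptions made for illustration.

```python
# Toy model, NOT secure: g^a in G and e(g,g)^a in GT are both stored as the
# exponent a mod p, so multiplying elements is addition, exponentiation is
# multiplication, and the pairing e(g^a, g^b) = e(g,g)^(ab) is a*b mod p.
import hashlib, secrets
p, g = 2**127 - 1, 1                 # constructed prime order; generator g = g^1

def H(i, *parts):                    # stand-in for H1..H7, output in Z_p^*
    d = hashlib.sha256(repr((i, parts)).encode()).digest()
    return int.from_bytes(d, "big") % (p - 1) + 1
def rnd(): return secrets.randbelow(p - 1) + 1
def e(a, b): return a * b % p
def sym(k, data):                    # XOR stream stand-in for SymEnc/SymDec
    pad = hashlib.shake_256(str(H(3, k)).encode()).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, pad))

def setup(): ts = rnd(); return ts, ts * g % p            # (ts, TS = g^ts)
def time_key_ext(ts, T): return H(5, T) * ts % p          # K_T = H5(T)^ts
def keygen(): x = rnd(); return x * g % p, x              # (pk = g^x, sk = x)

def enc2(pk, w, m):
    k1 = rnd(); h = H(2, m, k1)
    C1 = sym(k1, m)
    C2 = (k1 + e(pk, H(1, pk, w)) * h) % p     # k1 * e(pk, H1(pk,w))^h
    C3 = h * g % p                             # g^h
    return C1, C2, C3, H(7, C1, C2, C3) * h % p

def rekeygen(sk_i, pk_j, w, T, TS):
    r1, k2 = rnd(), rnd(); gr1 = r1 * g % p
    h6 = H(6, gr1, k2)
    R1 = (H(1, sk_i * g % p, w) * sk_i + pk_j * r1) % p   # H1(pk_i,w)^x_i * pk_j^r1
    R2 = (gr1 + H(4, k2)) % p                  # g^r1 * H4(k2)
    R3 = (k2 + e(H(5, T), TS) * h6) % p        # k2 * e(H5(T), TS)^h6
    R4 = h6 * g % p
    return R1, R2, R3, R4, H(7, R2, R3, R4) * r1 % p

def reenc(rk, ct2):
    (R1, R2, R3, R4, R5), (C1, C2, C3, C4) = rk, ct2
    if e(C4, g) != e(H(7, C1, C2, C3), C3): return None
    return C1, (C2 - e(R1, C3)) % p, C3, R2, R3, R4, R5    # C2' = C2 / e(R1, C3)

def dec1(sk, KT, ct1):
    C1, C2, C3, C4, C5, C6, C7 = ct1
    k2 = (C5 - e(KT, C6)) % p                  # k2' = C5' / e(K_T, C6')
    gr1 = (C4 - H(4, k2)) % p                  # g^r1' = C4' / H4(k2')
    if C6 != H(6, gr1, k2) * g % p: return None
    if e(C7, g) != e(H(7, C4, C5, C6), gr1): return None
    k1 = (C2 + e(gr1, C3) * sk) % p            # k1' = C2' * e(g^r1', C3)^x
    m = sym(k1, C1)
    return m if C3 == H(2, m, k1) * g % p else None

def demo(msg=b"constructed sample file", T="2030-01-01", early="2029-12-31"):
    ts, TS = setup(); (pk_i, sk_i), (pk_j, sk_j) = keygen(), keygen()
    ct1 = reenc(rekeygen(sk_i, pk_j, "cond-A", T, TS), enc2(pk_i, "cond-A", msg))
    return dec1(sk_j, time_key_ext(ts, early), ct1), dec1(sk_j, time_key_ext(ts, T), ct1)
```

`demo()` returns the result of decrypting with the timed-release key for an earlier time, which is rejected, followed by the result with the key for T, which recovers the message.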

Security Proofs

Second-Level Ciphertext Security

Theorem (The IND-2TRPCRE-CCA2 Security). For any polynomial-time adversary A who wins the IND-2TRPCRE-CCA2 game based on the proposed TRPCRE scheme with advantage at least , there exists a polynomial-time algorithm B that can solve the DBDH problem with advantage 4 .

First-Level Ciphertext Security

Theorem (The IND-1TRPCRE$_{IS}$-CCA2 Security). For any polynomial-time adversary A who wins the IND-1TRPCRE$_{IS}$-CCA2 game based on the proposed TRPCRE scheme with advantage at least , there exists a polynomial-time algorithm B that can solve the DBDH problem with advantage 4 .

Timed-Release Security

Theorem (The IND-1TRPCRE$_{TS}$-CCA2 Security). For any polynomial-time adversary A who wins the IND-1TRPCRE$_{TS}$-CCA2 game based on the proposed TRPCRE scheme with advantage at least , there exists a polynomial-time algorithm B who can solve the DBDH problem with advantage 4 .

Ciphertext Translation Security

Theorem. For any polynomial-time adversary A who wins the Ciphertext-Translation game based on the proposed TRPCRE scheme with advantage at least , there exists a polynomial-time algorithm B who can solve the DBDH problem with advantage 4 .

Properties Comparisons

Performance Comparisons

Conclusions

A file owner can authorize the cloud to transform a designated ciphertext into another one under a designated condition. A transformed ciphertext cannot be decrypted until the chosen time arrives. The proposed scheme supports flexible encryption. The security has been demonstrated by complete security models and proofs.