Identity-based conditional proxy re-encryption

Last updated

Identity-based conditional proxy re-encryption (IBCPRE) is a type of proxy re-encryption (PRE) scheme in the identity-based public key cryptographic setting. [1] An IBCPRE scheme is a natural extension of proxy re-encryption on two aspects. The first aspect is to extend the proxy re-encryption notion to the identity-based public key cryptographic setting. The second aspect is to extend the feature set of proxy re-encryption to support conditional proxy re-encryption. By conditional proxy re-encryption, a proxy can use an IBCPRE scheme to re-encrypt a ciphertext but the ciphertext would only be well-formed for decryption if a condition applied onto the ciphertext together with the re-encryption key is satisfied. This allows fine-grained proxy re-encryption and can be useful for applications such as secure sharing over encrypted cloud data storage.

Contents

Introduction

A public-key encryption scheme allows anyone who has the public key of a receiver to encrypt messages to the receiver using the public key in such a way that only the corresponding private key known only to the receiver can decrypt and recover the messages. The public key of a user, therefore, can be published for allowing everyone to use it for encrypting messages to the user while the private key of the user has to be kept secret for the decryption purpose. Both the public key and the corresponding private key of the user are generated by the user in general. [2]

Under the identity-based cryptographic setting, the public key of the user can be an arbitrary string of bits, provided that the string can uniquely identify the user in the system. The unique string, for example, can be an email address, a phone number, and a staff ID (if used only internally within an organization). However, the corresponding private key is no longer generated by the user. From the public key, which is a unique binary string, there is a key generation center (KGC), which generates and issues the private key to the user. The KGC has a public key, which is assumed to be publicly known, and the encryption and decryption then work under the unique binary string defined public key and the corresponding private key, respectively, with respect to the KGC’s public key.

Proxy re-encryption allows a ciphertext, which originally can only be decrypted by a user, to be transformed by a public entity, called proxy, to another ciphertext so that another user can also decrypt. Suppose the two users are Alice and Bob. Alice has some messages: M1, M2, … Mn. She intends to encrypt them under her public key, and then upload the encrypted messages to some server.

Now when Alice wants to share these n encrypted messages with Bob, Alice can use a proxy re-encryption scheme to allow the server to re-encrypt these n encrypted messages so that Bob can decrypt these re-encrypted messages directly using his own private key.

To do so in the proxy re-encryption scheme, Alice uses her private key and the public key of Bob to generate a re-encryption key. Alice then sends the re-encryption key to the server. Upon receiving this re-encryption key, the server uses the key to transform all the n encrypted messages C1, C2, …, Cn to a new form denoted as D1, D2, …, Dn. Bob can then download D1, D2, …, Dn, decrypt them, and recover the messages M1, M2, … Mn using his private key.

In an identity-based conditional proxy re-encryption (IBCPRE) system, users set their public keys as unique identities of the users. One of the main advantages of using identity-based cryptographic algorithms is the elimination of public key certificates, which can help enhance the usability of the target security applications. The term ‘Conditional’ in IBCPRE refers to an additional feature, which allows each encrypted message to have a ‘tag’ associated with. In addition to the tag, each re-encryption key also has a ‘tag’ attached. The IBCPRE is designed so that only if the tag of an encrypted message matches with the tag of a re-encryption key can the encrypted message be re-encrypted.

Features

One of the key features of IBCPRE is that when a data owner encrypts messages, the encryption is done for themselves and only they themselves can decrypt the encrypted messages using their secret key. There is no need for them to know in advance about who that they would like to share the encrypted messages with. In other words, picking the friends to share with by them can be done after they encrypt the messages and uploads them to the server.

Another feature of IBCPRE is that it supports end-to-end encryption. The server which stores the encrypted messages cannot decrypt the messages both before and after the re-encryption.

IBCPRE supports one-to-many encryption. The data owner can choose multiple friends to share their data with. For multiple friends to share the encrypted messages with, the owner simply needs to generate a re-encryption key for each of their friends and send all the re-encryption keys to the server for carrying out the re-encryption. The number of re-encryption keys that they need to generate depends on the number of friends that they want to share the encrypted messages with. It does not depend on the number of encrypted messages. One re-encryption key will allow the server to convert all the encrypted messages, provided the tag of the encrypted messages and the tag of the re-encryption key matches.

The conditional ‘tag’ of the IBCPRE facilitates the fine-grained access of encrypted messages. By setting different tag values onto different encrypted messages, the data owner can control the exact set of encrypted messages that they want to share with any particular friends of theirs, with great flexibility.

Applications

Consider a user Alice who encrypts some messages M1, M2, …, Mt with a tag ‘Private’, Mt+1, Mt+2, …, Mm with a tag ‘toShareWithFamily’, Mm+1, Mm+2, …, Mn with a tag ‘toShareWithFriend’, using IBCPRE under her unique identity, which is considered as the public key of Alice. Alice then uploads the corresponding encrypted messages C1, C2, …, Ct, Ct+1, …, Cm, Cm+1, …, Cn to a server.

When Alice is about to share Mm+1, Mm+2, …, Mn with another user Bob, who becomes her friend recently, Alice generates a re-encryption key using IBCPRE with an associated tag ‘toShareWithFriend’. This generation is done by taking as input Alice’s private key and Bob’s identity. Then Alice sends the re-encryption key to the server. By using the re-encryption key, the server runs the IBCPRE re-encryption function on Cm+1, Cm+2, …, Cn for transforming them into another form, Dm+1, Dm+2, …, Dn so that Bob can decrypt them directly using his private key. This transformation can be done as the tag associated with the encrypted messages, namely ‘toShareWithFriend’, matches with the tag associated with the re-encryption key.

Note that the server cannot transform C1, C2, …, Ct, Ct+1, …, Cm to another form for Bob to decrypt using the re-encryption key because the tag of these m encrypted messages, namely ‘Private’ or 'toShareWithFamily', does not match with the tag of the re-encryption key. Also note that the server cannot retrieve any of the messages at any time.

IBCPRE has been used for secure cloud data sharing and related key management solutions in products of AtCipher Limited.

Schemes and security

A related concept to proxy re-encryption called decrypt right delegation was introduced by Mambo and Okamoto [3] in 1997. Then in 1998, Blaze, Bleumer and Strauss [4] formalized the notion of proxy re-encryption by giving a definition to the set of algorithms of a proxy re-encryption scheme. The authors also proposed a scheme for achieving chosen-plaintext security (CPA-security). Later on, various PRE schemes have been proposed. [5] [6] [7] [8] [9] [10] [11] [12]

In 2007, Green and Ateniese [13] and Ivan and Dodis [9] independently proposed several proxy re-encryption schemes in the identity-based cryptographic setting. This type of scheme is usually called identity-based proxy re-encryption (IBPRE). The schemes are unidirectional, namely, the re-encryption key is for one party to re-encrypt cipher-texts to another party, but not vice versa. A new re-encryption key has to be generated for the other direction of re-encryption. In terms of security, the security analyses of the schemes have been done in the random oracle model. One is CPA-secure, multi-hop and the other is chosen-ciphertext-attack-secure (CCA-secure), single-hop. The schemes, however, are not collusion resistant. This means that if a proxy colludes with the corresponding delegatee, the private key of the delegator will be compromised. CPA-secure IBPRE schemes secure without random oracles were subsequently proposed by Matsuo [14] and Mizuno and Doi. [15]

Type-based PRE [16] and conditional PRE (CPRE) [17] are designed to ensure that the proxy can re-encrypt a ciphertext tagged with a specific condition only if the re-encryption key given by the delegator is tagged with the same condition. Two identity-based CPRE (IBCPRE) schemes were proposed to achieve conditional control in both re-encryption and identity-based re-encryption by Liang et al., [18] and achieved CCA security in the standard model, and the other by Shao et al. [19] and achieved CCA security in the random oracle model.

See also

Related Research Articles

<span class="mw-page-title-main">Public-key cryptography</span> Cryptographic system with public and private keys

Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security.

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest that is widely used for secure data transmission. The initialism "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at Government Communications Headquarters (GCHQ), the British signals intelligence agency, by the English mathematician Clifford Cocks. That system was declassified in 1997.

In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1985. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.

In cryptography, an initialization vector (IV) or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.

In cryptography and computer security, a man-in-the-middle (MITM) attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties.

<span class="mw-page-title-main">Ciphertext</span> Encrypted information

In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher to decrypt it. This process prevents the loss of sensitive information via hacking. Decryption, the inverse of encryption, is the process of turning ciphertext into readable plaintext. Ciphertext is not to be confused with codetext because the latter is a result of a code, not a cipher.

ID-based encryption, or identity-based encryption (IBE), is an important primitive of ID-based cryptography. As such it is a type of public-key encryption in which the public key of a user is some unique information about the identity of the user. This means that a sender who has access to the public parameters of the system can encrypt a message using e.g. the text-value of the receiver's name or email address as a key. The receiver obtains its decryption key from a central authority, which needs to be trusted as it generates secret keys for every user.

<span class="mw-page-title-main">Key exchange</span> Cryptographic protocol enabling the sharing of a secret key over an insecure channel

Key exchange is a method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

In cryptography and steganography, plausibly deniable encryption describes encryption techniques where the existence of an encrypted file or message is deniable in the sense that an adversary cannot prove that the plaintext data exists.

The Cramer–Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. Its security is based on the computational intractability of the Decisional Diffie–Hellman assumption. Developed by Ronald Cramer and Victor Shoup in 1998, it is an extension of the ElGamal cryptosystem. In contrast to ElGamal, which is extremely malleable, Cramer–Shoup adds other elements to ensure non-malleability even against a resourceful attacker. This non-malleability is achieved through the use of a universal one-way hash function and additional computations, resulting in a ciphertext which is twice as large as in ElGamal.

Proxy re-encryption (PRE) schemes are cryptosystems which allow third parties (proxies) to alter a ciphertext which has been encrypted for one party, so that it may be decrypted by another.

In cryptography, forward secrecy (FS), also known as perfect forward secrecy (PFS), is a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised. For HTTPS, the long-term secret is typically the private key of the server. Forward secrecy protects past sessions against future compromises of keys or passwords. By generating a unique session key for every session a user initiates, the compromise of a single session key will not affect any data other than that exchanged in the specific session protected by that particular key. This by itself is not sufficient for forward secrecy which additionally requires that a long-term secret compromise does not affect the security of past session keys.

Mental poker is the common name for a set of cryptographic problems that concerns playing a fair game over distance without the need for a trusted third party. The term is also applied to the theories surrounding these problems and their possible solutions. The name comes from the card game poker which is one of the games to which this kind of problem applies. Similar problems described as two party games are Blum's flipping a coin over a distance, Yao's Millionaires' Problem, and Rabin's oblivious transfer.

Integrated Encryption Scheme (IES) is a hybrid encryption scheme which provides semantic security against an adversary who is able to use chosen-plaintext or chosen-ciphertext attacks. The security of the scheme is based on the computational Diffie–Hellman problem.
Two variants of IES are specified: Discrete Logarithm Integrated Encryption Scheme (DLIES) and Elliptic Curve Integrated Encryption Scheme (ECIES), which is also known as the Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme. These two variants are identical up to the change of an underlying group.

Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication.

In cryptography, a hybrid cryptosystem is one which combines the convenience of a public-key cryptosystem with the efficiency of a symmetric-key cryptosystem. Public-key cryptosystems are convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely. However, they often rely on complicated mathematical computations and are thus generally much more inefficient than comparable symmetric-key cryptosystems. In many applications, the high cost of encrypting long messages in a public-key cryptosystem can be prohibitive. This is addressed by hybrid systems by using a combination of both.

Attribute-based encryption is a generalisation of public-key encryption which enables fine grained access control of encrypted data using authorisation policies. The secret key of a user and the ciphertext are dependent upon attributes. In such a system, the decryption of a ciphertext is possible only if the set of attributes of the user key matches the attributes of the ciphertext.

The Sakai–Kasahara scheme, also known as the Sakai–Kasahara key encryption algorithm (SAKKE), is an identity-based encryption (IBE) system proposed by Ryuichi Sakai and Masao Kasahara in 2003. Alongside the Boneh–Franklin scheme, this is one of a small number of commercially implemented identity-based encryption schemes. It is an application of pairings over elliptic curves and finite fields. A security proof for the algorithm was produced in 2005 by Chen and Cheng. SAKKE is described in Internet Engineering Task Force (IETF) RFC 6508.

References

  1. Ge, Chunpeng (May 2017). "Identity-based conditional proxy re-encryption with fine grain policy". Computer Standards & Interfaces. 52: 1–9. doi: 10.1016/j.csi.2016.12.005 via Elsevier Science Direct.
  2. "WHAT IS A DIGITAL ENVELOPE?". RSA Laboratories .
  3. M. Mambo; E. Okamoto (1997). Proxy cryptosystems: Delegation of the power to decrypt ciphertexts. IEICE Transactions E80-A(1). pp. 54–63.
  4. M. Blaze; G. Bleumer; M. Strauss (1998). Divertible protocols and atomic proxy cryptography. EUROCRYPT. LNCS, vol. 1403: Springer. pp. 127–144.{{cite book}}: CS1 maint: location (link)
  5. B. Libert; D. Vergnaud (2011). Unidirectional chosen-ciphertext secure proxy re-encryption. IEEE Transactions on Information Theory 57(3): IEEE. pp. 1786–1802.{{cite book}}: CS1 maint: location (link)
  6. T. Isshiki; M. H. Nguyen; K. Tanaka (2013). Proxy re-encryption in a stronger security model extended from CT-RSA2012. CT-RSA 2012. LNCS, vol. 7779: Springer. pp. 277–292.{{cite book}}: CS1 maint: location (link)
  7. G. Hanaoka; Y. Kawai; N. Kunihiro; T. Matsuda; J. Weng; R. Zhang; Y. Zhao (2012). Generic construction of chosen ciphertext secure proxy re-encryption. CT- RSA. LNCS, vol. 7178: Springer. pp. 349–364.{{cite book}}: CS1 maint: location (link)
  8. B. Libert; D. Vergnaud (2008). Unidirectional chosen-ciphertext secure proxy re-encryption. Public Key Cryptography. LNCS, vol. 4939: Springer. pp. 360–379.{{cite book}}: CS1 maint: location (link)
  9. 1 2 A. A. Ivan; Y. Dodis (2003). Proxy cryptography revisited. NDSS: The Internet Society.
  10. R. Canetti; S. Hohenberger (2007). Chosen-ciphertext secure proxy re-encryption. ACM Conference on Computer and Communications Security: ACM. pp. 185–194.
  11. G. Ateniese; K. Fu; M. Green; S. Hohenberger (2006). Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 9(1). pp. 1–30.{{cite book}}: CS1 maint: location (link) CS1 maint: location missing publisher (link)
  12. G. Ateniese; K. Fu; M. Green; S. Hohenberger (2005). Improved proxy re-encryption schemes with applications to secure distributed storage. NDSS: The Internet Society.
  13. M. Green; G. Ateniese (2007). Identity-based proxy re-encryption. ACNS. LNCS, vol. 4521: Springer. pp. 288–306.{{cite book}}: CS1 maint: location (link)
  14. T. Matsuo (2007). Proxy re-encryption systems for identity-based encryption. Pairing. LNCS, vol. 4575: Springer. pp. 247–267.{{cite book}}: CS1 maint: location (link)
  15. T. Mizuno; H. Doi (2011). Secure and efficient IBE-PKE proxy re-encryption. IEICE Transactions 94-A(1): IEICE. pp. 36–44.{{cite book}}: CS1 maint: location (link)
  16. Q. Tang (2008). Type-based proxy re-encryption and its construction. INDOCRYPT. LNCS, vol. 5365: Springer. pp. 130–144.{{cite book}}: CS1 maint: location (link)
  17. J. Weng; R. H. Deng; X. Ding; C. K. Chu; J. Lai (2009). Conditional proxy re-encryption secure against chosen-ciphertext attack. ASIACCS: ACM. pp. 322–332.
  18. K. Liang; Z. Liu; X. Tan; D. S. Wong; C. Tang (2013). "A CCA-Secure Identity-Based Conditional Proxy Re-Encryption without Random Oracles". Information Security and Cryptology – ICISC 2012. Lecture Notes in Computer Science. Vol. 7839. The 15th International Conference on Information Security and Cryptology (ICISC 2012), LNCS 7839: Springer. pp. 231–246. doi:10.1007/978-3-642-37682-5_17. ISBN   978-3-642-37681-8.{{cite book}}: CS1 maint: location (link)
  19. J. Shao; G. Wei; Y. Ling; M. Xie (June 2011). "Identity-Based Conditional Proxy Re-Encryption". 2011 IEEE International Conference on Communications (ICC). Proceedings of IEEE International Conference on Communications, ICC 2011: IEEE. pp. 1–5. doi:10.1109/icc.2011.5962419. ISBN   978-1-61284-232-5. S2CID   34372106.{{cite book}}: CS1 maint: location (link)
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.