
Showing papers on "Proxy re-encryption published in 2017"


Journal ArticleDOI
TL;DR: A Privacy-Preserving Data Processing (PPDP) system with the support of a Homomorphic Re-Encryption Scheme (HRES), which extends partial HE from a single-user system to a multi-user one by offering ciphertext re-encryption to allow multiple users to access processed ciphertexts.

79 citations


Journal ArticleDOI
20 Sep 2017
TL;DR: Two IND-CPA-secure multihop unidirectional Proxy Re-Encryption (PRE) schemes are developed by applying the Ring-LWE (RLWE) key switching approach from the homomorphic encryption literature and practical recommendations for applying the PRE schemes to several use cases of ad hoc information sharing for publish-subscribe operations are presented.
Abstract: We develop two IND-CPA-secure multihop unidirectional Proxy Re-Encryption (PRE) schemes by applying the Ring-LWE (RLWE) key switching approach from the homomorphic encryption literature. Unidirectional PRE is ideal for secure publish-subscribe operations where a publisher encrypts information using a public key without knowing upfront who the subscriber will be and what private key will be used for decryption. The proposed PRE schemes provide a multihop capability, meaning that when PRE-encrypted information is published onto a PRE-enabled server, the server can either delegate access to specific clients or enable other servers the right to delegate access. Our first scheme (which we call NTRU-ABD-PRE) is based on a variant of the NTRU-RLWE homomorphic encryption scheme. Our second and main PRE scheme (which we call BV-PRE) is built on top of the Brakerski-Vaikuntanathan (BV) homomorphic encryption scheme and relies solely on the RLWE assumption. We present an open-source C++ implementation of both schemes and discuss several algorithmic and software optimizations. We examine parameter selection tradeoffs in the context of security, runtime/latency, throughput, ciphertext expansion, memory usage, and multihop capabilities. Our experimental analysis demonstrates that BV-PRE outperforms NTRU-ABD-PRE in both single-hop and multihop settings. The BV-PRE scheme has a lower time and space complexity than existing IND-CPA-secure lattice-based PRE schemes and requires small concrete parameters, making the scheme computationally efficient for use on low-resource embedded systems while still providing 100 bits of security. We present practical recommendations for applying the PRE schemes to several use cases of ad hoc information sharing for publish-subscribe operations.

55 citations


Journal ArticleDOI
TL;DR: This paper analyzes the secure access delegation problem, which occurs naturally in the cloud, and postulate that Proxy Re-Encryption is a feasible cryptographic solution, both from the functional and efficiency perspectives.

53 citations


Journal ArticleDOI
TL;DR: A novel semantic keyword searchable proxy re-encryption scheme for secure cloud storage that supports not only exact keyword search but also synonym keyword search and is quantum attack resistant.
Abstract: With the advent of cloud computing, more and more consumers prefer to use cloud services in the pay-as-you-consume mode. Cloud storage brings great convenience to users, who store data in the cloud and access it using smart devices anytime and anywhere. Consumers' information should be encrypted to guarantee data privacy. Flexible searching on ciphertext is a critical challenge to be solved for effective data utilization. In this paper, we propose a novel semantic keyword searchable proxy re-encryption scheme for secure cloud storage. A highlight of this work is that the scheme is quantum attack resistant, while most of the available searchable encryption schemes are not. It supports not only exact keyword search but also synonym keyword search. Moreover, the data owner is able to delegate his search right to another user using the proxy re-encryption mechanism. In the generation process of the re-encryption key, the delegator and delegatee do not need to interact with each other. The scheme is also collusion resistant. Under the learning with errors hardness problem, this scheme is proved secure in the standard model.

39 citations


Journal ArticleDOI
TL;DR: This work constructs an identity-based conditional proxy re-encryption scheme with fine grain policy (IB-CPRE-FG) that can be proved secure against adaptive access tree and adaptive identity chosen-ciphertext attack.

33 citations


Journal ArticleDOI
TL;DR: PICADOR is designed for topic-based Pub/Sub systems and provides end-to-end payload confidentiality and a novel PRE scheme that leverages a general lattice encryption software library is designed and implemented.

33 citations


Journal ArticleDOI
TL;DR: Through performance evaluation, the effectiveness of ESSPR is demonstrated in terms of delivery ratio, average delay, average fairness, and detection ratio under malicious peers proportions in VP2PSN.
Abstract: In this paper, we propose an Efficient Secure routing Scheme based on searchable encryption with vehicle Proxy Re-encryption, called ESSPR, for achieving privacy preservation of messages in a vehicular peer-to-peer social network (VP2PSN). Specifically, the proposed ESSPR scheme consists of six phases: system initialization phase, peer registration phase, document generation phase, document forwarding phase, vehicle proxy re-encryption phase, and document receiving phase. Based on the rationale of a QoS-based clustering strategy, public key encryption with keyword search, identity based aggregate signature, and proxy re-encryption, ESSPR provides privacy for keywords, privacy for resources, and authentication and data integrity of the demand's source. In addition, ESSPR is robust against eavesdropping attack, wormhole attack, packet analysis attack, packet tracing attack, and replay attack. Through performance evaluation, we demonstrate the effectiveness of ESSPR in terms of delivery ratio, average delay, average fairness, and detection ratio under malicious peer proportions in VP2PSN.

28 citations


Patent
01 Jun 2017
TL;DR: In this article, a proxy re-encryption (PRE) scheme is proposed, in which a first user is assigned first encryption and decryption keys, and a second user receives second encryption keys.
Abstract: A device, system and method for fast and secure Proxy Re-Encryption (PRE) using key switching. A first user is assigned first encryption and decryption keys and a second user is assigned second encryption and decryption keys. First encrypted data encrypted with the first encryption key may be re-encrypted using a proxy re-encryption key to simultaneously switch encryption keys by adding the second encryption key and cancelling the first encryption key by the first decryption key to transform the first encrypted data encrypted by the first encryption key to second encrypted data encrypted by the second encryption key, without decrypting the underlying data. The second user may be the sole system device that possesses the (e.g., private) second decryption key to decrypt the second encrypted data.

27 citations


Posted Content
TL;DR: It is shown that if hybrid encryption is used, then schemes are susceptible to a key-scraping attack, and how to construct a new hybrid scheme that is resistant to this attack and highly efficient is shown.
Abstract: We consider the problems of i) using public-key encryption to enforce dynamic access control on clouds; and ii) key rotation of data stored on clouds. Historically, proxy re-encryption, ciphertext delegation, and related technologies have been advocated as tools that allow for revocation and the ability to cryptographically enforce dynamic access control on the cloud, and more recently they have been suggested for key rotation of data stored on clouds. Current literature frequently assumes that data is encrypted directly with public-key encryption primitives. However, for efficiency reasons systems would need to deploy with hybrid encryption. Unfortunately, we show that if hybrid encryption is used, then schemes are susceptible to a key-scraping attack. Given a proxy re-encryption or delegation primitive, we show how to construct a new hybrid scheme that is resistant to this attack and highly efficient. The scheme only requires the modification of a small fraction of the bits of the original ciphertext. The number of modifications scales linearly with the security parameter and logarithmically with the file length: it does not require the entire symmetric-key ciphertext to be re-encrypted! Beyond the construction, we introduce new security definitions for the problem at hand, prove our construction secure, discuss use cases, and provide quantitative data showing its practical benefits and efficiency. We show the construction extends to identity-based proxy re-encryption and revocable-storage attribute-based encryption, and thus that the construction is robust, supporting most primitives of interest.

17 citations


Journal ArticleDOI
TL;DR: This work proposes a leakage resilient ID-based proxy re-encryption scheme in auxiliary input model that can resist the continuous leakage of secret keys caused by side channel attacks.

16 citations


Proceedings ArticleDOI
01 Oct 2017
TL;DR: This paper proposes a highly efficient identity based signcryption scheme and adds a proxy re-encryption feature to it, which allows users to store signed and encrypted data in the cloud, where the cloud server provider is able to check the authentication but not to derive the content of the message.
Abstract: Data storage in cloud computing leads to several security issues such as data privacy, integrity, and authentication. Efficiency for the user to upload and download the data in a secure way plays an important role, as users are nowadays performing these actions on all types of devices, including e.g. smartphones. Signing and encryption of the sensitive data before hosting can solve potential security breaches. In this paper, we propose a highly efficient identity based signcryption scheme and add a proxy re-encryption feature to it. This allows users to store signed and encrypted data in the cloud, where the cloud server provider is able to check the authentication but not to derive the content of the message. When another user requests data access, the originator of the message first checks the authorization and then provides the cloud server an encryption key to re-encrypt the stored data, enabling the requesting party to decrypt the resulting ciphertext and to validate the signature. The proposed scheme is based on elliptic curve operations and does not use compute intensive pairing operations, like previous proposals.

Journal ArticleDOI
TL;DR: A secure zero-knowledge based client side deduplication scheme over encrypted files and a proxy re-encryption based key distribution scheme that ensures that the server knows nothing about the encryption key even though it acts as a proxy to help distribute the file encryption key.

01 Jan 2017
TL;DR: A new security cloud storage data encryption scheme based on identity proxy re-encryption that can support fine-grained access control without using public key certificate and has better extensibility, so this scheme can be better applied into security cloud data sharing.
Abstract: In the process of cloud data storage, the data owner will encrypt data and upload it to the cloud; however, this method cannot support encrypted data sharing. Especially when data is shared with many users, the scalability is very weak. In order to solve this problem, we put forward a new security cloud storage data encryption scheme based on identity proxy re-encryption in this article. This scheme can flexibly share data with other users securely without a fully trusted cloud. For the detailed structure, we use a strongly unforgeable signature scheme combined with identity-based encryption to make the transformed ciphertext publicly verifiable. Furthermore, the transformed ciphertext has chosen-ciphertext security under the standard model. Because this new scheme can support fine-grained access control without using public key certificates and has better extensibility, it can be better applied to security cloud data sharing.

Journal ArticleDOI
TL;DR: This paper combines conditional proxy re-encryption with homomorphic encryption to construct a lattice-based identity-based homomorphic conditional proxy re-encryption for secure big data computing in cloud environment.
Abstract: With the arrival of the era of big data, more and more users begin to adopt public cloud storage to store data and compute data. Sharing large amounts of sensitive data in the public cloud will arouse privacy concerns. Data encryption is a widely accepted method to prevent information leakage. How to achieve the cloud sharing and cloud computing of big data is a challenging problem. Conditional proxy re-encryption can solve cloud sharing, and homomorphic encryption can achieve cloud computing. In this paper, we combine conditional proxy re-encryption with homomorphic encryption to construct a lattice-based identity-based homomorphic conditional proxy re-encryption for secure big data computing in cloud environment. The scheme can not only realize the encrypted data sharing in the cloud, but also realize the encrypted data computing in the cloud. That is, the homomorphic conditional proxy re-encryption scheme can homomorphically evaluate ciphertexts no matter whether ciphertexts are "fresh" or re-encrypted (re

Proceedings ArticleDOI
01 Apr 2017
TL;DR: This paper centers on data security in cloud computing and presents an attribute based proxy re-encryption scheme with keyword search (ABPRE-KS) to provide flexible and secure data sharing among users in the cloud.
Abstract: Cloud computing plays a significant role in the big data era since it can provide dynamic, scalable virtual resource services via the Internet. However, how to enhance the security level of cloud computing is a challenging issue which urgently needs to be tackled. In this paper, we center on data security in cloud computing and present an attribute based proxy re-encryption scheme with keyword search (ABPRE-KS) to provide flexible and secure data sharing among users in the cloud. In our scheme, a user's access privileges are described by an access structure consisting of several attributes, while ciphertexts are labeled by several target attributes. A delegator can transform the original ciphertexts into proxy ciphertexts encrypted by the delegatee's attributes without leaking any sensitive information to the cloud server. Besides, a search request on the ciphertexts is allowed by a delegatee if his credentials satisfy the delegatee's access policy. By security analysis, our ABPRE-KS is confidential and keyword semantic secure under the BDBH assumption.

Journal ArticleDOI
TL;DR: A new CPRE scheme, namely the CPRE for mobile cloud, which utilizes the back-end cloud to the extreme extent so that the overhead of terminals is drastically reduced and the proposed scheme allows users to verify the correctness of outsourced computation under the refereed delegation of computation model.
Abstract: The mobile cloud is a highly heterogeneous and constantly evolving network of numerous portable devices utilizing the powerful back-end cloud infrastructure to overcome their severe deficiency in computing resources and offer various services such as data sharing. Inherently, in the mobile cloud, the risk of user privacy invasion by the cloud operator is high. Conditional proxy re-encryption (CPRE) is a useful concept for secure group data sharing via the cloud while preserving the privacy of the shared data from any unintended third parties, including the cloud operator. Unfortunately, the state-of-the-art CPRE is not particularly designed for the mobile cloud environment and therefore imposes heavy burdens on the weak mobile cloud clients. This paper introduces a new CPRE scheme, namely the CPRE for mobile cloud, which utilizes the back-end cloud to the extreme extent so that the overhead of terminals is drastically reduced. Specifically, our scheme outsources to the cloud a significant amount of the computation overhead caused by the following functions at terminals: (a) re-encryption key generation, (b) condition value change, and (c) decryption. The proposed scheme also allows users to verify the correctness of outsourced computation under the refereed delegation of computation model. Our simulation results show that CPRE for mobile cloud outperforms its existing alternatives. Copyright © 2016 John Wiley & Sons, Ltd.

Proceedings ArticleDOI
04 Dec 2017
TL;DR: A homomorphic proxy re-encryption scheme (HPRE) that allows different users to share data they outsourced homomorphically encrypted using their respective public keys, with the possibility of subsequently processing such data remotely.
Abstract: In this paper, we propose a homomorphic proxy re-encryption scheme (HPRE) that allows different users to share data they outsourced homomorphically encrypted using their respective public keys, with the possibility of subsequently processing such data remotely. Its originality rests on a solution we propose to compute the difference of data encrypted with the Damgard-Jurik cryptosystem. It also takes advantage of a secure combined linear congruential generator that we implemented in the Damgard-Jurik encrypted domain. Basically, in our HPRE scheme, the two users, the delegator and the delegate, ask the cloud server to generate an encrypted noise based on a secret key both users previously agreed on. Based on our solution to compute the difference in the Damgard-Jurik encrypted domain, the cloud computes in clear the differences between the encrypted noise and the encrypted data of the delegator, thus obtaining blinded data. In order for the delegate to get access to the data, the cloud just has to encrypt these differences using the delegate's public key and then remove the noise. This solution doesn't need extra communication between the cloud and the delegator. Our HPRE was implemented in the case of the sharing of uncompressed images stored in the cloud, showing good computation time performance; it is unidirectional and collusion-resistant. Nevertheless, it is not limited to images and can be used with any kind of data.

Book ChapterDOI
24 Oct 2017
TL;DR: This chapter proposes two highly efficient identity based signcryption schemes, one of them is used as a building block for a proxy re-encryption scheme and the other is based on elliptic curve operations.
Abstract: Data storage in cloud computing leads to several security issues such as data privacy, integrity, and authentication. Efficiency for the user to upload and download the data in a secure way plays an important role, as users are nowadays performing these actions on all types of devices, including e.g. smartphones. Signing and encryption of the sensitive data before hosting can solve potential security breaches. In this chapter, we propose two highly efficient identity based signcryption schemes. One of them is used as a building block for a proxy re-encryption scheme. This scheme allows users to store signed and encrypted data in the cloud, where the cloud server provider is able to check the authentication but not to derive the content of the message. When another user requests data access, the originator of the message first checks the authorization and then provides the cloud server with an encryption key to re-encrypt the stored data, enabling the requesting party to decrypt the resulting ciphertext and to validate the signature. The proposed scheme is based on elliptic curve operations and does not use computationally intensive pairing operations, like previous proposals.

Proceedings ArticleDOI
01 Sep 2017
TL;DR: In this paper, an improved proxy re-encryption scheme for symmetric cipher is proposed, which is secure under Chosen Plaintext Attack (CPA) for all possible types of attackers.
Abstract: A proxy re-encryption scheme is a scheme that can be executed by a semi-trusted proxy, so that we can convert a ciphertext encrypted with a key to another ciphertext without allowing the proxy to access the plaintext. A method to implement a secure proxy re-encryption is by first converting the plaintext to an intermediate form by using an all or nothing transform (AONT). In this paper, we describe an improved proxy re-encryption scheme for symmetric cipher by advocating the usage of a variant of the AONT function in the proxy re-encryption scheme. We show that the scheme is secure under Chosen Plaintext Attack (CPA) for all possible types of attackers.

Proceedings ArticleDOI
01 Jan 2017
TL;DR: It is studied how a proxy re-encryption scheme that is both unidirectional and transitive can be useful for enforcing hierarchical access control with constant computation and storage overhead on its users irrespective of the depth of the hierarchy.
Abstract: Proxy re-encryption is a cryptographic primitive used to transform a ciphertext under one public key such that it becomes a ciphertext under another public key using a re-encryption key. Depending on the properties featured by a proxy re-encryption scheme, it can be applied to a variety of applications. In this paper, we target one such application of proxy re-encryption, access control in a hierarchy, to highlight an important research gap in its design. We study how a proxy re-encryption scheme that is both unidirectional and transitive can be useful for enforcing hierarchical access control with constant computation and storage overhead on its users irrespective of the depth of the hierarchy. Also, we present improvements on the existing re-encryption schemes to make them applicable to hierarchical key assignment and achieve performance closer to that of a unidirectional transitive proxy re-encryption scheme.

Journal ArticleDOI
TL;DR: A new cryptographic primitive is introduced, named cloud-aided revocable identity-based encryption scheme with ciphertext update (CA-RIBE-CU), to achieve both ciphertext update and key revocation for identity-based encryption schemes.
Abstract: Key revocation and ciphertext update are two critical issues for identity-based encryption schemes. Designing an identity-based encryption scheme with key revocation and ciphertext update functionalities simultaneously is still a tricky challenge. Recently, Liang et al. introduced the notion of a cloud-based revocable identity-based proxy re-encryption scheme and presented a concrete scheme with the aim of solving the challenge. In this paper, we first show that the scheme of Liang et al. cannot resist re-encryption key forgery attacks and collusion attacks. We then introduce a new cryptographic primitive, named cloud-aided revocable identity-based encryption scheme with ciphertext update (CA-RIBE-CU), to achieve both ciphertext update and key revocation for identity-based encryption schemes. We also define the syntax and security model of the CA-RIBE-CU scheme and propose a CA-RIBE-CU scheme from bilinear pairings. Compared with the scheme of Liang et al., our proposed scheme is collusion resistant, requires less decryption computation, and achieves constant size re-encrypted ciphertext. Finally, we prove the proposed scheme is adaptively secure under the decisional bilinear Diffie–Hellman assumption in the standard model. Copyright © 2016 John Wiley & Sons, Ltd.

Book ChapterDOI
21 Aug 2017
TL;DR: This paper proposes a secure encrypted data deduplication scheme with effective ownership proof and user revocation, and shows that the scheme is efficient and effective for potential practical employment.
Abstract: Cloud storage, as one of the most important cloud services, enables cloud users to save more data without enlarging their own storage. In order to eliminate repeated data and improve the utilization of storage, deduplication is employed in cloud storage. Due to concerns about data security and user privacy, encryption is introduced, but it incurs new challenges for cloud data deduplication. Existing work cannot achieve flexible access control and user revocation. Moreover, few of them can support efficient ownership proof, especially public verifiability of ownership. In this paper, we propose a secure encrypted data deduplication scheme with effective ownership proof and user revocation. We evaluate its performance and prove its security. The simulation results show that our scheme is efficient and effective for potential practical employment.

Proceedings ArticleDOI
29 Aug 2017
TL;DR: It is argued that attribute-based proxy re-encryption is a viable solution for providing the flexibility needed in dynamic scenarios like the ones envisioned by large IoT deployments, along with experimental results that confirm the viability of this approach.
Abstract: With the ever-growing production of data coming from multiple, scattered, highly dynamic sources (like those found in IoT scenarios), it is compelling to (i) provide a seamless way to outsource the management and sharing of data (as provided by cloud services); (ii) assure a high security and privacy level for such data. As such, objectives (i) and (ii) are not easily reconcilable: for example, the way data is accessed may vary according to the access policies of the users and of the cloud providers that share such data. In this paper, we argue that attribute-based proxy re-encryption is a viable solution for providing the flexibility needed in dynamic scenarios like the ones envisioned by large IoT deployments. Towards this goal we present an efficient attribute-based proxy re-encryption scheme that can be deployed in such scenarios, along with experimental results that confirm the viability of our approach.

Journal Article
TL;DR: In this article, an identity-based proxy re-encryption scheme is proposed, which is based on the hardness of standard Learning With Error (LWE) problem and is CPA secure in the standard model.
Abstract: Proxy re-encryption allows an intermediate proxy to convert a ciphertext for Alice into a ciphertext for Bob without seeing the original message or leaking out relevant information. Unlike many prior identity based proxy re-encryption schemes, which are based on number theoretic assumptions such as large integer factorization and the discrete logarithm problem, in this paper we first propose a novel identity based proxy re-encryption scheme which is based on the hardness of the standard Learning With Error (LWE) problem and is CPA secure in the standard model. This scheme can be reduced to a worst-case lattice hard problem and is thus able to resist attacks from quantum algorithms. The key step in our construction is how the challenger answers the private key query under a known trapdoor matrix. Our scheme enjoys the properties of non-interactivity, unidirectionality, anonymity and so on. In this paper, we utilize primitives including the G-trapdoor for lattices and sampling algorithms to realize simple and efficient re-encryption.


Proceedings ArticleDOI
01 Jul 2017
TL;DR: A new method where the data can be re-encrypted in cloud without downloading any data is proposed and the experimental result showed that the method reduces the communication cost by one quarter in comparison with the trivial solution where re-encryption is performed in client side.
Abstract: In the big data era, many users upload data to the cloud while security concerns are growing. By using attribute-based encryption (ABE), users can securely store data in the cloud while exerting access control over it. Revocation is necessary for real-world applications of ABE so that revoked users can no longer decrypt data. In actual implementations, however, revocation requires re-encryption of data on the client side through download, decrypt, encrypt, and upload, which results in huge communication cost between the client and the cloud depending on the data size. In this paper, we propose a new method where the data can be re-encrypted in the cloud without downloading any data. The experimental result showed that our method reduces the communication cost by one quarter in comparison with the trivial solution where re-encryption is performed on the client side.

Journal Article
TL;DR: The notion of ciphertext origin authentication to determine who encrypted the message (initiated a re-encryption) is introduced and how to fulfil this requirement in practice is shown.
Abstract: Proxy Re-Encryption (PRE) allows a ciphertext encrypted under Alice's public key to be transformed to an encryption under Bob's public key without revealing either the plaintext or the decryption keys. PRE schemes have clear applications to cryptographic access control by allowing outsourced data to be selectively shared to users via re-encryption to appropriate keys. One concern for this application is that the server should not be able to perform unauthorised re-encryptions. We argue that current security notions do not adequately address this concern. We revisit existing definitions for PRE, starting by challenging the concept of unidirectionality, which states that re-encryption tokens from A to B cannot be used to re-encrypt from B to A. We strengthen this definition to reflect realistic scenarios in which adversaries may try to reverse a re-encryption by retaining information about prior ciphertexts and re-encryption tokens. We then strengthen the adversarial model to consider malicious adversaries that may collude with corrupt users and attempt to perform unauthorised re-encryptions; this models a malicious cloud service provider aiming to subvert the re-encryption process to leak sensitive data. Finally we revisit the notion of authenticated encryption for PRE. This currently assumes the same party who created the message also encrypted it, which is not necessarily the case in re-encryption. We thus introduce the notion of ciphertext origin authentication to determine who encrypted the message (initiated a re-encryption) and show how to fulfil this requirement in practice.

Book ChapterDOI
30 Nov 2017
TL;DR: In this paper, the authors proposed a collusion-resistant pairing-free unidirectional proxy re-encryption scheme which meets CCA security under a variant of the computational Diffie-Hellman hardness assumption in the random oracle model.
Abstract: Proxy re-encryption (PRE) enables delegation of decryption rights by entrusting a proxy server with special information that allows it to transform a ciphertext under one public key into a ciphertext of the same message under a different public key, without learning anything about the underlying plaintext. In Africacrypt 2010, the first PKI-based collusion resistant CCA secure PRE scheme without pairing was proposed in the random oracle model. In this paper, we point out an important weakness in the security proof of the scheme. We also present a collusion-resistant pairing-free unidirectional PRE scheme which meets CCA security under a variant of the computational Diffie-Hellman hardness assumption in the random oracle model.

Book ChapterDOI
20 Sep 2017
TL;DR: In this paper, the concept of ciphertext origin authentication for proxy re-encryption is introduced to determine who encrypted the message, and the authors show how to fulfil this requirement in practice.
Abstract: Proxy Re-Encryption (PRE) allows a ciphertext encrypted under Alice's public key to be transformed to an encryption under Bob's public key without revealing either the plaintext or the decryption keys. PRE schemes have clear applications to cryptographic access control by allowing outsourced data to be selectively shared to users via re-encryption to appropriate keys. One concern for this application is that the server should not be able to perform unauthorised re-encryptions. We argue that current security notions do not adequately address this concern. We revisit existing definitions for PRE, starting by challenging the concept of unidirectionality, which states that re-encryption tokens from A to B cannot be used to re-encrypt from B to A. We strengthen this definition to reflect realistic scenarios in which adversaries may try to reverse a re-encryption by retaining information about prior ciphertexts and re-encryption tokens. We then strengthen the adversarial model to consider malicious adversaries that may collude with corrupt users and attempt to perform unauthorised re-encryptions; this models a malicious cloud service provider aiming to subvert the re-encryption process to leak sensitive data. Finally we revisit the notion of authenticated encryption for PRE. This currently assumes the same party who created the message also encrypted it, which is not necessarily the case in re-encryption. We thus introduce the notion of ciphertext origin authentication to determine who encrypted the message (initiated a re-encryption) and show how to fulfil this requirement in practice.

01 Jan 2017
TL;DR: The proposed KIPRE scheme is applied to construct a practical solution to the problem of sharing sensitive information in public clouds with resilience to key exposure, and the performance evaluation and security analysis demonstrate that the scheme is efficient and practical.
Abstract: Proxy re-encryption (PRE) enables a semi-trusted proxy to delegate the decryption right by re-encrypting the ciphertext under the delegator's public key to an encryption under the public key of the delegatee. Fueled by this translation ability, PRE is regarded as a promising candidate to secure data sharing in a cloud environment. However, the security of the PRE will be totally destroyed in case the secret key of the delegator or the delegatee has been exposed. Although key exposure seems inevitable, a PRE scheme with resistance against secret key leakage has never been presented before. To deal with this intractable problem, we propose a key-insulated proxy re-encryption (KIPRE) scheme by incorporating the mechanisms of PRE and key-insulated cryptosystems. In the proposed scheme, the lifetime of the secret key associated with the user, i.e., the delegator or the delegatee, is divided into several periods. In each time period, the user can interact with his/her physically-secure but computation-limited helper to update his/her temporary secret key. On the contrary, the public keys of the users remain unchanged during the whole lifetime of the system. We then apply our KIPRE scheme to construct a practical solution to the problem of sharing sensitive information in public clouds with resilience to key exposure. The performance evaluation and the security analysis demonstrate that our scheme is efficient and practical.