Jong Hwan Park

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency

Revocation and key evolving paradigms are central issues in cryptography, and in PKI in particular. A novel concern related to these areas was raised in the recent work of Sahai, Seyalioglu, and Waters Crypto 2012 who noticed that revoking past keys should at times e.g., the scenario of cloud storage be accompanied by revocation of past ciphertexts to prevent unread ciphertexts from being read by revoked users. They introduced revocable-storage attribute-based encryption RS-ABE as a good access control mechanism for cloud storage. RS-ABE protects against the revoked users not only the future data by supporting key-revocation but also the past data by supporting ciphertext-update, through which a ciphertext at time T can be updated to a new ciphertext at time Ti¾?+i¾?1 using only the public key. Motivated by this pioneering work, we ask whether it is possible to have a modular approach, which includes a primitive for time managed ciphertext update as a primitive. We call encryption which supports this primitive a self-updatable encryption SUE. We then suggest a modular cryptosystems design methodology based on three sub-components: a primary encryption scheme, a key-revocation mechanism, and a time-evolution mechanism which controls the ciphertext self-updating via an SUE method, coordinated with the revocation when needed. Our goal in this is to allow the self-updating ciphertext component to take part in the design of new and improved cryptosystems and protocols in a flexible fashion. Specifically, we achieve the following results:

Efficient revocable identity-based encryption via subset difference methods

Providing an efficient revocation mechanism for identity-based encryption (IBE) is very important since a user’s credential (or private key) can be expired or revealed. revocable IBE (RIBE) is an extension of IBE that provides an efficient revocation mechanism. Previous RIBE schemes essentially use the complete subtree (CS) scheme of Naor, Naor and Lotspiech (CRYPTO 2001) for key revocation. In this paper, we present a new technique for RIBE that uses the efficient subset difference (SD) scheme of Naor et al. instead of using the CS scheme to improve the size of update keys. Following our new technique, we first propose an efficient RIBE scheme in prime-order bilinear groups by combining the IBE scheme of Boneh and Boyen and the SD scheme and prove its selective security under the standard assumption. Our RIBE scheme is the first RIBE scheme in bilinear groups that has O(r) number of group elements in an update key where r is the number of revoked users. Next, we also propose another RIBE scheme in composite-order bilinear groups and prove its full security under static assumptions. Our RIBE schemes also can be integrated with the layered subset difference scheme of Halevy and Shamir (CRYPTO 2002) to reduce the size of a private key.

An efficient IBE scheme with tight security reduction in the random oracle model

We present a new practical identity-based encryption (IBE) system that can be another candidate for standard IBE techniques. Our construction is based on a new framework for realizing an IBE trapdoor from pairing-based groups, which is motivated from the ‘two equation’ revocation technique suggested by Lewko et al. (IEEE Symposium on Security and Privacy, 2010). The new framework enables our IBE system to achieve a tight security reduction to the Decisional Bilinear Diffie–Hellman assumption in the random oracle model. Due to its the tightness, our system can take as input the shorter size of security parameters than the previous practical BF, SK, and

Self-updatable encryption

hbox {BB}_{1}

New chosen-ciphertext secure identity-based encryption with tight security reduction to the bilinear Diffie-Hellman problem

BB1 systems, which provides better efficiency to our system in terms of computational cost.

Efficient Revocable Identity-Based Encryption via Subset Difference Methods.

Broadcast encryption is a very powerful primitive since it can send an encrypted message to a set of users excluding a set of revoked users. Public-key broadcast encryption PKBE is a special type of broadcast encryption such that anyone can run the encryption algorithm to create an encrypted message by using a public key. In this paper, we propose a new technique to construct an efficient PKBE scheme by using the subset cover framework. First, we introduce a new concept of public-key encryption named single revocation encryption SRE and propose an efficient SRE scheme in the random oracle model. A user in SRE is represented as a group that he belongs and a member in the group. In SRE, a sender can create a ciphertext for a specified group where one member in the group is revoked, and a receiver can decrypt the ciphertext if he belongs to the group in the ciphertext and he is not revoked in the group. Second, we show that the subset difference SD scheme or the layered subset difference LSD scheme and an SRE scheme can be combined to construct a public-key revocation encryption PKRE scheme such that a set of revoked users is specified in a ciphertext. Our PKRE scheme using the LSD scheme and our SRE scheme can reduce the size of private keys and public keys by logN factor compared with the previous scheme of Dodis and Fazio.

Public-Key Revocation and Tracing Schemes with Subset Difference Methods

Revocation and key evolving paradigms are central issues in cryptography, and in PKI in particular. A novel concern related to these areas was raised in the recent work of Sahai, Seyalioglu, and Waters (CRYPTO 2012) who noticed that revoking past keys should at times (e.g., the scenario of cloud storage) be accompanied by revocation of past ciphertexts (to prevent unread ciphertexts from being read by revoked users). They introduced revocable-storage attribute-based encryption (RS-ABE) as a good access control mechanism for cloud storage. RS-ABE protects against the revoked users not only the future data by supporting key-revocation but also the past data by supporting ciphertext-update, through which a ciphertext at time T can be updated to a new ciphertext at time T + 1 using only the public key. Motivated by this pioneering work, we ask whether it is possible to have a modular approach, which includes a primitive for time managed ciphertext update as a primitive. We call encryption which supports this primitive a self-updatable encryption (SUE). We then suggest a modular cryptosystems design methodology based on three sub-components: a primary encryption scheme, a key-revocation mechanism, and a time-evolution mechanism which controls the ciphertext self-updating via an SUE method, coordinated with the revocation (when needed). Our goal in this is to allow the self-updating ciphertext component to take part in the design of new and improved cryptosystems and protocols in a flexible fashion. Specifically, we achieve the following results:We first introduce a new cryptographic primitive called self-updatable encryption (SUE), realizing a time-evolution mechanism. In SUE, a ciphertext and a private key are associated with time. A user can decrypt a ciphertext if its time is earlier than that of his private key. Additionally, anyone (e.g., a cloud server) can update the ciphertext to a ciphertext with a newer time. We also construct an SUE scheme and prove its full security under static assumptions. Following our modular approach, we present a new RS-ABE scheme with shorter ciphertexts than that of Sahai et al. and prove its security. The length efficiency is mainly due to our SUE scheme and the underlying modularity. We apply our approach to predicate encryption (PE) supporting attribute-hiding property, and obtain a revocable-storage PE (RS-PE) scheme that is selectively-secure. We further demonstrate that SUE is of independent interest, by showing it can be used for timed-release encryption (and its applications), and for augmenting key-insulated encryption with forward-secure storage. A new cryptographic primitive called self-updatable encryption is introduced to realize a time-evolution mechanism.A revocable-storage attribute-based encryption scheme with shorter ciphertexts was proposed by following our modular approach.A revocable-storage predicate encryption scheme that additionally supports attribute-hiding property is presented.

Efficient Identity-Based Encryption and Public-Key Signature from Trapdoor Subgroups.

Threshold public-key encryption can control decryption abilities of an authorized user group in such a way that each user of the group can produce only a decryption share and at least t of them should collect decryption shares to recover a message. We present a new threshold public-key encryption that is secure against selectively chosen ciphertext attacks. Semantic security against chosen ciphertext adversaries is the de facto level of security for public-key encryption deployed in practice because many encryption systems are broken in a model of chosen ciphertext security. The security of the proposed system is formally proved without random oracles under a new assumption. We also provide proof of the intractability of our assumption in the generic group model. Copyright