Self-Updatable Encryption: Time Constrained Access Control with - - PowerPoint PPT Presentation



SLIDE 1

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency

ASIACRYPT 2013 Kwangsu Lee, Seung Geol Choi, Dong Hoon Lee, Jong Hwan Park and Moti Yung

Korea University, US Naval Academy, Korea University, Sangmyung University, Google Inc. and Columbia University

SLIDE 2

Overview

Motivation

A revocable-storage attribute-based encryption (RS-ABE) is a good access control mechanism for cloud storage by supporting key-revocation and ciphertext-update

We ask whether it is possible to have a modular approach for RS-ABE by using a primitive for time-evolution mechanism

Results

We introduce a self-updatable encryption (SUE) for a time evolution mechanism, and construct an efficient SUE scheme

We present a new revocable-storage attribute-based encryption (RS-ABE) scheme with shorter ciphertexts

We also obtain a revocable-storage predicate encryption (RS-PE) scheme that supports attribute-hiding property

SLIDE 3

Introduction

Cloud Storage

Cloud data storage has many advantages: A virtually unlimited amount of space can be allocated, and storage management can be easier

Moreover, it provides great accessibility: Users in any geographic location can access their data through the Internet

SLIDE 4

Introduction

Access Control for Cloud Storage

Access control is one of the greatest concerns: sensitive data should be protected from any illegal access by outsiders or insiders

A revocable ABE (R-ABE) can be used for access control in cloud storage by revoking a user’s private key if his credential is expired

[Figure: R-ABE setting with a KGC, User A (encrypt at time T) and User B (decrypt; he is revoked at time T), each holding SK; UK is broadcast at time T]

SLIDE 5

Introduction

Novel Concern in Cloud Storage

Sahai, Seyalioglu, and Waters (Crypto 2012) pointed out that R-ABE alone does not suffice in managing dynamic credentials for cloud storage

R-ABE cannot prevent a revoked user from accessing ciphertexts that were created before the revocation, since the old private key is enough for decryption

[Figure: timelines over T-1, T, T+1, T+2 showing SK with the update keys UK(T) and UK(T+1); the user is revoked at time T+1; O and X mark which ciphertexts can be decrypted]

SLIDE 6

Introduction

Revocable-Storage ABE

To solve the previous issue, Sahai et al. introduced a novel RS-ABE that supports not only key-revocation but also ciphertext update

That is, a ciphertext at any time T can be updated to a new ciphertext at time T+1 by any party just using the public key (by the cloud server)

[Figure: timeline over T-1, T, T+1, T+2 showing SK with the update keys UK(T) and UK(T+1), and ciphertexts advanced by +1 steps. Key-revocation is provided; ciphertext-update is provided (the cloud server can update by using the public key)]

SLIDE 7

Introduction

Our Motivation

Key-revocation and key-evolution are important issues in cryptosystem design, and ciphertext-update (time-evolution) can be useful elsewhere

We want to achieve ciphertext-update (time-evolution) in other encryption schemes and use it as an underlying primitive

[Figure: Key-Revocation: Revocation Systems; Key-Evolution: Forward-Secure Cryptosystems; Ciphertext-Update: New Primitive; Cryptographic Protocols]

SLIDE 8

Introduction

Our Approach

We take a modular approach for RS-ABE by combining three components: a primary encryption scheme, a key-revocation mechanism, and a time-evolution mechanism

This approach has potential benefits since each mechanism may have independent interest and it may open the door to optimizations

[Figure: The previous approach: key-revocation scheme, piece-wise ABE. Our modular approach: key-revocation scheme, primary encryption scheme (ABE), time-evolution scheme (SUE)]

SLIDE 9

Self-Updatable Encryption

Overview

Self-updatable encryption (SUE) is a new cryptographic primitive that realizes a time-evolution mechanism

A private key and a ciphertext are associated with times T_k and T_c, and a private key for T_k can decrypt a ciphertext for T_c if T_c ≤ T_k

Additionally, anyone can update a ciphertext with time T_c to a new ciphertext with new time T_c + 1

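[Figure: timeline over T-1, T, T+1 with private keys SK_{T-1}, SK_T, SK_{T+1} and ciphertexts CT_{T-1}, CT_T, CT_{T+1} linked by UpdateCT; O and X mark which key and ciphertext pairs decrypt]
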
SLIDE 10

Self-Updatable Encryption

Definition

SUE is a new type of PKE with the ciphertext updating property (time-evolution mechanism)

An SUE scheme consists of algorithms: Setup, GenKey, Encrypt, UpdateCT, RandCT, and Decrypt

Setup(Tmax) → MK, PP
GenKey(T, MK, PP) → SK_T
Encrypt(T, M, PP) → CT_T
UpdateCT(CT_T, T+1, PP) → CT_{T+1}
Decrypt(CT_T, SK_T', PP) → M
RandCT(CT_T, PP) → CT_T

[Figure: the algorithms GenKey, Encrypt, UpdateCT, RandCT and Decrypt acting on SK_T, CT_T, CT_{T+1} and SK_{T+1} at times T and T+1]

SLIDE 11

Self-Updatable Encryption

Design Principle

A full binary tree is used to represent time by assigning time periods to tree nodes in pre-order traversal

A private key for time T_k is associated with a node v_k and a ciphertext for time T_c is associated with nodes {v_i} for all times T_i ≥ T_c

[Figure: full binary tree with nodes numbered 1 to 14 in pre-order; SK_2, SK_8 and CT_4 are marked]

SLIDE 12

Self-Updatable Encryption

Design Principle

If a ciphertext has the delegation property such that its association can be changed from a node to its child node, then the ciphertext can be shortened

The design idea of SUE is similar to that of forward-secure encryption, but ciphertexts are delegated in SUE (not private keys)

[Figure: CT_4 delegated from a node to its child nodes]

A ciphertext can be associated with just log Tmax nodes

SLIDE 13

Self-Updatable Encryption

Ciphertext Delegatable Encryption

CDE is a new type of PKE that has the ciphertext delegation property, and it can be used to build an SUE scheme

A CDE scheme could be derived from an HIBE scheme by switching the structure of private keys and that of ciphertexts

[Figure: HIBE (HIBE.PrivateKey, HIBE.Ciphertext) with key delegation; CDE (CDE.PrivateKey, CDE.Ciphertext) with ciphertext delegation]

SLIDE 14

Self-Updatable Encryption

Ciphertext Delegatable Encryption

We start from the HIBE scheme of Boneh and Boyen (Eurocrypt 2004) to derive a CDE scheme

The ciphertext delegation property of CDE could be obtained from the key delegation property of HIBE

[Figure: side-by-side formulas for BB_HIBE and CDE. BB_HIBE: private keys SK over F_1(I_1), F_2(I_2) with exponents r_1, r_2, and a ciphertext CT with a single exponent s. CDE: a private key SK over g, w, F_1(L_1), F_2(L_2) with a single exponent r, and ciphertexts CT over g, w, F_1(L_1), F_2(L_2) with exponents s, s_1, s_2]

SLIDE 15

Self-Updatable Encryption

SUE Construction

SK_T ← GenKey(T, MK, PP): The private key of SUE for time T is associated with the path nodes Path(v) from the root node to a tree node v, where v is associated with T

[Figure: binary tree with the path L1, L4, L9 to the node for T=6; L_j is the label string of node v_j. SK_6 has components over g, w, F_1(L_1), F_2(L_4) and F_3(L_9) with a single exponent r]

SLIDE 16

Self-Updatable Encryption

SUE Construction

CT_T ← Encrypt(T, PP): The ciphertext of SUE for time T consists of ciphertexts of CDE for the root nodes of all subtrees that cover all times T_i ≥ T

The number of group elements in SUE can be reduced from O(log^2 Tmax) to O(log Tmax) by carefully reusing the randomness of CDE

[Figure: binary tree with T=4, T=5 and T=8 marked and nodes labelled L1, L2, L3, L4, L8. CT_4 consists of three CDE ciphertexts, for the label strings (L_1, L_3, L_8), (L_1, L_4) and (L_2)]

SLIDE 17

Self-Updatable Encryption

SUE Construction

CT_{T+1} ← UpdateCT(CT_T, T+1, PP): The ciphertext of SUE can be updated to the next time by using the ciphertext delegation algorithm of CDE

[Figure: timeline T=4 to T=8. CT_5 consists of CDE ciphertexts for the label strings (L_1, L_4) and (L_2); CT_6 consists of CDE ciphertexts for (L_1, L_4, L_9), (L_1, L_4, L_10) and (L_2)]

SLIDE 18

Self-Updatable Encryption

SUE Construction

M ← Decrypt(CT_T, SK_T', PP): If T ≤ T', then a CDE ciphertext in the SUE ciphertext can be decrypted by using the decryption algorithm of CDE

[Figure: a ciphertext for T=4 is advanced by UpdateCT and opened with a key for T=6: M ← CDE.Decrypt(CT_CDE, SK, PP)]

SLIDE 19

Self-Updatable Encryption

Discussions

Efficiency: The number of group elements in SK is O(log Tmax) and the number of group elements in CT is O(log Tmax)

Exponential Number of Time Periods: Our SUE scheme can support an exponential number (2^λ) of time periods by setting the tree depth to be the security parameter

Time Interval: By combining two SUE schemes (one for future SUE and another for past SUE), we expect to build an SUE scheme for time interval [T_L, T_R]

Different Constructions: We expect that different HIBE schemes will result in different SUE schemes with different efficiency tradeoffs
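
The tree bookkeeping behind the SUE construction slides, as an added example in Python (not code from the presentation or the paper): it computes which nodes a key and a ciphertext are attached to and when they match, with no cryptography. The heap-style labels (root 0, children of j are 2j+1 and 2j+2) and the pre-order time index starting at 0 on the root are assumptions, chosen to agree with the labels L_j shown in the slide figures.

```python
# Added example: structure only, no group operations.
# Assumed indexing: heap-style labels, pre-order times with the root at time 0.

def preorder_times(depth):
    """Return a list where entry T is the label of the node for time T."""
    order, stack = [], [(0, 0)]              # (label, level)
    while stack:
        label, level = stack.pop()
        order.append(label)
        if level < depth:
            stack.append((2 * label + 2, level + 1))   # right child, visited later
            stack.append((2 * label + 1, level + 1))   # left child, visited first
    return order

def path(label):
    """Labels from just below the root down to `label` (root excluded)."""
    nodes = []
    while label > 0:
        nodes.append(label)
        label = (label - 1) // 2
    return nodes[::-1]

def key_nodes(T, depth):
    """Nodes the private key SK_T is associated with: Path(v_T)."""
    return path(preorder_times(depth)[T])

def cover_nodes(T, depth):
    """Roots of the subtrees covering every time T_i >= T: the node v_T
    plus the right sibling of each left child on Path(v_T), deepest first."""
    v = preorder_times(depth)[T]
    cover = [v]
    for node in reversed(path(v)):
        if node % 2 == 1:                    # odd label = left child
            cover.append(node + 1)           # its right sibling
    return cover

def can_decrypt(T_key, T_ct, depth):
    """SK_{T_key} opens CT_{T_ct} iff some cover root is the root itself
    or lies on the key's path (ciphertext label is a prefix of key label)."""
    on_path = set(key_nodes(T_key, depth)) | {0}
    return any(c in on_path for c in cover_nodes(T_ct, depth))

if __name__ == "__main__":
    print("SK_6 path  :", key_nodes(6, 3))
    for T in (4, 5, 6):
        print(f"CT_{T} cover:", cover_nodes(T, 3))
    print("SK_6 opens CT_4:", can_decrypt(6, 4, 3))
    print("SK_4 opens CT_6:", can_decrypt(4, 6, 3))
```

The cover never holds more than depth + 1 nodes, which is where the O(log Tmax) ciphertext size comes from, and advancing T by one only replaces a cover node by its children or drops it, which is the step UpdateCT performs with ciphertext delegation.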

SLIDE 20

Revocable-Storage ABE

Definition

RS-ABE is an attribute-based encryption (ABE) that additionally supports both key revocation and ciphertext update

RS-ABE consists of algorithms: Setup, GenKey, UpdateKey, Encrypt, UpdateCT, RandCT, and Decrypt

Setup(-) → MK, PP
GenKey(S, u, MK, PP) → SK_{S,u}
Encrypt(A, T, M, PP) → CT_{A,T}
UpdateCT(CT_{A,T}, T+1, PP) → CT_{A,T+1}
Decrypt(CT_{A,T}, SK_{S,u}, UK_{T',R}, PP) → M
RandCT(CT_{A,T}, PP) → CT_{A,T}
UpdateKey(T, R, MK, PP) → UK_{T,R}

[Figure: the algorithms Setup, GenKey, UpdateKey, Encrypt, UpdateCT, RandCT and Decrypt acting on SK_{S,u}, UK_{T,R} and CT_{A,T}]

SLIDE 21

Revocable-Storage ABE

Design Principle

Our scheme combines three components: a primary encryption scheme (CP-ABE), a key-revocation scheme, and a time-evolution scheme (SUE)

To prevent collusion attacks, the key-revocation scheme uses a secret-sharing method when it combines two encryption components

[Figure: private key SK_{S,u} (ABE component) and update key UK_{T,R} (SUE component). Building blocks: Complete Subset Scheme [NNL01], Ciphertext-Policy ABE [LOSTW10]]

SLIDE 22

Revocable-Storage ABE

RS-ABE Construction

GenKey: A private key (SK) consists of ABE private keys associated with path nodes of a user where the user is assigned to a leaf node of a binary tree of the CS scheme

[Figure: SK shown as a set of ABE private keys]

SLIDE 23

Revocable-Storage ABE

RS-ABE Construction

UpdateKey: An update key (UK) consists of SUE private keys associated with covering subsets for non-revoked users (i.e. root nodes of subtrees that cover non-revoked users)

[Figure: UK shown as a set of SUE private keys; a revoked user is marked X]

SLIDE 24

Revocable-Storage ABE

RS-ABE Construction

Encrypt: A ciphertext (CT) consists of an SUE ciphertext and an ABE ciphertext with the same random exponent for secret sharing

Decrypt: If a user is not revoked (u ∉ R) at time T, then a ciphertext with time T can be decrypted by an SUE private key from SK and an ABE private key from UK

[Figure: SK, UK and CT with their ABE and SUE components combined in decryption (labelled e(g,g)s)]

SLIDE 25

Conclusion

Other Applications

Revocable-Storage Predicate Encryption (RS-PE): By using an inner-product encryption (IPE) scheme as a primary encryption scheme, we can build an RS-PE scheme that provides the attribute-hiding property in ciphertexts

Timed-Release Encryption (TRE): TRE is a PKE such that a ciphertext with time T can be decrypted after T. An SUE scheme can be used to build a TRE scheme

Key-Insulated Encryption (KIE) with Ciphertext Forward Security: KIE is a PKE that provides tolerance against key exposures. By combining KIE and SUE schemes, we can build a KIE scheme with forward-secure storage

SLIDE 26

Thank You
