Two Secure Anonymous Proxy-based Data Storages


Two Secure Anonymous Proxy-based Data Storages. Olivier Blazy (1), Xavier Bultel (2), Pascal Lafourcade (2). (1) Université de Limoges, Xlim, Limoges, France; (2) Clermont Université Auvergne, LIMOS, Clermont-Ferrand, France. July 29, 2016, SECRYPT 2016, Lisbon.


SLIDE 1

Two Secure Anonymous Proxy-based Data Storages *

Olivier Blazy (1), Xavier Bultel (2), Pascal Lafourcade (2)

(1) Université de Limoges, Xlim, Limoges, France
(2) Clermont Université Auvergne, LIMOS, Clermont-Ferrand, France

July 29, 2016, SECRYPT 2016, Lisbon

*This research was conducted with the support of the “Digital Trust” Chair from the University of Auvergne Foundation.

Olivier Blazy, Xavier Bultel, Pascal Lafourcade (Université de Limoges, Xlim, Limoges, France, Clermont Université Auvergne, LIMOS, Cler Two Secure Anonymous Proxy-based Data Storages July 29, 2016 1 / 20

SLIDE 2

Proxy Re-Encryption (PRE)

Alice ($pk_a$, $sk_a$); Bob ($pk_b$, $sk_b$); Proxy

SLIDE 3

Proxy Re-Encryption (PRE)

Alice ($pk_a$, $sk_a$); Bob ($pk_b$, $sk_b$); Proxy; re-key $rk_{b \to a}$

SLIDE 4

Proxy Re-Encryption (PRE)

Alice ($pk_a$, $sk_a$); Bob (offline); Proxy ($rk_{b \to a}$)

SLIDE 5

Proxy Re-Encryption (PRE)

Alice ($pk_a$, $sk_a$); Bob (offline); Proxy ($rk_{b \to a}$)
$c = E_{pk_b}(m)$

SLIDE 6

Proxy Re-Encryption (PRE)

Alice ($pk_a$, $sk_a$); Bob (offline); Proxy ($rk_{b \to a}$)
$c = E_{pk_b}(m)$
$c' = RE_{rk_{b \to a}}(c) = E_{pk_a}(m)$

SLIDE 7

Proxy Re-Encryption (PRE)

Alice ($pk_a$, $sk_a$); Bob (offline); Proxy ($rk_{b \to a}$)
$c = E_{pk_b}(m)$
$c' = RE_{rk_{b \to a}}(c) = E_{pk_a}(m)$
$m = D_{sk_a}(c')$

SLIDE 8

Proxy Re-Encryption (PRE)

Alice ($pk_a$, $sk_a$); Bob (offline); Proxy ($rk_{b \to a}$)
$c = E_{pk_b}(m)$
$c' = RE_{rk_{b \to a}}(c) = E_{pk_a}(m)$
$m = D_{sk_a}(c')$
P learns nothing about $m$ (IND-CPA).

SLIDE 9

PRE History

  • Blaze et al. (1998): First definition of PRE.
  • Ivan et al. (2003): Formal treatment.
  • Ateniese et al. (2006): Unidirectional PRE.
  • Canetti et al. (2007): CCA security.
  • Libert et al. (2007): Unidirectional + CCA.

SLIDE 10

PRE History

  • Blaze et al. (1998): First definition of PRE.
  • Ivan et al. (2003): Formal treatment.
  • Ateniese et al. (2006): Unidirectional PRE. New application: encrypted storage management.
  • Canetti et al. (2007): CCA security.
  • Libert et al. (2007): Unidirectional + CCA.

SLIDE 11

PRE based storage

User ($pk_u$, $sk_u$); Proxy; Owner ($pk_o$, $sk_o$); Encrypted storage

SLIDE 12

PRE based storage

User ($pk_u$, $sk_u$); Proxy; Owner ($pk_o$, $sk_o$); Encrypted storage; re-key $rk_{o \to u}$

SLIDE 13

PRE based storage

User ($pk_u$, $sk_u$); Proxy ($rk_{o \to u}$); Owner (offline); Encrypted storage

SLIDE 14

PRE based storage

User ($pk_u$, $sk_u$); Proxy ($rk_{o \to u}$); Owner (offline); Encrypted storage
file $c$?
file $c$?
Check user rights

SLIDE 15

PRE based storage

User ($pk_u$, $sk_u$); Proxy ($rk_{o \to u}$); Owner (offline); Encrypted storage
$c = E_{pk_o}(m)$
$c' = E_{pk_u}(m)$
$c' = RE_{rk_{o \to u}}(c)$
$m = D_{sk_u}(c')$

SLIDE 16

PRE based storage

User ($pk_u$, $sk_u$); Proxy ($rk_{o \to u}$); Owner (offline); Encrypted storage
$c = E_{pk_o}(m)$
$c' = E_{pk_u}(m)$
$c' = RE_{rk_{o \to u}}(c)$
$m = D_{sk_u}(c')$

Semi-trust proxy:

  • No info about m
  • P knows U id.
  • P knows U rights
  • P knows c

SLIDE 17

PRE based storage

User ($pk_u$, $sk_u$); Proxy ($rk_{o \to u}$); Owner (offline); Encrypted storage
$c = E_{pk_o}(m)$
$c' = E_{pk_u}(m)$
$c' = RE_{rk_{o \to u}}(c)$
$m = D_{sk_u}(c')$

Semi-trust proxy:

  • No info about m
  • P knows U id.
  • P knows U rights
  • P knows c

Goal: more privacy!

SLIDE 18

PRE & anonymity?

  • Ateniese et al. (2009): Anonymous re-encryption key.
  • Shao et al. (2012): Anonymity for recipient message.
  • Zheng et al. (2014): Anonymous re-encryption key + CCA.

SLIDE 19

PRE & anonymity?

  • Ateniese et al. (2009): Anonymous re-encryption key.
  • Shao et al. (2012): Anonymity for recipient message.
  • Zheng et al. (2014): Anonymous re-encryption key + CCA.

→ Only partial anonymity.

SLIDE 20

Our idea

User; Proxy; Owner ($pk_{g_i}$, $sk_{g_i}$); Encrypted storage; member of the group $i$

SLIDE 21

Our idea

User; Proxy; Owner ($pk_{g_i}$, $sk_{g_i}$); Encrypted storage; member of the group $i$
Member key $MSK_i$; proxy key $K$

SLIDE 22

Our idea

User ($MSK_i$); Proxy ($K$); Owner (offline); Encrypted storage

SLIDE 23

Our idea

User ($MSK_i$); Proxy ($K$); Owner (offline); Encrypted storage
file $c$?

SLIDE 24

Our idea

User ($MSK_i$); Proxy ($K$); Owner (offline); Encrypted storage
$c = E_{pk_{g_i}}(m)$

SLIDE 25

Our idea

User ($MSK_i$); Proxy ($K$); Owner (offline); Encrypted storage
$c = E_{pk_{g_i}}(m)$
User knows $MSK_i$ and $c$

SLIDE 26

Our idea

User ($MSK_i$); Proxy ($K$); Owner (offline); Encrypted storage
Randomization with $r$: $MSK'_i$ and $c'$

SLIDE 27

Our idea

User ($MSK_i$); Proxy ($K$); Owner (offline); Encrypted storage
Randomization with $r$: $MSK'_i$ and $c'$
$MSK'_i$, $c'$

SLIDE 28

Our idea

User ($MSK_i$); Proxy ($K$); Owner (offline); Encrypted storage
Randomization with $r$: $MSK'_i$ and $c'$
$c'' = RE_{K, MSK'_i}(c')$

SLIDE 29

Our idea

User ($MSK_i$); Proxy ($K$); Owner (offline); Encrypted storage
$c'' = RE_{K, MSK'_i}(c')$
$m = D_r(c'')$

SLIDE 30

Our idea

User ($MSK_i$); ???? ($K$); Owner (offline); Encrypted storage
$m = D_r(c'')$
$MSK'_i$ and $c'$

Semi-trust proxy:

  • No info about m
  • No info about U id.
  • No info about i
  • No info about c

SLIDE 31

Our contribution

Two schemes:

SLIDE 32

Our contribution

Two schemes:

  • DRAS: Direct revocation mechanism: the owner can revoke anybody anytime. Pay-per-download model. Weak anonymity.

SLIDE 33

Our contribution

Two schemes:

  • DRAS: Direct revocation mechanism: the owner can revoke anybody anytime. Pay-per-download model. Weak anonymity.
  • IRAS: Indirect revocation mechanism: the owner can revoke users periodically. Monthly-fee model. Full anonymity.

SLIDE 34

1. Introduction
2. DRAS
3. IRAS
4. Conclusion

SLIDE 35

DRAS

  • P-Gen($P$): generate proxy keys ($PK_P$, $SK_P$).
  • G-Gen($P$): generate group key ($PK_{G_j}$, $SK_{G_j}$).
  • Join($SK_{G_j}$, WL, $U_i$): generate a group member key $MSK_i^j$.
  • Encrypt($PK_{G_j}$, $m$): encrypt $m$ for group $j$.
  • Revoke($MSK_i^j$, BL): revoke a user.
  • Open(VIEW, WL): de-anonymize a transaction.
  • ProxyDec($U_i$, P): decryption protocol between a user and the proxy.

SLIDE 36

DRAS

Keys construction:

  • Proxy keys $(PK_P, SK_P)$ for an encryption scheme.
  • Group key $(PK_G, SK_G) = (g^{\gamma}, \gamma)$.
  • Member key $MSK = (t, Enc_{PK_P}(t/\gamma))$.

SLIDE 37

DRAS

Keys construction:

  • Proxy keys $(PK_P, SK_P)$ for an encryption scheme.
  • Group key $(PK_G, SK_G) = (g^{\gamma}, \gamma)$.
  • Member key $MSK = (t, Enc_{PK_P}(t/\gamma))$.

The encryption algorithm is an ElGamal variant:

  • Keys: secret $sk = x$, public $pk = g^x$.
  • Encryption: pick $r$ and compute $(C_1, C_2) = (pk^r, g^r \cdot m)$.
  • Decryption: compute $m = \frac{C_2}{C_1^{1/sk}}$.

SLIDE 38

DRAS: Decryption protocol

$C = (C_1, C_2) = (g^{r \cdot \gamma}, g^r \cdot m)$
$MSK = (MSK_1, MSK_2) = (t, Enc_{PK_P}(t/\gamma))$

SLIDE 39

DRAS: Decryption protocol

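$C = (C_1, C_2) = (g^{r \cdot \gamma}, g^r \cdot m)$
$MSK = (MSK_1, MSK_2) = (t, Enc_{PK_P}(t/\gamma))$

User $(PK_P; MSK; C)$, Proxy $(SK_P; BL)$

User: $s \xleftarrow{\$} \mathbb{Z}_p^*$; $B = (C_1)^s$
User → Proxy: $B, MSK_2$
Proxy: if $MSK_2 \in BL$ then abort; else $w = Dec_{SK_P}(MSK_2)$
Proxy: $D = B^w = (C_1^s)^{t/\gamma} = g^{s \cdot r \cdot t}$
Proxy → User: $D$
User: $m = \frac{C_2}{D^{1/(s \cdot t)}} = \frac{g^r \cdot m}{g^{s \cdot r \cdot t \cdot \frac{1}{s \cdot t}}} = \frac{g^r \cdot m}{g^r}$

User outputs $m$; proxy outputs $VIEW = MSK_2$.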

SLIDE 40

DRAS: Decryption protocol

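$C = (C_1, C_2) = (g^{r \cdot \gamma}, g^r \cdot m)$
$MSK = (MSK_1, MSK_2) = (t, Enc_{PK_P}(t/\gamma))$

User $(PK_P; MSK; C)$, Proxy $(SK_P; BL)$

User: $s \xleftarrow{\$} \mathbb{Z}_p^*$; $B = (C_1)^s$
User → Proxy: $B, MSK_2$
Proxy: if $MSK_2 \in BL$ then abort; else $w = Dec_{SK_P}(MSK_2) = t/\gamma$
Proxy: $D = B^w = (C_1^s)^{t/\gamma} = g^{s \cdot r \cdot t}$
Proxy → User: $D$
User: $m = \frac{C_2}{D^{1/(s \cdot t)}} = \frac{g^r \cdot m}{g^{s \cdot r \cdot t \cdot \frac{1}{s \cdot t}}} = \frac{g^r \cdot m}{g^r}$

User outputs $m$; proxy outputs $VIEW = MSK_2$.

The proxy can link a user who uses the same member key twice.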
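
The DRAS decryption protocol above as runnable Python, added here as an example and not taken from the slides or the authors' code. The group (P = 2039, Q = 1019, G = 4) is a constructed toy choice, the hashed-ElGamal `pke_enc`/`pke_dec` pair is an assumed stand-in for the proxy's unspecified encryption scheme, and all function names are hypothetical; `demo()` also exercises the blacklist abort and shows that VIEW is identical across two downloads with the same member key.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example and far too small for real use:
# P = 2*Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1            # uniform in Z_Q^*

def keygen():
    # Serves as both P-Gen and G-Gen here: (PK, SK) = (g^x, x).
    x = rand_exp()
    return pow(G, x, P), x

def _mask(elem):
    return int.from_bytes(hashlib.sha256(str(elem).encode()).digest(), "big")

# Assumed stand-in for the proxy's encryption scheme: hashed ElGamal.
def pke_enc(pkp, w):
    k = rand_exp()
    return (pow(G, k, P), w ^ _mask(pow(pkp, k, P)))

def pke_dec(skp, ct):
    return ct[1] ^ _mask(pow(ct[0], skp, P))

def join(skg, pkp):
    t = rand_exp()
    return (t, pke_enc(pkp, t * pow(skg, -1, Q) % Q))  # MSK = (t, Enc_PKP(t/gamma))

def encrypt(pkg, m):
    r = rand_exp()
    return (pow(pkg, r, P), pow(G, r, P) * m % P)  # C = (g^(r*gamma), g^r * m)

def user_blind(c):
    s = rand_exp()
    return s, pow(c[0], s, P)                      # B = C1^s

def proxy_step(skp, blacklist, b, msk2):
    if msk2 in blacklist:                          # revoked member key: abort
        return None, msk2
    return pow(b, pke_dec(skp, msk2), P), msk2     # D = B^w, VIEW = MSK2

def user_unblind(c, msk, s, d):
    g_r = pow(d, pow(s * msk[0], -1, Q), P)        # D^(1/(s*t)) = g^r
    return c[1] * pow(g_r, -1, P) % P              # m = C2 / g^r

def demo():
    (pkp, skp), (pkg, skg) = keygen(), keygen()
    msk, m = join(skg, pkp), pow(G, 123, P)        # m: constructed sample message
    plains, views = [], []
    for _ in range(2):                             # two downloads, same member key
        c = encrypt(pkg, m)
        s, b = user_blind(c)
        d, view = proxy_step(skp, set(), b, msk[1])
        plains.append(user_unblind(c, msk, s, d))
        views.append(view)
    aborted = proxy_step(skp, {msk[1]}, b, msk[1])[0] is None
    return plains == [m, m], views[0] == views[1], aborted
```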

SLIDE 41

1. Introduction
2. DRAS
3. IRAS
4. Conclusion

SLIDE 42

ElGamal is malleable

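$C = (g^r, g^{x \cdot r} \cdot m)$
$C' = ((g^r)^s, (g^{x \cdot r} \cdot m)^s) = (g^{r \cdot s}, g^{(r \cdot s) \cdot x} \cdot m^s)$
Decryption: $m' = m^s = \frac{g^{(r \cdot s) \cdot x} \cdot m^s}{(g^{r \cdot s})^{x}}$.

Difficult to link $C$ and $C'$ (Diffie-Hellman problem). The message $m$ is hidden.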

SLIDE 43

Indirect Revocation Anonymous Storage

  • O-Gen($P$): generate owner key pair ($PK_O$, $SK_O$).
  • P-Gen($P$): generate proxy key pair ($PK_P$, $SK_P$).
  • G-Gen($P$): generate group key pair ($PK_G$, $SK_G$).
  • Join($SK_{G_j}$, $SK_O$, $PK_P$): generate a group member key $MSK$.
  • O-Update($SK_O$, $PK_O$): update ($PK_O$, $SK_O$).
  • U-Update($MSK_i^j$, $SK_O$): update $MSK$.
  • Encrypt($PK_{G_j}$, $m$): encrypt a message $m$.
  • ProxyDec($U_i$, P): decryption protocol between a user and the proxy.

SLIDE 44

(Simplified) IRAS parameters

Keys constructions:

  • $P = (G_1, G_2, G_T, g_1, g_2, e, PKE, S)$.
  • Proxy keys $(PK_P, SK_P) = (g_2^{p}, p)$.
  • Group keys $(PK_G, SK_G) = (g_1^{\gamma}, \gamma)$.
  • Member key $MSK = (g_2^{p \cdot s}, g_2^{s} \cdot g_2^{1/\gamma})$.

SLIDE 45

(Simplified) IRAS parameters

Keys constructions:

  • $P = (G_1, G_2, G_T, g_1, g_2, e, PKE, S)$.
  • Proxy keys $(PK_P, SK_P) = (g_2^{p}, p)$.
  • Group keys $(PK_G, SK_G) = (g_1^{\gamma}, \gamma)$.
  • Member key $MSK = (g_2^{p \cdot s}, g_2^{s} \cdot g_2^{1/\gamma})$.

The encryption algorithm is an ElGamal bilinear variant:

  • Keys: secret $sk = x$, public $pk = g_1^{x}$.
  • Encryption: pick $r$ and compute $(C_1, C_2) = (pk^r, e(g_1, g_2)^r \cdot m)$.
  • Decryption: compute $m = \frac{C_2}{e(C_1, g_2)^{1/sk}}$.

SLIDE 46

(Simplified) Decryption protocol

$C = (C_1, C_2) = (g_1^{r \cdot \gamma}, e(g_1, g_2)^r \cdot m)$
$MSK = (MSK_1, MSK_2) = (g_2^{p \cdot s}, g_2^{s} \cdot g_2^{1/\gamma})$

SLIDE 47

(Simplified) Decryption protocol

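$C = (C_1, C_2) = (g_1^{r \cdot \gamma}, e(g_1, g_2)^r \cdot m)$
$MSK = (MSK_1, MSK_2) = (g_2^{p \cdot s}, g_2^{s} \cdot g_2^{1/\gamma})$

User $(C; MSK)$, Proxy $(p)$

User: $\alpha, \beta \xleftarrow{\$} \mathbb{Z}_p^*$; $MSK' = (MSK_1^{\alpha}, MSK_2^{\alpha})$; $C_1' = C_1^{\beta}$
User → Proxy: $C_1', MSK'$
Proxy: $D = e\left(g_1^{r \cdot \gamma \cdot \beta}, \frac{MSK_2'}{MSK_1'^{1/p}}\right) = e(g_1, g_2)^{r \cdot \alpha \cdot \beta}$
Proxy → User: $D$
User: $m = \frac{C_2}{D^{\frac{1}{\alpha \cdot \beta}}} = \frac{e(g_1, g_2)^r \cdot m}{e(g_1, g_2)^{\frac{r \cdot \alpha \cdot \beta}{\alpha \cdot \beta}}}$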

SLIDE 48

Provable IRAS

Many tools to construct a provable scheme:

  • Proof of a signature on $MSK$ from $MSK'$.
  • Revocation: the owner updates his signing key, but does not re-sign $MSK$.
  • Damgård-ElGamal (CCA1).
  • Smooth projective hash functions.

SLIDE 49

1. Introduction
2. DRAS
3. IRAS
4. Conclusion

SLIDE 50

DRAS

  • Direct revocation.
  • Simple and efficient scheme.
  • CPA secure.
  • Not fully anonymous.

IRAS

  • Indirect revocation.
  • Not efficient; uses complex tools to be provably secure.
  • CPA secure.
  • Fully anonymous.

Future work

Increase and simplify IRAS. Without Damgård-ElGamal and SPHF.

SLIDE 51

Thank you for your attention. Questions?
