Pre-Constrained Encryption

In all existing encryption systems, the owner of the master secret key has the ability to decrypt all ciphertexts. In this work, we propose a new notion of pre-constrained encryption (PCE) where the owner of the master secret key does not have "full" decryption power. Instead, its decryption power is constrained in a pre-specified manner during the system setup. We present formal definitions and constructions of PCE, and discuss societal applications and implications to some well-studied cryptographic primitives

Efficient Construction for Full Black-Box Accountable Authority Identity-Based Encryption

Accountable authority identity-based encryption (A-IBE), as an attractive way to guarantee the user privacy security, enables a malicious private key generator (PKG) to be traced if it generates and re-distributes a user private key. Particularly, an A-IBE scheme achieves full black-box security if it can further trace a decoder box and is secure against a malicious PKG who can access the user decryption results. In PKC\u2711, Sahai and Seyalioglu presented a generic construction for full black-box A-IBE from a primitive called dummy identity-based encryption, which is a hybrid between IBE and attribute-based encryption (ABE). However, as the complexity of ABE, their construction is inefficient and the size of private keys and ciphertexts in their instantiation is linear in the length of user identity. In this paper, we present a new efficient generic construction for full black-box A-IBE from a new primitive called token-based identity-based encryption (TB-IBE), without using ABE. We first formalize the definition and security model for TB-IBE. Subsequently, we show that a TB-IBE scheme satisfying some properties can be converted to a full black-box A-IBE scheme, which is as efficient as the underlying TB-IBE scheme in terms of computational complexity and parameter sizes. Finally, we give an instantiation with the computational complexity as O(1) and the constant size master key pair, private keys, and ciphertexts

Efficient Ciphertext-policy Attribute Based Encryption for Cloud-Based Access Control

Outsourcing data to some cloud servers enables a massive, flexible usage of cloud computing resources and it is typically held by different organizations and data owners. However, various security concerns have been raised due to hosting sensitive data on an untrusted cloud environment, and the control over such data by their owners is lost after uploading to the cloud. Access control is the first defensive line that forbids unauthorized access to the stored data. Moreover, fine-grained access control on the untrusted cloud can be enforced using advanced cryptographic mechanisms. Some schemes have been proposed to deliver such access control using Ciphertext-policy attribute based encryption (CP-ABE) that can enforce data owners’ access policies to achieve such cryptographic access control and tackle the majority of those concerns. However, some challenges are still outstanding due to the complexity of frequently changing the cryptographic enforcements of the owners’ access policies in the hosted cloud data files, which poses computational and communicational overheads to data owners. These challenges are: 1) making dynamic decisions to grant access rights to the cloud resources, 2) solving the issue of the revocation process that is considered as a performance killer, and 3) building a collusion resistant system. The aim of our work is to construct an access control scheme that provides secure storing and sharing sensitive data on the cloud and suits limited-resources devices. In this thesis, we analyse some of the existing, related issues and propose a scheme that extends the relevant existing techniques to resolve the inherent problems in CP-ABE without incurring heavy computation overhead. In particular, most existing revocation techniques require re-issuing many private keys for all non-revoked users as well as re-encrypting the related ciphertexts. Our proposed scheme offers a solution to perform a novel technique that dynamically changes the access privileges of legitimate users. The scheme drives the access privileges in a specific way by updating the access policy and activating a user revocation property. Our technique assigns processing-intensive tasks to cloud servers without any information leakage to reduce the computation cost on resource-limited computing devices. Our analytical theoretical and experimental findings and comparisons of our work with related existing systems indicate that our scheme is efficient, secure and more practical compared to the current related systems, particularly in terms of policy updating and ciphertext re-encryption. Therefore, our proposed scheme is suited to Internet of Things (IoT) applications that need a practical, secure access control scheme. Moreover, to achieve secure, public cloud storage and minimise the limitations of CP-ABE which mainly supports storing data only on a private cloud storage system managed by only one single authority, our proposed access control scheme is extended to a secure, critical access control scheme with multiple authorities. This scheme ought to be carefully designed to achieve fine-grained access control and support outsourced-data confidentiality. In addition, most existing multi-authority access control schemes do not properly consider the revocation issue due to the difficulty of addressing it in distributed settings. Therefore, building a multi-authority CP-ABE scheme along with addressing changes to policy attributes and users, have motivated many researchers to develop more suitable schemes with limited success. By leveraging the existing work, in this thesis, we propose a second CP-ABE scheme that tackles most of the existing work’s limitations and allows storing data securely on a public cloud storage system by employing multiple authorities which manage a joint set of attributes. Furthermore, the proposed scheme efficiently maintains the revocation by adapting the two techniques used in the first proposed single authority access control scheme to allow dynamic policy update and invalidate a revoked user’s secret key that eliminates collusion attacks. In terms of computation overhead, the proposed multi-authority scheme outsources expensive operations of encryption and decryption to a cloud server to mitigate the burden on a data owner and data users, respectively. Our scheme analysis and the theoretical and implemented results demonstrate that our scheme is scalable and efficient