Self-Updatable Encryption with Short Public Parameters and Its Extensions

Cloud storage is very popular since it has many advantages, but there is a new threat to cloud storage that was not considered before. {\it Self-updatable encryption} that updates a past ciphertext to a future ciphertext by using a public key is a new cryptographic primitive introduced by Lee, Choi, Lee, Park, and Yung (Asiacrypt 2013) to defeat this threat such that an adversary who obtained a past-time private key can still decrypt a (previously unread) past-time ciphertext stored in cloud storage. Additionally, an SUE scheme can be combined with an attribute-based encryption (ABE) scheme to construct a powerful revocable-storage ABE (RS-ABE) scheme introduced by Sahai, Seyalioglu, and Waters (Crypto 2012) that provides the key revocation and ciphertext updating functionality for cloud storage. In this paper, we propose an efficient SUE scheme and its extended schemes. First, we propose an SUE scheme with short public parameters in prime-order bilinear groups and prove its security under a $q$-type assumption. Next, we extend our SUE scheme to a time-interval SUE (TI-SUE) scheme that supports a time interval in ciphertexts. Our TI-SUE scheme has short public parameters and also secure under the $q$-type assumption. Finally, we propose the first large universe RS-ABE scheme with short public parameters in prime-order bilinear groups and prove its security in the selective revocation list model under a $q$-type assumption

Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Unbounded Hierarchical Identity-Based Encryption with Efficient Revocation

Hierarchical identity-based encryption (HIBE) is an extension of identity-based encryption (IBE) where an identity of a user is organized as a hierarchical structure and a user can delegate the private key generation to another user. Providing a revocation mechanism for HIBE is highly necessary to keep a system securely. Revocable HIBE (RHIBE) is an HIBE scheme that can revoke a user\u27s private key if his credential is expired or revealed. In this paper, we first propose an unbounded HIBE scheme where the maximum hierarchy depth is not limited and prove its selective security under a q-type assumption. Next, we propose an efficient unbounded RHIBE scheme by combining our unbounded HIBE scheme and a binary tree structure, and then we prove its selective security. By presenting the unbounded RHIBE scheme, we solve the open problem of Seo and Emura in CT-RSA 2015

A Generic Construction for Revocable Identity-Based Encryption with Subset Difference Methods

To deal with dynamically changing user\u27s credentials in identity-based encryption (IBE), providing an efficient key revocation method is a very important issue. Recently, Ma and Lin proposed a generic method of designing a revocable IBE (RIBE) scheme that uses the complete subtree (CS) method by combining IBE and hierarchical IBE (HIBE) schemes. In this paper, we propose a new generic method for designing an RIBE scheme that uses the subset difference (SD) method instead of using the CS method. In order to use the SD method, we generically design an RIBE scheme by combining two-level HIBE and single revocation encryption (SRE) schemes. If the underlying HIBE and SRE schemes are adaptively (or selectively) secure, then our RIBE scheme is also adaptively (or selectively) secure. In addition, we show that the layered SD (LSD) method can be applied to our RIBE scheme and a chosen-ciphertext secure RIBE scheme also can be designed generically

CCA Security for Self-Updatable Encryption: Protecting Cloud Data When Clients Read/Write Ciphertexts

Self-updatable encryption (SUE) is a new kind of public-key encryption, motivated by cloud computing, which enables anyone (i.e. cloud server with no access to private keys) to update a past ciphertext to a future ciphertext by using a public key. The main applications of SUE is revocable-storage attribute-based encryption (RS-ABE) that provides an efficient and secure access control to encrypted data stored in cloud storage. In this setting, there is a new threat such that a revoked user still can access past ciphertexts given to him by a storage server. RS-ABE solves this problem by combining user revocation and ciphertext updating functionalities. The mechanism was designed with semantic security (CPA). Here, we propose the first SUE and RS-ABE schemes, secure against a relevant form of CCA, which allows ciphertexts submitted by attackers to decryption servers. Due to the fact that some ciphertexts are easily derived from others, we employ a different notion of CCA which avoids easy challenge related messages (we note that this type of idea was employed in other contexts before). Specifically, we define time extended challenge (TEC) CCA security for SUE which excludes ciphertexts that are easily derived from the challenge (over time periods) from being queried on (namely, once a challenge is decided by an adversary, no easy modification of this challenge to future and past time periods is allowed to be queried upon). We then propose an efficient SUE scheme with such CCA security, and we also define similar CCA security for RS-ABE and present an RS-ABE scheme with this CCA security

Self-updatable encryption with short public parameters and its extensions

Cloud storage is very popular since it has many advantages, but there is a new threat to cloud stor-age that was not considered before. Self-updatable encryption that updates a past ciphertext to a future ciphertext by using a public key is a new cryptographic primitive introduced by Lee, Choi, Lee, Park, and Yung (Asiacrypt 2013) to defeat this threat such that an adversary who obtained a past-time private key can still decrypt a (previously unread) past-time ciphertext stored in cloud storage. Additionally, an SUE scheme can be combined with an attribute-based encryption (ABE) scheme to construct a powerful revocable-storage ABE (RS-ABE) scheme introduced by Sahai, Seyalioglu, and Waters (Crypto 2012) that provides the key revocation and ciphertext updating functionality for cloud storage. In this paper, we propose an efficient SUE scheme and its extended schemes. First, we propose an SUE scheme with short public parameters in prime-order bilinear groups and prove its security under a q-type assumption. Next, we extend our SUE scheme to a time-interval SUE (TI-SUE) scheme that supports a time interval in ciphertexts. Our TI-SUE scheme has short public parameters and also secure under the q-type as-sumption. Finally, we propose the first large universe RS-ABE scheme with short public parameters in prime-order bilinear groups and prove its security in the selective revocation list model under a q-typ

Revocable Hierarchical Identity-Based Encryption with Adaptive Security

Hierarchical identity-based encryption (HIBE) can be extended to revocable HIBE (RHIBE) if a private key of a user can be revoked when the private key is revealed or expired. Previously, many selectively secure RHIBE schemes were proposed, but it is still unsolved problem to construct an adaptively secure RHIBE scheme. In this work, we propose two RHIBE schemes in composite-order bilinear groups and prove their adaptive security under simple static assumptions. To prove the adaptive security, we use the dual system encryption framework, but it is not simple to use the dual system encryption framework in RHIBE since the security model of RHIBE is quite different with that of HIBE. We show that it is possible to solve the problem of the RHIBE security proof by carefully designing hybrid games