Improved Security Notions for Proxy Re-Encryption to Enforce Access Control. / Berners-Lee, Elizabeth.

Lecture Notes in Computer Science. Springer, 2019. p. 66-85.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

E-pub ahead of print

Standard

Improved Security Notions for Proxy Re-Encryption to Enforce Access Control. / Berners-Lee, Elizabeth.

Lecture Notes in Computer Science. Springer, 2019. p. 66-85.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Harvard

Berners-Lee, E 2019, Improved Security Notions for Proxy Re-Encryption to Enforce Access Control. in Lecture Notes in Computer Science. Springer, pp. 66-85, Latincrypt 2017, 20/09/17. https://doi.org/10.1007/978-3-030-25283-0_4

APA

Vancouver

Author

Berners-Lee, Elizabeth. / Improved Security Notions for Proxy Re-Encryption to Enforce Access Control. Lecture Notes in Computer Science. Springer, 2019. pp. 66-85

BibTeX

@inproceedings{3f3a448d13364359aa7e7c1cf944435d,
title = "Improved Security Notions for Proxy Re-Encryption to Enforce Access Control",
abstract = "Proxy Re-Encryption (PRE) allows a ciphertext encrypted under Alice’s public key to be transformed to an encryption under Bob’s public key without revealing either the plaintext or the decryption keys. PRE schemes have clear applications to cryptographic access control by allowing outsourced data to be selectively shared to users via re- encryption to appropriate keys. One concern for this application is that the server should not be able to perform unauthorised re-encryptions. We argue that current security notions do not adequately address this concern. We revisit existing definitions for PRE, starting by challenging the concept of unidirectionality, which states that re-encryption tokens from A to B cannot be used to re-encrypt from B to A. We strengthen this definition to reflect realistic scenarios in which adversaries may try to reverse a re-encryption by retaining information about prior ciphertexts and re-encryption tokens. We then strengthen the adversarial model to consider malicious adversaries that may collude with corrupt users and attempt to perform unauthorised re-encryptions; this models a malicious cloud service provider aiming to subvert the re-encryption process to leak sensitive data. Finally we revisit the notion of authenticated encryption for PRE. This currently assumes the same party who created the message also encrypted it, which is not necessarily the case in re-encryption. We thus introduce the notion of ciphertext origin authentication to determine who encrypted the message (initiated a re-encryption) and show how to fufil this requirement in practice.",
keywords = "Proxy re-encryption, Cloud storage, Cryptography",
author = "Elizabeth Berners-Lee",
year = "2019",
month = "7",
day = "20",
doi = "10.1007/978-3-030-25283-0_4",
language = "English",
isbn = "978-3-030-25282-3",
pages = "66--85",
booktitle = "Lecture Notes in Computer Science",
publisher = "Springer",

}

RIS

TY - GEN

T1 - Improved Security Notions for Proxy Re-Encryption to Enforce Access Control

AU - Berners-Lee, Elizabeth

PY - 2019/7/20

Y1 - 2019/7/20

N2 - Proxy Re-Encryption (PRE) allows a ciphertext encrypted under Alice’s public key to be transformed to an encryption under Bob’s public key without revealing either the plaintext or the decryption keys. PRE schemes have clear applications to cryptographic access control by allowing outsourced data to be selectively shared to users via re- encryption to appropriate keys. One concern for this application is that the server should not be able to perform unauthorised re-encryptions. We argue that current security notions do not adequately address this concern. We revisit existing definitions for PRE, starting by challenging the concept of unidirectionality, which states that re-encryption tokens from A to B cannot be used to re-encrypt from B to A. We strengthen this definition to reflect realistic scenarios in which adversaries may try to reverse a re-encryption by retaining information about prior ciphertexts and re-encryption tokens. We then strengthen the adversarial model to consider malicious adversaries that may collude with corrupt users and attempt to perform unauthorised re-encryptions; this models a malicious cloud service provider aiming to subvert the re-encryption process to leak sensitive data. Finally we revisit the notion of authenticated encryption for PRE. This currently assumes the same party who created the message also encrypted it, which is not necessarily the case in re-encryption. We thus introduce the notion of ciphertext origin authentication to determine who encrypted the message (initiated a re-encryption) and show how to fufil this requirement in practice.

AB - Proxy Re-Encryption (PRE) allows a ciphertext encrypted under Alice’s public key to be transformed to an encryption under Bob’s public key without revealing either the plaintext or the decryption keys. PRE schemes have clear applications to cryptographic access control by allowing outsourced data to be selectively shared to users via re- encryption to appropriate keys. One concern for this application is that the server should not be able to perform unauthorised re-encryptions. We argue that current security notions do not adequately address this concern. We revisit existing definitions for PRE, starting by challenging the concept of unidirectionality, which states that re-encryption tokens from A to B cannot be used to re-encrypt from B to A. We strengthen this definition to reflect realistic scenarios in which adversaries may try to reverse a re-encryption by retaining information about prior ciphertexts and re-encryption tokens. We then strengthen the adversarial model to consider malicious adversaries that may collude with corrupt users and attempt to perform unauthorised re-encryptions; this models a malicious cloud service provider aiming to subvert the re-encryption process to leak sensitive data. Finally we revisit the notion of authenticated encryption for PRE. This currently assumes the same party who created the message also encrypted it, which is not necessarily the case in re-encryption. We thus introduce the notion of ciphertext origin authentication to determine who encrypted the message (initiated a re-encryption) and show how to fufil this requirement in practice.

KW - Proxy re-encryption, Cloud storage, Cryptography

U2 - 10.1007/978-3-030-25283-0_4

DO - 10.1007/978-3-030-25283-0_4

M3 - Conference contribution

SN - 978-3-030-25282-3

SP - 66

EP - 85

BT - Lecture Notes in Computer Science

PB - Springer

ER -