Results 1 - 10
of
203
Achieving secure, scalable, and fine-grained data access control in cloud computing
- In Proc. of IEEE INFOCOM
, 2010
"... Abstract—Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive dat ..."
Abstract
-
Cited by 133 (8 self)
- Add to MetaCart
(Show Context)
Abstract—Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Exten-sive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models. I.
Compact e-cash
- In EUROCRYPT, volume 3494 of LNCS
, 2005
"... Abstract. This paper presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing 2 ℓ coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the y-DDHI assumptions, where the complexity of the withdrawal and s ..."
Abstract
-
Cited by 122 (17 self)
- Add to MetaCart
(Show Context)
Abstract. This paper presents efficient off-line anonymous e-cash schemes where a user can withdraw a wallet containing 2 ℓ coins each of which she can spend unlinkably. Our first result is a scheme, secure under the strong RSA and the y-DDHI assumptions, where the complexity of the withdrawal and spend operations is O(ℓ + k) andtheuser’s wallet can be stored using O(ℓ + k) bits,wherek is a security parameter. The best previously known schemes require at least one of these complexities to be O(2 ℓ · k). In fact, compared to previous e-cash schemes, our whole wallet of 2 ℓ coins has about the same size as one coin in these schemes. Our scheme also offers exculpability of users, that is, the bank can prove to third parties that a user has double-spent. We then extend our scheme to our second result, the first e-cash scheme that provides traceable coins without a trusted third party. That is, once a user has double spent one of the 2 ℓ coins in her wallet, all her spendings of these coins can be traced. However, the price for this is that the complexity of the spending and of the withdrawal protocols becomes O(ℓ · k) and O(ℓ · k + k 2) bits, respectively, and wallets take O(ℓ · k) bitsofstorage. All our schemes are secure in the random oracle model.
How to Win the Clone Wars: Efficient Periodic n-Times Anonymous Authentication
, 2006
"... We create a credential system that lets a user anonymously authenticate at most n times in a single time period. A user withdraws a dispenser of n e-tokens. She shows an etoken to a verifier to authenticate herself; each e-token can be used only once, however, the dispenser automatically refreshes e ..."
Abstract
-
Cited by 66 (14 self)
- Add to MetaCart
(Show Context)
We create a credential system that lets a user anonymously authenticate at most n times in a single time period. A user withdraws a dispenser of n e-tokens. She shows an etoken to a verifier to authenticate herself; each e-token can be used only once, however, the dispenser automatically refreshes every time period. The only prior solution to this problem, due to Damg˚ard et al. [29], uses protocols that are a factor of k slower for the user and verifier, where k is the security parameter. Damg˚ard et al. also only support one authentication per time period, while we support n. Because our construction is based on e-cash, we can use existing techniques to identify a cheating user, trace all of her e-tokens, and revoke her dispensers. We also offer a new anonymity service: glitch protection for basically honest users who (occasionally) reuse e-tokens. The verifier can always recognize a reused e-token; however, we preserve the anonymity of users who do not reuse e-tokens too often.
Chosen-Ciphertext Secure Proxy Re-Encryption
- In Proc. of ACM-CCS’007
, 2007
"... In a proxy re-encryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a different key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have ma ..."
Abstract
-
Cited by 66 (1 self)
- Add to MetaCart
(Show Context)
In a proxy re-encryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a different key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have many practical applications, including distributed storage, email, and DRM. Previously proposed re-encryption schemes achieved only semantic security; in contrast, applications often require security against chosen ciphertext attacks. We propose a definition of security against chosen ciphertext attacks for PRE schemes, and present a scheme that satisfies the definition. Our construction is efficient and based only on the Decisional Bilinear Diffie-Hellman assumption in the standard model. We also formally capture CCA security for PRE schemes via both a game-based definition and simulation-based definitions that guarantee universally composable security. We note that, simultaneously with our work, Green and Ateniese proposed a CCA-secure PRE, discussed herein. 1
Delegatable Pseudorandom Functions and Applications
"... We put forth the problem of delegating the evaluation of a pseudorandom function (PRF) to an untrusted proxy. A delegatable PRF, or DPRF for short, is a new primitive that enables a proxy to evaluate a PRF on a strict subset of its domain using a trapdoor derived from the DPRF secret-key. PRF delega ..."
Abstract
-
Cited by 55 (0 self)
- Add to MetaCart
(Show Context)
We put forth the problem of delegating the evaluation of a pseudorandom function (PRF) to an untrusted proxy. A delegatable PRF, or DPRF for short, is a new primitive that enables a proxy to evaluate a PRF on a strict subset of its domain using a trapdoor derived from the DPRF secret-key. PRF delegation is policy-based: the trapdoor is constructed with respect to a certain policy that determines the subset of input values which the proxy is allowed to compute. Interesting DPRFs should achieve low-bandwidth delegation: Enabling the proxy to compute the PRF values that conform to the policy should be more efficient than simply providing the proxy with the sequence of all such values precomputed. The main challenge in constructing DPRFs is in maintaining the pseudorandomness of unknown values in the face of an attacker that adaptively controls proxy servers. A DPRF may be optionally equipped with an additional property we call policy privacy, where any two delegation predicates remain indistinguishable in the view of a DPRF-querying proxy: achieving this raises new design challenges as policy privacy and efficiency are seemingly conflicting goals. For the important class of policies described as (1-dimensional) ranges, we devise two DPRF constructions and rigorously prove their security. Built upon the well-known tree-based GGM PRF family [15], our constructions are generic and feature only logarithmic delegation size in the number of values conforming to the policy predicate. At only a constant-factor efficiency reduction, we show that our second construction is also policy private. As we finally describe, their new security and efficiency properties render our delegated PRF schemes particularly useful in numerous security applications, including RFID, symmetric searchable encryption, and broadcast encryption. 1
Identity-based proxy re-encryption
- In ACNS ’07
, 2007
"... In a proxy re-encryption scheme a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. A number of solutions have been proposed in the public-key setting. In this paper, we address the problem of Identity-Based proxy re-encryption, whe ..."
Abstract
-
Cited by 55 (0 self)
- Add to MetaCart
In a proxy re-encryption scheme a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. A number of solutions have been proposed in the public-key setting. In this paper, we address the problem of Identity-Based proxy re-encryption, where ciphertexts are transformed from one identity to another. Our schemes are compatible with current IBE deployments and do not require any extra work from the IBE trusted-party key generator. In addition, they are non-interactive and one of them permits multiple re-encryptions. Their security is based on a standard assumption (DBDH) in the random oracle model.
Shared and searchable encrypted data for untrusted servers
- in DBSec, ser. Lecture Notes in Computer Science
, 2008
"... Current security mechanisms are not suitable for organisations that outsource their data management to untrusted servers. Encrypting and decrypting sensitive data at the client side is the normal approach in this situation but has high communication and computation overheads if only a subset of the ..."
Abstract
-
Cited by 51 (6 self)
- Add to MetaCart
(Show Context)
Current security mechanisms are not suitable for organisations that outsource their data management to untrusted servers. Encrypting and decrypting sensitive data at the client side is the normal approach in this situation but has high communication and computation overheads if only a subset of the data is required, for example, selecting records in a database table based on a keyword search. New cryptographic schemes have been proposed that support encrypted queries over encrypted data. But they all depend on a single set of secret keys, which implies single user access or sharing keys among multiple users, with key revocation requiring costly data re-encryption. In this paper, we propose an encryption scheme where each authorised user in the system has his own keys to encrypt and decrypt data. The scheme supports keyword search which enables the server to return only the encrypted data that satisfies an encrypted query without decrypting it. We provide a concrete construction of the scheme and give formal proofs of its security. We also report on the results of our implementation. 1
Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption
- In PKC’08, LNCS
"... Abstract. In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy re-encryption (PRE) in which a proxy can transform – without seeing the plaintext – a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recentl ..."
Abstract
-
Cited by 40 (1 self)
- Add to MetaCart
(Show Context)
Abstract. In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy re-encryption (PRE) in which a proxy can transform – without seeing the plaintext – a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recently drawn renewed interest. Notably, Canetti and Hohenberger showed how to properly define (and realize) chosen-ciphertext security for the primitive. Their system is bidirectional as the translation key allows converting ciphertexts in both directions. This paper presents the first unidirectional proxy re-encryption schemes with chosen-ciphertext security in the standard model (i.e. without the random oracle idealization). The first system provably fits a unidirectional extension of the Canetti-Hohenberger security model. As a second contribution, the paper considers a more realistic adversarial model where attackers may choose dishonest users ’ keys on their own. It is shown how to modify the first scheme to achieve security in the latter scenario. At a moderate expense, the resulting system provides additional useful properties such as non-interactive temporary delegations. Both constructions are efficient and rely on mild complexity assumptions in bilinear groups. Like the Canetti-Hohenberger scheme, they meet a relaxed flavor of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen. 1
File System Design with Assured Delete
, 2005
"... This paper describes a system that supports high availability of data, until the data should be expunged, at which time the system makes it impossible to recover the data. This design supports two types of assured delete; where the expiration time is known at file creation, and on-demand delete of i ..."
Abstract
-
Cited by 34 (2 self)
- Add to MetaCart
This paper describes a system that supports high availability of data, until the data should be expunged, at which time the system makes it impossible to recover the data. This design supports two types of assured delete; where the expiration time is known at file creation, and on-demand delete of individual files. The design assures Previous work has described how to do this when the expiration time of a file is known at file creation time, and was particularly suited to supporting many independent clients. This paper reviews that work, but also describes how to support on-demand deletion of individual files.
Outsourcing the decryption of abe ciphertexts
- In Proceedings of the USENIX Security Symposium
, 2011
"... Attribute-based encryption (ABE) is a new vision for public key encryption that allows users to encrypt and decrypt messages based on user attributes. For example, a user can create a ciphertext that can be decrypted only by other users with attributes satisfying (“Faculty ” OR (“PhD Student ” AND “ ..."
Abstract
-
Cited by 32 (2 self)
- Add to MetaCart
Attribute-based encryption (ABE) is a new vision for public key encryption that allows users to encrypt and decrypt messages based on user attributes. For example, a user can create a ciphertext that can be decrypted only by other users with attributes satisfying (“Faculty ” OR (“PhD Student ” AND “Quals Completed”)). Given its expressiveness, ABE is currently being considered for many cloud storage and computing applications. However, one of the main efficiency drawbacks of ABE is that the size of the ciphertext and the time required to decrypt it grows with the complexity of the access formula. In this work, we propose a new paradigm for ABE that largely eliminates this overhead for users. Suppose that ABE ciphertexts are stored in the cloud. We show how a user can provide the cloud with a single transformation key that allows the cloud to translate any ABE ciphertext satisfied by that user’s attributes into a (constant-size) El Gamal-style ciphertext, without the cloud being able to read any part of the user’s messages. To precisely define and demonstrate the advantages of this approach, we provide new security definitions for both CPA and replayable CCA security with outsourcing, several new constructions, an implementation of our algorithms and detailed performance measurements. In a typical configuration, the user saves significantly on both bandwidth and decryption time, without increasing the number of transmissions.
