International Journal of Computer Science and Information Security (IJCSIS), Vol. 14, No. 6, June 2016

A Comparison of Proxy Re-Encryption Schemes – A Survey
Anum Khurshid, Fiaz Gul Khan, Abdul Nasir Khan
Department of Computer Science, COMSATS Institute of Information Technology, Abbottabad, Pakistan

Abstract— Proxy re-encryption has been studied since Blaze, Bleumer and Strauss framed the problem of forwarding an encrypted message to a party for whom it was not encrypted as one of delegating decryption rights. The schemes proposed since then have concentrated on properties such as directionality, transitivity, collusion-resistance and key-privacy, so that the proxy has to be trusted as little as possible. This survey describes the major schemes, classifies them by directionality, sets out their main advantages and disadvantages, and compares them in detail on the properties a proxy re-encryption scheme must possess for widespread adoption.
Index words— bilinear maps, CCA secure, collusion resistance, CPA secure, delegation rights, Diffie-Hellman key exchange, DBDH assumption, proxy re-encryption, transitivity.

I. INTRODUCTION
Computing has moved from traditional sequential systems towards distributed systems, cloud computing, in which computational infrastructure is offered to users as a service (infrastructure as a service, platform as a service, software as a service, and so on), and the IoT. Security and privacy of data have therefore become the primary concern of organizations and users worldwide, because these developments require personal and confidential data, and the resources that hold it, to be shared over the network. Network security mechanisms provide access and authorization controls, but they still leave room for improvement. Proxy re-encryption (PRE) is a comparatively new encryption technique devised primarily for securing distributed data and files. Its goal is to let a ciphertext for one party be transformed into a ciphertext for another party without relying on, or trusting, the third party that performs the transformation.

Suppose User1 wants User2 to be able to decrypt a message that was encrypted for User1, using User2's own secret key rather than User1's. The trivial way to involve a proxy is to hand it both users' keys: the proxy decrypts the ciphertext with User1's secret key and re-encrypts the plaintext under User2's public key. This is weak: the proxy sees the plaintext and holds User1's secret key, which violates the primary goal of security, since the purpose of a proxy re-encryption scheme is precisely to keep both the keys and the plaintext hidden from the proxy. For settings in which the proxy cannot be trusted, the requirement is to convert a message encrypted under User1's public key into a message encrypted under User2's public key without the proxy being able to decrypt it. A scheme that achieves this is a proxy re-encryption scheme. Although PRE schemes are built on ordinary public-key encryption (key generation, distribution of keys between the parties, encryption at one end and decryption at the other), they differ in two additional properties, directionality and transitivity, described next.

Fig.1. Representation of Proxy Re-Encryption

Directionality
If the re-encryption key is reversible, that is, the same re-encryption key translates ciphertexts from User1 to User2 and from User2 to User1, the scheme is bidirectional. In a bidirectional scheme, delegating to a receiver automatically gives the receiver the ability to have ciphertexts re-encrypted towards the sender, so such re-encryption keys are generated from the secret keys of both parties and require their mutual trust and consent. A unidirectional scheme works one way only: a re-encryption key from User1 to User2 cannot be used to re-encrypt from User2 to User1. This gives a stronger guarantee and suits untrusted settings where messages must be forwarded but the receiver should not thereby gain rights over the sender's ciphertexts. Unidirectional schemes are also the more general option, since a bidirectional scheme can be obtained from a unidirectional one simply by running it in both directions, from User1 to User2 and from User2 to User1 [14].
Transitivity

392

https://sites.google.com/site/ijcsis/ ISSN 1947-5500


Transitivity is used here for the number of re-encryptions an algorithm permits on one ciphertext. A transitive (multi-hop) scheme lets a ciphertext be re-encrypted from User1 to User2, then from User2 to User3, and so on; a non-transitive scheme allows a ciphertext to be re-encrypted only once (or a fixed number of times). In a non-transitive scheme the proxy therefore cannot extend delegation rights beyond the pair of communicating users. (Table I separates this hop count, listed there as multiple-use, from transitivity in the narrower sense of [4]: a scheme is transitive when the proxy alone can combine the re-encryption keys for User1 to User2 and User2 to User3 into a re-encryption key for User1 to User3, re-delegating without the users' consent.)

Beyond these, the security properties expected of existing proxy re-encryption schemes [3] include that the proxy can never see plaintext, whatever the scheme; that secret keys are generated at the data owner's end; and that the proxy cannot derive the sender's or the receiver's secret key from the re-encryption key. The transitivity and delegation depth chosen for a deployment depend on the trust relationships between the parties, on the level of security at each party's end, and on the parties' priorities (confidentiality, integrity, and so on).

The need for PRE was first highlighted by Mambo and Okamoto in 1997, who proposed delegating decryption rights to improve efficiency over conventional decrypt-then-encrypt approaches [2]. Blaze, Bleumer and Strauss (BBS) extended this in 1998 with atomic proxy re-encryption, in which a partially trusted proxy converts a ciphertext for one user into a ciphertext for another without learning the underlying plaintext [1]. Although it is efficiently computable, flexible and easy to apply, the adoption of BBS re-encryption for managing encrypted file systems over a larger application domain has been hindered by considerable security risks [4]: the BBS scheme is bidirectional, generating its re-encryption key requires both users' secret keys, and a proxy colluding with either user can recover the other user's secret key. These methods are still maturing and need refinement before every organization can adopt them.
II. CLASSIFICATION AND ANALYSIS OF PROXY RE-ENCRYPTION SCHEMES

Fig. 2. Classification of Proxy Re-Encryption Schemes Based on Directionality
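The bidirectional BBS-style scheme [1] described in Section I makes the properties behind Fig. 2 concrete. The following Python example is added here and is not code from the paper or from [1]: it implements an ElGamal-style proxy re-encryption in which the re-encryption key is the quotient of two secret keys, then checks bidirectionality, transitivity, collusion and (lack of) key-privacy, the properties compared in Sections II and IV. The group parameters (p = 1019, q = 509, g = 4), the sample message and all function names are assumptions chosen for readability; a deployment would use a 2048-bit safe-prime group or an elliptic curve, and arbitrary messages would need an encoding into group elements.

```python
"""
Toy ElGamal-style bidirectional PRE in the style of Blaze, Bleumer and
Strauss [1], with the checks discussed in [4].  Added example, not the
paper's code.  Parameters are deliberately tiny (assumption: p = 1019,
q = 509) so the arithmetic is readable; messages are group elements.
"""
import secrets

P = 1019          # safe prime, P = 2*Q + 1 (toy size, assumption)
Q = 509           # prime order of the subgroup of quadratic residues
G = 4             # 2^2 is a quadratic residue, hence a generator of order Q


def keygen():
    """Secret key a in [1, Q-1]; public key g^a mod p."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def encrypt(pk, m):
    """BBS/ElGamal variant: (m * g^k, pk^k).  The second component carries
    the receiver's key, which is what the proxy later re-keys."""
    k = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, k, P)) % P, pow(pk, k, P)


def decrypt(sk, ct):
    """Recover g^k = (g^{ak})^{1/a}, then m = c1 / g^k."""
    c1, c2 = ct
    gk = pow(c2, pow(sk, -1, Q), P)
    return (c1 * pow(gk, -1, P)) % P


def rekey(sk_from, sk_to):
    """rk_{A->B} = b / a mod Q.  Needs BOTH secret keys (interactive)."""
    return (sk_to * pow(sk_from, -1, Q)) % Q


def reencrypt(rk, ct):
    """Proxy step: (g^{ak})^{b/a} = g^{bk}.  The plaintext is never seen."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)


# ---- properties a practitioner should check before trusting the proxy ----

def reverse_rekey(rk):
    """Bidirectional: rk_{B->A} = rk_{A->B}^{-1}, computable by the proxy alone."""
    return pow(rk, -1, Q)


def compose_rekeys(rk_ab, rk_bc):
    """Transitive: rk_{A->C} = rk_{A->B} * rk_{B->C} mod Q, so the proxy can
    re-delegate from A to C without A's consent."""
    return (rk_ab * rk_bc) % Q


def collude(rk_ab, sk_b):
    """Collusion: proxy (rk_{A->B}) plus B (b) recover a = b * rk^{-1} mod Q,
    the risk noted in [4] for the BBS scheme."""
    return (sk_b * pow(rk_ab, -1, Q)) % Q


def rekey_links(pk_a, pk_b, rk):
    """Not key-private: anyone holding rk and the public keys can test
    whether rk delegates from A to B, because (g^a)^{rk} == g^b."""
    return pow(pk_a, rk, P) == pk_b


def demo():
    """End-to-end run; returns the outcome of each property check."""
    a, pk_a = keygen()
    b, pk_b = keygen()
    c, pk_c = keygen()
    m = pow(G, 42, P)                      # constructed sample message
    ct_a = encrypt(pk_a, m)
    rk_ab = rekey(a, b)
    rk_bc = rekey(b, c)
    ct_b = reencrypt(rk_ab, ct_a)          # proxy re-encrypts A's ciphertext for B
    ct_c = reencrypt(compose_rekeys(rk_ab, rk_bc), ct_a)
    ct_back = reencrypt(reverse_rekey(rk_ab), encrypt(pk_b, m))
    return {
        "roundtrip": decrypt(a, ct_a) == m,
        "delegated_to_b": decrypt(b, ct_b) == m,
        "transitive_to_c": decrypt(c, ct_c) == m,
        "bidirectional": decrypt(a, ct_back) == m,
        "collusion_recovers_a": collude(rk_ab, b) == a,
        "rekey_not_key_private": rekey_links(pk_a, pk_b, rk_ab),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every check in demo() comes out True. The last two are the ones that decide how much the proxy must be trusted: collude() shows that the proxy together with one delegatee recovers the other party's secret key, and rekey_links() shows that the re-encryption key reveals who delegated to whom, which is exactly what the key-private schemes of Section D rule out and why [4] classifies BBS as unsuitable for untrusted storage.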


A. Type-and-Identity-Based Proxy Re-encryption Scheme
This scheme addresses the problem of delegating decryption rights to several parties at once. Suppose the delegator wants two different users to read different parts of his message. One option is to trust the proxy to re-encrypt only the selected parts of the ciphertext, which fails as soon as the proxy is corrupted; another, better but impractical, is to choose a separate key pair for every delegatee. The type-and-identity-based proxy re-encryption scheme of Ibraimi et al. [7] builds on the Boneh-Franklin identity-based encryption scheme [19] and lets the delegator enforce different access-control policies on his ciphertexts for multiple receivers. Messages are categorized into types according to the decryption rights of the intended receivers. The main benefit is that a single key pair gives the proxy re-encryption capability over all of the delegator's ciphertexts for all of his receivers; the limitation is that the scheme only works for ciphertexts generated by the delegator himself. The method is as follows:
- Users categorize their messages into different types.
- Setup and Encrypt are the same as in the Boneh-Franklin scheme.
- Re-Encrypt(msg, type, msg_id): outputs the ciphertext sub_msg = (msg1, msg2, msg3) according to the message and the type chosen by the user. Each sub-message can be decrypted by its intended receiver and no one else.
- Decrypt(sub_msg, skid): given sub_msg = (msg1, msg2, msg3), outputs the message msg for which the receiver's secret key skid is valid. Every receiver thus obtains the sub-message intended for him and nothing more [7].
Another scheme, based entirely on the type of the user, is constructed in [15] together with several variants.

B. Conditional Proxy Re-encryption Scheme
Where fine-grained delegation is required that depends on a predetermined condition, conditional proxy re-encryption (C-PRE) allows only ciphertexts satisfying a condition set by the sender to be transformed and then decrypted by the receiver. The scheme of [10] is proven CCA-secure, and later versions support multiple conditions rather than the single condition of the original. Conditions can be anything the parties and the construction allow: a set of predefined integers, the sending or receiving state of the parties, or the physical location of the sender or receiver. The message is encrypted under the receiver's public key together with the condition, and the receiver must likewise satisfy the predefined conditions to decrypt. The open challenge is to construct CCA-secure C-PRE schemes with anonymous conditions rather than known, predefined ones [10].

C. Attribute-Based Proxy Re-encryption Scheme
Attribute-based proxy re-encryption ties decryption to attributes the receiver holds rather than to a single identity, which makes it attractive where impersonation of users is a concern and simplifies establishing who may decrypt. The attributes (city, country, street number, GPS coordinates, or any other set fixed at encryption time) must be held by a user before decryption is possible. Matching is threshold-based, as in fuzzy identity-based encryption [13]: if enough of the receiver's attributes match the set required by the ciphertext, decryption is permitted using the receiver's attribute keys together with the secret key; if the overlap falls below the threshold, decryption fails entirely. This is a general scheme of which several variants exist, notably ciphertext-policy attribute-based encryption and key-policy attribute-based encryption, both widely implemented. The mechanism has been combined with proxy re-encryption in several forms.

D. Key-Private Proxy Re-encryption Scheme
Key-private proxy re-encryption, also known as anonymous proxy re-encryption, requires that even the proxy performing the transformation cannot identify, or distinguish between, the users involved. None of the early PRE schemes provided this. The scheme of [9] is CPA-secure; CCA-secure key-private PRE remains work in progress. A proxy serving many users should not be able to learn, from the ciphertexts it transforms or from the set of re-encryption keys it holds, which parties are communicating with a given user; neither piece of information should lead back to the users. The benefit of a key-private scheme is that nobody can tell who has access to a particular message, giving complete anonymity to the parties in a communication [9].

E. Ciphertext-Policy Attribute-Based Proxy Re-encryption
Ciphertext-policy ABPRE (CP-ABPRE) is a joint construction of attribute-based encryption and traditional proxy re-encryption. It is proven secure against CPA. It is the variant of ABE in which the ciphertext carries an access structure over attributes and each user's key carries that user's attribute set.


The access structure, a set of attributes with a policy over them, defines the type of user who should be granted access and decryption rights. This addresses the problem of serving many users and distributing keys to a large audience: key management is a significant overhead in such settings, and CP-ABPRE reduces it. Recent variants are proven secure against chosen-ciphertext attacks under the decisional q-parallel BDH assumption [11]. The scheme has wide application in the medical domain, where patient records are continually transferred and referred from one doctor or facility to another. It gives the data owner fine-grained control over delegatees, letting him specify who can decipher the data by attaching a set of attributes to it [13]. CP-ABPRE is a collusion-resistant unidirectional scheme over a monotonic access structure; a CCA-secure version is constructed in [16].

F. Time/Clock-Based Proxy Re-encryption Scheme
A cloud environment consists of several independent servers that communicate to provide services. In a time-based re-encryption scheme each cloud server may re-encrypt data automatically and independently, whereas in the previous methods data was re-encrypted only on a command from the data owner [18]. Re-encryption is driven by the internal clock of the cloud servers rather than by manual commands. Each piece of data stored in the cloud is associated with an access structure, a set of attributes defining the type of user the data is meant for, and a time structure specifying the period during which the data is accessible [18]. The receiver is issued keys that are effective only during the specified access times, so the receiver can decrypt only with keys matching the current access time. The data owner and the cloud service provider (CSP) share a secret key, which is later used to derive sub-keys for users and to re-encrypt the data together with the system clock time. This combination of access structure and time facilitates user revocation and the distribution of delegation rights. Like most proxy re-encryption schemes, the algorithm rests on the bilinear Diffie-Hellman assumption. It operates as follows. Setup generates the master key and public key and defines a universal attribute set from which individual attributes are later selected. The CSP then identifies its users and generates their secret keys from their attribute sets, and data is encrypted under the access structure described above. When a user requests a piece of data, it is re-encrypted with the current system time, which fixes a valid access window for decryption by that user. A user who satisfies the access structure, that is, holds the required attribute set, can therefore decrypt successfully as long as the time has not expired [6].

G. Threshold Proxy Re-encryption Scheme
Three problems arise in a decentralized cloud storage system. First, the high volume of traffic between the user and the storage servers forces more computation onto the user. Second, key management is a burden on the user, since security is broken if the user's keys are compromised. Third, directly forwarding one user's messages to another is not feasible. The system of [8] is built around a scheme its authors call threshold proxy re-encryption. The cloud storage system first stores user details in a database: a user registers by entering data such as user_name, user_gender, user_location, user_password, user_birthdate and user_e-mail address, and then logs in with those credentials. A file is forwarded inside a folder together with the sender's and recipient's names, a security question that gates decryption access, a file containing the decryption key, and the message status; the folder is sent using the receiver's e-mail address and public key. On receipt, the receiver must first download the key file, which requires entering the file name and the security question with its answer; the key is then revealed and the selected file can be downloaded and decrypted [8]. Note that, as described, the decryption key travels alongside the ciphertext and is released to whoever answers the security question, so the confidentiality of the forwarded file rests on that question rather than on a re-encryption key held by the proxy.

ANALYSIS
Type-based PRE provides semantic security and control over ciphertext privacy, but computations on the encrypted messages are not possible, which limits its wider use. Key-private PRE [9] is proven CPA-secure; a CCA-secure key-private construction remains open, and the key-privacy proof is harder than the standard CPA proof. Identity-based PRE is secure against adaptive CCA, but constructions that are simultaneously multi-use, efficient and CCA-secure are hard to find. Ciphertext-policy attribute-based PRE provides fine-grained access control over data by restricting decryption rights according to the receiver's attributes, but its efficiency and flexibility are only average compared with the other schemes. Conditional PRE [10] is efficient and CCA-secure, but designing C-PRE schemes that remain CCA-secure with hidden conditions is very difficult. Time-based PRE is a more recent variant that provides scalable user revocation and reduces the data owner's workload; its main disadvantage is that the effective time period must be the same for all attributes associated with a user. Threshold PRE forwards data efficiently but demands very strict access control, which is difficult to provide.

III. APPLICATIONS OF PRE
Proxy re-encryption has many applications beyond the earlier proposals [Blaze et al. 1998; Dodis and Ivan 2003 [5]; Jakobsson 1999; Zhou et al. 2004] for performing cryptographic operations on storage-limited devices, for law enforcement and, most commonly, for e-mail forwarding. In particular, proxy cryptography applies naturally to secure network file storage.
Secure file systems: A secure file system is the most obvious application, because a storage system is always assumed to be untrusted and the goal of PRE is precisely to use an untrusted or partially trusted party for re-encryption without harm to the data.
Outsourced filtering of encrypted spam: A less well known but equally applicable use is having encrypted e-mail filtered by an outside contractor. The volume of spam and hoax mail has overwhelmed the filtering capacity of many small businesses, creating a market for outsourced e-mail filtering, while the techniques of the senders have rendered basic filtering measures useless. With proxy re-encryption, incoming encrypted e-mail can be re-encrypted at the first e-mail gateway and forwarded to the external contractor for filtering, without any risk of exposing the underlying plaintexts [4].
This survey discusses in detail the PRE schemes introduced so far, starting from Mambo and Okamoto [2], with their pros and cons and the applications of each in its field.

IV. COMPARATIVE STUDY
The following table compares the PRE schemes discussed above on directionality, multi-use, transitivity, interactivity, security, key-privacy, collusion resistance, and the assumption on which each algorithm is built:

TABLE I
COMPARISON OF PRE TECHNIQUES

Feature                    Type-based    Identity-based         Key-private   Conditional      Clock-based   Threshold-based    CP-ABPRE
                           PRE [15]      PRE [14]               PRE [9]       PRE [10]         PRE [6]       PRE [8]            [11]
Uni-/bidirectional         Bi            Uni                    Uni           Uni              Uni           Bi                 Uni
Multiple-use               No            Yes                    No            No               No            -                  Yes
Transitivity               No            No                     No            No               No            No                 No
Non-interactive            Yes           Yes                    Yes           Yes              Yes           No                 Yes
Key-private                Yes           -                      Yes           -                -             -                  -
Collusion-resistant        No            No                     Yes           Yes              -             Yes                Yes
Fine-grained delegation    Yes           Yes                    -             Yes              Yes           Yes                Yes
Ciphertext-private         Yes           Yes                    Yes           Yes              Yes           Yes                Yes
Key-pairs                  1             -                      1             -                1             -                  -
Secure against             CPA, CCA      CPA (multi-use),       CPA           CCA              CPA           -                  CPA, CCA
                                         CCA (single-use)
Assumption                 DBDH, co-BDH  DBDH                   DBDH          3-quotient BDH   BDH           -                  Decisional q-parallel BDH

"-" means the property is not stated for that scheme.


V. CONCLUSION
This paper briefly discusses various proxy re-encryption schemes, their general mechanism and implementation, classifies them by directionality, and compares them on the traits that every successful proxy re-encryption algorithm should have. Future work should combine key-privacy with transitivity: most of the schemes surveyed are collusion-resistant and some are key-private, but an efficient scheme that also provides transitivity is still missing.

REFERENCES
[1] M. Blaze, G. Bleumer and M. Strauss, Divertible protocols and atomic proxy cryptography, Proceedings of EUROCRYPT '98, LNCS vol. 1403, pp. 127-144, 1998.
[2] M. Mambo and E. Okamoto, Proxy cryptosystems: Delegation of the power to decrypt ciphertexts, IEICE Trans. Fundamentals of Electronics, Communications and Computer Sciences, vol. E80-A, no. 1, pp. 54-63, 1997.
[3] M. Nabeel, Proxy re-encryption, Nabeel's Blog, http://mohamednabeel.blogspot.ca/2011/03/proxy-reencryption.html, accessed March 2016.
[4] G. Ateniese, K. Fu, M. Green and S. Hohenberger, Improved proxy re-encryption schemes with applications to secure distributed storage, Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), February 2005.
[5] Y. Dodis and A. Ivan, Proxy cryptography revisited, Proceedings of the Network and Distributed System Security Symposium (NDSS), 2003.
[6] Q. Liu, G. Wang and J. Wu, Clock-based proxy re-encryption scheme in unreliable clouds, 41st International Conference on Parallel Processing Workshops, 2012.
[7] L. Ibraimi, Q. Tang, P. Hartel and W. Jonker, A type-and-identity-based proxy re-encryption scheme and its application in healthcare, Secure Data Management, Springer, 2008.
[8] S. Saduqulla and S. Karimulla, Threshold proxy re-encryption in cloud storage system, International Journal of Advanced Research in Computer Science and Software Engineering, vol. 3, no. 11, November 2013.
[9] G. Ateniese, K. Benson and S. Hohenberger, Key-private proxy re-encryption, Topics in Cryptology (CT-RSA), Springer, 2009.
[10] J. Weng, R. H. Deng, X. Ding, C.-K. Chu and J. Lai, Conditional proxy re-encryption secure against chosen-ciphertext attack, ASIACCS, pp. 322-332, 2009.
[11] K. Liang, L. Fang, D. S. Wong and W. Susilo, A ciphertext-policy attribute-based proxy re-encryption with chosen-ciphertext security, 5th International Conference on Intelligent Networking and Collaborative Systems (INCoS), 2013.
[12] G. Asharov, A. Jain, A. López-Alt, E. Tromer, V. Vaikuntanathan and D. Wichs, Multiparty computation with low communication, computation and interaction via threshold FHE, Proceedings of EUROCRYPT 2012, Springer, pp. 483-501, 2012.
[13] A. Sahai and B. Waters, Fuzzy identity-based encryption, EUROCRYPT 2005, Springer, pp. 457-473, 2005.
[14] M. Green and G. Ateniese, Identity-based proxy re-encryption, 5th International Conference on Applied Cryptography and Network Security (ACNS 2007), Zhuhai, China, 2007.
[15] Q. Tang, Type-based proxy re-encryption and its construction, Proceedings of the 9th International Conference on Cryptology in India (INDOCRYPT 2008), pp. 47-53, 2008.
[16] K. Liang, M. H. Au, W. Susilo, D. S. Wong, G. Yang and Y. Yu, An adaptively CCA-secure ciphertext-policy attribute-based proxy re-encryption for cloud data sharing, 10th International Conference on Information Security Practice and Experience (ISPEC 2014), Fuzhou, China, May 5-8, 2014.
[17] A. Shamir, Identity-based cryptosystems and signature schemes, Advances in Cryptology (CRYPTO '84), pp. 47-53, 1984.
[18] G. Bhavya, P. Ramachandran, V. Manasa and V. R. Srividhya, Time based re-encryption in unreliable clouds, International Conference on Advances in Computer and Electrical Engineering (ICACEE 2012), Manila, Philippines, 2012.
[19] D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, Advances in Cryptology (CRYPTO 2001), Santa Barbara, California, USA, August 19-23, 2001.

Anum Khurshid was born on 11 February 1992 in KPK, Pakistan. She received her BS in Computer Science from COMSATS Institute of Information Technology, Abbottabad, where she is currently an MS student in Computer Science.

Dr. Fiaz Gul was born on 22 November 1982 in Abbottabad, a beautiful valley in KPK. He received his graduate and MS degrees in Computer Science from COMSATS Institute of Information Technology, Abbottabad. For his specialization master's and doctorate he won an HEC scholarship under the UESTP project to study at Politecnico di Torino, Italy. He is currently an Assistant Professor in the Computer Science Department at COMSATS Abbottabad, Pakistan.

Dr. Abdul Nasir received his PhD from the University of Malaya, Kuala Lumpur, Malaysia, in 2014. His fields of specialization are wireless networks, cloud computing, and mobile computing security and privacy. He is currently an Assistant Professor in the Computer Science Department at COMSATS Institute of Information Technology, Abbottabad, Pakistan.
