Pairing-based constructions : efficient revocation, compact ciphertexts and generic transformation
Over the past decade, the emerging of pairing-based cryptography has attracted not only the attention from academic circle, but also industrial organizations. Starting from key agreement protocols and signature schemes based on elliptic curves, the concept of pairing-based cryptography has been wide...
Saved in:
Main Author: | |
---|---|
Other Authors: | |
Format: | Theses and Dissertations |
Language: | English |
Published: |
2015
|
Subjects: | |
Online Access: | https://hdl.handle.net/10356/65244 |
Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
Institution: | Nanyang Technological University |
Language: | English |
Summary: | Over the past decade, the emerging of pairing-based cryptography has attracted not only the attention from academic circle, but also industrial organizations. Starting from key agreement protocols and signature schemes based on elliptic curves, the concept of pairing-based cryptography has been widely used in many cryptographic primitives such as identity-based encryption (IBE), broadcast encryption (BE), attribute-based encryption (ABE), inner-product encryption (IPE), spatial encryption (SE) and so on. These primitives have numerous applications, particularly in the domain of access control, content distribution, mail filtering, data searching, broadcasting, tracing, and biometrics etc. Many of the research in this field are dedicated to improve the scheme efficiency, or to provide generic construction of a primitive. In this thesis we exam the following four aspects from pairing-based cryptography: key update in IBE, ciphertext update in BE, ciphertext compactness in BE and ABE, and last but not least, a generic construction of SE. Identity-based encryption has been regarded as an attractive alternative to conventional certificatebased public key systems. However, although key revocation is a fundamental requirement to any public key systems, not much work has been done in the identity-based setting. We first continue the study of revocable IBE (RIBE) initiated by Boldyreva, Goyal, and Kumar. Their proposal of a selective secure RIBE scheme, and a subsequent construction by Libert and Vergnaud in a stronger adaptive security model are based on a binary tree approach, such that their key update size is logarithmic in the number of users. We ask the question whether the key update size could be further reduced by using a cryptographic accumulator. We show that, indeed, the key update material can be made constant with some small amount of auxiliary information, through a novel combination of the Lewko andWaters IBE scheme and the Camenisch, Kohlweiss, and Soriente pairing-based dynamic accumulator. We then turn our focus to a more practical application: encrypted file sharing (EFS) system. EFS systems are widely used in real-life for sharing files, for example a computer-aided design (CAD) drawing shared between architects, consultants and contractors; or sharing scientific data among the researchers from different universities and institutes; or even for a single user who wishes to access her documents from varies devices like PC, mobile and tablet (a file sharing not among people, but devices). In this work, we first define the criteria for an ideal EFS system, then investigate, analyze and show current approaches have room for improvement. We then further propose a new primitive called updatable broadcast encryption (UBE), which could be used to achieve better efficiency for EFS systems. Through some novel techniques, we provide two concrete UBE constructions based on different broadcast encryption schemes which theoretically outperform existing approaches, and we further prove their security rigorously. Broadcast encryption and attribute-based encryption can be used for enforcing cryptographic access control at different levels of granularity. Both primitives allow a data owner to encrypt and share information with a set of intended recipients. However, current BE and ABE schemes are largely designed for encryption of single messages. In practice, it is often desirable to encrypt multiple messages simultaneously and share them with potentially different sets of recipients. While this can be done straightforwardly by applying any BE or ABE scheme to each individual message in parallel, the resulting ciphertexts are likely to be large. A fundamental reason for this is that each individual message is typically encrypted using a fresh, unique random value to have an appropriate level of security guarantee. In this work, we investigate the possibility of reusing random values across multiple messages targeting for different recipient sets during encryption, such that significant saving can be gained in the size of the resulting ciphertexts. We propose two new primitives called multi-message broadcast encryption (MM-BE) and multi-message key-policy attribute-based encryption (MM-KP-ABE), and provide two concrete constructions. Our MM-BE scheme reduces the ciphertext size of the existing straightforward approach by almost half; while our MM-KP-ABE scheme cuts down the ciphertext size from quadratic to linear complexity. Last but not least, we investigate a variant of spatial encryption (SE) we call ciphertext-policy SE (CP-SE), which combines the properties of SE and those from ciphertext-policy attribute-based encryption (CP-ABE). The resulting primitive supports non-monotone access structure. In CP-SE, the decryptability of a ciphertext depends on whether the required attribute vectors are in the same affine space that corresponding to the decryption key. This primitive gives rise to many new applications, for example, SE supporting negation, hierarchical ABE (HABE) and forward-secure ABE. In this part, we present techniques for generic construction of CP-SE from ciphertext-policy inner product encryption (CP-IPE). Our techniques are property-preserving: if the CP-IPE scheme, from which our CP-SE scheme is derived, is fully secure, then so is the resulting CP-SE scheme. Moreover, interestingly, we show that it is possible to perform transformation from the opposite direction, which is to construct a CP-IPE scheme from a given a CP-SE scheme. |
---|