Patent Grant
9537838
Encrypted databases provide data protection (security) in cloud platforms and/or database-as-a-service settings. In encrypted databases, data (plaintext) can be encrypted at the client to provide encrypted data (ciphertext), which can be provided to the database for storage. In some examples, a third-party provides and maintains the database. That is, the database is outsourced to the third-party. For example, a client encrypts data using one or more encryption keys to provide encrypted data, which the client sends to the third-party for storage in the database.
Outsourcing a database offers efficient resource management and low maintenance costs for clients, but exposes outsourced data (client data) to a service provider (the third-party providing the database and its agents). One issue is periodically re-encrypting the database (e.g., changing the encryption key(s)), because it may be difficult to determine whether an encryption key has been compromised and data is at risk. In one traditional approach, the entire database is downloaded, is rekeyed using a different encryption key, and is uploaded back to the database. This download, rekey, and upload implies huge communication costs and often a significant downtime.
Implementations of the present disclosure include computer-implemented methods for proxy re-encryption of encrypted data stored in a first database of a first server and a second database of a second server. In some implementations, actions include receiving a first token at the first server from a client-side computing device, providing a first intermediate re-encrypted value based on a first encrypted value and the first token, transmitting the first intermediate re-encrypted value to the second server, receiving a second intermediate re-encrypted value from the second server, the second intermediate re-encrypted value having been provided by encrypting the first encrypted value at the second server based on a second token, providing the first encrypted value as a first re-encrypted value based on the first intermediate re-encrypted value and the second intermediate re-encrypted value, and storing the first re-encrypted value in the first database. Other implementations of this aspect include corresponding systems, apparatus, and computer programs, configured to perform the actions of the methods, encoded on computer storage devices.
These and other implementations can each optionally include one or more of the following features: the first encrypted value and the first re-encrypted value are encrypted using deterministic encryption; actions further include: providing a third intermediate re-encrypted value and a fourth intermediate re-encrypted value based on a second encrypted value and the first token, transmitting the third intermediate re-encrypted value and the fourth intermediate re-encrypted value to the second server, receiving a fifth intermediate re-encrypted value and a sixth intermediate re-encrypted value from the second server, the fifth intermediate re-encrypted value and the sixth intermediate re-encrypted value having been provided at the second server based on a second token, providing the second encrypted value as a second re-encrypted value based on the third intermediate re-encrypted value, the fourth intermediate re-encrypted value, the fifth intermediate re-encrypted value and the sixth intermediate re-encrypted value, and storing the second re-encrypted value in the first database; the second encrypted value and the second re-encrypted value are encrypted using randomized encryption; the first database and the second database store the same encrypted data; the first token and the second token are each provided by the client-side computing device based on an encryption key that the encrypted value was encrypted with, and a new encryption key; and the first re-encrypted value is also provided by the second server and is stored in the second database.
The present disclosure also provides a computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations in accordance with implementations of the methods provided herein.
The present disclosure further provides a system for implementing the methods provided herein. The system includes one or more processors, and a computer-readable storage medium coupled to the one or more processors having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations in accordance with implementations of the methods provided herein.
It is appreciated that methods in accordance with the present disclosure can include any combination of the aspects and features described herein. That is, methods in accordance with the present disclosure are not limited to the combinations of aspects and features specifically described herein, but also include any combination of the aspects and features provided.
The details of one or more implementations of the present disclosure are set forth in the accompanying drawings and the description below. Other features and advantages of the present disclosure will be apparent from the description and drawings, and from the claims.
Like reference symbols in the various drawings indicate like elements.
Implementations of the present disclosure are generally directed to proxy re-encryption of encrypted data stored in a database. More specifically, implementations of the present disclosure provide a joint protocol for proxy re-encryption of encrypted data stored in a first database and a second database.
In some implementations, the server systems 104a, 104b include at least one server device 108a, 108b and at least one data store 110a, 110b. In the example of
In some implementations, the network 106 can include a large computer network, such as a local area network (LAN), a wide area network (WAN), the Internet, a cellular network, a telephone network (e.g., PSTN) or an appropriate combination thereof connecting any number of communication devices, mobile computing devices, fixed computing devices and server systems.
In accordance with implementations of the present disclosure, the server systems 104a, 104b can each maintain a database that stores encrypted data, e.g., an encrypted database. In some examples, the data (plaintext) is encrypted at the computing device 102, and the encrypted data (ciphertext) is sent to the server systems 104a, 104b over the network 106 for storage. In some implementations, and as described herein, the server systems 104a, 104b can be provided by respective third-party service providers, which store and provide access to the encrypted data.
In some implementations, a database is part of a database system that also includes a query execution engine. In some examples, the query execution engine receives a query (e.g., a search token from a client), provides a query plan based on the query, executes the query plan to provide a response (e.g., encrypted data from the database that is responsive to the query), and transmits the response to the client (e.g., from which the query was received).
As introduced above, one issue with outsourced databases is periodically re-encrypting the data stored in the database (e.g., changing the encryption key). For example, it may be difficult to determine whether a key has been compromised and data is at risk. Consequently, the data is periodically re-encrypted. Traditional approaches to re-encryption can results in significant communication costs and downtime (e.g., bandwidth and time required to download, rekey, and upload).
In view of this, implementations of the present disclosure provide a proxy re-encryption (PRE) scheme for re-encrypting encrypted data stored in an outsourced database (e.g., cloud database). In accordance with the present disclosure, the PRE scheme is unidirectional, multi-use and adjustable. With regard to unidirectional, if a current encryption key is compromised and the server (third-party server) can revert to the earlier encryption key, the server can decrypt all new ciphertexts. This breaks the basic security guarantee of encrypted cloud databases. Consequently, implementations of the present disclosure are uni-directional, in that the encryption key of encrypted data cannot be reverted to an earlier encryption key. With regard to multi-use, rekeying can occur regularly (e.g., at predefined intervals) and may even occur exceptionally (e.g., in response to a known compromise). An intermediate, one-time re-encryption does not solve the problem for long running databases. With regard to adjustable, adjustable encryption (also referred to as onion encryption) enables security in the database, while enabling the execution of previously unknown queries. More specifically, adjustable encryption enables data stored in the database to be encrypted with different encryption schemes, which are only removed if required to execute a query. In some examples, in case a column is used in a query as a search condition, the column can be adjusted from, for example, a first encryption that is indistinguishability under chosen plaintext attack (IND-CPA) secure to a second encryption that is less secure, but enables execution of the search condition. In view of this, and as described in further detail herein, the PRE scheme of the present disclosure is able to rekey multiple encryption schemes.
In accordance with implementations of the present disclosure, multiple third-party service providers (also referred to as cloud providers) are used to source the encrytped database. For example, two third-party service providers (TSPs) can be used. With reference to
In accordance with implementations of the present disclosure, and as described in further detail herein, re-encryption (re-keying) operations are executed by both of the third-party service providers in a joint protocol (e.g., the first TSP and the second TSP of
Implementations of the present disclosure can further provide cryptographic enforcement of access control (e.g., controlling which users are the client are able to access which data based on one or more access control policies (ACPs)). For example a file collection or database, which uses adjustable encryption for searches and different keys to enforce different access rights can be considered. An access policy granting or revoking operations in this database requires changing the key of the affected data (e.g., a user is granted access to data, a user's access to data is revoked). Implementations of the present disclosure can effect this change without downloading the data from the encrypted database.
Implementations of the present disclosure will be described in further detail with reference to an example threat model. In accordance with the example threat model, a data owner outsources its data in the cloud. The data owner, however, wants to maintain confidentiality of the data against honest-but-curious cloud providers (e.g., the cloud providers are passive, such that a cloud provider can read all information stored on the outsourced database, but do not manipulate the stored data or issued search queries). The cloud providers are independent. That is, the cloud providers do not collude. To protect the confidentiality of data in the face of honest-but-curious cloud providers, the data (plaintext) is encrypted to provide encrypted data (ciphertext), which will be outsourced in the cloud.
In view of the example threat model, implementations of the present disclosure supports encrypted query processing by applying adjustable encryption. As an example, a data column encrypted with DET encryption and with randomized RND encryption, in respective onion layers, is outsourced in the cloud. This prevents honest-but-curious cloud providers from accessing data. In some examples, the RND encryption ensures that the encrypted data is IND-CPA secure. However, RND encryption only supports the execution of a limited set of query operations (e.g., SQL operations), which include, for example, projection, set union, and count. Consequently, it might be necessary to adjust the encryption from RND encryption to DET encryption to support other query operations. In some examples, DET encryption is less secure than RND encryption. For example, DET encryption only ensures that the encrypted data is indistinguishability under a known plaintext attack (IND-KPA) secure. DET encryption, however, efficiently supports a wider range of query operations, such as, for example, selection, group by, count distinct, equi-join, and set difference. That is, for example, a search equality query of plaintexts is performed as a search equality query of ciphertexts. The encryption adjustment is executed by the cloud provider and is triggered by a query of the data owner. For this, the data owner sends an adjustment key to the cloud provider. Adjustable encryption leaks less information to the cloud provider than encrypting all data deterministically, because the RND encryption is only adjusted to DET encryption, if necessary to process a query.
In view of this context, and as introduced above, implementations of the present disclosure provide a joint protocol for rekeying (re-encrypting) encrypted data. To illustrate implementations, the example data column described above (encrypted and outsourced in the cloud) can be considered, for which the data owner wants to rekey (re-encrypt) the data column. In accordance with the present disclosure, re-encryption is executed by two non-colluding cloud providers.
In some implementations, if the data column is encrypted with RND encryption, the re-encryption revokes the current RND encryption key (the old encryption key) and establishes a new encryption key, while preserving the RND encryption. In addition, the re-encryption also adapts the key of the deterministic encryption. In this manner, a current DET encryption key is replaced with a new DET encryption key, which is used in the event that the RND encryption is subsequently adjusted to DET encryption (subsequent to the re-encryption). If the data column is already adjusted from RND encryption to DET encryption (i.e., the RND encryption layer has been removed and the data column is encrypted with DET encryption), the re-encryption revokes the current DET encryption key and establishes a new DET encryption key, while preserving the DET encryption. In some implementations, the re-encryption is unidirectional, such that the re-encryption—either RND or DET—cannot be reverted even though the cloud provider has performed the rekeying in the other direction. This unidirectionality is achieved by computing the re-encryption as a joint protocol between two, non-colluding service providers, as described in further detail herein.
In further detail, and in some implementations, an adjustable PRE scheme is provided as a tuple of multiple functions: a parameter generation function (ParamGen), a key generation function (KeyGen), an encryption function (Enc), a token function (Token), a re-encryption function (ReEnc), and an adjustment function (Adj), where λ is the security parameter. In some examples, the ParamGen takes the security parameter λ as input and outputs system parameters params. In some examples, the KeyGen function takes the security parameter λ as input and outputs a secret key K. In some examples, the Enc function takes the system parameters params, the secret key K, and a message m (cleartext) as input, and provides a ciphertext C as output. In some examples, the Adj function takes the system parameters params, (part of) the secret key K, and a ciphertext C encrypted with a first encryption scheme (e.g., RND encryption) as input, and outputs a ciphertext C adjusted to a second encryption (e.g., DET encryption). In some examples, the Token function takes the system parameters params and secret keys K and K′ as input, and outputs tokens TA, TB. In some examples, the ReEnc function takes the system parameters params, the ciphertext C, and the tokens TA, TB as input, and outputs either a randomized or deterministic ciphertext C re-encrypted with secret key K′, depending on the input ciphertext C (e.g., whether the input ciphertext C is encrypted with RND encryption or DET encryption). In some implementations, a state σ indicates whether RND encryption or DET encryption is used. In some examples, σ=T, if a RND encryption is used, and σ=⊥, if DET encryption is used.
In some examples, a chosen plaintext attack (IND-CPA) models a threat, in which an adversary eavesdrops on the conversation between a sender and a receiver. This captures the notion of the honest-but-curious cloud provider that has access to the outsourced database and learns the encrypted data, but does not manipulate either.
In view of this, an example security game between an adversary and a challenger for security parameter λ can be considered. In the example security game, it is assumed that the adversary is able to break the encryption scheme, and the adversary is used as a solver to help solve a problem posed by the challenger. The problem relies on an assumption that is intended to be difficult to solve.
Setup: The challenger takes security parameter λ and runs the ParamGen and the KeyGen algorithms. The challenger sends the system parameters params to the adversary and keeps the secret key K to itself.
Phase 1: The adversary generates messages mε and asks the challenger to encrypt the messages. The challenger runs the algorithm Enc and responds with C.
Challenge: The adversary generates messages m0, m1 and sends the messages to the challenger. The challenger chooses bε{0,1} uniformly at random to select a message mb, encrypts the message as Cb, and returns Cb to the adversary.
Phase 2: The adversary generates further messages mε and asks the challenger to encrypt the messages.
Guess: The adversary outputs its guess b′ε{0,1} and wins the security game if and only if b=b′.
The advantage of the adversary in the security game is defined as:
ε=Pr[b=b′]−½
A first definition (Definition 1: IND-CPA Security) provides that the Enc function, which takes the system parameters params, the secret key K, and a message m as input, and outputs a ciphertext C, is IND-CPA secure if:
Pr[Adversarywinsthesecuritygame f or λ]≦½+negl(λ)
In some examples, a known plaintext attack (KPA) models a threat, in which an adversary eavesdrops pairs of plaintexts and ciphertexts. For example, the cloud provider has access to the outsourced database and thereby learns the ciphertexts. Furthermore, the cloud provider observes all operations executed on the outsourced database. Although the cloud provider does not necessarily learn the plaintexts, it monitors the adjustment of a randomized to a deterministic ciphertext, for example.
In view of this, another example security game between an adversary (e.g., a TSP) and a challenger (e.g., client) for security parameter λ can be considered.
Setup: The challenger takes the security parameter λ and runs the ParamGen and the KeyGen functions. The challenger sends the system parameters params to the adversary and keeps the secret key K to itself.
Phase 1: The adversary issues a number of plaintexts mi to the challenger. The challenger returns the ciphertexts Ci to the adversary.
Challenge: The adversary chooses two different plaintexts m0, m1, on which it wishes to be challenged with the constraint that they were not previously used in Phase 1. The challenger selects mb with b={0,1} uniformly at random and returns Cb to the adversary.
Guess: The adversary outputs its guess b′ for the encrypted plaintext and wins the security game if and only if b=b′.
The advantage of the adversary in the security game is defined as:
ε=Pr[b=b′]−½.
A second definition (Definition 2: KPA Security) provides that the Adj function, which takes the system parameters params, a secret key K, and a randomized ciphertext C as input, and outputs a ciphertext C, is secure in the random-oracle-model against known plaintext attacks, if:
Pr[Adversarywinsthesecuritygame f or λ]≦½+negl(λ).
In some examples, the honest-but-curious cloud provider has access to the ciphertexts and also witnesses all operations executed on the database. In particular, this holds for the re-encryption of data. Furthermore, the cloud provider might learn keys revoked by the data owner. If the re-encryption scheme were reversible, the cloud provider could reverse the re-encryption. This facilitates the cloud provider with a ciphertext encrypted with a revoked key. If this key is known by the cloud provider, the cloud provider can gain access to the plaintext. To prevent this, implementations of the present disclosure provide security against reverse PRE.
Another example security game between an adversary and a challenger for security parameter λ can be considered.
Setup: The challenger takes security parameter λ, runs the ParamGen function, and returns the system parameters params to the adversary. The challenger runs the KeyGen function and generates two keys K, K′. The challenger sends K′ to the adversary and keeps K to itself.
Phase 1: The adversary issues queries q1, . . . , qm where qi is one of the following:
Challenge: The adversary picks message {circumflex over (m)} on which it wishes to be challenged with the constraint that it was not previously used in Phase 1. The challenger encrypts message {circumflex over (m)} as ciphertext C with key K and asks the adversary for the re-encryption to ciphertext C′ under key K′.
Phase 2: The adversary issues more queries qm+1, . . . , qn of the query types described above with the constraint that it does not include {circumflex over (m)}.
Guess: The adversary outputs its guess C and wins the security game if and only if C=Ĉ.
The advantage of the adversary in the security game is defined as
ε=Pr[C=Ĉ]
A third definition (Definition 3: Non-Reverse PRE) provides that the ReEnc function, which takes the system parameters params, the tokens TA, TB, and a ciphertext C as input, and outputs a ciphertext C, is secure against reverse PRE in the random oracle model if:
Pr[Adversarywinsthesecuritygame f or λ]≦negl(λ)
Implementations of the adjustable PRE scheme of the present disclosure are described in further detail below with reference to the Decisional Diffie-Hellman Problem (DDHP), with the assumption that the DDHP is difficult to solve, and the Diffie-Hellman Inversion Problem (DHIP), with the assumption that the DHIP is difficult to solve. The DDHP in a group with order p is to distinguish whether c=ab or cε
p uniformly chosen at random given ga, gb, gcε
. The DHIP in
is the computation of
In view of the foregoing, implementations of the adjustable PRE scheme of the present disclosure are described in further detail below. More particularly, each of the above-introduced functions will be described in further detail in view of the joint protocol to compute the re-encryption in accordance with the present disclosure.
Function 1 (ParamGen): params←ParamGen(1λ)—Generate a group of order p and gε
. Define the message space as
={0,1}n and the ciphertext space as
=
×
, if the encryption is RND, and
=
, if the encryption is DET. Choose a keyed cryptographic hash function Hk: {0,1}n→
with k the key only known to the challenger. In the security analysis, Hk is referred to as a random oracle. Output the system parameters params={
,
,
, g, p, Hk}.
Function 2 (KeyGen): K←KeyGen(1λ)—Choose xεp and yε
p uniformly at random. Output K=<x, y>.
Function 3 (Enc): C←Enc(params, K, m)—Choose rεp uniformly at random. Compute c=gr and d=Hk(m)ygrx. Set a state σ=T specifying that RND encryption is used. Output ciphertext C=<T, (c,d)>.
Function 4 (Adj): C=Adj (params, x, C)—Parse C. If σ=⊥, abort, otherwise C=<T,(c,d)>. Compute:
and set σ=⊥ specifying that DET encryption is used. Output C=<⊥, {tilde over (c)}>.
Function 5 (Token): {TA, TB}=Token(params, K, K′)—Compute:
Set TA=(xA, yA) and TB=(xB, yB). Output TA, TB and distribute TA to Server A and TB to Server B.
Function 6 (ReEnc): C←ReEnc(params, C, TA, TB)—Parse C. If σ=⊥, then C=<⊥, {tilde over (c)}>. Compute:
and output C=<⊥, c′>. This is the re-encryption of a deterministic ciphertext as indicated by the state σ=⊥.
If σ=T (i.e., RND encryption), then C=<T, (c, d)>. Compute:
Output C=<T, (c′, d′)>.
This is the re-encryption of a randomized ciphertext as indicated by the state σ=T.
In accordance with the present disclosure, implementations are IND-CPA secure. More particularly, if the DDHP assumption holds, the Enc function is IND-CPA secure (Theorem 1). In some examples, Theorem 1 can be proven using the above-described security game:
Proof: Assuming that an adversary can solve the described security game correctly, and a polynomial time algorithm can be provided, which can solve the DDHP. For each instance of the DDHP (p, g, gs, gx, R=gz) with z=xs if h=0 or z chosen uniformly at random if h=1, the polynomial time algorithm uses the adversary to decide whether R=gxs or R=gz.
Setup: Receive an instance of the DDHP is received as (p, g, gs, gx, R). Choose yεp uniformly at random. Send system parameters p, g to the adversary.
Phase 1: The adversary generates arbitrary messages mε and asks for their ciphertexts C. Choose rε
p uniformly at random. Encrypt m as ciphertext C=<T, (c, d)> with c=gr and d=Hk(m)ygrx. Return C to the adversary.
Challenge: The adversary generates two messages mb with bε{0,1} and sends them to the challenger. The challenger chooses bε{0,1} uniformly at random and returns Cb=<T, (c, d)> with c=gs and d=Hk(m)yR to the adversary.
Phase 2: The adversary generates further messages mε and receives their ciphertexts C.
Guess: The adversary outputs its guess for message mb denoted as b′ε{0,1}. If b=b′, then set h′=0. If b≠b′, set h′=1.
The probability that the polynomial time algorithm solves the instance of the DDHP is:
Pr[h=h′]=P[h=0]Pr[h=h′|h=0]+Pr[h=1]Pr[h=h′|h=1]=½Pr[h′=0|h=0]+½Pr[h′=1|h=1]=½Pr[b=b′|h=0]+½Pr[b≠b′|h=1]
In the case where h=0, it is R=gxs for this instance of the DDHP. To solve this problem is identical to solve the security game. Therefore, the probability that b=b′ given h′=0 is:
Pr[b=b′|h=0]=Pr[b=b′]=½+ε
In the case where h=1, it is R=gz for this instance of the DDHP. As zεp is uniformly chosen at random and independently of g, y, m0, m1, b, it is Hk(m)R uniformly distributed in
. The random variables g, gx, gs, T, b are also jointly independent. Therefore, the system parameters g, p and the ciphertext C=<T, (c, d)> do not reveal information about b. As b is either 0 or 1, it is:
Pr[b≠b′|h=1]=½
Overall, the probability that the polynomial time algorithm solves the instance of the DDHP is:
The challenger solves the DDHP with advantage
If the DDHP assumption holds, this advantage can only be negligible. So,
and, thus also ε are negligible. Therefore, the adversary can only solve the distinguishability under chosen-plaintext attack only with a negligible advantage.
In accordance with the present disclosure, implementations are IND-KPA secure. More particularly, if the DDHP assumption holds, the Adj function is secure against known plaintext attacks in a random-oracle-model (Theorem 2). In some examples, Theorem 2 can be proven using the above-described example security game:
Proof: Assuming that an adversary can solve the described security game correctly, a polynomial time algorithm can be provided, which can solve the DDHP. For each instance of the DDHP (p, g, gs, gy, R=gz) with z=sy if h=0 or z chosen uniformly at random if h=1, the polynomial time algorithm uses the adversary to decide whether R=gsy or R=gz.
Setup: Receive an instance of the DDHP (p, g, gs, gy, R=gz). Send parameters g, p to the adversary.
Phase 1: The adversary issues a number of plaintexts mε to the challenger.
H-Queries: The challenger queries the random oracle. The random oracle maintains a list of triples <m, gt, t> with mε the queried plaintext, gtε
, and tε
p chosen uniformly at random. If this list contains plaintext m, the random oracle returns gt as Hk(m). If m is not included in the list, the random oracle picks t uniformly at random, computes gt, and adds the triple to the list. The list is accessible to the challenger.
Phase 2: The challenger computes {tilde over (c)}=Hk(m)y=(gy)t and returns C=<⊥, {tilde over (c)}> to the adversary.
Challenge: The adversary chooses two different plaintexts m0, m1, on which it wishes to be challenged with the constraint that they were not previously used in Phase 1. The challenger picks mb with b={0,1} uniformly at random and issues mb to the random oracle. The random oracle includes <mb, gs, Ø> in the list. The challenger returns C=<⊥, {tilde over (c)}> with {tilde over (c)}=R to the adversary.
Guess: The adversary outputs its guess for the encrypted plaintext denoted as b′ε{0,1}. If b=b′, then set h′=0. If b≠b′, set h′=1.
The probability that the polynomial time algorithm solves the instance of the DDHP is:
Pr[h=h′]=½Pr[b=b′|h=0]+½Pr[b≠b′|h=1]
In the case where h=0, it is R=gsy for this instance of the DDHP. To solve this problem is identical to solve the defined security game. Therefore, the probability that b=b′ given h′=0 is:
Pr[b=b′|h=0]=Pr[b=b′]=½+ε
In the case where h=1, it is R=gz for this instance of the DDHP. Because zεp is chosen uniformly at random and independently of g, s, y, m0, m1, b, it is gz uniformly distributed in
. The random variables g, gy, gt, b are also jointly independent. Therefore, the system parameters g, p and the ciphertext C=<⊥, {tilde over (c)}> do not reveal information about b. As b is either 0 or 1, it is:
Pr[b≠b′|h=1]=½
Overall, the probability that the polynomial time algorithm solves the instance of the DDHP is:
The polynomial time algorithm solves the DDHP with advantage
If the DDHP assumption holds, this advantage can only be negligible. Consequently,
and, thus also ε are negligible. Therefore, the adversary can only solve the distinguishability under known-plaintext attack with a negligible advantage.
In accordance with the present disclosure, implementations are unidirectional (i.e., non-reversible PRE is provided). More particularly, if the DHIP assumption holds, the PRE scheme of the present disclosure is unidirectional in a random-oracle-model (Theorem 3). In some examples, Theorem 3 can be proven using the above-described example security game:
Proof: Assuming that an adversary can solve the described security game correctly, a polynomial time algorithm can be provided, which can solve the DHIP. For each instance of the DHIP (p, g, ga), the polynomial time algorithm uses the adversary to compute
Setup: Receive an instance of the DHIP as (p, g, ga). Choose x, x′, y′εp uniformly at random. Send system parameters p, g and key K′=<x′, y′> to the adversary. The challenger keeps key K=<x, •> to itself.
Phase 1: The adversary submits the described queries to the challenger. That is, the adversary issues queries q1, . . . , qm where qi is one of the following:
Challenge: The adversary picks a plaintext {circumflex over (m)}ε, on which it wishes to be challenged with the constraint that the plaintext was not previously used in Phase 1, and sends it to the challenger. The challenger queries the random oracle. Given the constraint, {circumflex over (m)} is not included in the list maintained by the random oracle and the random oracle adds an entry <{circumflex over (m)}, Ø, Ø> to the list. The challenger chooses r, sε
p uniformly at random and computes Ĉ=<T, (ĉ, {circumflex over (d)})> as:
ĉ=gr and {circumflex over (d)}=gsgrx=gsgrx
and asks the adversary to re-encrypt the ciphertext C encrypted with key K=<x, •> to ciphertext Ĉ′ encrypted with key K′=<x′, y′>.
Phase 2: The adversary submits further queries to the challenger.
Guess: The adversary returns its guess Ĉ′=<T, (ĉ′, {circumflex over (d)}′)> for the re-encrypted challenge ciphertext. If it is a correct guess, then:
The challenger computes:
The probability that the polynomial time algorithm solves the DHIP is the same as the advantage of the adversary in the security game, which is:
Pr[C=Ĉ]=ε
If the DHIP assumption holds, this advantage can only be negligible. Therefore, the adversary can only achieve the reverse proxy re-encryption attack with a negligible advantage.
Re-encryption tokens (TA, TB) are determined (302). For example, the client determines the re-encryption tokens (TA, TB) based on params, the current encryption key K, and the new encryption key K′ by executing the Token function, described above. The re-encryption tokens are transmitted (304). For example, the client transmits TA to Server A and transmits TB to Server B.
A re-encryption token is received (306). For example, Server A receives TA and Server B receives TB. On or more intermediate re-encryption values are determined (308). For example, and with reference to Server A, an intermediate re-encrypted value ĉy
The one or more intermediate re-encryption values are received (312). For example, Server A receives the one or more intermediate encryption values sent from Server B, and Server B receives the one or more intermediate encryption values sent from Server A. One or more re-encrypted values are provided (314). For example, Server A provides the re-encrypted value c′ based on the one or more intermediate re-encryption values, if the encrypted data that is to be re-encrypted is encrypted with DET encryption; or Server A provides the re-encrypted values c′, d′ based on the one or more intermediate re-encryption values, if the encrypted data that is to be re-encrypted is encrypted with RND encryption. As another example, Server B provides the re-encrypted value c′ based on the one or more intermediate re-encryption values, if the encrypted data that is to be re-encrypted is encrypted with DET encryption; or Server B provides the re-encrypted values c′, d′ based on the one or more intermediate re-encryption values, if the encrypted data that is to be re-encrypted is encrypted with RND encryption.
The one or more re-encrypted values are stored (316). For example, Server A stores the re-encrypted value c′ in the first database, if the encrypted data that is to be re-encrypted is encrypted with DET encryption; or Server A stores the re-encrypted values c′, d′ in the first database, if the encrypted data that is to be re-encrypted is encrypted with RND encryption. As another example, Server B stores the re-encrypted value c′ in the second database, if the encrypted data that is to be re-encrypted is encrypted with DET encryption; or Server B stores the re-encrypted values c′, d′ in the second database, if the encrypted data that is to be re-encrypted is encrypted with RND encryption.
Referring now to
The memory 420 stores information within the system 400. In one implementation, the memory 420 is a computer-readable medium. In one implementation, the memory 420 is a volatile memory unit. In another implementation, the memory 420 is a non-volatile memory unit. The storage device 430 is capable of providing mass storage for the system 400. In one implementation, the storage device 430 is a computer-readable medium. In various different implementations, the storage device 430 may be a floppy disk device, a hard disk device, an optical disk device, or a tape device. The input/output device 440 provides input/output operations for the system 400. In one implementation, the input/output device 440 includes a keyboard and/or pointing device. In another implementation, the input/output device 440 includes a display unit for displaying graphical user interfaces.
The features described can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. The apparatus can be implemented in a computer program product tangibly embodied in an information carrier, e.g., in a machine-readable storage device, for execution by a programmable processor; and method steps can be performed by a programmable processor executing a program of instructions to perform functions of the described implementations by operating on input data and generating output. The described features can be implemented advantageously in one or more computer programs that are executable on a programmable system including at least one programmable processor coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device. A computer program is a set of instructions that can be used, directly or indirectly, in a computer to perform a certain activity or bring about a certain result. A computer program can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
Suitable processors for the execution of a program of instructions include, by way of example, both general and special purpose microprocessors, and the sole processor or one of multiple processors of any kind of computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. Elements of a computer can include a processor for executing instructions and one or more memories for storing instructions and data. Generally, a computer can also include, or be operatively coupled to communicate with, one or more mass storage devices for storing data files; such devices include magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and optical disks. Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, ASICs (application-specific integrated circuits).
To provide for interaction with a user, the features can be implemented on a computer having a display device such as a CRT (cathode ray tube) or LCD (liquid crystal display) monitor for displaying information to the user and a keyboard and a pointing device such as a mouse or a trackball by which the user can provide input to the computer.
The features can be implemented in a computer system that includes a back-end component, such as a data server, or that includes a middleware component, such as an application server or an Internet server, or that includes a front-end component, such as a client computer having a graphical user interface or an Internet browser, or any combination of them. The components of the system can be connected by any form or medium of digital data communication such as a communication network. Examples of communication networks include, e.g., a LAN, a WAN, and the computers and networks forming the Internet.
The computer system can include clients and servers. A client and server are generally remote from each other and typically interact through a network, such as the described one. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
In addition, the logic flows depicted in the FIGS. do not require the particular order shown, or sequential order, to achieve desirable results. In addition, other steps may be provided, or steps may be eliminated, from the described flows, and other components may be added to, or removed from, the described systems. Accordingly, other implementations are within the scope of the following claims.
A number of implementations of the present disclosure have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the present disclosure. Accordingly, other implementations are within the scope of the following claims.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5572673 | Shurts | Nov 1996 | A |
| 6038563 | Bapat et al. | Mar 2000 | A |
| 6487552 | Lei et al. | Nov 2002 | B1 |
| 7743069 | Chitkara et al. | Jun 2010 | B2 |
| 7844829 | Meenakshisundaram | Nov 2010 | B2 |
| 7995750 | Kerschbaum et al. | Aug 2011 | B2 |
| 8873754 | Xu | Oct 2014 | B2 |
| 20030046572 | Newman et al. | Mar 2003 | A1 |
| 20040139043 | Lei et al. | Jul 2004 | A1 |
| 20040243816 | Hacigumus et al. | Dec 2004 | A1 |
| 20080033960 | Banks et al. | Feb 2008 | A1 |
| 20120330925 | Ramamurthy et al. | Dec 2012 | A1 |
| 20130191650 | Balakrishnan et al. | Jul 2013 | A1 |
| 20130246813 | Mori et al. | Sep 2013 | A1 |
| 20130262863 | Yoshino et al. | Oct 2013 | A1 |
| 20140006773 | Chazalet | Jan 2014 | A1 |
| 20140101438 | Elovici et al. | Apr 2014 | A1 |
| Entry |
|---|
| Mihir Bellare, “Deterministic and efficiently searchable encryption”, 2007 , pp. 535-552. |
| Number | Date | Country | |
|---|---|---|---|
| 20160182467 A1 | Jun 2016 | US |
