docTwo Secure Anonymous Proxy-based Data
download 
Plainte Transcription
Two Secure Anonymous Proxy-based Data
Two Secure Anonymous Proxy-based Data Storages * Olivier Blazy1 Xavier Bultel2 Pascal Lafourcade2 Université de Limoges, Xlim, Limoges, France Clermont Université Auvergne, LIMOS, Clermont-Ferrand, France July 29, 2016 SECRYPT 2016, Lisbon * This research was conducted with the support of the “Digital Trust” Chair from the University of Auvergne Foundation. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 1 / 20 C Proxy Re-Encryption (PRE) Alice (pka , ska ) Bob (pkb , skb ) Proxy Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 2 / 20 C Proxy Re-Encryption (PRE) Alice (pka , ska ) Bob (pkb , skb ) Proxy re-key rkb→a Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 2 / 20 C Proxy Re-Encryption (PRE) Alice (pka , ska ) (rkb→a ) Bob Offline Proxy Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 2 / 20 C Proxy Re-Encryption (PRE) Alice (pka , ska ) (rkb→a ) c Bob Offline Proxy c = Epkb (m) Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 2 / 20 C Proxy Re-Encryption (PRE) Alice (pka , ska ) (rkb→a ) c c0 c = Epkb (m) Bob Offline Proxy c 0 = RErkb→a (c) = Epka (m) Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 2 / 20 C Proxy Re-Encryption (PRE) Alice (pka , ska ) (rkb→a ) c c0 c = Epkb (m) m = Dska (c 0 ) Bob Offline Proxy c 0 = RErkb→a (c) = Epka (m) Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 2 / 20 C Proxy Re-Encryption (PRE) Alice (pka , ska ) (rkb→a ) c c0 c = Epkb (m) m = Dska (c 0 ) Bob Offline Proxy c 0 = RErkb→a (c) = Epka (m) P learns nothing about m (IND-CPA). Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 2 / 20 C PRE History Blaze et al. (1998) First definition of PRE. Ivan et al. (2003) Formal treatment. Ateniese et al. (2006) Unidirectional PRE. Canetti et al. (2007) CCA security. Libert et al. (2007) Unidirectional + CCA. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 3 / 20 C PRE History Blaze et al. (1998) First definition of PRE. Ivan et al. (2003) Formal treatment. Ateniese et al. (2006) Unidirectional PRE. New application: encrypted storage management. Canetti et al. (2007) CCA security. Libert et al. (2007) Unidirectional + CCA. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 3 / 20 C PRE based storage Owner (pko , sko ) User (pku , sku ) Proxy Encrypted storage Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 4 / 20 C PRE based storage Owner (pko , sko ) re-key rko→u User (pku , sku ) Proxy Encrypted storage Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 4 / 20 C PRE based storage Owner Offline User (pku , sku ) rko→u Proxy Encrypted storage Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 4 / 20 C PRE based storage Owner Offline User (pku , sku ) file c ? rko→u Proxy file c ? Encrypted storage Check user rights Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 4 / 20 C PRE based storage Owner Offline User (pku , sku ) c 0 = Epku (m) m = Dsku (c 0 ) rko→u Proxy c = Epko (m) Encrypted storage c 0 = RErko→u (c) Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 4 / 20 C PRE based storage Owner Offline User (pku , sku ) c 0 = Epku (m) m = Dsku (c 0 ) Semi-trust proxy: -No info about m -P knows U id. -P knows U rights -P knows c rko→u Proxy c = Epko (m) Encrypted storage c 0 = RErko→u (c) Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 4 / 20 C PRE based storage Owner Offline Semi-trust proxy: -No info about m -P knows U id. -P knows U rights -P knows c Goal: more privacy! User (pku , sku ) c 0 = Epku (m) m = Dsku (c 0 ) rko→u Proxy c = Epko (m) Encrypted storage c 0 = RErko→u (c) Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 4 / 20 C PRE & anonymity? Ateniese et al. (2009) Anonymous re-encryption key. Shao et al. (2012) Anonymity for recipient message. Zheng et al. (2014) Anonymous re-encryption key + CCA. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 5 / 20 C PRE & anonymity? Ateniese et al. (2009) Anonymous re-encryption key. Shao et al. (2012) Anonymity for recipient message. Zheng et al. (2014) Anonymous re-encryption key + CCA. → Only partial anonymity. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 5 / 20 C Our idea Owner (pkgi , skgi ) User Encrypted storage Proxy member of the group i Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 6 / 20 C Our idea Owner (pkgi , skgi ) proxy key K Member key MSKi User Encrypted storage Proxy member of the group i Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 6 / 20 C Our idea Owner Offline K Proxy User (MSKi ) Encrypted storage Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 6 / 20 C Our idea Owner Offline K Proxy User (MSKi ) file c ? Encrypted storage Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 6 / 20 C Our idea Owner Offline K Proxy User (MSKi ) c = Epkgi (m) Encrypted storage Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 6 / 20 C Our idea Owner Offline K Proxy User (MSKi ) c = Epkgi (m) Encrypted storage User knows MSKi and c Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 6 / 20 C Our idea Owner Offline K User (MSKi ) Encrypted storage Proxy Randomization with r MSK0i and c 0 Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 6 / 20 C Our idea Owner Offline K Proxy User (MSKi ) MSK0i , c 0 Encrypted storage Randomization with r MSK0i and c 0 Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 6 / 20 C Our idea Owner Offline User (MSKi ) K Proxy c 00 = REK ,MSK0i (c 0 ) c 00 Encrypted storage Randomization with r MSK0i and c 0 Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 6 / 20 C Our idea Owner Offline User (MSKi ) K Proxy c 00 = REK ,MSK0i (c 0 ) Encrypted storage c 00 m = Dr (c 00 ) Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 6 / 20 C Our idea Owner Offline K User (MSKi ) Encrypted storage ???? MSK0i and c 0 Semi-trust proxy: -No info about m -No info about U id. -No info about i -No info about c m = Dr (c 00 ) Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 6 / 20 C Our contribution Two schemes: Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 7 / 20 C Our contribution Two schemes: DRAS: Direct revocation mechanism: The owner can revoke anybody anytime. Pay-per-download model. Weak anonymity. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 7 / 20 C Our contribution Two schemes: DRAS: Direct revocation mechanism: The owner can revoke anybody anytime. Pay-per-download model. Weak anonymity. IRAS: Indirect revocation mechanism: the owner can revoke users periodically. Monthly-fee model. Full anonymity. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 7 / 20 C 1 introduction 2 DRAS 3 IRAS 4 Conclusion Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 8 / 20 C DRAS P-Gen(P): generate proxy keys (PKP, SKP). G-Gen(P): generate group key (PKGj , SKGj ). Join(SKGj , WL, Ui ): generate a group member key MSKji . Encrypt(PKGj , m): encrypt m for group j. Revoke(MSKji , BL): revoke a user. Open(VIEW, WL): desanonymize a transaction. ProxyDec(Ui , P): decryption protocol between a user and the proxy. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29, Auvergne, 2016 LIMOS, 9 / 20 C DRAS Keys construction: Proxy keys (PKP, SKP) for an encryption scheme. Group key (PKG, SKG) = (g γ , γ). Member key MSK = (t, EncPKP ( γt )). Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 10 / 20 C DRAS Keys construction: Proxy keys (PKP, SKP) for an encryption scheme. Group key (PKG, SKG) = (g γ , γ). Member key MSK = (t, EncPKP ( γt )). The encryption algorithm is an ElGamal variant: Keys Secret sk = x, public pk = g x . Encryption Pick r and compute (C1 , C2 ) = (pkr , g r · m). 2 Decryption Compute m = C1/sk C1 Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 10 / 20 C DRAS: Decryption protocol C = (C1 , C2 ) = (g r ·γ , g r · m) MSK = (MSK1 , MSK2 ) = (t, EncPKP ( γt )) Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 11 / 20 C DRAS: Decryption protocol C = (C1 , C2 ) = (g r ·γ , g r · m) MSK = (MSK1 , MSK2 ) = (t, EncPKP ( γt )) (PKP; MSK; C) s ← Z∗p ; B = (C1 )s $ (SKP; BL) B,MSK2 −−−−−−−−→ If MSK2 ∈ BL then abort; else w = DecSKP (MSK2 ) C2 D (1/s·t) g r ·m D ←−−−−−−−− m= = 1 g s·r ·t· s·t = Output m t D = (B)w = (C1s ) γ = g s·r ·t g r ·m gr Output VIEW = MSK2 . Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 11 / 20 C DRAS: Decryption protocol C = (C1 , C2 ) = (g r ·γ , g r · m) MSK = (MSK1 , MSK2 ) = (t, EncPKP ( γt )) (PKP; MSK; C) s ← Z∗p ; B = (C1 )s $ (SKP; BL) B,MSK2 MSK2 −−−−−−−−→ If MSK2 ∈ BL then abort; else w = DecSKP (MSK2 ) = C2 D (1/s·t) g r ·m D ←−−−−−−−− m= = 1 g s·r ·t· s·t = t γ t D = (B)w = (C1s ) γ = g s·r ·t g r ·m gr Output m Output VIEW = MSK2 . Proxy links user who uses two times the same member key Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 11 / 20 C 1 introduction 2 DRAS 3 IRAS 4 Conclusion Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 12 / 20 C ElGamal is malleable C = (g r , g x·r .m) C 0 = ((g r )s , (g x·r .m)s ) = (g (r ·s) , g (r ·s)·x · ms ). Decryption: m0 = ms = g (r ·s)·x ·(ms ) . g (r ·s) Difficult to link C and C 0 (Diffie-Hellman problem). The message m is hidden. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 13 / 20 C Indirect Revocation Anonymous Storage O-Gen(P): generate owner (PKO, SKO). P-Gen(P): generate proxy key pair (PKP, SKP). G-Gen(P): generate group key pair (PKG, SKG). Join(SKGj , SKO, PKP): generate a group member key MSK. O-Update(SKO, PKO): update (PKO, SKO). U-Update(MSKji , SKO): update MSK. Encrypt(PKGj , m): encrypt a message m. ProxyDec(Ui , P): decryption protocol between a user and the proxy. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 14 / 20 C (Simplified) IRAS parameters Keys constructions: P = (G1 , G2 , GT , g1 , g2 , e, PKE, S). Proxy keys (PKP, SKP) = (g2p , p). Group keys (PKG, SKG) = (g1γ , γ). 1/γ Member key MSK = (g2p·s , g2s · g2 ). Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 15 / 20 C (Simplified) IRAS parameters Keys constructions: P = (G1 , G2 , GT , g1 , g2 , e, PKE, S). Proxy keys (PKP, SKP) = (g2p , p). Group keys (PKG, SKG) = (g1γ , γ). 1/γ Member key MSK = (g2p·s , g2s · g2 ). The encryption algorithm is an ElGamal bilinear variant: Keys Secret sk = x, public pk = g1x . Encryption Pick r and compute (C1 , C2 ) = (pkr , e(g1 , g2 )r · m). C2 Decryption Compute m = e(C ,g )1/sk 1 2 Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 15 / 20 C (Simplified) Decryption protocol C = (C1 , C2 ) = (g1r ·γ , e(g1 , g2 )r · m) 1 MSK = (MSK1 , MSK2 ) = (g2p·s , g2s · g2γ ) Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 16 / 20 C (Simplified) Decryption protocol C = (C1 , C2 ) = (g1r ·γ , e(g1 , g2 )r · m) 1 MSK = (MSK1 , MSK2 ) = (g2p·s , g2s · g2γ ) (C; MSK) $ α, β ← Z∗p MSK0 = (MSKα1 , MSKα2 ) C10 = C1β m= C2 1 D α·β (p) C 0 ,MSK0 1 −−−− −−−−→ = e(g1 ,g2 )r ·m e(g1 ,g2 r ·α·β ) α·β D ←−−−−−−−− D = e(g1r ·γ·β , MSK02 1/p MSK0 1 ) = e(g1 , g2 )r ·α·β Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 16 / 20 C Provable IRAS Many tools to construct a provable scheme: Proof of a signature on MSK from MSK0 . Revocation: The owner updates his signing key, but does not re-sign MSK. Damgård-ElGamal (CCA1). Smooth projective hash functions. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 17 / 20 C 1 introduction 2 DRAS 3 IRAS 4 Conclusion Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 18 / 20 C DRAS Direct revocation. Simple and efficient scheme. CPA secure. Not fully anonymous. IRAS Indirect revocation. Not efficient, use complex tools to be provably secure. CPA secure. Fully anonymous. Future work Increase and simplify IRAS. Without Damgård-ElGamal and SPHF. Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 19 / 20 C Thank you for your attention. Questions? Olivier Blazy, Xavier Bultel, Pascal Lafourcade Two (Université Secure Anonymous de Limoges, Proxy-based Xlim, Limoges, DataFrance, Storages Clermont Université July 29,Auvergne, 2016 LIMOS, 20 / 20 C
