Proxy Re-Encryption Scheme for Decentralized Storage Networks
Abstract
:1. Introduction
- No new ciphertext is generated for the permission grant in a decentralized storage network. It brings down the cost for proof-of-replication in a permission-less decentralized storage network.
- The collusion-resilience scheme in group algebra requires only one key pair.
2. Related Work
2.1. Decentralized Storage Network
2.2. Proxy Re-Encryption and Proof-of-Replication
3. Preliminaries
3.1. Outsourcing Attack and Proof-of-Replication
3.2. Public Key Encryption
3.3. Proxy Re-Encryption
- Uncorrupted key generation query: The challenger computes , and sends the to the adversary .
- Corrupted key generation query: The challenger computes , and sends the to the adversary .
- Re-encryption key generation query: The challenger computes, and sends the to the adversary . Here, and must be from different key pairs. This query allows any key pair except that cannot know the value of .
- Re-encryption query: The challenger computes , and sends the ciphertext to the adversary .
- Decryption query: The challenger computes , and sends the cleartext m to the adversary . Here, cannot be or .
- Uncorrupted key generation query: The challenger responses are the same as in Phase 1.
- Corrupted key generation query: The challenger responses are the same as in Phase 1.
- Re-encryption key generation query: The challenger responses are the same as in Phase 1.
- Re-encryption query: The challenger responses are the same as in Phase 1.
- Decryption query: The challenger responses are the same as in Phase 1, except that and , or and .
3.4. Complexity Assumptions
4. Proxy Re-Encryption Scheme
4.1. Features
4.2. Proposed Scheme
4.3. Security Analysis
- queries. With the parameters , if this query exists in the as a tuple , output the value d as the result to adversary . Otherwise, choose and add the tuple to the hash list , and respond with to adversary .
- queries. With the parameters , if this query exists in the as a tuple , output the value v as the result to adversary . Otherwise, choose and add the tuple to the hash list , and respond with to adversary .
- queries. With the parameters , if this query exists in the as a tuple , output the value as the result to adversary . Otherwise, choose and add the tuple to the hash list , and respond with to adversary .
- queries. With the parameters , if this query exists in the as a tuple , output the value as the result to adversary . Otherwise, choose and add the tuple to the hash list , and respond with to adversary .
- Uncorrupted key generation query . If the tuple is not in the hash list , the algorithm chooses ; add the tuple to the hash list . Respond with to adversary .
- Corrupted key generation query . If the tuple is not in the hash list , the algorithm chooses ; add the tuple to the hash list . Respond with to adversary .
- Re-encryption key generation query . The re-key generation is from Alice’s secret key and Bob’s public key; both key pairs can be uncorrupted or corrupted. It is because in the re-encryption from to , ciphertexts can be decrypted by either or .In the case algorithm, recovers from or . Then, algorithm generates re-key . The tuple is added to the . Then, the is returned to adversary .For the challenge purpose, both and should be uncorrupted.
- Re-Encryption query . Given and : If , it outputs ⊥. Otherwise, the algorithm returns the re-encrypted ciphertext to adversary .
- Decryption query . The algorithm recovers from or . Run . If , give m back to the adversary, otherwise it outputs ⊥.
- Recovers from and let .
- Let , so that . We can obtain as . Then, .
- As defined, choose and .
- Return as the challenged ciphertext to adversary .
5. Experiment
5.1. Schemes Comparison
5.2. Practical Implementation
5.3. Performance Comparison
5.4. Performance on the Embedded Device
6. Evaluation
6.1. Remove Access or Corrupted Ciphertext
6.2. Search with PRE
6.3. Applications with PRE
7. Conclusions
8. Future Work
Author Contributions
Funding
Conflicts of Interest
Glossaries
The public key is a part of the key pair. The is a big integer internally. | |
The secret key is a part of the key pair. The is a generator of a multiplicative group or the generator point in ECC. | |
The re-key is from the concept of proxy re-encryption, which converts the ciphertext encrypted by Alice’s to a new ciphertext which can be decrypted with Bob’s . | |
The is generated under Alice’s permission. It requires Alice’s and Bob’s to generate . | |
M | is the message space that contains all the combinations of message m. |
m | is the clear message which will be encrypted. It is represented in binary in length l. In our scheme, we have . |
w | is the random bits of length generated when encrypting message m. This provides CPA-level security that the same message will output different ciphertext under multiple times of encryption. |
l | is the message length in bits. We have , where is the length of m and is the length of w. |
c | is the ciphertext. In proxy re-encryption, beside encryption and decryption, the ciphertext can be transfered to another ciphertext with the under Alice(A)’s permission grant. |
d | is the hash value generated by user Alice’s secret key and the random integer r. d is an important value during the calculation which needs to be discarded to keep the ciphertext safe. Otherwise, can be used for decryption without a secret key. |
D | is the first element of the ciphertext. When decrypting, will be calculated from D with , and when re-encrypting, is applied to to obtain as . |
r | is the second element of the ciphertext. The random r makes sure the value d is random. |
E | is a part of the ciphertext. E is calculated from m and w. It is a signature used for satisfying the CCA security. This signature will be checked after decryption by the user to verify m. |
F | is a part of the ciphertext. The concatenation of message m and w is hidden in F. Value is required for encryption or decryption. |
v | is a random value used in the Schnorr signature. It is an internal value, which needs to be discarded to keep the secret key safe in s. |
V | is a part of the ciphertext. Together with s and , it performs the Schnorr signature check before re-encryption. |
s | is used for Schnorr’s signature to verify the identity of who encrypts the ciphertext. s is hiding in to stay safe. Even if m is too long and split into , the v and s only need to generate once. |
S | is the last element of the ciphertext. It is a value for Schnorr’s signature. This signature will be checked before re-encrypting c by the proxy. |
H | is the hash function. The hash function is a one-way function, which is easy to calculate the function’s output from the input value, but it is hard to obtain the input from the given output. |
In our scheme, we have , and , which take different types of input and return different outputs. , , , . | |
In practice, those H functions can use any standard hash function such as sha2 or blake2b with data type converting between bytes and integer. | |
CDH | is computational Diffie–Hellman (CDH) assumption. The CDH problem in group is, given a tuple with unknown , to compute . |
mCDH | is the modified computational Diffie–Hellman (mCDH) assumption. Given a tuple with unknown , it is hard to compute . |
g | In our PRE scheme, g stands for the generator of the multiplicative group. |
In our PRE scheme, stands for the generator point of the group of the elliptic curve (ECC). | |
is the non-negative integer set less than a prime integer p, and p is the prime order of a cyclic multiplicative group. | |
Adversary | is an efficient adversary who attempts to solve the problem in the security game. Adversary issues the queries to the challenger , and the challenger responds. |
Algorithm | is an algorithm which can break the mCDH problem. In a security reduction, adversary transforms the existing problem to the mCDH problem, which algorithm can solve, to show the hardness of security. |
Challenger | is the role in the security game that responds to adversary ’s queries following CCA-secure rules. |
is a hash list used to simulate the random oracle behavior. The algorithm maintains two hash list , and , answering the adversary ’s queries. | |
is a hash list used to simulate the random oracle behavior. Algorithm has four lists , , , and , answering the adversary ’s queries. |
References
- Benet, J.; Dalrymple, D.; Greco, N. Proof of Replication; Protocol Labs: San Francisco, CA, USA, 2017. [Google Scholar]
- Fisch, B. PoReps: Proofs of Space on Useful Data; Protocol Labs: San Francisco, CA, USA, 2018. [Google Scholar]
- Fisch, B.; Bonneau, J.; Greco, N.; Benet, J. Scaling proof-of-replication for Filecoin Mining; Protocol Labs: San Francisco, CA, USA, 2018. [Google Scholar]
- Kan, J. Economic Proof of Work. In Cryptology ePrint Archive; Report 2020/1117; Springer: Berlin/Heidelberg, Germany, 2020. [Google Scholar]
- Blaze, M.; Bleumer, G.; Strauss, M.J. Divertible protocols and atomic proxy cryptography. In Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1998; pp. 127–144. [Google Scholar]
- Elgamal, T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 1985, 31, 469–472. [Google Scholar] [CrossRef]
- Weng, J.; Deng, R.H.; Liu, S.; Chen, K. Chosen-ciphertext secure bidirectional proxy re-encryption schemes without pairings. Inf. Sci. 2010, 180, 5077–5089. [Google Scholar] [CrossRef]
- Ran, C.; Susan, H. Chosen-ciphertext secure proxy reencryption. In Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 2 November–31 October 2007; pp. 185–194. [Google Scholar]
- Benoît, L.; Damien, V. Unidirectional chosen-ciphertext secure proxy re-encryption. Information Theory. IEEE Trans. 2011, 57, 1786–1802. [Google Scholar]
- Chu, C.-K.; Tzeng, W.-G. Identity-Based proxy re-encryption without Random Oracles; Springer: Berlin/Heidelberg, Germany, 2007. [Google Scholar]
- Toshihiko, M. Proxy re-encryption systems for identity-based encryption. In Pairing-Based Cryptography–Pairing 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp. 247–267. [Google Scholar]
- Giuseppe, A.; Karyn, B.; Susan, H. Key-Private proxy re-encryption; Springer: Berlin/Heidelberg, Germany, 2009. [Google Scholar]
- Elena Kirshanova. Proxy re-encryption from lattices. In Public-Key Cryptography–PKC 2014; Springer: Berlin/Heidelberg, Germany, 2004; pp. 77–94. [Google Scholar]
- Satoshi, N. Bitcoin: A peer-to-peer electronic cash system. Decentralized Bus. Rev. 2008, 21260. [Google Scholar]
- Dwork, C.; Naor, M. Pricing via Processing or Combatting Junk Mail. In International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 1992. [Google Scholar]
- Ivan, A.; Dodis, Y. Proxy Cryptography Revisited. In Network and Distributed System Security Symposium; Springer: Berlin/Heidelberg, Germany, 2003. [Google Scholar]
- Nuez, D.; Agudo, I.; Lopez, J. proxy re-encryption. J. Netw. Comput. Appl. 2017, 87, 193–209. [Google Scholar] [CrossRef]
- Ateniese, G.; Fu, K.; Green, M.; Hohenberger, S. Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 2006, 9, 1–30. [Google Scholar] [CrossRef]
- Green, M.; Ateniese, G. Identity-Based Proxy Re-encryption. In Applied Cryptography and Network Security; Springer: Berlin/Heidelberg, Germany, 2007; pp. 288–306. [Google Scholar]
- Keita, X.; Keisuke, T. Proxy re-encryption based on learning with errors. In Proceedings of the 2010 Symposium on Cryptography and Information Security, Amalfi, Italy, 13–15 September 2010. [Google Scholar]
- Yoshinori, A.; Xavier, B.; Le Trieu, P.; Lihua, W. Keyprivate proxy re-encryption under LWE. In Progress in Cryptology–INDOCRYPT 2013; Springer: Cham, Switzerland, 2013; pp. 1–18. [Google Scholar]
- David, N.; Isaac, A.; Javier, L. NTRUReEncrypt: An efficient proxy re-encryption scheme based on NTRU. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS ’15, New York, NY, USA, 14–17 April 2015; pp. 179–189. [Google Scholar]
- Bao, F.; Deng, R.H.; Zhu, H. Variations of Diffie-Hellman Problem. In International Conference on Information and Communication Security; Springer: Berlin/Heidelberg, Germany, 2003. [Google Scholar]
- Libert, B.; Vergnaud, D. Multi-use unidirectional proxy re-signatures. In Proceedings of the 15th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 27–31 October 2008. [Google Scholar]
- Schnorr, C. Efficient Identification and Signatures for Smart Cards. In International Cryptology Conference; Springer: New York, NY, USA, 1989. [Google Scholar]
- Shao, J.; Cao, Z. CCA-Secure Proxy Re-encryption without Pairings. In Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2009; pp. 357–376. [Google Scholar]
- Derler, D.; Krenn, S.; Lorünser, T.; Ramacher, S.; Slamanig, D.; Striecks, C. Revisiting Proxy Re-encryption: Forward Secrecy, Improved Security, and Applications. In Proceedings of the Public-Key Cryptography, Rio de Janeiro, Brazil, 25–29 March 2018; pp. 219–250. [Google Scholar]
- Boneh, D. Public Key Encryption with Keyword Search; Springer: Berlin/Heidelberg, Germany, 2004. [Google Scholar]
- Kamara, S.; Lauter, K.E. Cryptographic Cloud Storage; Financial Cryptography; Springer: Berlin/Heidelberg, Germany, 2010. [Google Scholar]
- Van Dijk, M.; Gentry, C.; Halevi, S.; Vaikuntanathan, V. Fully homomorphic encryption over the integers. In Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 2010. [Google Scholar]
Schemes | Shao09 | WDLC10 | Ours | |
---|---|---|---|---|
Compute Cost | ReKenGen | |||
Enc | ||||
Dec | ||||
ReEnc | ||||
Ciphertext Size | 1st level | |||
2nd level | ||||
Security | Security Level | collusion resistant, CCA | collusion resistant, CCA | collusion resistant, CCA |
Standard model | Yes | Yes | Yes | |
Underlying Assumptions | DDH | CDH | CDH |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Kan, J.; Zhang, J.; Liu, D.; Huang, X. Proxy Re-Encryption Scheme for Decentralized Storage Networks. Appl. Sci. 2022, 12, 4260. https://doi.org/10.3390/app12094260
Kan J, Zhang J, Liu D, Huang X. Proxy Re-Encryption Scheme for Decentralized Storage Networks. Applied Sciences. 2022; 12(9):4260. https://doi.org/10.3390/app12094260
Chicago/Turabian StyleKan, Jia, Jie Zhang, Dawei Liu, and Xin Huang. 2022. "Proxy Re-Encryption Scheme for Decentralized Storage Networks" Applied Sciences 12, no. 9: 4260. https://doi.org/10.3390/app12094260
APA StyleKan, J., Zhang, J., Liu, D., & Huang, X. (2022). Proxy Re-Encryption Scheme for Decentralized Storage Networks. Applied Sciences, 12(9), 4260. https://doi.org/10.3390/app12094260