Self-updatable encryption with short public parameters and its extensions

Kwangsu Lee

doi:10.1007/s10623-015-0039-9

Designs, Codes and Cryptography

April 2016, Volume 79, Issue 1, pp 121–161 | Cite as

Self-updatable encryption with short public parameters and its extensions

Authors
Authors and affiliations

Kwangsu LeeEmail author

Article

First Online: 03 February 2015

Received: 23 June 2014

Revised: 26 December 2014

Accepted: 13 January 2015

385 Downloads
5 Citations

Abstract

Cloud storage is very popular since it has many advantages, but there is a new threat to cloud storage that was not considered before. Self-updatable encryption that updates a past ciphertext to a future ciphertext by using a public key is a new cryptographic primitive introduced by Lee et al. (in: Sako K, Sarkar P (eds) Advances in cryptology—ASIACRYPT 2013, 2013) to defeat this threat, in which an adversary who obtained a past private key can still decrypt a (previously unread) past ciphertext stored in cloud storage. Additionally, an SUE scheme can be combined with an attribute-based encryption (ABE) scheme to construct a powerful revocable-storage ABE (RS-ABE) scheme introduced by Sahai et al. (in: Safavi-Naini R, Canetti R (eds) Advances in cryptology—CRYPTO 2012, 2012) that provides the key revocation and ciphertext updating functionality for cloud storage. In this paper, we propose an efficient SUE scheme and its extended schemes. First, we propose an SUE scheme with short public parameters in prime-order bilinear groups and prove its security under a $q$-type assumption. Next, we extend our SUE scheme to a time-interval SUE (TI-SUE) scheme that supports a time interval in ciphertexts. Our TI-SUE scheme has short public parameters and it is also secure under the $q$-type assumption. Finally, we propose the first large universe RS-ABE scheme with short public parameters in prime-order bilinear groups and prove its security in the selective revocation list model under a $q$-type assumption.

Keywords

Public-key encryption Self-updatable encryption Ciphertext delegation Cloud storage Bilinear maps

Mathematics Subject Classification

94A60

This is a preview of subscription content, to check access.

Notes

Acknowledgments

This work was supported by Basic Science Research Program through NRF funded by the Ministry of Education (2013R1A1A2008394) and Mid-career Researcher Program through NRF grant funded by the MEST (2010-0029121).

Appendix 1: Definition of ciphertext delegatable encryption

Ciphertext delegatable encryption (CDE) is a new type of PKE, in which a ciphertext with a label $L$ can be delegated to a new ciphertext with a label $L'$ if $L$ is a prefix of $L'$. The concept of CDE was introduced by Lee et al. [14] to construct an SUE scheme. The formal syntax of CDE is described as follows:

Definition 8

(Ciphertext Delegatable Encryption) A ciphertext delegatable encryption (CDE) scheme for the set $\mathcal {L}$ of labels consists of seven PPT algorithms Init, Setup, GenKey, Encrypt, DelegateCT, RandCT, and Decrypt, which are defined as follows:

Init($1^\lambda $) The initialization algorithm takes as input a security parameter $1^\lambda $, and it outputs a group description string $GDS$.
Setup($GDS, l$) The setup algorithm takes as input a group description string $GDS$ and the maximum length $l$ of the label strings, and it outputs a master key $MK$ and public parameters $PP$.
GenKey($L, MK, PP$) The key generation algorithm takes as input a label string $L \in \{0,1\}^n$ with $n \le l$, the master key $MK$, and the public parameters $PP$, and it outputs a private key $SK_L$.
Encrypt($L, PP$) The encryption algorithm takes as input a label string $L \in \{0,1\}^d$ with $d \le l$ and the public parameters $PP$, and it outputs a ciphertext header $CH_L$ and a session key $EK$.
DelegateCT($CH_L, c, PP$) The ciphertext delegation algorithm takes as input a ciphertext header $CH_L$ for a label string $L \in \{0,1\}^d$ with $d < l$, a bit value $c \in \{0,1\}$, and the public parameters $PP$, and it outputs a delegated ciphertext header $CH_{L'}$ for the label string $L' = L\Vert c$.
RandCT($CH_L, PP$) The ciphertext randomization algorithm takes as input a ciphertext header $CH_L$ for a label string $L \in \{0,1\}^d$ with $d < l$ and the public parameters $PP$, and it outputs a re-randomized ciphertext header $CH'_L$ and a partial session key $EK'$.
Decrypt($CH_L, SK_{L'}, PP$) The decryption algorithm takes as input a ciphertext header $CH_L$, a private key $SK_{L'}$, and the public parameters $PP$, and it outputs a session key $EK$ or the distinguished symbol $\perp $.

The correctness of CDE is defined as follows: For all $MK, PP$ generated by Setup, any $SK_{L'}$ generated by ${\mathbf{{GenKey} }}$, any $CH_L$ and $EK$ generated by ${\mathbf{{Encrypt} }}$ or ${\mathbf{{DelegateCT} }}$, it is required that:

If $L$ is a prefix of $L'$, then ${\mathbf{{Decrypt} }} (CH_L, SK_{L'}, PP) = EK$.
If $L$ is not a prefix of $L'$, then ${\mathbf{{Decrypt} }} (CH_L, SK_{L'}, PP) = \perp $ with all but negligible probability.

Additionally, it requires that the ciphertext distribution of RandCT is statistically equal to that of Encrypt.

The security model of CDE was introduced by Lee et al. [14] and we follow the selective security model version of their security definition. The security is defined as follows:

Definition 9

(Selective Security) The selective security of CDE is defined in terms of the indistinguishability under chosen plaintext attacks (IND-CPA). The security game is defined as the following experiment between a challenger $\mathcal {C}$ and a probabilistic polynomial-time (PPT) adversary $\mathcal {A}$:

1.

Init: $\mathcal {A}$ initially submits a challenge label string $L^*$.
2.

Setup: $\mathcal {C}$ generates a master key $MK$ and public parameters $PP$ by running ${\mathbf{{Init} }}$ and ${\mathbf{{Setup} }}$, and it gives $PP$ to $\mathcal {A}$.
3.

Query 1: $\mathcal {A}$ may adaptively request a polynomial number of private keys for label strings $L_1, \ldots , L_{q'}$, and $\mathcal {C}$ gives the corresponding private keys $SK_{L_1}, \ldots , SK_{L_{q'}}$ to $\mathcal {A}$ by running ${\mathbf{{GenKey} }} (L_i, MK, PP)$ with the following restriction: For any label string $L_i$ of private key queries, it is required that $L^*$ is not a prefix of $L_i$. initially submits a challeng
4.

Challenge: $\mathcal {C}$ chooses a random bit $b \in \{0,1\}$ and computes a ciphertext header $CH^*$ and a session key $EK^*$ by running ${\mathbf{{Encrypt} }}(L^*, PP)$. If $b=0$, then it gives $CH^*$ and $EK^*$ to $\mathcal {A}$. Otherwise, it gives $CH^*$ and a random session key to $\mathcal {A}$.
5.

Query 2: $\mathcal {A}$ may continue to request private keys for additional label strings $L_{q' + 1}, \ldots , L_q$ subject to the same restriction as before, and $\mathcal {C}$ gives the corresponding private keys to $\mathcal {A}$.
6.

Guess: Finally $\mathcal {A}$ outputs a bit $b'$.

The advantage of $\mathcal {A}$ is defined as $\mathbf Adv _{\mathcal {A}}^{CDE} (\lambda ) = \big | \Pr [\mu = \mu '] - \frac{1}{2} \big |$ where the probability is taken over all the randomness of the game. A CDE scheme is selectively secure under chosen plaintext attacks if for all PPT adversaries $\mathcal {A}$, the advantage of $\mathcal {A}$ in the above game is negligible in the security parameter $\lambda $.

We can also define the full model that is stronger than the selective model of CDE. In the full model, an adversary submits a label string $L^*$ at the challenge step instead of the init step.

Appendix 2: SUE under standard assumptions

In this section, we propose an SUE scheme with shorter public parameters and prove its selective security under the standard assumption.

Construction

To devise an SUE scheme under the standard assumption, we modify the SUE scheme in Sect. 3 by slightly increasing the number of group elements in public parameters. In the security proof of Sect. 3, we can program multiple challenge labels to short public parameters by the help of the $q$-type assumption, but we cannot use this programming technique in the standard assumption. However, the number of group elements in public parameters is just proportional to the depth of a binary tree since the challenge labels is just proportional to the depth of the tree. Note that this SUE scheme has shorter public parameters compared with the SUE scheme of Lee et al. [14] in prime-order bilinear groups.

Our CDE scheme is described as follows:

CDE.Init($1^{\lambda }$): This algorithm takes as input a security parameter $1^{\lambda }$. It generates bilinear groups $\mathbb {G}, \mathbb {G}_T$ of prime order $p$. Let $g$ be the generator of $\mathbb {G}$. It outputs a group description string as $GDS = \big ( (p, \mathbb {G}, \mathbb {G}_T, e),~ g \big )$.
CDE.Setup($GDS, l$): This algorithm takes as input the string $GDS$ and the maximum length $l$ of label strings. It chooses random elements $w, v, u, \{ h_{i,0}, h_{i,1} \}_{i=1}^l \in \mathbb {G}$ and a random exponent $\beta \in \mathbb {Z}_p$. We define $F_{i,b}(L) = u^L h_{i,b}$ where $i \in [l]$ and $b \in \{0,1\}$. It outputs the master key $MK = \beta $ and the public parameters as
$$\begin{aligned} PP = \Big ( (p, \mathbb {G}, \mathbb {G}_T, e),~ g,~ w,~ v,~ u,~ \{ h_{i,0}, h_{i,1} \}_{i=1}^l,~ \Lambda = e(g,g)^{\beta } \Big ). \end{aligned}$$
CDE.GenKey($L, MK, PP$): This algorithm takes as input a label string $L \in \{0,1\}^n$ where $n \le l$, the master key $MK$, and the public parameters $PP$. It selects random exponents $r, r_1, \ldots , r_n \in \mathbb {Z}_p$ and outputs a private key that implicitly includes $L$ as
$$\begin{aligned} SK_{L} = \Big ( K_0 = g^{\beta } w^{r},~ K_1 = g^{-r},~ \big \{ K_{i,1} = v^r F_{i,L[i]}(L|_i)^{r_i},~ K_{i,2} = g^{-r_i} \big \}_{i=1}^n \Big ). \end{aligned}$$
CDE.Encrypt($L, t, \mathbf {s}, PP$): This algorithm takes as input a label string $L \in \{0,1\}^d$ where $d \le l$, a random exponent $t \in \mathbb {Z}_p$, a vector $\mathbf {s} = (s_1, \ldots , s_d) \in \mathbb {Z}_p^d$ of random exponents, and the public parameters $PP$. It outputs a ciphertext header that implicitly includes $L$ as
$$\begin{aligned} CH_{L} = \Big ( C_0 = g^t,~ C_1 = w^t \prod _{i=1}^d v^{s_i},~ \big \{ C_{i,1} = g^{s_i},~ C_{i,2} = F_{i,L[i]}(L|_i)^{s_i} \big \}_{i=1}^d \Big ). \end{aligned}$$
and a session key as $EK = \Lambda ^t$.
CDE.DelegateCT($CH_L, c, PP$): This algorithm takes as input a ciphertext header $CH_L = ( C_0, C_1, \{ C_{i,1}, C_{i,2} \} )$ for a label string $L \in \{0,1\}^d$ where $d < l$, a bit value $c \in \{0,1\}$, and the public parameters $PP$. It selects a random exponent $s_{d+1} \in \mathbb {Z}_p$ and outputs a delegated ciphertext header for a new label string $L' = L\Vert c$ as
$$\begin{aligned} CH_{L'}&= \Big ( C'_0 = C_0,~ C'_1 = C_1 \cdot v^{s_{d+1}},~ \big \{ C'_{i,1} = C_{i,1},~ C'_{i,2} = C_{i,2} \big \}_{i=1}^{d},\\&\quad C'_{d+1,1} = g^{s_{d+1}},~ C'_{d+1,2} = F_{d+1,c}(L')^{s_{d+1}} \Big ). \end{aligned}$$
CDE.RandCT($CH_L, t', \mathbf {s}', PP$): This algorithm takes as input a ciphertext header $CH_L = (C_0, C_1, \{ C_{i,1}, C_{i,2} \})$ for a label string $L \in \{0,1\}^d$ where $d \le l$, a random exponent $t' \in \mathbb {Z}_p$, a vector $\mathbf {s}' = (s'_1, \ldots , s'_d) \in \mathbb {Z}_p^d$ of random exponents, and the public parameters $PP$. It outputs a re-randomized ciphertext header as
$$\begin{aligned} CH'_{L}&= \Big ( C'_0 = C_0 \cdot g^{t'},~ C'_1 = C_1 \cdot w^{t'} \prod _{i=1}^d v^{s'_i},\\&\qquad \,\,\,\big \{ C'_{i,1} = C_{i,1} \cdot g^{s'_i}, C'_{i,2} = C_{i,2} \cdot F_{i,L[i]}(L|_i)^{s'_i} \big \}_{i=1}^d \Big ). \end{aligned}$$
and a partial session key as $EK' = \Lambda ^{t'}$ that will be multiplied with the session key $EK$ of $CH_L$.
CDE.Decrypt($CH_L, SK_{L'}, PP$): This algorithm takes as input a ciphertext header $CH_L$ for a label string $L \in \{0,1\}^d$, a private key $SK_{L'} = (K_0, K_1, \{ K_{i,1}, K_{i,2} \}_{i=1}^n )$ for a label string $L' \in \{0,1\}^n$ where $d \le n \le l$, and the public parameters $PP$. If $L$ is a prefix of $L'$, then it derives $CH'_{L'} = ( C'_0, C'_1, \{ C'_{i,1}, C'_{i,2} \}_{i=1}^n )$ by iteratively running ${\mathbf{{DelegateCT} }}$ and outputs a session key as
$$\begin{aligned} EK = e(C'_0, K_0) \cdot e(C'_1, K_1) \cdot \prod _{i=1}^n \Big ( e(C'_{i,1}, K_{i,1}) \cdot e(C'_{i,2}, K_{i,2}) \Big ) \end{aligned}$$
Otherwise, it outputs $\perp $. The description of our SUE scheme is almost the same as that of Sect. 3. We omit the description of the SUE scheme.

Security analysis

To prove the security of above SUE scheme, we use the partitioning method. In the preparation of public parameters, a simulator can program only one challenge label to one element. The detailed description of the security proof is given as follows:

Theorem 13

The above SUE scheme is selectively secure under chosen plaintext attacks if the DBDH assumption holds. That is, for any PPT adversary $\mathcal {A}$, we have that $\mathbf Adv _{\mathcal {A}}^{SUE}(\lambda ) \le \mathbf Adv _{\mathcal {B}}^{DBDH}(\lambda )$.

Proof

Suppose there exists an adversary $\mathcal {A}$ that attacks the above SUE scheme with a non-negligible advantage. A simulator $\mathcal {B}$ that solves the DBDH assumption using $\mathcal {A}$ is given: a challenge tuple $D = ((p, \mathbb {G}, \mathbb {G}_T, e), g, g^a, g^b, g^c)$ and $Z$ where $Z = Z_0 = e(g,g)^{abc}$ or $Z = Z_1 = e(g,g)^d$. Then $\mathcal {B}$ that interacts with $\mathcal {A}$ is described as follows:

Init: $\mathcal {A}$ initially submits a challenge time $T^*$. $\mathcal {B}$ first obtains a challenge label $L^*$ that is associated with the challenge time $T^*$ by computing $L^* = \psi (T^*)$. Recall that ${\mathbf{{TimeLabels} }}(L) = \{ L \} \cup {\mathbf{{RightSibling} }}({\mathbf{{Path} }}(L)) \setminus {\mathbf{{Path} }} ({\mathbf{{Parent} }}(L))$. We define ${\mathbf{{TL} }}(L^*, i,j)$ be a function that returns a label string $L$ in ${\mathbf{{TimeLabels} }}(L^*)$ where the length of $L$ is $i$ and $L[i] = j$. Note that ${\mathbf{{TL} }}(L^*,i,j)$ return $0$ if there is no label string for $i$ and $j$.
Setup: $\mathcal {B}$ first chooses random exponents $w', v', u', \{ h'_{i,j} \}_{\forall 1 \le i \le l, \forall j \in \{0,1\}} \in \mathbb {Z}_p$. It implicitly sets $\beta = ab$ and publishes the public parameters $PP$ as
$$\begin{aligned} g,~ w&= g^a g^{w'},~ v = g^a g^{v'},~ u = g^a g^{u'},~ \big \{ h_{i,j} = \big (g^a\big )^{-{\mathbf{{TL} }}(L^*,i,j)} g^{h'_{i,j}} \big \}_{\forall 1 \le i \le l, \forall j \in \{0,1\}},\\ \Lambda&= e\big (g^a,g^b\big ). \end{aligned}$$
Query 1: $\mathcal {A}$ adaptively request a private key for a time $T$ with the restriction $T < T^*$. $\mathcal {B}$ first obtains a label string $L \in \{0,1\}^n$ by computing $\psi (T)$. Next, it selects random exponent $r', r'_1, \ldots , r'_n \in \mathbb {Z}_p$ and creates a private key by implicitly setting $r = -b + r'$, $\{ r_i = b/(L|_i - {\mathbf{{TL} }}(L^*,i,L[i])) + r'_i \}_{i=1}^n$ as
$$\begin{aligned}&K_0 = \big (g^b\big )^{-w'} w^{r'},~ K_1 = g^b g^{-r'},~ \\&\Bigg \{ K_{i,1} = \big (g^b\big )^{-v'} v^{r'} \big (g^b\big )^{\big (u' L|_i + h'_{i,L[i]}\big )/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big ) } F_{i,L[i]}\big (L|_i\big )^{r'_i},~ \\&~~ K_{i,2} = \big (g^b\big )^{-1/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big )} g^{-r'_i} \Bigg \}_{i=1}^n. \end{aligned}$$
Note that if $T < T^*$, then it can create a private key since ${\mathbf{{Path} }}(L) \cap {\mathbf{{TimeLabels} }}(L^*) = \emptyset $ where $L = \psi (T)$.
Challenge: To create the challenge ciphertext for the challenge time $T^*$, $\mathcal {B}$ proceeds as follows:

1.

It first sets a label $L^* \in \{0,1\}^d$ by computing $\psi (T^*)$. It chooses random exponents $s_1, \ldots , s_{d-1}, s'_d \in \mathbb {Z}_p$. It implicitly sets $t = c$, $s_d = -c + s'_d$ and creates ciphertext components $CH^{(0)}$ as
$$\begin{aligned}&C_0 = g^c,~ C_1 = \big (g^c\big )^{w'} \prod _{i=1}^{d-1} v^{s_i} \big (g^c\big )^{-v'} v^{s'_d},~ \Bigg \{ C_{i,1} = g^{s_i},~ C_{i,2} = F_{i,L^*[i]}\big (L^*|_i\big )^{s_i} \Bigg \}_{i=1}^{d-1},~ \\&C_{d,1} = \big (g^c\big )^{-1} g^{s'_d},~ C_{d,2} = \big (g^c\big )^{-\big (u' L^*|_i + h'_{i,L^*[i]}\big )} F_{d,L^*[d]}\big (L^*|_i\big )^{s'_d}. \end{aligned}$$
2.

For $1 \le j \le d$, it first sets $L^{(j)} = L^*|_{d-j}\Vert 1$ and proceeds as follows: Let $d^{(j)}$ be the length of $L^{(j)}$. If $L^{(j)} = L|_{d-j+1}$, it sets $CH^{(j)}$ as an empty one. Otherwise, it selects $s'_{d^{(j)}} \in \mathbb {Z}_p$ and creates ciphertext components $CH^{(j)}$ as
$$\begin{aligned}&C_1 = \big (g^c\big )^{w'} \prod _{i=1}^{d^{(j)}-1} v^{s_i} \big (g^c\big )^{-v'} v^{s'_{d^{(j)}}},~ \\&C_{d^{(j)},1} = \big (g^c\big )^{-1} g^{s'_{d^{(j)}}},~ C_{d^{(j)},2} = \big (g^c\big )^{-\big (u' L^{(j)} + h'_{d^{(j)},L[d^{(j)}]}\big )} F_{d^{(j)},L^{(j)}}\big (L^{(j)}\big )^{s'_{d^{(j)}}}. \end{aligned}$$
3.

It removes all empty $CH^{(j)}$ and sets $CH_T = \big ( CH^{(0)}, \ldots , CH^{(d')} \big )$ for some $d'$ that consists of non-empty $CH^{(j)}$.
4.

It sets the challenger ciphertext header as $CH_{T^*} = CH_T$ and the session key $EK = Z$. It gives $CH_{T^*}$ and $EK$ to $\mathcal {A}$.

Note that it can create the challenge ciphertext for $T^*$ since for all labels $L^{(j)}$ in the challenge ciphertext, $L^{(j)} \in {\mathbf{{TimeLabels} }}(L^*)$.

Query 2: Same as Query 1.

Guess: $\mathcal {A}$ outputs a guess $\mu '$. $\mathcal {B}$ also outputs $\mu '$.

To finish the proof, we should show that the simulation is correct. The private key is correctly distributed as

$$\begin{aligned} K_0&= g^{\beta } w^r = g^{ab} \big (g^a g^{w'}\big )^{-b + r'} = \big (g^b\big )^{-w'} w^{r'},~ \\ K_1&= g^{-r} = g^{b - r'} = g^b g^{-r'},~ \\ K_{i,1}&= v^r F_{i,L[i]}(L|_i)^{r_i} = \big (g^a g^{v'}\big )^{-b + r'} \big ( \big (g^a\big )^{L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )} g^{u' L|_i + h'_{i,L[i]}} \big )^{b/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big ) + r'_i} \\&= \big (g^b\big )^{-v'} v^{r'} \big (g^b\big )^{\big (u' L|_i + h'_{i,L[i]}\big )/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big ) } F_{i,L[i]}\big (L|_i\big )^{r'_i},~ \\ K_{i,2}&= g^{-r_i} = g^{-b/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big ) - r'_i} = \big (g^b\big )^{-1/\big (L|_i - {\mathbf{{TL} }}\big (L^*,i,L[i]\big )\big )} g^{-r'_i}. \end{aligned}$$

Note that the term $g^{ab}$ of $K_{i,1}$ that is not given in the assumption is cancelled since $L|_i - {\mathbf{{TL} }}(L^*,i,L[i]) \ne 0$.

The challenge ciphertext component $CH^{(j)}$ is also correctly distributed as

$$\begin{aligned} C_1 \!&=\! w^t \prod _{i=1}^{d^{(j)}} v^{s_i} \!=\! \big (g^a g^{w'}\big )^c \prod _{i=1}^{d^{(j)}-1} v^{s_i} \cdot \big (g^a g^{v'}\big )^{-c + s'_{d^{(j)}}} \!=\! \big (g^c\big )^{w'} \prod _{i=1}^{d^{(j)}-1} v^{s_i} \cdot \big (g^c\big )^{-v'} v^{s'_{d^{(j)}}},~ \\ C_{d^{(j)},1}&= g^{s_{d^{(j)}}} = g^{-c + s'_{d^{(j)}}} = \big (g^c\big )^{-1} g^{s'_{d^{(j)}}},~ \\ C_{d^{(j)},2}&= F_{d^{(j)},L^*[d^{(j)}]}\big (L^{(j)}\big )^{s_{d^{(j)}}} = \Big ( \big (g^a\big )^{L^{(j)} - {\mathbf{{TL} }}\big (L^*,d^{(j)},L[d^{(j)}]\big )} g^{u' L^{(j)} + h'_{d^{(j)},L\big [d^{(j)}\big ]}} \Big )^{-c + s'_{d^{(j)}}} \\&= \big (g^c\big )^{-\big (u' L^{(j)} + h'_{d^{(j)},L[d^{(j)}]}\big )} F_{d^{(j)},L^{(j)}}\big (L^{(j)}\big )^{s'_{d^{(j)}}}. \end{aligned}$$

Note that the term $g^{ac}$ of $C_1$ is cancelled and the term $g^{ac}$ of $C_{d^{(j)},2}$ is not needed since $L^{(j)} = {\mathbf{{TL} }}(L^*, d^{(j)}, L[d^{(j)}])$. This completes our proof. $\square $

References

1.
Boldyreva A., Goyal V., Kumar V.: Identity-based encryption with efficient revocation. In: Ning P., Syverson P.F., Jha S. (eds.) ACM Conference on Computer and Communications Security, pp. 417–426. ACM, New York (2008).Google Scholar
2.
Boneh D., Boyen X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin C., Camenisch J. (eds.) Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)Google Scholar
3.
Boneh D., Franklin M.K.: Identity-based encryption from the weil pairing. In: Kilian J. (ed.) Advances in Cryptology—CRYPTO 2001. Lecture Notes in Computer Science, vol. 2139, pp. 213–229. Springer, Heidelberg (2001).Google Scholar
4.
Boneh D., Waters B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan S.P. (ed.) Theory of Cryptography—TCC 2007. Lecture Notes in Computer Science, vol. 4392, pp. 535–554. Springer, Heidelberg (2007).Google Scholar
5.
Boneh D., Boyen X., Goh E.J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer R. (ed.) Advances in Cryptology—EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 440–456. Springer, Heidelberg (2005).Google Scholar
6.
Boneh D., Sahai A., Waters B.: Functional encryption: definitions and challenges. In: Ishai Y. (ed.) Theory of Cryptography—TCC 2011. Lecture Notes in Computer Science, vol. 6597, pp. 253–273. Springer, Heidelberg (2011).Google Scholar
7.
Canetti R., Halevi S., Katz J.: A forward-secure public-key encryption scheme. In: Biham E. (ed.) Advances in Cryptology—EUROCRYPT 2003. Lecture Notes in Computer Science, vol. 2656, pp. 255–271. Springer, Heidelberg (2003).Google Scholar
8.
Datta P., Dutta R., Mukhopadhyay S.: Fully secure self-updatable encryption in prime order bilinear groups. In: Chow S.S.M., Camenisch J., Hui L.C.K., Yiu S. (eds.) Information Security—ISC 2014. Lecture Notes in Computer Science, vol. 8783, pp. 1–18. Springer, Heildelberg (2014).Google Scholar
9.
Dodis Y., Katz J., Xu S., Yung M.: Key-insulated public key cryptosystems. In: Knudsen L.R. (ed.) Advances in Cryptology—EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2332, pp. 65–82. Springer, Heidelberg (2002).Google Scholar
10.
Dodis Y., Franklin M.K., Katz J., Miyaji A., Yung M.: Intrusion-resilient public-key encryption. In: Joye M. (ed.) Topics in Cryptology—CT-RSA 2003. Lecture Notes in Computer Science, vol. 2612, pp. 19–32. Springer, Heidelberg (2003).Google Scholar
11.
Gentry C., Silverberg A.: Hierarchical id-based cryptography. In: Zheng Y. (ed.) Advances in Cryptology—ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501, pp. 548–566. Springer, Heidelberg (2002).Google Scholar
12.
Goyal V., Pandey O., Sahai A., Waters B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels A., Wright R.N., di Vimercati S.D.C. (eds.) ACM Conference on Computer and Communications Security, pp. 89–98. ACM, New York (2006).Google Scholar
13.
Kasamatsu K., Matsuda T., Emura K., Attrapadung N., Hanaoka G., Imai H.: Time-specific encryption from forward-secure encryption. In: Visconti I., Prisco R.D. (eds.) Security and Cryptography for Networks—SCN 2012. Lecture Notes in Computer Science, vol. 7485, pp. 184–204. Springer, Heidelberg (2012).Google Scholar
14.
Lee K., Choi S.G., Lee D.H., Park J.H., Yung M.: Self-updatable encryption: Time constrained access control with hidden attributes and better efficiency. In: Sako K., Sarkar P. (eds.) Advances in Cryptology—ASIACRYPT 2013. Lecture Notes in Computer Science, vol. 8269, pp. 235–254. Springer, Heidelberg (2013).Google Scholar
15.
Lee K., Lee D.H., Park J.H.: Efficient revocable identity-based encryption via subset difference methods. Cryptology ePrint Archive, Report 2014/132 (2014). http://eprint.iacr.org/2014/132. Accessed 31 May 2014.
16.
Lewko A.B., Sahai A., Waters B.: Revocation systems with very small private keys. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 273–285. IEEE Computer Society, Washington (2010).Google Scholar
17.
Libert B., Vergnaud D.: Adaptive-ID secure revocable identity-based encryption. In: Fischlin M. (ed.) Topics in Cryptology—CT-RSA 2009. Lecture Notes in Computer Science, vol. 5473, pp. 1–15. Springer, Heidelberg (2009).Google Scholar
18.
Naor D., Naor M., Lotspiech J.: Revocation and tracing schemes for stateless receivers. In: Kilian J. (ed.) Advances in Cryptology—CRYPTO 2001. Lecture Notes in Computer Science, vol. 2139, pp. 41–62. Springer, Heidelberg (2001).Google Scholar
19.
Park S., Lee K., Lee D.H.: New constructions of revocable identity-based encryption from multilinear maps. Cryptology ePrint Archive, Report 2013/880 (2013). http://eprint.iacr.org/2013/880. Accessed 31 May 2014.
20.
Paterson K.G., Quaglia E.A.: Time-specific encryption. In: Garay J.A., Prisco R.D. (eds.) Security and Cryptography for Networks—SCN 2010. Lecture Notes in Computer Science, vol. 6280, pp. 1–16. Springer, Heidelberg (2010).Google Scholar
21.
Rivest R.L., Shamir A., Wagner D.A.: Time-lock puzzles and timed-release crypto. Technical Report MIT/LCS/TR-684 (1996).Google Scholar
22.
Rouselakis Y., Waters B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: Sadeghi A.R., Gligor V.D., Yung M. (eds.) ACM Conference on Computer and Communications Security, pp. 463–474, ACM, New York (2013).Google Scholar
23.
Sahai A., Seyalioglu H., Waters B.: Dynamic credentials and ciphertext delegation for attribute-based encryption. In: Safavi-Naini R., Canetti R. (eds.) Advances in Cryptology—CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417, pp. 199–217. Springer, Heidelberg (2012).Google Scholar
24.
Seo J.H., Emura K.: Efficient delegation of key generation and revocation functionalities in identity-based encryption. In: Dawson E. (ed.) Topics in Cryptology—CT-RSA 2013. Lecture Notes in Computer Science, vol. 7779, pp. 343–358. Springer, Heidelberg (2013).Google Scholar
25.
Seo J.H., Emura K.: Revocable identity-based encryption revisited: security model and construction. In: Kurosawa K., Hanaoka G. (eds.) PKC 2013. Lecture Notes in Computer Science, vol. 7778, pp. 216–234. Springer, Heidelberg (2013)Google Scholar
26.
Waters B.: Efficient identity-based encryption without random oracles. In: Cramer R. (ed.) Advances in Cryptology—EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 114–127. Springer, Heidelberg (2005).Google Scholar
27.
Waters B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi S. (ed.) Advances in Cryptology—CRYPTO 2009. Lecture Notes in Computer Science, vol. 5677, pp. 619–636. Springer, Heidelberg (2009)Google Scholar
28.
Waters B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano D., Fazio N., Gennaro R., Nicolosi A. (eds.) Public Key Cryptography—PKC 2011. Lecture Notes in Computer Science, vol. 6571, pp. 53–70. Springer, Heidelberg (2011).Google Scholar

Copyright information

Authors and Affiliations

Kwangsu Lee
- 1
Email author

1.Korea UniversitySeoulKorea

Self-updatable encryption with short public parameters and its extensions

Abstract

Keywords

Mathematics Subject Classification

Notes

Acknowledgments

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite article