Selective End-To-End Data-Sharing in the Cloud

Abstract

Cloud-based services enable easy-to-use data-sharing between multiple parties, and, therefore, have been widely adopted over the last decade. Storage services by large cloud providers such as Dropbox or Google Drive as well as federated solutions such as Nextcloud have amassed millions of users. Nevertheless, privacy challenges hamper the adoption of such services for sensitive data: Firstly, rather than exposing their private data to a cloud service, users desire end-to-end confidentiality of the shared files without sacrificing usability, e.g., without repeatedly encrypting when sharing the same data set with multiple receivers. Secondly, only being able to expose complete (authenticated) files may force users to expose overmuch information. The receivers, as well as the requirements, might be unknown at issue-time, and thus the issued data set does not exactly match those requirements. This mismatch can be bridged by enabling cloud services to selectively disclose only relevant parts of a file without breaking the parts’ authenticity. While both challenges have been solved individually, it is not trivial to combine these solutions and maintain their security intentions.

In this paper, we tackle this issue and introduce selective end-to-end data-sharing by combining ideas from proxy re-encryption and redactable signature schemes. Proxy re-encryption provides us with the basis for end-to-end encrypted data-sharing, while redactable signatures enable to redact parts and selectively disclose only the remaining still authenticated parts. We overcome the issues encountered when naively combining these two concepts, introduce a security model, and present a modular instantiation together with implementations based on a selection of various building blocks. We conclude with an extensive performance evaluation of our instantiation.

S. Ramacher—Work done while the author was with Graz University of Technology.

A Proof of Theorem 1

We prove Theorem 1 by proving Lemma 1–4 to show the properties unforgeability, proxy privacy, receiver privacy, and, finally, transparency. For proofs using a sequence of games, we denote the event that an adversary wins game i by \(S_i\).

Lemma 1

If \(\mathsf {RSS}\) is unforgeable and \(\mathsf {C}\) is binding, then Scheme 1 is unforgeable.

Proof

We prove this lemma using a sequence of games.

• Game 0: The original \(\mathsf {SEEDS}\) unforgeability game.

• Game 1: We adapt Game 0 to also abort when the signatures were generated by \(\mathtt {SIG} \).

  

• Transition \(0 \Rightarrow 1\): Game 1 behaves the same as Game 0 unless \(\mathcal {A} \) returned a valid pair \((m, \sigma )\) where the included \(\mathsf {RSS} \) signature \(\hat{\sigma }\) on \(\{C \}\mathord {\cup }c \) was generated by \(\mathtt {SIG}\). We denote this failure event as F, thus \(\left| \Pr [S_0] - \Pr [S_1] \right| \le \Pr [F]\). In this case, since \(C \), \(c \), and \(\hat{\sigma }\) are fixed, two different messages can only be obtained, by decrypting with different keys \(k_1\) and \(k_2\). From the fixed \(C \), different keys can only be recovered with different opening informations \(O _1\) and \(O _2\). To achieve this, the adversary would have to break the binding property of \(\mathsf {C}\), therefore \(\Pr [F] = \epsilon _{\mathsf {C}}^{Bind}(\kappa )\).

Finally, we build an efficient adversary \(\mathcal {B} \) from an adversary \(\mathcal {A} \) winning Game 1 for the unforgeability of \(\mathsf {RSS}\) in \(\mathcal {R} _{\mathsf {RSS}}^{Unf}\rightarrow {G_1}\). We can simulate \(\mathtt {SIG} \) except for \(i = 0\), where we obtain the \(\mathsf {RSS}\) signatures using its signing oracle. Note that all values are consistently distributed. Now, if we obtain a forgery (\(m, \sigma )\) from \(\mathcal {A} \), then parse \(\sigma \) as \((O, C, c, \hat{\sigma })\) and forward \(\{ C \} \cup c, \hat{\sigma }\) as a forgery. Therefore, \(\Pr [S_1] = \epsilon _{\mathsf {RSS}}^{Unf}(\kappa )\), resulting in \(\Pr [S_0] = \epsilon _{\mathsf {C}}^{Bind}(\kappa ) + \epsilon _{\mathsf {RSS}}^{Unf}(\kappa ) \), which is negligible.

Lemma 2

If the \(\mathsf {PRE}\) is IND-RCCA-2 secure, \(\mathsf {C}\) is hiding, \(\mathsf {S}\) is IND-CPA secure, and \(\mathsf {RSS}\) is unforgeable, then Scheme 1 is proxy private.

Proof

We prove proxy privacy using a sequence of games.

• Game 0: The original \(\mathsf {SEEDS}\) proxy privacy game.

• Game 1: We restrict the decryption oracles to ciphertexts that contain messages signed by the signature oracle. Therefore, we adapt \(\mathtt {SE} \) as \(\mathtt {SIG} \) in Lemma 1 to track the generated commitments, . Also, we adapt \(\mathtt {D} \) to and .

• Transition \(0 \Rightarrow 1\): The two games proceed identically unless the adversary submits a valid signature to \(\mathtt {D}\). In that case the adversary produced a forgery, i.e. \(|\Pr [S_0] - \Pr [S_1]| \le \epsilon ^{Unf}_{\mathsf {SEEDS}}(\kappa )\).

• Game 2: In the used \(\mathsf {Encrypt}\) algorithm, we replace the opening information with a random r from the same domain, and simulate the oracles accordingly:

  

  

• Transition \(1 \Rightarrow 2\): From a distinguisher \(\mathcal {D}^{1 \rightarrow 2}\), we build an IND-RCCA-2 adversary against the \(\mathsf {PRE}\) scheme. Indeed, let \(\mathcal {C}\) be an IND-RCCA-2 challenger. We modify \(\mathsf {Encrypt}\) in the following way: Simulate everything honestly, but sample uniformly at random from the domain of openings of \(\mathsf {C}\) and run , where \(c \leftarrow \mathcal {C}(m_0, m_1)\) denotes a challenge ciphertext with respect to \(m_0\) and \(m_1\). The \(\mathtt {RE} \) oracle calls the challenger’s \(\mathtt {RE} \) oracle instead of \(\mathsf {PRE}.\mathsf {ReEnc} \). Consequently, \(|\Pr [S_1] - \Pr [S_2]| \le \epsilon ^{IND-RCCA-2}_{\mathsf {PRE}}(\kappa )\).

• Game 3: For the signature contained in the challenge ciphertext, we commit to a random value, i.e., we set and .

• Transition \(2 \Rightarrow 3\): From a distinguisher \(\mathcal {D}^{2 \rightarrow 3}\), we obtain a hiding adversary against \(\mathsf {C} \). Let \(\mathcal {C}\) be a hiding challenger. We modify \(\mathsf {Sign}\) in the following way: Simulate everything honestly, but choose uniformly at random from the same domain as the \(\mathsf {S}\) keys and run , where \(C \leftarrow \mathcal {C}(m_0, m_1)\) denotes a challenge commitment with respect to \(m_0\) and \(m_1\). Therefore, \(|\Pr [S_2] - \Pr [S_3]| \le \epsilon ^{Hide}_{\mathsf {C}}(\kappa )\).

• Game 4: In the challenge ciphertext, we replace the message parts with random values drawn from an identical domain with the same corresponding lengths, i.e. and .

• Transition \(3 \Rightarrow 4\): A distinguisher \(\mathcal {D}^{3 \rightarrow 4}\) is a (hybrid) IND-CPA adversary against \(\mathsf {S}\). Let \(\mathcal {C}\) be an IND-CPA challenger. We modify \(\mathsf {Sign}\) in the following way: Simulate everything honestly, but for each message part choose uniformly at random from the message space and run , where \(c \leftarrow \mathcal {C}(m_0, m_1)\) denotes a challenge ciphertext with respect to \(m_0\) and \(m_1\). Therefore, \(|\Pr [S_4] - \Pr [S_3]| \le |m | \cdot \epsilon ^{IND-CPA}_{\mathsf {S}}(\kappa )\), with \(|m |\) polynomial in the security parameter \(\kappa \).

Finally, we have that , since the adversary now cannot do better than guessing. Combining the claims, we see that the following is negligible:

Lemma 3

If \(\mathsf {RSS}\) is private, then Scheme 1 is receiver private.

Proof

Assuming there is an efficient adversary \(\mathcal {A} \) against the receiver privacy of Scheme 1, we build an adversary \(\mathcal {B} \) against the privacy of \(\mathsf {RSS} \):

The reduction extends the \(\mathsf {RSS} \) public key to a \(\mathsf {SEEDS} \) public key, and forwards it to \(\mathcal {A} \). The oracle \(\mathtt {LoRRedact}\) sets up everything honestly and obtains signatures from \(\mathtt {LoRRedact}\) of \(\mathsf {RSS}\). All values are distributed consistently, and \(\mathcal {B}\) wins the privacy experiment of \(\mathsf {RSS}\) with the same probability as \(\mathcal {A} \) breaks the \(\mathsf {SEEDS}\) receiver privacy of Scheme 1.

Lemma 4

If \(\mathsf {RSS}\) is transparent, then Scheme 1 is transparent.

Proof

Assuming there is an efficient adversary \(\mathcal {A} \) against the transparency of Scheme 1, we construct an adversary \(\mathcal {B} \) against the transparency of the RSS:

The reduction extends the RSS public key to a \(\mathsf {SEEDS} \) public key honestly, and forwards it together with the secret encryption key to \(\mathcal {A} \). Similarly, \(\mathtt {RedactOrNot}\) sets up everything honestly and queries the RSS oracle \(\mathcal {O} ^{Sign/Redact}\) to obtain the signature. Finally, it outputs a consistent ciphertext, hence, \(\mathcal {B} \) wins with the same probability as \(\mathcal {A} \).