Professional Documents
Culture Documents
An Efficient Certificateless Encryption For Secure Data Sharing I
An Efficient Certificateless Encryption For Secure Data Sharing I
Purdue e-Pubs
Cyber Center Publications Cyber Center
9-2014
Xiaoyu Ding
Purdue University, West Lafayette, IN, USA, ding55@purdue.edu
Elisa Bertino
Purdue University, bertino@cs.purdue.edu
Seo, Seung-Hyun; Mohamed Nabeel, Mohamed Yoosuf; Ding, Xiaoyu; and Bertino, Elisa, "An Efficient Certificateless Encryption for
Secure Data Sharing in Public Clouds" (2014). Cyber Center Publications. Paper 621.
http://dx.doi.org/10.1109/TKDE.2013.138
This document has been made available through Purdue e-Pubs, a service of the Purdue University Libraries. Please contact epubs@purdue.edu for
additional information.
IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 26, NO. 9, SEPTEMBER 2014 2107
Abstract—We propose a mediated certificateless encryption scheme without pairing operations for securely sharing sensitive
information in public clouds. Mediated certificateless public key encryption (mCL-PKE) solves the key escrow problem in identity
based encryption and certificate revocation problem in public key cryptography. However, existing mCL-PKE schemes are either
inefficient because of the use of expensive pairing operations or vulnerable against partial decryption attacks. In order to address the
performance and security issues, in this paper, we first propose a mCL-PKE scheme without using pairing operations. We apply our
mCL-PKE scheme to construct a practical solution to the problem of sharing sensitive information in public clouds. The cloud is
employed as a secure storage as well as a key generation center. In our system, the data owner encrypts the sensitive data using the
cloud generated users’ public keys based on its access control policies and uploads the encrypted data to the cloud. Upon successful
authorization, the cloud partially decrypts the encrypted data for the users. The users subsequently fully decrypt the partially
decrypted data using their private keys. The confidentiality of the content and the keys is preserved with respect to the cloud, because
the cloud cannot fully decrypt the information. We also propose an extension to the above approach to improve the efficiency of
encryption at the data owner. We implement our mCL-PKE scheme and the overall cloud based system, and evaluate its security and
performance. Our results show that our schemes are efficient and practical.
1 I NTRODUCTION
Our main contributions are summarized as follows: either a ciphertext CID or a special symbol ⊥ meaning an
encryption failure. Any entity can run this algorithm.
• We propose a new mCL-PKE scheme. We present • SEM-Decrypt: It takes params, a SEM-key, and a
the formal security model and provide the secu- ciphertext CID as input, and then returns either a partial
rity proof. Since our mCL-PKE scheme does not decrypted message CID for the user or a special symbol ⊥
depend on the pairing-based operation, it reduces meaning an decryption failure. Only the SEM runs this
the computational overhead. Moreover, we intro- algorithm using SEM-key.
duce an extension of mCL-PKE scheme to efficiently • USER-Decrypt: It takes params, a user’s private key
encrypt data for multiple users. SKID , the partial decrypted message CID by the SEM as
• We propose a novel approach to securely share data input and returns either a fully decrypted message M or
in a public cloud. Unlike conventional approaches, a special symbol ⊥ meaning an decryption failure. Only
the KGC only needs to be semi-trusted and can the user can run this algorithm using its own private key
reside in the public cloud, because our mCL- and the partial decrypted message by the SEM.
PKE scheme does not suffer from the key escrow
problem. Definition 2. The Computational Diffie-Hellman (CDH)
• We have implemented our mCL-PKE scheme and the problem is defined as follows: Let p and q be primes such
extension to evaluate the performance. The experi- that q|(p − 1). Let g be a generator of Z∗p . Let A be an
mental result shows that our mCL-PKE scheme can adversary. A tries to solve the following problem: Given
be realistically applied in a public cloud for secure (g, ga , gb ) for uniformly chosen a, b, c ∈ Z∗q , compute k = gab .
data sharing. We define A’s advantage in solving the CDH problem by
The remainder of this paper is organized as follows: Adv(A)=Pr[A(g, ga , gb ) = gab ].
Section 2 introduces our mCL-PKE scheme without pairing,
and presents a security model and security proof. Section 3
2.2 Security Model of Mediated CL-PKE
proposes an approach for secure sharing data in public
In general, in order to construct the security model of a
clouds. Section 4 proposes the extended scheme for secure
mediated CL-PKE scheme [9], we must consider two types
cloud storage. Section 5 shows the performance evaluation.
of adversaries: Type I adversary AI and Type II adver-
Section 6 discusses related works and Section 7 concludes
sary AII . A type I adversary AI means a normal third
the paper.
party attacker which does not know the master key, but
2 M CL-PKE S CHEME WITHOUT PAIRINGS can replace public keys of users. That is, AI does not have
access to the master key, but is able to choose any public
In this section, we present the mediated Certificateless key to be used for the challenge ciphertext. A type II adver-
Public Key Encryption (mCL-PKE) scheme and its security sary AII is a malicious KGC which has the master key, but
model. Then, we prove the formal security of mCL-PKE is unable to replace public keys of users. That is, AII can
scheme. have access to the master key, but can use only a registered
public key for the challenge ciphertext. We do not need to
2.1 Definitions consider a malicious SEM explicitly, because it is weaker
Definition 1. The mediated certificateless public key than AII .
encryption scheme is a 7-tuple mCL-PKE=(SetUp, In order to describe the security of the mediated CL-PKE
SetPrivateKey, SetPublicKey, SEM-KeyExtract, Encrypt, scheme, we consider a formal game where the adversary
SEM-Decrypt, USER-Decrypt). The description of each A interacting with their Challenger as follows. The adver-
algorithm is as follows. sary A can be either AI or AII . The Challenger should
keep a history of query-answer while interacting with the
• SetUp: It takes a security parameter k as input and adversaries.
returns system parameters params and a secret master
key mk. We assume that params are publicly available A Formal Game for an adversary A
to all users. • SetUp: The Challenger runs SetUp by taking a
• SetPrivateKey: It takes params and ID as input and security parameter k as input in order to return sys-
outputs the user’s (the owner of ID) secret value SKID . tem parameters params and a master key mk. The
Each user runs this algorithm. Challenger gives params to the adversary A and
• SetPublicKey: It takes params and a user’s secret value keeps mk secret.
SKID as input and returns the user’s public key PKID . • Phase 1: The adversary A can adaptively make var-
• SEM-KeyExtract: Each user registers its own identity ious queries and the Challenger can respond to the
and public key to the KGC. After the KGC verifies the queries as follows:
user’s knowledge of the private key corresponding to its
public key, the KGC takes params, mk and user identity – SEM-key for ID Extraction: The Challenger
ID as input and generates a SEM-key corresponding to ID runs SEM-KeyExtract to generate the SEM-key
required during decryption time by the SEM. The KGC d0 using an identity ID and params as the
runs this algorithm for each user, and we assume that the input.
SEM-key is distributed securely to the SEM. – Public Key Request for ID: The Challenger runs
• Encrypt: It takes params, a user’s identity ID, a user’s SetPrivateKey to generate SKID , and then runs
public key PKID , and a message M as inputs and returns SetPublicKey to generate the public key PKID
2110 IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 26, NO. 9, SEPTEMBER 2014
using ID, SKID and params as the input. It 2.3 Basic Algorithm
returns PKID to A. • SetUp:
– Public Key Replacement: The adversary A can KGC takes as input a security parameter k to gen-
repeatedly replace the public key for any iden- erate two primes p and q such that q|p − 1. It then
tity with any value of its choice. The SEM- performs the following steps:
key is also updated if the Challenger bundles
the public key with the identity for SEM- 1) Pick a generator g of Z∗p with order q.
key creation. The replaced public key will be 2) Select x ∈ Z∗q uniformly at random and com-
used in the rest of the game unless replaced pute y = gx .
again. 3) Choose cryptographic hash functions
– Private Key Extraction for ID: The Challenger H1 :{0, 1}∗ ×Z∗p → Z∗q , H2 :{0, 1}∗ ×Z∗p ×Z∗p → Z∗q ,
runs SetPrivateKey to generate SKID using ID H3 :{0, 1}∗ → Z∗q , H4 :Z∗p → {0, 1}n+k0 ,
as the input. It returns SKID to A. However, H5 :Z∗p → {0, 1}n+k0 , and H6 :Z∗p × {0, 1}n+k0 ×
if the public key of ID has been already Z∗p × {0, 1}n+k0 → Z∗q , where n, k0 are the
replaced by the adversary A, this query is bit-length of a plaintext and a random bit
disallowed. string, respectively.
– SEM-Decryption: The adversary provides The system parameters params are (p, q, n, k0 , g,
an identity ID and a ciphertext CID . The y, H1 , H2 , H3 , H4 , H5 , H6 ). The master key of KGC
Challenger responds with the partial decryp- is x. The plaintext space is M = {0, 1}n and the
tion CID under the SEM-key d0 that is ciphertext space is C = Z∗p × {0, 1}n+k0 × Z∗q .
associated with the identity ID. • SetPrivateKey:
– USER-Decryption: The adversary provides The entity A chooses zA ∈ Z∗q uniformly at random
an identity ID and a ciphertext CID . The as the private key of A.
Challenger responds with the decryption of • SetPublicKey:
CID under the private key SKID that is asso- The entity A computes UA = gzA .
ciated with the identity ID. • SEM-KeyExtract:
KGC selects s0 , s1 ∈ Z∗q and computes w0 = gs0 ,
• Challenge Phase: Once A determines that Phase 1 w1 = gs1 , d0 = s0 + xH1 (IDA , w0 ), d1 = s1 +
is over, it outputs a challenge identity ID∗ and a xH2 (IDA , w0 , w1 ). KGC sets d0 as the SEM-key for
pair of plaintext (M0 , M1 ) with an equal length. In A. After A proves the knowledge of the secret value
case that A is a AI , it chooses a public key of iden- zA such that UA = gzA , KGC sets (UA , w0 , w1 , d1 ) as
tity ID∗ , PKID∗ by using the Public Key Replacement the A’s public keys.
query. For the identity ID∗ , AI cannot ask both the • Encrypt:
SEM-Key Extraction query and Private Key Extraction To encrypt a plaintext M ∈ {0, 1}n for the entity A
query. If A is a AII , the public key of identity ID∗ with identity IDA and public keys (UA , w0 , w1 , d1 ), it
cannot be replaced. For the identity ID∗ , AII can- performs the following steps:
not ask Private Key Extraction query. The Challenger
picks β ∈R {0, 1} and creates a target ciphertext CID∗ 1) Check whether gd1 = w1 · yH2 (IDA ,w0 ,w1 ) .
which is the encryption of Mβ under the public key If the checking result is not valid, encryption
of ID∗ . In case of AI , the public key of ID∗ is PKID∗ . algorithm must be aborted.
Otherwise, the public key of ID∗ is the original one. 2) Choose σ ∈ {0, 1}k0 and
The Challenger returns CID∗ to A. compute r = H3 (M, σ, IDA , UA ).
• Phase 2: A continues to issue more queries, but 3) Compute C1 = gr .
it cannot issue both the SEM-Key Extraction query 4) Compute C2 = (M||σ ) ⊕ H4 UA r ⊕ H5 wr0 ·
and Private Key Extraction query for the ID∗ . If yH1 (IDA ,w0 )·r .
AI has requested the private key corresponding to 5) Compute C3 r
the public key PKID∗ , then it cannot make a SEM- C3 = H6 UA , (M||σ ) ⊕ H4 UA , C1 , C2 .
Decrypt query for CID∗ . On the other hand, if AII Output the ciphertext C = (C1 , C2 , C3 ).
has requested the SEM-key corresponding to ID∗ , it In Step 1, an entity who wants to encrypt a message
cannot make a USER-Decrypt query for CID∗ where can verify the validity of receiver’s public key. From
CID∗ is the result of SEM-Decrypt query for CID∗ . Step 2 to Step 5 are the process of encryption.
• Guess: A outputs its guess bit β ∈R {0, 1}. • SEM-Decrypt:
Given the ciphertext C = (C1 , C2 , C3 ), a IDA , A’s pub-
In case of β = β, A wins.
We define A ’s advantage
lic keys (UA , w0 , w1 , d1 ), SEM performs the following
in the above game by 2 × Pr[β = β] − 12 , i ∈ {I, II}. A steps using the SEM-key d0 :
mediated CL-PKE scheme is IND-CCA secure if there is no
probabilistic polynomial-time adversary in the above games 1) Check that IDA is a legitimate user whose key
with non-negligible advantage in the security parameter has not been revoked.
k. The security of our mediated certificateless public key 2) Compute C1 d0 .
encryption scheme is based on the assumed intractability C1 d0 = gr·d0 = gr·(s0 +xH1 (IDA ,w0 ))
of the CDH problem. = gr·s0 · gr·xH1 (IDA ,w0 ) = w0 r · yr·H1 (IDA ,w0 ) .
SEO ET AL.: AN EFFICIENT CERTIFICATELESS ENCRYPTION FOR SECURE DATA SHARING IN PUBLIC CLOUDS 2111
d
3) Compute C2 ⊕ H5 C10 . for any (0 ≤ δ ≤ ε), there exists either an algorithm
B to
d solve the CDH problem with advantage ≥ q15 Pr AskH5∗ ≥
C2 ⊕ H5 C10
a Public Key Replacement, a SEM-Decryption or a USER- SEM-Decryption queries: AI can request B to decrypt
Decryption query. partially ciphertext C for IDi . B searches the public key list
Public Key Request: B maintains a public key list for a tuple IDi , (Ui , w0i , w1i , d1i ), coin. Then B responds as
IDi , (Ui , w0i , w1i , d1i ), coin. On receiving such a query on follows:
IDi , B responds as follows:
1) If the public key has not been replaced and coin = 0,
1) If there is a tuple IDi , (Ui , w0i , w1i , d1i ), coin on the
list, B returns (Ui , w0i , w1i , d1i ). • B searches the partial key list for a tuple
2) Otherwise, B picks coin ∈ {0, 1} with Pr[coin = 0] = IDi , d0i , (w0i , w1i , d1i ).
d
γ (γ will be determined in the Guess). • B computes C1 d0i and C2 ⊕ H5 (C10i )
• B checks whether C3 = H6 (Ui , C2 ⊕
• In case of coin = 0, choose d0i , d1i , e0i , e1i , d
H5 (C10i ), C1 , C2 ). If it is valid, B returns C2 =
zi ∈R Z∗q , compute w0i = gd0i y−e0i , w1i = d
C2 ⊕ H5 (C10i ). Otherwise, B outputs ⊥.
gd1i y−e1i , Ui = gzi . (Check the H1 list and if
there is a tuple (IDi , w0i ), e0 , select again 2) Otherwise, B searches the H3 list for a tuple
d0i , e0i ∈R Z∗q ; Check the H2 list and if (Mi , σi , IDi , Ui ), ri , where C1 = gri ,
r
there is a tuple (IDi , w0i , w1i ), e1 , select C2 = (Mi ||σi ) ⊕ H4 Ui ri ⊕ H5 w0ii · yH1 (IDi ,w0i )·ri and
again d1i , e1i ∈R Z∗q .) Add (IDi , w0i ), e0i r
C3 = H6 Ui , (Mi ||σi ) ⊕ H4 Ui i , C1 , C2 . B returns
to the H1 list, (IDi , w0i , w1i ), e1i to the H2
the corresponding C2 = (Mi ||σi ) ⊕ H4 (Ui ri ) if such a
list, IDi , d0i , (w0i , w1i , d1i ) to the partial key tuple exists. Otherwise, B outputs ⊥.
list, IDi , zi to the private key list and
IDi , (Ui , w0i , w1i , d1i ) to the public key list. USER-Decryption queries: This query should be per-
Return (Ui , w0i , w1i , d1i ) as answer. formed after SEM-Decryption query performing. AI can
• In case of coin = 1, choose s0i , d1i , e1i , zi ∈R Z∗q , request B to perform User-decryption for C1 , C2 . B searches
compute w0i = gs0i , w1i = gd1i y−e1i , Ui = gzi . the public key list for a tuple IDi , (Ui , w0i , w1i , d1i ), coin.
(Check the H2 list and if there is a tuple Then B responds as follows:
(IDi , w0i , w1i ), e1 , select again d1i , e1i ∈R Z∗q .) 1) If the public key has not been replaced and coin = 0,
Add (IDi , w0i , w1i ), e1i to the H2 list and
IDi , (Ui , w0i , w1i , d1i ), s0i , coin to the public • B searches private key list of tuples IDi , zi .
key list. Return (Ui , w0i , w1i , d1i ) as answer. • B computes C1 zi and H4 (C1 zi ).
• B parses M and σ from M ||σ = H4 (C1 zi ) ⊕
SEM-Key Extraction: B maintains a partial key list of
C2 .
tuples IDi , d0i , (w0i , w1i , d1i ). On receiving such a query on
• B computes r = H3 (M ||σ ||IDi ||Ui ) and gr .
IDi , B responds as follows:
• B checks whether g = C1 . If g = C1 , it
r r
1) If a tuple IDi , d0i , (w0i , w1i , d1i ) exists on the list, B returns M = M. Otherwise, B outputs ⊥.
returns d0i as the SEM-key and (w0i , w1i , d1i ) as the
partial public key. 2) Otherwise, B searches the H3 list for a tuple
Otherwise, B runs the simulation algorithm for (Mi , σi , IDi , Ui ), ri , where C1 = gri ,
2) r
public key request by using IDi as input. C2 = (Mi ||σi ) ⊕ H4 Ui ri ⊕ H5 w0ii · yH1 (IDi ,w0i )·ri
ri
and C3 = H6 Ui , (Mi ||σi ) ⊕ H4 Ui , C1 , C2 . B
• In case of coin = 0, B searches the partial
returns the corresponding Mi if such a tuple exists.
key list of the form IDi , d0i , (w0i , w1i , d1i ) and
Otherwise, B outputs ⊥.
returns d0i as the SEM-key.
Challenge Phase: AI outputs ID∗ and two messages
• In case of coin = 1, B aborts.
M0 , M1 on which it wishes to be challenged. On receiv-
∗
Private Key Extraction: B maintains a private key list ing ID ∗, B ∗ searches the public key list for the tuple
of tuples IDi , zi . On receiving such a query on IDi , B ID , U , w0 , w∗1 , d∗1 , coin. Then B responds as follows:
∗
responds as follows:
1) If coin = 0, B aborts the game.
1) If a tuple IDi , zi exists on the list, B returns zi as
2) Otherwise, B performs the following actions:
the private key.
2) Otherwise, B runs the simulation algorithm for
• B picks σ ∗ ∈R {0, 1}k0 , β ∈R {0, 1} and
public key request by using IDi as input.
C∗2 , C∗3 ∈R {0, 1}n+k0 .
• B sets C∗1 = gb , e∗0 = H1 (ID∗ , w∗0 ), b = H3 (M β,
• In case of coin = 0, B searches the partial key ∗b
∗ ∗ ∗ ∗b e∗0 b
list IDi , zi and returns zi as the private key. σ , ID , U ), c = H4 U , H5 w0 · y =
• In case of coin = 1, B aborts. C∗2 ⊕ (Mβ||σ ∗ ) ⊕ c and H6 U∗ || Mβ ||σ ∗
⊕c||C∗1 ||C∗2 = C∗3 .
Public Key Replacement: AI can replace the pub-
• B outputs C∗1 , C∗2 , C∗3 as the challenge cipher-
lic key of any user IDi , (Ui , w0i , w1i ,d1i ) with any text. According to the above construction,
value Ui , w0i , w1i , d1i of its choice. If w0i, w1i , d1i
= ∗
C∗2 = (Mβ ||σ ∗ ) ⊕ H4 U∗b ⊕ H5 w∗b · y e0 b =
(w0i , w1i , d1i ) but it satisfies gd1i = w1i · yH2 IDi ,w0i ,w1i , B ∗ 0
∗
aborts. Otherwise, B records the change. (Mβ ||σ ∗ ) ⊕ H4 (U∗b ) ⊕ H5 gbs0 · gabe0 .
SEO ET AL.: AN EFFICIENT CERTIFICATELESS ENCRYPTION FOR SECURE DATA SHARING IN PUBLIC CLOUDS 2113
Phase 2: B continues to respond to AI ’s requests in the 1 1 (1 − δ)qpubR q6 q4
≥ Pr Ask H∗5 ≥ − − k
same way as it did in Phase 1. AI cannot make a SEM- q5 q5 e(qsem + qpri + 1) 2k0 20
Key Extraction query or a Private Key Extraction query
on q3 q D + qD U
ID∗ . For the combination of ID∗ and U∗ , w∗0 , w∗1 , d∗1 used − k − S .
20 q
to encrypt Mβ , AI should not make decryption query on
C∗1 , C∗2 , C∗3 . The running time of the B who is the CDH attacker
Guess: Eventually, AI outputs its guess. B chooses is bounded by T = max{t + (q1 + q2 + q3 + q4 + q5 +
a random pair B, h from the H5 list and outputs q6 )O(1) + (qpub + qpubR + qDS + qDU )(5texp + O(1)), cq2 t/},
1∗
e where texp denotes the time for computing exponentiation
B
bs ∗
0
= gab as the solution to the CDH problem. in Z∗p , and c is constant greater than 120,686 assuming that
g 0
Analysis. First of all, we evaluate the simulation of the ≥ 10(qsem + 1)(qsem + q2 )/q. This estimation is from the
random oracles given above. It is evident that the simula- result of [21].
tions of H1 and H2 are perfect through the constructions Lemma 2. Suppose that the hash functions Hi (i = 1, 2, 3,
of H1 and H2 . Moreover, as long as AI does not query 4, 5, 6) are random oracles and there exists a Type II IND-
e∗0 b
(Mβ , σ ∗ , ID∗ , U∗ ) to H3 nor U∗b to H4 nor w∗b 0 ·y to H5 CCA adversary AII against the mCL-PKE scheme with
nor U∗ ||(Mβ ||σ ∗ ) ⊕ c||C∗1 ||C∗2 to H6 , the simulations of H3 , advantage ε when running in time t, making qpub pub-
H4 , H5 and H6 are perfect. Let AskH3∗ denote the event that lic key requests queries, qsem SEM-key extraction queries,
(Mβ , σ ∗ , ID∗ , U∗ ) has been queried to H3 , AskH4∗ denote the qpri private key extraction queries, qpubR public key replace-
event that U∗b has been queried to H4 , AskH5∗ denote the ment queries, qDS SEM decryption queries, qDU USER
e∗0 b
event that w∗b 0 · y has been queried to H5 and AskH6∗ decryption queries and qi random oracle queries to Hi
denote the event that U∗ ||(Mβ ||σ ∗ ) ⊕ c||C∗1 ||C∗2 has been (1 ≤ i ≤ 6). Then, there exists an algorithm B to solve
queried to H6 . the CDH problem with advantage ≥ q14 Pr AskH4∗ ≥
qDS +qDU
The simulated challenge ciphertext is identically dis- 1 q6 q5 q3
tributed as the real one, because H3 , H4 , H5 and H6 are q4 e(qpri +1) − 2k0 − 2k0 − 2k0 − q running in time
random oracles. Now we evaluate the simulation of the T < t + (q1 + q2 + q3 + q4 + q5 + q6 )O(1) + (qpub + qDS +
decryption oracle. As to the simulation of decryption qDU )(4texp +O(1)), where texp denotes the time for computing
oracle, B will wrongly reject a valid ciphertext during exponentiation in Z∗p .
qDS +qDU
the simulation with probability smaller than . Proof. Let AII be a Type II IND-CCA adversary against
q
qDS +qDU the mCL-PKE scheme. By using AII , we show how
That is, Pr[DecErr] ≤ , where DecErr denotes
q to construct an algorithm B to solve the CDH prob-
the event that B rejects a valid ciphertext during the
lem.
a Suppose
that B is given a random instance
simulation.
g, g , gb of the CDH problem. B chooses x ∈R
Let E = (AskH6∗ ∨ AskH5∗ ∨ AskH4∗ ∨ AskH3∗ ∨
Z∗q , computes y = gx and simulates the SetUp
DecErr)|¬Abort. If E does not happen during the simula-
algorithm of the mCL-PKE scheme by supplying
tion, B will not gain any advantage greater than 1/2 to
AII with (p, q, n, k0 , g, y, H1 , H2 , H3 , H4 , H5 , H6 ), where
guess β, because of the randomness of the output of H5 .
H1 , H2 , H3 , H4 , H5 , H6 are random oracles controlled by
In other words, Pr[β = β|¬E] ≤ 1/2. We obtain Pr[β =
B. B can simulate the Challenger’s execution of each
β] = Pr[β = β|¬E]Pr[¬E] + Pr[β = β|E]Pr[E] ≤ 12 Pr[¬E] +
phase of Game. AII may make queries to Hi (1 ≤ i ≤ 6)
Pr[E] = 12 + 12 Pr[E]. at any time during its attack and B responds as follows:
By definition of , we have ≤ 2 Pr[β = β] − 12 ≤ H1 queries: B maintains a H1 list of tuples
Pr[AskH6∗ ]+Pr[AskH5∗ ]+Pr[AskH4∗ ]+Pr[AskH3∗ ]+Pr[DecErr] (IDi , w0i ), e0i . On receiving a query on (IDi , w0i ), B does
Pr[E] ≤ Pr[¬Abort] .
the following:
The probability that B does not abort during the simula-
tion is given by γ qsem +qpri (1 − γ )(1 − δ)qpubR . This probability 1) If (IDi , w0i ), e0i is on the H1 list, B returns e0i .
is maximized at γ = 1 − qsem +q1 +1 . Therefore, we have 2) Otherwise, B chooses e0i ∈R Z∗q , adds (IDi , w0i ), e0i
pri
qpubR
to the H1 list and returns e0i .
Pr[¬Abort] ≥ e(q(1−δ)
sem +qpri +1)
, where e denotes the base of the
H2 queries: B maintains a H2 list of tuples (IDi , w0i ,
natural logarithm. w1i ), e1i . On receiving a query on (IDi , w0i , w1i ), B first
Hence, we ∗ ≥ Pr
obtain the following
Pr AskH 5 checks if (IDi , w0i , w1i ), e1i is on the H2 list, return e1i .
[¬Abort]−Pr AskH6∗ −Pr AskH4∗ −Pr AskH3∗ −Pr[DecErr] Otherwise, B picks e1i ∈R Z∗q , adds (IDi , w0i , w1i ), e1i to
the H2 and returns e1i .
(1 − δ)qpubR q6 q4 q3 q D + qD U H3 queries: B maintains a H3 list of tuples (Mi , σi , IDi ,
≥ − k − k − k − S . Ui ), ri . On receiving a query on (Mi , σi , IDi , Ui ), B first
e(qsem + qpri + 1) 2 0 2 0 2 0 q
checks if (Mi , σi , IDi , Ui ), ri is on the H3 list, return ri .
Otherwise, B picks ri ∈R Z∗q and returns ri .
If AskH5∗ happens, then AI will be able to distinguish the H4 queries: B maintains a H4 list of tuples A, h1 . On
simulation from the real one. AI can tell that the challenge receiving a query on A, B first checks if A, h1 is on the
e∗0 b
ciphertext C∗ by the simulation is invalid. H5 w∗b 0 · y H4 list, return h1 . Otherwise, B picks h1 ∈R {0, 1}n+k0 ,
has been recorded on the H5 list. Then, B wins if it chooses adds A, h1 to the H4 and returns h1 .
the correct element from the H5 list. Therefore, we obtain H5 queries: B maintains a H5 list of tuples B, h2 . On
the advantage for B to solve the CDH problem. receiving a query on A, B first checks if B, h2 is on the
2114 IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 26, NO. 9, SEPTEMBER 2014
H5 list, return h2 . Otherwise, B picks h2 ∈R {0, 1}n+k0 , USER-Decryption queries: This query should be per-
adds B, h2 to the H5 list and returns h2 . formed after SEM-Decryption query performing. AII
H6 queries: B maintains a H6 list of tuples can request B to perform User-decryption for C1 , C2 for
(Ui , C, D, E), h3 . On receiving a query on (Ui , C, D, E), IDi . B searches the public key list taking IDi as input
B first checks if (Ui , C, D, E), h3 is on the H6 list, return to get IDi , (Ui , w0i , w1i , d1i ), zi , coin. Then B responds as
h3 . Otherwise, B picks h3 ∈R {0, 1}n+k0 and returns h3 . follows:
Phase 1: AII launches Phase 1 of its attack by making
1) If coin = 0,
a series of requests, each of which is either a Public Key
Request, a Private Key Extraction, a SEM-Decryption or • B searches private key list of tuples IDi , zi .
a USER-Decryption query. • B computes C1 zi and H4 (C1 zi ).
Compute SEM-Key: AII computes the SEM-key d0i • Bparses M and σ fromM ||σ = H4 (C1 zi )⊕C2 .
and the partial public key (w0i , w1i , d1i ) for IDi , B keeps • B computes r = H3 (M ||σ ||IDi ||Ui ), gr .
IDi , d0i , (w0i , w1i , d1i ) to the partial key list. • B checks if gr = C1 , it returns M = M.
Public Key Request: B maintains a public key list of Otherwise, B outputs ⊥.
tuples IDi , (Ui , w0i , w1i , d1i ), coin. On receiving a query
2) Otherwise, B searches the H3 list for
on IDi , B responds as follows:
(Mi , σi , IDi , Ui ), ri satisfying C1 = gri , C2 =
r
1) If IDi , (Ui , w0i , w1i , d1i ), coin is on the public key (Mi ||σi ) ⊕ H4 Ui ri ⊕ H5 w0ii · yH1 (IDi ,w0i )·ri and
list, B returns (Ui , w0i , w1i , d1i ). ri
C3 = H6 (Ui , (Mi ||σi ) ⊕ H4 Ui , C1 , C2 ). B returns
2) Otherwise, B picks coin ∈ {0, 1} with Pr[coin = 0] = the corresponding Mi if such a tuple exists.
γ (γ will be determined later). Otherwise, outputs ⊥.
• In case of coin = 0, B chooses zi ∈R Z∗q , com- Challenge Phase: AII outputs ID∗ and M0 , M1 on
pute Ui = gzi . Then, it searches the partial key which it wishes to be challenged. B runs the simulation
list to get the partial public key (w0i , w1i , d1i ), algorithm for public key request taking ID∗ as input to
adds IDi , (Ui , w0i , w1i , d1i ), zi , coin to the get ID∗ , U∗ , w∗0 , w∗1 , d∗1 , zi , coin. Then B performs as
public key list and returns (Ui , w0i , w1i , d1i ). follows:
• In case of coin = 1, B sets Ui = ga . 1) If coin = 0, B aborts the game.
Then, it searches the partial key list to get 2) Otherwise, B performs the following actions:
the partial public key (w0i , w1i , d1i ), adds
IDi , (Ui , w0i , w1i , d1i ), ?, coin to the public key • B picks σ ∗ ∈R {0, 1}k0 , β ∈R {0, 1} and
list and returns (Ui , w0i , w1i , d1i ). C∗2 , C∗3 ∈R {0, 1}n+k0 .
• B sets C∗1 = gb , e∗0 = H1 (ID∗ , w∗0 ), b =
Private Key Extraction: B maintains a private key H3 (Mβ , σ ∗ , ID∗ , U∗ ), c = H4 (U∗b ), H5 (w∗b 0 ·
∗
list of tuples IDi , zi . On receiving a query on IDi , B ye0 b ) = C∗2 ⊕ (Mβ ||σ ∗ ) ⊕ c and H6 (U∗ ||
responds as follows: (Mβ ||σ ∗ ) ⊕ c||C∗1 ||C∗2 ) = C∗3 .
1) If IDi , zi exists on the private key list, B returns zi . • B outputs C∗1 , C∗2 , C∗3 as the challenge cipher-
2) Otherwise, B runs the simulation algorithm for pub- text. According to the above construction,
∗
lic key request by using IDi as input in order to get C∗2 = (Mβ ||σ ∗ ) ⊕ H4 (U∗b ) ⊕ H5 w∗b · y e0 b =
a tuple IDi , (Ui , w0i , w1i , d1i ), zi , coin. 0
e∗0 b
(Mβ ||σ ∗ ) ⊕ H4 (gab ) ⊕ H5 w∗b 0 ·y
• In case of coin = 0, B returns zi .
Phase 2: B continues to respond to AII ’s requests in
• In case of coin = 1, B aborts.
the same way as it did in Phase 1. AII cannot make a
SEM-Decryption queries: AII can request B to Private Key Extraction queries on ID∗ . For ID∗ , if any
decrypt partially C = (C1 , C2 , C3 ) for IDi . B runs the decryption query is equal to the challenge ciphertext
simulation algorithm for public key request taking IDi C∗1 , C∗2 , C∗3 , then B aborts.
as input to get IDi , (Ui , w0i , w1i , d1i ), zi , coin. Then, B Guess: Eventually, AII outputs its guess. B chooses
performs the following: a random
pair A, h from the H4 list and outputs
U∗b = gab as the solution to the CDH problem.
1) If coin = 0, B searches the partial key list and the Analysis. First of all, we evaluate the simulation of
private key list for a tuple IDi , (d0i , zi ). Then, it the random oracles given above. It is evident that the
d
computes C1 d0i and C2 ⊕H4 C10i . B checks whether simulations of H1 and H2 are perfect through the con-
d structions of H1 and H2 . Moreover, as long as AII does
C3 = H6 (Ui , C2 ⊕ H4 C10i , C1 , C2 ). If it is valid, B
not query (Mβ , σ ∗ , ID∗ , U∗ ) to H3 nor U∗b to H4 nor
d
returns C2 = C2 ⊕H4 C10i . Otherwise, B outputs ⊥. e∗0 b
w∗b
0 ·y to H5 nor U∗ ||(Mβ ||σ ∗ ) ⊕ c||C∗1 ||C∗2 to H6 , the
2) Otherwise, B searches the H3 list for a tuple simulations of H3 , H4 , H5 and H6 are perfect.
(Mi , σi , IDi , U
i ),rri satisfying 1 = g
ri H C(ID , C2 =
ri Let AskH3∗ denote the event that (Mβ , σ ∗ , ID∗ , U∗ ) has
(Mi ||σi ) ⊕ H4 Ui ⊕ H5 w0i · y
i 1 ,w )·r
i 0i i and C =
3 been queried to H3 , AskH4∗ denote the event that U∗b has
e∗0 b
been queried to H4 , AskH5∗ denote the event that w∗b
r
H6 (Ui , (Mi ||σi ) ⊕ H4 (Ui i ), C1 , C2 ). B returns the cor- 0 ·y
responding C2 = (Mi ||σi ) ⊕ H4 (Ui ri ) if such a tuple has been queried to H5 and AskH6∗ denote the event that
exists. Otherwise, B outputs ⊥. U∗ ||(Mβ ||σ ∗ ) ⊕ c||C∗1 ||C∗2 has been queried to H6 .
SEO ET AL.: AN EFFICIENT CERTIFICATELESS ENCRYPTION FOR SECURE DATA SHARING IN PUBLIC CLOUDS 2115
on the field of the hash function output, we break the input for message sizes above 16K bytes. A similar observation is
into multiple blocks, and the block number is dynamically made for the decryption algorithm, as shown in Fig. 9. This
adjusted. For each block, we execute SHA1, convert the observation is consistent with the fact that our scheme uses
output into decimal numbers, say a1 , a2 , . . . , an . If the out- an efficient hash function and XOR operations to perform
put field is Z∗q , then we compute (a1 ||a2 ||a3 || · · · ||an ) mod q, encryption and decryption whereas their scheme uses more
where || denotes the concatenation operation, to get the expensive constructs.
final result of the hash function. This operation is very effi-
cient even if other hash functions are used. According to
our experimental results, it takes less than 1 ms to do this
6 R ELATED W ORK
operation for a message of size 16KB. 6.1 Security Mediated CL-PKE
Fig. 6 shows the time required to perform the encryption In 2003, Al-Riyami and Paterson [2] introduced a
operation in the mCL-PKE scheme for different message Certificateless Public Key Cryptography (CL-PKC). Since
sizes. Since our scheme does not use pairing operations, each user holds a combination of KGC produced par-
it performs encryption efficiently. As can be seen from the tial private key and an additional user-chosen secret, the
graph, the encryption time increases linearly as the mes- key escrow problem can be resolved. As the structure of
sage size increases. As the bit length of q increases, the CL-PKC guarantees the validity of the user’s public key
cost increases non-linearly since the encryption algorithm without the certificate, it removes the certificate manage-
performs exponentiation operations. A similar observation ment problem. Since the advent of CL-PKC [2], many
applies to the the SEM decryption and user decryption. CL-PKE schemes have been proposed based on bilinear
We also implemented the improved scheme where the pairings. The computational cost required for pairing is still
data owner performs only one encryption per data item considerably high compared to standard operations such
and creates a set of intermediate keys that allows autho- as modular exponentiation in finite fields. To improve effi-
rized users to decrypt the data, as described in Section 4. ciency, Sun et al. [25] presented a strongly secure CL-PKE
In Fig. 7, we compare the time to perform encryption and without pairing operations. However, previous CL-PKE
decryption in the basic scheme and the improved scheme as schemes could not solve the key revocation problem. In
the number of users who can access the same data increases public key cryptography, we should consider scenarios
from 10 to 50. We fixed the length of q to 1, 024 bits and where some private keys are compromised. If the private
the message size to 16KB. It is evident from the graph that keys are compromised, then it is no longer secure to use
as more users are allowed to access the same data item, the corresponding public keys. To address this problem,
the better the improved scheme performs compared to the Boneh et al. [6] proposed the concept of mediated cryptog-
basic scheme. The cost of the basic scheme is high since the raphy to support immediate revocation. The basic concept
encryption algorithm is executed for each user. of the mediated cryptography is to utilize a security medi-
Finally we implemented Lei et al. [16]’s CL-PRE scheme ator (SEM) which can control security capabilities for every
based on pairing. According to the results reported in their transaction. Once the SEM is notified that a user’s public
paper, proxy-encryption takes 7-8ms to encrypt a message key should be revoked, it can immediately stop the user’s
with length 3K bits. We reimplemented their scheme using participation in a transaction. Chow et al. [9] introduced
the PBC-library [17]. Our implementation of their scheme the notion of security-mediated certificateless cryptogra-
is actually more efficient and the time for encrypting a phy and presented a mediated CL-PKE relying on pairing
message of 8K Bytes is about 3ms. We then compared operations. Yang et al. [26] first proposed a mediated CL-
our scheme with their scheme for encryption. Even with PKE without pairings. Unfortunately, Yang et al.’s scheme
the improved implementation, as shown in Fig. 8, our was found to be insecure against partial decryption attack,
encryption algorithm is more efficient than their algorithm since their security model did not consider the capabilities
of the adversary in requesting partial decryptions. Thus, a by combining oblivious transfer and anonymous creden-
secure mediated CL-PKE without pairings is needed. Our tials. The goal of such work is similar to ours but we
proposed pairing-free mediated CL-PKE scheme is secure identify the following limitations. Each transfer protocol
against the partial decryption attack. allows one to access only one record from the database,
whereas our approach does not have any limitation on
6.2 Functional Encryption the number of records that can be accessed at once since
Functional encryption allows one to encode an arbitrary we separate the access control from the authorization. Yu
complex access control policy with the encrypted message. et al. [27] proposed an approach based on ABE utiliz-
The message can then be decrypted only by the users ing PRE (Proxy Re-Encryption) to handle the revocation
satisfying the encoded policy. In predicate encryption with problem of ABE. The approach still does not solve the
public index, the policy under which the encryption is key escrow and revocation problems. Further, it is based
performed is public. Unlike public key cryptosystems, the on pairing based cryptography whereas we avoid pairing
public key is not a random string but some publicly known operations.
values such as ID that bind to users. Attribute based Recently, Lei et al. [16] proposed the CL-PRE
encryption (ABE) introduced by Sahai and Waters [22] is a (Certificateless Proxy Re-Encryption) scheme for pub-
more expressive predicate encryption with a public index. lic cloud computing environments. While Lei et al.’s
It can be considered as a generalization of IBE. In ABE, CL-PRE scheme solves the key escrow problem and
the public keys of a user are described by a set of identity certificate management, it utilizes expensive pairing oper-
attributes the user has. Key Policy ABE (KP-ABE) [13] and ations. Further, their scheme only achieves CPA (Chosen
Ciphertext Policy ABE (CP-ABE) [5] are two popular exten- Plaintext Attack) security which is not sufficient to protect
sions of ABE. An ABE based approach supports expressive real-world applications. They do not establish a strong
Access Control Policies (ACPS). However, such approach security model with two types of adversaries. In CPA, the
suffers from some major drawbacks. Whenever the group ability of the adversary is limited to obtaining ciphertexts
dynamic changes, the rekeying operation requires to update of plaintexts of their choice. Therefore CPA is too weak
the private keys given to existing members in order to pro- to be considered viable for real-world applications. In
vide backward/forward secrecy. Further, the ABE scheme contrast with Lei et al.’s scheme, our proposed scheme
suffers from the key escrow problem. Predicate encryption achieves CCA (Chosen Ciphertext Attack) security. Under
schemes without public index such as Anonymous IBE [1], CCA, the ability of an adversary is more powerful than
[14], Hidden Vector Encryption [7], and Inner product pred- the ability of the adversary under CPA. In addition to the
icate [15] preserve the privacy of the access control policies. public key, the adversary under CCA is given access to a
Even though they preserve the privacy of the policy, they “decryption oracle" which decrypts arbitrary ciphertexts at
have limited expressibility compared to the former schemes the adversary’s request, returning the plaintext. Moreover,
and also suffer from the same limitations as the former our scheme does not utilize bilinear pairings to improve
schemes. efficiency.
[3] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, “Relations Seung-Hyun Seo is a Post-Doctoral Researcher
among notions of security for public-key encryption schemes,” of computer science at Purdue University since
in Proc. Crypto ’98, H. Krawczyk Ed. Springer-Verlag, LNCS 2012 and has been a Senior Researcher at
1462. KISA (Korea Internet and Security Agency)
[4] E. Bertino and E. Ferrari. “Secure and selective dissemination of since 2010. Before joining KISA, she was a
XML documents,” ACM TISSEC, vol. 5, no. 3, pp. 290–331, 2002. Researcher for 3 years with FSA (Financial
[5] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy Security Agency), Korea. She received the BS,
attribute-based encryption,” in Proc. 2007 IEEE Symp. SP, MS, and PhD degrees from Ewha Womans
Taormina, Italy, pp. 321–334. University, Korea in 2000, 2002, and 2006,
[6] D. Boneh, X. Ding, and G. Tsudik, “Fine-grained control of respectively. Her current research interests
security capabilities,” ACM Trans. Internet Technol., vol. 4, no. 1, include cryptography, mobile security, secure
pp. 60–82, Feb. 2004. cloud computing, and malicious code analysis. She is a member of the
[7] D. Boneh and B. Waters, “Conjunctive, subset, and range IEEE.
queries on encrypted data,” in Proc. 4th TCC, Amsterdam, The
Netherlands, 2007, pp. 535–554.
[8] J. Camenisch, M. Dubovitskaya, and G. Neven, “Oblivious trans-
fer with access control,” in Proc. 16th ACM Conf. CCS, New York,
NY, USA, 2009, pp. 131–140.
[9] S. S. M. Chow, C. Boyd, and J. M. G. Nieto, “Security-
mediated certificateless cryptography,” in Proc. 9th Int.
Conf. Theory Practice PKC, New York, NY, USA, 2006, Mohamed Nabeel is a Post-Doctoral
pp. 508–524. Researcher of computer science at Purdue
[10] S. Coull, M. Green, and S. Hohenberger, “Controlling access to University and a Fulbright Alumnus from Sri
an oblivious database using stateful anonymous credentials,” in Lanka. He received the PhD degree in 2012
Irvine: Proc. 12th Int. Conf. Practice and Theory in PKC, Chicago, IL, from Purdue University. His current research
USA, 2009, pp. 501–520. interests include distributed systems security
[11] I. Dropbox. Dropbox [Online]. Available: and applied cryptography. He is a member of the
https://www.dropbox.com/ IEEE.
[12] The gnu multiple precision arithmetic library [Online]. Available:
http://gmplib.org/
[13] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based
encryption for fine-grained access control of encrypted data,”
in Proc. 13th ACM Conf. CCS, New York, NY, USA, 2006,
pp. 89–98.
[14] C. Gu, Y. Zhu, and H. Pan, “Information security and cryptology,”
in 4th Int. Conf. Inscrypt, Beijing, China, 2008, pp. 372–383.
[15] J. Katz, A. Sahai, and B. Waters, “Predicate encryption Xiaoyu Ding is a PhD candidate in the
supporting disjunctions, polynomial equations, and inner Department of Computer Science, Purdue
products,” in Proc. EUROCRYPT, Berlin, Germany, 2008. University, West Lafayette, IN, USA. He received
pp. 146–162. the BE degree from Wuhan University, China in
[16] X. W. Lei Xu and X. Zhang, “CL-PKE: A certificateless proxy re- 2011. He joined the Department of Computer
encryption scheme for secure data sharing with public cloud,” in Science at Purdue University in 2011. His cur-
ACM Symp. Inform. Comput. Commun. Security, 2012. rent research interests include cryptography and
[17] B. Lynn. Pairing-based cryptography [Online]. Available: access control. He is a student member of the
http://crypto.stanford.edu/pbc IEEE.
[18] Microsoft Co. Ltd. Microsoft skydrive [Online]. Available:
https://skydrive.live.com/
[19] G. Miklau and D. Suciu, “Controlling access to published data
using cryptography,” in Proc. 29th Int. Conf. VLDB, Berlin,
Germany, 2003, pp. 898–909.
[20] M. Nabeel, N. Shang, and E. Bertino, “Privacy preserving policy
based content sharing in public clouds,” IEEE Trans. Knowl. Data
Eng., vol. 25, no. 11, pp. 2602–2614, Sept. 2012.
[21] D. Pointcheval and J. Stern, “Security arguments for digital Elisa Bertino is a Professor of computer science
signatures and blind signatures,” J. Cryptology, vol. 13, no. 3, at Purdue University and serves as Director of
pp. 361–396, 2000. Purdue Cyber Center (Discovery Park) and as
[22] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” LNCS Research Director of CERIAS. Previously, she
3494 in Proc. EUROCRYPT, Aarhus, Denmark, 2005, pp. 457–473. was a Faculty Member with the Department of
[23] N. Shang, M. Nabeel, F. Paci, and E. Bertino,“A privacy- Computer Science and Communication in the
preserving approach to policy-based content dissemination,” in University of Milan. Her current research inter-
Proc. 2010 IEEE 26th ICDE, Long Beach, CA, USA, pp. 944–955. ests include security, privacy, digital identity man-
[24] V. Shoup. NTL library for doing number theory [Online]. Available: agement systems, database systems, distributed
http://www.shoup.net/ntl/. systems, and multimedia systems. She is a fel-
[25] Y. Sun, F. Zhang, and J. Baek, “Strongly secure certificateless pub- low of the IEEE and ACM. She received the
lic key encryption without pairing,” in Proc. 6th Int. Conf. CANS, 2002 IEEE Computer Society Technical Achievement Award for out-
Singapore, 2007, pp. 194–208. standing contributions to database systems and database security and
[26] C. Yang, F. Wang, and X. Wang,“Efficient mediated certificates advanced data management systems and the 2005 IEEE Computer
public key encryption scheme without pairings,” in AINAW, Society Tsutomu Kanai Award for pioneering and innovative research
Niagara Falls, ON, May. 2007, pp. 109–112. contributions to secure distributed systems.
[27] S. Yu, C. Wang, K. Ren, and W. Lou,“Attribute based data sharing
with attribute revocation,” in Proc. 5th ASIACCS, New York, NY, For more information on this or any other computing topic,
USA, 2010, pp. 261–270. please visit our Digital Library at www.computer.org/publications/dlib.