
5.2 Application of Generic CCA-Secure Transformations to PRE

5.2.7 Applicability to NTRUReEncrypt

At the beginning of this section, we mentioned that our original motivation for this contribution was to improve the security notion of the schemes we proposed in the first half of this chapter. Our results are mixed: although our proposed transformations can be applied to a wide range of PRE schemes, unfortunately, they cannot be applied to our NTRU-based schemes.

The application to NTRUReEncrypt is out of scope since this scheme is not provably secure, while all our proposals require the original scheme to fulfill some predetermined security notion. In contrast, the second variant PS-NTRUReEncrypt was, indeed, proven CPA-secure under the LWE assumption.

However, it is easy to see that PS-NTRUReEncrypt does not fulfill the perfect key switching property, so it is not possible to directly apply our variant of Fujisaki-Okamoto. With respect to our REACT and GEM proposals, recall that they require the scheme to be OW-PCA, which means that the adversary should not be able to break the one-wayness even if he has access to a plaintext checking oracle. In practice, this oracle is usually implemented as a decisional oracle of the corresponding hard problem, thus forcing the scheme to rely on a gap variant of the original problem. This represents an unavoidable obstacle, since the decisional and computational versions of LWE are equivalent, as pointed out by Peikert in [146], which negates the possibility of defining a gap problem for LWE. This problem affects several schemes, such as [47, 46, 48] and our proposal PS-NTRUReEncrypt, so they cannot achieve OW-PCA security.

5.2.8 Summary

In this section we analyze the integration of generic transformations into proxy re-encryption and find both positive and negative results. On the one hand, we first describe why it is not possible to directly integrate known transformations, such as Fujisaki-Okamoto and REACT, with weakly-secure PRE schemes, due to general obstacles coming from the constructions and the security models, and we show twelve PRE schemes that are flawed as a consequence of these problems. These transformations are artifacts conceived for securing public-key encryption schemes, and cannot be used as is for proxy re-encryption due to the special nature of the re-encryption capability. On the other hand, we also show that, under some assumptions that include the satisfaction of a new property of PRE called “perfect key-switching”, the Fujisaki-Okamoto transformation can be used to generically bootstrap a weak notion of security (IND-CCA0,1) into a much stronger notion (IND-CCA2,1), in the random oracle model. However, to achieve full CCA-security (i.e., IND-CCA2,2), it appears to be necessary to apply ad hoc modifications. To illustrate our proposal, we present a PRE scheme that satisfies the conditions for applying the Fujisaki-Okamoto extension and show the resulting scheme after the transformation.

Other generic transformations for public-key encryption are also discussed for their application in proxy re-encryption. We show how the REACT and GEM transformations [18, 29] can be modified to support re-encryptions. Since the perfect key-switching property is no longer required, these proposals are potentially applicable to a wider class of schemes, which makes them very attractive. In addition, they are more efficient than the Fujisaki-Okamoto transformation, since they do not require reconstructing the ciphertext during decryption. The resulting transformations seem to achieve an intermediate notion between Replayable CCA (RCCA) and IND-CCA2,1, although it is an open issue to analyze these security definitions in detail, in order to provide a complete proof of the security of these constructions. This is left as future work.
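The two properties the summary above turns on, namely perfect key-switching and the Fujisaki-Okamoto step that reconstructs the ciphertext during decryption (the cost REACT and GEM avoid), can be made concrete with a small added example. The code below is not the thesis's scheme and not taken from any project: it assumes a toy BBS-style ElGamal proxy re-encryption over the multiplicative group of the Mersenne prime 2^127 - 1 with base 3 (assumed parameters, chosen only so that the comparison is deterministic), in which re-encrypting Enc(pk_A, m; r) yields exactly Enc(pk_B, m; r). Under that assumption the simplest Fujisaki-Okamoto-style decryption, derive r = H(m), decrypt, re-encrypt the candidate plaintext under the receiver's own public key and compare, accepts re-encrypted ciphertexts and rejects a tampered ciphertext or a ciphertext decrypted under the wrong key. All function names, seeds and the sample message are the example's own.

```python
import hashlib
from math import gcd

# Assumed toy parameters (not the thesis's scheme): arithmetic in Z_p^* for the
# Mersenne prime p = 2^127 - 1 with base g = 3; exponents are reduced mod p - 1.
P = (1 << 127) - 1
G = 3
N = P - 1


def _hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def keygen(seed: bytes):
    """Deterministic toy key pair: sk = a coprime to p-1, pk = g^a mod p."""
    a = 2 + _hash_int(b"sk", seed) % (N - 2)
    while gcd(a, N) != 1:      # a must be invertible mod p-1 for decryption
        a += 1
    return a, pow(G, a, P)


def rekeygen(sk_a: int, sk_b: int) -> int:
    """Re-encryption key rk_{A->B} = b * a^{-1} mod (p-1) (BBS-style, bidirectional)."""
    return sk_b * pow(sk_a, -1, N) % N


def base_enc(pk: int, m: int, r: int):
    """Base scheme with explicit randomness r: Enc(pk, m; r) = (m * g^r, pk^r)."""
    return (m * pow(G, r, P) % P, pow(pk, r, P))


def base_dec(sk: int, c):
    c1, c2 = c
    k = pow(c2, pow(sk, -1, N), P)   # (g^{a r})^{1/a} = g^r
    return c1 * pow(k, -1, P) % P


def reenc(rk: int, c):
    """Proxy step: (m g^r, g^{a r}) -> (m g^r, g^{b r}), i.e. exactly Enc(pk_B, m; r).
    This equality is the perfect key-switching property the FO check relies on."""
    c1, c2 = c
    return (c1, pow(c2, rk, P))


def has_perfect_key_switching(pk_b: int, rk: int, m: int, r: int, c_a) -> bool:
    """ReEnc(rk, Enc(pk_A, m; r)) == Enc(pk_B, m; r) for this (m, r, ciphertext)."""
    return reenc(rk, c_a) == base_enc(pk_b, m, r)


# --- Fujisaki-Okamoto-style layer: make the randomness a function of m -------
def fo_randomness(m: int) -> int:
    return _hash_int(b"fo", m.to_bytes(16, "big")) % N


def fo_enc(pk: int, msg: bytes):
    """msg: 1..15 bytes with a non-zero first byte, so it round-trips via an int < p."""
    m = int.from_bytes(msg, "big")
    if not (0 < m < P) or len(msg) > 15 or msg[0] == 0:
        raise ValueError("message does not fit the toy message space")
    return base_enc(pk, m, fo_randomness(m))


def fo_dec(sk: int, pk: int, c):
    """Decrypt, then rebuild the ciphertext under *this* receiver's pk and compare.
    Returns None (reject) unless c is exactly what Enc(pk, m; H(m)) produces."""
    m = base_dec(sk, c)
    if base_enc(pk, m, fo_randomness(m)) != c:
        return None
    return m.to_bytes(16, "big").lstrip(b"\x00")


def demo():
    sk_a, pk_a = keygen(b"alice")
    sk_b, pk_b = keygen(b"bob")
    rk = rekeygen(sk_a, sk_b)
    msg = b"hello pre"                    # constructed sample message
    m = int.from_bytes(msg, "big")
    c_a = fo_enc(pk_a, msg)
    c_b = reenc(rk, c_a)                  # proxy re-encrypts for Bob
    tampered = (c_b[0] * G % P, c_b[1])   # one group element altered in transit
    return {
        "alice_decrypts_original": fo_dec(sk_a, pk_a, c_a),
        "bob_decrypts_reencrypted": fo_dec(sk_b, pk_b, c_b),
        "key_switching_holds": has_perfect_key_switching(pk_b, rk, m, fo_randomness(m), c_a),
        "bob_rejects_tampered": fo_dec(sk_b, pk_b, tampered),
        "alice_rejects_bobs_ciphertext": fo_dec(sk_a, pk_a, c_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The reconstruction cost that REACT and GEM avoid is visible in fo_dec: every decryption re-runs base_enc. If the re-encryption step did not return exactly Enc(pk_B, m; H(m)), for instance because it re-randomized r, the equality in fo_dec would fail for every re-encrypted ciphertext, which is why the transformation cannot be applied directly to schemes without the perfect key-switching property.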

Other future lines of research include working towards concrete estimations of the obtained security level of the extended Fujisaki-Okamoto transformation. Finally, the transformations discussed here are all defined for the random oracle model. It is an open problem to devise generic transformations that are valid in the standard model.

Applications of Proxy Re-Encryption

The final part of this thesis is devoted to concrete applications of proxy re-encryption. In the introduction of this thesis we presented the secure data sharing scenario as our motivating starting point. Section 3 further discusses this scenario, as it is often addressed in the applications of PRE in the current scientific literature. This fact is in line with one of the research postulates of this thesis, namely, that PRE is a suitable tool within solutions to the secure data sharing scenario. The applications presented in this chapter can be seen as particular instantiations of this generic setting, all of them solved using proxy re-encryption.

The first application is a privacy-preserving model for Identity Management as a Service, called BlindIdM. In this model, identity information is stored encrypted at cloud identity providers and processed in a blind manner, which removes the necessity of trusting that the cloud identity provider will not read the data. One of the prime aspects of this model is that it is integrated with standard identity management protocols, in particular with the SAML 2.0 framework.

The second application is inspired by one of the application use cases discussed in the introduction to this thesis: the case of Big Data Analytics in the cloud. We show here a cryptographically-enforced access control system for Hadoop, which is one of the most prominent Big Data Analytics frameworks in use nowadays. In this system, the data is in encrypted form and the owner can delegate access rights to computing clusters in the cloud for processing.

These two applications are obvious instances of the generic secure data sharing scenario: encrypted information is stored and managed by a semitrusted cloud provider. In contrast, the third application is a less evident instantiation, since it describes the construction of an escrowed decryption system using proxy re-encryption. The basic idea is to use the conventional PKE-based functions of the PRE scheme as a regular PKE scheme, and to use the re-encryption function to define an escrowed decryption capability. A differential aspect of this proposal is that this capability is distributed among a set of trusted parties called escrow custodians, which can respond to petitions from escrow authorities (e.g., the government) by re-encrypting ciphertexts; only if all of the custodians participate in this process can the escrow authority achieve the escrowed decryption.

6.1 BlindIdM: Privacy Preserving Identity Management as a Service

6.1.1 Introduction

Cloud computing has recently burst onto the technology and business scenes, promising great technical and economic advantages. One of the principal benefits of cloud computing is that it represents a model of utility computing, capable of offering on-demand provisioning of computing resources, such as storage, processing and networking. This provision of resources is metered for billing purposes, making a “pay-as-you-go” model possible that permits companies and organizations to transform capital expenditures, such as acquisition of specific hardware, into operational expenditures; this paradigm can be contrasted with previous models, based on the acquisition of equipment and software licences. The main benefits that organisations expect from adopting the cloud computing paradigm are an improved flexibility and scalability of their IT services, as well as the resulting cost savings from the outsourcing of such services [1].

Within the internal processes of most organizations, identity management stands out for its ubiquitous nature, as it plays a key role in authentication and access control. However, it also introduces an overhead in cost and time, and in most cases, specialized applications and personnel are required for setting up and integrating identity management systems, as well as for managing identity information. As has already happened for other kinds of services, the cloud paradigm represents an innovative opportunity to externalize the identity management processes, offering what has been called Identity Management as a Service (IDaaS) [147]. Identity Management as a Service is the cloud industry’s response to the problem of identity management within companies and organizations, allowing them to outsource the identity management service from their internal infrastructures and deploy it in the cloud provider. In other words, it permits moving identity management from an on-premise delivery model to an on-demand model. Additionally, IDaaS opens up a new business opportunity for cloud providers and vendors, broadening their service offering.

As described in the introduction of this thesis, the advent of cloud computing has raised great expectations regarding efficiency, cost reduction and simplification of business processes, but at the same time has also increased security and privacy risks. This very same conflict also applies to the IDaaS case: although it offers organizations a great opportunity to cut capital costs (as well as some operational ones, such as specialized personnel), it also introduces a variant of one of the classic problems of cloud computing: the loss of control over outsourced data, which in this case is information about users’ identity. For instance, according to a recent Cisco survey of IT specialists and decision makers [148], data protection is regarded as the top barrier that impedes the migration to the cloud.

The principal motivation behind this contribution is putting the identity provider into the cloud landscape, where data storage and processing could be offered by possibly untrusted cloud providers, but still offering an identity management service that guarantees users’ privacy and control. To this end, we define BlindIdM, a privacy-preserving IDaaS model where identity information is stored and processed in a blind manner, removing the necessity of trusting that the cloud identity provider will not read the data. Such a concept is a novel contribution to both the field of identity management and privacy-enhancing technologies. Our model, which uses the standard SAML 2.0 as the underlying identity management protocol, applies proxy re-encryption techniques to achieve end-to-end confidentiality of the identity information, while allowing the cloud to provide an identity service. This can be seen as an instantiation of the secure data sharing scenario, applied to the problem of outsourcing the identity management service.