
In this chapter, we have begun by introducing the practical motivation of this thesis, which is the protection of sensitive data in outsourced environments, such as the cloud. We have seen that this scenario poses several challenges from the point of view of privacy and security, and we have briefly explained the usual countermeasures. After this, our conclusion is that it is necessary to devise more advanced safeguards, based on the use of cryptographic mechanisms, in order to protect the confidentiality of sensitive data against a broader class of threats. This has led us to defend the use of proxy re-encryption as a prime example of such cryptographic mechanisms, which constitutes a central research postulate of this thesis. In this chapter, we have also given a brief overview of what proxy re-encryption is and described the main challenges associated with this cryptosystem.

Before proceeding, Chapter 2 overviews basic concepts and definitions that are used in this thesis. As a substantial part of this thesis is heavily based on provable security, here we provide a general review of this area of cryptography.

Once the essential foundations have been established, it is necessary to study the state of current research, in order to broaden our understanding of proxy re-encryption, and consequently, identify research gaps. Chapter 3 presents an analysis of the state of the art of this type of cryptosystem, not only from the perspective of specific constructions, but also applications. Firstly, we survey the main proxy re-encryption schemes so far, and provide a detailed analysis of their characteristics. In line with the goal of fostering the design of efficient systems, we also study the performance of selected schemes, both theoretically and empirically. Secondly, we review applications of proxy re-encryption, with a special focus on data sharing in the cloud. In this part we analyze in more detail our research postulate – that proxy re-encryption constitutes a feasible solution for this scenario, both from the functional and efficiency perspectives.

In Chapter 4 we study the conventional security definitions for proxy re-encryption schemes, which are based on those inherited from public key encryption (PKE). One of the principal building blocks of these security definitions is the attack model, which defines the capabilities of an adversary in a security game. PRE is inherently more complex than PKE, but attack models for PRE have not been developed further. In this respect, we define a parametric family of attack models for PRE, based on the availability of both the decryption and re-encryption oracles during the security game, that enables the definition of a set of intermediate security notions. We analyze some relations among these notions of security, and in particular, the separations that arise when the re-encryption oracle leaks re-encryption keys. In addition, we discuss which of these security notions represent meaningful adversarial models for PRE. Finally, we show how a recent PRE scheme is based on a security model that does not capture chosen-ciphertext attacks through re-encryption, and for which we describe an attack under a more realistic security notion. This attack emphasizes the fact that PRE schemes that leak re-encryption keys cannot achieve strong security notions.

Chapter 5 presents new proxy re-encryption constructions, consisting of two separate contributions. First, we explore the use of lattice-based cryptography for constructing more efficient PRE schemes. In this chapter, we present NTRUReEncrypt, a new bidirectional and multihop proxy re-encryption scheme based on NTRU [16], a widely known lattice-based cryptosystem. We give two versions of our scheme: the first one is based on the conventional NTRU encryption scheme and, although it lacks a security proof, remains as efficient as its predecessor; the second one is a provably-secure variant that is safe against chosen-plaintext attacks. For the second part, we focus on the construction of more secure PRE schemes by means of generic transformations. To this end, we study the adaptation of conventional generic transformations, such as Fujisaki-Okamoto [17] and REACT [18], originally designed to achieve CCA-security. We show that a direct and naive application of these transformations leads to flawed schemes, and give several failed examples from the literature. In addition, we propose an extension of the Fujisaki-Okamoto transformation for PRE, which achieves a weaker form of CCA-security in the random oracle model, and identify the conditions for applying it.

Chapter 6 is devoted to new applications of proxy re-encryption, with a clear focus on the secure data sharing scenario. As described in this introduction, this scenario can be seen as a generalization of different application use cases. In this chapter, we describe the integration of PRE within some of these use cases. Our first proposal is BlindIdM, a model for privacy-preserving Identity Management as a Service, with the intention of enabling organizations to outsource their identity management to the cloud in a secure way, without the cloud provider being able to read the identity information. We show how PRE can be integrated with SAML 2.0, a standard identity management protocol [19], as an example of instantiation of the BlindIdM model. A second proposal is presented next, this time focusing on the Big Data Analytics use case, as introduced in Section 1.1.1. We describe an extension to the Apache Hadoop system [20] where stored data is always encrypted and encryption keys do not need to be shared between different data sources; the use of proxy re-encryption allows stored data to be re-encrypted into ciphertexts that the cluster nodes can decrypt with their own keys when a job is submitted. The last application we present differs from the others, as it is not directly related to the cloud data sharing scenario. In Section 6.3 we describe an escrowed encryption system based on proxy re-encryption. The goal of this system is to serve as a typical public-key encryption scheme, but at the same time, the decryption procedure is escrowed by means of proxy re-encryption; a key aspect of this proposal is that the escrowed decryption can only be achieved with the collaboration of a set of trusted custodians, which are specialized entities chosen by the users.

Finally, Chapter 7 summarizes the contributions of this thesis and describes lines of future work and open research problems.