In this chapter, we have proposed a method to sign a sequence of digital documents using, as the signature primitive, a variant of the signature with message recovery scheme originally proposed by Bellare et al. [89]. We defined the security model for the signature scheme and showed that the scheme is secure in that model. The advantages of our method are:
1. Our signature scheme verifies both the authenticity and the order of each member of the sequence of documents.
2. During the verification of a signature, the scheme does not require access to all members of the documents.
3. The signature size is smaller than signing each member of the sequence using the standard RSA signature.
Proxy Re-encryption for Symmetric Key Cryptography
6.1 Introduction
Cryptography is the art and science of concealing the meaning of a text. A main technique in cryptography is encryption, which transforms the text (normally called the plaintext) into an unintelligible form (the ciphertext). The ciphertext can be securely transmitted over an insecure channel because an attacker who intercepts the ciphertext cannot infer anything about the text without the secret decryption key. Encryption is also useful for securing data at rest, for example to protect data in a local database or in an online database (the cloud). An attacker who successfully bypasses the security of the local or online database still cannot access the text without access to the decryption key.
Encryption schemes can be classified by the keys used for encryption and decryption. Symmetric encryption uses exactly the same key for encryption and decryption, while asymmetric encryption uses a pair of public and private keys.
Symmetric encryption is generally faster than asymmetric encryption, but we need to assume that the decryption keys are securely transferred to the recipients.
Many symmetric encryption schemes have been proposed, and newer schemes are increasingly good at hiding the relationships between the plaintext, the key, and the ciphertext. The existence of a function that can meaningfully alter the ciphertext (i.e., malleability) is generally regarded as a bad characteristic of a secure cryptosystem. However, in some situations we need a symmetric encryption scheme whose ciphertext can be efficiently transformed in a meaningful way. We show the applications of such symmetric encryption schemes to local and online encrypted databases as follows.
1. Fast key update in an encrypted local database. A user encrypts local files or databases as a security measure. The problem arises when the key is unintentionally leaked: the user then needs to change the encryption key. With current fast hardware, the user may use a simple decrypt-and-then-encrypt approach, first decrypting the data with the old (leaked) key and then encrypting it with a new key. However, if a large amount of data must be re-encrypted, it is desirable to have a faster method than executing these two costly computations (decrypt and encrypt).
2. Key update in an encrypted outsourced database. Recently, the cloud model (i.e., the data-as-a-service model) has been adopted by many Internet companies. The data owner can store the data in the cloud and access it from anywhere at any time. However, without additional security mechanisms, an attacker (who breaks the security of the server) and also the company itself can do anything to the data: access, update or remove it. A promising solution is to encrypt the data before storing it on the server, so that access to the data is fully controlled by the data owner.
By encrypting the data, we can also implement encryption-based access control, where access to the data is granted by providing the decryption key. The problem arises when the data owner needs to securely revoke an access: the data owner then also needs to update the encryption key. With the simple solution (decrypt-and-then-encrypt), re-encryption is a costly computation, because the data owner needs to download the data, decrypt it, encrypt it with the new key and then re-upload it to the database. A promising solution is to securely delegate a re-encryption mechanism to a semi-trusted proxy on the server.
6.1.1 Security Model
We consider an encryption scheme that can be used to encrypt data in the same way as other encryption modes (e.g., CBC, CTR). The typical usage is that the data owner encrypts the data and stores it in a storage location that can be accessed by other users or by malicious attackers. Our proposed scheme can be used to encrypt the data with some special features:
1. The encryption key can be updated directly, without having to decrypt the data with the previous key and encrypt with the new key.
2. The data owner can delegate the re-encryption process to a semi-trusted proxy (for example a cloud server) while the proxy is not allowed to access the decrypted form (plaintext). A semi-trusted proxy is a proxy that follows the algorithm correctly but is not allowed to access the sensitive data. An online database server may act as a proxy, where the data owner asks the proxy to update the key by sending it the re-encryption key.
In this usage model, we identify three types of attackers who have an interest in attacking the encryption scheme.
1. The outsiders. In terms of the encryption security model, the outsiders are the normal attackers. The outsiders do not have access to any encryption keys. In the Chosen Plaintext Attack (CPA) model, we provide the outsiders with an encryption oracle that can be used to collect pairs of chosen plaintexts/ciphertexts before playing the indistinguishability game, in which the attackers must distinguish the ciphertexts of chosen plaintexts that have not yet been queried to the encryption oracle.
2. The previous users. In our model, the previous users are the most powerful attackers, because they have had access to at least one encryption key before re-encryption. In the re-encryption process the data (plaintext) is not updated, so we also need to assume that the previous users may have access to all existing plaintexts (by storing the decrypted data from their previous accesses). The only restriction on the previous users is that they do not have access to the current encryption key or the re-encryption keys.
3. The proxy. The main feature of the encryption scheme is that we can delegate the re-encryption process (key update) to a semi-trusted proxy, but the proxy is not allowed to access the encryption key. To re-encrypt the data, the proxy must have access to the re-encryption keys. So the proxy is more powerful than the outsiders (because it has more information, namely the re-encryption keys), but less powerful than the previous users.
6.1.2 Contributions
Our main contribution is a secure symmetric encryption scheme that supports fast key update and proxy re-encryption. The idea of our scheme is to first transform the plaintext using an All-or-Nothing Transform (AONT) and then exploit some of its characteristics to implement an efficient and secure proxy re-encryption scheme. We prove the security of the scheme under the chosen plaintext attack security model. We also show that the scheme is more efficient than the decrypt-and-then-encrypt method.
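The AONT named in the contributions above, worked through as an added example. This is not code from the thesis: it implements Rivest's package transform with HMAC-SHA256 standing in for the block cipher, and the encryption layer and one-block re-keying built on top of it are an illustration of the "fast key update" and "proxy re-encryption" features of Section 6.1.1 and of the decrypt-and-then-encrypt baseline of Section 6.1, not the thesis's own construction or its proof. All function names, the public constant `K0`, the padding rule and the sample record are assumptions made here.

```python
import hashlib
import hmac
import os
from typing import List, Optional

BLOCK = 32              # pseudo-block size in bytes (one HMAC-SHA256 output); constructed choice
K0 = b"aont-public-K0"  # the transform's fixed PUBLIC key (assumed value); it hides nothing,
                        # it only makes the tail block depend on every other block


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 used as a PRF; stands in for the block cipher E_K of the transform."""
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def idx(i: int) -> bytes:
    return i.to_bytes(8, "big")


def package(msg: bytes, k_aont: Optional[bytes] = None) -> List[bytes]:
    """Rivest's package transform: n pseudo-blocks plus a tail block that hides K'."""
    padded = msg + b"\x80" + b"\x00" * ((-len(msg) - 1) % BLOCK)  # ISO/IEC 7816-4 padding
    k = k_aont if k_aont is not None else os.urandom(BLOCK)       # fresh random K' per message
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    pseudo = [xor(m, prf(k, idx(i + 1))) for i, m in enumerate(blocks)]  # m'_i = m_i XOR E_K'(i)
    tail = k
    for i, p in enumerate(pseudo):                 # m'_{n+1} = K' XOR h_1 XOR ... XOR h_n
        tail = xor(tail, prf(K0, p + idx(i + 1)))  # h_i = E_K0(m'_i, i)
    return pseudo + [tail]


def unpackage(pkg: List[bytes]) -> bytes:
    """Inverse transform. K' is only recoverable when every pseudo-block is present."""
    pseudo, tail = pkg[:-1], pkg[-1]
    k = tail
    for i, p in enumerate(pseudo):
        k = xor(k, prf(K0, p + idx(i + 1)))
    padded = b"".join(xor(p, prf(k, idx(i + 1))) for i, p in enumerate(pseudo))
    cut = padded.rfind(b"\x80")
    return padded[:cut] if cut >= 0 else padded  # garbage in, garbage out if a block is missing


# --- Encryption on top of the AONT (illustrative construction, not the thesis's scheme) ---
# Only the tail block, which carries K', is encrypted under the data key K.  The other n
# blocks are already pseudo-random without K', so a key update only has to touch one block.

def encrypt(msg: bytes, key: bytes) -> List[bytes]:
    pkg = package(msg)
    return pkg[:-1] + [xor(pkg[-1], prf(key, b"tail"))]


def decrypt(ct: List[bytes], key: bytes) -> bytes:
    return unpackage(ct[:-1] + [xor(ct[-1], prf(key, b"tail"))])


def naive_rekey(ct: List[bytes], k_old: bytes, k_new: bytes) -> List[bytes]:
    """decrypt-and-then-encrypt baseline: the data owner processes every block twice."""
    return encrypt(decrypt(ct, k_old), k_new)


def rekey_token(k_old: bytes, k_new: bytes) -> bytes:
    """Re-encryption key handed to the proxy: one block that reveals neither K nor K'."""
    return xor(prf(k_old, b"tail"), prf(k_new, b"tail"))


def proxy_reencrypt(ct: List[bytes], token: bytes) -> List[bytes]:
    """Semi-trusted proxy step: XOR the token into the tail; the n pseudo-blocks are untouched."""
    return ct[:-1] + [xor(ct[-1], token)]


if __name__ == "__main__":
    record = b"constructed sample record: account=4242, balance=17.50, owner=alice"
    k_old, k_new = os.urandom(32), os.urandom(32)
    ct = encrypt(record, k_old)
    ct2 = proxy_reencrypt(ct, rekey_token(k_old, k_new))
    print("blocks:", len(ct), "changed by proxy:", sum(a != b for a, b in zip(ct, ct2)))
    print("decrypt with new key:", decrypt(ct2, k_new) == record)
    print("decrypt with old key:", decrypt(ct2, k_old) == record)
```

Two observations worth checking against the attacker model of Section 6.1.1. The proxy sees only the ciphertext and the token (an XOR of two PRF outputs), so it learns neither the old or new data key nor K'. A previous user who had already recovered K' under the old key can still read the old pseudo-blocks, which is consistent with the chapter's assumption that previous users may hold all existing plaintexts; what the re-keying denies them is the current key, not data they already decrypted.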