Abstract
Data stored in cloud storage sometimes requires long-term security due to its sensitivity (e.g., genome data), and therefore it also requires flexible access control over the entities that may use the data. Broadcast encryption can partially provide such flexibility by specifying privileged receivers so that only they can decrypt a ciphertext. However, once privileged receivers are specified, they can no longer be dynamically added and/or removed. In this paper, we propose a new type of broadcast encryption which provides long-term security and appropriate access control, which we call unconditionally secure revocable-storage broadcast encryption (RS-BE). In RS-BE, the privileged receivers of a ciphertext can be dynamically updated without revealing any information on the underlying plaintext. Specifically, we define a model and security notion for RS-BE, and derive tight lower bounds on the sizes of secret keys required for a one-time secure RS-BE scheme when the ciphertext size is equal to the plaintext size. Our lower bounds also apply to traditional broadcast encryption. We then construct a one-time secure RS-BE scheme with a trade-off between the sizes of ciphertexts and secret keys, and our construction for the smallest ciphertext size meets all bounds with equality. Furthermore, to detect an improper update, we consider security against modification attacks on a ciphertext, and present a concrete construction secure against this type of attack.
Notes
1. More precisely, a description of \({\mathcal {S}}\) is needed to decrypt and update the ciphertext. For simplicity, we assume that all entities share the information of \({\mathcal {S}}\), since there are various ways of sharing it (e.g., it can be sent to users over the broadcast channel, or stored on a publicly accessible authenticated bulletin board).
2. We also discuss an RS-BE scheme secure against collusion of at most \(\omega \) colluders and the storage manager under a restricted transformation rule of the storage manager’s key in Appendix B.
3. For example, when \(n=8\) and \(\delta =3\), then \({\mathcal {U}}_1:=\{ U_{1}^{(1)},U_{2}^{(1)} \}=\{U_1,U_2\}\), \({\mathcal {U}}_2:=\{ U_{1}^{(2)},U_{2}^{(2)},U_{3}^{(2)}\}=\{U_3,U_4,U_5\}\), and \({\mathcal {U}}_3:=\{ U_{1}^{(3)},U_{2}^{(3)},U_{3}^{(3)}\}=\{U_6,U_7,U_8\}\).
4. For readability, we regard \(1,2,\ldots ,\delta \) as elements of \({\mathbb {F}}_q\).
References
Ateniese, G., Burns, R., Curtmola, R., Herring, J., Khan, O., Kissner, L., Peterson, Z., Song, D.: Remote data checking using provable data possession. ACM Trans. Inf. Syst. Secur. 14(1), 12:1–12:34 (2011)
Ateniese, G., De Santis, A., Ferrara, A.L., Masucci, B.: Provably-secure time-bound hierarchical key assignment schemes. In: The 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 288–297. ACM, New York (2006)
Ateniese, G., De Santis, A., Ferrara, A.L., Masucci, B.: Provably-secure time-bound hierarchical key assignment schemes. J. Cryptol. 25(2), 243–270 (2012)
Attrapadung, N., Imai, H.: Attribute-based encryption supporting direct/indirect revocation modes. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 278–300. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10868-6_17
Ayday, E., De Cristofaro, E., Hubaux, J., Tsudik, G.: The chills and thrills of whole genome sequencing. Computer PP(99), 1 (2013)
Ayday, E., De Cristofaro, E., Hubaux, J.P., Tsudik, G.: Whole genome sequencing: revolutionary medicine or privacy nightmare? Computer 48(2), 58–66 (2015)
Barker, E., Barker, W., Burr, W., Polk, W., Smid, M.: Recommendation for key management - part 1: General (revision 3). NIST Special Publication 800-57, July 2012
Berkovits, S.: How to broadcast a secret. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 535–541. Springer, Heidelberg (1991). doi:10.1007/3-540-46416-6_50
Blom, R.: An optimal class of symmetric key generation systems. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 335–338. Springer, Heidelberg (1985). doi:10.1007/3-540-39757-4_22
Blundo, C., Cresti, A., Santis, A., Vaccaro, U.: Fully dynamic secret sharing schemes. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 110–125. Springer, Heidelberg (1994). doi:10.1007/3-540-48329-2_10
Blundo, C., Cresti, A.: Space requirements for broadcast encryption. In: Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 287–298. Springer, Heidelberg (1995). doi:10.1007/BFb0053444
Blundo, C., Mattos, L.A.F., Stinson, D.R.: Trade-offs between communication and storage in unconditionally secure schemes for broadcast encryption and interactive key distribution. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 387–400. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_29
Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 417–426. ACM, New York (2008)
Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005). doi:10.1007/11535218_16
Canetti, R., Gennaro, R., Herzberg, A.: Proactive security: long-term protection against break-ins. CryptoBytes 3, 1–8 (1997)
Chen, H., Ling, S., Padró, C., Wang, H., Xing, C.: Key predistribution schemes and one-time broadcast encryption schemes from algebraic geometry codes. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 263–277. Springer, Heidelberg (2009). doi:10.1007/978-3-642-10868-6_16
Cover, T.M., Thomas, J.A.: Elements of Information Theory, 2nd edn. Wiley-Interscience, Hoboken (2006)
Cramer, R., Dodis, Y., Fehr, S., Padró, C., Wichs, D.: Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 471–488. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78967-3_27
Csiszár, I., Koerner, J.: Information Theory: Coding Theorems for Discrete Memoryless Systems, 2nd edn. Cambridge University Press, Cambridge (2011)
Dodis, Y., Fazio, N.: Public key broadcast encryption for stateless receivers. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 61–80. Springer, Heidelberg (2003). doi:10.1007/978-3-540-44993-5_5
Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994). doi:10.1007/3-540-48329-2_40
Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with Short Ciphertexts). In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 171–188. Springer, Heidelberg (2009). doi:10.1007/978-3-642-01001-9_10
Halevi, S., Harnik, D., Pinkas, B., Shulman-Peleg, A.: Proofs of ownership in remote storage systems. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 491–500. ACM, New York (2011)
Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M.: Proactive secret sharing or: how to cope with perpetual leakage. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 339–352. Springer, Heidelberg (1995). doi:10.1007/3-540-44750-4_27
Kamara, S., Lauter, K.: Cryptographic cloud storage. In: Sion, R., Curtmola, R., Dietrich, S., Kiayias, A., Miret, J.M., Sako, K., Sebé, F. (eds.) FC 2010. LNCS, vol. 6054, pp. 136–149. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14992-4_13
Kurosawa, K., Yoshida, T., Desmedt, Y., Burmester, M.: Some bounds and a construction for secure broadcast encryption. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 420–433. Springer, Heidelberg (1998). doi:10.1007/3-540-49649-1_33
Liu, J., Wang, H., Xian, M., Huang, K.: A secure and efficient scheme for cloud storage against eavesdropper. In: Qing, S., Zhou, J., Liu, D. (eds.) ICICS 2013. LNCS, vol. 8233, pp. 75–89. Springer, Heidelberg (2013). doi:10.1007/978-3-319-02726-5_6
Liu, Z., Li, J., Chen, X., Yang, J., Jia, C.: TMDS: thin-model data sharing scheme supporting keyword search in cloud storage. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 115–130. Springer, Heidelberg (2014). doi:10.1007/978-3-319-08344-5_8
Luby, M., Staddon, J.: Combinatorial bounds for broadcast encryption. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 512–526. Springer, Heidelberg (1998). doi:10.1007/BFb0054150
Matsumoto, T., Imai, H.: On the key predistribution system: a practical solution to the key distribution problem. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 185–193. Springer, Heidelberg (1988). doi:10.1007/3-540-48184-2_14
Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_3
Nikov, V., Nikova, S.: On proactive secret sharing schemes. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 308–325. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30564-4_22
Padró, C., Gracia, I., Martín, S.: Improving the trade-off between storage and communication in broadcast encryption schemes. Discret. Appl. Math. 143(1–3), 213–220 (2004)
Padró, C., Gracia, I., Martín, S., Morillo, P.: Linear broadcast encryption schemes. Discret. Appl. Math. 128(1), 223–238 (2003)
Phan, D.H., Pointcheval, D., Strefler, M.: Security notions for broadcast encryption. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 377–394. Springer, Heidelberg (2011). doi:10.1007/978-3-642-21554-4_22
Sahai, A., Seyalioglu, H., Waters, B.: Dynamic credentials and ciphertext delegation for attribute-based encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 199–217. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_13
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). doi:10.1007/11426639_27
Santis, A.D., Ferrara, A.L., Masucci, B.: Unconditionally secure key assignment schemes. Discret. Appl. Math. 154(2), 234–252 (2006)
Shacham, H., Waters, B.: Compact proofs of retrievability. J. Cryptol. 26(3), 442–483 (2013)
Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27, 379–423, 623–656 (1948). http://cm.bell-labs.com/cm/ms/what/shannonday/shannon1948.pdf
Stanek, J., Sorniotti, A., Androulaki, E., Kencl, L.: A secure data deduplication scheme for cloud storage. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 99–118. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45472-5_8
Stinson, D.: On some methods for unconditionally secure key distribution and broadcast encryption. Des. Codes Crypt. 12(3), 215–243 (1997)
Stinson, D.R., Wei, R.: Unconditionally secure proactive secret sharing scheme with combinatorial structures. In: Heys, H., Adams, C. (eds.) SAC 1999. LNCS, vol. 1758, pp. 200–214. Springer, Heidelberg (2000). doi:10.1007/3-540-46513-8_15
The Presidential Commission for the Study of Bioethical Issues: Privacy and progress in whole genome sequencing. President’s Bioethics Commission Releases Report on Genomics and Privacy, October 2012
Watanabe, Y., Hanaoka, G., Shikata, J.: Unconditionally secure revocable storage: tight bounds, optimal construction, and robustness. Cryptology ePrint Archive, Report 2016/064 (2016). http://eprint.iacr.org/
Watanabe, Y., Shikata, J.: Constructions of unconditionally secure broadcast encryption from key predistribution systems with trade-offs between communication and storage. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 489–502. Springer, Heidelberg (2015). doi:10.1007/978-3-319-26059-4_27
Yang, K., Jia, X., Ren, K.: Attribute-based fine-grained access control with efficient revocation in cloud storage systems. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013, pp. 523–528. ACM, New York (2013)
Acknowledgments
We would like to thank the anonymous reviewers for fruitful comments, and in particular, for pointing out that an AMD-code is useful for robust constructions. We would also like to thank “Shin-Akarui-Angou-Benkyou-Kai” for their valuable comments. Yohei Watanabe is supported by JSPS Research Fellowships for Young Scientists. This work (Yohei Watanabe) was supported by Grant-in-Aid for JSPS Fellows Grant Number 25\(\cdot \)3998 and 16J10532. This work (Junji Shikata) was supported by JSPS KAKENHI Grant Number 15H02710, and it was in part conducted under the auspices of the MEXT Program for Promoting the Reform of National Universities.
Appendices
A Shannon Entropy
We briefly describe Shannon entropy. For details, see [17, 19], which give an excellent introduction. Let X and Y be random variables taking values in the sets \({\mathcal {X}}\) and \({\mathcal {Y}}\), respectively.
Definition 7
(Shannon Entropy [40]). Shannon entropy H(X) is defined by
Furthermore, the joint entropy H(X, Y) and conditional entropy H(X|Y) of a pair of random variables (X, Y) with a joint probability distribution \(P_{XY}\) are defined by
respectively. Moreover, mutual information is also defined by
The following properties of Shannon entropy are used in this paper (for details, see [17, 19]):
- For a random variable X, it holds that \(\log |{\mathcal {X}}|\ge H(X) \ge 0\), where the first equality holds if and only if the probability distribution over \({\mathcal {X}}\) is uniform, and the second equality holds if and only if there exists some \(x\in {\mathcal {X}}\) such that \(\Pr (X=x)=1\).
- It holds that \(H(X,Y)=H(X)+H(Y| X)=H(Y)+H(X | Y)\). More generally, it holds that \(H(X_1,X_2,\ldots ,X_n)=\sum _{i=1}^{n}H(X_i | X_1,\ldots ,X_{i-1})\).
- For two random variables X and Y, it holds that \(H(X)\ge H(X | Y)\), where equality holds if and only if X and Y are independent.
- It holds that \(I(X;Y) \ge 0\), where equality holds if and only if X and Y are independent of each other.
B Collusion-Resistant RS-BE Scheme
We consider security against collusion of at most \(\omega \) colluders and a storage manager. Intuitively, if a storage manager can change any privileged set of a ciphertext into any privileged set by using his maintenance key mk, we cannot achieve RS-BE secure against collusion of a set of colluders and the storage manager. Therefore, here we simply set the following transformation rule for mk: For any \({\mathcal {S}}, {\mathcal {S}}'\subset {\mathcal {U}}\), \(\textit{Upd}(mk,c_{{\mathcal {S}}},{\mathcal {S}},{\mathcal {S}}')\) outputs an updated ciphertext \(c_{{\mathcal {S}}'}\) if \({\mathcal {S}}'\subset {\mathcal {S}}\) holds, otherwise it outputs \(\bot \). Namely, we only consider dynamic revocation of users.
We define collusion-resistant security as follows.
Definition 8
(Collusion-Resistant RS-BE). Let \({\varPi }\) be an RS-BE scheme. \({\varPi }\) is said to be collusion-resistantly \((\le n,\le \omega )\)-one-time secure if the following conditions are satisfied: For any privileged set \({\mathcal {S}}\subset {\mathcal {U}}\), and any set of colluders \({\mathcal {W}}\subset {\mathcal {U}}\) such that \({\mathcal {S}}\cap {\mathcal {W}}=\emptyset \) and \(|{\mathcal {W}}|\le \omega \), it holds that
A construction which satisfies Definition 8 is as follows.
1. \((ek,mk,dk_1,\ldots ,dk_n)\leftarrow \textit{Setup}()\): Let q be a prime power such that \(q>n\), and \({\mathbb {F}}_q\) be a finite field with q elements. It chooses n polynomials \(f^{(h)}(x):=\sum ^{\omega }_{i=0}a_ix^i \ (h=1,\ldots ,n)\) over \({\mathbb {F}}_q\) uniformly at random, and computes \(n-1\) polynomials \(g^{(\ell )}(x):=f^{(\ell )}(x)-f^{(\ell -1)}(x) \ (2\le \ell \le n)\). Then, it outputs \(ek:=f^{(1)}(x)\), \(dk_i:=(f^{(1)}(i),\ldots ,f^{(n)}(i)) \ (1\le i\le n)\), and \(mk:=(g^{(2)}(x),\ldots ,g^{(n)}(x))\).
2. \(c_{{\mathcal {S}}}\leftarrow \textit{Enc}(ek,m, {\mathcal {S}})\): Let \({\mathcal {S}}=\{U_{i_1},\ldots ,U_{i_k}\} \ (1\le k \le n)\) be a privileged set. For every \(U_{i_j}\), it computes \(c^{(1)}_{i_j}:=m+f^{(1)}(i_j)\), and sets a counter \(t:=1\). Finally, it outputs \(c_{{\mathcal {S}}}:=(t, c^{(t)}_{i_1},\ldots ,c^{(t)}_{i_k})\).
3. m or \(\bot \leftarrow \textit{Dec}(dk_i,c_{{\mathcal {S}}},{\mathcal {S}},U_i)\): If \(U_i\in {\mathcal {S}}\), it computes \(m=c^{(t)}_{i}-f^{(t)}(i)\) and outputs it. Otherwise, it outputs \(\bot \).
4. \(c_{{\mathcal {S}}'}\) or \(\bot \leftarrow \textit{Upd}(mk, c_{{\mathcal {S}}}, {\mathcal {S}},{\mathcal {S}}')\): Let \({\mathcal {S}}'=\{U_{i_1},\ldots ,U_{i_k}\}\). If \({\mathcal {S}}'\subset {\mathcal {S}}\) does not hold, it outputs \(\bot \). Otherwise, for every \(U_{i_j}\in {\mathcal {S}}'\subset {\mathcal {S}}\), it computes \(c^{(t+1)}_{i_j}:=c^{(t)}_{i_j}+g^{(t+1)}(i_j) \ (1\le j \le k)\). Finally, it sets \(t:=t+1\) and outputs \(c_{{\mathcal {S}}'}:=(t, c^{(t)}_{i_1},\ldots ,c^{(t)}_{i_k})\).
Proposition 4
The resulting RS-BE scheme \({\varPi }\) by the above construction is collusion-resistantly \((\le n,\le \omega )\)-one-time secure.
Proof
It is not difficult to prove this proposition. Without loss of generality, we consider that \({\mathcal {W}}:=\{U_1,\ldots ,U_{\omega }\}\) is the set of colluders and \({\mathcal {S}}:=\{U_{\omega +1},\ldots ,U_n\}\) is the privileged set. Consider the case that the colluders \({\mathcal {W}}\) and the storage manager try to guess \(k_{{\mathcal {S}}}\) in order to obtain the plaintext m by using their secret keys. Since the degree of each \(f^{(h)}(x) \ (1 \le h \le n)\) is at most \(\omega \), at most \(\omega \) colluders cannot obtain \(f^{(h)}(x)\) from \(f^{(h)}(1),\ldots ,f^{(h)}(\omega ) \ (1 \le h \le n)\). Hence, they cannot obtain any information on \(f^{(h)}(x) \ (1 \le h \le n)\) even if they also hold \(g^{(\ell )}(x) \ (2\le \ell \le n)\). Therefore, for any \({\mathcal {S}}\subset {\mathcal {U}}\) and any \({\mathcal {W}}\subset {\mathcal {U}}\) such that \({\mathcal {S}}\cap {\mathcal {W}}=\emptyset \) and \(|{\mathcal {W}}|\le \omega \), \(H(M\mid C_{{\mathcal {S}}},DK_{{\mathcal {W}}},MK)=H(M)\). \(\square \)
C Construction for Arbitrary Plaintext Sizes and Number of Users
We show how to construct an \((\le n, \le \omega ; \delta )\)-one-time secure RS-BE scheme for arbitrary \(|{\mathcal {M}}|\) and n, even when \(|{\mathcal {M}}|\le n\), where n is the number of users. We first consider an instantiation of an \((\le n, \le \omega ; \delta )\)-one-time secure BE scheme by the Fiat–Naor KPS [21]. Since the Fiat–Naor KPS is designed combinatorially, without polynomials, the construction works even when \(q \le n\). We then obtain the Upd algorithm by modifying this construction. Note that the sizes of secret keys (in particular, the encryption and maintenance keys) of this construction are larger than those of our construction in Sect. 4 when \(\delta > \omega \).
The detailed construction of an \((\le n, \le \omega )\)-one-time secure RS-BE scheme \({\varPi }=(\textit{Setup}, \textit{Enc}, \textit{Dec}, \textit{Upd})\) is as follows.
1. \((ek,mk,dk_1,\ldots ,dk_n)\leftarrow \textit{Setup}()\): Let \({\mathbb {F}}_q\) be a finite field with q elements, where q is a prime power. Let \(a:=\lfloor n / \delta \rfloor \), \(\delta _2:=n \bmod \delta \), and \(\delta _1:=\delta -\delta _2\). Without loss of generality, let \({\mathcal {U}}_{j}:=\{ U_{1}^{(j)}, \ldots ,U_{a}^{(j)} \} = \{U_{(j-1)a+1},\ldots ,U_{ja}\}\) for \(j\in \{1,2,\ldots ,\delta _1\}\) and \({\mathcal {U}}_{j}:=\{ U_{1}^{(j)}, \ldots , U_{a+1}^{(j)} \} = \{U_{\delta _1a+(j-\delta _1-1)(a+1)+1},\ldots ,U_{\delta _1a+(j-\delta _1)(a+1)}\}\) for \(j\in \{\delta _1+1,\delta _1+2,\ldots ,\delta \}\). Define the following families of subsets:
$$\begin{aligned}&{\mathscr {W}}_j:=\{{\mathcal {W}} \subset {\mathcal {U}}_j \mid |{\mathcal {W}}|\le \omega _j \}, \\&{\mathscr {W}}_j^{(i)}:=\{{\mathcal {W}} \subset {\mathcal {U}}_j \mid {\mathcal {W}}\in {\mathscr {W}}_j \wedge U_i \notin {\mathcal {W}}\}, \\&{\mathscr {W}}_j({\mathcal {S}}\subset {\mathcal {U}}_j):=\{{\mathcal {W}} \in {\mathscr {W}}_j \mid |{\mathcal {W}}| = \min \{ {\tilde{\omega }}, |{\mathcal {U}}_j|-|{\mathcal {S}}| \} \}, \end{aligned}$$
where \(\omega _j:=\min \{a-1,\omega \}\) for \(1 \le j \le \delta _1\) and \(\omega _j:=\min \{a,\omega \}\) for \(\delta _1+1 \le j \le \delta \). Choose \(R\in {\mathbb {F}}_q\) uniformly at random. Then, for each \({\mathcal {U}}_j \ (1 \le j \le \delta )\), compute as follows. For \(\emptyset _j := \emptyset \in {\mathscr {W}}_j\), choose \(r'_{\emptyset _j}\in {\mathbb {F}}_q\) uniformly at random, and compute \(r_{\emptyset _j} := R + r'_{\emptyset _j}\). For every \({\mathcal {W}}\in {\mathscr {W}}_j\setminus \{\emptyset \}\), choose \(r_{{\mathcal {W}}} \in {\mathbb {F}}_q\) uniformly at random. Set \(ek:=\{ r_{\mathcal {W}}\mid {\mathcal {W}}\in {\mathscr {W}}_j \}_{j=1}^{\delta }\) and \(mk:=\{ r'_{\emptyset _1},r'_{\emptyset _2},\ldots ,r'_{\emptyset _\delta }\} \cup \{ r_{\mathcal {W}}\mid {\mathcal {W}}\in {\mathscr {W}}_j \setminus \{\emptyset \} \}_{j=1}^{\delta }\). For every \(U_h = U_{i}^{(j)}\), set \(dk_h=dk_i^{(j)}:=\{ r_{\mathcal {W}}\mid {\mathcal {W}}\in {\mathscr {W}}_j^{(i)} \}\). Output \((ek, mk, dk_1,\ldots ,dk_n)\).
2. \(c_{{\mathcal {S}}}\leftarrow \textit{Enc}(ek,m, {\mathcal {S}})\): Let \({\mathcal {S}}_j := {\mathcal {S}}\cap {\mathcal {U}}_j\). For every \({\mathcal {S}}_j\), compute
$$\begin{aligned} c_j := m + r_{\emptyset _j}+\sum _{{\mathcal {W}}\in {\mathscr {W}}_j({\mathcal {S}}_j)}r_{{\mathcal {W}}}, \end{aligned}$$
unless \({\mathcal {S}}_j = \emptyset \). Output \(c_{\mathcal {S}}:=\{c_j\}_{{\mathcal {S}}_j\ne \emptyset }\).
3. m or \(\bot \leftarrow \textit{Dec}(dk_h,c_{{\mathcal {S}}},{\mathcal {S}},U_h)\): If \(U_h\notin {\mathcal {S}}\), output \(\bot \). Otherwise, suppose that \(U_h = U_i^{(j)} \in {\mathcal {U}}_j\). Output \(m= c_j -r_{\emptyset _j}-\sum _{{\mathcal {W}}\in {\mathscr {W}}_j({\mathcal {S}}_j)} r_{{\mathcal {W}}}\).
4. \(c_{{\mathcal {S}}'}\) or \(\bot \leftarrow \textit{Upd}(mk, c_{{\mathcal {S}}}, {\mathcal {S}},{\mathcal {S}}')\): Let \({\mathcal {S}}_i := {\mathcal {S}}\cap {\mathcal {U}}_i\) and \({\mathcal {S}}'_j := {\mathcal {S}}' \cap {\mathcal {U}}_j\). Without loss of generality, choose some \(c_i \in c_{{\mathcal {S}}}\). Compute \(c_{\emptyset }:=c_i - r'_{\emptyset _i} - \sum _{{\mathcal {W}}\in {\mathscr {W}}_i({\mathcal {S}}_i)} r_{{\mathcal {W}}}=m+R\), where \(\emptyset _i:=\emptyset \in {\mathscr {W}}_i\). For every \({\mathcal {S}}'_j\), compute
$$\begin{aligned} c'_j := c_{\emptyset } + r'_{\emptyset _j} + \sum _{{\mathcal {W}}\in {\mathscr {W}}_j({\mathcal {S}}'_j)}r_{{\mathcal {W}}}, \end{aligned}$$
unless \({\mathcal {S}}'_j = \emptyset \), where \(\emptyset _j\in {\mathscr {W}}_j\). Output \(c_{{\mathcal {S}}'}:=\{c'_j\}_{{\mathcal {S}}'_j\ne \emptyset }\).
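The Fiat–Naor-based construction above, specialised to \(\delta =1\) (a single group \({\mathcal {U}}_1={\mathcal {U}}\)), as an added Python example that is not part of the paper. It reads \({\mathscr {W}}_1({\mathcal {S}})\) as the subsets of \({\mathcal {U}}\setminus {\mathcal {S}}\) of size \(\min \{\omega _1,|{\mathcal {U}}\setminus {\mathcal {S}}|\}\) (an assumption, matching the proof sketch), and runs with \(q=2\le n=4\) to show what Appendix C is for: a one-bit plaintext with more users than field elements, and a storage manager that can add users as well as revoke them while never holding R.

```python
from itertools import combinations
import secrets

def fn_setup(n, omega, q):
    """Setup() specialised to delta = 1: one group U = {1..n} and a random r_W in F_q for every
    W with |W| <= omega_1 = min(n-1, omega). r_empty = R + r'_empty, so the storage manager's mk
    carries r'_empty and every other r_W but never R itself."""
    users = tuple(range(1, n + 1))
    omega1 = min(n - 1, omega)
    fam = [frozenset(W) for k in range(omega1 + 1) for W in combinations(users, k)]
    R = secrets.randbelow(q)
    r_prime_empty = secrets.randbelow(q)
    r = {W: secrets.randbelow(q) for W in fam if W}
    r[frozenset()] = (R + r_prime_empty) % q
    ek = dict(r)                                                             # all r_W
    mk = {"r_prime_empty": r_prime_empty, "r": {W: v for W, v in r.items() if W}}
    dk = {i: {W: v for W, v in r.items() if i not in W} for i in users}     # U_i holds r_W iff i not in W
    return ek, mk, dk, (users, omega1, q)

def masking_sets(S, params):
    """W(S) as read here (assumption): subsets W of U \\ S with |W| = min(omega_1, |U \\ S|).
    When S = U there is nobody to exclude, so no extra mask is applied."""
    users, omega1, _ = params
    outsiders = sorted(set(users) - set(S))
    k = min(omega1, len(outsiders))
    return [frozenset(W) for W in combinations(outsiders, k)] if k else []

def fn_enc(ek, m, S, params):
    """Enc: c = m + r_empty + sum of r_W over W in W(S), computed in F_q."""
    q = params[2]
    return {"S": frozenset(S), "c": (m + ek[frozenset()] + sum(ek[W] for W in masking_sets(S, params))) % q}

def fn_dec(dk_h, h, ct, params):
    """Dec: a privileged user holds every r_W in the sum, since h is never inside a masking set."""
    if h not in ct["S"]:
        return None
    q = params[2]
    return (ct["c"] - dk_h[frozenset()] - sum(dk_h[W] for W in masking_sets(ct["S"], params))) % q

def fn_upd(mk, ct, S_new, params):
    """Upd: peel the masks down to c_empty = m + R, then re-mask for S'. Unlike Appendix B,
    S' need not be a subset of S: users can be added as well as revoked."""
    q = params[2]
    c_empty = (ct["c"] - mk["r_prime_empty"] - sum(mk["r"][W] for W in masking_sets(ct["S"], params))) % q
    c_new = (c_empty + mk["r_prime_empty"] + sum(mk["r"][W] for W in masking_sets(S_new, params))) % q
    return {"S": frozenset(S_new), "c": c_new}

def every_coalition_blocked(dk, S, params):
    """The proof sketch's argument, checked: every coalition of at most omega_1 users outside S
    lacks at least one r_W that masks the ciphertext for S."""
    users, omega1, _ = params
    outsiders = sorted(set(users) - set(S))
    masks = masking_sets(S, params)
    return all(any(all(W not in dk[i] for i in coal) for W in masks)
               for k in range(1, omega1 + 1) for coal in combinations(outsiders, k))

def demo():
    """Constructed run with q = 2 <= n = 4 (a one-bit plaintext), omega = 2, m = 1."""
    ek, mk, dk, params = fn_setup(n=4, omega=2, q=2)
    ct1 = fn_enc(ek, 1, {1, 2}, params)
    ct2 = fn_upd(mk, ct1, {1, 2, 3}, params)   # add user 3
    ct3 = fn_upd(mk, ct2, {1}, params)         # revoke users 2 and 3
    return {
        "u1": (fn_dec(dk[1], 1, ct1, params), fn_dec(dk[1], 1, ct2, params), fn_dec(dk[1], 1, ct3, params)),
        "u3_added": fn_dec(dk[3], 3, ct2, params),
        "u2_revoked": fn_dec(dk[2], 2, ct3, params),
        "coalition_blocked": every_coalition_blocked(dk, {1, 2}, params) and every_coalition_blocked(dk, {1}, params),
    }
```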
Proposition 5
The resulting RS-BE scheme \({\varPi }\) is \((\le n,\le \omega ; \delta )\)-one-time secure. In particular, \({\varPi }\) is optimal when \(\delta =1\).
Proof
(Sketch). We give only a sketch, since the proof is not difficult. Without loss of generality, we consider \({\mathcal {S}}:=\{U_{1},U_{2},\ldots ,U_{n-\omega } \}\) and \({\mathcal {W}}:=\{ U_{n-\omega +1},U_{n-\omega +2}, \ldots , U_n \}\). Let \({\mathcal {S}}_j:={\mathcal {S}}\cap {\mathcal {U}}_j\) and \({\mathcal {W}}_j:={\mathcal {U}}_j\setminus {\mathcal {S}}_j\). As in [21], it is obvious that each \({\mathcal {W}}_j\) lacks at least one random value \(r_{{\mathcal {W}}_j}\). Therefore, \({\mathcal {W}}\) cannot obtain any information on m. Furthermore, SM cannot obtain any information on m either, since he does not know R. \(\square \)
Copyright information
© 2016 Springer International Publishing AG
Cite this paper
Watanabe, Y., Hanaoka, G., Shikata, J. (2016). Unconditionally Secure Revocable Storage: Tight Bounds, Optimal Construction, and Robustness. In: Nascimento, A., Barreto, P. (eds) Information Theoretic Security. ICITS 2016. Lecture Notes in Computer Science(), vol 10015. Springer, Cham. https://doi.org/10.1007/978-3-319-49175-2_11
DOI: https://doi.org/10.1007/978-3-319-49175-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49174-5
Online ISBN: 978-3-319-49175-2