Unconditionally Secure Revocable Storage: Tight Bounds, Optimal Construction, and Robustness

Abstract

Data stored in cloud storage sometimes requires long-term security due to its sensitivity (e.g., genome data), and therefore, it also requires flexible access control for handling entities who can use the data. Broadcast encryption can partially provide such flexibility by specifying privileged receivers so that only they can decrypt a ciphertext. However, once privileged receivers are specified, they can be no longer dynamically added and/or removed. In this paper, we propose a new type of broadcast encryption which provides long-term security and appropriate access control, which we call unconditionally secure revocable-storage broadcast encryption (RS-BE). In RS-BE, privileged receivers of a ciphertext can be dynamically updated without revealing any information on the underlying plaintext. Specifically, we define a model and security of RS-BE, and derive tight lower bounds on sizes of secret keys required for a one-time secure RS-BE scheme when the ciphertext size is equal to the plaintext size. Our lower bounds can be applied to traditional broadcast encryption. We then construct a one-time secure RS-BE scheme with a trade-off between sizes of ciphertexts and secret keys, and our construction for the smallest ciphertext size meets all bounds with equalities. Furthermore, to detect an improper update, we consider security against modification attacks to a ciphertext, and present a concrete construction secure against this type of attacks.

Appendices

Appendix

A Shannon Entropy

We briefly describe Shannon entropy. For details, see [17, 19] for the excellent instruction. Let X and Y be random variables which take values in sets \({\mathcal {X}}\) and \({\mathcal {Y}}\), respectively.

Definition 7

(Shannon Entropy [40]). Shannon entropy H(X) is defined by

$$\begin{aligned} H(X):=-\sum _{x\in {\mathcal {X}}}\Pr (X=x)\log \Pr (X=x). \end{aligned}$$

Furthermore, the joint entropy H(X, Y) and conditional entropy H(X|Y) of a pair of random variables (X, Y) with a joint probability distribution \(P_{XY}\) are defined by

$$\begin{aligned}&H(X,Y):=-\sum _{x\in {\mathcal {X}}}\sum _{y\in {\mathcal {Y}}}\Pr (X=x,Y=y)\log \Pr (X=x,Y=y),\\&H(X | Y):=\sum _{y\in {\mathcal {Y}}}\Pr (Y=y)H(X | Y=y), \end{aligned}$$

respectively. Moreover, mutual information is also defined by

$$\begin{aligned} I(X;Y):=H(X)-H(X|Y)=H(Y)-H(Y|X). \end{aligned}$$

The following properties of Shannon entropy are used in this paper (for details, see [17, 19]):

• For a random variable X, it holds that \(\log |{\mathcal {X}}|\ge H(X) \ge 0\), where the first equality holds if and only if a probability distribution of \({\mathcal {X}}\) is uniform, and the second equality holds if and only if there exists some \(x\in {\mathcal {X}}\) such that \(\Pr (X=x)=1\).

• It holds that \(H(X,Y)=H(X)+H(Y| X)=H(Y)+H(X | Y)\). More generally, it holds that \(H(X_1,X_2,\ldots ,X_n)=\sum _{i=1}^{n}H(X_i | X_1,\ldots ,X_{i-1})\).

• For two random variables X and Y, it hold that \(H(X)\ge H(X | Y)\), where equality holds if and only if X and Y are independent.

• It holds that \(I(X;Y) \ge 0\), where the equality holds if and only if X and Y are independent of each other.

B Collusion-Resistant RS-BE Scheme

We consider security against collusion of at most \(\omega \) colluders and a storage manager. Intuitively, if a storage manager can change any privileged set of a ciphertext into any privileged set by using his maintenance key mk, we cannot achieve RS-BE secure against collusion of a set of colluders and the storage manager. Therefore, here we simply set the following transformation rule for mk: For any \({\mathcal {S}}, {\mathcal {S}}'\subset {\mathcal {U}}\), \(\textit{Upd}(mk,c_{{\mathcal {S}}},{\mathcal {S}},{\mathcal {S}}')\) outputs an updated ciphertext \(c_{{\mathcal {S}}'}\) if \({\mathcal {S}}'\subset {\mathcal {S}}\) holds, otherwise it outputs \(\bot \). Namely, we only consider dynamic revocation of users.

We define collusion-resistant security as follows.

Definition 8

(Collusion-Resistant RS-BE). Let \({\varPi }\) be an RS-BE scheme. \({\varPi }\) is said to be collusion-resistantly \((\le n,\le \omega )\)-one-time secure if the following conditions are satisfied: For any privileged set \({\mathcal {S}}\subset {\mathcal {U}}\), and any set of colluders \({\mathcal {W}}\subset {\mathcal {U}}\) such that \({\mathcal {S}}\cap {\mathcal {W}}=\emptyset \) and \(|{\mathcal {W}}|\le \omega \), it holds that

$$\begin{aligned} H(M\mid C_{{\mathcal {S}}},DK_{{\mathcal {W}}},MK)=H(M). \end{aligned}$$

A construction which satisfies Definition 8 is as follows.

1. 1.

   \((ek,mk,dk_1,\ldots ,dk_n)\leftarrow \textit{Setup}()\): Let q be a prime power such that \(q>n\), and \({\mathbb {F}}_q\) be a finite field with q elements. It chooses n polynomials \(f^{(h)}(x):=\sum ^{\omega }_{i=0}a_ix^i \ (h=1,\ldots ,n)\) over \({\mathbb {F}}_q\) uniformly at random, and computes \(n-1\) polynomials \(g^{(\ell )}(x):=f^{(\ell )}(x)-f^{(\ell -1)}(x) \ (2\le \ell \le n)\). Then, it outputs \(ek:=f^{(1)}(x)\), \(dk_i:=(f^{(1)}(i),\ldots ,f^{(n)}(i)) \ (1\le i\le n)\), and \(mk:=(g^{(2)}(x),\ldots ,g^{(n)}(x))\).

2. 2.

   \(c_{{\mathcal {S}}}\leftarrow \textit{Enc}(ek,m, {\mathcal {S}})\): Let \({\mathcal {S}}=\{U_{i_1},\ldots ,U_{i_k}\} \ (1\le k \le n)\) be a privileged set. For every \(U_{i_j}\), it computes \(c^{(1)}_{i_j}:=m+f^{(1)}(i_j)\), and sets a counter \(t:=1\). Finally, it outputs \(c_{{\mathcal {S}}}:=(t, c^{(t)}_{i_1},\ldots ,c^{(t)}_{i_k})\).

3. 3.

   m or \(\bot \leftarrow \textit{Dec}(dk_i,c_{{\mathcal {S}}},{\mathcal {S}},U_i)\): If \(U_i\in {\mathcal {S}}\), it computes \(m=c^{(t)}_{i}-f^{(t)}(i)\) and outputs it. Otherwise, it outputs \(\bot \).

4. 4.

   \(c_{{\mathcal {S}}'}\) or \(\bot \leftarrow \textit{Upd}(mk, c_{{\mathcal {S}}}, {\mathcal {S}},{\mathcal {S}}')\): Let \({\mathcal {S}}'=\{U_{i_1},\ldots ,U_{i_k}\}\). If \({\mathcal {S}}'\subset {\mathcal {S}}\) does not hold, it outputs \(\bot \). Otherwise, for every \(U_{i_j}\in {\mathcal {S}}'\subset {\mathcal {S}}\), it computes \(c^{(t+1)}_i:=c^{(t)}_{i_j}+g^{(t+1)}(i_j) \ (1\le j \le k)\). Finally, it sets \(t:=t+1\) and outputs \(c_{{\mathcal {S}}'}:=(t, c^{(t)}_{i_1},\ldots ,c^{(t)}_{i_k})\).

Proposition 4

The resulting RS-BE scheme \({\varPi }\) by the above construction is collusion-resistantly \((\le n,\le \omega )\)-one-time secure.

Proof

It is not so difficult to prove this proposition. Without loss of generality, we consider that \({\mathcal {W}}:=\{U_1,\ldots ,U_{\omega }\}\) is a set of colluders and \({\mathcal {S}}:=\{U_{\omega +1}\ldots ,U_n\}\) is a privileged set. Consider the case that the set of colluders \({\mathcal {W}}\) and the storage manager will guess \(k_{{\mathcal {S}}}\) to obtain the plaintext m by the using their secret keys. Since each degree of x of \(f^{(h)}(x) \ (1 \le h \le n)\) is at most \(\omega \), at most \(\omega \) colluders cannot obtain \(f^{(h)}(x)\) from \(f^{(h)}(1),\ldots ,f^{(h)}(\omega ) \ (1 \le h \le n)\). Hence, they cannot obtain any information on \(f^{(h)}(x) \ (1 \le h \le n)\) even if they have \(g^{(\ell )}(x) \ (2\le \ell \le n)\). Hence, for any \({\mathcal {S}}\subset {\mathcal {U}}\), and any \({\mathcal {W}}\subset {\mathcal {U}}\) such that \({\mathcal {S}}\cap {\mathcal {W}}=\emptyset \) and \(|{\mathcal {W}}|\le \omega \), \(H(M\mid C_{{\mathcal {S}}},DK_{{\mathcal {W}}},MK)=H(M)\).    \(\square \)

C Construction for Arbitrary Plaintext Sizes and Number of Users

We show how we construct an \((\le n, \le \omega ; \delta )\)-one-time secure RS-BE scheme for arbitrary \(|{\mathcal {M}}|\) and n, even when \(|{\mathcal {M}}|\le n\), where n is the number of users. We first consider an instantiation of an \((\le n, \le \omega ; \delta )\)-one-time secure BE scheme by the Fiat–Naor KPS [21]. Since the Fiat–Naor KPS was combinatorially designed by not using polynomials, the construction works even when \(q \le n\). We can then propose the Upd algorithm by modifying the construction. Note that the sizes of secret keys (in particular, encryption and maintenance keys) of this construction are larger than those of our construction in Sect. 4 when \(\delta > \omega \).

The detailed construction of an \((\le n, \le \omega )\)-one-time secure RS-BE scheme \({\varPi }=(\textit{Setup}, \textit{Enc}, \textit{Dec},\) \(\textit{Upd})\) is as follows.

1. 1.

   \((ek,mk,dk_1,\ldots ,dk_n)\leftarrow \textit{Setup}()\): Let \({\mathbb {F}}_q\) be a finite field with q elements, where q is a prime power. Let \(a:=\lfloor n / \delta \rfloor \), \(\delta _2:=n \bmod \delta \), and \(\delta _1:=\delta -\delta _2\). Without loss of generality, let \({\mathcal {U}}_{j}:=\{ U_{1}^{(j)}, \ldots ,U_{a}^{(j)} \} = \{U_{(j-1)a+1},\ldots ,U_{ja}\}\) for \(j\in \{1,2,\ldots ,\delta _1\}\) and \({\mathcal {U}}_{j}:=\{ U_{1}^{(j)}, \ldots , U_{a+1}^{(j)} \} = \{U_{\delta _1a+(j-\delta _1-1)(a+1)+1},\) \(\ldots ,U_{\delta _1a+(j-\delta _1)(a+1)}\}\) for \(j\in \{\delta _1+1,\delta _1+2,\ldots ,\delta \}\). Define the following families of subsets:

   $$\begin{aligned}&{\mathscr {W}}_j:=\{{\mathcal {W}} \subset {\mathcal {U}}_j \mid |{\mathcal {W}}|\le \omega _j \}, \\&{\mathscr {W}}_j^{(i)}:=\{{\mathcal {W}} \subset {\mathcal {U}}_j \mid {\mathcal {W}}\in {\mathscr {W}}_j \wedge U_i \notin {\mathcal {W}}\}, \\&{\mathscr {W}}_j({\mathcal {S}}\subset {\mathcal {U}}_j):=\{{\mathcal {W}} \in {\mathscr {W}}_j \mid |{\mathcal {W}}| = \min \{ {\tilde{\omega }}, |{\mathcal {U}}_j|-|{\mathcal {S}}| \} \}, \end{aligned}$$

   where \(\omega _j:=\min \{a-1,\omega \}\) for \(1 \le j \le \delta _1\) and \(\omega _j:=\min \{a,\omega \}\) for \(\delta _1+1 \le j \le \delta \). Choose \(R\in {\mathbb {F}}_q\) uniformly at random. Then, for each \({\mathcal {U}}_j \ (1 \le j \le \delta )\), compute as follows. For \(\emptyset _j := \emptyset \in {\mathscr {W}}_j\), choose \(r'_{\emptyset _j}\in {\mathbb {F}}_q\) uniformly at random, and compute \(r_{\emptyset _j} := R + r'_{\emptyset _j}\). For every \({\mathcal {W}}\in {\mathscr {W}}_j\setminus \{\emptyset \}\), choose \(r_{{\mathcal {W}}} \in {\mathbb {F}}_q\) uniformly at random. Set \(ek:=\{ r_{\mathcal {W}}\mid {\mathcal {W}}\in {\mathscr {W}}_j \}_{j=1}^{\delta }\), \(mk:=\{ r'_{\emptyset _1},r'_{\emptyset _2},\ldots ,r'_{\emptyset _\delta }\} \cup \{ r_{\mathcal {W}}\mid {\mathcal {W}}\in {\mathscr {W}}_j \setminus \{\emptyset \} \}_{j=1}^{\delta }\). For every \(U_h = U_{i}^{(j)}\), set \(dk_h=dk_i^{(j)}:=\{ r_{\mathcal {W}}\mid {\mathcal {W}}\in {\mathscr {W}}_j^{(i)} \}\). Output \((ek, mk, dk_1,\ldots ,dk_n)\).

2. 2.

   \(c_{{\mathcal {S}}}\leftarrow \textit{Enc}(ek,m, {\mathcal {S}})\): Let \({\mathcal {S}}_j := {\mathcal {S}}\cup {\mathcal {U}}_j\). For every \({\mathcal {S}}_j\), compute

   $$\begin{aligned} c_j := m + r_{\emptyset _j}+\sum _{{\mathcal {W}}\in {\mathscr {W}}_j({\mathcal {S}}_j)}r_{{\mathcal {W}}}, \end{aligned}$$

   unless \({\mathcal {S}}_j = \emptyset \). Output \(c_{\mathcal {S}}:=\{c_j\}_{{\mathcal {S}}_j\ne \emptyset }\).

3. 3.

   m or \(\bot \leftarrow \textit{Dec}(dk_h,c_{{\mathcal {S}}},{\mathcal {S}},U_h)\): If \(U_h\notin {\mathcal {S}}\), output \(\bot \). Otherwise, suppose that \(U_h = U_i^{(j)} \in {\mathcal {U}}_j\). Output \(m= c_j -r_{\emptyset _j}-\sum _{{\mathcal {W}}\in {\mathscr {W}}_j({\mathcal {S}}_j)} r_{{\mathcal {W}}}\).

4. 4.

   \(c_{{\mathcal {S}}'}\) or \(\bot \leftarrow \textit{Upd}(mk, c_{{\mathcal {S}}}, {\mathcal {S}},{\mathcal {S}}')\): Let \({\mathcal {S}}_i := {\mathcal {S}}\cup {\mathcal {U}}_i\) and \({\mathcal {S}}'_j := {\mathcal {S}}' \cup {\mathcal {U}}_j\). Without loss of generality, choose some \(c_i \in c_{{\mathcal {S}}}\). Compute \(c_{\emptyset }:=c_i - r'_{\emptyset _i} - \sum _{{\mathcal {W}}\in {\mathscr {W}}_i({\mathcal {S}}_i)} r_{{\mathcal {W}}}=m+R\), where \(\emptyset _i:=\emptyset \in {\mathscr {W}}_i\). For every \({\mathcal {S}}'_j\), compute

   $$\begin{aligned} c'_j := c_{\emptyset } + r'_{\emptyset _j} + \sum _{{\mathcal {W}}\in {\mathscr {W}}_j({\mathcal {S}}'_j)}r_{{\mathcal {W}}}, \end{aligned}$$

   unless \({\mathcal {S}}'_j = \emptyset \), , where \(\emptyset _j\in {\mathscr {W}}_j\). Output \(c_{{\mathcal {S}}'}:=\{c'_j\}_{{\mathcal {S}}'_j\ne \emptyset }\).

Proposition 5

The resulting RS-BE scheme \({\varPi }\) is \((\le n,\le \omega ; \delta )\)-one-time secure. In particular, \({\varPi }\) is optimal when \(\delta \)=1.

Proof

(Sketch). We here give a sketch since it is not so difficult to prove. Without loss of generality, we consider \({\mathcal {S}}:=\{U_{1},U_{2},\ldots ,U_{n-\omega } \}\) and \({\mathcal {W}}:=\{ U_{n-\omega +1},\) \(U_{n-\omega +2}, \ldots , U_n \}\). Let \({\mathcal {S}}_j:={\mathcal {S}}\cap {\mathcal {U}}_j\) and \({\mathcal {W}}_j:={\mathcal {U}}_j\setminus {\mathcal {S}}_j\). As in [21], it is obvious that each \({\mathcal {W}}_j\) does not have at least one randomness \(r_{{\mathcal {W}}_j}\). Therefore, \({\mathcal {W}}\) cannot obtain any information on m. Furthermore, SM cannot also get any information on m since he does not know R.    \(\square \)