KAPRE: Key-aggregate proxy re-encryption for secure and flexible data sharing in cloud storage

Abstract

Key-aggregate cryptosystems (KAC) have attracted significant attention from the research community because of their elegance and efficiency in enforcing predefined access control policies for outsourced data. The data owner computes a constant-size aggregate key that is capable of decrypting a subset of outsourced data items. Based on the access control policy, the data owner securely transmits the aggregate key to a user authorized for the corresponding subset of data items. For practical access control scenarios, a KAC needs to satisfy additional flexibility requirements. We propose a practically motivated, novel cryptographic primitive called key-aggregate proxy re-encryption that allows temporary delegation of decryption capabilities of an aggregate key to one or more other aggregate keys without carrying out any secure transmissions. The existing key-aggregate cryptosystems face two important issues in highly dynamic environments, namely the non-revocability of aggregate keys and the need to securely transmit the aggregate key(s) to enhance the access capabilities of the user(s). The proposed key-aggregate proxy re-encryption is a significant enhancement to the existing KACs in that it features temporary delegation of decryption capabilities without needing any secure transmissions for carrying out or revoking the temporary delegation(s). We propose two variants of key-aggregate proxy re-encryption. The first variant delegates decryption capabilities of an aggregate key to a set of aggregate keys and the second variant delegates decryption capabilities of one aggregate key to another unique aggregate key. We present formal security definitions of both the proposed variants of key-aggregate proxy re-encryption under chosen-plaintext and chosen-ciphertext attacks. We present concrete constructions for both the variants of key-aggregate proxy re-encryption and formally prove the chosen-ciphertext security in the random oracle model. Also, we show that both of our constructions satisfy the temporary delegation property. Finally, we analyze the performance of our key-aggregate proxy re-encryption schemes to confirm their practical applicability.