Certificateless Proxy Research Articles

Certificateless Proxy Re-encryption with Cryptographic Reverse Firewalls for Secure Cloud Data Sharing

Cloud computing has enabled data-sharing to be more convenient than ever before. However, data security is a major concern that prevents cloud computing from being widely adopted. A potential solution to secure data-sharing in cloud computing is proxy re-encryption (PRE), which allows a proxy to transform encrypted data from one key to another without accessing the plaintext. When using PRE, various challenges arise, including the leak of information by a trusted third party, collusion attacks, and issues associated with revocation. To overcome these challenges, this paper proposes a novel Certificateless Proxy Reencryption with Cryptographic Reverse Firewall for Secure Cloud Data Sharing (CLPRE-CRF). The new scheme enables secure distribution of encrypted data from a data owner to users through public clouds. Meanwhile, the CLPRE-CRF scheme can resist exfiltration of secret information and forgery of ciphertext in case the scheme is compromised. In addition, the scheme provides a flexible revocation mechanism to prevent unauthorized access to private data. The security analysis demonstrates that the CLPRE-CRF resists chosen-plaintext attacks and collusion attacks. Moreover, performance evaluation indicates that our scheme achieves a 14% and 22% reduction in computation costs during the encryption and decryption algorithms, respectively. Therefore, the proposed CLPRE-CRF scheme is well-suited for cloud computing environments.

An optimal secure and reliable certificateless proxy signature for industrial internet of things

An optimal secure and reliable certificateless proxy signature for industrial internet of things

A lattice-based efficient certificateless public key encryption for big data security in clouds

With the advancement of technology and the development of digitization, big data has become an integral component of modern society. Due to the huge volume of big data, users generally upload data to the cloud for storage and computation. Because data in the cloud is beyond the control of users, it faces threats such as data security and personal privacy leakage. To address these concerns and achieve big data security and privacy protection in clouds, data encryption is crucial. Traditional public key encryption involves complex certificate management in a public key infrastructure (PKI). Although the identity-based encryption (IBE) scheme avoids the management of public key certificates, it has issues with key escrows and identity revocation. The certificateless public key encryption (CL-PKE) not only solves the key escrows problem in IBE, but also maintains its advantage of not requiring the use of certificate in PKI, making it suitable for the security protection of big data in clouds. However, most CL-PKE schemes are constructed based on large integer factorization and discrete logarithm problems, which cannot resist quantum computing attacks. Therefore, this paper proposes an efficient lattice-based CL-PKE scheme for big data security in clouds. In addition, the proposed scheme is extended to a lattice-based certificateless proxy re-encryption scheme, facilitating secure big data sharing in clouds. The proposed CL-PKE scheme can resist attacks from both internal and external adversaries, and has been proven to be IND-CPA secure under the learning with errors (LWE) assumption. Experiments have shown that the proposed CL-PKE scheme has lower computational and communication costs. The proposed lattice-based schemes can effectively provide post quantum security for the security and privacy protection of big data in clouds.

A Comprehensive Privacy-Preserving Federated Learning Scheme With Secure Authentication and Aggregation for Internet of Medical Things.

Data mining, integration, and utilization are the inevitable trend of the Internet of Medical Things (IoMT) in the context of Big Data. With the increasing demand for data privacy, federated learning has emerged as a new paradigm, which enables distributed joint training of medical data sources without leaving the private domain. However, federated learning is suffering from security threats as the shared local model will reveal original datasets. Privacy leakage is even more fatal in healthcare because medical data contains critically sensitive information. In addition, open wireless channels are susceptible to malicious attacks. To further safeguard the privacy of IoMT, we propose a comprehensive privacy-preserving federated learning scheme with a tactful dropout handling mechanism. The proposed scheme leverages blind masking and certificateless proxy re-encryption (CL-PRE) for secure aggregation, ensuring the confidentiality of the local model and rendering the global model invisible to any parties other than clients. It also provides authentication of uploaded models while protecting identity privacy. Compared with other relevant schemes, our solution has better performance on functional features and efficiency, and is more applicable to IoMT systems with many devices.

Certificateless Proxy Signcryption in the Standard Model for a UAV Network

As we all know, the random oracle model (ROM) is a simulation of the hash function and cannot replace the actual computation of hash function and the public-key cryptography scheme, which was proved to be secure in ROM may be insecure when instantiating random oracles with concrete hash functions in practical applications. So far as we know, certificateless proxy signcryption (CLPSC) scheme’s security is only proved by applying ROM. Therefore, it is quite important to construct a CLPSC scheme in the standard model (SM). In this article, we propose the first CLPSC scheme in SM, which can achieve public verifiability and we prove that this scheme is EUF-CMA-CLPSC security and IND-CCA-CLPSC security against type I adversary <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$\mathcal {A}_{I}$ </tex-math></inline-formula> and Type II adversary <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$\mathcal {A}_{II}$ </tex-math></inline-formula> . Additionally, we compare our scheme’s performance with several previous schemes’ performance in terms of calculation, communication, and security. The results show that our CLPSC scheme has better security performance, which is suitable for a unmanned aerial vehicle network.

CLAP-PRE: Certificateless Autonomous Path Proxy Re-Encryption for Data Sharing in the Cloud

In e-health systems, patients encrypt their personal health data for privacy purposes and upload them to the cloud. There exists a need for sharing patient health data with doctors for healing purposes in one’s own preferred order. To achieve this fine-gained access control to delegation paths, some researchers have designed a new proxy re-encryption (PRE) scheme called autonomous path proxy re-encryption (AP-PRE), where the delegator can control the whole delegation path in a multi-hop delegation process. In this paper, we introduce a certificateless autonomous path proxy re-encryption (CLAP-PRE) using multilinear maps, which holds both the properties (i.e., certificateless, autonomous path) of certificateless encryption and autonomous path proxy re-encryption. In the proposed scheme, (a) each user has two public keys (user’s identity and traditional public key) with corresponding private keys, and (b) each ciphertext is first re-encrypted from a public key encryption (PKE) scheme to an identity-based encryption (IBE) scheme and then transformed in the IBE scheme. Our scheme is an IND-CPA secure CLAP-PRE scheme under the k-multilinear decisional Diffie–Hellman (k-MDDH) assumption in the random oracle model.

Provably Secure Certificateless Proxy Signature Scheme in the Standard Model

&lt;p&gt;Proxy signature frees the original signer from the heavy signature work. Many certificateless proxy signature (CLPS) schemes have been proposed in the last ten years. The security proofs of most known schemes are given in the random oracle model (ROM). There are only two CLPS schemes with provably security in the standard model (SM). However, in which the size of the system parameter increase linearly with the size of the user’s identity information. That increase the storage burden of the key generation center. In this paper, a new CLPS scheme is constructed and the security proofs are showed in SM. The size of system parameters and the master key are constant in the scheme. Requiring only three pairing operations, the new scheme is more efficient and suitable for mobile computing.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt;

Confidentiality and Integrity Schemes for Multicore Shared Memory Systems

In embedded multicore shared memory systems, processing elements (PEs) are mutually untrusted since they carry different computing tasks independently. Therefore, the sharing of secret constants (SCs) between PEs, which is applied in the existing confidentiality protection schemes, will lead to the leakage of nonshared data. Besides, for integrity protection, tree construction checking over the whole counter space leads to the increase of both memory occupation and the average delay of verification. In this paper, we propose a ciphertext sharing confidentiality protection scheme based on certificateless proxy re-encryption and an integrity protection scheme based on a multigranularity scalable hash tree for secure data sharing between untrusted processing elements (SDSUP). With our schemes, the SC does not need to be shared and the scale of the checking tree is reduced, thus solving the leakage of nonshared data and reducing the high cost in integrity check. The results from the Rice Simulator for ILP Multiprocessors (RSIM) multicore simulator show that compared with the unprotected system, the performance degradation from applying the confidentiality protection scheme is 17.3% on average. Moreover, the performance degradation of the integrity protection scheme is 12.89%, which is superior to 35.36% for the bonsai Merkle tree (BMT), 29.49% for the multigrained hash tree (MGT) and 21.82% for the multigranularity incremental hash tree (MIT).

A unidirectional certificateless proxy re‐signature scheme based on lattice

AbstractAs a kind of special digital signature, proxy re‐signature is becoming more and more important in transparent certification and management of group signatures. But most existing proxy re‐signature schemes cannot resist collusion attack. So we construct a scheme by using dual modulus technology and lattice structure. Dual modulus technology can ensure that our solution can resist various collusion attacks. Lattice structure can ensure that our scheme is secure in the postquantum era. Compared with the previous scheme, our scheme is unidirectional and certificateless, is secure in the post‐quantum era, does not require key escrow, can prevent man‐in‐the‐middle attacks, and can resist collusion attacks of proxy and delegatee as well as proxy and delegator. Moreover, our scheme is unidirectional and has better privacy. Furthermore, under the random oracle model, we prove that our scheme is strong nonforgeability against external attackers and the internal key generation center.

Design and development of a secure certificateless proxy signature based (SE-CLPS) encryption scheme for cloud storage

Certificateless Public Key Cryptography (CL-PKC) scheme is a new standard that combines Identity (ID)-based cryptography and tradi- tional PKC. It yields better security than the ID-based cryptography scheme without requiring digital certificates. In the CL-PKC scheme, as the Key Generation Center (KGC) generates a public key using a partial secret key, the need for authenticating the public key by a trusted third party is avoided. Due to the lack of authentication, the public key associated with the private key of a user may be replaced by anyone. Therefore, the ciphertext cannot be decrypted accurately. To mitigate this issue, an Enhanced Certificateless Proxy Signature (E-CLPS) is proposed to offer high security guarantee and requires minimum computational cost. In this work, the Hackman tool is used for detecting the dictionary attacks in the cloud. From the experimental analysis, it is observed that the proposed E-CLPS scheme yields better Attack Detection Rate, True Positive Rate, True Negative Rate and Minimum False Positives and False Negatives than the existing schemes.

Forward secure certificateless proxy multi-signature scheme

In order to deal with key exposure problem, we introduce forward secure technique into certificateless proxy multi-signature scheme, and give the formal definition and security model of forward secure certificateless proxy multi-signature. Furthermore, we present a construction of forward secure certificateless proxy multi-signature scheme. Based on the difficulty of computational Diffie-Hellman problem, the proposed scheme is existentially unforgeable against adaptively chosen-message attacks and chosen-warrant attacks in the random oracle model. The proposed scheme does not use bilinear pairs in the key update and generation proxy signature phases, and updated proxy key is easy, thus it is more suitable for mobile environments. Our scheme has effectively dealt with the key exposure problem and certificate management problem.

Forward secure certificateless proxy multi-signature scheme

In order to deal with key exposure problem, we introduce forward secure technique into certificateless proxy multi-signature scheme, and give the formal definition and security model of forward secure certificateless proxy multi-signature. Furthermore, we present a construction of forward secure certificateless proxy multi-signature scheme. Based on the difficulty of computational Diffie-Hellman problem, the proposed scheme is existentially unforgeable against adaptively chosen-message attacks and chosen-warrant attacks in the random oracle model. The proposed scheme does not use bilinear pairs in the key update and generation proxy signature phases, and updated proxy key is easy, thus it is more suitable for mobile environments. Our scheme has effectively dealt with the key exposure problem and certificate management problem.

Improving the Security of LTE-R for High-Speed Railway: From the Access Authentication View

Security and efficiency are crucial considerations for Long Term Evolution for Railway (LTE-R) which bears real-time transmission of train control information for future high-speed railway. In this article, we first analyze the vulnerabilities of LTE-R access authentication protocol, and then propose a proxy signature based authentication scheme to enhance the security of LTE-R without sacrificing efficiency. The proposed scheme consists of three main security mechanisms: a novel Elliptic Curve Cryptosystem based Certificateless Proxy Signature (ECC-CLPS) designed for authentication security, a hash-based puzzle introduced to defend against denial of service (DoS) attack and a key pre-generation mechanism used to improve the efficiency of fast handover authentication. The security analysis and performance simulation show that our scheme has advantages over existing LTE-based authentication schemes in terms of security, functionality, computation and communication costs. Moreover, the authentication requirements for security and efficiency in different LTE-R communication scenarios are fully considered, which makes our scheme more suitable for the access authentication in the future LTE-R based high-speed railway.

Security Analysis of the First Certificateless Proxy Signature Scheme Against Malicious-But-Passive KGC Attacks

AbstractRecently, Yang et al. proposed the first certificateless proxy signature scheme against malicious-but-passive key generation center (MKGC) attacks. They proved that their scheme can resist the MKGC attacks in the standard model. In this paper, we point out that their scheme cannot achieve this security because the adversary can forge valid signatures.

Certificateless Proxy Reencryption Scheme (CPRES) Based on Hyperelliptic Curve for Access Control in Content-Centric Network (CCN)

Information-centric networking is the developing model envisioned by an increasing body of the data communication research community, which shifts the current network paradigm from host centric to data centric, well-known to information-centric networking (ICN). Further, the ICN adopts different types of architectures to extend the growth of the Internet infrastructure, e.g., name-based routing and in-network caching. As a result, the data can be easily routed and accessed within the network. However, when the producer generates contents for authentic consumers, then it is necessary for him/her to have a technique for content confidentiality, privacy, and access control. To provide the previously mentioned services, this paper presents a certificateless proxy reencryption scheme (CPRES) based on the hyperelliptic curve for access control in the content-centric network (CCN). Using certificateless PRE, the power of the key generation center (KGC) is limited to only the generation of partial keys to secure the access to the content. With the help of these partial keys, the producer further calculates keys for encryption and reencryption process. The simulation results show that the proposed scheme provides secure access to content during end-to-end communication. Moreover, the proposed CPRES scheme outperforms in terms of low computational energy and efficient utilization of communication bandwidth.

A Provably Secure Certificateless Proxy Signature Scheme Against Malicious-But-Passive KGC Attacks

AbstractIn certificateless proxy signature (CLPS), the key generation center is responsible for initializing the system parameters and can obtain the opportunity to adaptively set some trapdoors in them when wanting to launch some attacks. Until now, how to withstand the malicious-but-passive key generation center (MKGC) attacks in CLPS is still an interesting problem. In this paper, we focus on the challenging issue and introduce a CLPS scheme provably secure in the standard model. To the best of our knowledge, we are the first to demonstrate its security under MKGC attacks by adopting the technology of embedding the classic difficulty problems into the target entity public key rather than the system parameters during the security proof process.

A cloud data deduplication scheme based on certificateless proxy re-encryption

Abstract Cloud data deduplication removes redundant data blocks or files and keeps only one copy in the cloud storage server. In order to improve on security, we need to encrypt data files and blocks such that all same files and blocks are detectable based on ciphertext for deduplication. So how to detect a ciphertext to find the same files is a challenging problem. In this paper, we propose a cloud data deduplication scheme based on certificateless proxy re-encryption. It contains certificateless proxy re-encryption (CL-PRE) and proof of ownership based on certificateless signature (PoW-CLS). Compared with the existing scheme, we use certificateless cryptography to solve the problem of key escrow and avoid the situation where a key generation center (KGC) impersonates a user to decrypt the ciphertext. Our CL-PRE realizes data deduplication across users and our PoW-CLS improves the efficiency of the proof of ownership (PoW).

Construction of Certificateless Proxy Signcryption Scheme From CMGs

As a cryptography primitive for secure data transmission, certificateless proxy signcryption (CLPS) allows an original signcrypter to entrust his signing authority to a proxy signcrypter for signing specified message on his behalf. In this paper, we combine CLPS with cyclic multiplication groups (CMGs) to construct a new certificateless proxy signcryption scheme from CMGs (CMGs-CLPSS). CMGs-CLPSS will receive significant attention because it simplifies the traditional public key cryptosystem (PKC) and solves the key escrow issue suffered by identity-based public key cryptosystem (IB-PKC). In CMGs-CLPSS, an encrypted message can only be decrypted by a designated receiver who is also responsible for verifying the message; moreover, if a later dispute over repudiation occurs, the designated receiver can readily announce ordinary CLPS for public verification without any extra computation effort. CMGs-CLPSS is proved to have the indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2 security) and existential unforgeability under adaptive chosen-message attacks (UF-CMA security) in the random oracle model. CMGs-CLPSS outperforms the existing schemes on the basis of computational complexity and is suitable for applications in digital contract signing and online proxy auction, and so on.

Light-Weight and Privacy-Preserving Authentication Protocol for Mobile Payments in the Context of IoT

The widespread use of smart devices attracts much attention on the research for a mobile payment protocol in the context of the Internet of Things (IoT). However, payment trust and user privacy still raise critical concerns to the application of mobile payments since existing authentication protocols for mobile payments either suffer from the heavy workload on a resource-limited smart device or cannot provide user anonymity in the mobile payment. To address these challenges elegantly, this paper presents a lightweight and privacy-preserving authentication protocol for mobile payment in the context of IoT. First, we put forward a unidirectional certificateless proxy re-signature scheme, which is of independent interest. Based on this signature scheme, this paper, then, gives a new mobile payment protocol that for the first time not only achieves anonymity and unforgeability but also leaves low resource consumption on smart devices. In the proposed protocol, the efficiency is notably improved by placing the most computational cost on Pay Platform (usually with abundant computational power) instead of lightweight mobile devices. Moreover, by considering that the Pay Platform and Merchant Server needs to perform computation for each transaction, the idea of batch-verification has been adopted to mitigate the overhead for millions of users at the Pay Platform and Merchant Server to address the scalability issue. Through the formal security analysis presented in this paper, the proposed protocol is proved to be secure under the extended CDH problem. In addition, the performance evaluation shows that the proposed protocol is feasible and efficient for the resource-limited smart devices in the IoT.

An Efficient and Provably-Secure Certificateless Proxy-Signcryption Scheme for Electronic Prescription System

Electronic prescription is increasingly popular in our society, particularly in technologically advanced countries. Due to strict legal requirements and privacy regulations, authorization and data confidentiality are two important features in electronic prescription system. By combining signature and encryption functions, signcryption is an efficient cryptographic primitive that can be used to provide these two features. While signcryption is a fairly established research area, most signcryption schemes proposed recently have several limitations (e.g., high communication costs, limited bandwidth, and insecurity), and designing secure and practical signcryption schemes remains challenging. In this paper, we propose an improved certificateless proxy signcryption (CLPSC) scheme, based on elliptic curve cryptography (ECC). We also demonstrate that the proposed CLPSC scheme is secure in the random oracle model and evaluate its performance with related schemes. The security and performance evaluations show that the proposed CLPSC scheme can potentially be implemented on resource-constrained low-computing mobile devices in an electronic prescription system.