Towards auditable cryptographic access control to high-value sensitive data


Abstract

We discuss the challenge of achieving auditable key management for cryptographic access control to high-value sensitive data. In such settings it is important to be able to audit the key-management process -- and in particular to provide verifiable proofs of key generation, so that the party that derives and distributes keys can be held accountable for every key it has issued. Auditable key management has several use cases in both the civilian and the military world.
In particular, the new regulations for the protection of sensitive personal data, such as the GDPR, introduce strict requirements for the handling of personal data and apply a very broad definition of what counts as personal data. Cryptographic access control for personal data has the potential to become extremely important for preserving industry's ability to innovate while protecting data subjects' privacy, especially in the context of the widely deployed monitoring, tracking and profiling capabilities used by both governmental institutions and high-tech companies. However, encrypted data is in general still considered personal data under the GDPR -- encryption is a pseudonymisation measure, not anonymisation, because whoever holds the decryption key can re-identify the data subject -- and therefore it cannot simply be stored or processed in, e.g., a public cloud or a distributed ledger. In our work we propose an identity-based cryptographic framework that ensures the confidentiality, integrity and availability of data while potentially remaining compliant with the GDPR.

References

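@inproceedings{shamir1984identity,
  author    = {Shamir, Adi},
  title     = {Identity-Based Cryptosystems and Signature Schemes},
  booktitle = {Advances in Cryptology -- {CRYPTO} '84},
  series    = {Lecture Notes in Computer Science},
  volume    = {196},
  pages     = {47--53},
  publisher = {Springer},
  year      = {1984},
  url       = {http://discovery.csc.ncsu.edu/Courses/csc774-S08/reading-assignments/shamir84.pdf}
}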

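@inproceedings{boneh2001identity,
  author    = {Boneh, Dan and Franklin, Matthew},
  title     = {Identity-Based Encryption from the {Weil} Pairing},
  booktitle = {Advances in Cryptology -- {CRYPTO} 2001},
  series    = {Lecture Notes in Computer Science},
  volume    = {2139},
  pages     = {213--229},
  publisher = {Springer},
  year      = {2001},
  url       = {https://crypto.stanford.edu/~dabo/papers/bfibe.pdf},
  internal-note = {conference version; the full journal version is Boneh2003a}
}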

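@misc{GDPR,
  author       = {{European Parliament and Council of the European Union}},
  title        = {Regulation ({EU}) 2016/679 (General Data Protection Regulation)},
  howpublished = {Official Journal of the European Union, L 119, pp. 1--88},
  month        = apr,
  year         = {2016}
}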

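@techreport{rfc,
  author      = {Boyen, Xavier and Martin, Luther},
  title       = {Identity-Based Cryptography Standard ({IBCS}) \#1: Supersingular Curve Implementations of the {BF} and {BB1} Cryptosystems},
  type        = {RFC},
  number      = {5091},
  institution = {IETF},
  month       = dec,
  year        = {2007},
  doi         = {10.17487/RFC5091}
}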

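@misc{yacobi,
  author       = {Yacobi, Yacov},
  title        = {A Note on the Bilinear {Diffie-Hellman} Assumption},
  howpublished = {Cryptology ePrint Archive, Report 2002/113},
  year         = {2002},
  url          = {https://eprint.iacr.org/2002/113}
}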

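@article{rep2015,
  author  = {Moody, Dustin and Peralta, Rene C. and Perlner, Ray A. and Regenscheid, Andrew R. and Roginsky, Allen L. and Chen, Lidong},
  title   = {Report on Pairing-Based Cryptography},
  journal = {Journal of Research of the National Institute of Standards and Technology},
  volume  = {120},
  pages   = {11--27},
  year    = {2015},
  doi     = {10.6028/jres.120.002}
}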

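@misc{209,
  author        = {Kokoris-Kogias, Eleftherios and Alp, Enis Ceyhun and Siby, Sandra Deepthy and Gailly, Nicolas and Gasser, Linus and Jovanovic, Philipp and Syta, Ewa and Ford, Bryan},
  title         = {Verifiable Management of Private Data under {Byzantine} Failures},
  howpublished  = {Cryptology ePrint Archive, Report 2018/209},
  year          = {2018},
  url           = {https://eprint.iacr.org/2018/209},
  internal-note = {duplicate of cryptoeprint:2018:209 -- keep one key and repoint citations}
}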

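@misc{016,
  author       = {Rouselakis, Yannis and Waters, Brent},
  title        = {Efficient Statically-Secure Large-Universe Multi-Authority Attribute-Based Encryption},
  howpublished = {Cryptology ePrint Archive, Report 2015/016},
  year         = {2015},
  url          = {https://eprint.iacr.org/2015/016}
}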

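@inproceedings{fed,
  author    = {Chadwick, David W.},
  title     = {Federated Identity Management},
  booktitle = {Foundations of Security Analysis and Design {V} ({FOSAD} 2007/2008/2009 Tutorial Lectures)},
  series    = {Lecture Notes in Computer Science},
  volume    = {5705},
  pages     = {96--120},
  publisher = {Springer},
  year      = {2009}
}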

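@inproceedings{fed2,
  author    = {Vo, T. H. and Fuhrmann, W. and Fischer-Hellmann, K.-P.},
  title     = {Identity-as-a-Service ({IDaaS}): A Missing Gap for Moving Enterprise Applications in Inter-Cloud},
  booktitle = {Proceedings of the Eleventh International Network Conference ({INC} 2016), Frankfurt, Germany},
  year      = {2016}
}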

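@inproceedings{Camenisch2009a,
  author    = {Camenisch, Jan and Kohlweiss, Markulf and Rial, Alfredo and Sheedy, Caroline},
  title     = {Blind and Anonymous Identity-Based Encryption and Authorised Private Searches on Public Key Encrypted Data},
  booktitle = {Public Key Cryptography -- {PKC} 2009},
  editor    = {Jarecki, Stanis{\l}aw and Tsudik, Gene},
  series    = {Lecture Notes in Computer Science},
  volume    = {5443},
  pages     = {196--214},
  publisher = {Springer},
  year      = {2009}
}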

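@inproceedings{Kate2010a,
  author    = {Kate, Aniket and Goldberg, Ian},
  title     = {Distributed Private-Key Generators for Identity-Based Cryptography},
  booktitle = {Security and Cryptography for Networks ({SCN} 2010)},
  series    = {Lecture Notes in Computer Science},
  volume    = {6280},
  pages     = {436--453},
  publisher = {Springer},
  year      = {2010}
}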

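@inproceedings{Chow2009,
  author    = {Chow, Sherman S. M.},
  title     = {Removing Escrow from Identity-Based Encryption},
  booktitle = {Public Key Cryptography -- {PKC} 2009},
  series    = {Lecture Notes in Computer Science},
  volume    = {5443},
  pages     = {256--276},
  publisher = {Springer},
  year      = {2009}
}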

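@inproceedings{Boyen2006,
  author    = {Boyen, Xavier and Waters, Brent},
  title     = {Anonymous Hierarchical Identity-Based Encryption (Without Random Oracles)},
  booktitle = {Advances in Cryptology -- {CRYPTO} 2006},
  series    = {Lecture Notes in Computer Science},
  volume    = {4117},
  pages     = {290--307},
  publisher = {Springer},
  year      = {2006}
}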

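@article{Boneh2003a,
  author  = {Boneh, Dan and Franklin, Matthew},
  title   = {Identity-Based Encryption from the {Weil} Pairing},
  journal = {SIAM Journal on Computing},
  volume  = {32},
  number  = {3},
  pages   = {586--615},
  year    = {2003},
  doi     = {10.1137/S0097539701398521}
}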

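@inproceedings{Feldman1987,
  author    = {Feldman, Paul},
  title     = {A Practical Scheme for Non-Interactive Verifiable Secret Sharing},
  booktitle = {28th Annual Symposium on Foundations of Computer Science ({FOCS} 1987)},
  pages     = {427--438},
  publisher = {IEEE},
  year      = {1987},
  doi       = {10.1109/SFCS.1987.4},
  url       = {http://ieeexplore.ieee.org/document/4568297/}
}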

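@inproceedings{Gentry2006,
  author    = {Gentry, Craig},
  title     = {Practical Identity-Based Encryption Without Random Oracles},
  booktitle = {Advances in Cryptology -- {EUROCRYPT} 2006},
  series    = {Lecture Notes in Computer Science},
  volume    = {4004},
  pages     = {445--464},
  publisher = {Springer},
  year      = {2006}
}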

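@misc{Gresham2019,
  author       = {Gresham, Josh},
  title        = {Is Encrypted Data Personal Data under the {GDPR}?},
  howpublished = {IAPP Privacy Perspectives (online)},
  month        = mar,
  year         = {2019},
  url          = {https://iapp.org/news/a/is-encrypted-data-personal-data-under-the-gdpr/}
}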

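@techreport{EPRS2019,
  author        = {{European Parliamentary Research Service, Scientific Foresight Unit}},
  title         = {Blockchain and the General Data Protection Regulation: Can Distributed Ledgers Be Squared with {European} Data Protection Law?},
  institution   = {European Parliamentary Research Service},
  number        = {PE 634.445},
  month         = jul,
  year          = {2019},
  url           = {https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf},
  internal-note = {same study as euledgers (authored by Finck) -- keep one key and repoint citations}
}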

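@inproceedings{Garg2019,
  author    = {Garg, Sanjam and Hajiabadi, Mohammad and Mahmoody, Mohammad and Rahimi, Ahmadreza and Sekar, Sruthi},
  title     = {Registration-Based Encryption from Standard Assumptions},
  booktitle = {Public-Key Cryptography -- {PKC} 2019},
  series    = {Lecture Notes in Computer Science},
  volume    = {11443},
  pages     = {63--93},
  publisher = {Springer},
  year      = {2019}
}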

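@inproceedings{Garg2018,
  author    = {Garg, Sanjam and Hajiabadi, Mohammad and Mahmoody, Mohammad and Rahimi, Ahmadreza},
  title     = {Registration-Based Encryption: Removing Private-Key Generator from {IBE}},
  booktitle = {Theory of Cryptography ({TCC} 2018)},
  series    = {Lecture Notes in Computer Science},
  volume    = {11239},
  pages     = {689--718},
  publisher = {Springer},
  year      = {2018}
}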

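@misc{Goyal2019,
  author       = {Goyal, Rishab and Vusirikala, Satyanarayana},
  title        = {Verifiable Registration-Based Encryption},
  howpublished = {Cryptology ePrint Archive, Report 2019/1044},
  year         = {2019},
  url          = {https://eprint.iacr.org/2019/1044}
}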

@book{Chatterjee2011,
  author    = {Chatterjee, Sanjit and Sarkar, Palash},
  title     = {Identity-Based Encryption},
  publisher = {Springer},
  year      = {2011}
}

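@inproceedings{Dent2009,
  author        = {Dent, Alexander W.},
  title         = {A Brief Introduction to Certificateless Encryption Schemes and Their Infrastructures},
  booktitle     = {Public Key Infrastructures, Services and Applications ({EuroPKI} 2009)},
  editor        = {Martinelli, Fabio and Preneel, Bart},
  series        = {Lecture Notes in Computer Science},
  volume        = {6391},
  pages         = {1--16},
  publisher     = {Springer},
  year          = {2010},
  internal-note = {duplicate of 10.1007/978-3-642-16441-5_1 -- keep one key and repoint citations}
}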

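@book{Greenberg2019,
  author    = {Greenberg, Andy},
  title     = {Sandworm: A New Era of Cyberwar and the Hunt for the {Kremlin}'s Most Dangerous Hackers},
  publisher = {Doubleday},
  address   = {New York},
  year      = {2019}
}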

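@misc{cryptoeprint:2019:912,
  author       = {Derler, David and Ramacher, Sebastian and Slamanig, Daniel and Striecks, Christoph},
  title        = {I Want to Forget: Fine-Grained Encryption with Full Forward Secrecy in the Distributed Setting},
  howpublished = {Cryptology ePrint Archive, Report 2019/912},
  year         = {2019},
  url          = {https://eprint.iacr.org/2019/912}
}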

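@misc{DBLP:journals/corr/EgorovW17,
  author        = {Egorov, Michael and Wilkison, MacLane},
  title         = {{NuCypher} {KMS}: Decentralized Key Management System},
  howpublished  = {arXiv preprint},
  year          = {2017},
  eprint        = {1707.06140},
  archiveprefix = {arXiv},
  url           = {http://arxiv.org/abs/1707.06140},
  bibsource     = {dblp computer science bibliography, https://dblp.org}
}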

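@misc{umbral,
  author       = {Nu{\~n}ez, David},
  title        = {Umbral: A Threshold Proxy Re-Encryption Scheme},
  howpublished = {NuCypher technical documentation},
  year         = {2018},
  url          = {https://raw.githubusercontent.com/nucypher/umbral-doc/master/umbral-doc.pdf}
}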

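@misc{Egorov2018NuCypherA,
  author       = {Egorov, Michael and Nu{\~n}ez, David and Wilkison, MacLane},
  title        = {{NuCypher}: A Proxy Re-Encryption Network to Empower Privacy in Decentralized Systems},
  howpublished = {NuCypher whitepaper},
  year         = {2018}
}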

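@misc{Ateniese2005ImprovedPR,
  author       = {Ateniese, Giuseppe and Fu, Kevin and Green, Matthew and Hohenberger, Susan},
  title        = {Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage},
  howpublished = {Cryptology ePrint Archive, Report 2005/028},
  year         = {2005},
  url          = {https://eprint.iacr.org/2005/028}
}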

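@article{Nuez2017ProxyRA,
  author        = {Nu{\~n}ez, David and Agudo, Isaac and L{\'o}pez, Javier},
  title         = {Proxy Re-Encryption: Analysis of Constructions and Its Application to Secure Access Delegation},
  journal       = {Journal of Network and Computer Applications},
  volume        = {87},
  pages         = {193--209},
  year          = {2017},
  doi           = {10.1016/j.jnca.2017.03.005},
  internal-note = {duplicate of nun -- keep one key and repoint citations}
}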

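@inproceedings{Reniers2019AnalysisOA,
  author    = {Reniers, Vincent and Van Landuyt, Dimitri and Viviani, Paolo and Lagaisse, Bert and Lombardi, Riccardo and Joosen, Wouter},
  title     = {Analysis of Architectural Variants for Auditable Blockchain-Based Private Data Sharing},
  booktitle = {Proceedings of the 34th {ACM/SIGAPP} Symposium on Applied Computing ({SAC} '19)},
  publisher = {ACM},
  year      = {2019}
}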

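@inproceedings{Widick2019BlockchainBA,
  author    = {Widick, Logan and Ranasinghe, Ishan and Dantu, Ram and Jonnada, Srikanth},
  title     = {Blockchain Based Authentication and Authorization Framework for Remote Collaboration Systems},
  booktitle = {2019 {IEEE} 20th International Symposium on ``A World of Wireless, Mobile and Multimedia Networks'' ({WoWMoM})},
  pages     = {1--7},
  publisher = {IEEE},
  year      = {2019}
}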

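@article{Bernabe2019PrivacyPreservingSF,
  author  = {Bernal Bernabe, Jorge and Canovas, Jose Luis and Hern{\'a}ndez-Ramos, Jos{\'e} L. and Torres Moreno, Rafael and Skarmeta, Antonio F.},
  title   = {Privacy-Preserving Solutions for Blockchain: Review and Challenges},
  journal = {IEEE Access},
  volume  = {7},
  pages   = {164908--164940},
  year    = {2019}
}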

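@misc{cryptoeprint:2018:209,
  author       = {Kokoris-Kogias, Eleftherios and Alp, Enis Ceyhun and Siby, Sandra Deepthy and Gailly, Nicolas and Gasser, Linus and Jovanovic, Philipp and Syta, Ewa and Ford, Bryan},
  title        = {Verifiable Management of Private Data under {Byzantine} Failures},
  howpublished = {Cryptology ePrint Archive, Report 2018/209},
  year         = {2018},
  url          = {https://eprint.iacr.org/2018/209}
}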

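@misc{cryptoeprint:2020:254,
  author       = {Garg, Sanjam and Goldwasser, Shafi and Vasudevan, Prashant Nalini},
  title        = {Formalizing Data Deletion in the Context of the Right to Be Forgotten},
  howpublished = {Cryptology ePrint Archive, Report 2020/254},
  year         = {2020},
  url          = {https://eprint.iacr.org/2020/254}
}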

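@article{Amroudi2017AV,
  author  = {Nakhaei Amroudi, Ali and Zaghain, Ali and Sajadieh, Mahdi},
  title   = {A Verifiable {$(k,n,m)$}-Threshold Multi-Secret Sharing Scheme Based on {NTRU} Cryptosystem},
  journal = {Wireless Personal Communications},
  volume  = {96},
  pages   = {1393--1405},
  year    = {2017}
}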

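@misc{DBLP:journals/corr/abs-1801-10228,
  author        = {Androulaki, Elli and Barger, Artem and Bortnikov, Vita and Cachin, Christian and Christidis, Konstantinos and De Caro, Angelo and Enyeart, David and Ferris, Christopher and Laventman, Gennady and Manevich, Yacov and Muralidharan, Srinivasan and Murthy, Chet and Nguyen, Binh and Sethi, Manish and Singh, Gari and Smith, Keith and Sorniotti, Alessandro and Stathakopoulou, Chrysoula and Vukolic, Marko and Weed Cocco, Sharon and Yellick, Jason},
  title         = {{Hyperledger Fabric}: A Distributed Operating System for Permissioned Blockchains},
  howpublished  = {arXiv preprint},
  year          = {2018},
  eprint        = {1801.10228},
  archiveprefix = {arXiv},
  url           = {http://arxiv.org/abs/1801.10228},
  note          = {Also published in Proceedings of the Thirteenth {EuroSys} Conference ({EuroSys} '18), ACM, doi:10.1145/3190508.3190538},
  bibsource     = {dblp computer science bibliography, https://dblp.org}
}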

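@inproceedings{inproceedingsAzaria,
  author    = {Azaria, Asaph and Ekblaw, Ariel and Vieira, Thiago and Lippman, Andrew},
  title     = {{MedRec}: Using Blockchain for Medical Data Access and Permission Management},
  booktitle = {2016 2nd International Conference on Open and Big Data ({OBD})},
  pages     = {25--30},
  publisher = {IEEE},
  month     = aug,
  year      = {2016},
  doi       = {10.1109/OBD.2016.11}
}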

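@inproceedings{10.1007/978-3-642-16441-5_1,
  author        = {Dent, Alexander W.},
  title         = {A Brief Introduction to Certificateless Encryption Schemes and Their Infrastructures},
  booktitle     = {Public Key Infrastructures, Services and Applications ({EuroPKI} 2009)},
  editor        = {Martinelli, Fabio and Preneel, Bart},
  series        = {Lecture Notes in Computer Science},
  volume        = {6391},
  pages         = {1--16},
  publisher     = {Springer},
  address       = {Berlin, Heidelberg},
  year          = {2010},
  isbn          = {978-3-642-16441-5},
  doi           = {10.1007/978-3-642-16441-5_1},
  abstract      = {Certificateless encryption is a form of public-key encryption that is designed to eliminate the disadvantages of both traditional PKI-based public-key encryption scheme and identity-based encryption. Unlike public-key encryption, there is no requirement for digital certificates or a public-key infrastructure. Unlike identity-based encryption, the trusted third party need not be given the ability to decrypt ciphertexts intended for users. In this invited paper we will review the concept of certificateless encryption from an infrastructure point of view and show that many of the different formulations for ``certificateless'' encryption can be instantiated using public-key infrastructures after all.},
  internal-note = {duplicate of Dent2009 -- keep one key and repoint citations}
}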

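@article{Rajabi,
  author  = {Rajabi, Bahman and Eslami, Ziba},
  title   = {A Verifiable Threshold Secret Sharing Scheme Based on Lattices},
  journal = {Information Sciences},
  volume  = {501},
  year    = {2019},
  doi     = {10.1016/j.ins.2018.11.004},
  note    = {Available online November 2018}
}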

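@inproceedings{10.1145/3140649.3140656,
  author    = {Shafagh, Hossein and Burkhalter, Lukas and Hithnawi, Anwar and Duquennoy, Simon},
  title     = {Towards Blockchain-Based Auditable Storage and Sharing of {IoT} Data},
  booktitle = {Proceedings of the 2017 Cloud Computing Security Workshop ({CCSW} '17), Dallas, Texas, USA},
  pages     = {45--50},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  year      = {2017},
  isbn      = {9781450352048},
  doi       = {10.1145/3140649.3140656},
  keywords  = {security, cloud, time-series, access control, edge, blockchain, iot}
}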

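@misc{DBLP:journals/corr/abs-1802-07344,
  author        = {Sonnino, Alberto and Al-Bassam, Mustafa and Bano, Shehar and Danezis, George},
  title         = {Coconut: Threshold Issuance Selective Disclosure Credentials with Applications to Distributed Ledgers},
  howpublished  = {arXiv preprint},
  year          = {2018},
  eprint        = {1802.07344},
  archiveprefix = {arXiv},
  url           = {http://arxiv.org/abs/1802.07344},
  bibsource     = {dblp computer science bibliography, https://dblp.org}
}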

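@inproceedings{Zyskind2015DecentralizingPU,
  author    = {Zyskind, Guy and Nathan, Oz and Pentland, Alex},
  title     = {Decentralizing Privacy: Using Blockchain to Protect Personal Data},
  booktitle = {2015 {IEEE} Security and Privacy Workshops ({SPW})},
  pages     = {180--184},
  publisher = {IEEE},
  year      = {2015},
  doi       = {10.1109/SPW.2015.27}
}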

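@inproceedings{7695147,
  author    = {Wang, X. A. and Xhafa, F. and Zheng, Z. and Nie, J.},
  title     = {Identity Based Proxy Re-Encryption Scheme ({IBPRE+}) for Secure Cloud Data Sharing},
  booktitle = {2016 International Conference on Intelligent Networking and Collaborative Systems ({INCoS})},
  pages     = {44--48},
  publisher = {IEEE},
  month     = sep,
  year      = {2016},
  doi       = {10.1109/INCoS.2016.83}
}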

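@article{nun,
  author        = {Nu{\~n}ez, David and Agudo, Isaac and L{\'o}pez, Javier},
  title         = {Proxy Re-Encryption: Analysis of Constructions and Its Application to Secure Access Delegation},
  journal       = {Journal of Network and Computer Applications},
  volume        = {87},
  pages         = {193--209},
  month         = jun,
  year          = {2017},
  doi           = {10.1016/j.jnca.2017.03.005},
  internal-note = {duplicate of Nuez2017ProxyRA -- keep one key and repoint citations}
}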

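@misc{cryptoeprint:2007:432,
  author       = {Gentry, Craig and Peikert, Chris and Vaikuntanathan, Vinod},
  title        = {Trapdoors for Hard Lattices and New Cryptographic Constructions},
  howpublished = {Cryptology ePrint Archive, Report 2007/432},
  year         = {2007},
  url          = {https://eprint.iacr.org/2007/432},
  note         = {Also published at {STOC} 2008}
}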

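@inproceedings{10.1007/978-3-642-13190-5_28,
  author    = {Agrawal, Shweta and Boneh, Dan and Boyen, Xavier},
  title     = {Efficient Lattice {(H)IBE} in the Standard Model},
  booktitle = {Advances in Cryptology -- {EUROCRYPT} 2010},
  editor    = {Gilbert, Henri},
  series    = {Lecture Notes in Computer Science},
  volume    = {6110},
  pages     = {553--572},
  publisher = {Springer},
  address   = {Berlin, Heidelberg},
  year      = {2010},
  isbn      = {978-3-642-13190-5},
  doi       = {10.1007/978-3-642-13190-5_28},
  abstract  = {We construct an efficient identity based encryption system based on the standard learning with errors (LWE) problem. Our security proof holds in the standard model. The key step in the construction is a family of lattices for which there are two distinct trapdoors for finding short vectors. One trapdoor enables the real system to generate short vectors in all lattices in the family. The other trapdoor enables the simulator to generate short vectors for all lattices in the family except for one. We extend this basic technique to an adaptively-secure IBE and a Hierarchical IBE.}
}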

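@article{Regev,
  author  = {Regev, Oded},
  title   = {On Lattices, Learning with Errors, Random Linear Codes, and Cryptography},
  journal = {Journal of the ACM},
  volume  = {56},
  number  = {6},
  pages   = {34:1--34:40},
  year    = {2009},
  doi     = {10.1145/1568318.1568324},
  note    = {Preliminary version in {STOC} 2005, pp. 84--93}
}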

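@techreport{euledgers,
  author        = {Finck, Mich{\`e}le},
  title         = {Blockchain and the General Data Protection Regulation: Can Distributed Ledgers Be Squared with {European} Data Protection Law?},
  institution   = {European Parliamentary Research Service, Scientific Foresight Unit},
  number        = {PE 634.445},
  year          = {2019},
  url           = {https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf},
  internal-note = {same study as EPRS2019 -- keep one key and repoint citations}
}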


Published

2024-04-19


Section

Cryptography and Cybersecurity