Proxy Re-encryption

Kevin Fu & Susan Hohenberger

Introduction

In 1998, Blaze, Bleumer, and Strauss (BBS) [2] proposed an application called atomic proxy re-encryption, in which a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We predict that fast and secure re-encryption will become increasingly popular as a method for managing encrypted file systems. Although BBS re-encryption is efficiently computable, its widespread adoption has been hindered by considerable security risks. Following recent work of Ivan and Dodis [3], we present new re-encryption schemes that realize a stronger notion of security, and we demonstrate the usefulness of proxy re-encryption as a method of adding access control to the SFS read-only file system. Performance measurements of our experimental file system demonstrate that proxy re-encryption can work effectively in practice.

Semantics

Proxy re-encryption allows a proxy to transform a ciphertext computed under Alice's public key into one that can be opened by Bob. There are many useful applications of this primitive. For instance, Alice might wish to temporarily forward encrypted email to her colleague Bob without giving him her secret key. In this case, Alice the delegator could designate a proxy to re-encrypt her incoming mail into a format that Bob the delegatee can decrypt using his own secret key. Clearly, Alice could provide her secret key to the proxy, but this requires an unrealistic level of trust in the proxy. We present several efficient proxy re-encryption schemes that offer security improvements over earlier approaches. The primary advantage of our schemes is that they are unidirectional (i.e., Alice can delegate to Bob without Bob having to delegate to her).

Application

We present an application for proxy cryptography in securing distributed file systems.
Our system uses a centralized access control server to manage access to encrypted files stored on distributed, untrusted replicas. We use proxy re-encryption to allow for centrally managed access control without granting full decryption rights to the access control server.

To our knowledge, no experimental implementation of proxy re-encryption schemes has been provided, which makes it difficult to argue about the effectiveness of the proxy re-encryption primitive. In this paper, we provide new protocols with improved security guarantees (based on bilinear maps) and demonstrate their practicality based on runtime experiments.

We outline the characteristics and security guarantees of previously known schemes, and compare them to a suite of improved re-encryption schemes we present over bilinear maps [1]. These pairing-based schemes realize important new features, such as safeguarding the master secret key of the delegator from a colluding proxy and delegatee.

One of the most promising applications for proxy re-encryption is giving proxy capabilities to the key server of a confidential distributed file system; this way the key server need not be fully trusted with all the keys of the system, and the secret storage for each user can also be reduced. We implemented this idea in the context of the Chefs file system [4], and showed experimentally [1] that the additional security benefits of proxy re-encryption can be purchased for a manageable amount of run-time overhead.

We leave open the theoretical problem of finding a proxy re-encryption scheme that does not allow further delegations; that is, Bob (plus the proxy) cannot delegate to Carol what Alice has delegated to him. We also leave open the practical problems of finding more efficient implementations of secure proxy re-encryption schemes, as well as conducting more experimental tests in other applications.

Chefs [4] is part of the SFSRO [5] code base available via CVS from www.fs.net.
Source code for our proxy re-encryption library and file system is available upon email request.

Research Support

Partial support came from Project Oxygen and an Intel Fellowship. This research is in collaboration with the Johns Hopkins University Information Security Institute.

References

[1] Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger. Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage. In Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), February 2005.

[2] M. Blaze, G. Bleumer, and M. Strauss. Divertible protocols and atomic proxy cryptography. In Proceedings of Eurocrypt '98, volume 1403, pages 127-144, 1998.

[3] Y. Dodis and A. Ivan. Proxy cryptography revisited. In Proceedings of the 10th Annual Network and Distributed System Security Symposium (NDSS), February 2003.

[4] Kevin Fu. Integrity and access control in untrusted content distribution networks. PhD thesis. Manuscript, April 2005.

[5] Kevin Fu, M. Frans Kaashoek, and David Mazieres. Fast and secure distributed read-only file system. In ACM Transactions on Computer Systems, Volume 20, Number 1, February 2002, Pages 1-24.

[6] M. Mambo and E. Okamoto. Proxy Cryptosystems: Delegation of the Power to Decrypt Ciphertexts. In IEICE Trans. Fund. Electronics Communications and Computer Science, E80-A/1:54-63, 1997.
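
The BBS-style re-encryption described in the Introduction and Semantics sections, as an added example that is not the authors' library code: a toy ElGamal-based scheme in Python showing the proxy step, and why a bidirectional re-encryption key lets a colluding proxy and delegatee recover the delegator's secret. The group parameters, sample message and function names are constructed for illustration.

```python
import secrets

# Toy parameters (constructed for illustration, far too small for real use):
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (secret, public) with public = g^secret mod p."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    """BBS-style ElGamal variant: (m * g^r, pk^r) = (m * g^r, g^(a*r))."""
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P)) % P, pow(pk, r, P)

def decrypt(sk, ct):
    """Recover g^r = c2^(1/sk), then divide it out of c1."""
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)
    return (c1 * pow(g_r, -1, P)) % P

def rekey(sk_from, sk_to):
    """Re-encryption key b/a mod q; computing it needs both secret keys."""
    return (sk_to * pow(sk_from, -1, Q)) % Q

def reencrypt(rk, ct):
    """Proxy step: (g^(a*r))^(b/a) = g^(b*r); c1 (and so m) is never opened."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)

def demo():
    a, pk_a = keygen()          # Alice, the delegator
    b, pk_b = keygen()          # Bob, the delegatee
    m = 1234                    # constructed sample plaintext in Z_p^*
    rk = rekey(a, b)
    for_bob = reencrypt(rk, encrypt(pk_a, m))
    # Bidirectional: inverting the same key turns Bob's ciphertexts into Alice's.
    for_alice = reencrypt(pow(rk, -1, Q), encrypt(pk_b, m))
    # Collusion: Bob's secret plus the proxy's key yields Alice's secret, a = b / rk.
    recovered_a = (b * pow(rk, -1, Q)) % Q
    return {
        "bob_reads": decrypt(b, for_bob) == m,
        "alice_reads_bobs": decrypt(a, for_alice) == m,
        "alice_key_exposed": recovered_a == a,
    }

if __name__ == "__main__":
    print(demo())
```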