The classical security model assumes that cryptographic algorithms perform exactly as specified. In the real world, however, an adversary may tamper with the execution of an algorithm or plant a backdoor in it. To keep a cryptographic algorithm from revealing user secrets in the presence of such an adversary, the cryptographic reverse firewall has been proposed. A reverse firewall sits between the user's (possibly compromised) computer and the outside world and modifies the messages the user sends and receives. Although it is not a fully trusted third party, it can resist algorithm substitution attacks while preserving the functionality and security of the underlying scheme, thereby adding exfiltration resistance to the original cryptographic algorithm. Some existing public-key encryption algorithms that have been proven secure in the classical model cannot provide message confidentiality once a backdoor is present. Motivated by this, this thesis accomplishes the following five tasks.

(1) Identity-based encryption algorithms have been proven secure only under the classical security model, without considering that an adversary may subvert them. This thesis therefore proposes a reverse firewall for identity-based encryption (IBE-RF). The reverse firewall for the private key generator uses key scalability to re-randomize the system parameters and the user's private key, and the reverse firewall for the sender re-encrypts the ciphertext by re-randomizing the message encryption. Compared with existing reverse firewall and identity-based encryption schemes, our scheme ensures that exposure of the encryption randomness does not leak the user's private information, providing an exfiltration-resistant service for the original scheme.

(2) Certificateless public-key encryption algorithms have likewise been proven secure only under the classical security model, without considering subversion by an adversary. This thesis proposes a reverse firewall for certificateless public-key encryption (CL-PKE-RF). Compared with the existing reverse firewall schemes and the two certificateless public-key encryption schemes, our scheme resists algorithm substitution attacks and also reduces the communication cost. Experimental results show that as the security level increases, the reverse firewall accounts for a smaller proportion of the scheme's running time.

(3) Many keyword-searchable public-key encryption algorithms cannot resist algorithm substitution attacks or keyword guessing attacks by a malicious cloud storage server, and they also have high computational complexity. This thesis proposes a reverse firewall for keyword-searchable public-key encryption (PEKS-RF). Compared with existing searchable encryption schemes, our scheme resists algorithm substitution attacks, chosen keyword attacks, and keyword guessing attacks without requiring a secure channel between users and the cloud server. Experimental results show that our scheme has clear advantages in computation cost and communication cost over related work, so it is secure and efficient in the cloud environment.

(4) Proxy re-encryption algorithms have also been proven secure only under the classical security model, without considering subversion by an adversary. This thesis proposes a reverse firewall for proxy re-encryption (PRE-RF). Compared with existing proxy re-encryption schemes, our scheme resists chosen plaintext attacks and provides message unforgeability, and it additionally achieves "strong" anti-collusion security (collusion between the proxy server and the data recipient cannot leak "weak" keys), anonymity of the re-encryption key (an adversary cannot learn the identities of the data owner and the recipient from the re-encryption key), and exfiltration resistance (an adversary cannot learn the user's private key even if the random numbers are disclosed). Compared with related work, our scheme saves storage space for conversion keys and ciphertexts and reduces the power consumption of the system. At the same time, as the security level increases, the reverse firewall accounts for a smaller proportion of the scheme's running time.

(5) Considering the proxy re-encryption algorithms currently used on resource-constrained IoT sensor devices and the need to improve their security, this thesis proposes a reverse firewall for identity-based proxy re-encryption (IBPRE-RF) applied to multi-access telemedicine data sharing. Our scheme ensures message confidentiality and exfiltration resistance, and it saves storage space for conversion keys and ciphertexts compared with related work. Although our scheme incurs a higher computational cost than identity-based proxy re-encryption algorithms without a reverse firewall, the gap narrows as the security level increases. Experimental results demonstrate that our scheme is suitable for wireless body area networks.

Each chapter also gives the formal definition and security model of the reverse firewall for identity-based encryption, certificateless public-key encryption, keyword-searchable public-key encryption, and proxy re-encryption, and all schemes are implemented with the JPBC library. Experimental results demonstrate that the five reverse firewall schemes effectively provide message confidentiality and prevent information leakage. These schemes have significant application value in the cloud environment.
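As an added illustration of the exfiltration-resistance property the abstract describes (this is example code written for this page, not the thesis's IBE-RF scheme or its JPBC implementation), the following Python shows the re-randomization idea on plain ElGamal in a prime-order subgroup of Z_p^*, which needs no pairing library. A subverted encryptor on the user's machine mounts an algorithm substitution attack: it produces valid ciphertexts but biases its randomness so that the parity of the first component leaks one bit of the user's own secret key per ciphertext. A reverse firewall that knows only the public key multiplies every outgoing ciphertext by a fresh encryption of 1, so the bias (and with it the leak) disappears while the recipient still decrypts correctly. The 64-bit safe-prime group, the parity-based subliminal channel and the 32-bit leak are assumptions chosen for the demonstration, not parameters from the thesis.

```python
"""Added example: a cryptographic reverse firewall for ElGamal (not the thesis's code).

Group: the order-q subgroup of Z_p^* with p = 2q + 1 a safe prime (assumed demo
parameters). Attack: a subverted encryptor leaks secret-key bits through the parity
of c1. Defense: the firewall re-randomizes (c1, c2) using only the public key.
"""
import random
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_prime(n):
    """Deterministic Miller-Rabin; these bases are sufficient for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits=64, seed=2024):
    """Derive a safe prime p = 2q + 1 from a fixed seed; g = 4 = 2^2 is a
    quadratic residue and therefore generates the order-q subgroup."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4


P, Q, G = gen_group()


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encode(m):
    """Toy message encoding: map a small integer into the subgroup as g^m."""
    return pow(G, m, P)


def encrypt(pk, msg, r=None):
    """Honest ElGamal: (g^r, msg * pk^r) with fresh r in [1, q-1]."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), msg * pow(pk, r, P) % P


def decrypt(x, ct):
    c1, c2 = ct
    return c2 * pow(c1, Q - x, P) % P  # c1^(q-x) = c1^(-x) since c1 has order q


def encrypt_subverted(pk, msg, leak_bit):
    """Algorithm substitution attack: resample r until the low bit of c1 equals
    leak_bit. Every output is a valid ciphertext, so the user notices nothing."""
    while True:
        ct = encrypt(pk, msg)
        if (ct[0] & 1) == leak_bit:
            return ct


def leak_key(pk, x, nbits=32):
    """Subverted sender exfiltrates the low nbits of its own secret key x."""
    return [encrypt_subverted(pk, encode(i), (x >> i) & 1) for i in range(nbits)]


def extract(cts):
    """Passive observer on the wire reads the subliminal channel back."""
    return sum((c[0] & 1) << i for i, c in enumerate(cts))


def firewall(pk, ct):
    """Reverse firewall: multiply by a fresh encryption of 1 under randomness s.
    The result encrypts the same message with randomness r + s, so whatever
    structure the subverted encryptor put into r is destroyed."""
    c1, c2 = ct
    s = secrets.randbelow(Q - 1) + 1
    return c1 * pow(G, s, P) % P, c2 * pow(pk, s, P) % P


if __name__ == "__main__":
    x, y = keygen()
    cts = leak_key(y, x)
    print("key bits recovered without firewall:", extract(cts) == (x & 0xFFFFFFFF))
    washed = [firewall(y, c) for c in cts]
    print("still decrypts after firewall:", all(decrypt(x, w) == encode(i) for i, w in enumerate(washed)))
    print("key bits recovered after firewall:", extract(washed) == (x & 0xFFFFFFFF))
```

The firewall never sees the secret key or the plaintext and does not need to trust the user's encryption code; it only needs the scheme to be re-randomizable, which is the same property the IBE-RF sender firewall in the abstract relies on when it re-encrypts ciphertexts.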