Title page for thesis/dissertation etd-0830111-031817
Title
Timed-Release Proxy Conditional Re-Encryption for Cloud Computing (運用於雲端運算中具時間生效機制之代理式條件重加密法)
Department
Year, semester
Language
Degree
Number of pages
94
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2011-07-22
Date of Submission
2011-08-30
Keywords
Timed-Release Scheme, Designated Ciphertext Delegation, Re-Encryption, Data Protection, Cloud Computing
Statistics
This thesis/dissertation has been browsed 5727 times and downloaded 347 times.
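Abstract (translated from the Chinese)
Mobile technology has developed rapidly, and it is now common for us to go online and work on files anytime and anywhere using mobile devices such as notebook computers and smartphones. As the number of personal devices grows, file synchronization becomes more inconvenient; that is, users cannot freely edit the same file on each of their devices. In recent years cloud technology has become very popular, and some new business models have begun to appear. Taking the cloud storage platform Dropbox as an example, users can use the platform to synchronize files across their devices and can also share files with others through it. On the one hand this reduces the loss caused by a lost device; on the other hand it solves the problem that small mobile devices lack the storage space to manage all of a user's files. However, it has been pointed out that Dropbox does not protect files appropriately. Many researchers have previously proposed encryption and decryption protocols, but most of them, when applied to this environment, cannot provide file sharing within the system. Some protocols do provide this function, but the delegator must fully trust the recipient, because these protocols only support sharing all of his files with other users. In some special situations, the file delegator may need to restrict the time at which the recipient can obtain the file contents, but at present no protocol can meet this requirement while also allowing the server to transform specific ciphertexts. We therefore propose, for the cloud environment, a timed-release proxy conditional re-encryption protocol with which users can securely store files in the cloud, share designated files with other users, and set the time at which the recipient can obtain the contents. Finally, we also give formal proofs for the protocol to confirm its security.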
Abstract
Mobile technology is developing very fast, and it is now common for people to fetch or edit files over the Internet from mobile devices such as notebooks and smartphones. Because a user may own several devices, synchronizing a file can be inconvenient, so the user cannot easily edit the same file from all of his devices. Recently, cloud technology has become more and more popular and some new business models have been launched. One of them is the storage platform Dropbox, which can synchronize users' files across their own devices and also allows users to share their files with others. However, it has been pointed out that Dropbox does not protect the privacy of the files well. Many encryption schemes have been proposed in the literature, but most of them do not support secret file sharing when deployed in a cloud environment. Even though some schemes support this property, they only allow a file owner to share all of his files with others. In some situations, the file owner may want to ensure that the receiver cannot decrypt the ciphertext until a specified time arrives. The existing encryption schemes cannot achieve these goals simultaneously. Hence, to cope with these problems, we propose a timed-release proxy conditional re-encryption scheme for cloud computing. Not only are users' files stored safely, but each user can also freely share a desired file with another user. Furthermore, the receiver cannot obtain any information about the file until the chosen time arrives. Finally, we also demonstrate the security of our proposed scheme via formal proofs.
Table of Contents
Thesis Approval Form
Acknowledgements
Abstract (Chinese)
Abstract (English)
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Motivation
1.2 Contributions
1.3 Organization
Chapter 2 Related Works
2.1 Timed-Release Encryption
2.2 Proxy Re-Encryption
2.2.1 The Definition of Proxy Re-Encryption Scheme
2.2.2 Review of Libert-Vergnaud Scheme
2.2.3 Review of Ateniese-Benson-Hohenberger Scheme
Chapter 3 Preliminaries
3.1 Backgrounds
3.1.1 Bilinear Mapping
3.1.2 The Decisional Bilinear Diffie-Hellman Problem
3.1.3 The Decisional Bilinear Diffie-Hellman Assumption
3.2 Definitions
Chapter 4 Our Construction
4.1 The Proposed Scheme
4.2 The Application in Cloud Storage
Chapter 5 Security Proof
Chapter 6 Comparisons
6.1 Properties
6.2 Performance
Chapter 7 Conclusion
Bibliography
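Fulltext
This electronic full text is licensed to users only for personal, non-profit searching, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China, and do not reproduce, distribute, adapt, repost or broadcast it without authorization, to avoid breaking the law.
Thesis access permission: user-defined availability date
Available:
Campus: available
Off-campus: available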


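Printed copies
Public information about printed copies is relatively complete from academic year 102 onward. To look up public information about printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience.
Available: available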
