Edificio de Investigación Ada Byron
C/ Arquitecto Francisco Peñalosa, nº 18
Ampliación Campus de Teatinos. Universidad de Málaga
29071 Málaga (Spain)
Phone: 951952914
Domain of interest and research
- Applied Cryptography
- Security in Cloud Computing
- Cryptography for Cloud Computing and Blockchain
- PhD. in Computer Science, University of Malaga, 2016
- Title of PhD thesis: "New Security Definitions, Constructions and Applications of Proxy Re-Encryption"
- Advisors: Isaac Agudo and Javier Lopez
- ERCIM STM WG Best Thesis Award 2017
- Jornadas Nacionales de Investigación en Ciberseguridad (JNIC) - Best Thesis Award 2017
- M.Sc. in Computer Science, University of Malaga, 2011
- "Proxy Re-Encryption: Analysis of Constructions and its Application to Secure Access Delegation",
Journal of Network and Computer Applications, vol. 87, Elsevier, pp. 193-209, 06/2017.
Impact Factor: 3.500 (Journal Citation Reports, Science Edition, Thomson Reuters, 2016)
This paper analyzes the secure access delegation problem, which occurs naturally in the cloud, and postulates that Proxy Re-Encryption is a feasible cryptographic solution, both from the functional and efficiency perspectives. Proxy re-encryption is a special type of public-key encryption that permits a proxy to transform ciphertexts from one public key to another, without the proxy being able to learn any information about the original message. Thus, it serves as a means for delegating decryption rights, opening up many possible applications that require delegated access to encrypted data. In particular, sharing information in the cloud is a prime example. In this paper, we review the main proxy re-encryption schemes so far, and provide a detailed analysis of their characteristics. Additionally, we also study the efficiency of selected schemes, both theoretically and empirically, based on our own implementation. Finally, we discuss some applications of proxy re-encryption, with a focus on secure access delegation in the cloud.
- "On the Application of Generic CCA-Secure Transformations to Proxy Re-Encryption",
Security and Communication Networks, vol. 9, issue 12, Wiley, pp. 1769-1785, 08/2016.
Impact Factor: 1.067 (Journal Citation Reports, Science Edition, Thomson Reuters, 2016)
Several generic methods exist for achieving chosen-ciphertext attack (CCA)-secure public-key encryption schemes from weakly secure cryptosystems, such as the Fujisaki–Okamoto and REACT transformations. In the context of proxy re-encryption (PRE), it would be desirable to count on analogous constructions that allow PRE schemes to achieve better security notions. In this paper, we study the adaptation of these transformations to proxy re-encryption and find both negative and positive results. On the one hand, we show why it is not possible to directly integrate these transformations with weakly secure PRE schemes because of general obstacles coming from both the constructions themselves and the security models, and we identify 12 PRE schemes that exhibit these problems. On the other hand, we propose an extension of the Fujisaki–Okamoto transformation for PRE, which achieves a weak form of CCA security in the random oracle model, and we describe the sufficient conditions for applying it.
- "A Parametric Family of Attack Models for Proxy Re-Encryption",
28th IEEE Computer Security Foundations Symposium, IEEE Computer Society, pp. 290-301, 07/2015.
Proxy Re-Encryption (PRE) is a type of Public-Key Encryption (PKE) which provides an additional re-encryption functionality. Although PRE is inherently more complex than PKE, attack models for PRE have not been developed further than those inherited from PKE. In this paper we address this gap and define a parametric family of attack models for PRE, based on the availability of both the decryption and re-encryption oracles during the security game. This family enables the definition of a set of intermediate security notions for PRE that ranges from "plain" IND-CPA to "full" IND-CCA. We analyze some relations among these notions of security, and in particular, the separations that arise when the re-encryption oracle leaks re-encryption keys. In addition, we discuss which of these security notions represent meaningful adversarial models for PRE. Finally, we provide an example of a recent "CCA1-secure" scheme from PKC 2014 whose security model does not capture chosen-ciphertext attacks through re-encryption and for which we describe an attack under a more realistic security notion. This attack emphasizes the fact that PRE schemes that leak re-encryption keys cannot achieve strong security notions.
- "NTRUReEncrypt: An Efficient Proxy Re-Encryption Scheme Based on NTRU",
10th ACM Symposium on Information, Computer and Communications Security (AsiaCCS), pp. 179-189, 04/2015.
The use of alternative foundations for constructing more secure and efficient cryptographic schemes is a topic worth exploring. In the case of proxy re-encryption, the vast majority of schemes are based on number theoretic problems such as the discrete logarithm. In this paper we present NTRUReEncrypt, a new bidirectional and multihop proxy re-encryption scheme based on NTRU, a widely known lattice-based cryptosystem. We provide two versions of our scheme: the first one is based on the conventional NTRU encryption scheme and, although it lacks a security proof, remains as efficient as its predecessor; the second one is based on a variant of NTRU proposed by Stehlé and Steinfeld, which is proven CPA-secure under the hardness of the Ring-LWE problem. To the best of our knowledge, our proposals are the first proxy re-encryption schemes to be based on the NTRU primitive. In addition, we provide experimental results to show the efficiency of our proposal, as well as a comparison with previous proxy re-encryption schemes, which confirms that our first scheme outperforms the rest by an order of magnitude.
- "BlindIdM: A Privacy-Preserving Approach for Identity Management as a Service",
International Journal of Information Security, vol. 13, issue 2, Springer, pp. 199-215, 2014.
Impact Factor: 0.963 (Journal Citation Reports, Science Edition, Thomson Reuters, 2014)
Identity management is an almost indispensable component of today's organizations and companies, as it plays a key role in authentication and access control; however, at the same time it is widely recognized as a costly and time-consuming task. The advent of cloud computing technologies, together with the promise of flexible, cheap and efficient provision of services, has provided the opportunity to externalize such a common process, shaping what has been called Identity Management as a Service (IDaaS). Nevertheless, as in the case of other cloud-based services, IDaaS brings with it great concerns regarding security and privacy, such as the loss of control over the outsourced data. In this paper we analyze these concerns and propose BlindIdM, a model for privacy-preserving IDaaS with a focus on data privacy protection. In particular, we describe how a SAML-based system can be augmented to employ proxy re-encryption techniques for achieving data confidentiality with respect to the cloud provider, while preserving the ability to supply the identity service. This is an innovative contribution to both the privacy and identity management landscapes.
- "Integrating OpenID with Proxy Re-Encryption to enhance privacy in cloud-based identity services",
IEEE CloudCom 2012, IEEE Computer Society, pp. 241-248, Dec 2012.
The inclusion of identity management in the cloud computing landscape represents a new business opportunity for providing what has been called Identity Management as a Service (IDaaS). Nevertheless, IDaaS introduces the same kind of problems regarding privacy and data confidentiality as other cloud services; on top of that, the nature of the outsourced information (users' identity) is critical. Traditionally, cloud services (including IDaaS) rely only on SLAs and security policies to protect the data, but these measures have proven insufficient in some cases; recent research has employed advanced cryptographic mechanisms as an additional safeguard. Apart from this, there are several identity management schemes that could be used for realizing IDaaS systems in the cloud; among them, OpenID has gained growing popularity because of its open and decentralized nature, which makes it a prime candidate for this task. In this paper we demonstrate how a privacy-preserving IDaaS system can be implemented using OpenID Attribute Exchange and a proxy re-encryption scheme. Our prototype enables an identity provider to serve attributes to other parties without being able to read their values. This proposal constitutes a novel contribution to both privacy and identity management fields. Finally, we discuss the performance and economical viability of our proposal.
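The abstracts above describe proxy re-encryption in the abstract (a proxy turns a ciphertext under one public key into a ciphertext under another without learning the plaintext) and, in the BlindIdM and OpenID papers, an identity provider that serves attributes it cannot read. The following is an added example, not code from the page's author or from any of the papers listed: a toy implementation of the classic ElGamal-based bidirectional scheme of Blaze, Bleumer and Strauss (BBS98), followed by a constructed attribute-delivery flow in which the identity provider plays the proxy. The group parameters (p = 1019, q = 509, g = 4), the hybrid one-time-pad encoding of the attribute, the function names and the scenario itself are assumptions made for readability; the parameters are far too small to be secure, and the scheme's well-known collusion weakness (delegatee plus proxy recover the delegator's key) is shown on purpose, since it is one reason the surveyed literature moved to unidirectional, collusion-resistant schemes.

```python
import hashlib
import secrets

# Toy group parameters (assumption, for readability only, NOT secure):
# safe prime P = 2*Q + 1, and G = 4 generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4


def _rand_exponent() -> int:
    """Uniform non-zero exponent modulo Q."""
    return secrets.randbelow(Q - 1) + 1


def _kdf(k: int) -> bytes:
    """Derive a 32-byte pad from the encapsulated group element k."""
    return hashlib.sha256(k.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def keygen() -> tuple:
    """Secret key a, public key g^a mod p."""
    a = _rand_exponent()
    return a, pow(G, a, P)


def encrypt(pk: int, msg: bytes) -> tuple:
    """BBS98-style encryption in hybrid form.

    A fresh group element k = g^s is encapsulated as (c1, c2) = (k * g^r, pk^r),
    i.e. c2 = g^(a*r); the message (at most 32 bytes) is XORed with H(k).
    """
    assert len(msg) <= 32, "toy example: one-time pad of a single SHA-256 output"
    r = _rand_exponent()
    k = pow(G, _rand_exponent(), P)
    c1 = (k * pow(G, r, P)) % P
    c2 = pow(pk, r, P)
    c3 = bytes(x ^ y for x, y in zip(msg, _kdf(k)))
    return c1, c2, c3


def decrypt(sk: int, ct: tuple) -> bytes:
    """Recover g^r = c2^(1/a) (exponent inverse mod q), then k = c1 / g^r, then unpad."""
    c1, c2, c3 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)
    k = (c1 * pow(g_r, -1, P)) % P
    return bytes(x ^ y for x, y in zip(c3, _kdf(k)))


def rekey(sk_from: int, sk_to: int) -> int:
    """Re-encryption key rk = b/a mod q.

    In BBS98 this needs both secrets (or an interactive protocol between the
    two parties); the proxy itself never receives either secret key.
    """
    return (sk_to * pow(sk_from, -1, Q)) % Q


def reencrypt(rk: int, ct: tuple) -> tuple:
    """Proxy step: raise c2 = g^(a*r) to b/a, giving g^(b*r).

    c1 and c3 pass through untouched, so the proxy never handles k or the
    plaintext; the result is a valid ciphertext under the delegatee's key.
    """
    c1, c2, c3 = ct
    return c1, pow(c2, rk, P), c3


def collude(sk_to: int, rk: int) -> int:
    """Known weakness of bidirectional BBS98: the delegatee and the proxy
    together recover the delegator's secret, since a = b * rk^-1 mod q."""
    return (sk_to * pow(rk, -1, Q)) % Q


def blind_idp_flow(attribute: bytes) -> bytes:
    """Constructed scenario in the spirit of the BlindIdM abstract: the user's
    home domain encrypts an attribute under the user's key, the cloud identity
    provider stores only that ciphertext plus a re-encryption key towards the
    service provider, and forwards a re-encrypted copy it cannot read itself."""
    sk_user, pk_user = keygen()
    sk_sp, pk_sp = keygen()
    stored_at_idp = encrypt(pk_user, attribute)          # all the IdP ever sees
    rk_user_to_sp = rekey(sk_user, sk_sp)                # set up out of band
    delivered = reencrypt(rk_user_to_sp, stored_at_idp)  # the IdP's only operation
    return decrypt(sk_sp, delivered)                     # the SP reads the value


if __name__ == "__main__":
    sk_a, pk_a = keygen()
    sk_b, pk_b = keygen()
    ct = encrypt(pk_a, b"hello, bob")
    rk = rekey(sk_a, sk_b)
    print(decrypt(sk_b, reencrypt(rk, ct)))   # b'hello, bob'
    print(collude(sk_b, rk) == sk_a)          # True
    print(blind_idp_flow(b"email=alice@example.org"))
```

Two points the code makes concrete: the proxy's whole job is one modular exponentiation on the key-dependent component, and the re-encrypted ciphertext is indistinguishable from a fresh encryption under the delegatee's key (same randomness r, same pad), which is what lets the service provider decrypt with an ordinary key. The collusion function is the flip side of the bidirectional design: because rk = b/a, anyone holding b and rk learns a, so in the identity setting a service provider that conspires with the cloud IdP would recover the user's key. Unidirectional schemes in the surveyed literature close exactly that gap.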
The following is a list of relevant software developments. More can be found on my GitHub profile.
- Java prototype of NTRUReEncrypt, a fast proxy re-encryption scheme based on NTRU
- NICS Crypto library
- Integration of OpenID with Proxy Re-Encryption
- Proxy Re-Encryption schemes in Charm
Attended Courses and Seminars
- First IFIP WG 11.11 Summer School on Trust Management 2011 - Copenhagen, Denmark
- Intensive Program on Information Communication Security (IPICS) 2010 - Samos, Greece
- IEEE student member.
- Active member of the Cryptography Stack Exchange community
- Invited Reviewer in Journals:
- IEEE Transactions on Information Forensics and Security
- ACM Transactions on Information and System Security
- Information Sciences
- Pervasive and Mobile Computing
- Security and Communication Networks
- Computers & Electrical Engineering
- Computer Standards & Interfaces
- IEEE Wireless Communications Magazine
- Ad Hoc Networks
- Electronic Commerce Research
- Journal of Information Security and Applications
- Information Security Journal: A Global Perspective
- External Reviewer in Conferences:
- 2016: ESORICS 2016, DBSEC 2016, ARES 2016, TRUSTCOM 2016
- 2015: ESORICS 2015, FPS 2015, IFIP-SEC 2015, ARES 2015, DPM 2015, ISC 2015, NSS 2015, SECRYPT 2015, SPC 2015, STM 2015
- 2014: ACNS 2014, ESORICS 2014, ISPEC 2014, SECRYPT 2014
- 2013: ACNS 2013, ESORICS 2013, CT-RSA 2013, SAFECOMP 2013, CloudCom 2013, DPM 2013, SECURECOMM 2013
- 2012: ESORICS 2012, IFIP-SEC 2012, SECRYPT 2012, ACNS 2012, ESSOS 2012, SPCIS 2012, CloudCom 2012, DBSEC 2012
- 2011: ESORICS 2011, ISPEC 2011