Unconditionally Secure Revocable Storage: Tight Bounds, Optimal Construction, and Robustness

Data stored in cloud storage sometimes requires long-term security due to its sensitivity (e.g.,genome data), and therefore, it also requires flexible access control for handling entities who canuse the data. Broadcast encryption can partially provide such flexibility by specifying privilegedreceivers so that only they can decrypt a ciphertext. However, once privileged receivers arespecified, they can be no longer dynamically added and/or removed. In this paper, we proposea new type of broadcast encryption which provides long-term security and appropriate accesscontrol, which we call unconditionally secure revocable-storage broadcast encryption (RS-BE).In RS-BE, privileged receivers of a ciphertext can be dynamically updated without revealingany information on the underlying plaintext. Specifically, we define a model and security ofRS-BE, derive tight lower bounds on sizes of secret keys required for secure RS-BE, and proposea construction of RS-BE which meets all of these bounds. Our lower bounds can be appliedto traditional broadcast encryption. Furthermore, to detect an improper update, we considersecurity against modification attacks to a ciphertext, and present a concrete construction secureagainst this type of attacks.