05/06/2022

    Advanced encryption scheme to increase cloud computing securityIntelligent encryptionNTT Social Informatics Laboratories

    Overview

    Intelligent encryption is an entirely new type of "fine-grained" encryption that can incorporate advanced logic into the encryption and decryption mechanism, providing granular control over data transmission and reception.
    For example, this enables setting of conditions in the data such as "this document is viewable only by general managers or section managers in the human resources department," which will facilitate the distribution of sensitive information in the cloud.
    Cryptography has a history of generational changes as networks evolve, and intelligent cryptography is the third generation of cryptography for the cloud era (Figure 1).

    Advantages of this technology

    • This prevents information from being leaked even if the ciphertext is distributed in the cloud and accessed by an unspecified number of people. This is because decryption conditions, such as "viewable only by general managers or section managers in the human resources department," are embedded in the ciphertext logic so that only those who satisfy the pre-set conditions can view the document.
    • The sender can encrypt only on the condition of who can decrypt. Conventional cryptography requires the recipient's key to be received at the time of encryption, but this is not necessary.
    • The recipient can receive the decryption key at any time. Therefore, even if the recipient's attributes such as affiliation or position change after the sender has created the ciphertext, it can be decrypted based on the changed attributes.

    Explanatory chart

    Technical explanation

    Intelligent encryption can specify "encryption-decryption" logic by introducing various parameters (attributes and conditional expressions) into the ciphertext and decryption key. Specifically, it is possible to incorporate "attribute information in the decryption key and conditional expressions in ciphertext," or "attribute information in ciphertext and conditional expressions in the decryption key."
    Figure 2 shows an example of using "attribute information in the decryption key and conditional expressions in ciphertext." In this example, we create Document A that is allowed to be viewed only by all general managers and section managers of the Human Resources department, and encrypt it with the conditional expression "general manager OR (human resources department AND section manager)" before storing it in the cloud environment (1). This enables a system in which Document A can be decrypted and accessed (2) when a section manager in the Human Resources department accesses the cloud environment using his or her decryption key (distributed in advance as an employee card or ID card (*)). Furthermore, if there a transfer takes place after the ciphertext is saved, the decryption key can be updated(*) to allow the user to view the document.
    In the past, access control in this way was achieved by logging in to a computer system using a user name and password. By replacing this with an intelligent encryption system, the document itself can restrict the disclosure of information without the need for an access control system. This will enable the ciphertext to be stored in open spaces, such as the cloud, and is expected to increase convenience and scalability.

    Department in charge

    NTT Social Informatics Laboratories - Information Security Technology Research Project

    Related content