One major barrier to adoption of cloud services and storage is concern over privacy and security issues. In other words, the concern is about maintaining the confidentiality and the integrity of private data when that data is being stored in a public cloud. For example, unless they choose to host their own private cloud, hospitals and medical practitioners face the challenge of outsourcing the storage and handling of their patients' data in a private, reliable, and secure way that complies with government regulations for handling sensitive data and protecting privacy.
At least one existing architecture uses cryptographic cloud storage to address this problem. This architecture uses existing and emerging cryptographic building blocks such as searchable encryption, attribute-based encryption (ABE), and proofs of storage. In an ABE-based approach, the owner of the data can give each potential recipient a decryption key that allows them to decrypt only those documents that satisfy a given policy. However, this technique has several disadvantages, including that changing the access policy requires distributing new keys to all affected recipients, and that revoking access rights requires changing the master key and downloading and re-encrypting all messages.
Using ABE is essentially a way to do key management by outsourcing key management to the cloud according to a pre-specified policy for handling of encrypted data. The policy specification itself is not private, though. The policy may contain sensitive information, so once the policy is known it leaks information about the data. This is undesirable in some applications. For example, imagine a scenario in which a company or an individual wishes to set up a private policy for how to handle its sensitive data. This policy would determine the parties that would read the data, such that leaking the policy would reveal information about the parties, the type of data, and the preferences of the data owner.
Some approaches have the server implement the access policy, and then translate incoming ciphertexts into ciphertexts readable by the recipients. Of course, this should be done without allowing the server to actually decrypt any ciphertexts. This is called proxy re-encryption, which allows a server to translate messages intended for the data owner into messages intended for a given recipient. Proxy re-encryption has two problems, however. First, it is not possible to choose an appropriate recipient based on the encrypted message. Second, it is not possible to do this without revealing the access policy to the server.
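The following is an added example, not part of the original text: a toy proxy re-encryption scheme in the style of Blaze, Bleumer and Strauss (an assumption, since the text names no particular scheme), in which a server translates the owner's ciphertexts for a recipient without decrypting them. The `ProxyServer` class, the labels, the recipient names and the tiny group parameters are constructed for illustration; the server has to route on a cleartext label and hold the policy in the clear, which are the two problems described above.

```python
# Toy proxy re-encryption, ElGamal-style. Parameters are far too small for real use.
import secrets

P, Q, G = 2039, 1019, 4   # safe prime P = 2Q + 1; G generates the order-Q subgroup

def keygen():
    sk = secrets.randbelow(Q - 1) + 1                 # secret exponent in 1..Q-1
    return sk, pow(G, sk, P)

def encrypt(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P)) % P, pow(pk, r, P)      # (m * g^r, g^(a*r))

def decrypt(sk, ct):
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)                  # strip the key from g^(sk*r)
    return (c1 * pow(g_r, -1, P)) % P

def rekey(sk_owner, sk_recipient):
    # b / a mod Q. In this scheme the re-key is derived from both secret keys.
    return (sk_recipient * pow(sk_owner, -1, Q)) % Q

def reencrypt(rk, ct):
    c1, c2 = ct
    return c1, pow(c2, rk, P)                         # g^(a*r) -> g^(b*r), no decryption

class ProxyServer:
    """Hypothetical server: holds re-keys and the access policy."""
    def __init__(self, rekeys, policy):
        self.rekeys = rekeys    # recipient -> re-encryption key
        self.policy = policy    # cleartext label -> recipients, readable by the server

    def forward(self, label, ct):
        # The ciphertext is opaque to the server, so routing depends on a
        # cleartext label supplied alongside it, not on the encrypted message.
        return {who: reencrypt(self.rekeys[who], ct) for who in self.policy.get(label, [])}

def demo():
    owner_sk, owner_pk = keygen()
    bob_sk, _ = keygen()
    carol_sk, _ = keygen()
    server = ProxyServer(
        rekeys={"bob": rekey(owner_sk, bob_sk), "carol": rekey(owner_sk, carol_sk)},
        policy={"cardiology": ["bob"], "billing": ["carol"]},   # constructed labels
    )
    out = server.forward("cardiology", encrypt(owner_pk, 1234))
    return decrypt(bob_sk, out["bob"]), sorted(out)
```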