Thematic Area

Enabling Secure Access Control to Encrypted Data

A central challenge in the era of cloud computing is enabling users to outsource data storage and computation to powerful third-party servers without sacrificing confidentiality. Standard encryption protects data at rest but breaks essential functionality such as searching or selective sharing. Our research has consistently expanded the frontier of what is possible, developing advanced cryptographic techniques that restore rich functionality on encrypted data securely and efficiently. Our track record shows a clear trajectory of identifying fundamental limitations in existing schemes and introducing new paradigms that overcome them.

Contribution

Optimal Multi-Client Searchable Encryption

Classic searchable symmetric encryption (SSE) provides sublinear search for a single data owner (reader). Public-key searchable encryption (PKSE) lets anyone with the reader's public key add searchable ciphertexts, so writers act independently with no shared index, and the server therefore performs linear work per query.

To bridge this gap, we introduced hybrid searchable encryption (HSE) [WC@USS22], which achieves sublinear search while enabling multiple writers via a writer-maintained index and structured updates, and we built an identity-coupling key-aggregate encryption (KAE) scheme that keeps per-user keys compact.

As an alternative formulation of sublinear multi-writer searchable encryption, we then introduced Delegatable Searchable Encryption (DSE) [WC@NDSS24]. In DSE, the owner issues per-keyword delegations that let authorized users generate search and update tokens. A single delegation sets up a secure collaboration channel and supports key-management features such as revocation via key or epoch rotation, while preserving forward privacy. After HSE achieved sublinear search with multiple writers, DSE achieves it for the full multi-writer and multi-reader setting, removes HSE's extra traversal, and reduces public-key operations by shifting most work to symmetric primitives, yielding a simpler and more scalable foundation.

Together, HSE and DSE resolve, to our knowledge, a two-decade open problem in searchable encryption, combining sublinear search with multi-writer (and multi-reader) support and forward privacy under the stated system model, and define an access-control–based paradigm beyond SSE and PKSE.

Contribution

Practical and General Access Control Encryption

Another line of work improves access control encryption (ACE). Beyond read access control, ACE enforces write access control: every outgoing message must pass through a "blindfolded" sanitizer that cannot see the plaintext or the communicating parties, yet certifies that the message follows the policy and strips any subliminal channels. This stops a malware-infected device from leaking data by writing outside its allowed scope.

Before our work, ACE for arbitrary policies relied on heavy tools such as indistinguishability obfuscation or randomized functional encryption. Our work [WC@SP21] introduced a generic ACE framework that avoids those tools, simultaneously achieving:

  • Efficiency: Constant-size ciphertexts, independent of user count.
  • Expressiveness: Support for fine-grained access control across all pairs of users.
  • Practicality: Real-world viability, with performance in seconds even for thousands of receivers.

Our follow-up works make ACE post-quantum secure [WWC@ACNS21] and even information-theoretically secure [LC@ISIT23].

Additional Contributions

Systems-Driven Advances

Our work also includes improving the expressiveness of queries, including content-based image retrieval [LZWCDCL@Infocom18], skyline queries [WDC@DASFAA20], and range queries [WC@PETS22]. We also designed storage-efficient volume-hiding encrypted multi-maps to protect data access patterns [WC@DBSec21] (Best Student Paper Award).

Our work on Password-Hardened Encryption (PHE) [LERCMS@USS18] introduced a simple, deployable method to protect data from offline dictionary attacks in systems where users authenticate with low-entropy passwords.

Foundational Contributions

Core Theoretical Advances

Our work has advanced the theory of modern cryptographic systems by designing the first communication-efficient multi-client oblivious RAM with insider security [CFLM@AsiaCrypt20]. In identity-based cryptography, we developed anonymous hierarchical IBE from broader assumptions [HC@ACNS23] and analyzed the security boundaries of the widely used dual system encryption proof technique [YZC@ACNS22], strengthening the formal guarantees that remain under practical side-channel considerations.

References

Selected Publications

  1. [WC@NDSS24] Jiafan Wang, Sherman S. M. Chow.
    Unus pro omnibus: Multi-Client Searchable Encryption via Access Control.
    Network and Distributed System Security Symposium (NDSS) 2024.
  2. [HC@ACNS23] Huangting Wu, Sherman S. M. Chow.
    Anonymous (Hierarchical) Identity-Based Encryption from Broader Assumptions.
    Applied Cryptography and Network Security (ACNS) 2023.
  3. [LC@ISIT23] Cheuk Ting Li, Sherman S. M. Chow.
    Unconditionally Secure Access Control Encryption.
    IEEE International Symposium on Information Theory (ISIT) 2023.
  4. [WC@USS22] Jiafan Wang, Sherman S. M. Chow.
    Omnes pro uno: Practical Multi-Writer Encrypted Database.
    Usenix Security 2022.
  5. [WC@PETS22] Jiafan Wang, Sherman S. M. Chow.
    Forward and Backward-Secure Range-Searchable Symmetric Encryption.
    Proceedings on Privacy Enhancing Technologies (PoPETs) 2022.
  6. [YZC@ACNS22] Tsz Hon Yuen, Cong Zhang, Sherman S. M. Chow.
    Don't Tamper with Dual System Encryption (Beyond Polynomial Related-Key Security of IBE).
    Applied Cryptography and Network Security (ACNS) 2022.
  7. [WC@DBSec21] Jiafan Wang, Sherman S. M. Chow.
    Simple Storage-Saving Structure for Volume-Hiding Encrypted Multi-maps (A Slot in Need is a Slot Indeed).
    IFIP Data and Applications Security and Privacy (DBSec) 2021.
  8. [WWC@ACNS21] Xiuhua Wang, Harry W. H. Wong, Sherman S. M. Chow.
    Access Control Encryption from Group Encryption.
    Applied Cryptography and Network Security (ACNS) 2021.
  9. [WC@SP21] Xiuhua Wang, Sherman S. M. Chow.
    Cross-Domain Access Control Encryption: Arbitrary-policy, Constant-size, Efficient.
    IEEE Symposium on Security and Privacy (S&P) 2021.
  10. [CFLM@AsiaCrypt20] Sherman S. M. Chow, Katharina Fech, Russell W. F. Lai, Giulio Malavolta.
    Multi-client Oblivious RAM with Poly-logarithmic Communication.
    IACR Advances in Cryptology -- AsiaCrypt 2020.
  11. [WDC@DASFAA20] Jiafan Wang, Minxin Du, Sherman S. M. Chow.
    Stargazing in the Dark: Secure Skyline Queries with SGX.
    Database Systems for Advanced Applications (DASFAA) 2020.
    (Best In-Session Presentation Award)
  12. [LERCMS@USS18] Russell W. F. Lai, Christoph Egger, Manuel Reinert, Sherman S. M. Chow, Matteo Maffei, Dominique Schröder.
    Simple Password-Hardened Encryption Services.
    Usenix Security 2018.
  13. [LZWCDCL@Infocom18] Minghui Li, Mingxue Zhang, Qian Wang, Sherman S. M. Chow, Minxin Du, Yanjiao Chen, Chenliang Li.
    InstantCryptoGram: Secure Image Retrieval Service.
    IEEE Conference on Computer Communications (INFOCOM) 2018.

Contact

Get in touch

Email: [firstname]@ie.cuhk.edu.hk