Theoretical Computer Science. Proxy-invisible CCA-secure type-based proxy re-encryption without random oracles


Theoretical Computer Science 491 (2013)

Proxy-invisible CCA-secure type-based proxy re-encryption without random oracles

Jae Woo Seo a, Dae Hyun Yum b,*, Pil Joong Lee a
a Information Security Lab., Department of Electrical Engineering, POSTECH, Pohang, Gyungbuk, Republic of Korea
b Department of Information and Communication Engineering, Myongji University, Yongin, Gyeonggi-do, Republic of Korea

Article history: Received 23 June 2011; Received in revised form 8 April 2012; Accepted 6 November 2012; Communicated by X. Deng

Keywords: Public key encryption; Type-based proxy re-encryption; Proxy invisibility; Chosen-ciphertext security

Abstract. In a proxy re-encryption (PRE) scheme, a delegator gives a re-encryption key to a semi-trusted proxy who, by using the re-encryption key, can transform a ciphertext encrypted under the delegator's public key into one that can be decrypted using the private key of another user (called a delegatee). To provide fine-grained delegation, type-based PRE (TB-PRE) was introduced, in which the decryption right can be selectively delegated. The proxy in TB-PRE can only re-encrypt ciphertexts of a specific type selected by the delegator. Tang proposed the first proxy-invisible TB-PRE scheme, where proxy invisibility means that an adversary cannot distinguish between original ciphertexts and re-encrypted ciphertexts. However, Tang's scheme is only secure against chosen-plaintext attacks. Jia et al. proposed a proxy-invisible TB-PRE scheme that is secure against chosen-ciphertext attacks under the random oracle heuristic. To date, there is no TB-PRE scheme achieving both proxy invisibility and chosen-ciphertext security in the standard model (i.e., without random oracles). We propose the first proxy-invisible TB-PRE scheme that is secure against chosen-ciphertext attacks in the standard model.

© 2012 Elsevier B.V. All rights reserved.
1. Introduction

A proxy re-encryption (PRE) scheme [4,,7] allows a semi-trusted proxy to re-encrypt a ciphertext encrypted under one key into an encryption of the same plaintext under another key, without learning any information about the message it re-encrypts. PRE schemes have been used in various applications such as remote file storage [], digital rights management [5], access control systems [3], social network or mailing list services [8,5], anonymous routing protocols [20,23], and revocation systems [26,22]. PRE schemes can be classified into two categories according to the direction of delegation: bidirectional and unidirectional. A PRE scheme is called bidirectional if a re-encryption key can be used not only to convert ciphertexts from a delegator to a delegatee but also vice versa. Bidirectional PRE schemes are only useful when the trust relationship between a delegator and a delegatee is mutual. On the contrary, unidirectional PRE schemes do not allow the re-encryption key to be used for converting ciphertexts from a delegatee to a delegator, and thus can be adopted even when the trust relationship is not mutual. Note also that bidirectional schemes can be constructed from unidirectional schemes. PRE schemes can also be classified into single-hop and multi-hop. A ciphertext in a single-hop PRE scheme can be re-encrypted only once, while that of a multi-hop PRE scheme can be re-encrypted many times; the construction of a multi-hop unidirectional PRE scheme is known to be an open problem. We focus on single-hop unidirectional schemes.

This work was supported by the 2012 Research Fund of Myongji University, IT Consilience Creative Program (C ) and ITRC (NIPA-2012-H ) of MKE and NIPA.
* Corresponding author. E-mail addresses: jwseo@postech.ac.kr (J.W. Seo), dhyum@mju.ac.kr (D.H. Yum), pjl@postech.ac.kr (P.J. Lee).
/$ – see front matter © 2012 Elsevier B.V. All rights reserved. doi:10.1016/j.tcs

The decryption right of PRE is delegated in an all-or-nothing manner; the proxy can transform any ciphertext encrypted under the delegator's public key into one under the delegatee's public key. However, there are applications where the delegator wants to delegate the decryption right for only a subset of ciphertexts. For example, when Alice, on vacation, wants to delegate to Bob the decryption right for the encrypted e-mails with the keyword "urgent", the all-or-nothing delegation is not enough. Type-based PRE (TB-PRE) [2,4] provides fine-grained delegation, where a re-encryption key can transform only ciphertexts with a specific type (e.g., a keyword). In other words, the delegator categorizes messages into different subsets (according to types) and is able to delegate the decryption right for each subset separately. In the literature, TB-PRE is also referred to as conditional PRE [24,25,0], where a condition is equivalent to a type. Fine-grained delegation according to time periods was studied in temporary PRE [,6,7]. In privacy-sensitive contexts, proxy invisibility (also called ciphertext privacy) is a valuable attribute, which requires that all re-encrypted ciphertexts be indistinguishable from ciphertexts originally generated for the delegatee. Tang [2] introduced the first proxy-invisible TB-PRE scheme that is secure against chosen-plaintext attacks (CPA). Jia et al. [4] proposed a proxy-invisible TB-PRE scheme that is secure against chosen-ciphertext attacks (CCA) in the random oracle model.
Whereas the random oracle methodology [3], which assumes public oracle access to a truly random function, is a useful tool for designing a cryptosystem, the security of a cryptosystem proven in the random oracle model does not guarantee its security in the real world where random oracles do not exist; several uninstantiable random-oracle-model cryptosystems [6,9,2,2,9] are secure in the random oracle model but are provably insecure under any actual instantiation of the oracle. Jia et al. [4] left the construction of proxy-invisible TB-PRE without random oracles as an open problem.

In this work, we propose a TB-PRE scheme that achieves both standard-model CCA security (i.e., without random oracles) and proxy invisibility. To satisfy the two security notions simultaneously, our construction is based on the ideas of the first standard-model CCA-secure (non-type-based) PRE scheme [6] and the fully secure anonymous identity-based encryption scheme []. In [6], the CHK methodology [7] and the blind exponentiation technique, which re-randomizes ciphertexts via a blinding factor, are employed for standard-model CCA security. We use these techniques to achieve standard-model CCA security. In [], the private key generator of an identity-based encryption scheme combines the master key and an identity in the form of an inverse for anonymity. Similarly, to generate a re-encryption key, we combine the delegator's private key and a type into an inverse form for proxy invisibility. The security proof of the proposed scheme is given in a formal security model.

2. Preliminaries

2.1. Bilinear maps

Let $\mathbb{G}$ and $\mathbb{G}_T$ be two (multiplicative) cyclic groups of prime order $p$. An (admissible) bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ between these two groups should satisfy the following properties:
1. Bilinear: $e(g^a, h^b) = e(g, h)^{ab}$ for all $g, h \in \mathbb{G}$ and $a, b \in \mathbb{Z}$;
2. Non-degenerate: if $g$ is a generator of $\mathbb{G}$ then $e(g, g) \neq 1$;
3.
Computable: there is an efficient algorithm to compute $e(g, h)$ for any $g, h \in \mathbb{G}$.

2.2. Complexity assumptions

The $q$-weak Decision Bilinear Diffie–Hellman Inversion ($q$-wDBDHI) assumption [7,6,0] is as follows: given the tuple $(g, g^{\alpha}, \ldots, g^{\alpha^q}, \hat g, Z)$ as input, it is infeasible to decide whether $Z = e(g, \hat g)^{1/\alpha}$ or $Z = R \in \mathbb{G}_T$, where $g$ and $\hat g$ are random in $\mathbb{G}$ and $R$ is random in $\mathbb{G}_T$. Formally, an algorithm $\mathcal{B}$ has advantage $\epsilon$ in solving the $q$-wDBDHI problem if
$$\Big|\Pr[\mathcal{B}(g, g^{\alpha}, \ldots, g^{\alpha^q}, \hat g, e(g, \hat g)^{1/\alpha}) = 0] - \Pr[\mathcal{B}(g, g^{\alpha}, \ldots, g^{\alpha^q}, \hat g, R) = 0]\Big| \ge \epsilon,$$
where the probability is over the random choice of the generators $g, \hat g \in \mathbb{G}$, the random choice of $\alpha \in \mathbb{Z}_p$, the random choice of $R \in \mathbb{G}_T$, and the internal coin tosses of $\mathcal{B}$. We refer to the distribution over $(g, g^{\alpha}, \ldots, g^{\alpha^q}, \hat g, e(g, \hat g)^{1/\alpha})$ on the left as $\mathcal{P}_{q\text{-wDBDHI}}$ and the distribution over $(g, g^{\alpha}, \ldots, g^{\alpha^q}, \hat g, R)$ on the right as $\mathcal{R}_{q\text{-wDBDHI}}$.

Definition 1. We say that the $(t, q, \epsilon)$-$q$-wDBDHI assumption holds in $\mathbb{G}$ if no $t$-time algorithm $\mathcal{B}$ has advantage at least $\epsilon$ in solving the $q$-wDBDHI problem in $\mathbb{G}$.

2.3. One-time signatures

A one-time signature scheme allows the signing of only a single message with a given signing key. The syntax of one-time signature schemes is the same as that of ordinary signature schemes, and the one-timeness is enforced by the security definition.

Footnote: Tang [2] also proposed a TB-PRE scheme that is secure against chosen-ciphertext attacks in the random oracle model but is not proxy-invisible.

Definition 2. A (one-time) signature scheme consists of a triple of algorithms $Sig = (G, S, V)$ such that:
- $G$, the key generation algorithm, is a probabilistic algorithm that, given a security parameter $\lambda$, outputs a signing key $ssk$ and a verification key $svk$; $(ssk, svk) \leftarrow G(\lambda)$.
- $S$, the signing algorithm, is a possibly probabilistic algorithm that, given a signing key $ssk$ and a message $m$, outputs a signature $\sigma$ on $m$; $\sigma \leftarrow S(ssk, m)$.
- $V$, the verification algorithm, is a deterministic algorithm that, given a verification key $svk$, a signature $\sigma$, and a message $m$, outputs a bit $b \in \{0, 1\}$ (where $b = 1$ signifies "acceptance" and $b = 0$ signifies "rejection"); $b \leftarrow V(svk, \sigma, m)$.
We require that for any message $m$ and any key pair $(ssk, svk)$ generated by $G(\cdot)$, we have $V(svk, \sigma, m) = 1$ if $\sigma \leftarrow S(ssk, m)$. As in [7], we consider strongly unforgeable one-time signatures.

Definition 3. A one-time signature $Sig = (G, S, V)$ is strongly unforgeable if the advantage
$$\mathrm{Adv}_{Sig} = \Pr\left[ V(svk, \sigma^*, m^*) = 1 \ \wedge\ (m^*, \sigma^*) \neq (m, \sigma) \ :\ (ssk, svk) \leftarrow G(\lambda),\ (m, st) \leftarrow \mathcal{F}(svk),\ \sigma \leftarrow S(ssk, m),\ (m^*, \sigma^*) \leftarrow \mathcal{F}(m, \sigma, svk, st) \right]$$
is negligible for any probabilistic polynomial-time (PPT) algorithm $\mathcal{F}$, where $st$ is $\mathcal{F}$'s state information.

3. Type-based proxy re-encryption

3.1. Syntax

The syntactic definition of (single-hop unidirectional) TB-PRE schemes is as follows.

Definition 4. A (single-hop unidirectional) type-based proxy re-encryption scheme consists of a tuple of algorithms $(Setup, Keygen, Rekeygen, Enc_1, Enc_2, Renc, Dec_1, Dec_2)$ such that:
- $Setup$, the global parameter generation algorithm, is a probabilistic algorithm that, given a security parameter $\lambda$, outputs a global parameter $param$ to be used by all parties; $param \leftarrow Setup(\lambda)$. For simplicity, we omit the global parameter as an input to the other algorithms.
- $Keygen$, the key generation algorithm, is a probabilistic algorithm that, given a security parameter $\lambda$, outputs a public key and a secret key; $(pk, sk) \leftarrow Keygen(\lambda)$.
- $Rekeygen$, the re-encryption key generation algorithm, is a possibly probabilistic algorithm that, given a user $i$'s private key $sk_i$, a user $j$'s public key $pk_j$, and a type $t$, outputs the re-encryption key $rk^{t}_{i \to j}$ for re-encrypting from user $i$ to user $j$ for the type $t$; $rk^{t}_{i \to j} \leftarrow Rekeygen(sk_i, pk_j, t)$.
- $Enc_1$, the first level encryption algorithm, is a probabilistic algorithm that, given a user $j$'s public key $pk_j$ and a message $m$, outputs a first level ciphertext (which cannot be re-encrypted for another user); $C_j \leftarrow Enc_1(pk_j, m)$.
- $Enc_2$, the second level encryption algorithm, is a probabilistic algorithm that, given a user $i$'s public key $pk_i$, a message $m$, and a type $t$, outputs a second level ciphertext (which can be re-encrypted into a first level ciphertext for another user); $C_i \leftarrow Enc_2(pk_i, m, t)$.
- $Renc$, the re-encryption algorithm, is a possibly probabilistic algorithm that, given a re-encryption key $rk^{t}_{i \to j}$ and a second level ciphertext $C_i$, re-encrypts the second level ciphertext $C_i$ into a first level ciphertext $C_j$. It outputs the first level ciphertext $C_j$ or the special symbol $\bot$ indicating an error; $C_j \leftarrow Renc(rk^{t}_{i \to j}, C_i)$.
- $Dec_1$, the first level decryption algorithm, is a deterministic algorithm that, given a user $j$'s private key $sk_j$ and a first level ciphertext $C_j$, outputs a message $m$ or the special symbol $\bot$ indicating an error; $m \leftarrow Dec_1(sk_j, C_j)$.
- $Dec_2$, the second level decryption algorithm, is a deterministic algorithm that, given a user $i$'s private key $sk_i$ and a second level ciphertext $C_i$, outputs a message $m$ or the special symbol $\bot$ indicating an error; $m \leftarrow Dec_2(sk_i, C_i)$.
For any common public parameter $param$, any message $m$, and any pair of private/public key pairs $(sk_i, pk_i)$, $(sk_j, pk_j)$, the algorithms should satisfy the following correctness properties:
$$Dec_1(sk_j, Enc_1(pk_j, m)) = m;\quad Dec_2(sk_i, Enc_2(pk_i, m, t)) = m;\quad Dec_1(sk_j, Renc(Rekeygen(sk_i, pk_j, t), Enc_2(pk_i, m, t))) = m.$$

3.2. Security model

As in [6,7], we assume that honest users and corrupt users are determined at the beginning of the game and that the adversary can decrypt the ciphertexts of honest users by using re-encryption keys. The adversary can have access to all re-encryption keys except those with which the challenge ciphertext is trivially decrypted. That is, the adversary can make re-encryption key generation queries adaptively and read the messages of honest users even if it does not know the private keys of the honest users. We consider replayable CCA security in the standard model; the adversary is not allowed to ask

for decryption of a re-randomized version of the challenge ciphertext. As no non-replayable CCA-secure (type-based or non-type-based) PRE scheme in the standard model is known to date, and replayable CCA security is arguably sufficient for most practical applications (see [8] for the argument), we consider replayable CCA security in the remainder of this paper. Three security notions should be addressed for TB-PRE: second level ciphertext security, first level ciphertext security, and proxy invisibility. Note that first level ciphertext security implies master secret security, in which no coalition of dishonest delegatees is able to pool their re-encryption keys in order to expose the private key of their common delegator [7].

Second level ciphertext security. This security notion requires that the adversary cannot learn any information about the message from second level ciphertexts even if it can access a re-encryption key generation oracle $\mathcal{O}_{rk}$, a re-encryption oracle $\mathcal{O}_{renc}$, and a first level decryption oracle $\mathcal{O}_{dec}$. A second level decryption oracle is unnecessary because second level ciphertexts can be translated into first level ciphertexts for other users (e.g., a corrupt user) by re-encryption oracle queries and then decrypted by the first level decryption oracle.

Definition 5.
A type-based proxy re-encryption scheme is IND-t-Pr-RCCA at the second level if for any PPT adversary $\mathcal{A}$, the probability
$$\Pr\left[ b' = b \ :\ \begin{array}{l} param \leftarrow Setup(\lambda),\ \{(pk_h, sk_h) \leftarrow Keygen(\lambda)\},\ \{(pk_x, sk_x) \leftarrow Keygen(\lambda)\},\\ (m_0, m_1, t^*, pk_{i^*}, st) \leftarrow \mathcal{A}^{\mathcal{O}_{rk}, \mathcal{O}_{renc}, \mathcal{O}_{dec}}(\{pk_h\}, \{(pk_x, sk_x)\}),\\ b \leftarrow \{0, 1\},\ C^* \leftarrow Enc_2(pk_{i^*}, m_b, t^*),\ b' \leftarrow \mathcal{A}^{\mathcal{O}_{rk}, \mathcal{O}_{renc}, \mathcal{O}_{dec}}(C^*, st) \end{array} \right]$$
is negligibly close to $1/2$ in the security parameter $\lambda$, where $(pk_{i^*}, sk_{i^*}) \in \{(pk_h, sk_h)\}$ is the key pair of the target user $i^*$ generated by the challenger, $t^*$ is the target type chosen by the adversary, $(pk_h, sk_h)$ and $(pk_x, sk_x)$ are the key pairs of an honest user and a corrupt user, respectively, and $st$ is the state information maintained by $\mathcal{A}$. The adversary $\mathcal{A}$ is given the set of public keys of honest users and the key pairs of corrupt users, and can access the $\mathcal{O}_{rk}$, $\mathcal{O}_{renc}$ and $\mathcal{O}_{dec}$ oracles. The adversary $\mathcal{A}$ is not allowed to make the queries $\mathcal{O}_{rk}(pk_{i^*}, pk_x, t^*)$, $\mathcal{O}_{renc}(pk_{i^*}, pk_x, t^*, C^*)$, and $\mathcal{O}_{dec}(\hat{pk}, \hat C)$, where $(\hat{pk}, \hat C)$ is a derivative of $(pk_{i^*}, C^*)$. If $\hat C$ is a first level ciphertext and $\hat{pk} \in \{pk_{i^*}\} \cup \{pk_h\}$, we say that $(\hat{pk}, \hat C)$ is a derivative of $(pk_{i^*}, C^*)$ if $Dec_1(\hat{sk}, \hat C) \in \{m_0, m_1\}$.

First level ciphertext security. This security notion requires that the adversary cannot learn any information about the messages from first level ciphertexts even if it can access a re-encryption key generation oracle $\mathcal{O}_{rk}$ and a first level decryption oracle $\mathcal{O}_{dec}$. The re-encryption oracle is unnecessary because the adversary can access all re-encryption keys.

Definition 6.
A type-based proxy re-encryption scheme is IND-t-Pr-RCCA at the first level if for any PPT adversary $\mathcal{A}$, the probability
$$\Pr\left[ b' = b \ :\ \begin{array}{l} param \leftarrow Setup(\lambda),\ \{(pk_h, sk_h) \leftarrow Keygen(\lambda)\},\ \{(pk_x, sk_x) \leftarrow Keygen(\lambda)\},\\ (m_0, m_1, pk_{i^*}, st) \leftarrow \mathcal{A}^{\mathcal{O}_{rk}, \mathcal{O}_{dec}}(\{pk_h\}, \{(pk_x, sk_x)\}),\\ b \leftarrow \{0, 1\},\ C^* \leftarrow Enc_1(pk_{i^*}, m_b),\ b' \leftarrow \mathcal{A}^{\mathcal{O}_{rk}, \mathcal{O}_{dec}}(C^*, st) \end{array} \right]$$
is negligibly close to $1/2$ in the security parameter $\lambda$, where $(pk_{i^*}, sk_{i^*}) \in \{(pk_h, sk_h)\}$ is the key pair of the target user $i^*$ generated by the challenger, $(pk_h, sk_h)$ and $(pk_x, sk_x)$ are the key pairs of an honest user and a corrupt user, respectively, and $st$ is the state information maintained by $\mathcal{A}$. The adversary $\mathcal{A}$ is given the set of public keys of honest users and the key pairs of corrupt users, and can access the $\mathcal{O}_{rk}$ and $\mathcal{O}_{dec}$ oracles. The adversary $\mathcal{A}$ is not allowed to make the query $\mathcal{O}_{dec}(\hat{pk}, \hat C)$, where $(\hat{pk}, \hat C)$ is a derivative of $(pk_{i^*}, C^*)$.

In Definitions 5 and 6, the oracles $\mathcal{O}_{rk}$, $\mathcal{O}_{renc}$, and $\mathcal{O}_{dec}$ work as follows:
- A re-encryption key generation oracle $\mathcal{O}_{rk}(pk_i, pk_j, t)$ takes as input the public key of a delegator $pk_i$, the public key of a delegatee $pk_j$, and a type $t$. It outputs the re-encryption key $rk^{t}_{i \to j} \leftarrow Rekeygen(sk_i, pk_j, t)$ that delegates the decryption right from user $i$ to user $j$ for the type $t$.
- A re-encryption oracle $\mathcal{O}_{renc}(pk_i, pk_j, t, C_i)$ takes as input the public key of a delegator $pk_i$, the public key of a delegatee $pk_j$, a type $t$, and a ciphertext $C_i$. It outputs the re-encrypted ciphertext $C_j \leftarrow Renc(rk^{t}_{i \to j}, C_i)$, or the special symbol $\bot$ indicating an error if the given ciphertext $C_i$ is invalid.
- A first level decryption oracle $\mathcal{O}_{dec}(pk_i, C_i)$ takes as input the public key of a receiver $pk_i$ and a ciphertext $C_i$. It outputs a message $m \leftarrow Dec_1(sk_i, C_i)$, or the special symbol $\bot$ indicating an error if the given ciphertext $C_i$ is invalid.

Proxy invisibility. This security notion requires that the adversary cannot distinguish between ciphertexts re-encrypted by a proxy and ciphertexts originally generated for the delegatee.

Definition 7. A type-based proxy re-encryption scheme is proxy-invisible if for any PPT adversary $\mathcal{A}$, the probability
$$\Pr\left[ b' = b \ :\ param \leftarrow Setup(\lambda),\ \{(pk_h, sk_h) \leftarrow Keygen(\lambda)\},\ \{(pk_x, sk_x) \leftarrow Keygen(\lambda)\},\ b \leftarrow \{0, 1\},\ b' \leftarrow \mathcal{A}^{\mathcal{O}_{rk}, \mathcal{O}_{b, renc/enc}}(\{pk_h\}, \{(pk_x, sk_x)\}) \right]$$
is negligibly close to $1/2$ in the security parameter $\lambda$, where $(pk_h, sk_h)$ and $(pk_x, sk_x)$ are the key pairs of an honest user and a corrupt user, respectively. The adversary $\mathcal{A}$ is given the set of public keys of honest users and the key pairs of corrupt users, and can access the $\mathcal{O}_{rk}$ and $\mathcal{O}_{b, renc/enc}$ oracles. The renc-or-enc oracle is initialized with a random bit $b \in \{0, 1\}$ and works as follows:
- A renc-or-enc oracle $\mathcal{O}_{b, renc/enc}(pk_i, pk_j, m, t)$ takes as input the public key of a delegator $pk_i$, the public key of a delegatee $pk_j$, a message $m$, and a type $t$. If $b = 0$, it outputs $C_j \leftarrow Enc_1(pk_j, m)$. Otherwise, it outputs $C_j \leftarrow Renc(rk^{t}_{i \to j}, C_i)$ where $C_i \leftarrow Enc_2(pk_i, m, t)$ and $rk^{t}_{i \to j} \leftarrow Rekeygen(sk_i, pk_j, t)$.

For proxy invisibility, the output distributions of the re-encryption algorithm and of the encryption algorithm at the first level should be indistinguishable. That is, the following distributions $D_{Renc}$ and $D_{Enc}$ should be indistinguishable for any key pairs $(pk, sk)$, any message $m$, and any type $t$:
$$D_{Enc} = \{C_j \mid C_j \leftarrow Enc_1(pk_j, m)\};\qquad D_{Renc} = \{C_j \mid C_i \leftarrow Enc_2(pk_i, m, t),\ rk^{t}_{i \to j} \leftarrow Rekeygen(sk_i, pk_j, t),\ C_j \leftarrow Renc(rk^{t}_{i \to j}, C_i)\}.$$

4. CCA-secure TB-PRE with proxy invisibility

We now present a proxy-invisible TB-PRE scheme that is CCA-secure in the standard model.

4.1. Construction

For simplicity, we assume that the verification keys of one-time signatures and the types are encoded as elements of $\mathbb{Z}_p$. In practice, a collision-resistant hash function should be applied to map them onto $\mathbb{Z}_p$.

$Setup(\lambda)$: Given a security parameter $\lambda$, the setup algorithm chooses groups $\mathbb{G}$ and $\mathbb{G}_T$ of prime order $p$ ($> 2^{\lambda}$) with the bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$, and a strongly unforgeable one-time signature $Sig = (G, S, V)$.
It picks random generators $g, h, u, v \in \mathbb{G}$ and the set of types $T = \{t_1, \ldots, t_q\}$ where $t_i \in \mathbb{Z}_p$. The global parameter is $param = \{\mathbb{G}, \mathbb{G}_T, g, h, u, v, Sig, T\}$.

$Keygen(\lambda)$: To generate a public/private key pair, a user $i$ chooses random $x_i, y_i \in \mathbb{Z}_p$ and sets $X_i = g^{x_i}$ and $Y_i = h^{y_i}$. The public key and private key of user $i$ are $pk_i = (X_i, Y_i)$, $sk_i = (x_i, y_i)$.

$Rekeygen(sk_i, pk_j, t)$: On input of a user $i$'s private key $(x_i, y_i)$, a user $j$'s public key $(X_j, Y_j)$, and a type $t \in T$, user $i$ sets the re-encryption key $rk^{t}_{i \to j} = (t, rk) = (t, Y_j^{1/(x_i - t)})$ for re-encrypting from user $i$ to user $j$ for the type $t$. User $i$ sends the re-encryption key $rk^{t}_{i \to j}$ to a proxy.

$Enc_1(pk_i, m)$: To encrypt a message $m \in \mathbb{G}_T$ under the public key $pk_i$ at the first level, the sender selects a one-time signature key pair $(ssk, svk) \leftarrow G(\lambda)$, picks random $s, r \in \mathbb{Z}_p$, and sets
$$c_1 = Y_i^{r},\quad c_1' = g^{1/r},\quad c_2 = g^{s/r},\quad c_3 = m \cdot e(g, h)^{s},\quad c_4 = (u^{svk} v)^{s}.$$
Then, the sender generates a one-time signature $\sigma \leftarrow S(ssk, (c_3, c_4))$. The first level ciphertext is $C_i = (svk, c_1, c_1', c_2, c_3, c_4, \sigma)$.

$Enc_2(pk_i, m, t)$: To encrypt a message $m \in \mathbb{G}_T$ with a type $t \in T$ under the public key $pk_i$ at the second level, the sender selects a one-time signature key pair $(ssk, svk) \leftarrow G(\lambda)$, picks random $s \in \mathbb{Z}_p$, and sets
$$c_1 = t,\quad c_2 = X_i^{s} g^{-st} = (X_i g^{-t})^{s},\quad c_3 = m \cdot e(g, h)^{s},\quad c_4 = (u^{svk} v)^{s}.$$
Then, the sender generates a one-time signature $\sigma \leftarrow S(ssk, (c_3, c_4))$. The second level ciphertext is $C_i = (svk, c_1, c_2, c_3, c_4, \sigma)$.

$Renc(rk^{t}_{i \to j}, C_i)$: On input of the re-encryption key $rk^{t}_{i \to j} = (t, rk)$ and a second level ciphertext $C_i = (svk, c_1, c_2, c_3, c_4, \sigma)$, the proxy first checks whether $c_1 = t$. If $c_1 \neq t$, it outputs $\bot$. Otherwise, the proxy tests the following relations:
$$V(svk, \sigma, (c_3, c_4)) = 1, \qquad (1)$$
$$e(c_2, u^{svk} v) = e(X_i g^{-c_1}, c_4). \qquad (2)$$
If the test fails, the proxy outputs $\bot$. Otherwise, it picks random $w \in \mathbb{Z}_p$ and computes
$$c_1 \leftarrow rk^{w} = Y_j^{w/(x_i - t)},\quad c_1' \leftarrow (X_i g^{-t})^{1/w} = g^{(x_i - t)/w},\quad c_2 \leftarrow c_2^{1/w} = g^{s(x_i - t)/w}.$$
The re-encrypted ciphertext for user $j$ is $C_j = (svk, c_1, c_1', c_2, c_3, c_4, \sigma)$.

$Dec_1(sk_j, C_j)$: On input of a user $j$'s private key $sk_j = (x_j, y_j)$ and a first level ciphertext $C_j = (svk, c_1, c_1', c_2, c_3, c_4, \sigma)$, user $j$ checks the validity of the ciphertext by testing the following relations:
$$V(svk, \sigma, (c_3, c_4)) = 1, \qquad (3)$$
$$e(c_1 c_4, c_1') = e(g, Y_j)\, e(u^{svk} v, c_2). \qquad (4)$$
If the check fails, output $\bot$. Otherwise, user $j$ outputs the message $m = c_3 / e(c_2, c_1)^{1/y_j}$.

$Dec_2(sk_i, C_i)$: On input of a user $i$'s private key $sk_i = (x_i, y_i)$ and a second level ciphertext $C_i = (svk, c_1, c_2, c_3, c_4, \sigma)$, user $i$ checks the validity of the ciphertext by testing Eqs. (1) and (2). If the check fails, $\bot$ is returned. Otherwise, user $i$ outputs the message $m = c_3 / e(c_2, h)^{1/(x_i - c_1)}$.

A TB-PRE scheme should satisfy the correctness property, which says that originally encrypted or re-encrypted ciphertexts can be decrypted by the legitimate receiver: if the ciphertext produced by a sender or a proxy is well-formed, the ciphertext should be correctly decrypted at each level.
$$Dec_1(sk_j, Renc(rk^{t}_{i \to j}, C_i)) = \frac{c_3}{e(c_2, c_1)^{1/y_j}} = \frac{c_3}{e(g^{s(x_i - t)/w}, Y_j^{w/(x_i - t)})^{1/y_j}} = \frac{m \cdot e(g, h)^{s}}{e(g^{s}, Y_j)^{1/y_j}} = m, \qquad (5)$$
$$Dec_2(sk_i, C_i) = \frac{c_3}{e(c_2, h)^{1/(x_i - c_1)}} = \frac{m \cdot e(g, h)^{s}}{e(g^{s(x_i - t)}, h)^{1/(x_i - t)}} = \frac{m \cdot e(g, h)^{s}}{e(g, h^{s})} = m. \qquad (6)$$
If a second level ciphertext is re-encrypted, the re-encrypted ciphertext has the same form as a first level ciphertext (i.e., an originally encrypted ciphertext for a delegatee).
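The following Python program is an added worked example and is not code from the paper or its authors. It models the eight algorithms of Section 4.1 together with a concrete one-time signature for $Sig$ (Definitions 2 and 3) and checks the correctness identities (5) and (6) and the validity tests (1) to (4). The "pairing" is simulated: every element of $\mathbb{G}$ and $\mathbb{G}_T$ is stored as its discrete logarithm (base $g$, respectively $e(g, g)$) modulo the group order $P$, so multiplication becomes addition of exponents and $e(g^a, g^b) = e(g, g)^{ab}$ becomes a product. This is a bookkeeping model for verifying the scheme's algebra, not a secure implementation: it exposes every exponent, and the group order, the Lamport OTS over SHA-256, the SHA-256 encoding of $svk$ into $\mathbb{Z}_p$, and the way the proxy is given $pk_i$ as an explicit argument are all assumptions of this example. The reading of Eqs. (2) and (4) is the one written out in the text above.

```python
# Added example (not from the paper): exponent-level model of the TB-PRE scheme of Section 4.1.
# G and G_T elements are their discrete logs mod P (base g, resp. e(g,g)): product -> addition,
# power -> multiplication, pairing e(g^a, g^b) = e(g,g)^{ab} -> a*b.  Only the algebra is checked;
# this is NOT a secure implementation (every exponent is in the clear).
import hashlib
import secrets

P = (1 << 61) - 1                      # prime group order (constructed choice)

def rnd():                             # random non-zero element of Z_P
    return secrets.randbelow(P - 1) + 1

def inv(a):                            # 1/a mod P (fails only for a = 0, negligible here)
    return pow(a % P, -1, P)

def pair(a, b):                        # e(g^a, g^b) = e(g,g)^{ab}, returned as an exponent
    return a * b % P

# Lamport one-time signature over SHA-256: a concrete strongly unforgeable OTS for Sig = (G, S, V).
def ots_keygen():
    ssk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    svk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in ssk]
    return ssk, svk

def _bit(msg, i):                      # i-th bit of SHA-256(msg)
    d = hashlib.sha256(msg).digest()
    return (d[i // 8] >> (i % 8)) & 1

def ots_sign(ssk, msg):
    return [ssk[i][_bit(msg, i)] for i in range(256)]

def ots_verify(svk, sig, msg):
    return all(hashlib.sha256(sig[i]).digest() == svk[i][_bit(msg, i)] for i in range(256))

def svk_to_zp(svk):                    # the paper hashes svk onto Z_p; here via SHA-256 (assumption)
    return int.from_bytes(hashlib.sha256(b"".join(a + b for a, b in svk)).digest(), "big") % P

def signed_part(c3, c4):               # the OTS binds (c3, c4)
    return f"{c3}|{c4}".encode()

def setup():                           # param = (g, h, u, v); g = g^1, the rest random generators
    return (1, rnd(), rnd(), rnd())

def keygen(pp):                        # pk = (X, Y) = (g^x, h^y), sk = (x, y)
    g, h, _, _ = pp
    x, y = rnd(), rnd()
    return (g * x % P, h * y % P), (x, y)

def rekeygen(sk_i, pk_j, t):           # rk = (t, Y_j^{1/(x_i - t)})
    return (t, pk_j[1] * inv(sk_i[0] - t) % P)

def enc1(pp, pk_i, m):
    g, h, u, v = pp
    ssk, svk = ots_keygen()
    k, s, r = svk_to_zp(svk), rnd(), rnd()
    c1, c1p, c2 = pk_i[1] * r % P, g * inv(r) % P, g * s * inv(r) % P   # Y_i^r, g^{1/r}, g^{s/r}
    c3 = (m + pair(g, h) * s) % P                 # m * e(g,h)^s
    c4 = (u * k + v) * s % P                      # (u^{svk} v)^s
    return (svk, c1, c1p, c2, c3, c4, ots_sign(ssk, signed_part(c3, c4)))

def enc2(pp, pk_i, m, t):
    g, h, u, v = pp
    ssk, svk = ots_keygen()
    k, s = svk_to_zp(svk), rnd()
    c2 = (pk_i[0] - g * t) * s % P                # (X_i g^{-t})^s
    c3 = (m + pair(g, h) * s) % P
    c4 = (u * k + v) * s % P
    return (svk, t, c2, c3, c4, ots_sign(ssk, signed_part(c3, c4)))

def valid2(pp, pk_i, C):                          # Eqs. (1) and (2)
    g, _, u, v = pp
    svk, c1, c2, c3, c4, sig = C
    k = svk_to_zp(svk)
    return ots_verify(svk, sig, signed_part(c3, c4)) and pair(c2, u * k + v) == pair(pk_i[0] - g * c1, c4)

def renc(pp, pk_i, rk, C):                        # the proxy knows the delegator's public key pk_i
    t, rk_val = rk
    if C[1] != t or not valid2(pp, pk_i, C):
        return None                               # the error symbol (bottom)
    w = rnd()
    return (C[0], rk_val * w % P,                 # Y_j^{w/(x_i - t)}
            (pk_i[0] - pp[0] * t) * inv(w) % P,   # g^{(x_i - t)/w}
            C[2] * inv(w) % P, C[3], C[4], C[5])  # g^{s(x_i - t)/w}, c3, c4, sigma

def valid1(pp, pk_j, C):                          # Eqs. (3) and (4)
    g, _, u, v = pp
    svk, c1, c1p, c2, c3, c4, sig = C
    k = svk_to_zp(svk)
    return (ots_verify(svk, sig, signed_part(c3, c4))
            and pair(c1 + c4, c1p) == (pair(g, pk_j[1]) + pair(u * k + v, c2)) % P)

def dec1(pp, pk_j, sk_j, C):                      # c3 / e(c2, c1)^{1/y_j}
    return None if not valid1(pp, pk_j, C) else (C[4] - pair(C[3], C[1]) * inv(sk_j[1])) % P

def dec2(pp, pk_i, sk_i, C):                      # c3 / e(c2, h)^{1/(x_i - c1)}
    return None if not valid2(pp, pk_i, C) else (C[3] - pair(C[2], pp[1]) * inv(sk_i[0] - C[1])) % P

def demo():                                       # constructed run: Alice delegates one type to Bob
    pp = setup()
    pk_a, sk_a = keygen(pp)                       # Alice, the delegator
    pk_b, sk_b = keygen(pp)                       # Bob, the delegatee
    t_urgent, t_other = rnd(), rnd()              # two types (constructed)
    m = rnd()                                     # message, an element of G_T
    rk = rekeygen(sk_a, pk_b, t_urgent)           # only type t_urgent is delegated
    C2 = enc2(pp, pk_a, m, t_urgent)
    C1 = renc(pp, pk_a, rk, C2)
    bad = list(C2); bad[3] = (bad[3] + 1) % P     # tamper with c3: Eq. (1) must fail
    return {"dec2": dec2(pp, pk_a, sk_a, C2) == m,
            "dec1_reencrypted": dec1(pp, pk_b, sk_b, C1) == m,
            "dec1_original": dec1(pp, pk_b, sk_b, enc1(pp, pk_b, m)) == m,
            "reencrypted_passes_first_level_check": valid1(pp, pk_b, C1),
            "wrong_type_rejected": renc(pp, pk_a, rk, enc2(pp, pk_a, m, t_other)) is None,
            "tampered_rejected": renc(pp, pk_a, rk, tuple(bad)) is None}
```

Running `demo()` returns a dictionary in which every entry is `True`: both decryption paths recover $m$ (Eqs. (5) and (6)), a re-encrypted ciphertext passes the first level validity test (4) exactly like a ciphertext produced by $Enc_1$, a second level ciphertext of a type other than the delegated one is refused by the proxy, and a ciphertext whose $c_3$ was modified after signing is refused by Eq. (1). Replacing the exponent model with a real Type 1 pairing library would turn the same function bodies into an actual implementation of the scheme.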
Recall that the re-encrypted ciphertext is $C_j = (svk, c_1, c_1', c_2, c_3, c_4, \sigma)$ where $c_1 = Y_j^{w/(x_i - t)}$, $c_1' = g^{(x_i - t)/w}$, and $c_2 = g^{s(x_i - t)/w}$. If we let $\tilde r = w/(x_i - t)$, then $c_1, c_1', c_2$ of the re-encrypted ciphertext can be written as
$$c_1 = Y_j^{w/(x_i - t)} = Y_j^{\tilde r},\quad c_1' = g^{(x_i - t)/w} = g^{1/\tilde r},\quad c_2 = g^{s(x_i - t)/w} = g^{s/\tilde r},$$
which is a well-formed first level ciphertext.

The validity checks on the two types of ciphertexts are required in order to achieve CCA security. In the re-encryption algorithm, Eq. (2) guarantees that $c_2$ and $c_4$ have the same exponent $s$ with respect to the bases $X_i g^{-t}$ and $u^{svk} v$, respectively, from which we have $e(c_2, h) = e(g^{s(x_i - t)}, h)$; note that this relation is necessary for the second level decryption process (i.e., Eq. (6)). In the first level decryption algorithm, Eq. (4) ensures that $c_1'^{\,s} = c_2$, and thus we have $e(c_2, c_1) = e(g^{s}, Y_j)$, which is necessary for the first level decryption process (i.e., Eq. (5)).

4.2. Security

We prove that the proposed TB-PRE scheme is CCA-secure at the second level in Theorem 1 and at the first level in Theorem 2. Proxy invisibility is proved in Theorem 3.

Theorem 1. The proposed TB-PRE scheme is IND-t-Pr-RCCA at the second level if the one-time signature $Sig$ is strongly unforgeable and the $q$-wDBDHI assumption holds in $\mathbb{G}$.

Proof. Let $\mathcal{A}$ be an adversary that breaks the IND-t-Pr-RCCA security at the second level with advantage $\epsilon$. We construct an algorithm $\mathcal{B}$ that solves the $q$-wDBDHI problem by interacting with $\mathcal{A}$. The algorithm $\mathcal{B}$ takes as input a random $q$-wDBDHI challenge $(g, g_1, \ldots, g_q, \hat g, Z)$ where $g_\tau = g^{\alpha^\tau}$ for $\tau \in \{0, 1, \ldots, q\}$. If $Z = e(g, \hat g)^{1/\alpha}$, then the challenge is distributed according to $\mathcal{P}_{q\text{-wDBDHI}}$; otherwise it is distributed according to $\mathcal{R}_{q\text{-wDBDHI}}$. $\mathcal{B}$ decides whether $Z = e(g, \hat g)^{1/\alpha}$ with the help of the successful IND-t-Pr-RCCA adversary $\mathcal{A}$. The algorithm $\mathcal{B}$ proceeds as follows.

Before describing $\mathcal{B}$, we define an event $F_{Sig}$. Assuming that $C^* = (svk^*, c_1^*, c_2^*, c_3^*, c_4^*, \sigma^*)$ is the challenge ciphertext, $F_{Sig}$ is the event that $\mathcal{A}$ issues a decryption query for a first level ciphertext $C = (svk^*, c_1, c_1', c_2, c_3, c_4, \sigma)$ or a re-encryption query for a second level ciphertext $C = (svk^*, c_1, c_2, c_3, c_4, \sigma)$ where $(c_3, c_4, \sigma) \neq (c_3^*, c_4^*, \sigma^*)$ but $V(svk^*, \sigma, (c_3, c_4)) = 1$. This event occurs when $\mathcal{A}$ selects the one-time verification key $svk^*$ in the find phase, or when $\mathcal{A}$ forges a signature on $(c_3, c_4) \neq (c_3^*, c_4^*)$ in the guess phase. In the find phase, $\mathcal{A}$ can learn no information about $svk^*$ since $svk^*$ is chosen at random. Therefore, the probability of the event $F_{Sig}$ is $\Pr[F_{Sig}] \le (q_{renc} + q_{dec})/p + \mathrm{Adv}_{Sig}$, where $q_{renc}$ and $q_{dec}$ are the maximum numbers of re-encryption oracle queries and first level decryption oracle queries, respectively. If the event $F_{Sig}$ occurs, $\mathcal{B}$ terminates the game and returns a random bit. By the strong unforgeability of the one-time signature, the probability $\Pr[F_{Sig}]$ is negligible.

Let $HU$ be the set of honest users, including the target user $i^*$, and $CU$ be the set of corrupt users. By Definition 5, $\mathcal{B}$ first generates the global parameter $param$, the public keys of honest users, and the key pairs of corrupt users, and gives these values to $\mathcal{A}$.
- Setup: $\mathcal{B}$ generates a type set $T = \{t_1, \ldots, t_q\}$ with $t_i \in \mathbb{Z}_p$, where the $q$ types are all distinct, and chooses a type $t^*$ at random. If $\alpha \in T$, then $\mathcal{B}$ uses $\alpha$ to solve the $q$-wDBDHI problem directly. Otherwise, it defines the polynomial $f(x) = \prod_{\tau = 1,\, t_\tau \neq t^*}^{q} (x + t^* - t_\tau)$ of degree $q - 1$, expands $f(x)$, and writes $f(x) = \sum_{\tau = 0}^{q-1} \nu_\tau x^\tau$, where $\nu_0, \ldots, \nu_{q-1} \in \mathbb{Z}_p$ are the coefficients of $f(x)$. It picks random $\varsigma \in \mathbb{Z}_p$ and sets
$$h = g^{\varsigma f(\alpha)} = \prod_{\tau = 0}^{q-1} g_\tau^{\varsigma \nu_\tau}.$$
It chooses a strongly unforgeable one-time signature $Sig = (G, S, V)$, generates a one-time signature key pair $(ssk^*, svk^*) \leftarrow G(\lambda)$, and sets $u = g^{\gamma_1}$, $v = g^{-\gamma_1 svk^*} g_1^{\gamma_2}$ for random $\gamma_1, \gamma_2 \in \mathbb{Z}_p$. Since $\varsigma$, $\gamma_1$, and $\gamma_2$ are uniformly distributed, the global parameters $param = \{\mathbb{G}, \mathbb{G}_T, g, h, u, v, Sig, T\}$ have a distribution identical to that in the actual construction.
- Key generation: The target user's public key is set, for random $y \in \mathbb{Z}_p$, as
$$pk_{i^*} = (X_{i^*}, Y_{i^*}) = (g^{x_{i^*}}, h^{y_{i^*}}) = \Big(g_1 g^{t^*},\ h^{y\alpha} = \prod_{\tau = 1}^{q} g_\tau^{\varsigma y \nu_{\tau - 1}}\Big),$$
where the private key $sk_{i^*} = (x_{i^*}, y_{i^*}) = (\alpha + t^*, y\alpha)$ is unknown. For a user $i \in HU \setminus \{i^*\}$, $\mathcal{B}$ sets the public key $pk_i = (g^{x_i}, h^{y_i \alpha})$ for random $x_i, y_i \in \mathbb{Z}_p$, where the private key is $(x_i, y_i \alpha)$. For a user $j \in CU$, $\mathcal{B}$ sets the private key $sk_j = (x_j, y_j)$ and the public key $pk_j = (g^{x_j}, h^{y_j})$ for random $x_j, y_j \in \mathbb{Z}_p$. To simulate $\mathcal{A}$'s environment successfully, $\mathcal{B}$ must predict the target user $i^*$ and the challenge type $t^*$ given by $\mathcal{A}$ in the challenge phase; the probability of a successful guess by $\mathcal{B}$ is at least $1/(nq)$ where $n = |HU|$, and $1/(nq)$ is non-negligible as long as both $n$ and $q$ are polynomial.

During the find and guess phases, $\mathcal{A}$ makes adaptive queries to the re-encryption key generation oracle $\mathcal{O}_{rk}(\cdot, \cdot, \cdot)$, the re-encryption oracle $\mathcal{O}_{renc}(\cdot, \cdot, \cdot, \cdot)$, and the first level decryption oracle $\mathcal{O}_{dec}(\cdot, \cdot)$. $\mathcal{B}$ responds to the oracle queries as follows, where we assume that $i \neq j$.
- $\mathcal{O}_{rk}(pk_i, pk_j, t_\kappa)$: The queries are classified into four cases. Let $F_{t_\kappa}(x)$ be the polynomial of degree $q - 2$ defined by $F_{t_\kappa}(x) = f(x)/(x + t^* - t_\kappa) = \prod_{\tau = 1,\, t_\tau \neq t^*,\, t_\tau \neq t_\kappa}^{q} (x + t^* - t_\tau)$. We can write $F_{t_\kappa}(x) = \sum_{\tau = 0}^{q-2} \mu_\tau x^\tau$, where $\mu_0, \ldots, \mu_{q-2} \in \mathbb{Z}_p$ are the coefficients of $F_{t_\kappa}(x)$.
(i) If $i \in HU \setminus \{i^*\}$ and $j \in HU \cup CU$, $\mathcal{B}$ simply computes the re-encryption key $rk^{t_\kappa}_{i \to j} \leftarrow Rekeygen(sk_i, pk_j, t_\kappa)$, since it knows all $x_i$ except that of the target user. Computing the re-encryption key does not require the unknown value $y_i \alpha$.
(ii) If $i = i^*$, $j \in HU$ and $t_\kappa \neq t^*$, then $\mathcal{B}$ sets
$$rk = Y_j^{1/(x_{i^*} - t_\kappa)} = g^{\varsigma y_j \alpha f(\alpha)/(\alpha + t^* - t_\kappa)} = g^{\varsigma y_j \alpha F_{t_\kappa}(\alpha)} = \prod_{\tau = 1}^{q-1} g_\tau^{\varsigma y_j \mu_{\tau - 1}}.$$

(iii) If $i = i^*$, $j \in HU$ and $t_\kappa = t^*$, then $\mathcal{B}$ sets $rk = Y_j^{1/(x_{i^*} - t_\kappa)} = h^{y_j \alpha/(\alpha + t^* - t_\kappa)} = h^{y_j}$.
(iv) If $i = i^*$, $j \in CU$ and $t_\kappa \neq t^*$, then $\mathcal{B}$ sets
$$rk = Y_j^{1/(x_{i^*} - t_\kappa)} = g^{\varsigma y_j f(\alpha)/(\alpha + t^* - t_\kappa)} = g^{\varsigma y_j F_{t_\kappa}(\alpha)} = \prod_{\tau = 0}^{q-2} g_\tau^{\varsigma y_j \mu_\tau}.$$
$\mathcal{B}$ returns the re-encryption key $rk^{t_\kappa}_{i \to j} = (t_\kappa, rk)$ to $\mathcal{A}$. In the case of $\mathcal{O}_{rk}(pk_{i^*}, pk_j, t^*)$ for $j \in CU$, which means that $\mathcal{B}$ was unfortunate in its choice of $i^*$ and $t^*$ in the Setup step, $\mathcal{B}$ terminates the simulation and returns a random bit.
- $\mathcal{O}_{renc}(pk_i, pk_j, t_\kappa, C_i)$: Given a second level ciphertext $C_i = (svk, c_1, c_2, c_3, c_4, \sigma)$, $\mathcal{B}$ checks whether $t_\kappa = c_1$. If $t_\kappa \neq c_1$, $\mathcal{B}$ returns $\bot$. Otherwise, $\mathcal{B}$ checks the validity of the other components of the ciphertext by testing whether Eqs. (1) and (2) hold. If the relations do not hold, $\mathcal{B}$ returns $\bot$. Otherwise, $\mathcal{B}$ proceeds as follows.
(i) If $i = i^*$, $j \in CU$ and $t_\kappa = t^*$:
(a) If $svk = svk^*$, this case is included in the event $F_{Sig}$ or $C_i = C^*$. In the find phase, the case $svk = svk^*$ occurs when $\mathcal{A}$ uses the challenge key pair $(ssk^*, svk^*)$ to generate the ciphertext $C_i$ even though $\mathcal{A}$ has no information about $(ssk^*, svk^*)$. In the guess phase, the case $svk = svk^*$ occurs when $\mathcal{A}$ forges a new signature on a new $(c_3, c_4)$ or queries the challenge ciphertext $C^*$. When $C_i = C^*$, $\mathcal{B}$ does not respond to the query, because the re-encryption query of the challenge ciphertext $C^*$ for a corrupt user $j \in CU$ and the challenge type $t^*$ is not allowed. When $F_{Sig}$ happens, $\mathcal{B}$ terminates the simulation and returns a random bit.
(b) If $svk \neq svk^*$, $\mathcal{B}$ picks random $\tilde w \in \mathbb{Z}_p$ and assumes $w = \tilde w \alpha$; then
$$c_1 = Y_j^{w/(x_{i^*} - t_\kappa)} = h^{y_j \tilde w \alpha/(\alpha + t^* - t_\kappa)} = h^{y_j \tilde w},\qquad c_1' = (X_{i^*} g^{-t_\kappa})^{1/w} = g^{(x_{i^*} - t_\kappa)/w} = g^{(\alpha + t^* - t_\kappa)/(\tilde w \alpha)} = g^{1/\tilde w}.$$
Before computing $c_2$, $\mathcal{B}$ computes
$$\Big(\frac{c_4}{c_2^{\gamma_2}}\Big)^{\frac{1}{\gamma_1 (svk - svk^*)}} = \Big(\frac{g^{s\gamma_1 (svk - svk^*)}\, g^{s \gamma_2 \alpha}}{g^{s(\alpha + t^* - t_\kappa)\gamma_2}}\Big)^{\frac{1}{\gamma_1 (svk - svk^*)}} = \big(g^{s\gamma_1 (svk - svk^*)}\big)^{\frac{1}{\gamma_1 (svk - svk^*)}} = g^{s},$$
where $\mathcal{B}$ knows $\gamma_1$, $\gamma_2$, and $svk^*$. Then $\mathcal{B}$ computes $c_2 = c_2^{1/w} = g^{s(x_{i^*} - t_\kappa)/w} = g^{s\alpha/(\tilde w \alpha)} = g^{s/\tilde w}$.
(ii) Except in case (i), $\mathcal{B}$ can compute the re-encryption key $rk^{t_\kappa}_{i \to j}$ for re-encrypting from user $i$ to user $j$ for the type $t_\kappa$. Then $\mathcal{B}$ simply re-encrypts the ciphertext $C_i$ by running the usual re-encryption algorithm, $C_j \leftarrow Renc(rk^{t_\kappa}_{i \to j}, C_i)$.
- $\mathcal{O}_{dec}(pk_i, C_i)$: Given a first level ciphertext $C_i = (svk, c_1, c_1', c_2, c_3, c_4, \sigma)$, $\mathcal{B}$ returns $\bot$ if Eqs. (3) and (4) do not hold. Otherwise, $\mathcal{B}$ returns a message $m$ to $\mathcal{A}$ as follows.
(i) If $svk = svk^*$, then either $F_{Sig}$ occurs or $(pk_i, C_i)$ is a derivative of $(pk_{i^*}, C^*)$. In the find phase, the case $svk = svk^*$ occurs when $\mathcal{A}$ uses the challenge key pair $(ssk^*, svk^*)$ to generate the ciphertext $C_i$. In the guess phase, the case $svk = svk^*$ occurs when $(pk_i, C_i)$ is a derivative of $(pk_{i^*}, C^*)$ or $\mathcal{A}$ forges a new signature on a new $(c_3, c_4)$. When $\sigma = \sigma^*$, $\mathcal{B}$ does not respond to the query, because a query for a derivative of $(pk_{i^*}, C^*)$ is not allowed. When $F_{Sig}$ happens, $\mathcal{B}$ terminates the simulation and returns a random bit.
(ii) If $svk \neq svk^*$, $\mathcal{B}$ responds to the query in three cases. When $i \in HU \setminus \{i^*\}$, $\mathcal{B}$ first computes
$$\Big(\frac{e(c_4, h)}{e(c_2, c_1)^{\gamma_2/y_i}}\Big)^{\frac{1}{\gamma_1 (svk - svk^*)}} = \Big(\frac{e((u^{svk} v)^{s}, h)}{e(g, h^{y_i \alpha})^{s\gamma_2/y_i}}\Big)^{\frac{1}{\gamma_1 (svk - svk^*)}} = \Big(\frac{e(g^{s\gamma_1 (svk - svk^*)} g_1^{s\gamma_2}, h)}{e(g_1^{s\gamma_2}, h)}\Big)^{\frac{1}{\gamma_1 (svk - svk^*)}} = e(g, h)^{s},$$
where $e(c_2, c_1) = e(g, Y_i)^{s}$ by Eq. (4). Then $\mathcal{B}$ computes $m = c_3 / e(g, h)^{s}$. When $i = i^*$, $y_i$ is replaced with $y$ in the above computation. When $i \in CU$, $\mathcal{B}$ can decrypt the ciphertext directly using the known private key $y_i$.

9 J.W. Seo et al. / Theoretical Computer Science 49 (203) The responses of the re-encryption and the first level decryption oracles do not give any information to A and also do not help A distinguish between the simulation and the actual construction, since the validity check of input ciphertexts reects all non-well-formed ciphertexts except for negligible probability. When the find phase is over, A submits the challenge messages (m 0, m ), the challenge type t, and the target user i, where the probability that A submits (t, i ) is /(nq). Then B picks random b {0, } and generates the challenge ciphertext C (svk, c, c, 2 c, 3 c, σ 4 ) where q 2 ς c t, c 2 g, c 3 m b e Z ς ν0, c 4 g γ 2, σ S(ssk, (c 3, c 4 )), g, g ν τ+ τ for random s β/α where β log g g. If q-wdbdhi challenge is on P q-wdbdhi, C is a valid ciphertext since c 2 g β α (α+t t ) g, c 4 (usvk v) s (g γ (svk svk ) γ g 2 ) β α g γ 2, c 3 m b e(g, h) β q α q 2 α m b e g, mb e g, g ς ν τ τ g ν τ+ τ ς e(g, g) ς ν 0 α. The adversary A s view is identical to the view in the real attack environment. In contrast, if q-wdbdhi challenge is on R q-wdbdhi, Z has a random distribution on G T. Thus A cannot guess b with probability better than /2. The adversary A finally outputs a guess b {0, } and then B concludes its own game by outputting a guess as follows. If b b then B decides that q-wdbdhi challenge is on P q-wdbdhi and outputs. Otherwise, B decides that q-wdbdhi challenge is on R q-wdbdhi and outputs 0. Therefore, we have Pr[B(g, g,..., g q, g, e(g, g) α ) 0] Pr[B(g, g,..., g q, g, R) 0] ϵ nq, where Pr[F Sig ] is omitted because its probability is negligible. Theorem 2. The proposed TB-PRE scheme is IND-t-Pr-RCCA at the first level if the one-time signature Sig is strongly unforgeable and the q-wdbdhi assumption holds in G. Proof. Unlike the game of the second level ciphertext security, the adversary in the game of the first level ciphertext security can access all the re-encryption keys. 
Thus the re-encryption oracle is not required during the simulation. Let A be the adversary that breaks the IND-t-Pr-RCCA security at the first level with advantage ϵ. We construct an algorithm B that solves the q-wdbdhi problem by interacting with A. The algorithm B proceeds as follows. Before describing B, we define an event F Sig as in Theorem. The difference is that the event F Sig only occurs during a decryption query. Therefore, the probability for the event F Sig is Pr[F Sig ] q dec /p + Adv Sig where q dec is the maximum number of the first level decryption oracle queries. If the event F Sig occurs, B terminates the simulation and returns a random bit. Assuming the strong unforgeability of the one-time signature, the event F Sig occurs with negligible probability. In the below description, we omit the overlap with Theorem for simplicity. - Setup: B generates a type set T {t,..., t q } for t i Z p where q types are all distinct. If α T, B uses α to solve the q-wdbdhi problem. Otherwise, it defines a polynomial f (x) q τ (x t τ ) of degree q, expands f (x), and writes f (x) q ν τ x τ where ν 0,..., ν q Z p are the coefficients of the polynomial f (x). It picks random ς Z p and sets, q h g ςf (α) ς ν g τ τ. It chooses a strongly unforgeable one-time signature Sig (G, S, V), generates a one-time signature key pair (ssk, svk ) G(λ), and sets u g γ, v g γ svk g γ 2 for random γ, γ 2 Z p. The algorithm B sends the adversary A the global parameter param {G, G T, g, h, u, v, Sig, T}. - Key generation: The target user s public key is set as, for random y Z p, q pk i (X i, Y i ) (g x i, h y i ) g, h y α y ς ν g τ τ, τ where the private key sk i (x i, y i ) (α, yα) is unknown. For user i {HU, CU} \ {i }, B sets the private key sk i (x i, y i ) and the public key pk i (g x i, h y i) for random xi, y i Z p.

10 92 J.W. Seo et al. / Theoretical Computer Science 49 (203) To simulate A s environment successfully, B should predict the target user i. The probability is at least /n where n HU, and /n is non-negligible as long as n is polynomial. During the find and guess phases, A requests adaptive queries to the re-encryption key generation oracle O rk (,, ) and the first level decryption oracle O dec (, ). B responds to the queries as follows, where we assume that i. - O rk (pk i, pk, t κ ): Let F (x) t κ be the q 2 degree polynomial F tκ (x) f (x)/(x t κ) q τ,τ κ (x t τ ). We can write F (x) q 2 µ t κ τ x τ where µ 0,..., µ q 2 Z p are the coefficients of the polynomial F tκ (x). When i i, B computes, rk Y /(x i t κ ) g ς y f (α)/(α tκ ) g ς y F tκ (α) q 2 ς y µ g τ τ, and returns the re-encryption key rk t κ i (t κ, rk) to A. In other cases, B simply computes the re-encryption key, rk t κ i Rekeygen(sk i, pk, t κ ), since it knows all x i except for that of the target user. - O dec (pk i, C i ): Given a first level ciphertext C i (svk, c, c, c, 2 c 3, c 4, σ ), B returns if Eqs. (3) and (4) do not hold. Otherwise, B returns a message m to A. (i) If svk svk, this case implies that F Sig occurs or (pk i, C i ) is a derivative of (pk i, C ). When σ σ, B does not respond to the query because the query for a derivative of (pk i, C ) is not allowed. When F Sig happens, B terminates the simulation and returns a random bit. (ii) If svk svk, B responds to the query in two cases. When i i, B can compute m by using the same method as that of Theorem, e(c 4, h) e(c 2, c ) γ 2 y γ (svk svk ) e((u svk v) s, h) e(g, h y α ) s γ 2 y γ (svk svk ) e(g s γ (svk svk ) g s γ 2 e(g, h) s, e(g s γ 2, h), h) γ (svk svk ) where e(c 2, c ) e(g, Y i) s by Eq. (4). Then B computes m c 3 e(g, h) s. When i {HU, CU} \ {i }, B can easily compute m by using the known private key y i. 
When the find phase is over, A submits the challenge messages (m 0, m ) and the target user i, where the probability that A submits i is /n. Then B picks random b {0, } and generates the challenge ciphertext C (svk, c, c, c 2, c, 3 c, σ 4 ), c h y c, c g /c, c 2 g /c, q 2 ς c 3 m b e g, Z ς ν0, g ν τ+ τ c 4 g γ 2, σ S(ssk, (c 3, c 4 )), for random s β/α, r c/α where β log g g and c is random in Z p. If q-wdbdhi challenge is on P q-wdbdhi, C is a valid ciphertext since c Y r i hy α α c h y c, c g r g α c g /c, c 2 g s r g β α αc g /c, where c 3 and c 4 are the same as those of Theorem. A s view is identical to the view in the real attack environment. In contrast, if q-wdbdhi challenge is on R q-wdbdhi, Z has a random distribution on G T. Thus A cannot guess b with probability better than /2. The adversary A finally outputs a guess b {0, } and then B concludes its own game by outputting a guess as follows. If b b then B decides that q-wdbdhi challenge is on P q-wdbdhi and outputs. Otherwise, B decides that q-wdbdhi challenge is on R q-wdbdhi and outputs 0. Therefore, we have Pr[B(g, g,..., g q, g, e(g, g) α ) 0] Pr[B(g, g,..., g q, g, R) 0] ϵ n, where Pr[F Sig ] is omitted because its probability is negligible. Theorem 3. The proposed TB-PRE scheme is proxy-invisible. Proof. In Definition 7, the goal of the adversary A is to predict the random bit b of the renc-or-enc oracle. That is, the adversary should distinguish between the outputs of the re-encryption and the outputs of the first level encryption. In our scheme, these outputs have the same values on (svk, c 3, c 4, σ ), which does not help the adversary distinguish between original encryption and re-encryption. The difference between a first level ciphertext under pk and a re-encrypted

11 J.W. Seo et al. / Theoretical Computer Science 49 (203) ciphertext for a user can only happen in (c, c, c 2 ). These values have the same form and are computed by using different random exponents, r and w/(x i t), respectively. That is, the ciphertexts produced by the first level encryption algorithm have distribution on random r and the ciphertexts produced by the re-encryption algorithm have distribution on random w/(x i t). The ciphertexts produced by each algorithm are on uniform distributions because the random r, w Z p are chosen uniformly. To break the proxy-invisibility, the adversary A should distinguish between two uniform distributions, which is infeasible since two distributions are identical. Therefore, the proposed TB-PRE scheme satisfies proxy invisibility. References [] G. Ateniese, K. Fu, M. Green, S. Hohenberger, Improved proxy re-encryption schemes with applications to secure distributed storage, in: NDSS, The Internet Society, 2005, pp [2] M. Bellare, A. Boldyreva, A. Palacio, An uninstantiable random-oracle-model scheme for a hybrid-encryption problem, in: EUROCRYPT, in: Lecture Notes in Computer Science, vol. 3027, Springer, 2004, pp [3] M. Bellare, P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, in: ACM Conference on Computer and Communications Security, ACM, 993, pp [4] M. Blaze, G. Bleumer, M. Strauss, Divertible protocols and atomic proxy cryptography, in: EUROCRYPT, in: Lecture Notes in Computer Science, vol. 403, Springer, 998, pp [5] R. Bobba, J. Muggli, M. Pant, J. Basney, H. Khurana, Usable secure mailing lists with untrusted servers, in: IDtrust, ACM, 2009, pp [6] R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited (preliminary version), in: STOC, ACM, 998, pp [7] R. Canetti, S. Halevi, J. Katz, Chosen-ciphertext security from identity-based encryption, in: EUROCRYPT, in: Lecture Notes in Computer Science, vol. 3027, Springer, 2004, pp [8] R. Canetti, H. 
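As an added worked example (not code from the paper), the following Python model carries the three proofs' algebra through in the exponent: a group element $g^a$ is stored as $a \bmod p$, $h = g^{\eta}$ for an assumed constant $\eta$, and the pairing $e(g^a, g^b) = e(g, g)^{ab}$ is stored as $ab$. The component formulas are read off the proofs above (second level $c_2 = (X_i/g^t)^s$, first level $(Y_j^r, g^{1/r}, g^{s/r})$, re-encryption with $w$, and the simulator's recovery of $g^s$ from $c_2, c_4$); the full algorithms are on earlier pages not reproduced here, so those shapes, the constants $\eta, u, v$ and the omission of the one-time signature and of Eqs. (1)-(4) are assumptions of this model. It checks that re-encryption yields a ciphertext of exactly the first level form with effective exponent $r = w/(x_i - t)$, that this map permutes $\mathbb{Z}_p^*$ (the Theorem 3 argument, verified exhaustively for a small prime), and that the Theorem 1/2 trick $(c_4/c_2^{\gamma_2})^{1/(\gamma_1(svk - svk^*))} = g^s$ holds.

```python
# Added example (not the paper's code): exponent-level model of the ciphertext shapes
# used in the proofs of Theorems 1-3.  A group element g^a is stored as the exponent
# a mod P, h = g^ETA, and the pairing e(g^a, g^b) = e(g, g)^{ab} is stored as a*b
# (base e(g, g)); messages live in G_T and are stored the same way.  The one-time
# signature and the checks of Eqs. (1)-(4) are omitted; the component formulas are
# read off the proofs, so they are assumptions about algorithms not shown on this page.
import secrets

P = (1 << 127) - 1            # stands in for the prime group order p (assumption)
ETA = 7                       # assumed: h = g^ETA
U_EXP, V_EXP = 11, 13         # assumed: u = g^U_EXP, v = g^V_EXP


def inv(a, p=P):
    """Multiplicative inverse in Z_p (a must be nonzero mod p)."""
    return pow(a % p, p - 2, p)


def rand(p=P):
    """Uniform element of Z_p^*."""
    return 1 + secrets.randbelow(p - 1)


def keygen():
    """sk = (x, y); pk = (X, Y) = (g^x, h^y), both stored as exponents base g."""
    x, y = rand(), rand()
    return (x, y), (x, ETA * y % P)


def enc2(pk, t, m, svk):
    """Second level ciphertext (svk, c1, c2, c3, c4): c1 = t, c2 = (X/g^t)^s,
    c3 = m * e(g, h)^s, c4 = (u^svk v)^s."""
    X, _ = pk
    s = rand()
    return (svk, t, (X - t) * s % P, (m + ETA * s) % P, (U_EXP * svk + V_EXP) * s % P)


def dec2(sk, C):
    """e(c2, Y)^{1/(y (x - t))} = e(g, h)^s, then m = c3 / e(g, h)^s."""
    x, y = sk
    _, t, c2, c3, _ = C
    e_gh_s = c2 * (ETA * y) * inv(y * (x - t)) % P
    return (c3 - e_gh_s) % P


def rekeygen(sk_i, pk_j, t):
    """rk_{i->j}^t = (t, Y_j^{1/(x_i - t)})."""
    x_i, _ = sk_i
    _, Y_j = pk_j
    return t, Y_j * inv(x_i - t) % P


def reenc(rk, pk_i, C):
    """Re-encryption with random w: (Y_j^{w/(x_i - t)}, (X_i/g^t)^{1/w}, c2^{1/w}).
    Returns the first level ciphertext and the w used (only for the checks below)."""
    t, rk_val = rk
    X_i, _ = pk_i
    svk, c1, c2, c3, c4 = C
    if c1 != t:
        raise ValueError("type of ciphertext does not match re-encryption key")
    w = rand()
    return (svk, rk_val * w % P, (X_i - t) * inv(w) % P, c2 * inv(w) % P, c3, c4), w


def enc1(pk, m, svk):
    """Direct first level ciphertext (svk, Y^r, g^{1/r}, g^{s/r}, c3, c4)."""
    _, Y = pk
    r, s = rand(), rand()
    return (svk, Y * r % P, inv(r), s * inv(r) % P, (m + ETA * s) % P, (U_EXP * svk + V_EXP) * s % P)


def dec1(sk, C):
    """e(c2', c1')^{1/y} = e(g, h)^s, then m = c3 / e(g, h)^s."""
    _, y = sk
    _, c1a, _, c2, c3, _ = C
    return (c3 - c2 * c1a * inv(y)) % P


def effective_r(C):
    """The unique r with c1'' = g^{1/r}; for a re-encrypted ciphertext it equals w/(x_i - t)."""
    return inv(C[2])


def reenc_exponent_is_bijection(p, x_i, t):
    """Theorem 3: for fixed x_i != t, w -> w/(x_i - t) permutes Z_p^* (exhaustive, small p)."""
    d = inv(x_i - t, p)
    return sorted(w * d % p for w in range(1, p)) == list(range(1, p))


def recover_s(c2, c4, svk, svk_star, g1, g2):
    """Simulator trick of Theorems 1-2 (case svk != svk*): with u = g^{g1},
    v = g^{-g1 svk*} g_1^{g2} and x_i - t = alpha, (c4 / c2^{g2})^{1/(g1 (svk - svk*))} = g^s."""
    return (c4 - g2 * c2) * inv(g1 * (svk - svk_star)) % P
```

Everything is linear in the exponent, so this model cannot say anything about hardness; its value is that each identity the proofs rely on (correct decryption after re-encryption, the first level shape of a re-encrypted ciphertext, the bijection behind proxy invisibility, and the simulator's $g^s$ recovery, which fails exactly when $svk = svk^*$ because the exponent $\gamma_1(svk - svk^*)$ is then not invertible) can be checked mechanically on random inputs.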

More information

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval. Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI Public-Key Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions

More information

Securely Obfuscating Re-Encryption

Securely Obfuscating Re-Encryption Securely Obfuscating Re-Encryption Susan Hohenberger Guy N. Rothblum abhi shelat Vinod Vaikuntanathan June 25, 2007 Abstract We present a positive obfuscation result for a traditional cryptographic functionality.

More information

Post-quantum security models for authenticated encryption

Post-quantum security models for authenticated encryption Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that

More information

Lecture 17: Constructions of Public-Key Encryption

Lecture 17: Constructions of Public-Key Encryption COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,

More information

Non-malleability under Selective Opening Attacks: Implication and Separation

Non-malleability under Selective Opening Attacks: Implication and Separation Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai

More information

CRYPTANALYSIS OF COMPACT-LWE

CRYPTANALYSIS OF COMPACT-LWE SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption

More information

Efficient Selective Identity-Based Encryption Without Random Oracles

Efficient Selective Identity-Based Encryption Without Random Oracles Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity

More information

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

CSA E0 312: Secure Computation September 09, [Lecture 9-10] CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability

More information

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen

More information

Public Key Encryption with Conjunctive Field Keyword Search

Public Key Encryption with Conjunctive Field Keyword Search Public Key Encryption with Conjunctive Field Keyword Search Dong Jin PARK Kihyun KIM Pil Joong LEE IS Lab, POSTECH, Korea August 23, 2004 Contents 1 Preliminary 2 Security Model 3 Proposed Scheme 1 4 Proposed

More information

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1] CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced

More information

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction Tatra Mt. Math. Publ. 41 (2008), 133 151 tm Mathematical Publications ON CIPHERTEXT UNDETECTABILITY Peter Gaži Martin Stanek ABSTRACT. We propose a novel security notion for public-key encryption schemes

More information

A survey on quantum-secure cryptographic systems

A survey on quantum-secure cryptographic systems A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum

More information

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004 CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce

More information

Lecture 5, CPA Secure Encryption from PRFs

Lecture 5, CPA Secure Encryption from PRFs CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and

More information

Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption

Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption Shota Yamada 1, Nuttapong Attrapadung 2, Goichiro Hanaoka 2 and Noboru Kunihiro 1 1 The University of Tokyo. {yamada@it., kunihiro@}

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

6.892 Computing on Encrypted Data October 28, Lecture 7

6.892 Computing on Encrypted Data October 28, Lecture 7 6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling

More information

2 Message authentication codes (MACs)

2 Message authentication codes (MACs) CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from

More information

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004 CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,

More information

On Two Round Rerunnable MPC Protocols

On Two Round Rerunnable MPC Protocols On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted

More information

Research Article Re-Encryption Method Designed by Row Complete Matrix

Research Article Re-Encryption Method Designed by Row Complete Matrix Hindawi Publishing Corporation Mathematical Problems in Engineering Volume 2012, Article ID 402890, 14 pages doi:10.1155/2012/402890 Research Article Re-Encryption Method Designed by Row Complete Matrix

More information

RSA-OAEP and Cramer-Shoup

RSA-OAEP and Cramer-Shoup RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security

More information

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.

More information

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance

More information

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18

More information

Cryptographic Security of Macaroon Authorization Credentials

Cryptographic Security of Macaroon Authorization Credentials Cryptographic ecurity of Macaroon Authorization Credentials Adriana López-Alt New York University ecember 6, 2013 Abstract Macaroons, recently introduced by Birgisson et al. [BPUE + 14], are authorization

More information

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today: Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how

More information

The Twin Diffie-Hellman Problem and Applications

The Twin Diffie-Hellman Problem and Applications The Twin Diffie-Hellman Problem and Applications David Cash 1 Eike Kiltz 2 Victor Shoup 3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This

More information

Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes

Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes Alexandra Boldyreva 1 and Marc Fischlin 2 1 College of Computing, Georgia Institute of Technology, 801 Atlantic Drive,

More information

Katz, Lindell Introduction to Modern Cryptrography

Katz, Lindell Introduction to Modern Cryptrography Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key

More information

Smooth Projective Hash Function and Its Applications

Smooth Projective Hash Function and Its Applications Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive

More information

A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack

A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack Joonsang Baek 1 Willy Susilo 2 Joseph K. Liu 1 Jianying Zhou 1 1 Institute for Infocomm Research, Singapore 2 University of

More information

8 Security against Chosen Plaintext

8 Security against Chosen Plaintext 8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly

More information

Ring Signatures without Random Oracles

Ring Signatures without Random Oracles Ring Signatures without Random Oracles Sherman S. M. Chow 1, Joseph K. Liu 2, Victor K. Wei 3 and Tsz Hon Yuen 3 1 Department of Computer Science Courant Institute of Mathematical Sciences New York University,

More information

f (x) f (x) easy easy

f (x) f (x) easy easy A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:

More information