Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Transcription

1 NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain ACM AsiaCCS 2015 Singapore

2 1. Proxy Re-Encryption 2. NTRU 3. NTRUReEncrypt 4. PS-NTRUReEncrypt 5. Experimental results 6. Conclusions

3 Proxy Re-Encryption: Overview A Proxy Re-Encryption scheme is a public-key encryption scheme that permits a proxy to transform ciphertexts under Alice s public key into ciphertexts under Bob s public key The proxy needs a re-encryption key r A B to make this transformation possible, generated by the delegating entity Proxy Re-Encryption enables delegation of decryption rights

4 Syntax of Bidirectional Proxy Re-Encryption Definition. A bidirectional proxy re-encryption scheme is a tuple of algorithms (Setup, KeyGen, ReKeyGen, Enc, ReEnc, Dec): KeyGen() (pk A, sk A ) ReKeyGen(sk A, sk B ) rk A B Enc(pk A, M) C A ReEnc(rk A B, C A ) C B Dec(sk A, C A ) M

5 Correctness Definition: Multihop Correctness. A bidirectional PRE scheme (Setup, KeyGen, ReKeyGen, Enc, ReEnc, Dec) is multihop correct with respect to plaintext space M if: (Encrypted Ciphertexts) For all (pk A, sk A ) output by KeyGen and all messages M M, it holds that: Dec(sk A, Enc(pk A, M)) = M (Re-Encrypted Ciphertexts) For any sequence of pairs (pk i, sk i ) output by KeyGen, with 0 i N, all re-encryption keys rk j j+1 output by ReKeyGen(sk j, sk j+1 ), with j < N, all messages M M, and all ciphertexts C 1 output by Enc(pk 1, M), it holds that: Dec(sk N, ReEnc(rk N 1 N,...ReEnc(rk 1 2, C 1 ))) = M

6 Bidirectional CPA-security game Let us assume: k is the security parameter A is a polynomial-time adversary H, C are the sets of indices of honest and corrupt users The IND-CPA game consists of an execution of A with the following oracles, which can be invoked multiple times in any order, subject to the constraints below:

7 Bidirectional CPA-security game Phase 0: Phase 1: The challenger obtains global parameters params Setup(1 k ) and initializes sets H, C to. The challenger generates the public key pk of target user i, adds i to H, and sends pk to the adversary. Uncorrupted key generation O honest : On input an index i, where i H C, the oracle obtains a new keypair (pk i, sk i ) KeyGen() and adds index i to H. The adversary receives pk i. Corrupted key generation O corrupt : On input an index i, where i H C, the oracle obtains a new keypair (pk i, sk i ) KeyGen() and adds index i to C. The adversary receives (pk i, sk i ).

8 Bidirectional CPA-security game Phase 2: Phase 3: Re-encryption key generation O rkgen : On input (i, j), where i j, and either i, j H or i, j C, the oracle returns rk i j ReKeyGen(sk i, sk j ). Challenge oracle O challenge : This oracle can be queried only once. On input (M 0, M 1 ), the oracle chooses a bit b {0, 1} and returns the challenge ciphertext C Enc(pk, M b ), where pk corresponds to the public key of target user i. Decision: A outputs guess b {0, 1}. A wins the game if and only if b = b.

9 Other remarks Static corruption model We only allow queries to O rkgen where users are either both corrupt or both honest Otherwise, these queries would corrupt honest users Re-encryption oracle is not necessary in CPA

10 NTRUEncrypt: Overview Originally proposed by Hoffstein, Pipher and Silverman One of the first PKE schemes based on lattices NTRU Encryption is very efficient, orders of magnitude faster than other PKE schemes IEEE Standard and ANSI X It is conjectured to be based on hard problems over lattices Post-quantum cryptography It lacks a formal proof in the form of a reduction to a hard problem (i.e. not provably-secure)

11 NTRUEncrypt: Basics Defined over the quotient ring R NT RU = Z[x]/(x n 1), where n is a prime parameter Other parameters of NTRU: Integer q, which is a small power of 2 of the same order of magnitude than n Small polynomial p R NT RU, which usually takes values p = 3 or p = x + 2 In general, operations over polynomials will be performed in R NT RU /q or R NT RU /p

12 NTRUEncrypt: Key Generation Private key: sk = f R NT RU f is chosen at random, with a determined number of coefficients equal to 0, -1, and 1 f must be invertible in R NT RU /q and R NT RU /p fq 1, fp 1 For efficiency, f can be chosen to be 1 mod p Public key: pk = h = p g fq 1 mod q g R NT RU is chosen at random

13 NTRUEncrypt: Encryption and Decryption Encryption: plaintext M from message space R NT RU /p ciphertext C = h s + M mod q noise term s is a small random polynomial in R NT RU Decryption: Compute C = f C mod q Compute m = f 1 p C mod p Why does it work? C = f (p g fq 1 s + M) mod q = p g s + f M mod q This equation holds if f C is small enough fp 1 ( p g s + f M) mod p = fp 1 f M mod p = M If f = 1 mod p, then the last step is simply m = C mod p

14 NTRUReEncrypt We extended NTRUEncrypt to support re-encryption NTRUReEncrypt New requirement: secret polynomial f = 1 mod p Not for efficiency reasons, but necessary to correctly decrypt re-encrypted ciphertexts

15 NTRUReEncrypt: Key Generation Private key: sk A = f A R NT RU f A is chosen at random, with a determined number of coefficients equal to 0, -1, and 1 f A must be invertible in R NT RU /q f 1 A Since f is chosen to be 1 mod p, its inverse mod p is not necessary Public key: pk A = h A = p g A f 1 A mod q g A R NT RU is chosen at random

16 NTRUReEncrypt: Encryption and Decryption Encryption: plaintext M from message space R NT RU /p ciphertext C A = h A s + M mod q noise term s is a small random polynomial in R NT RU Decryption: Compute C A = f C A mod q Compute m = C A mod p

17 NTRUReEncrypt: Re-Encryption Key Generation Re-Encryption Key Generation: Input: secret keys sk A = f A and sk B = f B The re-encryption key between users A and B is rk A B = sk A sk 1 B = f A f 1 B Three-party protocol, so neither A, B nor the proxy learns any secret key. A selects a random r R NT RU /q A sends r f A mod q to B and r to the proxy B sends r f A f 1 B The proxy computes rk A B = f A f 1 B mod q to the proxy mod q

18 NTRUReEncrypt: Re-Encryption Re-Encryption Input: a re-encryption key rk A B and a ciphertext C A Samples a random polynomial e R NT RU Output re-encrypted ciphertext C B = C A rk A B + pe The noise e prevents B from extracting A s private key

19 NTRUReEncrypt: Re-Encryption Why does it work? Re-encrypted ciphertext: C B = C A rk A B + p e mod q = (p g f 1 A = p g f 1 B s + M) f A f 1 B s + f A f 1 B Decrypting a re-encrypted ciphertext: f B C B + p e mod q M + p e mod q mod p = (p g s + p e) + f A M mod p = f A M mod p = M

20 NTRUReEncrypt: Re-Encryption Limited Multihop: The scheme does not support unlimited re-encryptions The noise e added during the re-encryption accumulates on each hop, until eventually, decryption fails This depends heavily on the choice of parameters

21 NTRUReEncrypt: Analysis Computational costs: The core operation in NTRU is the multiplication of polynomials It can be done in O(n log n) time using the Fast Fourier Transform (FFT) Encryption, decryption and re-encryption only need a single multiplication

22 NTRUReEncrypt: Analysis Space costs: Keys and ciphertexts are polynomials of size O(n log 2 q) bits Ciphertext expansion is O(log 2 q) Other lattice-based schemes have ciphertexts of size O(n 2 ) Table : Comparison of space costs (in KB) Size Aono et al. NTRUReEncrypt Public keys Secret key Re-Encryption key Ciphertext

23 NTRUReEncrypt: Analysis Bidirectional: Given rk A B = f A f 1, one can easily compute Limited multihop rk B A = (rk A B ) 1 = f B f 1 A B Not collusion-safe: Secret keys can be extracted from the re-encryption key if the proxy colludes with a user involved f A = rk B A f B This is common in interactive bidirectional PRE schemes

24 PS-NTRUReEncrypt A second proxy re-encryption scheme, called PS-NTRUReEncrypt Provable secure under the Ring-LWE assumption Extends the NTRU variant proposed by Stehlé and Steinfeld [Eurocrypt 11], which is proven IND-CPA secure

25 Preliminaries Φ(x) is the cyclotomic polynomial x n + 1, with n a power of 2 q is a prime integer such that q = 1 mod 2n R is the ring Z[x]/Φ(x) R q = R/q = Z q [x]/φ(x) R q is the set of invertible elements of R q

26 The Ring-LWE problem The Ring Learning With Errors (Ring-LWE) problem is a hard decisional problem based on lattices We use a variant of this problem proposed by Stehlé and Steinfeld. s R q and ψ a distribution over R q A s,ψ is the distribution that samples pairs of the form (a, b) a is chosen uniformly from R q b = a s + e, for some e sampled from ψ The Ring-LWE problem is to distinguish distribution A s,ψ from a uniform distribution over R q R q The Ring-LWE assumption is that this problem is computationally infeasible

27 PS-NTRUReEncrypt: Setup and Key Generation Setup: Global parameters: (n, q, p, α, σ) Key Generation: D Z n,σ is a Gaussian distribution over Z n with standard deviation σ The keys are computed as follows: 1. Sample f from D Zn,σ Let f A = 1 + p f ; if (f A mod q) R q, resample 2. Sample g A from D Z n,σ; if (g A mod q) R q, resample 3. Compute h A = p g A f 1 A 4. Return secret key sk A = f A and pk A = h A

28 PS-NTRUReEncrypt: Encryption and Decryption Encryption: Input: public key pk A and message M M Sample noise polynomials s, e from a distribution Ψ α Output ciphertext: Decryption: C A = h A s + pe + M R q Input: secret key sk A = f A and ciphertext C A Compute C A = C A f A Output the message M = (C A mod p) M

29 PS-NTRUReEncrypt: Re-Encryption Key Generation and Re-Encryption Re-Encryption Key Generation: Input: secret keys sk A = f A and sk B = f B The re-encryption key between users A and B is Re-Encryption: rk A B = sk A sk 1 B = f A f 1 B Input: a re-encryption key rk A B and a ciphertext C A Samples a random polynomial e from a distribution Ψ α Output re-encrypted ciphertext C B = C A rk A B + pe

30 Multihop Correctness Ciphertext re-encrypted N times: C N = pg 0 f 1 N s + pe 0f 0 f 1 N + pe 1f 1 f 1 N pe N 1 f N 1 f 1 = pg 0 f 1 N s + [ N 1 i=0 pe i f i f 1 N ] N + pe N + Mf 0 f 1 N + pe N + Mf 0 f 1 N When decrypting C N (assuming no decryption failures): [ N ] C N = C N f N = pg 0 s + pe i f i + Mf 0 i=0 Since, f 0 = 1 mod p and pg 0 s = pe i f i = 0 mod p, then: C N mod p = M

31 Experimental setting Implementation of our proposals: NTRUReEncrypt is implemented on top of an available open-source Java implementation of NTRU PS-NTRUReEncrypt was coded from scratch, using the Java Lattice-Based Cryptography (jlbc) library Execution enviroment: Intel Core GHz

32 Performance of NTRUReEncrypt Table : Computation time (in ms) and number of hops of NTRUReEncrypt for different parameters Parameters Enc. Dec. Re-Enc. # Hops (439, no, 128) (439, yes, 128) (1087, no, 256) (1087, yes, 256) (1171, no, 256) (1171, yes, 256) (1499, no, 256) (1499, yes, 256)

33 Comparison of NTRUReEncrypt to other schemes Time (ms) Encryption Decryption Re-Encryption NTRUReEncrypt BBS Aono et al. Weng et al.

34 Comparison of NTRUReEncrypt to other schemes Table : Computation time of several proxy re-encryption schemes (in ms) Scheme Enc. Dec. Re-Enc. NTRUReEncrypt Aono et al BBS Weng et al Ateniese et al Libert and Vergnaud

35 Performance of PS-NTRUReEncrypt Table : Computation time (in ms) and size (in KB) of PS-NTRUReEncrypt for different parameters n log 2 q Enc. Dec. Re-Enc. Size

36 Conclusions NTRUReEncrypt is a highly-efficient proxy re-encryption scheme based on the NTRU cryptosystem This scheme is bidirectional and multihop, but not collusion-resistant The key strength of this scheme is its performance: outperforms other schemes by an order of magnitude Potential improvement with parallelization techniques Opens up new practical applications of PRE in constrained environments We also propose PS-NTRUReEncrypt, a provably-secure variant that is CPA-secure under the Ring-LWE assumption

37 Future Work Achieve CCA-security Definition of a unidirectional and collision-resistant scheme Fine-tune the parameters of NTRUReEncrypt for decreasing the probability of decryption failures after multiple re-encryptions Better bounds for the provably-secure version Analysis of the selection of parameters based on best known lattice attacks

38 Thank you!