4.4 Security Analysis of a Recent “CCA1-secure” PRE scheme
4.4.3 Analysis of the attack
There are two main reasons that explain why this attack is possible. The first is related to the construction itself, whereas the second concerns the underlying security model.
Firstly, the scheme leaks the re-encryption key through queries to the re-encryption oracle. That is, it fails to satisfy the private re-encryption keys property. This characteristic is what makes possible for the attacker to learn the re-encryption key from the target user to one under her control, thus winning the security game. This is a consequence of how the re-encryption function is constructed, which is simply the multiplication of a ciphertext by the re-encryption key. Thus, when the input ciphertexts are carefully chosen, it is possible to recover the desired re-encryption key. A possible solution to thwart this attack consists on adding a small noise after the multiplication. Another issue with the re-encryption func- tion is that it is performed without any kind of validity check on the input. This poses an interesting problem since this validity check should be performed with- out the proxy seeing the original plaintexts. The usual solution to this problem is to make the ciphertexts publicly verifiable [54]. A consequence of this property
is that it prevents the proxy from acting as an oracle [121], which is exactly the weak point of the analyzed scheme.
Secondly, the adversarial model used in this scheme (i.e., CCA1,0) does not provide access to a re-encryption oracle during the security game, so the scheme is obliv- ious to the fact that it is insecure when one considers access to this oracle, as in CCA1,1. As discussed in Section 4.3.4, the only attack models deemed meaningful for PRE are CCA2,2, CCA1,1, and CCA0,0, as there should be very strong reasons for justifying any asymmetry between the adversarial capabilities concerning de- cryption and re-encryption. In addition, the re-encryption capabilities should be wide enough to allow the adversary to ask for the re-encryption of ciphertexts that are unrelated to the challenge ciphertext, for any pair of users.
4.5
Summary
In this chapter we have studied the notions of security for proxy re-encryption by identifying a parametric family of attack models that not only considers the availability of the decryption oracle (as in PKE), but also the re-encryption oracle. Although this seems to be a rather natural step, to the best of our knowledge, it has not been explicitly considered before. This parametric family of attack models for PRE allows us to define a collection of security notions, whose relations we analyze. This type of study is necessary to achieve a better understanding of the definitions of security upon which design proxy re-encryption schemes. For instance, one immediate application of this work is found in Section 5.2, where we use it to reason about the construction of generic CCA-secure transformations in the context of proxy re-encryption.
Part of this chapter has been concerned with studying separations between PRE notions of security. In particular, we have established separations between secu- rity notions by exploiting the private re-encryption keys property, or more accu- rately, the failure to fulfill this property. The consequence of these separations is that schemes that leak re-encryption keys through queries to the re-encryption oracle cannot achieve strong security notions. These results strengthen the idea that meaningful chosen-ciphertext attacks for PRE should consider both oracles (decryption and re-encryption).
In addition, these separation results have been illustrated with an example of a recent PRE scheme from PKC 2014 [48] that is said to be “CCA1-secure”, but that fails to achieve a meaningful notion of security for PRE, since we construct a chosen-ciphertext attack based on queries to the re-encryption oracle.
New Proxy Re-Encryption
Constructions
One of the main interests that drive the work on this thesis is to investigate more concrete aspects of proxy re-encryption schemes, such as those related to performance and security constructions. This chapter is divided according these two aspects.
In the first half we explore the use of lattice-based cryptography for constructing more efficient PRE schemes. In particular, we propose new proxy re-encryption schemes based on NTRU [16], a widely known lattice-based cryptosystem. Lattice- based cryptography is a promising field, not only due to its potential regarding post-quantum security, but also because its performance can be outstanding in some cases. We provide two different schemes: the first one is based on the con- ventional NTRU cryptosystem and, although it lacks a security proof, remains as efficient as its predecessor; the second one is based on a variant of NTRU proposed by Stehl´e and Steinfeld [122], which is proven CPA-secure under the Ring-LWE assumotion. To the best of our knowledge, our proposals are the first proxy re-encryption schemes to be based on the NTRU primitive. In addition, we provide experimental results to demonstrate the efficiency of our proposal, as well as a comparison with previous proxy re-encryption schemes, which confirms that our first scheme outperforms the rest by an order of magnitude.
The second half of this chapter has a different focus, as it is dedicated to the con- struction of CCA-secure schemes. In the case of traditional public-key encryption, there are several generic methods for achieving CCA-secure schemes from weakly secure cryptosystems, such as the Fujisaki-Okamoto [71, 17] and REACT [18] transformations. In PRE, however, this process is completely ad-hoc for each
scheme. Therefore, it would be desirable to count on analogous constructions that allow PRE schemes to “bootstrap” security by means of generic transforma- tions. In this section, we study the adaptation of some of these transformations to proxy re-encryption and find both positive and negative results: although direct application is not possible (as it leads to flawed constructions), we devise viable extensions that enable to enhance the security of existing schemes.