
Starting from a FuPE scheme, we define two additional algorithms $\mathsf{PPunc}'$ and $\mathsf{NPunc}'$ that are compatible with $\mathsf{PPunc}$ and $\mathsf{NPunc}$ of the FuPE scheme but work on encrypted secret keys:

$\mathsf{PPunc}'(C_{sk}, \tau^+)$: Computes the positively punctured $C'_{sk}$ using the tag $\tau^+$.

$\mathsf{NPunc}'(C_{sk}, \tau^-)$: Computes the negatively punctured $C'_{sk}$ using the tag $\tau^-$.

We require the $\mathsf{PPunc}'$ algorithm to be compatible with $\mathsf{PPunc}$ in the sense that for all valid inputs $sk, \tau^+$ to $\mathsf{PPunc}$ it holds that for all $k \in \mathbb{N}$, for all $(pk_{HPKE}, sk_{HPKE}) \leftarrow \mathsf{Gen}_{HPKE}(1^k)$, for all $C_{sk} \leftarrow \mathsf{Enc}_{HPKE}(pk_{HPKE}, sk)$ we have $\mathsf{Dec}_{HPKE}(sk_{HPKE}, \mathsf{PPunc}'(C_{sk}, \tau^+)) = \mathsf{PPunc}(sk, \tau^+)$.

Analogously, we require such a functionality for $\mathsf{NPunc}'$. From a theoretical viewpoint, this means no additional assumption on the FuPE scheme, since one can use a fully homomorphic encryption (FHE) scheme as HPKE. From a practical viewpoint, we observe that many suitable candidate HIBE schemes for FuPE only require linear operations for $\mathsf{PPunc}$ and $\mathsf{NPunc}$, and thus $\mathsf{PPunc}'$ as well as $\mathsf{NPunc}'$ may be instantiated very efficiently using linear encryption [BBS04].

HIBE with public delegation. To generically implement the $\mathsf{PPunc}'$ and $\mathsf{NPunc}'$ algorithms, we introduce another property of HIBE schemes. In particular, we define a delegation algorithm $\mathsf{PDel}$ which operates on encryptions of the actual secret key instead of the secret key itself. Using this algorithm, one can then straightforwardly implement the $\mathsf{PPunc}'$ and $\mathsf{NPunc}'$ algorithms analogously to $\mathsf{PPunc}$ and $\mathsf{NPunc}$ in Scheme 6, but replacing every call to $\mathsf{Del}$ by $\mathsf{PDel}$.

More formally, let $HPKE = (\mathsf{Gen}_{HPKE}, \mathsf{Enc}_{HPKE}, \mathsf{Dec}_{HPKE})$ be a HPKE scheme as defined above, and $(pk_{HPKE}, sk_{HPKE}) \leftarrow \mathsf{Gen}_{HPKE}(1^k)$. A publicly delegatable HIBE scheme $HIBE$ with message space $\mathcal{M}$ and identity space $\mathcal{ID}^{\le \ell}$ is a HIBE scheme as defined in Section 3 with an additional delegation algorithm as follows (and we further need that the message space of HPKE is the secret-key space of HIBE):

$\mathsf{PDel}(C_{HPKE,id'}, id)$: On input a HPKE ciphertext $C_{HPKE,id'} \leftarrow \mathsf{Enc}_{HPKE}(pk_{HPKE}, sk_{id'})$ and an identity $id$, output an encryption $\mathsf{Enc}_{HPKE}(pk_{HPKE}, sk_{id})$ of a secret key $sk_{id}$ if and only if $id'$ is a prefix of $id$ (encryption is component-wise).

Correctness of delegation. For all $k, \ell \in \mathbb{N}$, all $(pk, sk_\varepsilon) \leftarrow \mathsf{Gen}(1^k, \ell)$, all $M \in \mathcal{M}$, all $id, id' \in \mathcal{ID}^{\le \ell}$ where $id'$ is a prefix of $id$, all $sk_{id} \leftarrow \mathsf{Del}(sk_{id'}, id)$, all $C_{id} \leftarrow \mathsf{Enc}(pk, M, id)$, for all $(pk_{HPKE}, sk_{HPKE}) \leftarrow \mathsf{Gen}_{HPKE}(1^k)$, for all $C_{HPKE,id'} \leftarrow \mathsf{Enc}_{HPKE}(pk_{HPKE}, sk_{id'})$, all $C_{HPKE,id} \leftarrow \mathsf{PDel}(C_{HPKE,id'}, id)$, all $sk_{id} := \mathsf{Dec}_{HPKE}(sk_{HPKE}, C_{HPKE,id})$, we have $\mathsf{Dec}(sk_{id}, C_{id}) = M$.

Example of HIBE with public delegation. Consider the adaptively secure HIBE scheme of Chen and Wee [CW14] for depth $\ell$, which is similar to the HIBE schemes of Boneh, Boyen, Goh [BBG05] and Lewko, Waters [LW10], and a linearly homomorphic HPKE scheme. We choose the message space of the HPKE scheme to be the secret-key space of the Chen-Wee HIBE. The HIBE scheme uses $\mathsf{BGGen}_n$ to generate a composite-order bilinear group $BG = (n, \mathbb{G}, \mathbb{G}_T, e, g, g)$. The secret keys and the first two parts of the ciphertext lie in $\mathbb{G}$ while the third element of the ciphertext lies in $\mathbb{G}_T$.

Concretely, the public and secret keys of the Chen-Wee HIBE are given by
$$pk := (g, u_1, \ldots, u_\ell, u_{\ell+1}, e(g,g)^\alpha), \qquad sk_{id'} := \big(g^r,\ g^\alpha (u_{\ell+1} \cdot u_1^{id'_1} \cdots u_{\ell'}^{id'_{\ell'}})^r,\ u_{\ell'+1}^r, \ldots, u_\ell^r\big)$$
for secret key $g^\alpha$ with exponent $\alpha \leftarrow_R \mathbb{Z}_n$, for $(u_0, \ldots, u_{\ell+1}) \leftarrow_R \mathbb{G}^{\ell+2}$, for exponent $r \leftarrow_R \mathbb{Z}_n$, and identity $id' = (id'_1, \ldots, id'_{\ell'}) \in \mathcal{ID}^{\ell'}$, for $\ell' \in [\ell]$. The ciphertext is
$$C := \big(g^s,\ (u_{\ell+1}\, u_1^{id_1} \cdots u_{\ell'}^{id_{\ell'}})^s,\ \ldots\big)$$
for $s \leftarrow_R \mathbb{Z}_n$ and identity $id = (id_1, \ldots, id_{\ell'}) \in \mathcal{ID}^{\ell'}$, for some integer $\ell' \in [\ell]$. The key delegation is as follows: For a secret key
$$sk_{id'} = (K_0, K_1, K_{\ell'+1}, \ldots, K_\ell) = \big(g^r,\ g^\alpha (u_{\ell+1} \cdot u_1^{id'_1} \cdots u_{\ell'}^{id'_{\ell'}})^r,\ u_{\ell'+1}^r, \ldots, u_\ell^r\big),$$
we sample $r' \leftarrow_R \mathbb{Z}_n$ and compute
$$sk_{id} \leftarrow \big(K_0 \cdot g^{r'},\ K_1 \cdot u_{\ell+1}^{r'} \cdot u_1^{id'_1 \cdot r'} \cdots u_{\ell'}^{id'_{\ell'} \cdot r'} \cdot u_{\ell'+1}^{id_{\ell'+1} \cdot r'} \cdots u_{\ell''}^{id_{\ell''} \cdot r'},\ K_{\ell'+1} \cdot u_{\ell'+1}^{r'}, \ldots, K_\ell \cdot u_\ell^{r'}\big),$$
for some identity $id = (id_1, \ldots, id_{\ell''})$, where $id' = (id'_1, \ldots, id'_{\ell'})$ is a prefix of $id$, for some $\ell'' \in [\ell]$. It is easy to see that this yields a correctly distributed secret key for identity $id$ in the sense of the Chen-Wee HIBE.

Let $(\mathsf{Setup}_{FuPE}, \mathsf{Gen}_{FuPE}, \mathsf{Enc}_{FuPE}, \mathsf{Dec}_{FuPE}, \mathsf{NPunc}_{FuPE}, \mathsf{PPunc}_{FuPE})$ be a FuPE scheme and $(\mathsf{Setup}_{HPKE}, \mathsf{Gen}_{HPKE}, \mathsf{Enc}_{HPKE}, \mathsf{Dec}_{HPKE}, \mathsf{Eval}_{HPKE})$ be an F-HPKE scheme such that the secret-key space of the FuPE scheme is contained in the message space of the HPKE scheme and a compatible $\mathsf{PPunc}'$ algorithm exists.

$\mathsf{Setup}(1^k)$: Set $pp_{FuPE} \leftarrow \mathsf{Setup}_{FuPE}(1^k)$, $pp_{HPKE} \leftarrow \mathsf{Setup}_{HPKE}(1^k)$, and return $(pp_{FuPE}, pp_{HPKE})$.

$\mathsf{Gen}(pp, n)$: Choose an injective map $h: [0, 2n+1] \to \mathcal{T}^-$, set $\tau^- \leftarrow h(0)$ and return $((pk_{FuPE}, h, pk_{HPKE}), (sk_{FuPE}, sk'_{FuPE}, sk_{HPKE}), \bot)$, where $(pk_{FuPE}, sk_{FuPE}) \leftarrow \mathsf{Gen}_{FuPE}(pp_{FuPE})$, $(pk_{HPKE}, sk_{HPKE}) \leftarrow \mathsf{Gen}_{HPKE}(pp_{HPKE})$, $sk'_{FuPE} \leftarrow \mathsf{NPunc}(sk_{FuPE}, \tau^-)$.

$\mathsf{Evo}(sk^{(i)})$: Parse $sk^{(i)}$ as $(sk^{(2i)}_{FuPE}, sk^{(2i+1)}_{FuPE}, sk_{HPKE})$. Set $\tau_{1,-} \leftarrow h(2i)$ and $\tau_{2,-} \leftarrow h(2i+1)$ and return $sk^{(i+1)} = (sk^{(2i+2)}_{FuPE}, sk^{(2i+3)}_{FuPE}, sk_{HPKE})$, where $sk^{(2i+2)}_{FuPE} \leftarrow \mathsf{NPunc}(sk^{(2i+1)}_{FuPE}, \tau_{1,-})$, $sk^{(2i+3)}_{FuPE} \leftarrow \mathsf{NPunc}(sk^{(2i+2)}_{FuPE}, \tau_{2,-})$.

$\mathsf{Enc}^{(1)}(pk, M, i)$: Choose $\tau^+ \leftarrow_R \mathcal{T}^+$ and return $\mathsf{Enc}_{FuPE}(pk, M, \tau^+, h(2i))$.

$\mathsf{Enc}^{(2)}(pk, M, i)$: Choose $\tau^+ \leftarrow_R \mathcal{T}^+$ and return $\mathsf{Enc}_{FuPE}(pk, M, \tau^+, h(2i+1))$.

$\mathsf{Dec}^{(1)}(sk^{(i)}, C)$: Parse $sk^{(i)}$ as $(sk^{(2i)}_{FuPE}, \cdot, sk_{HPKE})$ and return $\mathsf{Dec}_{FuPE}(sk^{(2i)}_{FuPE}, C, \tau^+, h(2i))$ if $C$ was not re-encrypted. Otherwise parse $C$ as $(C_1, rk)$ and return $\mathsf{Dec}_{FuPE}(\mathsf{Dec}_{HPKE}(sk_{HPKE}, rk), C_1, \tau^+, h(2i+1))$.

$\mathsf{Dec}^{(2)}(sk^{(i)}, C)$: Parse $sk^{(i)}$ as $(\cdot, sk^{(2i+1)}_{FuPE}, \cdot)$ and return $\mathsf{Dec}_{FuPE}(sk^{(2i+1)}_{FuPE}, C, \tau^+, h(2i+1))$.

$\mathsf{ReGen}(sk^{(i)}_A, pk_B)$: Parse $sk^{(i)}_A$ as $(\cdot, sk^{(2i+1)}_{FuPE}, \cdot)$, and return $\mathsf{Enc}_{HPKE}(pk_B, sk^{(2i+1)}_A)$.

$\mathsf{ReEvo}(rk^{(i)}_{A \to B})$: Return $\mathsf{NPunc}'(\mathsf{NPunc}'(rk^{(i)}_{A \to B}, h(2i)), h(2i+1))$.

$\mathsf{ReEnc}(rk^{(i)}_{A \to B}, C_A)$: Let $\tau^+ \in \mathcal{T}^+$ be the tag for $C_A$. Compute $rk' \leftarrow \mathsf{PPunc}'(rk^{(i)}_{A \to B}, \tau^+)$ and return $(rk', C_A)$.

Scheme 7. fs-PRE scheme from a FuPE scheme.

Since the delegation operation uses only linear operations on group elements, we can use any linearly homomorphic HPKE whose message space suits the secret-key space of the respective HIBE scheme. Then, one can perform the same operations on ciphertexts in a component-wise manner, i.e., each secret-key component is encrypted separately under the public key of the HPKE.

Hence, we observe that the Chen-Wee HIBE scheme together with a linear HPKE scheme exhibits the publicly delegatable property of a HIBE scheme in the sense of the definition above.
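As an added illustration (not code from the paper), the following Python model runs the public-delegation check from the correctness condition above over a toy group: $\mathbb{Z}_{101}^*$ stands in for $\mathbb{G}$ (there is no pairing, so only the key-side identity $\mathsf{Dec}_{HPKE}(\mathsf{PDel}(\mathsf{Enc}_{HPKE}(sk_{id'}), id)) = \mathsf{Del}(sk_{id'}, id)$ is exercised, not HIBE decryption), textbook ElGamal plays the linearly homomorphic HPKE applied component-wise, and delegation is written in the usual BBG-style form that folds the new identity levels in via $K_j^{id_j}$ and re-randomises with fresh $r'$, so the result can be compared against a freshly generated key with randomness $r + r'$. All parameters, identities and the seed are constructed for the example.

```python
import random
P, G, ORD = 101, 2, 100   # toy group Z_101^* (generator 2), exponents in Z_100; constructed, not secure

# Textbook ElGamal plays the linearly homomorphic HPKE and is applied component-wise.
def hpke_gen(rng):
    x = rng.randrange(1, ORD)
    return pow(G, x, P), x                       # (pk_HPKE, sk_HPKE)
def hpke_enc(pk, m, rng):
    y = rng.randrange(1, ORD)
    return (pow(G, y, P), m * pow(pk, y, P) % P)
def hpke_dec(x, c):
    return c[1] * pow(c[0], -x, P) % P
def c_mul(a, b):     # Enc(m1) * Enc(m2) = Enc(m1 * m2)
    return (a[0] * b[0] % P, a[1] * b[1] % P)
def c_pow(a, e):     # Enc(m)^e = Enc(m^e) for a public exponent e
    return (pow(a[0], e, P), pow(a[1], e, P))
def c_scale(a, f):   # Enc(m) * f = Enc(m * f) for a public group element f
    return (a[0], a[1] * f % P)

# Chen-Wee style keys: sk_id = (g^r, g^alpha (u_{l+1} prod_j u_j^{id_j})^r, u_{l'+1}^r, ..., u_l^r).
def hibe_setup(depth, rng):                      # returns (u_1..u_{l+1} stored as u[1..l+1], alpha)
    return [None] + [pow(G, rng.randrange(1, ORD), P) for _ in range(depth + 1)], rng.randrange(1, ORD)
def hash_id(u, ident):                           # u_{l+1} * prod_j u_j^{id_j}
    h = u[-1]
    for j, idj in enumerate(ident, 1):
        h = h * pow(u[j], idj, P) % P
    return h
def keygen(u, alpha, ident, r):
    tail = [pow(u[j], r, P) for j in range(len(ident) + 1, len(u) - 1)]
    return [pow(G, r, P), pow(G, alpha, P) * pow(hash_id(u, ident), r, P) % P] + tail

# PDel: delegate an encrypted sk_{id'} to a longer id; only public factors touch the ciphertexts.
def pdel(u, csk, idp, ident, rp):
    assert list(ident[:len(idp)]) == list(idp)   # id' must be a prefix of id
    lp, c1 = len(idp), csk[1]
    for j in range(lp + 1, len(ident) + 1):      # fold the new levels in via K_j^{id_j}
        c1 = c_mul(c1, c_pow(csk[1 + j - lp], ident[j - 1]))
    tail = [c_scale(csk[1 + j - lp], pow(u[j], rp, P)) for j in range(len(ident) + 1, len(u) - 1)]
    return [c_scale(csk[0], pow(G, rp, P)), c_scale(c1, pow(hash_id(u, ident), rp, P))] + tail

def check_public_delegation(seed=7, depth=5, idp=(3, 5), ident=(3, 5, 2, 9)):
    """Dec_HPKE(PDel(Enc_HPKE(sk_{id'}), id)) must equal a fresh sk_id drawn with randomness r + r'."""
    rng = random.Random(seed)
    u, alpha = hibe_setup(depth, rng)
    pk, x = hpke_gen(rng)
    r, rp = rng.randrange(1, ORD), rng.randrange(1, ORD)
    csk = [hpke_enc(pk, k, rng) for k in keygen(u, alpha, idp, r)]     # Enc_HPKE(pk, sk_{id'})
    delegated = [hpke_dec(x, c) for c in pdel(u, csk, idp, ident, rp)]
    return delegated == keygen(u, alpha, ident, (r + rp) % ORD)
```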

fs-PRE instantiation. Now, given a FuPE scheme and a HPKE scheme that allow compatible $\mathsf{PPunc}'$ and $\mathsf{NPunc}'$ algorithms as outlined above, the fs-PRE scheme can be constructed by combining these two schemes. Forward secrecy is achieved by selecting a mapping of periods to negative tags. The re-encryption keys are composed of encrypted FuPE keys, and the re-encryption performs positive puncturing of the encrypted keys using $\mathsf{PPunc}'$. The $\mathsf{NPunc}'$ algorithm is used for the evolution of the re-encryption keys. The full scheme is given in Scheme 7.

Remark 1. When instantiating the fs-PRE scheme with the HIBE-based FuPE scheme, we choose $h$ so that it preserves the ordering on the elements. This reduces the size of the keys to $O(\log n)$.

Theorem 7. If instantiated with an FPuE-IND-CPA secure FuPE scheme and an IND-CPA secure HPKE scheme, Scheme 7 is a fs-PRE$^+$-secure fs-PRE scheme.

Proof. fs-IND-CPA-1 security follows with a direct reduction from a fs-IND-CPA-1 adversary $\mathcal{A}_1$:

– When started on $pp$ and $pk$, we select $h$ and the HPKE keys honestly. We extend $pk$ with the public HPKE key and $h$, and start $\mathcal{A}_1$ on the extended $pk$. We choose $\tau^+ \leftarrow_R \mathcal{T}^+$ and from the period $j^*$ chosen by the adversary compute $\tau_{i,-} \leftarrow h(i)$ for $i \in [0, 2j^*-2]$. We return the computed tags and request the challenge ciphertext for $\tau_{2j^*-2,-}$.

– Now, when started to select the challenge messages, all oracles of the fs-IND-CPA game that involve the target secret key can be simulated using $h$ and the access to the $\mathsf{NPunc}$ oracle. The secret keys given to the adversary can be computed in the same vein. The challenge messages returned by $\mathcal{A}_1$ are simply forwarded.

– Now, when given the challenge ciphertext, it is a ciphertext for $\tau_{2j^*-2,-}$, which is a level 1 ciphertext for period $j^*-1$, hence we can simply forward the challenge ciphertext to $\mathcal{A}_1$ and return the result.

To show fs-RIND-CPA security we build again an adversary against FPuE-IND-CPA. The fs-RIND-CPA adversary is denoted as $\mathcal{A}_r$.

– When started on $pp$ and $pk$, we set up the HPKE keys and $h$ as above. We start $\mathcal{A}_r$ and compute $\tau_{i,-} \leftarrow h(i)$ for $i \in [0, 2j^*+1]$ where $j^*$ is the targeted period chosen by the adversary. Choose $\tau^+ \leftarrow_R \mathcal{T}^+$ and return $\tau^+$ and the sequence of negative tags, and choose $\tau_{2j^*+1,-}$ as target negative tag.

– When started on $st$, we can simulate $\mathsf{ReEnc}$ honestly using $\mathsf{PPunc}'$.

– When started on $st$ and $C$, the ciphertext is a level 2 ciphertext for period $j^*$, hence we return $\mathcal{A}_r(st, C)$.

For fs-IND-CPA-2 security we first replace all encrypted secret keys with random values using the IND-CPA security of the HPKE scheme. This game change requires the same game changes as in Theorem 1, hence we skip them here for the sake of brevity. Since the re-encryption keys are now encryptions of random values, we only need to simulate secret keys of the target period. The reduction from a fs-IND-CPA-2 adversary $\mathcal{A}_2$ is as follows:

– When started on $pp$ and $pk$, we select $h$ and the HPKE keys honestly. We extend $pk$ with the public HPKE key and $h$, and start $\mathcal{A}_2$ on the extended $pk$. We choose $\tau^+ \leftarrow_R \mathcal{T}^+$ and from the period $j^*$ chosen by the adversary compute $\tau_{i,-} \leftarrow h(i)$ for $i \in [0, 2j^*-1]$. We return the computed tags and request the challenge ciphertext for $\tau_{2j^*-1,-}$.

– Now, when started to select the challenge messages, the secret keys given to the adversary can be simulated using $\mathsf{NPunc}$. The challenge messages returned by $\mathcal{A}_2$ are simply forwarded.

– Now, when given the challenge ciphertext, it is a ciphertext for $\tau_{2j^*-1,-}$, which is a level 2 ciphertext for period $j^*-1$, hence we can simply forward the challenge ciphertext to $\mathcal{A}_2$ and return the result.

The adversaries succeed if and only if $\mathcal{A}_1$, $\mathcal{A}_2$ and $\mathcal{A}_r$, respectively, succeed. □

fs-PKE from FuPE. Finally, we also note that one can construct fs-PKE from the negative puncturing functionality of FuPE. This can be done straightforwardly using similar ideas as in the construction above, which is why we do not present an explicit construction.
