We can consider a weak re-encryption simulatability for UPRE (and PRE).
Definition A.5 (Weak Re-encryption simulatability for UPRE).LetReEncSimbe a PPT simulator. We define
the following experimentsExpwD-re-sim(1λ,b)between a challenger and a distinguisherDas follows. 1. The challenger generates(pkf,skf)←Genf(1λf),(pk
t,skt)←Gent(1λt), and sends(1λf,pkf, 1λt,pkt,skt)
toD.
2. The challenger andDdo the setup phase as in Definition3.9and setHList:=HList∪ {f}andCList:=
CList∪ {t}.
3. Dhas the re-encryption key oracleOrekeyas in Definition3.9.
4. Dchooses a messagem∈ Mf, generates a ciphertextctf ←Encf(pkf,m)and sends(m,ctf)to the
challenger.
5. Ifb=0, the challenger computesrkf→t←ReKeyGen(skf,pkt)andct∗←ReEnc(rkf→t,ctf)and returns
ct∗toD. Otherwise, the challenger returnsct∗ ←ReEncSim(pkf,pkt,skt,ctf,m). 6. Doutputsb0 ∈ {0, 1}. The experiment outputsb0.
We say thatUPREis weakly re-encryption simulatable if there exists a simulatorReEncSim, for any PPTD, it holds that
|Pr[ExpwD-re-sim(1λ, 0) =1]−Pr[Expw-re-sim
D (1λ, 1) =1]| ≤negl(λ).
The difference between the re-encryption simulatability and a weak one is that the indistinguishability is only computational. Moreover, the distinguisher is given oracle access to the re-encryption key oracleOrekey. Note thatOrekeydoes not giverkf→tsincef ∈HList∧t∈CList. This weak variant is sufficient to prove UPRE-HRA
security. That is, we can prove that if a UPRE scheme is UPRE-CPA secure and weakly re-encryption simulatable, then it is UPRE-HRA secure.
Theorem A.6.If a UPRE schemeUPRE is multi-hop selective-graph UPRE-CPA secure and satisfies weak
re-encryption simulatability, thenUPREis multi-hop selective-graph UPRE-HRA secure.
Proof. We define hybrid games.
HybA0(b): The first experiment is the original security experiment forb,ExpAupre-msg-hra(1λ,b). That is, it holds thatHyb0A(b) =ExpAupre-msg-hra(1λ,b). Note that in the successive experiments, we can easily simulate all keys inG= (V,E)since vertices inVare not connected to the target vertex inG∗and simulators can generate keys for them by itself.
Hyb1A(b): This experiment is the same asHyb0A(b)except that
1. we record not only(cti,Σi,i, #CT)but alsominKeyCTListfor honest encryption query(i,m)and 2. for re-encryption query(i,j0,k)such thatj0 ∈CList∧k∈/Drv, the re-encrypted ciphertext is differently
generated as follows. First, we retrieve(cti,Σi,i, #CT=k,m)fromKeyCTList(if there is no such an
entry, just outputs⊥). Then, we compute the following value instead of computingrki→j0. (a) rct←ReEncSim(pki,pkj0,skj0,cti,m).
Finally, we setrctas a re-encrypted ciphertext for userj0and send it toA.
Note that for(i,j0)such thati ∈Vh∗∧j0 ∈Vc∗, we do not needski andrki→j0since we just output⊥for such(i,j0)∈ E∗. The change above is for ciphertexts thatAcan decrypt. Here,Acan obtainskj0 since userj0is corrupted. However, it is not an issue since a distinguisher is givenskj0as auxiliary input in the weak re-encryption simulatability game. In LemmaA.7, we prove thatHyb1A(b)≈s Hyb0A(b)holds due to the weak re-encryption simulatability.
In LemmaA.8, we prove thatHyb1A(0)≈c Hyb1A(1)holds due to the UPRE-CPA security ofΣi∗. Therefore, it holds thatHyb0A(0)≈c Hyb0A(1)by LemmataA.7andA.8
Lemma A.7.IfUPREis weakly re-encryption simulatable, then it holdsHyb0A(b)≈c Hyb1A(b).
Proof. In fact, we useq0intermediate hybrids to prove this whereq0is the number of uncorrupted keypkisuch
that re-encryption query(i,j0,k)is sent andi∈HList∧j∈CList∧k∈/Drv. For each hybrid, we use the weak
re-encryption simulatability. Below, we write only the case for onepkifor simplicity.
We construct a distinguisherDof the weak re-encryption simulatability. To useAof UPRE,Dgenerates key pairs(pki0,ski0)for alli0∈HList\ {i}andi0 ∈CList\ {j0}. Forpki,pkj0,skj0, we use keys(1λi,pki, 1λj0pk
j0,skj0) from the challenger, which is given toD. The only issue is that we do not haveskiandrki→j0. First, we do not needrki→j0sincei∈HList∧j0 ∈CList. Second, for re-encryption keys(i, ˆj)such thatjˆ∈HList,Dpasses the query(i, ˆj)to the re-encryption key oracleOrekeyin the weak re-encryption simulatability game, receivesrki→jˆ,
and returns it toA. This is possible sincei, ˆj∈HList. Therefore,Bcan simulate all oracles.
However, to useA,DsimulatesOreenc in a slightly different way. As we defineHyb1A(b), the simulation
for query(i,j0,k)to Oreenc such that j0 ∈ CList∧k ∈/ Drvand(cti,Σi,i, #CT,m) ∈ KeyCTListis different.
When D receives a re-encryption query for such (i,j0,k), D generates cti ← Enci(pki,m) and sends it to the challenger of the weak re-encryption simulatability game. IfD is givenct∗, thenD returnsct∗ as a re-
encrypted ciphertext for(i,j0,k)Note thatBdoes not needskifor this query. This completes the simulation. If ct∗ = ReEnc(rki→j0,cti)whererki→j0 ← ReKeyGen(ski,pkj0), then the view is totally the same asHyb0A(b). Ifct∗ ←ReEncSim(pki,pkj0,skj0,cti,m), then the view is totally the same asHyb1A(b). Therefore, ifA can distinguishes two experiment,Dcan break the weak re-encryption simulatability.
Lemma A.8.IfUPREis UPRE-CPA secure, then it holdsHyb1A(0)≈c Hyb1A(1).
Proof. We construct an adversaryBof UPRE-CPA, which is given oracle access toOrekey,Oreenc,Ochaand can send hones/corrupted key queries. To use a distinguisherA of these two hybrids,B must simulate oracles of the HRA security. Basically,Bcan easily simulate them by using its oracles exceptOencandOreenc (note that re-encryption key oracles in the CPA/HRA-security are the same). Moreover, it is easy to simulateOencsince all encryption keys are public. The only issue is the simulation ofOreencin the case that re-encryption queries(i,j0,k) such thatj0∈CList∧k∈/Drvare sent. This is already solved since we useReEncSimin these hybrids. Thus,B can simulate all oracles by using its oracles andReEncSim.
When(i∗,m0,m1)is queried to the challenge oracleOcha, thenBpasses(i∗,m0,m1)to the challenger of the
CPA game and receives a target ciphertextct∗i∗.Breturnsct∗i∗toA. IfAcan distinguish two experiments, thenB can break the CPA security sincect∗i∗ =Enci∗(pki∗,m0)andct∗i∗=Enci∗(pki∗,m1)perfectly simulateHyb1A(0) andHyb1A(1), respectively.