Proxy Re-encryption Scheme based on New
Multivariate Quadratic Assumptions
Shuaishuai Zhu
Network and Information Security Key Laboratory, Electronics Department, Engineering University of the Armed Police Force; Xi’an, China; [email protected]
Xiaoyuan Yang
Network and Information Security Key Laboratory, Electronics Department, Engineering University of the Armed Police Force; Xi’an, China; [email protected]
Abstract—In PKC 2012, a public key encryption based on new multivariate quadratic assumptions is proposed. The compactness and security of the algorithm illumined us in applying it in proxy re-encryption scheme. In this paper, a novel unidirectional PRE scheme (NMQ-PRE) is constructed based on new multivariate quadratic assumptions. The new scheme is a formal PRE scheme and compact in cryptographic protocols. By applying the nature property of multivariate quadratic assumptions, NMQ-PRE is proved chosen ciphertext attack in standard model. Compared with the traditional PRE scheme based on RSA or pairings, NMQ-PRE is computationally efficient and simpler. Finally, a NMQ-PRE scheme for message block is built for application convenience, such as file sharing or mail forwarding.
Index Terms—Proxy Re-encryption, Multivariate Quadratic, Public Key Encryption
IINTRODUCTION
Mambo and Okamoto[1], first pointed out that the
encrypted data often needs to be shared to with other logical users. In 1998, Blaze, Bleumer and Strauss[2]
proposed a new cryptosystem structure called proxy re-encryption (PRE) scheme to meet the new needs in file authorization. In a PRE scheme, a semi-trusted proxy can transform a ciphertext encrypted by Alice’s public key into a ciphertext that can be decrypted by Bob’s secret key. During the transformation, the proxy cannot access to the original message. PRE systems have many practical applications, such as secure email forwarding[3],
digital rights management[4], file sharing in distributed
systems[5], et al. Normally, PRE systems can be
categorized into bidirectional PRE and unidirectional PRE, according to whether the PRE scheme can work or not in the opposite direction. And, there are single-hop(single-use) PRE and multi-hop(multi-use) PRE system, according to whether the delegatee can spread the ciphertext to another user.
In recent years, many new PRE schemes based on different cryptography tools with special properties has appeared[6~10]. In 2005, Ateniese
et al. [6] presented a
unidirectional PRE schemes based on bilinear pairings,
and proved CPA secure under the random oracle model. However, applications often require security against chosen-ciphertext attacks (CCA). In CCS'07, Canetti and Hohenberger[7] raised a CCA secure PRE scheme, but
their construction is based on pairings computation. And they pointed out that constructing a PRE scheme secure against chosen-ciphertext attack (CCA) without pairings is a challenge. In CANS'08, Deng et al. [8] successfully
proposed a CCA-secure bidirectional PRE scheme without pairings. In PKC'09, Shao and Cao [9] proposed a
unidirectional PRE without pairings and claimed CCA secure in the random oracle. But Weng et al.[10] recently
pointed out that Shao's scheme is not CCA-secure because first level ciphertext is not verified on decrypting and a replayable chosen ciphertext attack can be launched. They also presented a more efficient CCA-secure unidirectional PRE scheme without parings. These proposals are mainly based on three basic tools: pairing computation, RSA modules or ElGamal PKE. Different levels of sematic security are claimed in these schemes, but varieties of potential security threats still remain. Besides, most of these schemes are too complex to applying in a communication channel.
New hard problem assumptions are badly needed in constructing a new PRE scheme to improve its performance and properties. Multivariate Quadratic Assumption (MQ-assumption) is well known to be NP-hard[11~13], and more importantly, it permits efficiency
on designing a cryptosystem[14][15]. A new type of
MQ-assumption is developed in [16], and a public key encryption (PKE) is built based on the new MQ-assumption (NMQ-assumption). In this simple but effective PKE scheme, plaintext is encrypted by adding Gauss noise, and decrypted by eliminating the noise.
In this paper, we constructed an unidirectional PRE scheme based on the NMQ-assumption. The paper mainly includes the following three parts: In Section 2, we present some necessary preliminaries; In Section 3, NMQ-PRE scheme is presented and some details are discussed; We draw the conclusions in Section 4.
A. Definitions of a PRE Scheme
Usually, in a unidirectional PRE scheme, a ciphertext encrypted by a delegator is called the second level ciphertext for this delegator, and the transformed ciphertext is called the first level ciphertext for a delegate. We note , as the user X’s first level ciphertext, and
, as X’s second level ciphertext.
Here we list formal PRE scheme definition [8][9]: 1 → , : On input the security parameter 1 , the randomize algorithm outputs a key pair , .
, → → : On input a secret key and a public key ,the re-encryption key generation algooithm outputs a unidirectional re-encryption key → .
, → , : On input a receiver’s public key and a message m, the encryption algorithm
outputs a second level ciphertext , that can be re-encrypted into a first level one for another user.
→ , , → , : On input a re-encryption key → and a second level ciphertext , , the algorithm outputs a first level ciphertext , for Y.
, → : On input a secret key sk, and a
ciphertext , the algorithm outputs a plaintext m if
the is valid.
B. Security Model
CCA secure at the first level ciphertext
As the PKE scheme based on new MQ assumption is proved semantically secure in [16], which means it is secure for a ciphertext at the second level. Here we only concern whether it’s secure at the first level.
We define the security model by the following game between a challenger and an adversary . In the game, we suppose the adversary can adaptively execute encryption, decryption and transformation operations. Phase 1. The adversary A issues queries
, , … , where query is adaptively one of the following three functions:
z : Challenger first runs algorithm 1 to obtain a key pair , , and sends to adversary in which i is an index of
every key pair. Finally, the challenger records , , in table .
z : On receiving a public key , the challenger searches the table . If , , exists, returns to adversary. Finally, the challenger records , , in corrupted key table .
z , : On input and , the
challenger first runs ReKenGen to generate a
re-encryption key → , then challenger returns → to adversary. Adversary is not allowed to query → if , , is in .
Challenge: Once the adversary deciding it has
already collected enough information, it shut down phase 1. The challenger declares the challenged re-encryption key is ∗→ . , are chosen from and , did
not appear in . The challenger flips a random coin ∈ 0,1 , and encrypts b under public key and
→
∗ to generate a firstlevel ciphertext ,
∗ . Finally,
the challenger returns , , ∗, to adversary as the challenged ciphertext.
Phase 2. Adversary continues toissues
queries , … , , in which is a time limited
query. Each of the queries is one of the following: z PKGen(i): The same as in Phase 1.
z SKGen(i): The adversary cannot ask the secret key
of , . Because on knowing either of the secret key, ,
∗ can be transferred into ,
∗ or
,
∗ ,
then the attack becomes a second level attack. And in a second level attack, an adversary cannot access to the secret key.
z ReKeyGen , : If is in , then the
adversary generate → .
Guess. Finally, Adversary outputs a guess δ ∈ 0,1.
Then we define the advantage of adversary A is:
, | δ 1/2|
Definition 1. (CCA secure at the first level ciphertext). A single-hop unidirectional PRE scheme is secure against an adaptive chosen ciphertext attack, if for any polynomial time adversary A, the advantage to win the
game , is negligible.
Collusion resistant
In a PRE scheme, the behavior proxy is supposed to be arbitrary. It can collude with a delegatee to recover delegator’s private key.
Definition 2. (Collusion resistant PRE). A PRE scheme is collusion resistant if for any adversary controlling proxy and delegatee, to recover the delegator’s private key is hard.
C. PKE based on New MQ Assumption
Here we review the public-key Encryption scheme for bits[16].
z KeyGen( 1 ): choose six public parameters
, , , , , ∈ , and they satisfy the following three constraints:
1. ∙ ∙ ∙ ∙ /4.
2. ∙ log 2 1 1 ∙log 2 .
3. , , , , are chosen to satisfy that , , , Φ , is hard to solve.
Then a random instance
, ← , , , Φ , is chosen to
generate the key pair. Let ,
, , .
z Enc( ∈ 0,1 ): Randomly choose ∈ ,
compute , ∙ , ∙ ∙
/2
z Dec( , ): compute ∙ . If |
/2| q/4 then output 1, otherwise 0.
III.NMQ-PREALGORITHM
A. NMQ-PRE Algorithm for Bits
unidirectional NMQ-PRE algorithm for bits. The algorithm includes six functions as follows.
SystemSetup : On input a security parameter k, the
system chooses six public parameters , , , , , and ∈ satisfying the following three constraints[16]:
1. ∙ ∙ ∙ ∙ /4.
2. ∙log 2 1 n 1 ∙ log 2 . 3. , , , Φ , is hard to solve.
KeyGen(
1
k): A user A randomly chooses a vector andan instance of , , , Φ , , noted as
. Then let
, , , , , .
Enc( ): On input a bit ∈ 0,1 , user A computes the
second level ciphertext ,
∙ , ∙ ∙ ∙ . Then A
can choose to send to a proxy or keep it by himself.
RekeyGen( ): If A want to authorize user B to get b, he
computes → ∙ ∙
1 mod , and sends it to the proxy.
ReEnc( → , ): On input a re-encryption key → ,
he transform the second level ciphertext for A into
the first level ciphertext for B by computing
́ , ́ → ∙ ∙ ,
→ ∙ , → ∙ ∙ .
Dec:
Alice: On receiving , computing ∙ , if | /2| /4 then output 1, otherwise 0. On receiving , computing ́ ∙ / ,
́ ,then ∙ , if |
/2| /4 then output 1, otherwise 0.
Bob: On receiving , computing ́ ́ ∙ , if | /2| /4 then output 1, otherwise 0.
B. Correctness
Lemma 1. If is sampled from , then →
∙ ∙
1 mod is uniformly distributed in .
Proof. We have
→
mod
2 ∙
∙ mod
)mod
According to the definition of arithmetical module of vectors, → ) mod is still in the field of with the same distribution as .
Claim 1. A delegatee B can recover the original M. Proof. For B, the second level ciphertext transferred by
the proxy is ́ , ́ → ∙ , → ∙
∙
We compute ́ ́ ∙
→ ∙ ∙ 2
→ ∙ ∙
→ ∙ ∙ 2
According to Lemma 19 in [16], for any
∈ , → ∈ ,
, , , , → ∙ 4 .
Then the value of |t q/2| is bounded by q/4, so that the delegatee B can decrypt b.
Claim 2. A delegator A can recover the original M from
either or .
Proof. As ́ , ́ → ∙ , → ∙
∙
→ ∙ , ∙ ∙ 1 ∙
mod ∙
→ ∙ , ∙ ∙ ∙
Then, A can recover .
→ 1 ∙
A computes ́ ∙ ∙ ∙
, and then the decryption of transforms into that of . Finally, A decrypts by Dec(∙) in the original PKE
scheme.
Claim 3. A NMQ-PRE scheme is a formal PRE scheme.
Proof. After a delegate received a first level ciphertext, the decryption only needs his private key. According to the PRE definition in BBS[2], a PRE scheme allows a
semi-trusted proxy to convert a ciphertext under Alice’s public key to another ciphertext under Bob’s public key, which means the transformed ciphertext can be decrypted by Bob’s private key. It’s obvious that NMQ-PRE satisfies the original formal definition of PRE.
C. Security
Theorem1.NMQ-PRE(KeyGen(∙),Enc(∙),ReKenGen(∙),Re Enc(∙),Dec(∙)) is against chosen ciphertext attack in
standard model if the Multivariate Quadratic Problem , , , Φ , is hard to solve.
Proof. We prove the theorem by the game in Section 2. Phase 1. The adversary issues queries , , … ,
where query is adaptively one of the following three functions: PKGen(index), SKGen(index),
ReKeyGen , .
Challenge. Once the adversary deciding it has already
∈ 0,1 , and encrypts b under public key and
→
∗ to generate a firstlevel ciphertext ,
∗ . Finally,
the challenger returns , , ∗, to adversary as the
challenged ciphertext.
Phase 2. continues toissues more queries
, … , , in which is a time limited query. Each
of the queries is one of the following: PKGen(i),
SKGen(i), ReKeyGen , .
z PKGen(i): The same as in Phase 1.
z SKGen(i): The adversary cannot ask the secret key
of , .
z ReKeyGen , : If is in , then the
adversary generate → .
In limited span of time t, flips a random coin
∈ 0,1executes a series encryption test and generates
, , , , , , , , … , , , , , in which
, , , is the ciphertext of encrypted by any possible → . Then chooses the optimal ciphertext
, satisfying , , ∗ | , , ∗, ∗ | .
Guess. Finally, Adversaryoutputs a guess .
From Lemma 19 in [16], we have | ∙ | 2 . In one encryption, the probability of finding the right ciphertext is
1 2∙
2
∙ | ∙ | q
4 1 2
∙ 2 1
2 Then the advantage of the adversary is at most
, | ∙ 2 12 12| ∙ 2
which is negligible.
D. NMQ-PRE Scheme for Message Block
In [16], the author also constructed a KEM scheme for message block and proved its correctness. Based on this KEM scheme, we constructed an NMQ-PRE scheme for message block. In the scheme, we first choose a random vector with the same length as the message . Then we encrypt the vector by our NMQ-PRE scheme to get a one-time pseudorandom vector ∗. Finally, we compute ∗ XOR M as the ciphertext. In the transformation, the proxy only needs to transform the coordinate pseudorandom vector.
We add two hash functions : → , : → to ensure the correctness of ciphertext, so that any modification of the ciphertext can be detected.
SystemSetup : The same as bit encryption.
KeyGenKEM(1 ): A user A randomly chooses a
vector and an instance of , , , Φ , , noted
as . Then let , , , , ,
. Choose two random hash functions : → , : → .
EncKEM(M): For block ∈ , randomly choose
∈ , and computes , for ∈ 1, .
Then compute ∗ ⨁ ,
∙, , ∗
∗ .The resulting ciphertext will be , ∗, , ∗
, , , , ∗, , ∗ .
RekeyGen( ): The same as bit encryption.
ReEncKEM( → , ): On input a re-encryption key
→ , and a second level ciphertext , the proxy computes ∙, , ∗ ∗ . If , and ∗
∗ , then computes ́
→ , , , , ,
∈ 1, , ́∙, . Output the first level ciphertext C ́, ∗, , ∗ .
: On or received, any user can check the validity by computing ∙, , ∗
∗ . If , and ∗ ∗, then according to user’s identity, it computes , ́ or
, ́ for ∈ 1, . Finally, it outputs
∗⨁ .
IV.CONCLUSIONS
In [16], the author developed a new NP-Assumption which is compact and easy to use. Based on this assumption, we build the first NMQ-PRE scheme and analyzed its correctness and security.
There are still many problems to be solved, such as designing more efficient key encapsulation mechanism and constructing a bidirectional PRE based on MQ problem.
ACKNOWLEDGEMENT
The authors thank all the reviewers and editors for their valuable comments. This paper is supported by the National Natural Science Foundation of China (No. 61272492, No.61103231, No.61103230), Natural Science Foundation of ShaanXi Provence (No.2013JM8012).
REFERENCES
[1] Masahiro Mambo and Eiji Okamoto. Proxy cryptosystems: delegation of the power to decrypt ciphertexts. IEICE Transactions on Fundamentals of
Electronics, Communications and Computer Sciences,E80-A(1):54–63, 1997.
[2] Matt Blaze, Gerrit Bleumer, and Martin Strauss. Divertible Protocols and Atomic Proxy Cryptography. In EUROCRYPT, pages 127-144, 1998.
[3] H. Khurana and H-S. Hahm. Certified mailing lists. In ASIACCS 2006, pages 46–58, 2006.
[4] G. Taban, A.A. C′ardenas, and V.D. Gligor. Towards a secure and interoperable drm architecture. In ACM DRM 2006, pages 69–78, 2006.
[5] Yang Xiaoyuan, Zhu Shuaishuai. Design of a Secure and Efficient Distributed Cryptographic Storage System,
China Communications, 2011.3, 8(2): 66-74.
[6] Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger. Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst.Secur., 9(1):1-30, 2006.
[7] Ran Canetti and Susan Hohenberger. Chosen-Siphertext Cecure Proxy Re-Encryption. In Peng Ning, Sabrina De
Capitani di Vimercati, and Paul F. Syverson, editors, ACM Conference on Computer and Communications Security, pages 185–194. ACM, 2007.
Chen. Chosen-Ciphertext Secure Proxy Re-encryption without Pairings. In Matthew K. Franklin, Lucas Chi
Kwong Hui, and Duncan S. Wong, editors, CANS, volume 5339 of Lecture Notes in Computer Science, pages 1–17. Springer, 2008.
[9] Jun Shao and Zhenfu Cao. CCA-Secure Proxy Re-encryption without Pairings. In Stanislaw Jarecki and
Gene Tsudik, editors, Public Key Cryptography, volume 5443 of Lecture Notes in Computer Science, pages357– 376. Springer, 2009.
[10] Jian Weng, Sherman S.M. Chow, Yanjiang Yang, and Robert H. Deng. Effcient unidirectional proxy re-encryption. Cryptology ePrint Archive, Report
2009/189, 2009. http://eprint.iacr.org.
[11] Eligijus Sakalauskas. The Multivariate Quadratic Power Problem Over Zn is NP-Complete. Information Technology and Control, 2012, Vol.41 (1), 33-39. [12] M. Garey, D. Johnson. Computers and Intractability: a
Guide to Theory of NP-Completeness, H. Freeman, New
York, 1979.
[13] J. Patarin, L. Goubin. Trapdoor One-Way Permutations and Multivariate Polynomials. In Proceedings of the
First International Conference on Information and Communication Security, LNCS1334, 1997, pp. 356-368.
[14] E. Bresson, D. Catalano, and D. Pointcheval. A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications. In ASIACRYPT 2003, volume 2894 of LNCS, pages 37–54,
2003.
[15] Christopher Wolf. Multivariate Quadratic Public Key
Cryptography. IACR eprint: 2005, Ph.D.thesis.
Katholieke University, Nov.2005
[16] Yun-Ju Huang, Feng-Hao Liu, Bo-Yin Yang. Public-Key Cryptography from New Multivariate Quadratic Assumptions. In Preceedings of Public Key
Cryptography 2012 (PKC 2012), Darmstadt, Germany. Pages 190-205.
Shuaishuai Zhu, a teaching assistant in Engineering University of Chinese Armed Police Force. He was born in 1985. He obtained bachelor’s degree of Cryptography in Engineering University of Chinese Armed Police Force in 2008. Then, he received his master’s degree of Computer Science at the same university in 2011. Now the major research fields are cryptography, algorithm designing and network security.
He is now a TA of Network and Information Security Key Laboratory, Electronics Department, Engineering University of CAPF, and has participated several national natural science projects of network security, new cryptography scheme design, and data storage.
Xiaoyuan Yang, a professor of Network and Information
