A Provably-Secure Unidirectional Proxy Re-Encryption Scheme
Without Pairing in the Random Oracle Model
S. Sharmila Deva Selvi?, Arinjita Paul?? and C. Pandu Rangan??
Theoretical Computer Science Lab, Department of Computer Science and Engineering, Indian Institute of Technology Madras, Chennai, India.
{sharmila,arinjita,prangan}@cse.iitm.ac.in
Abstract. Proxy re-encryption (PRE) enables delegation of decryption rights by entrusting a proxy server with special information, that allows it to transform a ciphertext under one public key into a ciphertext of the same message under a different public key. It is important to note that, the proxy which performs the re-encryption learns nothing about the message encrypted under either public keys. Due to its transformation property, proxy re-encryption schemes have practical applications in distributed storage, encrypted email forwarding, Digital Rights Management (DRM) and cloud storage. From its introduction, several proxy re-encryption schemes have been proposed in the literature, and a majority of them have been realized using bilinear pairing. In Africacrypt 2010, the first PKI-based collusion resistant CCA secure PRE scheme without pairing was proposed in the random oracle model. In this paper, we point out an important weakness in the scheme. We also present the first collusion-resistant pairing-free unidirectional proxy re-encryption scheme which meets CCA security under a variant of the computational Diffie-Hellman hardness assumption in the random oracle model.
Keywords: Proxy Re-Encryption, Random Oracle Model, Chosen Ciphertext Security, provably secure, unidi-rectional.
1
Introduction
Encryption is one of the fundamental cryptographic primitives for scenarios requiring confidentiality. Proxy re-encryption is an important primitive that allows a third party termed asproxy server, to transform the ciphertext of a user into a ciphertext of another user without learning anything about the underlying message. Consider the email forwarding scenario, where Alice with public keyP KAliceis on a vacation and wishes her mail server to forward all her encrypted emails to Bob with public keyP KBob. Here, Alice is not interested in sharing her private keySKAlicewith either the mail server or Bob as that would compromise her private key. As pointed out by Mambo and Okamoto in [18], this is a common situation in practice where a data encrypted underP KAlice is required to be encrypted under
P KBob. When Alice is online, the encrypted messageEP KAlice(m) can be decrypted by Alice usingSKAlice to extract
the messagem, followed by encrypting it underP KBobto obtain the ciphertextEP KBob(m). But in applications like
encrypted email forwarding (described above), secure distributed file systems and outsourced filtering of encrypted spam, when the owner of SKAlice is not online, proxy re-encryption efficiently solves the problem of delegation of decryption rights with the involvement of an untrusted party called proxy. Here, Alice provides a secret information to the proxy called Re-Encryption Key (but not her private keySKAlice) that allows it to transformEP KAlice(m) to EP KBob(m). Since Alice delegates her decryption rights to Bob, Alice is termed as delegator and Bob as delegatee.
The important property to note here is, the proxy learns nothing aboutmorSKAlice.
A PRE scheme can be unidirectional or bidirectional. In a bidirectional scheme, the re-encryption key (RKAlice→Bob) allows re-encryption in both directions, i.e., the transformation of a ciphertextEP KAlice(m) under the public key of
Alice to a ciphertextEP KBob(m) under the public key of Bob and alsoEP KBob(m) toEP KAlice(m). In a unidirectional
scheme, the re-encryption key RKAlice→Bob allows the transformation of the ciphertext only in one direction, i.e.,
EP KAlice(m) to EP KBob(m) but not vice versa. Again, the re-encryption algorithm can be single-hop or multi-hop.
In a single-hop scheme, the re-encrypted ciphertext cannot be re-encrypted any further. In a multi-hop scheme, the re-encrypted ciphertext can be re-encrypted multiple times. We focus on unidirectional single-hop PRE schemes in this paper.
PRE can be used in many applications, including encrypted email forwarding, distributed file systems, secure certified email mailing lists, the DRM of Apple’s iTunes, access control and privacy for public transportation [1,2,21,14,22].
?Postdoctoral researcher supported by Project No. CCE/CEP/22/VK&CP/CSE/14-15 on Information Security & Awareness(ISEA) Phase-II by
Ministry of Electronics & Information Technology, Government of India.
In 1998, Blaze, Bleumer and Strauss [5] proposed the first Elgamal-based bidirectional proxy re-encryption scheme. However, their scheme istransitiveand notcollusion resistant. In a transitive PRE scheme, given the re-encryption keysRKAlice→Bob andRKBob→Carol, the proxy can computeRKAlice→Carol. Also, collusion resistance is an impor-tant property of PRE, which prevents a colluding proxy and the delegatees to extract the delegator’s private key. Besides, bidirectionality may not be always desirable. Dodis and Ivan [15] proposed a CCA security model for PRE and designed the first unidirectional PRE scheme. However, in their protocol, the decryption key of the delegatee Bob requires a part of the the private key of the delegator Alice.
In 2005, Atenieseet al.[1,2] gave the first construction of a unidirectional PRE scheme based on bilinear maps. Their scheme is non-transitive and collusion resistant. But, their scheme only offers chosen plaintext security which is insuf-ficient for many practical applications.
In 2007, Canetti and Hohenberger [6] proposed the security notion of PRE satisfying chosen-ciphertext attack and presented a bidirectional CCA secure PRE scheme using bilinear pairing satisfying the same in the standard model. In 2008, Libert and Vergnaud [17] presented a single-hop unidirectional PRE scheme in the standard model using pairing. Their scheme is secure against replayable chosen-ciphertext attack (RCCA). RCCA security is a weaker variant of the CCA security in the sense that a harmless mauling of the challenge ciphertext is tolerated. Green and Ateniese [13] also proposed a pairing based CCA-secure PRE scheme for ID-based cryptosystems.
Note that, despite recent advances in implementation techniques, bilinear pairing takes more than twice the time taken by modular exponentiation computation [4] and is an expensive operation. Wenget al.[10] proposed a CCA secure pairing-free bidirectional PRE scheme, but their scheme is not collusion resilient [23]. Subsequently, Shao and Cao [20] proposed a unidirectional PRE scheme without pairing, which was later shown to be vulnerable to CCA attack by Chowet al.[8]. In Africacrypt 2010, Chow et al. [8] proposed a CCA secure PRE scheme that does not use bilinear pairing. Their scheme is unidirectional and resists collusion attack. This is the only scheme that offers these properties without pairing. However, in this work, we expose a critical weakness in the security proof of the scheme.
2
Our Contributions
Although several PRE schemes have been proposed in the literature, a majority of the schemes relies on costly bilinear pairing operations. As stated by Chowet al.[8], removing pairing operations from PRE constructions is one of the open problems left by [6]. Wenget al.[10] proposed the first CCA secure pairing-free PRE scheme, which was however shown to be vulnerable tocollusion attack[23]. Note that collusion resistance is an important property in the PRE setting, which prevents a colluding proxy and malicious delegatees from recovering the private key of the delegator. Collusion resistance, also termed asdelegator secret security is a desirable property in many practical scenarios such as secure cloud services. In 2010, Chowet al.[8] proposed the first construction of a collusion-resistant CCA secure pairing-free PRE scheme. However, in our work, we point out a major weakness in the security proof of the scheme by Chowet al., which clearly shows that the scheme is not provably secure. Further, we justify that a trivial fix to the scheme is not possible. We also provide the first construction of a CCA-secure collusion-resistant pairing-free unidirectional single-hop proxy re-encryption scheme under the Computational Diffie-Hellman(CDH) and the Divisible Computational Diffie-Hellman(DCDH) hardness assumptions in the random oracle model. To the best of our knowledge, ours is the first construction of pairing-free PRE that affirmatively satisfies the collusion-resistance property.
3
Definition and Security Model
We provide the definitions and security notions of unidirectional proxy re-encryption systems in this section.
3.1 A Generic Model for Single-hop Unidirectional Proxy Re-Encryption Scheme
A single-hop unidirectional PRE scheme consists of the following algorithms described below:
– Setup(λ): The setup algorithm is run with the security parameterλas input, and it returns the public parameters
P ARAM S.
– KeyGen(Ui, P ARAM S): The key generation algorithm takes the user information Ui and public parameters
P ARAM S as inputs, and returns the private keySKi and its corresponding public keyP Ki for a userUi.
– ReKeyGen(SKi, P Ki, P Kj, P ARAM S): The re-encryption key (re-key) generation algorithm takes the private key SKi and public key P Ki of the delegator, the public key of the delegatee P Kj and the public parameters
P ARAM S as inputs and returns the re-encryption keyRKi→j. This algorithm is run by the userUi.
– Encrypt(m, P Ki, P ARAM S): The encryption algorithm takes a messagem∈ M, public keyP Kiof the receiver and the public parametersP ARAM Sas inputs, and returns the ciphertextσi, which is an encryption ofmunder
– ReEncrypt(σi, P Ki, P Kj, RKi→j, P ARAM S): The re-encryption algorithm takes a ciphertextσi (encryption of a message m ∈ M under P Ki), the public key of delegator P Ki, the public key of the delegatee P Kj, the re-encryption keyRKi→j and the public parameters P ARAM S as inputs, and returns the re-encrypted ciphertext
ˆ
σj which is an encryption ofmunderP Kj. This algorithm is run by the proxy who does not learn anything about the messagem. The re-encrypted ciphertext ˆσj is termedtransformed ciphertext.
– Encrypt1(m, P Ki, P ARAM S): The encryption algorithm takes a messagem∈ M, public keyP Kiof the receiver and the public parameters P ARAM S as inputs, and returns a non-transformable ciphertext ˆσi, which is an encryption ofmunder P Ki. The generated ciphertext ˆσi is termednon-transformable since it cannot be further re-encrypted.
– Decrypt(σi, P Ki, SKi, P ARAM S): The decryption algorithm takes the ciphertext σi (original,transformed or non-transformable) which is an encryption of a messagem∈ Munder P Ki, the public keyP Ki, the private key
SKiand the public parametersP ARAM Sas inputs. It returns the messagem∈ Mifσi is a valid encryption of
munderP Ki, or the error symbol⊥otherwise.
3.2 Security Model
We adopt the game based definitions of ciphertext security of a single-hop unidirectional PRE scheme from the security model of Chowet al. [8]. The security of a unidirectional PRE scheme is modelled in the form of a security game between two entities : the challengerCand the adversaryA.Csimulates an environment running PRE forA, who can adaptively query the oracles (to be listed later) whichC answers. Our security model is based on the Knowledge of Secret Key(KOSK) model [6,16]. The challenger computes and provides the public keys of the honest users (HU) and the public/private key pairs of the corrupt users (CU) beforehand and the adversary cannot determine which parties are to be compromised adaptively.C executes the key generation algorithm nh times and nc times to generate the public/private key pairs of the honest and corrupt users respectively. Due to the presence of three types of ciphertexts: original, transformed and non-transformable ciphertexts, it is essential to prove the security for all the three types. Hence, we consider separate security models for the original, transformed and non-transformable ciphertexts in our scheme.
Original ciphertext security The original ciphertext security model involves an adversary A challenged with an original ciphertext under the target public key P KT. The security of the scheme is shown by a game between an adversaryAand the challengerC as demonstrated below:
– Phase I:C takes the security parameterλas input, runs the algorithmSetup(λ) and gives the resulting system parameters P ARAM Sto A.C runs the KeyGen algorithm and provides the public keys of the honest users and the public/private key pairs of the corrupt users toA. Additionally,Acan adaptively query the following oracles provided byC.
• OReKeyGen(P Ki, P Kj): C runs the algorithm ReKeyGen(SKi, P Ki, P Kj, P ARAM S) and returns the re-encryption key RKi→j to A.
• OReEncrypt(σi, P Ki, P Kj):C runs the algorithmReEncrypt(σi, P Ki, P Kj, ReKeyGen(SKi, P Ki, P Kj,
P ARAM S), P ARAM S)and returns the re-encrypted ciphertext ˆσj toA.
• ODecrypt(σi, P Ki) orODecrypt( ˆσi, P Ki):Cruns the algorithmDecrypt(σi, P Ki, SKi, P ARAM S) and returns the result toA. Here,ODecrypt(σi, P Ki) is a query to decrypt the original ciphertexts andODecrypt( ˆσi, P Ki) to decrypt the transformed/non-transformable ciphertexts.
– Challenge Phase: After taking sufficient training, A provides a target public key P KT (T ∈ HU), and two messages m0, m1 ∈ M of equal length. C flips a random coin δ ∈ {0,1}, sets the challenge ciphertext to be σT =Encrypt(mδ, P KT, P ARAM S) and providesσT as the challenge ciphertext toA.
– Phase II:A adaptively issues queries to the oracles simulated byC and C responds as inPhase I. However, A
is restricted from placing the following queries toC, which trivially letsAdecrypt the challenge ciphertextσT:
• OReKeyGen(P KT, P Kj) is allowed only ifP Kj∈HU.
• Acannot issue a re-encryption queryOReEncrypt(σi, P Ki, P Kj) whereP Kj∈CU, if (σi, P Ki) is achallenge
derivative(See Definition 1) of (σT, P KT).
• Acannot issue a decryption queryODecrypt(σi, P Ki) if (σi, P Ki) is a challenge derivativeof (σT, P KT).
• Acannot issue a corrupted key generation query on userUT to obtain the target private keySKT.
Definition 1. (Challenge Derivative for Chosen-Ciphertext Security). Achallenge derivative(σi, P Ki)
in the CCA setting is defined below. The definition is adopted from [8]:
• Reflexitivity: (σi, P Ki)is a challenge derivative of itself.
• Derivative by re-encryption: ( ˆσj, P Kj)is a challenge derivative of(σi, P Ki)ifσˆj← OReEncrypt (σi, P Ki, P Kj).
• Derivative by re-encryption key: (ˆσj, P Kj)is a challenge derivative of(σi, P Ki)if RKi→j←
OReKeyGen(P Ki, P Kj) andσˆj =Re-Encrypt(σi, P Ki, P Kj, RKi→j, P ARAM S).
– Guess: Finally,Aoutputs a guessδ0∈ {0,1} and wins the game ifδ0=δ.
Transformed ciphertext security In a single-hop PRE scheme, it is essential to also prove the security for the transformed ciphertext as the ciphertexts cannot be further re-encrypted in a single-hop environment. The adversary
Ais challenged with a transformed ciphertext, and does not have access to its corresponding original ciphertext. A
is challenged with a ciphertext ˆσT (re-encryption of σi0 under the public keyP Ki0 to ˆσT under P KT) re-encrypted
using the re-keyRKi0→T. The security for the transformed ciphertext remains unaffected by the fact whetherUi0 is a
corrupt user or not. The security of the scheme is shown by a game between an adversaryAand the challengerCand is demonstrated below:
– Phase I: C takes the security parameter λ as input and runs the algorithm Setup(λ) and gives the resulting system parameters P ARAM S to A. C runs the KeyGen algorithm and provides the public keys of the honest users and the public/private key pairs of the corrupt users toA. Additionally, Acan adaptively query the re-key generation oracleOReKeyGen(P Ki, P Kj), re-encryption oracleOReEncrypt(σi, P Ki, P Kj) and decryption oracles
ODecrypt(σi, P Ki) provided byC.
– Challenge Phase: After taking sufficient training,A provides the delegator’s public key P Ki0, the delegatee’s
(target) public keyP KT (T ∈HU), and two messagesm0, m1∈ Mof equal length.Cflips a random coinδ∈ {0,1} and sets the challenge ciphertext to be ˆσT =ReEncrypt(mδ, P Ki0, P KT, RKi0→T, P ARAM S) and provides ˆσT as
challenge ciphertext toA.
– Phase II: Aadaptively issues queries and C responds as inPhase I. However, the adversaryAis subjected to the following restrictions during this phase :
1. IfP Ki0∈CU,Acannot queryRKi0→T.
2. IfAhas already obtainedRKi0→T whereP Ki0 ∈CU, P Ki0 cannot be the delegator in the challenge phase.
3. Acannot issue a corrupted key generation query on userUT to obtain the target private keySKT. 4. Acannot issue decryption queries on ˆσT under P KT.
– Guess: Finally,Aoutputs a guessδ0∈ {0,1} and wins the game ifδ0=δ.
Nontransformable Ciphertext Security Non-transformable ciphertexts are the encryptions of very sensitive information that should not be further encrypted. TheEncrypt1algorithm produces non-transformable ciphertexts ˆ
σi, indistinguishable from re-encrypted ciphertexts generated by the ReEncypt algorithm. The security of the scheme is shown by a game between an adversaryAand the challengerC and is demonstrated below:
• Phase I:Cruns the algorithmSetup(λ) and gives the system parametersP ARAM StoA.Cruns the KeyGen algorithm and provides the public keys of the honest users and the public/private key pairs of the corrupt users toA. Additionally,Acan adaptively query the re-key generation oracleOReKeyGen(P Ki, P Kj) and decryption oraclesODecrypt(σi, P Ki) provided by C.
• Challenge Phase: After taking sufficient training,Aprovides the target public keyP KT (T ∈HU) and two messages m0, m1∈ Mof equal length. C flips a random coinδ∈ {0,1}, and sets the challenge ciphertext to be ˆσT =Encrypt1(mδ, P KT, P ARAM S) and provides ˆσT as challenge ciphertext toA.
• Phase II:Aadaptively issues queries andC responds as inPhase I. However, the adversaryAis subjected to the following restrictions during this phase :
1. Acannot issue a corrupted key generation query on userUT to obtain the target private keySKT. 2. Acannot issue decryption queries on ˆσT underP KT.
We refer to the above adversaryA against all the three types of ciphertexts asIN D-P RE-CCAadversary.A’s advantage in attacking the PRE scheme is defined as :
AdvP RE,IN D−AP RE−CCA=|2P r[δ0−δ]−1|,
where, the probability is over the random coin tosses performed by C and A. Given a t-time IN D-P RE-CCA
adversary A who makes at most qRK re-encryption key generation queries, qRE re-encryption queries and qd decryption queries, a single-hop unidirectional PRE scheme is defined as (t, )-IN D-P RE-CCA secure if the advantage ofAisAdvIN DP RE,−AP RE−CCA≤.
Delegator Secret Security
Delegator secret security or collusion-resistance prevents a colluding dishonest proxy and delegatees to derive the delegator’s private key in full [8]. This attack is also captured by the transformed/non-transformable ciphertext security, since the challenger provides the adversary with all the re-encryption keys, which makes decryption of ciphertexts encrypted under the delegator’s public key easy when the adversary can derive the delegator’s private key completely. We adopt the delegator secret security model from the definition in Chowet al.[7]. The security is defined by the following game between the challengerC and the adversaryAas demonstrated below:
– Setup: C takes the security parameter λ as input, runs Setup(λ) and gives the resulting system parameters
P ARAM S toA.
– Queries:Aissues the following queries adaptively toC:
• Uncorrupted-Key Generation: C runs the KeyGen(Ui, P ARAM S) algorithm to generate the public/private key pair (P Ki, SKi) of userUi and returnsP Ki toA.
• Corrupted-Key Generation: C runs the KeyGen(Ui, P ARAM S) algorithm to generate the public/private key pair (P Ki, SKi) of userUi and returns (P Ki, SKi) toA.
• Re-encryption Key Generation (P Ki, P Kj): C generates the public/private key pairs(corrupted or uncor-rupted) of users Ui and Uj and runs theReKeyGen(SKi, P Ki, P Kj, P ARAM S) algorithm to generate the re-encryption keyRKi→j from usersUi toUj.
– Output:AreturnsSKi∗as the private key of public keyP Ki∗. Awins the game ifSKi∗ is a valid private key of an uncorrupted user with public keyP Ki∗.
We refer to the above adversary A as the DSK adversary. The advantage of A in attacking the delegator secret security of the scheme is defined as:
AdvP RE,DSKA=P r[Awins].
where, the probability is over the random coin tosses performed by C and A. Given a t-time DSK adversary A
who makes at mostqRK re-encryption key generation queries, a single-hop unidirectional PRE scheme is defined as (t, )-DSK secure if the advantage ofAisAdvDSK
P RE,A≤.
Complexity Assumptions
We define the complexity assumptions used in the proof of security of our PRE scheme.
Definition 2. Computational Diffie Hellman Assumption (CDH): Let G be a cyclic multiplicative group of
prime orderq. The Computational Diffie Hellman problem inGis, given(g, ga, gb)∈G3, computegab, wherea, b←Z∗q.
Definition 3. Divisible Computational Diffie Hellman Assumption (DCDH):LetGbe a cyclic multiplicative group of prime orderq. The Divisible Computational Diffie Hellman problem inGis, given (g, ga, gb)∈G3, compute
gb/a, wherea, b← Z∗q.
Definition 4. Discrete Logarithm Assumption (DL):Let G be a cyclic multiplicative group of prime order q. The Discrete Logarithm problem inGis, given(g, ga)∈
G2, compute a, where a←Z∗q.
4
Analysis of a Unidirectional PRE Scheme by Chow
et al.
[8]
4.1 Review of the scheme
– Setup(λ): Choose two primespandqsuch thatq|p−1 and the security parameterλdefines the bit-length ofq. LetGbe a subgroup ofZ∗q with order q and letg be a generator of the group G. Choose four hash functions:
H1:{0,1}l0× {0,1}l1 →
Z∗q,
H2:G→ {0,1}l0+l1,
H3:{0,1}∗→Z∗q,
H4:G→Z∗q.
The hash functionsH1, H2, H3are modelled as random oracles in the security proof reduction. Here l0 andl1are security parameters determined byλ, and the message spaceMis{0,1}l0.
Return the public parametersP ARAM = (q,G, g, H1, H2, H3, H4, l0, l1).
– KeyGen(Ui, P ARAM S): To generate the private key (SKi) and the corresponding public key (P Ki) of userUi:
• Pick xi,1, xi,2∈RZq∗ and set SKi = (xi,1, xi,2).
• ComputeP Ki = (P Ki,1, P Ki,2) = (gxi,1, gxi,2).
– ReKeyGen(SKi, P Ki, P Kj, P ARAM S): On input of the private key of user Ui: SKi = (xi,1, xi,2) and public
keyP Ki= (P Ki,1, P Ki,2) and userj’s public keyP Kj= (P Kj,1, P Kj,2), generate the re-encryption keyRKi→j as shown:
• Pick h∈R{0,1}l0,π∈R{0,1}l1.
• Computev=H1(h, π).
• ComputeV =P Kv
j,2 andW =H2(gv)⊕(h||π).
• Define RKih→1ij= x h
i,1H4(P Ki,2)+xi,2.
• ReturnRKi→j= (RKh
1i
i→j, V, W).
– Encrypt(m, P Ki, P ARAM S): To encrypt a messagem∈ Munder the public keyP Ki:
• Pick u∈RZ∗q.
• ComputeD= P KH4(P Ki,2)
i,1 P Ki,2
u
.
• Pick ω∈R{0,1}l1.
• Computer=H1(m, ω).
• ComputeE= P KH4(P Ki,2)
i,1 P Ki,2
r
andF =H2(gr)⊕(m||ω).
• Computes=u+r·H3(D, E, F) mod q.
• Output the ciphertextσi= (D, E, F, s).
– ReEncrypt(σi, P Ki, P Kj, RKi→j, P ARAM S): On input of an original ciphertext σi = (D, E, F, s) encrypted under the public key of the delegatorP Ki= (P Ki,1, P Ki,2), the public key of the delegateeP Kj= (P Kj,1, P Kj,2),
the re-encryption keyRKi→j= (RK
h1i
i→j, V, W), re-encryptσi into a ciphertext ˆσj under P Kj as follows:
• Check if the following condition holds to satisfy the well-formedness of ciphertexts:
P KH4(P Ki,2)
i,1 P Ki,2
s ?
=D·EH3(D,E,F) (1)
If it does not hold, return ⊥.
• Else, compute ˆE=ERK
h1i
i→j =grh.
• Output ˆσj= ( ˆE, F, V, W) = (grh, H2(gr)⊕(m||ω), P Kj,v2, H2(g
v)⊕(h||π)).
– Encrypt1(m, P Ki, P ARAM S): To generate a non-transformable ciphertext under public keyP Ki of a message
m∈ M:
• Pick h∈R{0,1}l0 andπ∈R{0,1}l1.
• Computev=H1(h, π).
• ComputeV =P Kj,v2 andW =H2(gv)⊕(h||π).
• Pick ω∈R{0,1}l1 and computer=H1(m, ω).
• Compute ˆE= (gr)h andF=H
2(gr)⊕(m||ω).
– Decrypt(σi, P Ki, SKi, P ARAM S): On input of a ciphertext σi, public key P Ki and its corresponding private keySKi= (xi,1, xi,2) ,decrypt according to two cases:
• Original Ciphertext σi= (D, E, F, s):
∗ If equation (1) does not hold, return⊥.
∗ Otherwise, compute:
(m||ω) =F⊕H2(E
1
xi,1H4 (P Ki,2 )+xi,2). (2)
∗ ReturnmifE=? P KH4(P Ki,2)
i,1 P Ki,2
H1(m,ω)
holds; else return⊥.
• Transformed /Non-transformable Ciphertext ˆσi= ( ˆE, F, V, W):
∗ Compute (h||π) =W ⊕H2(V1/SKi,2) and (m||ω) =F⊕H2( ˆE1/h).
∗ ReturnmifV =? P KH1(h,π)
i,2 and ˆE ?
=gH1(m,ω)·hholds; else return ⊥.
4.2 Our Attack
In this section, we point out the weakness of the scheme by Chowet al.[8]. We show that the simulation of the oracles defined in the security proof of the scheme is not consistent with the real algorithm. This allows the adversary to distinguish the simulation run by the challenger from the real system. We demonstrate this flaw by considering the validity of the ciphertexts with respect to the ReEncryptand Decrypt algorithm in the simulation and in the real system. To make it simple, we considerP KT as the public key of the target user in the challenge phase and the attack is posed inPhase-IIafter the challenge phase is over. We re-encrypt a ciphertextσT underP KT into a ciphertext ˆσj underP Kj (P Kj is corrupt) and further decrypt ˆσj. All the computations hereafter are done usingP KT andP Kj. Before we explain the flaw, let us partially review the re-encryption and decryption oracles of the scheme in [7] which is relevant to our attack. We note that the re-encryption keys are maintained in a listRlist in the form of tuples
hP KT, P Kj,(RKh
1i
T→j, V, W), h, τi. In order to respond to the random oracle queries of the adversary, the challenger maintains listH1listwith tupleshm, ω, risuch thatH1(m, ω) =rand listH2listwith tupleshR, βisuch thatH2(R) =β. The description of the re-encryption and decryption oracles are as follows:
– Re-encryption Oracle (ORE(P KT, P Kj, σT)):
• ParseσT to obtain (D, E, F, s). Note that σT (UT is honest) is to be re-encrypted to ˆσj (Uj is corrupt).
• Search for tuplehm, ω, riin H1list such that (P K
H4(P KT ,2)
T ,1 P KT ,2)r ?
=E. If no such tuple exists, return⊥.
• Else, retrieve tuple hP KT, P Kj,(∗, V, W), h,0−0iin listRlist.
• If found, compute ˆE=Er·h.
• Else, prepare the partial re-encryption key as follows:
∗ Pickh∈R{0,1}l0,π∈R{0,1}l1. Computev=H1(h, π).
∗ ComputeV =P Kv
j,2 andW =H2(gv)⊕(h||π).
∗ Update listRlist with tuple hP Ki, P Kj,(⊥, V, W), h,0−0i, define ˆE=Er·h.
• Return ˆσj= ( ˆE, F, V, W) toA.
– Decryption Oracle (ODec(P KT, σT)) or (ODec(P Kj,σˆj)):
• To decrypt an original ciphertextσT = (D, E, F, s) under the public key P KT (uncorrupt), search listsH1list
andH2list for tupleshm, ω, riandhR, βisuch that:
(P KH4(P Ki,2)
T ,1 P KT ,2)r ?
=E, β⊕(m||ω)=? F, R=? gr. (3) If yes, returnmto the adversary. Else, return ⊥.
• To decrypt a transformed ciphertext ˆσj = ( ˆE, F, V, W) under public key P Kj (corrupt), run algorithm
Decrypt(ˆσj, P Kj, SKj, P ARAM S) and return the result to A.
First, we encrypt a messagemunderP KT. Let us consider two forms of ciphertextσReal=hDReal, EReal, FReal, sReali andσF ake =hDF ake, EF ake, FRand, sF akei.σReal is the ciphertext obtained from the encryption algorithm Encrypt (i.e., encryption ofmunder P KT by executing theEncrypt(m, P KT, P ARAM S)).σF ake is a cooked-up ciphertext that can pass the verification tests ofReEncryptalgorithm but not theDecryptalgorithm. We list down the steps to constructσReal andσF ake.
• Pick uReal∈RZ∗q.
• ComputeDReal=
(P KT ,1)H4(P KT ,2)P KT ,2
uReal
.
• Pick ωReal∈R{0,1}l1.
• ComputerReal=H1(m, ωReal).
• ComputeEReal=
(P KT ,1)H4(P KT ,2)P KT ,2
rReal
.
• ComputeFReal=H2(grReal)⊕(m||ωReal).
• ComputesReal=uReal+rRealH3(DReal, EReal, FReal) modq.
• Output the ciphertextσReal= (DReal, EReal, FReal, sReal). It is clear thatσT passes the ciphertext verification test of equation (1).
– Construction of σF ake: σF ake is a cooked-up ciphertext that clears the verification tests of the ReEncrypt algorithm but fails against the verification of theDecryptalgorithm. We denote the algorithm for the construction ofσF ake as EncryptF ake(m, P KT), which is as follows:
• Pick uF ake∈RZ∗q.
• ComputeDF ake=
(P KT ,1)H4(P KT ,2)P KT ,2
uF ake
.
• PickrRand∈RZ∗q. Here it should be noted thatrRanddoes not follow the actual algorithm, instead it is picked at random from Z∗q.
• PickωF ake∈R{0,1}l1 and computerF ake=H1(m, ωF ake).Note that in theEncryptalgorithm,rF akeis the output ofH1oracle on giving a message and a random string (ωF ake) of size{0,1}l1 as input.
• ComputeEF ake=
(P KT ,1)H4(P KT ,2)P KT ,2
rRand
.
• ChooseFRand∈R{0,1}l0+l1. In theEncryptalgorithm,F is the encryption of the message to be encrypted along with a random stringωF akeof length {0,1}l1. But in the construction ofσF ake, we note that FRand is chosen at random.
• ComputesF ake=uF ake+rRandH3(DF ake, EF ake, FRand) mod q.
• Output the ciphertextσF ake= (DF ake, EF ake, FRand, sF ake). It should be noted that the components FRand and rRand violate the definitions given in the Encrypt algorithm. However, σF ake passes the ciphertext validation test of equation (1). In fact:
RHS =DF ake·(EF ake)H3(DF ake,EF ake,FRand) =(P KT ,1)H4(P KT ,2)P KT ,2
uF ake
·(P KT ,1)H4(P KT ,2)P KT ,2
rRandH3(DF ake,EF ake,FRand)
=(P KT ,1)H4(P KT ,2)P KT ,2
sF ake
=LHS.
The important properties possessed byσReal andσF ake are:
1. Output of Decrypt(σReal, P KT, SKT, P ARAM S) is m and the output of ODecrypt(P KT, σReal) is m. This is becauseσReal is a legitimate ciphertext ofmproduced byEncryptalgorithm.
2. Output of Decrypt(σF ake, P KT, SKT, P ARAM S) is⊥and the output of theODecrypt(P KT, σF ake) is⊥. This is because:
– In Decrypt algorithm: Since FRand ∈R {0,1}l0+l1, according to equation (2), we obtain (mk||ωk) ← F ⊕
H2(E
1
xi,1H4 (P Ki,2 )+xi,2) where (m
k||ωk) is a junk message which does not satisfy the validity check: E 6= (P KH4(P Ki,2)
i,1 P Ki,2)H1(mk,ωk). Consequently,⊥is returned.
– In ODecrypt Simulation: Note that rRand is used for the construction of σF ake and there exists no tuples
hm, ωF ake, ri ∈H1list andhR, βi ∈H2list such that condition (3) holds. Hence,⊥is returned.
3. σRealis a valid ciphertext andσF akeis an invalid ciphertext with respect to bothDecryptalgorithm andODecrypt oracle. Therefore, the simulation of the decryption algorithm is perfect.
4. BothσRealandσF akeare valid ciphertexts corresponding to theReEncryptalgorithm. This is becauseσRealis a legitimate ciphertext ofmproduced by theEncryptalgorithm. Again,σF akepasses the ciphertext verification test of equation (1) and the algorithm computes the re-encrypted ciphertext ˆσF ake= ( ˆE, F, V, W) as per the protocol where ˆEF ake=grF akeh, whererF ake=H1(m, ωF ake) has already been computed.
ReEncrypti.e., ˆσ(RealScheme)←ReEncrypt(σReal, P KT, P Kj, RKT→j, P ARAM S) and ˆσ
(Oracle)
Real to denote the result of re-encryption ofσRealobtained from the re-encryption oracleOReEncrypti.e., ˆσ
(Oracle)
Real ← OReEncrypt(P KT, P Kj, σReal). Also, we use ˆσF ake(Scheme)to denote the result of re-encryption ofσF akeobtained from the re-encryption algorithm
ReEn-crypti.e., ˆσF ake(Scheme) ←ReEncrypt(σF ake, P KT, P Kj, RKT→j, P ARAM S) and ˆσ
(Oracle)
F ake to denote the result of re-encryption ofσF akeobtained from the re-encryption oracleOReEncrypti.e., ˆσ
(Oracle)
F ake ← OReEncrypt(P KT, P Kj, σF ake).
Observations on ˆσReal(Scheme) and ˆσ(RealOracle) :
1. ˆσReal(Scheme)= ˆσ(RealOracle). 2. ˆσF ake(Scheme)6= ˆσ(F akeOracle).
The reason for observation 1 follows directly from the fact thatσRealis a valid ciphertext. The reason for the violation in observation 2 is that theReEncryptalgorithm is only a function of the re-encryption key but OReEncrypt oracle makes use of the knowledge ofrF aketo generate ˆσ
(Oracle)
F ake . However, in the construction ofσF ake,rRandis used in the generation of ˆσ(F akeOracle). The question here is, how will the adversary find this difference, that is ˆσF ake(Scheme)6= ˆσF ake(Oracle). Let us now demonstrate how the adversary captures this difference shown by the OReEncrypt oracle simulation and theReEncryptalgorithm. We first analyse the ciphertexts ˆσ(F akeScheme) and ˆσF ake(Oracle).
Closer Look at ˆσ(F akeScheme):
– σˆF ake(Scheme)=EˆF ake(Scheme), FRand(Scheme), VF ake(Scheme), WF ake(Scheme)←ReEncrypt(σF ake, P KT, P Kj, RKT→j, P ARAM S).
– EˆF akeScheme=ERKi→j
F ake =
P KH4(P KT ,2)
T ,1 P KT ,2
rRand xT, h
1H4 (P KT,2 )+xT,2
= (grRand)h.
– v=H1(h, π) whereh∈R{0,1}l0 and π∈R{0,1}l1.
– VF ake=P Kj,v2 andWF ake=H2(gv)⊕(h||π).
– So, we have ˆσ(F akeScheme)= grRandh, F
Rand, P Kj,v2, H2(gv)⊕(h||π)
.
Closer look at ˆσF ake(Oracle) :
– ⊥ ← OReEncrypt(P KT, P Kj, σF ake).
Since there exists no tupleshm, ω, riinH1list such that (P KH4(P KT ,2)
T ,1 P KT ,2)r ?
=E,the oracle returns⊥. This is because, although there exists a tuplehm, ωF ake, rF akeiin H1list,rRand is used in the construction ofEF ake.
Distinguishing The Oracle From The Real Algorithm:
Using the above observations, the adversary can easily distinguish between the real algorithm and the simulated environment provided by the challengerC. The adversaryAcan perform the following simple test to distinguish the simulatedOReEncrypt and the real algorithmReEncrypt:
Distinguisher
1. C provides the system parametersP ARAM S toA.
2. After getting training in Phase-I, Aprovides two messagesm0 andm1 of equal length and a target public key
P KT toC.
3. C generates the challenge ciphertextσT and gives as challenge toA. 4. Anow does the following:
(a) GenerateσF ake=EncryptF ake(m0, P KT) = (DF ake, EF ake, FRand, sF ake) where:
– DF ake=
(P KT)H4(P KT)P KT
uF ake
.
– EF ake=
(P KT)H4(P KT)P KT
rRand
whererRand∈RZ∗q.
– FRand∈R{0,1}l0+l1.
– sF ake=uF ake+rRandH3(DF ake, EF ake, FRand) modq. Here AknowsrRand anduF ake.
(b) A queriesOReEncrypt(σF ake, P KT, P Kj, RKT→j, P ARAM S). It should noted thatv, V, h, π, W are fixed for
T →j delegation.
4.3 Fixing the flaw
Note that modifying the re-encryption algorithm to fix the flaw is not possible since re-encryption of a valid ciphertext
σT will always require the knowledge ofr=H1(m, ω) as no other trapdoor exists to obtain a re-encrypted ciphertext ˆ
σj. Again, the knowledge of the private key of the delegator is necessary to generate the encryption keys and re-encrypted ciphertexts. Consequently, we cannot provide a trivial fix to the scheme in order to address the problem. As a solution, we propose a new collusion-resistant unidirectional proxy re-encryption scheme without any pairing operation. We have incorporated additional information to the existing Encrypt algorithm along with ciphertext validity checks in both theRe-Encrypt and theDecrypt algorithm. Our technique prevents any cooked up ciphertexts violating the definitions of Encrypt algorithm to clear the ciphertext validity checks of both the Re-Encrypt and
Decryptalgorithms.
5
A Unidirectional Proxy Re-Encryption Scheme
– Setup(λ): Choose two primespandq such thatq|p−1 and the bit-length ofq is the security parameterλ. Let Gbe a subgroup ofZ∗q with order q.g is a generator of the groupG. Choose five hash functions:
H1:{0,1}l0× {0,1}l1 →
Z∗q,
H2:G→ {0,1}l0+l1,
H3:{0,1}∗→Z∗q
H4:G→Z∗q,
H5:G4× {0,1}l0+l1 →
G.
The hash functions are modelled as random oracles in the security proof reduction. Herel0 and l1 are security
parameters determined byλ, and the message spaceMis{0,1}l0.
Return the public parametersP ARAM S= (q,G, g, H1, H2, H3, H4, H5, l0, l1).
– KeyGen(Ui, P ARAM S): To generate the private key (SKi) and the corresponding public key (P Ki) of userUi:
• Pick xi,1, xi,2∈RZq∗ and set SKi = (xi,1, xi,2).
• ComputeP Ki = (P Ki,1, P Ki,2) = (gxi,1, gxi,2).
– ReKeyGen(SKi, P Ki, P Kj, P ARAM S): On input of a user i’s private key SKi = (xi,1, xi,2) and public key P Ki = (P Ki,1, P Ki,2) and user j’s public keyP Kj = (P Kj,1, P Kj,2), generate the re-encryption keyRKi→j as shown:
• Pick h∈R{0,1}l0,π∈R{0,1}l1.
• Computev=H1(h, π).
• ComputeV =P Kj,v2 andW =H2(gv)⊕(h||π).
• Define RKih→1ij= h
xi,1H4(P Ki,2)+xi,2.
• ReturnRKi→j= (RK
h1i
i→j, V, W).
– Encrypt(m, P Ki, P ARAM S): To encrypt a messagem∈ M:
• Pick u∈RZ∗q.
• ComputeD= P KH4(P Ki,2)
i,1 P Ki,2
u .
• Compute ¯D=H5(P Ki,1, P Ki,2, D, E, F)u.
• Pick ω∈R{0,1}l1.
• Computer=H1(m, ω).
• ComputeE= P KH4(P Ki,2)
i,1 P Ki,2
r
.
• Compute ¯E=H5(P Ki,1, P Ki,2, D, E, F)r.
• ComputeF =H2(gr)⊕(m||ω).
• Computes=u+r·H3(D,E, F¯ ) mod q.
• Output the ciphertextσi= (D,E, F, s¯ ).
– ReEncrypt(σi, P Ki, P Kj, RKi→j, P ARAM S): On input of an original ciphertextσi= (D,E, F, s¯ ) encrypted un-der public keyP Ki= (P Ki,1, P Ki,2), the public keysP KiandP Kj, a re-encryption keyRKi→j= (RK
h1i
• ComputeE and ¯D as follows:
E= P KH4(P Ki,2)
i,1 P Ki,2
s
·D−1H3(D,E,F¯ )−1
=P KH4(P Ki,2)
i,1 P Ki,2
(u+r·H3(E,E,F¯ ))
· P KH4(P Ki,2)
i,1 P Ki,2
−uH3(D,E,F¯ )−1
= P KH4(P Ki,2)
i,1 P Ki,2
rH3(D,E,F¯ )H3(D,
¯
E,F)−1
= P KH4(P Ki,2)
i,1 P Ki,2
r
.
¯
D=H5(P Ki,1, P Ki,2, D, E, F)s·( ¯EH3(D,
¯
E,F))−1
=H5(P Ki,1, P Ki,2, D, E, F)(u+r·H3(D,
¯
E,F))· H5(P K
i,1, P Ki,2, D, E, F)rH3(D,
¯
E,F)−1
=H5(P Ki,1, P Ki,2, D, E, F)u.
• Check if the following verification for the well-formedness of the ciphertext holds:
P KH4(P Ki,2)
i,1 P Ki,2
s ?
=D·EH3(D,E,F¯ ) (4)
H5(P Ki,1, P Ki,2, D, E, F) s ?
= ¯D·E¯H3(D,E,F¯ ) (5)
If the above checks do not hold, return⊥.
• Else, compute ¯E=ERK
h1i
i→j =grh.
• Output ˆσj= ( ¯E, F, V, W) = (gr·h, H2(gr)⊕(m||ω), P Kj,v2, H2(gv)⊕(h||π)).
– Encrypt1(m, P Ki, P ARAM S): To generate a non-transformable ciphertext under public keyP Ki of a message
m∈ M:
• Pick h∈R{0,1}l0 andπ∈R{0,1}l1.
• Computev=H1(h, π).
• ComputeV =P Kv
j,2 andW =H2(gv)⊕(h||π).
• Pick ω∈R{0,1}l1 and computer=H1(m, ω).
• Compute ˆE= (gr)h andF=H2(gr)⊕(m||ω).
• Output the non-transformable ciphertext ˆσj = ( ˆE, F, V, W).
– Decrypt(σi, P Ki, SKi, P ARAM S): On input a ciphertextσi, public keyP Ki and private keySKi= (xi,1, xi,2),
decrypt according to two cases:
• Original ciphertext of the form σi= (D,E, F, s¯ ) :
∗ Check if the ciphertext is well-formed by computing the values ofE and ¯D and checking if equations (4) and (5) holds. If they do not hold, return⊥.
∗ Otherwise, extract the message as:
(m||ω) =F⊕H2(E
1
xi,1H4 (P Ki,2 )+xi,2) (6)
∗ Returnmif the following checks hold, else return⊥.
D=? P KH4(P Ki,2)
i,1 P Ki,2
s
·(E)H5(D,E,F¯ )−1
¯
E=? H5(P Ki,1, P Ki,2, D, E, F)H1(m,ω)
• Transformed ciphertext or a non-transformable ciphertext of the formσi = ( ˆE, F, V, W):
∗ Compute (h||π) =W ⊕H2(V1/SKi,2) and extract the message as:
(m||ω) =F⊕H2( ˆE1/h) (7)
∗ ReturnmifV =? P KH1(h,π)
i,2 and ˆE ?
5.1 Correctness
– Correctness of ciphertext verification from equation (4):
RHS=D·EH3(D,E,F¯ )
= (P KH4(P Ki,2)
i,1 P Ki,2)u·(P K
H4(P Ki,2)
i,1 P Ki,2)rH3(D, ¯
E,F)
= (P KH4(P Ki,2)
i,1 P Ki,2)u+rH3(D, ¯
E,F)
= (P KH4(P Ki,2)
i,1 P Ki,2)s
=LHS.
– Correctness of ciphertext verification from equation (5):
RHS= ¯D·E¯H3(D,E,F¯ )
=H5(P Ki,1, P Ki,2, D, E, F)u·H5(P Ki,1, P Ki,2, D, E, F)rH3(D, ¯
E,F)
=H5(P Ki,1, P Ki,2, D, E, F)u+rH3(D, ¯
E,F)
=H5(P Ki,1, P Ki,2, D, E, F)s =LHS.
– Consistency ofEncryptionandDecryptionof Original Ciphertext from equation (6):
RHS=F⊕H2(E
1
xi,1H4 (P Ki,2 )+xi,2)
=F⊕H2((P K
H4(P Ki,2)
i,1 P Ki,2)
r× 1
xi,1H4 (P Ki,2 )+xi,2)
=H2(gr)⊕(m||ω)⊕H2(gr)
= (m||ω) =LHS.
– Consistency ofEncryptionandDecryptionof Transformed/Non-transformable ciphertext from equation (7):
RHS =F⊕H2( ˆEh1)
=H2(gr)⊕(m||ω)⊕H2(grh×h1)
= (m||ω).
5.2 Security Proof
Original Ciphertext Security:
Theorem 1. The proposed scheme is CCA-secure for the original ciphertext under the DCDH assumption and the
EU F−CM Asecurity of Schnorr signature scheme [19]. If a(t, )IN D-P RE-CCAAwith an advantagebreaks the IND-PRE-CCA security of the given scheme in timet,C can solve the DCDH problem with advantage0 within time
t0 where:
0≥ 1
qH2
e(qRK+ 1)
−qH1
2l1 −
qH3+qH5
2l0+l1 −qd
qH
1+qH2
2l0+l1 +
2
q
−1−2
,
t0 ≤t+ (qH1+qH2+qH3+qH4+qH5+nh+nc+qRK+qRE+qd)O(1)
+ (2nh+ 2nc+ 2qRK+ 5qRE+ 2qd+qH1qRE+ (2qH2+ 2qH1)qd)te,
We note thateis the base of natural logarithm, 1 denotes the advantage in breaking the CCA security of the hashed Elgamal encryption scheme and2 denotes the advantage in breaking the EUF-CMA security of the Schnorr Signature scheme andte denotes the time taken for exponentiation in groupG.
Proof. Given an adversaryAthat breaks the (t, )IN D-P RE-CCAsecurity of the scheme, we show how to construct a polynomial time algorithm C which breaks the DCDH assumption inG or the existential unforgeability against chosen message attack (EU F-CM A) of the Schnorr Signature with a non-negligible advantage.C maintains two lists
• Lkey :hP Ki, xi,1, xi,2, cii.
• LRK :hP Ki, P Kj, RK
h1i
i→j, V, W, h, τi.
− Key Generation:C maintains the listLkey that contains information of all the user keys. C generates the keys of the users in the following ways:
• Uncorrupted User Keys: C uses Coron’s coin tossing technique [9] to generate the uncorrupted user keys by flipping a coinci∈ {0,1}that takes the value 1 with probabilityρ, which we shall determine later.C chooses
xi,1, xi,2∈RZ∗q and computesP Ki according to the following cases:
∗ Ifci= 1, computeP Ki= (P Ki,1, P Ki,2) = (gxi,1, gxi,2). Add the tuplehP Ki, xi,1, xi,2, ci= 1itoLkey.
∗ If ci = 0, compute P Ki = (P Ki,1, P Ki,2) = ((ga)xi,1,(ga)xi,2). Add the tuple hP Ki, xi,1, xi,2, ci = 0ito
Lkey.
• Corrupted User Keys:C chooses xi,1, xi,2∈RZ∗q and computes P Ki = (P Ki,1, P Ki,2) = (gxi,1, gxi,2). It adds
the tuplehP Ki, xi,1, xi,2, ci=−itoLkey.
− Phase 1:C answers the queries issues byAas follows:
• Oracle Queries:
H1(m, ω):Cmaintains a listLH1 with tupleshm, ω, ri. If a tuplehm, ω, rialready appears inLH1 list, respond
withH1(m, ω) =r. Else pickr∈RZq∗, add the tuple hm, ω, ritoLH1 and returnr.
H2(R): C maintains a list LH2 with tuples hR, θi. If a tuple hR, θi already appears in LH2 list, respond
withH2(R) =θ. Else pickθ∈R{0,1}l0+l1, add the tuplehR, θitoLH2 and returnθ.
H3(D,E, F¯ ):C maintains a listLH3 with tupleshD,E, F, ψ¯ i. If a tuple hD,E, F, ψ¯ i already appears inLH3
list, respond with H3(D,E, F¯ ) =ψ. Else pickψ∈RZq∗, add the tuplehD,E, F, ψ¯ itoLH3 and returnψ.
H4(P Ki,2): C maintains a listLH4 with tuples hP Ki,2, νi. If a tuplehP Ki,2, νialready appears in LH4 list,
respond with H4(P Ki,2) =ν. Else pickν∈RZq∗, add the tuplehP Ki,2, νitoLH4 and returnν.
H5(P Ki,1, P Ki,2, D, E, F):Cmaintains a listLH5 with tupleshP Ki,1, P Ki,2, D, E, F, β, γi. If a tuplehP Ki,1,
P Ki,2, D, E, F, β, γi already appears in LH5 list, respond with H5(P Ki,1, P Ki,2, D, E, F) = γ. Else, pick
β ∈RZ∗q. Computeγ=gβ and setH5(P Ki,1, P Ki,2, D, E, F) =γ.
• OReKeyGen(P Ki, P Kj): C maintains the list LRK that contains information of the re-encryption keys of the users. If the re-encryption keys from P Ki to P Kj already exists in LRK, retrieve and return RKi→j = (RKih→1ij, V, W). Else,Ccomputes the re-encryption keys as shown:
∗ Selecth∈R{0,1}l0, π∈R{0,1}l1.
∗ Computev=H1(h, π),V = (P Kj,2)v,W =H2(gv)⊕(h||π).
∗ Compute the value ofRKih→1ij)according to the following cases:
· Ifci= 1∨ci=−, computeRK
h1i
i→j=
h
xi,1H4(P Ki,2)+xi,2. Setτ= 1 and update the list LRK.
· If ci = 0∧(cj ∈ {0,1}), pickRKh
1i
i→j ∈R Z∗q and set τ = 0. Since a random value of RKi→j would not match the value hassociated with (V, W), we rely on the security of hashed Elgamal encryption scheme [3,11,12] as shown in the security proof of original paper [7].
· Ifci= 0∧cj=−, abort and report failure.
∗ Return the re-encryption keyRKi→j = (RKh
1i
i→j, V, W) toA.
• OReEncrypt(σi, P Ki, P Kj): Check for the well-formedness ofσi by computingE and ¯D and verifying if equa-tions (4) and (5) hold (both the checks ensure that only legitimate ciphertexts obeying the definition of the Encrypt algorithm can clear the verification condition). If they do not hold, return ⊥. Else, compute the re-encrypted ciphertext ˆσj according to the following cases:
∗ If (ci= 0∧cj=−) does not hold, check for the existence of a tuplehP Ki, P Kj, RKh
1i
i→j, V, W, h, τiinLRK. If not found, compute the re-encryption keys by issuing a re-key generation queryOReKeyGen(P Ki, P Kj) and obtain ˆσj=ReEncrypt(σi, P Ki, P Kj, RKi→, P ARAM S). Return ˆσj toA.
∗ Otherwise if (ci = 0∧cj = −) holds, retrieve tuple hP Ki,1, P Ki,2, D, E, F, β, γi from LH5. Compute
R = ( ¯E)β1 and extract (m||ω) = F ⊕H
2(R). Search list LRK for a tuple hP Ki, P Kj,⊥, V, W, h,−i. If found, compute ˆE =gr·h and return ˆσ
Computev=H1(h, π),V = (P Kj,2)v,W =H2(gv)⊕(h||π) and ˆE=gr·h. Update the listLRK with the tuplehP Ki, P Kj,⊥, V, W, h,−i. Return ˆσj = ( ˆE, F, V, W) toA.
• ODecrypt(σi, P Ki): The challenger decrypts the original ciphertexts and transformed ciphertexts respectively as follows:
∗ σi is an Original ciphertext: Check for the well-formedness of σi by computing E and ¯D and verifying if equations (4) and (5) hold. If they do not hold, return⊥. Else, ifci=−orci= 1, runDecryptalgorithm to extract and return m. Else, ifci = 0, retrieve tuple hP Ki,1, P Ki,2, D, E, F, β, γi from LH5. Compute
R= ( ¯E)β1 and extract (m||ω) =F⊕H2(R). Returnm toA.
∗ σi is a transformed ciphertext: Cdecrypts according to the following two scenarios: - If there exists a tuplehP Kj, P Ki,(RKh1i, V, W), h,0iin LRK, compute E = ˆE
1
RKh1i. Search for the
existence of a tuplehm, ω, riin LH1 andhR, θiinLH2 such that the following conditions hold:
P KH4(P Kj,2)
j,1 P Kj,2
r ?
=E, θ⊕(m||ω) =F,
R=gr.
If they hold, returnm, else return⊥.
- Else, searchLH1 for two tupleshm, ω, riandhh, π, viandLH2 for two tupleshR, θiandhR
0, θ0isuch
that the following conditions hold:
gr·h= ˆE, θ⊕(m||ω) =F, R=gr,
P Ki,v2=V, θ0⊕(h||π) =W, R0=gv.
If all the checks are satisfied, returnm. Otherwise, return⊥.
− Challenge: A outputs two messages m0, m1 ∈R {0,1}l0 and the target public key P Ki∗. C recovers tuple
hP Ki∗, x∗i,1, x∗i,2, c∗ii from list Lkey and check if c∗i = 1. If so, C aborts and reports failure. Else, if c∗i = 0, C picksδ∈R{0,1}and computes the challenge ciphertextσi∗ in the following steps:
1. Pickω∗∈R{0,1}l1 and implicitly defineH1(mδ, ω∗) =b/a. 2. Pick ¯e∗, f∗∈RZ∗q. Setu,e¯∗−
b af
∗.
3. ComputeD∗= (ga)(xi,∗1H4(P Ki,∗2)+x ∗
i,2)¯e ∗
(gb)−(x∗i,1H4(P K∗i,2)+x ∗
i,2)f ∗
= ga(x∗i,1H4(P Ki,∗2)+x ∗
i,2)
¯
e∗−b af
∗
= ga(x∗i,1H4(P Ki,∗2)+x ∗
i,2)
u
= P KH4(P Ki∗,2)
i,1 P Ki∗,2
u . 4. ComputeE∗= (gb)x∗i,1H4(P K∗i,2)+x
∗
i,2 = (gax ∗
i,1H4(P Ki,∗2)+ax ∗
i,2)
b a
= P KH4(P Ki∗,2)
i∗,1 P Ki∗,2
r . 5. SetH5(P Ki∗,1, P Ki∗,2, D∗, E∗, F∗) =γ= (ga)β, whereβ∈RZ∗q. Update listLH
5.
6. Compute ¯E∗= (gb)β= (gaβ)ba =H5(P Ki∗,1, P Ki∗,2, D∗, E∗, F∗)r.
7. ChooseF∗∈
R{0,1}l0+l1 and defineH3(E∗,E¯∗, F∗) =f∗.
8. Implicitly define H2(gb/a) = (m
δ||ω∗)⊕F∗. 9. Sets∗= ¯e.
10. Output the challenge ciphertextσi∗= (E∗,E¯∗, F∗, s∗) toA.
− Phase 2:Aissues queries to Cas shown in Phase 1, with the restrictions described for IND-PRE-CCA game.
− Guess:Areturns its guessδ0 ∈R{0,1}toC.C randomly picks a tuplehR, θifromLH2 list and outputsRas the
solution to the DCDH instance.
− Probability Analysis:We first analyse the simulation of the random oracles. The simulations of the hash function
− EH∗
1: (mδ, ω
∗) has been queried toH1.
− EH∗ 2: (g
b/a) has been queried toH2.
− EH∗ 3: (D
∗,E¯∗, F∗) has not been queried toH3 before theChallengephase.
− EH∗
5: (P Ki∗,1, P Ki∗,2, D
∗, E∗, F∗) has not been queried toH5 before theChallengephase.
Note that, in the Challengephase,F∗ is chosen uniformly at random from{0,1}l0+l1 by the ChallengerC, and
henceP r[EH3]≤
qH3
2l0 +l1. Also,P r[EH5]≤
qH5
2l0 +l1.
Next we analyse the probability with whichCaborts during the simulation. LetAbortdenote the probability that
C aborts during there−encryption key generationorChallengephase. In both these phases,C does not abort in the following events:
− E1:ci= 1 in there-encryption key generationquery.
− E2:c∗i = 0 in theChallengephase.
We haveP r[¬Abort]≥ρqRK(1−ρ), which has a maximum value at ρ
OP T =1+qRKqRK. UsingρOP T, we obtain:
P r[¬Abort]≥ 1
e(1+qRK).
The simulation of the decryption oracle is perfect unless valid ciphertexts are rejected by the oracle. This error occurs since a valid ciphertext can be produced without querying H1 and H2 i.e., without querying gr to H2
where r =H1(m, ω). Let Eval denote the event that the ciphertext is a valid ciphertext. We use EH1 and EH2
to denote the events that (m, ω) is queried toH1 andgr is queried toH2. We analyse P r[Eval|¬EH1∨ ¬EH2]≤
P r[Eval|¬EH1] +P r[Eval|¬EH2]:
P r[Eval|¬EH1] =P r[Eval∧EH2|¬EH1] +P r[Eval∧ ¬EH2|¬EH1]
≤P r[Eval∧EH2|¬EH1] +P r[Eval|¬EH2∧ ¬EH1]
= Eval∧EH2∧ ¬EH1
¬EH1
+1
q
≤ qH2
2l0+l1 +
1
q
Similarly, we obtainP r[Eval|¬EH1]≤
qH1
2l0 +l1 +
1
q, andP r[Eval|(¬EH1+¬EH2)]≤
qH1+qH2
2l0 +l1 +
2
q
LetEder denote the event thatEval|(¬EH1+¬EH2) takes place during the entire simulation. We obtain:
P r[Eder]≤qd
q
H1+qH2
2l0 +l1 +
2
q
.
Let Eerr denote the event (EH∗
1 ∨EH2∗∨EH3∗∨EH5∗∨Eder)|¬Abort. If Eerr does not occur, the adversary A
does not gains no advantage greater than 12 in guessing δ due to the randomness in the output of H2, i.e.,
P r[δ0=δ|¬Eerr] = 12. The probability that the adversary correctly guessesδis:
P r[δ0=δ] =P r[δ0 =δ|¬Eerr]P r[¬Eerr] +P r[δ0=δ|Eerr]P r[Eerr]
≤1/2P r[¬Eerr] +P r[Eerr] = 1/2 + 1/2P r[Eerr].
Again,
P r[δ0=δ]≥P r[δ0 =δ|¬Eerr]P r[¬Eerr]≥1/2−1/2P r[Eerr]. From the definition of the advantage of IND-PRE-CCA adversary, we know:
=|2P r[δ0 =δ]−1| ≤P r[Eerr] =P r[(EH∗
1 ∨EH∗2 ∨EH3∗∨Eder)|¬Abort]
≤P r[EH1∗] +P r[EH ∗
2] +P r[EH ∗
3] +P r[EH ∗
5] +P r[Eder]
P r[¬Abort].
Note thatP r[EH∗ 1]≤
qH1
2l1 asC picks ω∈R{0,1}l1, and we obtain the following bound on P r[EH∗ 2]:
P r[EH∗
2]≥P r[¬Abort]·−P r[EH ∗
1]−P r[EH ∗
3]−P r[EH ∗
5]−P r[Eder]
≥
e(qRK+ 1)
−qH1
2l1 −
qH3
2l0+l1 −
qH5
2l0+l1 −qd
qH
1+qH2
2l0+l1 +
2
q
We observe that, if eventEH∗
2 occurs, then the challenger Csolves theDCDH instance with advantage:
0≥ 1
qH2
P r[EH∗ 2]≥
1
qH2
e(qRK+ 1)
−qH1
2l1 −
qH3+qH5
2l0+l1 −qd
qH
1+qH2
2l0+l1 +
2
q
We also bound the running time ofC to solve DCDH instance by:
t0 ≤t+ (qH1+qH2+qH3+qH4+qH5+nh+nc+qRK+qRE+qd)O(1)
+ (2nh+ 2nc+ 2qRK+ 5qRE+ 2qd+qH1qRE+ (2qH2+ 2qH1)qd)te.
This completes the proof of the theorem. tu
Transformed Ciphertext Security:
Theorem 2. The proposed scheme is CCA-secure for the transformed ciphertext under the DCDH assumption and theEU F−CM Asecurity of Schnorr signature scheme [19]. If a(t, )IN D-P RE-CCAAwith an advantagebreaks the IND-CPRE-CCA security of the given scheme,C can solve the DCDH problem with advantage 0 within time t0
where:
0 ≥ 1
qH2
2 e(2 +qRK)2
−qH1
2l1 −qd
qH
1+qH2
2l0+l1 +
2
q
−2
,
t0≤t+ (qH1+qH2+qH3+qH4+qH5+nh+nc+qRK+qRE+qd)O(1)
+ (2nh+ 2nc+ 2qRK+ 3qRE+ 2qd+ (2qH2+ 2qH1)qd)te,
We note thate is the base of natural logarithm, 2 denotes the advantage in breaking the EUF-CMA security of the Schnorr Signature scheme andte denotes the time taken for exponentiation in groupG.
Proof. Given an adversaryAthat breaks the (t, )IN D-P RE-CCAsecurity of the scheme, we show how to construct a polynomial time algorithm C which breaks the DCDH assumption inG or the existential unforgeability against chosen message attack (EU F-CM A) of the Schnorr Signature with a non-negligible advantage. As described in the
Original Ciphertext Security game,C maintains a list Lkey to store the lists of the public/private key pairs of the users.Calso maintains listLRKwith tuples of the formhP Ki, P Kj, RK
h1i
i→j, V, W, h, zito store the lists of re-encryption keys of the users. Both the lists are initially empty.
− Key Generation: C maintains a list Lkey that contains tuples of the form hP Ki, xi,1, xi,2, cii which includes information of all the user keys.C generates the keys of the users in the following ways:
• Uncorrupted User Keys: C uses Coron’s coin tossing technique [9] to generate the uncorrupted user keys by flipping a biased coin ci ∈ {0,1} that yields value 1 with probability ρ, which we shall determine later. C chooses xi,1, xi,2∈RZ∗q and computesP Ki according to the following cases:
∗ Ifci= 1, computeP Ki= (P Ki,1, P Ki,2) = ((ga)
1/H4(P Ki,2)·gxi,1, gxi,2/ga). Add the tuplehP K
i, xi,1, xi,2, ci = 1itoLkey.
∗ If ci = 0, compute P Ki = (P Ki,1, P Ki,2) = ((ga)xi,1,(ga)xi,2). Add the tuple hP Ki, xi,1, xi,2, ci = 0ito
Lkey.
• Corrupted User Keys:C chooses xi,1, xi,2∈RZ∗q and computes P Ki = (P Ki,1, P Ki,2) = (gxi,1, gxi,2). It adds
the tuplehP Ki, xi,1, xi,2, ci=−itoLkey.
− Phase 1:C answers the queries issues byAas follows:
• Oracle Queries: C responds to the hash function queries of Ain the same way as it responds in theOriginal Ciphertext Security.
• OReKeyGen(P Ki, P Kj):Cmaintains a listLRK with entries of the formhP Ki, P Kj, RK
h1i
i→j, V, W, h, τi. If the re-encryption keys from P Ki to P Kj already exists in LRK, retrieve and return RKi→j = (RK
(1)
i→j, V, W). Else,C computes the re-encryption keys as shown:
∗ Ifci= 0∧cj∈ {1,0−0}: abort and report failure.
∗ Ifci= 1∨ci=0 −0:
· DefineRKih→1ij= h
· Selecth∈R{0,1}l0, π∈R{0,1}l1.
· Computev=H1(h, π),V = (P Kj,2)v,W =H2(gv)⊕(h||π).
· Setτ= 1, z= 0.
We note that the computation ofRKih→1ij is correct for both the cases, as we have:
· Forci =0 −0, the correctness is trivial from the definition of the private key SKi= (xi,1, xi,2).
· Forci = 1,RK
h1i
i→j =
h
a
H4 (P Ki,2 )+xi,1
H4(P Ki,2)−a+xi,2
= x h
i,1H4(P Ki,2)+xi,2.
∗ Ifci= 0∧cj= 0:
· Pick RKih→1ij ∈R Z∗q and set τ = 0. Since a random value of RKi→j would not match the value h associated with (V, W), we rely on the security of hashed Elgamal encryption scheme [3,11,12] as shown in the security proof of original paper [7].
· Select z ∈R Z∗q and set V = (gb) z
. Observe that bz = (axj,2)v i.e., gv = (gb/a)
axj,2
follows from the definition in Scheme description.
· Selecth∈R{0,1}l0, π∈R{0,1}l1.
· Pick W ∈R{0,1}l0+l1 and implicitly define H2((gb/a) axj,2
) = (h||π)⊕W.
· Store tuplehP Ki, P Kj, RKh
1i
i→j, V, W, h,0, ziin the listLRK.
∗ Return the re-encryption keyRKi→j = (RK
h1i
i→j, V, W) toA.
• OReEncrypt(σi, P Ki, P Kj): The re-encryption oracle remains the same as demonstrated in the Original
Ci-phertext Security game.
• ODecrypt(σi, P Ki): The decryption oracle is simulated in the exact manner as demonstrated in the Original
Ciphertext Security game.
− Challenge:Aoutputs two messagesm0, m1∈R{0,1}l0, the delegator’s public keyP Ki0and the target(delegatee)
public keyP K∗
i.Crecovers tupleshP Ki0, xi0,1, xi0,2, c0iiandhP Ki∗, x∗i,1, x∗i,2, c∗iifrom listLkey. Ifc0i= 1 or c∗i = 1,
C aborts and reports failure. Else,C picksδ∈R{0,1} and computes the challenge ciphertextσ∗i as shown below. Note that,c0i=− ∧ c∗i = 0 is a special case of the simulation below asAcannot query for the re-keyRKi0→i∗.
1. Pickt∈RZ∗q andω∗∈ {0,1}l1. Define ˆE∗= (gb)t, which impliesr∗h∗=bt, i.e., r∗=H1(mδ, ω∗) =bt/h∗. 2. Observe that RKi0→i∗ = h
∗
a(xi0,1H4(P Ki0,2)+xi0,2)
. Therefore, h∗ = RK
i0→i∗ a(xi0,1H4(P Ki0,2) +xi0,2), which
implicitly definesr∗= (b/a)(t/(RK
i0→i∗(xi0,1H4(P Ki0,2) +xi0,2)).
3. PickF∗∈R{0,1}l0+l1 and implicitly defineH2(g(b/a)(
t/(RKi0 →i∗(xi0,1H4(P Ki0,2)+xi0,2))
) =F∗⊕(mδ⊕ω∗). 4. Retrieve the tuple hP Ki0, P Ki∗, RKih01→ii∗, V∗, W∗,⊥,0, z∗i from LRK. If such a tuple does not exist, define
V∗, W∗, h∗, z∗ in the following way:
• Selectz∗∈RZ∗q and set V∗= (gb) z∗
. Observe thatbz∗= (axi∗,2)v i.e.,gv= (gb/a)
axi∗,2
.
• Selecth∗∈R{0,1}l0, π∗∈R{0,1}l1.
• PickW∗∈R{0,1}l0+l1 and implicitly defineH2((gb/a)
axi∗,2) = (h∗||π∗)⊕W∗.
• Store tuplehP Ki0, P Ki∗, RKih01→ii∗, V∗, W∗, h∗,0, z∗iin the listLRK. 5. Output the challenge ciphertext ˆσ∗
i = ( ˆE
∗, F∗, V∗, W∗) to A.
− Phase 2:Aissues queries to Cas shown in Phase 1, with the restrictions described for IND-PRE-CCA game.
− Guess: A returns its guess δ0 ∈
R {0,1} to C, who first retrieves tuple hmδ0, ω, ri from LH
1 and checks if
(ga)r·RKi0 →i∗(xi0,i∗H4(P Ki0,2)+xi0,2)/t =gb. If no such entry exists,C randomly picks a tuple hR, θi from L H2 list
and outputsRas the solution to the DCDH instance.
− Probability Analysis: We first analyse the simulation of the random oracles. The simulations of the hash functions H3, H4 andH5 are perfect. Also, the simulations of H1 andH2 are perfect unless the following event occurs:
− EH∗ 1: (h
∗, π∗) has been queried toH1.
− EH∗ 2: (g
b/a) or (gb/a)t/RKi0 →i∗(xi0,1H4(P Ki0,2+xi0,2))
⊕(mδ||ω∗) has been queried toH2.
Next we analyse the probability with whichCaborts during the simulation. LetAbortdenote the probability that
C aborts during there−encryption key generationorChallengephase. In both these phases,C does not abort in the following events:
− E2:c∗i = 0∧c0i6= 1 in the Challengephase.
We haveP r[¬Abort]≥ρqRK(1−ρ)2, which has a maximum value atρ
OP T = 2+qRKq
RK. UsingρOP T, we obtain: P r[¬Abort]≥ 2
e(2+qRK)2.
The analysis of the simulation of the decryption oracle is remains the same as shown for the original ciphertext security. The probability of the decryption oracle rejecting valid ciphertexts throughout the entire simulation denoted by LetEder is:
P r[Eder]≤qd
q
H1+qH2
2l0 +l1 + 2
q
.
Again, letEerr denote the event (EH∗ 1∨EH
∗
2∨Eder)|¬Abort. Following a similar analysis as shown in Section 5.2
and from the definition of the advantage of IND-PRE-CCA adversary, we obtain the following bound onP r[EH∗ 2]:
P r[EH∗
2]≥P r[¬Abort]·−P r[EH ∗
1]−P r[Eder]
≥ 2
e(2 +qRK)2
−qH1
2l1 −qd
qH
1+qH2
2l0+l1 +
2
q
We observe that, if eventEH∗
2 occurs, then the challenger Csolves theDCDH instance with advantage:
0 ≥ 1
qH2
P r[EH∗ 2]≥
1
qH2
2 e(2 +qRK)2
−qH1
2l1 −qd
qH
1+qH2
2l0+l1 +
2
q
We also bound the running time ofC to solve DCDH instance by:
t0 ≤t+ (qH1+qH2+qH3+qH4+qH5+nh+nc+qRK+qRE+qd)O(1)
+ (2nh+ 2nc+ 2qRK+ 3qRE+ 2qd+ (2qH2+ 2qH1)qd)te.
This completes the proof of the theorem. tu
Non-transformable Ciphertext Security:
Theorem 3. The proposed scheme is CCA-secure for the non-transformable ciphertext under the CDH assumption. If a(t, −2)IN D-P RE-CCA Awith an advantage −2 breaks the IND-PRE-CCA security of the given scheme,
C can solve the CDH problem with advantage0 within timet0 where:
0 ≥ 1
qH2
−2−qH1
2l1 −qd
qH
1+qH2
2l0+l1 +
2
q
,
t0≤t+ (qH1+qH2+qH3+qH4+qH5+nh+nc+qRK+qd)O(1)
+ (2nh+ 2nc+ 2qRK+ 2qd+ (2qH2+ 2qH1)qd)te,
We note that2 is the advantage of an attacker againstEU F−CM Asecurity game of the Schnorr signature scheme. eis the base of natural logarithm andte denotes the time taken for exponentiation in groupG.
Proof. Let us assume that the Schnorr Signature is (t0, 2)−EU F −CM A where the probability2 < . Given an
adversary A that breaks the (t,(−2))IN D-P RE-CCA of the scheme, we show how to construct a polynomial time algorithm C which breaks the CDH assumption in G with a non-negligible advantage. C maintains two lists
Lkey in the same manner as described in Original Ciphertext Security game and LRK with tuples of the form
hP Ki, P Kj, RK
h1i
i→j, V, W, hito store the lists of the public/private key pairs and the re-encryption keys of the users respectively. Both the lists are initially empty.
− Key Generation: C maintains a list Lkey that contains tuples of the form hP Ki, xi,1, xi,2, cii which includes information of all the user keys.C generates the keys of the users in the following ways:
• Uncorrupted User Keys:C chooses xi,1, xi,2∈R Z∗q and computesP Ki = (P Ki,1, P Ki,2) = ((ga)1/H4(P Ki,2)· gxi,1, gxi,2/ga). Add the tuplehP K
i, xi,1, xi,2, ci = 0itoLkey.
• Corrupted User Keys:C chooses xi,1, xi,2∈RZ∗q and computes P Ki = (P Ki,1, P Ki,2) = (gxi,1, gxi,2). It adds
− Phase 1:C answers the queries issues byAas follows:
• Oracle Queries: C responds to the hash function queries of Ain the same way as it responds in theOriginal Ciphertext Security.
• OReKeyGen(P Ki, P Kj): C maintains a listLRK with entries of the form hP Ki, P Kj, RKh
1i
i→j, V, W, hi. If the re-encryption keys from P Ki to P Kj already exists in LRK, retrieve and return RKi→j = (RK
(1)
i→j, V, W). Else,C computes the re-encryption keys as shown:
∗ ci= 1: Return the re-encryption key obtained by calling the re-encryption algorithmReKeyGen (SKi, P Ki, P Kj, P ARAM S) toA.
∗ ci= 0: Compute the re-encryption key as shown below:
· Pick h∈R{0,1}l0, π∈R{0,1}l1.
· ComputeRKih→1ij = ( a h
H4 (P Kj,2 )+xi,1)H4(P Ki,2)−a+xi,2
= x h
i,1H4(P Ki,2)+xi,2. Note that the knowledge ofa
is not needed to computeRKih→1ij.
· Computev=H1(h, π), V =gv.
· ComputeW =H2(P Kj,v2)⊕(h||π).
· ReturnRKi→j = (RK
h1i
i→j, V, W).
• ODecrypt(σi, P Ki): The decryption oracle is simulated in the exact manner as demonstrated in the Original
Ciphertext Security game.
− Challenge: A outputs two messages m0, m1 ∈R {0,1}l0 and the target public key P Ki∗. C recovers tuple
hP Ki∗, x∗i,1, x∗i,2, c∗ii from list Lkey, picks δ ∈R {0,1} and computes the challenge ciphertext ˆσi∗ in the following steps:
1. Pickω∗∈R{0,1}l1 and issues a H1 queryH1(mσ, ω∗) to obtainr∗.
2. Pickh∗∈R{0,1}l0, π∈R{0,1}l1. Implicitly defineH1(h∗, π∗) =b(b is not known toC).
3. ChooseW∗∈R{0,1}l0+l1and implicitly defineH2(g−abgbxi∗,2) = (h∗||π∗)⊕W∗. Note thatW∗=H2(g−abgbxi∗,2)⊕ (h∗||π∗) =H2(gv)⊕(h∗||π∗).
4. ComputeV∗=gb=P Kiv∗,2.
5. Compute ˆE∗=gr∗h∗,F∗=H
2(gr
∗
)⊕(mσ||ω∗). 6. Return the ciphertext ˆσi∗= ( ˆE∗, F∗, V∗, W∗).
− Phase 2:Aissues queries to Cas shown in Phase 1, with the restrictions described for IND-PRE-CCA game.
− Guess:Areturns its guessδ0 ∈R{0,1}toC.Crandomly picks a tuplehR, θifromLH2list and outputs
R gbxi∗,2
−1
as the solution to the CDH instance.
− Probability Analysis: We first analyse the simulation of the random oracles. The simulations of the hash functions H3, H4 andH5 are perfect. Also, the simulations of H1 andH2 are perfect unless the following event
occurs:
− EH∗ 1: (h
∗, π∗) has been queried toH
1.
− EH∗ 2: (g
b/a) or (gb/a)t/RKi0 →i∗(xi0,1H4(P Ki0,2+xi0,2))
⊕(mδ||ω∗) has been queried toH2.
The analysis of the simulation of the decryption oracle is remains the same as shown for the original ciphertext security. The probability of the decryption oracle rejecting valid ciphertexts throughout the entire simulation denoted by LetEder is:
P r[Eder]≤qd
q
H1+qH2
2l0 +l1 + 2
q
. Again, letEerrdenote the event thatEH∗
1, EH∗2 orEder occurs i.e.,Eerr= (EH1∗∨EH2∗∨Eder). From the analysis
as shown in the Original Ciphertext security game and from the definition of the advantage of IND-PRE-CCA adversary, we obtain:
−2=|2P r[δ0=δ]−1| ≤P r[Eerr] =P r[(EH∗
1 ∨EH2∗∨Eder)]
≤P r[EH∗
1] +P r[EH∗2] +P r[Eder]
We obtain the following bound onP r[EH∗ 2]:
P r[EH∗
2]≥−2−P r[EH1∗]−P r[Eder]
≥−2−qH1
2l1 −qd
qH
1+qH2
2l0+l1 +
2
q
