
Chosen Public Key and Ciphertext Secure Proxy Re-encryption Schemes

Liming Fang*1, Willy Susilo2, Yongjun Ren1, Chunpeng Ge1, and Jiandong Wang1

1 College of Information Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China. Email: [email protected]

2 Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Australia. Email: [email protected]

doi:10.4156/jdcta.vol4.issue9.18

Abstract

A proxy re-encryption scheme enables a proxy to re-encrypt a ciphertext and designate it to a delegatee. Proxy re-encryption schemes have been found useful in many applications, including e-mail forwarding, law-enforcement monitoring, and content distribution. Libert and Vergnaud presented the first construction of a unidirectional proxy re-encryption scheme with chosen ciphertext security in the standard model at PKC 2008. In this paper, we show that Libert and Vergnaud's scheme is insecure against a chosen public key attack. We note that this attack is not considered in the original model proposed by Libert and Vergnaud, but we argue that it is very realistic and important in this scenario. Furthermore, we present a new and efficient construction of a proxy re-encryption (PRE) scheme. We analyse the security of our scheme against chosen public key and chosen ciphertext attacks and compare its performance with that of Libert and Vergnaud's scheme.

Keywords: Information Security, Proxy Re-encryption, Pairing Based Cryptography

1. Introduction

A proxy re-encryption (PRE) scheme allows a proxy to transform a ciphertext under a delegator's public key into a ciphertext under a delegatee's public key on the same message, using some additional information (the re-encryption key). This concept was proposed by Blaze, Bleumer, and Strauss [2], and formalized later by Ateniese et al. [1]. PRE schemes have been found useful in many applications, such as e-mail forwarding, law-enforcement monitoring, and content distribution.

Recently, Canetti and Hohenberger [5] described a construction of proxy re-encryption providing chosen-ciphertext security according to an appropriate definition for PRE systems. Their scheme has the property that the proxy key can also be used to translate ciphertexts from the delegatee back to the delegator, hence it is called bidirectional (as opposed to unidirectional, a distinction already drawn in the original work of Blaze et al. [2]). Until then, no unidirectional PRE system with chosen-ciphertext security in the standard model was known. To fill this gap, Libert and Vergnaud [11] presented the first construction of a unidirectional proxy re-encryption scheme with chosen ciphertext security in the standard model. Nonetheless, they left open the problem of capturing a scenario where adversaries are allowed to generate public keys on behalf of corrupted parties (possibly non-uniformly or as a function of honest parties' public keys). In this setting the adversary can choose arbitrary public keys for the corrupted parties, and Libert and Vergnaud's scheme [11] does not resist the resulting attack.

Motivation of This Work. Although Libert and Vergnaud's PRE scheme [11] is very elegant, several issues regarding the security of PRE remain unsolved, as outlined below.

In [11], the adversaries are not permitted to generate public keys on behalf of the corrupted parties. One possible way to prevent this attack is to require users to prove knowledge of their secret keys during the registration phase. Nonetheless, this approach requires a zero-knowledge proof system, which may not be desirable in several applications. In this work we take a different direction: we incorporate a trusted party that holds a system secret key. When a user selects its public key, the trusted party runs the key generation algorithm on the system secret key together with the user's public key, and the resulting secret key is handed to the user. A consequence of this approach is that every user, including the attacker, shares its secret key with the trusted party. This is natural relative to Libert and Vergnaud's security model, where the challenger is required to generate the public keys of all parties and lets the adversary obtain the private keys of some of them.

Furthermore, Libert and Vergnaud only considered a static corruption model, in which the challenger generates public keys for all parties. Proving security against adaptive corruptions is a challenging and daunting task. Finally, Libert and Vergnaud only provided a scheme in a selective public key model, where the target (challenge) public key has to be determined by the challenger at the beginning of the game. A possible enhancement is to allow adversaries to adaptively query the target public key at the challenge phase within the set of honest players, which we refer to as the full public key model.

Our Contributions. In this paper, we address the problem of constructing a PRE scheme in the full public key, adaptive corruption model that also allows the adversary to generate public keys on behalf of corrupted parties. Specifically, we show that Libert and Vergnaud's scheme is insecure against a chosen public key attack. We note that although our attack is not captured by the original model of Libert and Vergnaud [11], it is very natural and applicable in practice. Then, we provide a formal definition of the PRE-CPCA game, in which the adversary can choose any public key freely. We also present a new construction of a chosen-ciphertext secure proxy re-encryption scheme that is PRE-CPCA secure in the standard model.

Related Work. After the seminal work by Blaze, Bleumer and Strauss [2], Ateniese et al. [1] presented a unidirectional PRE scheme based on bilinear pairings in 2005. Both of these schemes are CPA secure. In 2007, Canetti and Hohenberger [5] presented a construction of CCA secure bidirectional PRE scheme. Later, Libert and Vergnaud [11] presented a CCA secure unidirectional PRE scheme from bilinear pairings. Recently, Deng et al. [8] proposed a CCA secure bidirectional PRE scheme without pairings. In Pairing’08, Libert and Vergnaud [12] introduced the notion of traceable proxy re-encryption, where malicious proxies leaking their re-encryption keys can be identified.

Since a PKI-based setting requires the distribution of public key certificates, the works [10, 7, 15] extended the above notion to identity-based proxy re-encryption (IB-PRE). Because pairing computation is an expensive operation, subsequent works [8, 16, 14] studied PRE schemes constructed without bilinear pairings, especially for settings with limited computational resources.

2. Definitions

In this section, we first review the complexity assumption required in our schemes, and then provide the definition and security of a proxy re-encryption scheme.

2.1. Bilinear Maps

Let $G_1, G_2$ be multiplicative cyclic groups of prime order $p$, and let $g$ be a generator of $G_1$. Here $(p, g, G_1, G_2, e)$ denotes the bilinear map parameters. We say that $e: G_1 \times G_1 \to G_2$ is a bilinear map if the following conditions hold.

1. $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$ for all $a, b \in Z_p$ and $g_1, g_2 \in G_1$.

2. $e(g, g) \neq 1$.

3. There is an efficient algorithm to compute $e(g_1, g_2)$ for all $g_1, g_2 \in G_1$.

2.2. The Truncated q-ABDHE Assumption

Let $(p, g, G_1, G_2, e)$ denote the bilinear map parameters. We define the advantage function $Adv^{q\text{-}ABDHE}_{G_1, B}(\lambda)$ of an adversary $B$ as

$$\Big| \Pr\big[B(g, g^x, \ldots, g^{x^q}, g^z, g^{zx^{q+2}}, e(g,g)^{zx^{q+1}}) = 1\big] - \Pr\big[B(g, g^x, \ldots, g^{x^q}, g^z, g^{zx^{q+2}}, e(g,g)^{r}) = 1\big] \Big|$$

where $x, z, r \in Z_p$ are randomly chosen. We say that the truncated q-ABDHE assumption [9] holds relative to the generator $g$ of $G_1$ if $Adv^{q\text{-}ABDHE}_{G_1, B}(\lambda)$ is negligible for all PPT $B$.

2.3. Proxy Re-encryption

In the following, we provide the definition of a PRE scheme and its game-based security definition.

Definition 1 (Proxy Re-encryption). A proxy re-encryption scheme comprises the following algorithms:

– $Setup(\lambda)$: On input a security parameter $\lambda$, generate a system public parameter $PP$ and a system secret key $SK$.

– $KeyGen(PP, SK, pk_i)$: On input a system public parameter $PP$, a system secret key $SK$, and a public key $pk_i$, output the decryption key $sk_i$.

– $Enc(PP, pk_i, m)$: On input a system public parameter $PP$, a public key $pk_i$ and a message $m$, output the level 1 ciphertext $C_i^{(1)}$ (i.e., a regular ciphertext).

– $ReKeyGenLev1(sk_i)$: On input a secret key $sk_i$ of public key $pk_i$, output the re-encryption key $rk^{(1)}_{i \to i}$.

– $ReKeyGenLev2(sk_i, sk_j)$: On input a secret key $sk_i$ of public key $pk_i$ and a secret key $sk_j$ of public key $pk_j$, output the re-encryption key $rk^{(2)}_{i \to j}$.

– $ReEncLev1(C_i^{(1)}, rk^{(1)}_{i \to i})$: On input a level 1 re-encryption key $rk^{(1)}_{i \to i}$ and a level 1 ciphertext $C_i^{(1)}$ under $pk_i$, output the new level 2 ciphertext $C_i^{(2)}$ (i.e., a re-encrypted ciphertext) under $pk_i$.

– $ReEncLev2(C_i^{(2)}, rk^{(2)}_{i \to j})$: On input a level 2 re-encryption key $rk^{(2)}_{i \to j}$ and a level 2 ciphertext $C_i^{(2)}$ under $pk_i$, output the new ciphertext $C_j^{(2)}$ under $pk_j$.

– $DecLev1(C_i^{(1)}, sk_i)$: On input a secret key $sk_i$ and any level 1 ciphertext $C_i^{(1)}$ under $pk_i$, output $m$.

– $DecLev2(C_j^{(2)}, sk_j)$: On input a secret key $sk_j$ and any level 2 ciphertext $C_j^{(2)}$ under $pk_j$, output $m$.

In the following, we provide the game-based security definition of PRE.

Definition 2 (PRE-CPCA game, adapted from [5]). Let $\lambda$ be the security parameter and $A$ be the adversary. The game consists of an execution between an adversary $A$ and a challenger $C$ with the following oracles, subject to the constraints below:

1. Setup: The challenger $C$ runs $Setup(\lambda)$ to get a system public parameter $PP$ and a system secret key $SK$, and gives $PP$ to $A$.

2. Query phase 1. $A$ makes the following queries:

– Key generation query $\langle pk_i \rangle$: On input a public key $pk_i$ chosen by the adversary, return the private key $sk_i$ of $pk_i$.

– Re-encryption key generation level 1 query $\langle pk_i \rangle$: On input $pk_i$ by the adversary, return the level 1 re-encryption key $rk^{(1)}_{i \to i}$ to $A$. We only allow this query after a key generation query on $pk_i$.

– Re-encryption key generation level 2 query $\langle pk_i, pk_j \rangle$: On input $pk_i, pk_j$ by the adversary, $A$ is given the level 2 re-encryption key $rk^{(2)}_{i \to j}$.

– Re-encryption level 1 query $\langle C_i^{(1)}, pk_i \rangle$: On input a level 1 ciphertext $C_i^{(1)}$ and a public key $pk_i$, $A$ is given the new level 2 ciphertext $C_i^{(2)}$.

– Re-encryption level 2 query $\langle C_i^{(2)}, pk_i, pk_j \rangle$: On input a level 2 ciphertext $C_i^{(2)}$ under public key $pk_i$ and a public key $pk_j$, $A$ is given the new level 2 ciphertext $C_j^{(2)}$.

– Decryption level 1 query $\langle pk_i, C_i^{(1)} \rangle$: On input a public key $pk_i$ and any level 1 ciphertext $C_i^{(1)}$, the challenger makes a key generation query to get the secret key $sk_i$ of $pk_i$ and decrypts. $A$ is given $m$.

– Decryption level 2 query $\langle pk_j, C_j^{(2)} \rangle$: On input a public key $pk_j$ and any level 2 ciphertext $C_j^{(2)}$, the challenger makes a key generation query on $\langle pk_j \rangle$ to get the secret key $sk_j$ of $pk_j$ and decrypts. $A$ is given $m$.

3. Challenge. $A$ presents $(pk^*, m_0, m_1)$, where $pk^*$ is called the challenge public key. If $\langle pk^* \rangle$ is fresh, the challenger $C$ chooses a bit $b \in \{0,1\}$ and returns the challenge ciphertext $C^* = Enc(pk^*, m_b)$.

$\langle pk^* \rangle$ is fresh if $A$ has made none of the following queries:

– Key generation query $\langle pk^* \rangle$;

– Re-encryption key generation level 1 query $\langle pk^* \rangle$;

– Key generation query $\langle pk \rangle$ or re-encryption key generation level 1 query $\langle pk \rangle$, where $\langle pk \rangle$ is a public key derivative of $\langle pk^* \rangle$.

Public key derivatives of $\langle pk^* \rangle$ are defined recursively as follows:

– $\langle pk^* \rangle$ is a derivative of itself.

– If $\langle pk \rangle$ is a derivative of $\langle pk^* \rangle$ and $\langle pk' \rangle$ is a derivative of $\langle pk \rangle$, then $\langle pk' \rangle$ is a derivative of $\langle pk^* \rangle$.

– If $A$ has queried the level 2 re-encryption key generation oracle on input $\langle pk_i, pk_j \rangle$ or $\langle pk_j, pk_i \rangle$, then $\langle pk_j \rangle$ is a derivative of $\langle pk_i \rangle$.

4. Query phase 2. $A$ continues making queries as in query phase 1, except for the following:

– Key generation query $\langle pk^* \rangle$;

– Re-encryption key generation level 1 query $\langle pk^* \rangle$;

– Key generation query $\langle pk \rangle$ or re-encryption key generation level 1 query $\langle pk \rangle$, where $\langle pk \rangle$ is a public key derivative of $\langle pk^* \rangle$;

– Re-encryption level 2 query $\langle C_i^{(2)}, pk_i, pk_j \rangle$ where one of $\langle pk_i \rangle$ and $\langle pk_j \rangle$ is fresh and the other is not;

– Decryption level 1 query $\langle pk_i, C_i^{(1)} \rangle$ where $\langle pk_i, C_i^{(1)} \rangle$ is a level 1 ciphertext derivative of $(pk^*, C^*)$;

– Decryption level 2 query $\langle pk_i, C_i^{(2)} \rangle$ where $\langle pk_i, C_i^{(2)} \rangle$ is a level 2 ciphertext derivative of $(pk^*, C^*)$.

Here $\langle pk_i, C_i^{(1)} \rangle$ is a level 1 ciphertext derivative of $(pk^*, C^*)$ if $pk_i = pk^*$ and $C_i^{(1)} = C^*$. Let $C^{(2)}_{pk^*} = ReEncLev1(C^*, rk^{(1)}_{pk^* \to pk^*})$ denote the level 2 re-encryption of the challenge ciphertext under $pk^*$. Then $\langle pk_i, C_i^{(2)} \rangle$ is a level 2 ciphertext derivative of $(pk^*, C^*)$ if either $pk_i = pk^*$ and $C_i^{(2)} = C^{(2)}_{pk^*}$, or $C_i^{(2)} = ReEncLev2(C^{(2)}_{pk^*}, rk^{(2)}_{pk^* \to pk_i})$.

5. Guess. $A$ outputs a guess $b'$. If $b' = b$, then the game outputs 1; else it outputs 0.

We say that $A$ wins the PRE-CPCA game with advantage $\epsilon$ if the probability that the game outputs 1 is at least $1/2 + \epsilon$.

Compared with the model of Libert and Vergnaud [11], our security model is stronger in the following aspects:

– In our security model, the adversary is permitted to generate public keys on behalf of the corrupted parties.

– Libert and Vergnaud only considered a static corruption model, in which the challenger generates the public keys of all parties. In contrast, our model allows the adversary to adaptively determine which parties will be compromised.

– Libert and Vergnaud only provided a scheme in a selective public key model, where the target (challenge) public key has to be determined by the challenger at the beginning of the game. In contrast, in our model, the adversary can determine the target (challenge) public key at any time.

3. Chosen Public Key Attack on Libert and Vergnaud's PRE

Libert and Vergnaud [11] presented the first construction of a unidirectional proxy re-encryption scheme with chosen ciphertext security in the standard model. Their system is reminiscent of the public key encryption scheme obtained by applying the Canetti-Halevi-Katz transform to the second selective-ID secure identity-based encryption scheme described in [3]. Unfortunately, as they themselves note, their model does not capture a scenario where adversaries generate public keys on behalf of corrupt parties. In this section, we first review the relevant part of their scheme and then show the chosen public key attack. The idea of the attack is as follows.

In Libert and Vergnaud's scheme [11], user $i$'s public key is defined as $X_i = g^{x_i}$ for a random $x_i$, and the private key is $x_i$. The adversary, after making a key generation query for user $i$ to obtain the private key $x_i$ and the public key $X_i = g^{x_i}$, can choose the challenge public key as $PK^* = (X_i)^a = g^{a x_i}$, where $a$ is randomly chosen. Hence, the adversary can compute the private key of $PK^*$ as $a x_i$ and can therefore decrypt the challenge ciphertext. We note that this attack is not captured in the original model of Libert and Vergnaud's scheme [11]. Nonetheless, it is very natural and realistic in this scenario.
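The attack above, replayed in code. This is an added example, not part of the paper and not Libert and Vergnaud's code: it keeps only what the attack uses from their scheme, namely that a public key has the form $X_i = g^{x_i}$, and runs over a small Schnorr subgroup of $\mathbb{Z}_p^*$ (toy parameters we chose, not secure sizes) in place of $G_1$. A textbook ElGamal-style encryption stands in for the LV encryption to show what the adversary gains, and the challenger's freshness bookkeeping follows the derivative rule of Definition 2. All class and function names are ours.

```python
"""
Added example (not from the paper): the chosen public key attack of Section 3
over a plain discrete-log group. Keys have the LV form X_i = g^{x_i}; a toy
Schnorr subgroup stands in for G_1 and ElGamal-style encryption stands in for
the LV encryption. Names are ours.
"""
import secrets
from collections import deque

P, Q, G = 2039, 1019, 4   # p = 2q + 1 with p, q prime; g = 4 generates the order-q subgroup


def keygen():
    """Honest LV-style key: private x in Z_q^*, public X = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def chosen_public_key(x_i):
    """Adversary: pick a in {2..q-1} and set PK* = X_i^a = g^{a x_i}.
    The private key a*x_i mod q is known to the adversary; a != 1 keeps PK* != X_i."""
    a = secrets.randbelow(Q - 2) + 2
    sk_star = (a * x_i) % Q
    return a, sk_star, pow(G, sk_star, P)


def encrypt(pk, m):
    """ElGamal-style stand-in for Enc under X = g^x: (g^r, m * X^r), m in Z_p^*."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(pow(c1, sk, P), P - 2, P)) % P


class Challenger:
    """Oracle bookkeeping from Definition 2: key generation and level 1 re-key
    queries corrupt a key; a level 2 re-key query on (pk_i, pk_j) or (pk_j, pk_i)
    makes pk_j a derivative of pk_i, transitively. A key is fresh if no
    derivative of it (itself included) was corrupted."""

    def __init__(self):
        self.corrupted = set()
        self.edges = {}

    def keygen_query(self, pk):
        self.corrupted.add(pk)

    def rekey1_query(self, pk):
        self.corrupted.add(pk)

    def rekey2_query(self, pk_i, pk_j):
        self.edges.setdefault(pk_i, set()).add(pk_j)
        self.edges.setdefault(pk_j, set()).add(pk_i)

    def derivatives(self, pk):
        seen, todo = {pk}, deque([pk])
        while todo:
            cur = todo.popleft()
            for nxt in self.edges.get(cur, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen

    def is_fresh(self, pk):
        return not (self.derivatives(pk) & self.corrupted)


def run_attack():
    """Replay the attack. Returns (PK* == X_i^a, PK* judged fresh,
    honest delegatee of X_i judged not fresh, adversary decrypts C*)."""
    chal = Challenger()
    x_i, X_i = keygen()
    chal.keygen_query(X_i)                 # adversary corrupts user i and learns x_i
    a, sk_star, pk_star = chosen_public_key(x_i)
    x_j, X_j = keygen()                    # an honest user j, distinct from the keys above
    while X_j in (X_i, pk_star):
        x_j, X_j = keygen()
    chal.rekey2_query(X_i, X_j)            # X_j becomes a derivative of the corrupted X_i
    related = pk_star == pow(X_i, a, P)
    fresh = chal.is_fresh(pk_star)         # no oracle query links PK* to X_i, so it passes
    j_not_fresh = not chal.is_fresh(X_j)   # the derivative rule does catch the delegation
    m_b = 777                              # constructed challenge message in Z_p^*
    c_star = encrypt(pk_star, m_b)
    return related, fresh, j_not_fresh, decrypt(sk_star, c_star) == m_b


if __name__ == "__main__":
    print(run_attack())
```

The four checks returned by run_attack are the content of the attack: $PK^*$ equals $X_i^a$, the challenger's bookkeeping still judges $PK^*$ fresh because no oracle query ever links it to the corrupted $X_i$ (while an honest key that was linked by a level 2 re-key query is correctly rejected), and the adversary decrypts the challenge with $a x_i$.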

4. Our Construction

In this section, we present our CPCA secure PRE scheme from the q − ABDHE assumption. The idea of our scheme is based on the exponent inversion IBE scheme proposed by Gentry [9].

4.1. Our PRE Scheme

We first describe our scheme and then discuss its properties.

– $Setup(\lambda)$: Let $\lambda$ be the security parameter and $(p, g, G_1, G_2, e)$ be the bilinear map parameters. Let $u = g^x$ and $Y_k = g^{y_k}$ for $k \in \{0,1,2\}$, where $x$ and $\{y_k\}_{k \in \{0,1,2\}}$ are randomly chosen in $Z_p$. Let $H$ be a hash function from a family of universal one-way hash functions. The system secret key is $SK = (\{y_k\}_{k \in \{0,1,2\}}, x)$, and the system public parameter is $PP = (p, g, G_1, G_2, e, u, \{Y_k\}_{k \in \{0,1,2\}}, H)$.

– $KeyGen(PP, SK, pk_i)$: On input a system public parameter $PP$, a system secret key $SK$, and a public key $pk_i \in Z_p$, select random $\{s_{i,k}\}_{k \in \{0,1,2\}}$ in $Z_p$, compute $d_{i,k} = (Y_k g^{-s_{i,k}})^{1/(x - pk_i)}$ for $k \in \{0,1,2\}$, and output $sk_i = \{d_{i,k}, s_{i,k}\}_{k \in \{0,1,2\}}$.

– $ReKeyGenLev1(sk_i)$: On input a secret key $sk_i = \{d_{i,k}, s_{i,k}\}_{k \in \{0,1,2\}}$ of public key $pk_i$, output the re-encryption key $rk^{(1)}_{i \to i} = \{d_{i,k}\}_{k \in \{0,1,2\}}$.

– $ReKeyGenLev2(sk_i, sk_j)$: On input a secret key $sk_i = \{d_{i,k}, s_{i,k}\}_{k \in \{0,1,2\}}$ of public key $pk_i$ and a secret key $sk_j = \{d_{j,k}, s_{j,k}\}_{k \in \{0,1,2\}}$ of public key $pk_j$, output the re-encryption key $rk^{(2)}_{i \to j} = \{s_{i,k} - s_{j,k}\}_{k \in \{0,1,2\}}$.

– $Enc(PP, pk_i, m)$: On input a system public parameter $PP$, a public key $pk_i$ and a message $m \in G_2$, select a random $r \in Z_p$ and compute
$$C_1 = (u\, g^{-pk_i})^r,\quad C_2 = e(g,g)^r,\quad C_3 = m \cdot e(g, Y_0)^r,\quad t = H(C_2, C_3, m),\quad C_4 = e(g, Y_1)^{tr} \cdot e(g, Y_2)^{r}.$$
Output the level 1 ciphertext $C_i^{(1)} = (C_1, C_2, C_3, C_4)$. Notice that encryption does not require any pairing computations once $e(g,g)$ and $e(g, Y_k)$ have been pre-computed. Alternatively, $e(g,g)$ and $e(g, Y_k)$ can be included in the system parameters.

– $ReEncLev1(C_i^{(1)}, rk^{(1)}_{i \to i})$: On input a level 1 ciphertext $C_i^{(1)} = (C_1, C_2, C_3, C_4)$ under $pk_i$ and a level 1 re-encryption key $rk^{(1)}_{i \to i} = \{d_{i,k}\}_{k \in \{0,1,2\}}$, re-encrypt the level 1 ciphertext under $pk_i$ as $C'_{1,k} = e(C_1, d_{i,k})$ for $k \in \{0,1,2\}$, and output the new level 2 ciphertext $C_i^{(2)} = (\{C'_{1,k}\}_{k \in \{0,1,2\}}, C_2, C_3, C_4)$.

– $ReEncLev2(C_i^{(2)}, rk^{(2)}_{i \to j})$: On input a level 2 re-encryption key $rk^{(2)}_{i \to j} = \{s_{i,k} - s_{j,k}\}_{k \in \{0,1,2\}}$ and a level 2 ciphertext $C_i^{(2)} = (\{C'_{1,k}\}_{k \in \{0,1,2\}}, C_2, C_3, C_4)$ under $pk_i$, re-encrypt the ciphertext to be under $pk_j$ as $C''_{1,k} = C'_{1,k} \cdot C_2^{\,s_{i,k} - s_{j,k}}$ for $k \in \{0,1,2\}$, and output the new ciphertext $C_j^{(2)} = (\{C''_{1,k}\}_{k \in \{0,1,2\}}, C_2, C_3, C_4)$.

– $DecLev1(C_i^{(1)}, sk_i)$: On input a secret key $sk_i = \{d_{i,k}, s_{i,k}\}_{k \in \{0,1,2\}}$ and any level 1 ciphertext $C_i^{(1)} = (C_1, C_2, C_3, C_4)$, compute $K = e(C_1, d_{i,0}) \cdot C_2^{\,s_{i,0}}$, $m = C_3 / K$ and $t = H(C_2, C_3, m)$. If $C_4 = e(C_1, d_{i,1}^{\,t} d_{i,2}) \cdot C_2^{\,s_{i,1} t + s_{i,2}}$, then output $m$.

– $DecLev2(C_j^{(2)}, sk_j)$: On input a secret key $sk_j = \{d_{j,k}, s_{j,k}\}_{k \in \{0,1,2\}}$ and any level 2 ciphertext $C_j^{(2)} = (\{C''_{1,k}\}_{k \in \{0,1,2\}}, C_2, C_3, C_4)$, compute $K = C''_{1,0} \cdot C_2^{\,s_{j,0}}$, $m = C_3 / K$ and $t = H(C_2, C_3, m)$. If $C_4 = \big(C''_{1,1} \cdot C_2^{\,s_{j,1}}\big)^{t} \cdot \big(C''_{1,2} \cdot C_2^{\,s_{j,2}}\big)$, then output $m$.

4.2. Security of Our PRE

In this subsection, we prove the CPCA security of our scheme without random oracles. Our PRE scheme works in an adaptive corruption model in which the adversary determines the corrupted parties adaptively (through key generation queries) and chooses the public keys at will when making those queries. Additionally, we also allow the adversary to adaptively query the re-encryption and decryption oracles.

Theorem 1. Let $q = q_k + 1$, where $q_k$ is the number of key generation queries. If the truncated q-ABDHE assumption holds, then our PRE scheme is PRE-CPCA secure in the standard model.

Proof. Suppose there exists a polynomial-time adversary $A$ that can attack our scheme in the standard model, and let $q_k$ be the number of key generation queries it makes. We build a simulator $B$ that plays the q-ABDHE game. The simulation proceeds as follows.

We first let the challenger set the groups $G_1$ and $G_2$ with an efficient bilinear map $e$ and a generator $g$ of $G_1$. Simulator $B$ receives a q-ABDHE instance $(g, g^x, g^{x^2}, \ldots, g^{x^q}, g^z, g^{zx^{q+2}}, T)$ and has to distinguish $T = e(g,g)^{zx^{q+1}}$ from a random element of $G_2$.

1. Setup: Let $\lambda$ be the security parameter and $(p, g, G_1, G_2, e)$ be the bilinear map parameters. Let $H$ be a hash function from a family of universal one-way hash functions. $B$ takes $u = g^x$ from the instance, picks three random degree-$q$ polynomials $f_k(X)$, $k \in \{0,1,2\}$, and defines $Y_k = g^{f_k(x)}$, which it can compute from $g, g^x, \ldots, g^{x^q}$. This implicitly defines the system secret key values as $y_k = f_k(x)$, $k \in \{0,1,2\}$. $B$ sends the system public parameter $PP = (p, g, G_1, G_2, e, u, \{Y_k\}_{k \in \{0,1,2\}}, H)$ to $A$.

2. Query phase 1. $A$ makes the following queries:

– Key generation query $\langle pk_i \rangle$: $A$ chooses $pk_i$ as she likes. $B$ sets $s_{i,k} = f_k(pk_i)$ for $k \in \{0,1,2\}$, computes $d_{i,k} = g^{(f_k(x) - f_k(pk_i))/(x - pk_i)}$, stores $pk_i$ and $sk_i$, and outputs $sk_i = \{d_{i,k}, s_{i,k}\}_{k \in \{0,1,2\}}$ to $A$. Note that $(f_k(X) - f_k(pk_i))/(X - pk_i)$ is a polynomial of degree $q - 1$ in $X$, so $d_{i,k}$ can be computed from $g, g^x, \ldots, g^{x^q}$ without knowing $x$, and $d_{i,k} = (Y_k g^{-s_{i,k}})^{1/(x - pk_i)}$ is a correctly formed key. When $q = q_k + 1$, the values $\{s_{i,k} = f_k(pk_i)\}_{k \in \{0,1,2\}}$ are random from $A$'s view, since the $f_k(X)$ are random degree-$q$ polynomials.

– Re-encryption key generation level 1 query $\langle pk_i \rangle$: If $A$ never made a key generation query on $pk_i$, $B$ first makes one itself. $B$ outputs the re-encryption key $rk^{(1)}_{i \to i} = \{d_{i,k}\}_{k \in \{0,1,2\}}$.

– Re-encryption key generation level 2 query $\langle pk_i, pk_j \rangle$: If $A$ never made a key generation query on $pk_i$ or $pk_j$, $B$ first makes the missing key generation queries itself. $B$ outputs the re-encryption key $rk^{(2)}_{i \to j} = \{s_{i,k} - s_{j,k}\}_{k \in \{0,1,2\}}$.

– Re-encryption level 1 query $\langle C_i^{(1)}, pk_i \rangle$: On input a level 1 ciphertext $C_i^{(1)} = (C_1, C_2, C_3, C_4)$ under $pk_i$, $B$ obtains the level 1 re-encryption key $rk^{(1)}_{i \to i} = \{d_{i,k}\}_{k \in \{0,1,2\}}$ as above, re-encrypts the ciphertext under $pk_i$ as $C'_{1,k} = e(C_1, d_{i,k})$, and outputs the new level 2 ciphertext $C_i^{(2)} = (\{C'_{1,k}\}_{k \in \{0,1,2\}}, C_2, C_3, C_4)$.

– Re-encryption level 2 query $\langle C_i^{(2)}, pk_i, pk_j \rangle$: On input a level 2 ciphertext $C_i^{(2)} = (\{C'_{1,k}\}_{k \in \{0,1,2\}}, C_2, C_3, C_4)$ under $pk_i$, $B$ obtains the level 2 re-encryption key $rk^{(2)}_{i \to j} = \{s_{i,k} - s_{j,k}\}_{k \in \{0,1,2\}}$, re-encrypts the ciphertext to be under $pk_j$ as $C''_{1,k} = C'_{1,k} \cdot C_2^{\,s_{i,k} - s_{j,k}}$, and outputs the new ciphertext $C_j^{(2)} = (\{C''_{1,k}\}_{k \in \{0,1,2\}}, C_2, C_3, C_4)$.

– Decryption level 1 query $\langle pk_i, C_i^{(1)} \rangle$: On input any level 1 ciphertext $C_i^{(1)} = (C_1, C_2, C_3, C_4)$ under $pk_i$, $B$ obtains the secret key $sk_i = \{d_{i,k}, s_{i,k}\}_{k \in \{0,1,2\}}$ as above and computes $K = e(C_1, d_{i,0}) \cdot C_2^{\,s_{i,0}}$, $m = C_3 / K$ and $t = H(C_2, C_3, m)$. If $C_4 = e(C_1, d_{i,1}^{\,t} d_{i,2}) \cdot C_2^{\,s_{i,1} t + s_{i,2}}$, then $B$ outputs $m$.

– Decryption level 2 query $\langle pk_j, C_j^{(2)} \rangle$: On input any level 2 ciphertext $C_j^{(2)} = (\{C''_{1,k}\}_{k \in \{0,1,2\}}, C_2, C_3, C_4)$ under $pk_j$, $B$ obtains the secret key $sk_j = \{d_{j,k}, s_{j,k}\}_{k \in \{0,1,2\}}$ and computes $K = C''_{1,0} \cdot C_2^{\,s_{j,0}}$, $m = C_3 / K$ and $t = H(C_2, C_3, m)$. If $C_4 = \big(C''_{1,1} \cdot C_2^{\,s_{j,1}}\big)^{t} \cdot \big(C''_{1,2} \cdot C_2^{\,s_{j,2}}\big)$, then $B$ outputs $m$.

3. Challenge. $A$ presents $(pk^*, m_0, m_1)$, where $pk^*$ is the challenge public key and $m_0, m_1 \in G_2$. If the challenge public key satisfies the restrictions of Definition 2, $B$ responds by choosing a random bit $b \in \{0,1\}$ and setting $s_k^* = f_k(pk^*)$ for $k \in \{0,1,2\}$. $B$ then computes $d_k^* = g^{(f_k(x) - f_k(pk^*))/(x - pk^*)}$. It defines the degree-$(q+1)$ polynomial
$$F^*(X) = \frac{X^{q+2} - (pk^*)^{q+2}}{X - pk^*} = \sum_{i=0}^{q+1} F_i^* X^i$$
and computes
$$C_1^* = g^{zx^{q+2}} \cdot (g^z)^{-(pk^*)^{q+2}},\quad C_2^* = T \cdot e\Big(g^z, \prod_{i=0}^{q} g^{F_i^* x^i}\Big),\quad C_3^* = m_b \cdot e(C_1^*, d_0^*) \cdot (C_2^*)^{s_0^*},$$
$$t^* = H(C_2^*, C_3^*, m_b),\quad C_4^* = e\big(C_1^*, (d_1^*)^{t^*} d_2^*\big) \cdot (C_2^*)^{s_1^* t^* + s_2^*},$$
and outputs the challenge ciphertext $C^* = (C_1^*, C_2^*, C_3^*, C_4^*)$. Let $r^* = z F^*(x)$. If $T = e(g,g)^{zx^{q+1}}$, then (using $F^*_{q+1} = 1$) $C_1^* = g^{(x - pk^*) r^*}$, $C_2^* = e(g,g)^{r^*}$, $C_3^* = m_b \cdot e(g, Y_0)^{r^*}$ and $C_4^* = e(g, Y_1)^{t^* r^*} \cdot e(g, Y_2)^{r^*}$, so $C^*$ is a correctly distributed encryption of $m_b$ under $pk^*$.

4. Query phase 2. $A$ continues making queries as in query phase 1, subject to the restrictions of Definition 2.

5. Guess. Finally, $A$ outputs a guess $b'$. If $b' = b$, then $B$ outputs 1; otherwise $B$ outputs 0.

Probability analysis: If $T = e(g,g)^{zx^{q+1}}$, then the simulation is perfect, and $A$ guesses the bit $b$ correctly with probability $1/2 + \epsilon$. Otherwise, $T$ is uniformly random, and thus $(C_1^*, C_2^*)$ is a uniformly random and independent pair. In this case, the inequality $C_2^* \neq e(C_1^*, g)^{1/(x - pk^*)}$ holds with probability $1 - 1/p$. When this inequality holds, the value
$$K^* = e(C_1^*, d_0^*) \cdot (C_2^*)^{s_0^*} = e\big(C_1^*, Y_0^{1/(x - pk^*)}\big) \cdot \Big(C_2^* \big/ e(C_1^*, g)^{1/(x - pk^*)}\Big)^{s_0^*}$$
is uniformly random and independent from $A$'s view (except through the value $C_3^*$), since the base of the second factor is different from 1 and $s_0^*$ is uniformly random and independent from $A$'s view (when $q = q_k + 1$, the values $\{s_k^* = f_k(pk^*)\}_{k \in \{0,1,2\}}$ are random from $A$'s view, because a random degree-$q$ polynomial is not determined by the $q_k = q - 1$ evaluations $A$ has obtained). Thus $C_3^*$ is uniformly random and independent, and $(C_1^*, C_2^*, C_3^*)$ reveals no information about the bit $b$.
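The simulator's key generation step above, as an added worked example that is not part of the paper. The simulator holds only $g, g^x, \ldots, g^{x^q}$ and a random degree-$q$ polynomial $f$, answers a key query on $pk$ with $s = f(pk)$ and $d = g^{(f(x) - f(pk))/(x - pk)}$, and the point being exercised is that the exponent is the quotient polynomial of degree $q - 1$, whose coefficients come from synthetic division, so $d$ is a product of powers of the instance elements. The code runs this over a small Schnorr subgroup of $\mathbb{Z}_p^*$ (toy parameters we chose, not secure sizes) in place of $G_1$, and uses the real $x$ only to check the output against the scheme's KeyGen relation $d = (Y_k g^{-s})^{1/(x - pk)}$. Function names are ours; the group order is written $Q$ and the polynomial degree `deg` to keep them apart from the paper's $p$ and $q$.

```python
"""
Added example (not from the paper): the simulator's key generation step in the
proof of Theorem 1. The simulator knows g, g^x, ..., g^{x^deg} (from the
q-ABDHE instance; deg plays the paper's q) and a random degree-deg polynomial
f, but not x. For a key query on pk it sets s = f(pk) and
d = g^{(f(x) - f(pk))/(x - pk)}; the exponent is the quotient polynomial F(X)
of degree deg - 1, so d = prod_j (g^{x^j})^{F_j}.
Toy Schnorr subgroup parameters (not secure sizes) stand in for G_1; names
are ours. The secret x is used only to check the result.
"""
import secrets

P, Q, G = 2039, 1019, 4   # p = 2q + 1 with p, q prime; g = 4 generates the order-q subgroup


def poly_eval(coeffs, x):
    """f(x) over Z_q; coeffs in ascending order, coeffs[j] is the X^j coefficient."""
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q


def divide_by_linear(coeffs, a):
    """Synthetic division of f(X) by (X - a) over Z_q -> (quotient, remainder).
    The remainder equals f(a), so quotient == (f(X) - f(a)) / (X - a) exactly."""
    quotient = [0] * (len(coeffs) - 1)
    carry = 0
    for j in range(len(coeffs) - 1, 0, -1):
        carry = (coeffs[j] + carry * a) % Q
        quotient[j - 1] = carry
    remainder = (coeffs[0] + carry * a) % Q
    return quotient, remainder


def abdhe_powers(x, deg):
    """The part of the instance the simulator uses: [g, g^x, ..., g^{x^deg}]."""
    return [pow(G, pow(x, j, Q), P) for j in range(deg + 1)]


def simulated_keygen(powers, f, pk):
    """Simulator B answering a key generation query on pk without knowing x."""
    F, s = divide_by_linear(f, pk)          # s = f(pk); F(X) = (f(X) - f(pk)) / (X - pk)
    d = 1
    for j, coeff in enumerate(F):           # g^{F(x)} assembled from the g^{x^j}
        d = d * pow(powers[j], coeff, P) % P
    return s, d


def matches_real_keygen(x, f, pk, s, d):
    """Check the scheme's relation d = (Y g^{-s})^{1/(x - pk)}, rewritten as
    d^{x - pk} * g^{s} == Y with Y = g^{f(x)}; this is the only place x is used."""
    Y = pow(G, poly_eval(f, x), P)
    return pow(d, (x - pk) % Q, P) * pow(G, s, P) % P == Y


def demo(deg=4, queries=(5, 17, 1000)):
    """Answer deg - 1 key queries (the paper's q = q_k + 1) and verify each key."""
    x = secrets.randbelow(Q - 1) + 1
    while x in queries:                      # the scheme needs x != pk so 1/(x - pk) exists
        x = secrets.randbelow(Q - 1) + 1
    f = [secrets.randbelow(Q) for _ in range(deg + 1)]   # random degree-deg polynomial
    powers = abdhe_powers(x, deg)
    for pk in queries:
        s, d = simulated_keygen(powers, f, pk)
        if s != poly_eval(f, pk) or not matches_real_keygen(x, f, pk, s, d):
            return False
    return True


if __name__ == "__main__":
    print(demo())
```

With deg = 4 and three queries the simulator hands out three evaluations of a degree-4 polynomial, which is exactly the situation the proof relies on: the value $f(pk^*)$ at a fresh challenge key is still undetermined from the adversary's view.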

5. Performance Comparison

In this section, we compare our scheme with the existing PRE scheme without random oracles from the literature. We denote by LV the unidirectional proxy re-encryption scheme with chosen ciphertext security in the standard model proposed by Libert and Vergnaud [11]. We denote by $t_p$, $t_e$, $t_s$ and $t_v$ the computational cost of a bilinear pairing, an exponentiation in a bilinear group, a one-time signature generation and a one-time signature verification, respectively. Notice that encryption in our scheme does not require any pairing computations once $e(g,g)$ and $e(g, Y_k)$ have been pre-computed. Let $G_1$ and $G_2$ be the bilinear groups, and let $svk$ and $\sigma$ be the one-time signature's public key and signature. The result of the comparison is outlined in Table 1.

From Table 1 it is observed that our PRE scheme from Section 4 has performance comparable to that of Libert and Vergnaud's construction, while working in an adaptive corruption and chosen public key attack model in which the adversary adaptively determines the corrupted parties through the public keys it chooses.

Table 1. Comparison among PRE schemes without random oracles

                               LV                                Our scheme
Enc compute cost               3.5 t_e + t_s                     5 t_e
ReEnc compute cost             2 t_p + 4 t_e + t_s               3 t_p + 3 t_e
Level 1 Dec compute cost       3 t_p + 2 t_e + t_v               2 t_p + 3 t_e
Level 2 Dec compute cost       5 t_p + 2 t_e + t_v               2.5 t_e
Level 1 ciphertext size        |svk| + 2|G_1| + |G_2| + |σ|      |G_1| + 3|G_2|
Level 2 ciphertext size        |svk| + 4|G_1| + |G_2| + |σ|      6|G_2|
Adaptive corruptions           ×                                 √
Selective model                √                                 ×
CPCA                           ×                                 √

6. Conclusion

In this paper, we have shown that Libert and Vergnaud's scheme is insecure against a chosen public key attack. We then presented a new construction of a proxy re-encryption scheme that is chosen ciphertext and chosen public key secure in the standard model.

7. References

[1] G. Ateniese, K. Fu, M. Green, and S. Hohenberger. Improved proxy re-encryption schemes with applications to secure distributed storage. In Proc. NDSS 2005, Internet Society, pp. 29–43. (2005)

[2] M. Blaze, G. Bleumer, and M. Strauss. Divertible protocols and atomic proxy cryptography. In Proc. EUROCRYPT 1998, LNCS 1403, Springer-Verlag, pp. 127–144. (1998)

[3] D. Boneh and X. Boyen. Efficient selective-ID secure identity-based encryption without random oracles. In Proc. EUROCRYPT 2004, LNCS 3027, Springer-Verlag, pp. 223–238. (2004)

[4] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In Proc. CRYPTO 2001, LNCS 2139, Springer-Verlag, pp. 213–229. (2001)

[5] R. Canetti and S. Hohenberger. Chosen-ciphertext secure proxy re-encryption. In Proc. 14th ACM Conference on Computer and Communications Security (CCS 2007), ACM, pp. 185–194. (2007)

[6] R. Canetti, H. Krawczyk and J. B. Nielsen. Relaxing chosen-ciphertext security. In Proc. CRYPTO 2003, LNCS 2729, Springer-Verlag, pp. 565–582. (2003)

[7] C. Chu and W. Tzeng. Identity-based proxy re-encryption without random oracles. In Proc. ISC 2007, LNCS 4779, Springer-Verlag, pp. 189–202. (2007)

[8] R. H. Deng, J. Weng, S. Liu, and K. Chen. Chosen-ciphertext secure proxy re-encryption without pairings. In Proc. CANS 2008, LNCS 5339, Springer-Verlag, pp. 1–17. (2008)

[9] C. Gentry. Practical identity-based encryption without random oracles. In Proc. EUROCRYPT 2006, LNCS 4004, Springer-Verlag, pp. 445–464. (2006)

[10] M. Green and G. Ateniese. Identity-based proxy re-encryption. In Proc. ACNS 2007, LNCS 4521, Springer-Verlag, pp. 288–306. (2007). Full version: Cryptology ePrint Archive, Report 2006/473.

[11] B. Libert and D. Vergnaud. Unidirectional chosen-ciphertext secure proxy re-encryption. In Proc. PKC 2008, LNCS 4939, Springer-Verlag, pp. 360–379. (2008)

[12] B. Libert and D. Vergnaud. Tracing malicious proxies in proxy re-encryption. In Proc. Pairing 2008, LNCS 5209, Springer-Verlag, pp. 332–353. (2008)

[13] T. Matsuo. Proxy re-encryption systems for identity-based encryption. In Proc. Pairing 2007, LNCS 4575, Springer-Verlag, pp. 247–267. (2007)

[14] T. Matsuda, R. Nishimaki, and K. Tanaka. CCA proxy re-encryption without bilinear maps in the standard model. In Proc. PKC 2010, LNCS 6056, Springer-Verlag, pp. 261–278. (2010)

[15] J. Lai, W. Zhu, R. Deng, S. Liu, and W. Kou. New constructions for identity-based unidirectional proxy re-encryption. Journal of Computer Science and Technology, Vol. 25, No. 4, pp. 793–806. (2010)

[16] J. Shao and Z. Cao. CCA-secure proxy re-encryption without pairings. In Proc. PKC 2009, LNCS 5443, Springer-Verlag, pp. 357–376. (2009)
