
Efficient conditional proxy re-encryption with chosen ciphertext security

TLDR
An efficient C-PRE scheme is proposed that uses substantially fewer bilinear pairings than the existing one, and its chosen-ciphertext security is proved under the modified Computational Diffie-Hellman (mCDH) and modified Computational Bilinear Diffie-Hellman (mCBDH) assumptions in the random oracle model.
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
DOI: 10.5121/ijnsa.2012.4214








S. Sree Vivek¹, S. Sharmila Deva Selvi¹, V. Radhakishan², C. Pandu Rangan¹
¹ Department of Computer Science and Engineering, Indian Institute of Technology Madras
svivek@cse.iitm.ac.in, sharmila@cse.iitm.ac.in, prangan@iitm.ac.in
² National Institute of Technology Trichy, India
vrkishan@gmail.com
ABSTRACT
In a proxy re-encryption (PRE) scheme, Alice gives special information to a proxy that allows it to
transform messages encrypted under Alice's public key into an encryption under Bob's public key such that
the message is not revealed to the proxy. In [14], Jian Weng and others introduced the notion of
conditional proxy re-encryption (C-PRE) with bilinear pairings. Later, a break for the same was
published in [17] and a new C-PRE scheme with bilinear pairings was introduced. In C-PRE, the proxy
also needs to have the right condition key to transform the ciphertext (associated with a condition set by
Alice) under Alice's public key into ciphertext under Bob's public key, so that Bob can decrypt it. In this
paper, we propose an efficient C-PRE scheme which uses substantially fewer bilinear pairings
than the existing one [17]. We then prove its chosen-ciphertext security under modified
Computational Diffie-Hellman (mCDH) and modified Computational Bilinear Diffie-Hellman (mCBDH)
assumptions in the random oracle model.
KEYWORDS
Random Oracle Model, Proxy Re-Cryptography, Conditional Proxy Re-encryption, Chosen Ciphertext
Security.
1. INTRODUCTION
Encryption is used as a building block of any application requiring confidentiality. Let $pk_i$ and
$pk_j$ be two independent public keys. As pointed out by Mambo and Okamoto in [15], it is a
common situation in practice that data encrypted under $pk_i$ is required to be encrypted under
$pk_j$ ($j \neq i$). When the holder of $sk_i$ is online, $E_i(m)$ is decrypted using $sk_i$ and then message m is
encrypted under $pk_j$, giving $E_j(m)$. But in many applications like encrypted mail forwarding,
secure distributed file systems, and outsourced filtering of encrypted spam, when the holder of
$sk_i$ is not online, this has to be done by an untrusted party.
In 1998 Blaze, Bleumer, and Strauss [9] introduced the concept of proxy re-encryption (PRE).
A re-encryption key ($rk_{i,j}$) is given to a potentially untrusted proxy so that the proxy can
transform a message m encrypted under public key $pk_i$ into an encryption of the same message
m under a different public key $pk_j$ without knowing the message. A PRE scheme can be of two
types: unidirectional and bidirectional. The former is a scheme in which a re-encryption key
($rk_{i,j}$) can be used to transform from $pk_i$ to $pk_j$ but not vice versa, and the latter is a scheme in
which the same re-encryption key ($rk_{i,j}$) can be used to transform from $pk_i$ to $pk_j$ and vice
versa. The re-encryption algorithm can be of two types: single hop, in which the re-encrypted
ciphertext cannot be further re-encrypted, and multi hop, in which the re-encrypted ciphertext
can be further re-encrypted.

PRE can be used in many applications, including simplification of key distribution [9], key
escrow [13], multicast [19], distributed file systems [3, 5], security in publish/subscribe systems
[4], secure certified email mailing lists [20, 23], the DRM of Apple's iTunes [22], interoperable
architecture of DRM [21], access control [11], and privacy for public transportation [7].
Hohenberger and others published a result of securely obfuscating re-encryption [16], which is
the first positive result for obfuscating an encryption functionality. Shao and Cao have proposed
a unidirectional PRE scheme without pairing [2]. Matthew Green and Giuseppe Ateniese have
proposed a PRE scheme for ID-based cryptosystems [18].
Ran Canetti and Susan Hohenberger proposed a definition of security against chosen-ciphertext
attacks for PRE schemes and presented a scheme that satisfied the definition [1]. In 2009, Jian
Weng and others [14] introduced the concept of C-PRE, whereby Alice has a fine-grained
control over the delegation. As a result, Alice can flexibly assign Bob the decryption capability
based on the conditions attached to the messages using a proxy. For example, suppose Alice is
on a vacation. She can let Bob read only those messages which have the keyword “urgent”
in their subject. This flexible delegation is obviously not possible with PRE schemes. In this
paper, two separate keys are used - a partial re-encryption key and a condition key. The message
can be delegated by the proxy only if both the keys are known.
Later in 2009, Jian Weng and others published a break of the scheme in [14] and gave a new
scheme for C-PRE [17], which combines the re-encryption key and the condition key into a
single key, which is then used for re-encryption. Also Cheng-Kang Chu and others in [8]
introduced a generalized version of C-PRE named conditional proxy broadcast re-encryption
(CPBRE), in which the proxy can re-encrypt the ciphertexts for a set of users at a time.
In this paper, we propose an efficient C-PRE scheme (single-hop and unidirectional) which uses
significantly fewer bilinear pairings when compared to the existing schemes in [14]
and [17]. Our scheme, as in [14], uses two separate keys for re-encryption.
1.1. Our Results
Let us briefly describe a C-PRE scheme. A C-PRE scheme involves a delegator (say user $U_i$), a
delegatee (say user $U_j$) and a proxy. A message sent to $U_i$ with condition w is encrypted by the
sender using both $U_i$'s public key and w. To re-encrypt the message to $U_j$, the proxy is given the
re-encryption key ($rk_{i,j}$) and the condition key ($ck_{i,w}$) corresponding to w. Both the keys can be
generated only by $U_i$. These two keys form the secret trapdoor to be used by the proxy to
perform translation. The proxy will not be able to re-encrypt ciphertexts for which the right
condition key is not available. Thus $U_i$ can flexibly assign $U_j$ the decryption rights by setting
condition keys properly. The scheme works in practice as follows: the message encrypted for $U_i$
is first handled by the proxy, and under appropriate conditions the proxy transforms the ciphertext
into a ciphertext for $U_j$. However, the proxy will obtain no information about the original message.
While it is somewhat easier to design a PRE without pairing, designing C-PRE requires pairing
based operations crucially. We have used a few constructions from [12] which drastically
reduce the number of bilinear pairings. Table 1 compares the number of bilinear pairings and
exponentiations between the scheme in [17] and our scheme.
Table 1. Computational Complexity Comparison

Algorithm            Scheme in [17]    Our Scheme
                     BP     EXP        BP     EXP
Encryption case 1    1      4          0      0
Encryption case 2    1      3          1      6
Re-Encryption        3      4          1      3
Decryption case 1    3      3          1      4
Decryption case 2    1      1          0      6
Total                9      15         3      19

BP: Bilinear Pairings, EXP: Exponentiations.

Encryption case 1 refers to the encryption without the condition. Encryption case 2 refers to the
encryption with the condition. Decryption case 1 refers to the decryption of the re-encrypted
ciphertext (first level ciphertext) and Decryption case 2 refers to the decryption of the encrypted
ciphertext (second level ciphertext).
Although the number of exponentiations in our scheme is slightly more, it is insignificant when
compared to the reduction in number of bilinear pairings. Thus, our scheme is more efficient
than the existing one. We then formally prove the security of our scheme. We have slightly
modified the security model in [14], as discussed in Section 3.
The C-PRE scheme in [14] has a break as given in [17]. Scheme in [17] has combined the two
keys into a single key. Having the keys separate has an advantage. The delegation power of the
proxy can be controlled. One of the two keys can be given to the proxy for partial re-encryption
and the other key can be given to a third party for full re-encryption. Since the scheme in [14]
has a break, our scheme is the only existing scheme having this unique property.
2. PRELIMINARIES
Bilinear Groups and Bilinear Pairings: Let $\mathbb{G}$ and $\mathbb{G}_T$ be two cyclic multiplicative groups
with the same prime order q. A bilinear pairing is a map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ with the following
properties.
Bilinearity: We have $\hat{e}(g_1^a, g_2^b) = \hat{e}(g_1, g_2)^{ab}$ for all $g_1, g_2 \in \mathbb{G}$ and all $a, b \in \mathbb{Z}_q^*$;
Non-degeneracy: There exist $g_1, g_2 \in \mathbb{G}$ such that $\hat{e}(g_1, g_2) \neq 1$;
Computability: There exists an efficient algorithm to compute $\hat{e}(g_1, g_2)$ for all $g_1, g_2 \in \mathbb{G}$.
Modified Computational Diffie-Hellman Problem: Let $\mathbb{G}$ be a cyclic multiplicative group
with a prime order q. Let g be the generator of $\mathbb{G}$. The mCDH problem in $\mathbb{G}$ is as follows:
Given $(g, g^{1/a}, g^a, g^b)$ for some $a, b \in \mathbb{Z}_q^*$, compute $W = g^{ab}$. An algorithm has an
advantage ε in solving mCDH in $\mathbb{G}$ if
$$\Pr\left[(g, g^{1/a}, g^a, g^b) = g^{ab}\right]$$
where the probability is over the random choice of $a, b \in \mathbb{Z}_q^*$, the random choice of $g \in \mathbb{G}$ and
the random bits of the algorithm.
Modified Computational Bilinear Diffie-Hellman Problem: Let $\mathbb{G}$ and $\mathbb{G}_T$ be two cyclic
multiplicative groups with the same prime order q. Let $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be an admissible
bilinear map and let g be the generator of $\mathbb{G}$. The mCBDH problem in ($\mathbb{G}$, $\mathbb{G}_T$, e) is as follows:
Given $(g, g^{1/a}, g^a, g^b, g^c)$ for some $a, b, c \in \mathbb{Z}_q^*$, compute $W = \hat{e}(g, g)^{abc} \in \mathbb{G}_T$. An algorithm
has an advantage ε in solving mCBDH in ($\mathbb{G}$, $\mathbb{G}_T$, e) if
$$\Pr\left[(g, g^{1/a}, g^a, g^b, g^c) = \hat{e}(g, g)^{abc}\right]$$
where the probability is over the random choice of $a, b, c \in \mathbb{Z}_q^*$, the random choice of $g \in \mathbb{G}$
and the random bits of the algorithm.
3. MODEL OF CONDITIONAL PROXY RE-ENCRYPTION
We give the definitions and security notions for C-PRE systems in this section.
3.1. Definition of C-PRE systems
A unidirectional C-PRE scheme consists of seven algorithms which are described as follows:

Global Setup (λ): The global setup algorithm takes a security parameter λ as input and outputs
the global parameters param. The parameters in param are implicitly given as input to the
following algorithms.
KeyGen (i): The key generation algorithm takes the user index i as input and generates a public
key ($pk_i$) and a secret key ($sk_i$) for user $U_i$.
ReKeyGen ($sk_i$, $pk_j$): The partial re-encryption key generation algorithm takes a secret key $sk_i$
and another public key $pk_j$ as input and outputs the partial re-encryption key $rk_{i,j}$. This
algorithm is run by $U_i$. Here $sk_j$ is not taken as input, which indeed makes the scheme
unidirectional.
CKeyGen ($sk_i$, w): The condition key generation algorithm takes a secret key $sk_i$ and a
condition w as input and outputs the condition key $ck_{i,w}$. This algorithm is run by $U_i$.
Encrypt (pk, m, w): The encryption algorithm takes a public key pk, a message m and a
condition w as input and outputs the ciphertext ζ associated with w under pk. Here m
where denotes the message space.
ReEncrypt ($rk_{i,j}$, $ck_{i,w}$, $\zeta_i$): The re-encryption algorithm takes a partial re-encryption key
$rk_{i,j}$, a condition key $ck_{i,w}$ associated with condition w and a ciphertext $\zeta_i$ under the public key
$pk_i$ as input and outputs the re-encrypted ciphertext $\zeta_j$ under the public key $pk_j$. This algorithm is
run by the proxy.
Decrypt (sk, ζ): The decryption algorithm takes a secret key sk and a ciphertext ζ as input and
outputs either a message m or the error symbol .
Correctness: For any m , any condition w, any ($pk_i$, $sk_i$) KeyGen (i), ($pk_j$, $sk_j$)
KeyGen (j), and
$\zeta_i$ = Encrypt ($pk_i$, m, w),
Pr [Decrypt($sk_i$, $\zeta_i$) = m] = 1, and
Pr [Decrypt($sk_j$, ReEncrypt ($rk_{i,j}$, $ck_{i,w}$, $\zeta_i$)) = m] = 1,
while for any other condition w and user j with w w and j j, we have
Pr [Decrypt($sk_j$, ReEncrypt ($rk_{i,j}$, $ck_{i,w}$, $\zeta_i$)) = ] = 1 − neg(λ)
Pr [Decrypt($sk_j$, ReEncrypt ($rk_{i,j}$, $ck_{i,w}$, $\zeta_i$)) = ] = 1 − neg(λ).
3.2 Security Notions
The following game between an adversary and a challenger is used to define the semantic
security of our C-PRE scheme against chosen ciphertext attacks.
Setup. The challenger takes a security parameter λ, runs the algorithm GlobalSetup(λ) and gives the
resulting global parameters param to the adversary $\mathcal{A}$.
Phase 1. $\mathcal{A}$ adaptively issues queries $q_1, \ldots, q_m$ where $q_i$ is one of the following:
Uncorrupted key generation query: The challenger first runs algorithm KeyGen (i) to obtain the
public/secret key pair ($pk_i$, $sk_i$), and then gives $pk_i$ to $\mathcal{A}$.
Corrupted key generation query: The challenger first runs algorithm KeyGen (j) to obtain the
public/secret key pair ($pk_j$, $sk_j$), and then gives ($pk_j$, $sk_j$) to $\mathcal{A}$.
Partial re-encryption key generation query ($pk_i$, $pk_j$): The challenger runs the algorithm
ReKeyGen($sk_i$, $pk_j$) and returns the generated re-encryption key $rk_{i,j}$ to $\mathcal{A}$. Here $sk_i$ is the
secret key corresponding to $pk_i$.
Condition key generation query ($pk_i$, w): The challenger runs the algorithm CKeyGen($sk_i$, w) and
returns the generated condition key $ck_{i,w}$ to $\mathcal{A}$.

Re-encryption query ($pk_i$, $pk_j$, w, $\zeta_i$): The challenger runs the algorithm
ReEncrypt(ReKeyGen($sk_i$, $pk_j$), CKeyGen($sk_i$, w), $\zeta_i$) and returns the generated ciphertext $\zeta_j$
to the adversary $\mathcal{A}$.
Decryption query (pk, w, ζ) or (pk, ζ): The challenger runs the algorithm Decrypt(sk, ζ) and returns its
result to $\mathcal{A}$. Here (pk, w, ζ) and (pk, ζ) are queries on original ciphertexts and re-encrypted
ciphertexts respectively.
For the last four queries it is required that pk, $pk_i$ and $pk_j$ are generated beforehand by the
KeyGen algorithm.
Challenge. Once the adversary $\mathcal{A}$ decides Phase 1 is over, it outputs a target public key $pk_{i^*}$, a target
condition $w^*$ and two equal-length plaintexts $m_0$, $m_1$. The challenger flips a random coin
$\delta \in \{0, 1\}$, and sets the challenge ciphertext to be $\zeta^*$ = Encrypt($pk_{i^*}$, $m_\delta$, $w^*$), which is sent to $\mathcal{A}$.
Phase 2: $\mathcal{A}$ adaptively issues queries as in Phase 1, and the challenger answers them as before.
Guess: Finally, $\mathcal{A}$ outputs a guess $\delta' \in \{0, 1\}$ and wins the game if δ′ = δ. Adversary $\mathcal{A}$ is
subject to the following restrictions during the above game.
1. $\mathcal{A}$ cannot issue corrupted key generation queries on i* to obtain the target secret key $sk_{i^*}$.
2. $\mathcal{A}$ can issue decryption queries on neither ($pk_{i^*}$, $w^*$, $\zeta^*$) nor
($pk_j$, ReEncrypt($rk_{i^*,j}$, $ck_{i^*,w^*}$, $\zeta^*$)).
3. $\mathcal{A}$ cannot issue re-encryption queries on ($pk_{i^*}$, $pk_j$, $w^*$, $\zeta^*$) if $pk_j$ appears in a previous
corrupted key generation query.
4. $\mathcal{A}$ cannot obtain the partial re-encryption key $rk_{i^*,j}$ if $pk_j$ appears in a previous corrupted
key generation query.
We refer to the above adversary as an IND-CPRE-CCA adversary. The advantage of the adversary $\mathcal{A}$ in attacking
our CPRE scheme is defined as
$$\mathrm{Adv}^{\text{IND-CPRE-CCA}}_{\text{C-PRE},\,\mathcal{A}} = \left|\Pr[\delta' = \delta] - 1/2\right|$$
where the probability is
taken over the random coins consumed by the adversary and the challenger. As in [14], we also
distinguish between two types of IND-CPRE-CCA adversaries as follows:
Type I IND-CPRE-CCA adversary: In the game, adversary $\mathcal{A}$ does not obtain the
re-encryption key $rk_{i^*,j}$ with $pk_j$ corrupted.
Type II IND-CPRE-CCA adversary: In the game, adversary $\mathcal{A}$ does not obtain both the
condition key $ck_{i^*,w^*}$ and the re-encryption key $rk_{i^*,j}$ with $pk_j$ corrupted.
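The four restrictions on the adversary in the game above can be checked mechanically against a recorded query log, for instance when testing a game harness for a C-PRE implementation. The following Python is an added example, not code from the paper; the event tuple layout, the opaque ciphertext labels and the names `check_transcript`, `HONEST` and `CHEATING` are assumptions made for illustration, and restrictions 3 and 4 are tested in query order, following the "previous corrupted key generation query" wording.

```python
# Added example: checks a recorded IND-CPRE-CCA query log against
# restrictions 1-4. Event layout and all names are illustrative assumptions.

def check_transcript(events):
    """Return [(restriction_number, event), ...] for every rule the log breaks."""
    chal = next((e for e in events if e[0] == "challenge"), None)
    if chal is None:
        raise ValueError("transcript has no challenge query")
    _, i_star, w_star, ct_star = chal
    corrupted = set()   # users whose secret key the adversary holds so far
    derived = set()     # (j, label): oracle re-encryptions of the challenge
    broken = []
    for ev in events:
        kind, args = ev[0], ev[1:]
        if kind == "corrupt":
            if args[0] == i_star:                   # restriction 1
                broken.append((1, ev))
            corrupted.add(args[0])
        elif kind == "rekey":                       # request for rk_{i,j}
            i, j = args
            if i == i_star and j in corrupted:      # restriction 4
                broken.append((4, ev))
        elif kind == "reenc":
            i, j, w, ct_in, ct_out = args
            if (i, w, ct_in) == (i_star, w_star, ct_star):
                if j in corrupted:                  # restriction 3
                    broken.append((3, ev))
                derived.add((j, ct_out))
        elif kind == "dec":     # w is None for re-encrypted ciphertexts
            pk, w, ct = args
            on_challenge = (pk, w, ct) == (i_star, w_star, ct_star)
            on_derivative = w is None and (pk, ct) in derived
            if on_challenge or on_derivative:       # restriction 2
                broken.append((2, ev))
        # "keygen" and "ckey" queries are not limited by restrictions 1-4
    return broken

# Constructed transcripts; "urgent" is the condition from the vacation example.
HONEST = [
    ("keygen", "alice"), ("keygen", "bob"), ("corrupt", "eve"),
    ("rekey", "alice", "bob"),            # bob is uncorrupted: allowed
    ("ckey", "alice", "urgent"),
    ("challenge", "alice", "urgent", "ct*"),
    ("reenc", "alice", "bob", "urgent", "ct*", "ct1"),
    ("dec", "alice", "other", "ct7"),     # unrelated original ciphertext
]
CHEATING = [
    ("keygen", "alice"), ("corrupt", "eve"),
    ("rekey", "alice", "eve"),            # rk_{i*,j} with j corrupted
    ("challenge", "alice", "urgent", "ct*"),
    ("reenc", "alice", "eve", "urgent", "ct*", "ct2"),
    ("dec", "eve", None, "ct2"),          # decrypts a challenge derivative
    ("corrupt", "alice"),                 # corrupts the target user
]

if __name__ == "__main__":
    for name, log in (("HONEST", HONEST), ("CHEATING", CHEATING)):
        print(name, [n for n, _ in check_transcript(log)])
```

Because ciphertexts are opaque labels here, the checker only recognises challenge derivatives that came from the re-encryption oracle.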
4. AN EFFICIENT C-PRE SCHEME
Here we present our efficient C-PRE scheme and then prove its security.
4.1 Construction
Our proposed scheme consists of the following seven main algorithms and one auxiliary
algorithm for checking the validity of the ciphertext.
Global Setup (λ) : This algorithm takes the security parameter λ as input. Then two primes p
and q are chosen such that $q \mid p - 1$ where q is a λ bit prime. Then the algorithm generates
(q, $\mathbb{G}$, $\mathbb{G}_T$, e) where $\mathbb{G}$ and $\mathbb{G}_T$ are two cyclic groups with prime order q and e is a bilinear pairing
$e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$. Let g be the generator of group $\mathbb{G}$, which is a subgroup of $\mathbb{Z}_q^*$ with order q. Choose
hash functions as follows:
