efficient conditional proxy re encryption with chosen
play

Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext - PowerPoint PPT Presentation

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Institute for Infocomm Research (I2R),


  1. Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Institute for Infocomm Research (I2R), Singapore School of Information Systems, SMU, Singapore DIES, Faculty of EEMCS, University of Twente, the Netherlands Email: { yyang@i2r.a-star.edu.sg } ISC 2009, Pisa Italy September 5, 2009 Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

  2. Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Outline Introduction Model of Conditional Proxy Re-Encryption(C-PRE). Our Proposed C-PRE Scheme. Conclusion Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

  3. Introduction Model of C-PRE Proxy Re-Encryption Our proposed C-PRE Scheme Conditional Proxy Re-Encryption Conclusion Proxy Re-Encryption Proxy re-encryption (PRE), introduced by Blaze, Bleumer and Strauss in Eurocrypt’98, allows a semi-trust proxy to convert a ciphertext originally intended for Alice into an encryption of the same message intended for Bob 1 . PRE has found many practical applications, such as digital rights management (DRM), distributed file systems, outsourced filtering of encrypted spam, and encrypted email forwarding, etc. 1 The original ciphertext is called second level ciphertext, and the transformed ciphertext is named first level ciphertext Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

  4. Introduction Model of C-PRE Proxy Re-Encryption Our proposed C-PRE Scheme Conditional Proxy Re-Encryption Conclusion Conditional Proxy Re-Encryption Traditional PRE enforces coarse-grained delegation of decryption right, in the sense that the proxy can transform all of Alice’s second level ciphertexts. In practice, fine-grained delegation is often more desirable. To address this problem, Tang (Indocrypt’08) and Weng et al. (ASIACCS’09) independently introduced the notion of Conditional Proxy Re-Encryption(C-PRE) 2 . In C-PRE, ciphertexts are generated with respect to a certain condition, and the proxy can translate a ciphertext only if the associated condition is satisfied. 2 In their full paper of PKC’08, Libert and Vergnaud also considered the problem of how to add keywords into PRE, and gave a concrete scheme. Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

  5. Introduction Model of C-PRE Proxy Re-Encryption Our proposed C-PRE Scheme Conditional Proxy Re-Encryption Conclusion Problems of Existing Models for C-PRE Weng et al. and Tang’s definition and security notion have their respective pros and cons: In Tang’s definition, the proxy needs only one key pair to perform transformation, while the proxy in Weng et al. ’s definition needs two key pair; In Weng et al. ’s definition, a user can acts as delegator for any other users, and can also be the delegatee for any other users. In Tang’s definition, the delegators and the delegatees have to be in different systems, which means that the user in a given system can only act as either (not both) a delegator or a delegatee. Both of Weng et al. and Tang’s security notions only consider the second level ciphertext security, and do not address the first level ciphertext security. Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

  6. Introduction Model of C-PRE Proxy Re-Encryption Our proposed C-PRE Scheme Conditional Proxy Re-Encryption Conclusion Our Work We re-formalize the definition and security models for C-PRE. In our definition, the proxy needs only one key pair for performing transformations A user can act as the delegator or the delegatee for any other users. We propose a more efficient C-PRE scheme, and prove its CCA-security under our rigorous security model. Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

  7. Introduction Model of C-PRE Definition of C-PRE Our proposed C-PRE Scheme Security Notions of C-PRE Conclusion Definition of C-PRE A C-PRE scheme consists of the following algorithms: Setup algorithm: Setup ( 1 κ ) = ⇒ param . Key generation algorithm: KeyGen ( 1 κ ) = ⇒ ( pk i , sk i ) . Re-encryption key generation algorithm: ReKeyGen ( sk i , w , pk j ) = ⇒ rk i w → j . Second level encryption algorithm: Enc 2 ( pk , m , w ) = ⇒ CT First level encryption algorithm: Enc 1 ( pk , m ) = ⇒ CT. Re-encryption algorithm: ReEnc ( CT i , rk i w → j ) = ⇒ CT j Second level decryption algorithm: Dec 2 ( CT , sk ) = ⇒ m . First level decryption algorithm: Dec 1 ( CT , sk ) = ⇒ m . Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

  8. Introduction Model of C-PRE Definition of C-PRE Our proposed C-PRE Scheme Security Notions of C-PRE Conclusion Security Notions of C-PRE: IND-2CPRE-CCA Chosen-ciphertext security for second level ciphertexts ( IND-2CPRE-CCA ): The adversary A is challenged with a second level ciphertext CT ∗ encrypted under a target public key pk i ∗ and a target condition w ∗ . A is allowed to issue a series of queries, except those queries which allow A to trivially decrypt CT ∗ . For examples, A should not obtain the re-encryption key rk i ∗ w ∗ → j where sk j is corrupted. If there exists no polynomial time adversary A can obtain anything about the underlying plaintext of CT ∗ , then the C-PRE is said to be IND-2CPRE-CCA secure. Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

  9. Introduction Model of C-PRE Definition of C-PRE Our proposed C-PRE Scheme Security Notions of C-PRE Conclusion Security Notions of C-PRE: IND-1CPRE-CCA Chosen-ciphertext security for first level ciphertexts ( IND-1CPRE-CCA ): The adversary A is challenged with a first level ciphertext CT ∗ encrypted under a target public key pk i ∗ . A is allowed to issue a series of queries, except those queries which allow A to trivially decrypt CT ∗ . But now A is even allowed to obtain the re-encryption key rk i ∗ w ∗ → j where sk j is corrupted. If there exists no polynomial time adversary A can obtain anything about the underlying plaintext of CT ∗ , then the C-PRE is said to be IND-1CPRE-CCA secure. Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

  10. Introduction Principles for Designing CCA-Secure C-PRE Model of C-PRE Our Proposed C-PRE Scheme Our proposed C-PRE Scheme Security of Our Scheme Conclusion Principles for Designing CCA-Secure C-PRE Three principles: The validity of the second level ciphertext should be publicly verifiable. The first level ciphertext should be able to resist the adversary’s malicious manipulating The first level ciphertext should not contains all the components of the second level ciphertext 3 . 3 Otherwise, it will suffers from a similar attack as Zhang et al .’s attack (eprint, 2009/344) against Shao-Cao’s PRE scheme in PKC’09 Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

  11. Introduction Principles for Designing CCA-Secure C-PRE Model of C-PRE Our Proposed C-PRE Scheme Our proposed C-PRE Scheme Security of Our Scheme Conclusion Our Scheme: A First Attempt Setup ( 1 κ ) : The global parameter is param = (( q , G , G T , e ) , g , n , H 1 , · · · , H 5 ) . KeyGen ( 1 κ ) : user i ’s secret key sk i = x i ∈ R Z q , and public key pk i = g x i . ReKeyGen ( sk i , w , pk j ) : Pick s ∈ R Z q . The re-encryption key from user i to j w.r.t condition w is �� � � − sk i , pk s H 2 ( pk i , w ) pk s rk i w → j = ( rk 1 , rk 2 ) = j i . Enc 2 ( pk , m , w ) : Pick R ∈ R G T , and compute r = H 1 ( m , R ) . The second level ciphertext is g r , R · e ( pk , H 2 ( pk , w )) r , m ⊕ H 3 ( R ) , H 4 ( C 1 , C 2 , C 3 ) r � � CT = ( C 1 , C 2 , C 3 , C 4 ) = . ReEnc ( CT i , rk i w → j ) : Given CT i = ( C 1 , C 2 , C 3 , C 4 ) and rk i w → j = ( rk 1 , rk 2 ) , check e ( C 1 , H 4 ( C 1 , C 2 , C 3 )) ? = e ( g , C 4 ) . If no, output ⊥ ; else output CT j = ( C 1 , C 2 , C 3 , C 4 ) = ( C 1 , C 2 · e ( C 1 , rk 1 ) , C 3 , rk 2 ) . Enc 1 ( pk , m ) : Pick R ∈ R G T , s ∈ R Z ∗ q , and compute r = H 1 ( m , R ) . The first level ciphertext CT is g r , R · e ( g , pk ) − r · s , m ⊕ H 3 ( R ) , g s � � CT = ( C 1 , C 2 , C 3 , C 4 ) = . Algorithms Dec 2 ( CT , sk ) and Dec 1 ( CT , sk ) can be given accordingly. Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Recommend


More recommend