Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext - - PowerPoint PPT Presentation

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion

Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao

Institute for Infocomm Research (I2R), Singapore School of Information Systems, SMU, Singapore DIES, Faculty of EEMCS, University of Twente, the Netherlands Email: {yyang@i2r.a-star.edu.sg} ISC 2009, Pisa Italy

September 5, 2009

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion

Outline

Introduction Model of Conditional Proxy Re-Encryption(C-PRE). Our Proposed C-PRE Scheme. Conclusion

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Proxy Re-Encryption Conditional Proxy Re-Encryption

Proxy Re-Encryption

Proxy re-encryption (PRE), introduced by Blaze, Bleumer and Strauss in Eurocrypt’98, allows a semi-trust proxy to convert a ciphertext originally intended for Alice into an encryption of the same message intended for Bob1. PRE has found many practical applications, such as digital rights management (DRM), distributed file systems, outsourced filtering of encrypted spam, and encrypted email forwarding, etc.

1The original ciphertext is called second level ciphertext, and the transformed

ciphertext is named first level ciphertext

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Proxy Re-Encryption Conditional Proxy Re-Encryption

Conditional Proxy Re-Encryption

Traditional PRE enforces coarse-grained delegation of decryption right, in the sense that the proxy can transform all of Alice’s second level ciphertexts. In practice, fine-grained delegation is often more desirable. To address this problem, Tang (Indocrypt’08) and Weng et al. (ASIACCS’09) independently introduced the notion of Conditional Proxy Re-Encryption(C-PRE)2. In C-PRE, ciphertexts are generated with respect to a certain condition, and the proxy can translate a ciphertext only if the associated condition is satisfied.

2In their full paper of PKC’08, Libert and Vergnaud also considered the problem

• f how to add keywords into PRE, and gave a concrete scheme.

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Proxy Re-Encryption Conditional Proxy Re-Encryption

Problems of Existing Models for C-PRE

Weng et al. and Tang’s definition and security notion have their respective pros and cons: In Tang’s definition, the proxy needs only one key pair to perform transformation, while the proxy in Weng et al.’s definition needs two key pair; In Weng et al.’s definition, a user can acts as delegator for any

• ther users, and can also be the delegatee for any other users. In

Tang’s definition, the delegators and the delegatees have to be in different systems, which means that the user in a given system can only act as either (not both) a delegator or a delegatee. Both of Weng et al. and Tang’s security notions only consider the second level ciphertext security, and do not address the first level ciphertext security.

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Proxy Re-Encryption Conditional Proxy Re-Encryption

Our Work

We re-formalize the definition and security models for C-PRE. In

• ur definition,

the proxy needs only one key pair for performing transformations A user can act as the delegator or the delegatee for any other users.

We propose a more efficient C-PRE scheme, and prove its CCA-security under our rigorous security model.

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Definition of C-PRE Security Notions of C-PRE

Definition of C-PRE

A C-PRE scheme consists of the following algorithms: Setup algorithm: Setup(1κ) = ⇒ param. Key generation algorithm: KeyGen(1κ) = ⇒ (pki, ski). Re-encryption key generation algorithm: ReKeyGen(ski, w, pkj) = ⇒ rki w

→j.

Second level encryption algorithm: Enc2(pk, m, w) = ⇒ CT First level encryption algorithm: Enc1(pk, m) = ⇒ CT. Re-encryption algorithm: ReEnc(CTi, rki w

→j) =

⇒ CTj Second level decryption algorithm: Dec2(CT, sk) = ⇒ m. First level decryption algorithm: Dec1(CT, sk) = ⇒ m.

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Definition of C-PRE Security Notions of C-PRE

Security Notions of C-PRE: IND-2CPRE-CCA

Chosen-ciphertext security for second level ciphertexts (IND-2CPRE-CCA): The adversary A is challenged with a second level ciphertext CT∗ encrypted under a target public key pki∗ and a target condition w∗. A is allowed to issue a series of queries, except those queries which allow A to trivially decrypt CT∗. For examples, A should not obtain the re-encryption key rki∗w∗

→j where skj is corrupted.

If there exists no polynomial time adversary A can obtain anything about the underlying plaintext of CT∗, then the C-PRE is said to be IND-2CPRE-CCA secure.

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Definition of C-PRE Security Notions of C-PRE

Security Notions of C-PRE: IND-1CPRE-CCA

Chosen-ciphertext security for first level ciphertexts (IND-1CPRE-CCA): The adversary A is challenged with a first level ciphertext CT∗ encrypted under a target public key pki∗. A is allowed to issue a series of queries, except those queries which allow A to trivially decrypt CT∗. But now A is even allowed to obtain the re-encryption key rki∗w∗

→j where skj is

corrupted. If there exists no polynomial time adversary A can obtain anything about the underlying plaintext of CT∗, then the C-PRE is said to be IND-1CPRE-CCA secure.

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Principles for Designing CCA-Secure C-PRE Our Proposed C-PRE Scheme Security of Our Scheme

Principles for Designing CCA-Secure C-PRE

Three principles: The validity of the second level ciphertext should be publicly verifiable. The first level ciphertext should be able to resist the adversary’s malicious manipulating The first level ciphertext should not contains all the components

• f the second level ciphertext3.

3Otherwise, it will suffers from a similar attack as Zhang et al.’s attack (eprint,

2009/344) against Shao-Cao’s PRE scheme in PKC’09

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Principles for Designing CCA-Secure C-PRE Our Proposed C-PRE Scheme Security of Our Scheme

Our Scheme: A First Attempt

Setup(1κ): The global parameter is param = ((q, G, GT, e), g, n, H1, · · · , H5). KeyGen(1κ): user i’s secret key ski = xi ∈R Zq, and public key pki = gxi. ReKeyGen(ski, w, pkj): Pick s ∈R Zq. The re-encryption key from user i to j w.r.t condition w is rki w

→j = (rk1, rk2) =

• H2(pki, w)pks

j

−ski , pks

i

• .

Enc2(pk, m, w): Pick R ∈R GT, and compute r = H1(m, R). The second level ciphertext is CT = (C1, C2, C3, C4) =

• gr, R · e(pk, H2(pk, w))r, m ⊕ H3(R), H4(C1, C2, C3)r

. ReEnc(CTi, rki w

→j): Given CTi = (C1, C2, C3, C4) and rki w →j = (rk1, rk2), check

e(C1, H4(C1, C2, C3)) ? = e(g, C4). If no, output ⊥; else output CTj = (C1, C2, C3, C4) = (C1, C2 · e(C1, rk1), C3, rk2) . Enc1(pk, m): Pick R ∈R GT, s ∈R Z∗

q, and compute r = H1(m, R). The first level

ciphertext CT is CT = (C1, C2, C3, C4) =

• gr, R · e(g, pk)−r·s, m ⊕ H3(R), gs

. Algorithms Dec2(CT, sk) and Dec1(CT, sk) can be given accordingly.

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Principles for Designing CCA-Secure C-PRE Our Proposed C-PRE Scheme Security of Our Scheme

Our Scheme: Final One

Setup(1κ): The global parameter is param = ((q, G, GT, e), g, n, H1, · · · , H5). KeyGen(1κ): user i’s secret key ski = xi ∈R Zq, and public key pki = gxi. ReKeyGen(ski, w, pkj): Pick s ∈R Zq. The re-encryption key from user i to j w.r.t condition w is rki w

→j = (rk1, rk2) =

• H2(pki, w)pk

s·H5(pks·ski

j

) j

−ski, pks

i

• .

Enc2(pk, m, w): Pick R ∈R GT, and compute r = H1(m, R). The second level ciphertext is CT = (C1, C2, C3, C4) =

• gr, R · e(pk, H2(pk, w))r, m ⊕ H3(R), H4(C1, C2, C3)r

. ReEnc(CTi, rki w

→j): Given CTi = (C1, C2, C3, C4) and rki w →j = (rk1, rk2), check

e(C1, H4(C1, C2, C3)) ? = e(g, C4). If no, output ⊥; else output CTj = (C1, C2, C3, C4) = (C1, C2 · e(C1, rk1), C3, rk2) . Enc1(pk, m): Pick R ∈R GT, s ∈R Z∗

q, and compute r = H1(m, R). The first level

ciphertext CT is CT = (C1, C2, C3, C4) =

• gr, R · e(g, pk)−r·s·H5(pks), m ⊕ H3(R), gs

. Algorithms Dec2(CT, sk) and Dec1(CT, sk) can be given accordingly.

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Principles for Designing CCA-Secure C-PRE Our Proposed C-PRE Scheme Security of Our Scheme

Security of Our Final Scheme

Definition The Decisional Bilinear Diffie-Hellman (DBDH) assumption in groups (G, GT) means that, given a tuple (g, ga, gb, gc, Z) ∈ G4 × GT with unknown a, b, c ∈R Zq, it is difficult to decide whether Z = e(g, g)abc. Theorem Our final scheme is IND-2CPRE-CCA and IND-1CPRE-CCA secure in the random oracle model, assuming the DBDH assumption holds in groups (G, GT).

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion

Conclusion

We re-formalized the definition and security notions for conditional proxy re-encryption (C-PRE), and proposed an efficient CCA-secure C-PRE scheme under our model. Some open questions:

One is how to construct a CCA-secure (instead of replayable CCA-secure) C-PRE scheme without random oracles. Another is how to construct CCA-secure C-PRE schemes supporting “OR” and “AND” gates over conditions.

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion

Many thanks for your attention!!!

Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext