What About Bob? The Inadequacy of CPA Security for Proxy Reencryption

Abstract

In the simplest setting of proxy reencryption, there are three parties: Alice, Bob, and Polly (the proxy). Alice keeps some encrypted data that she can decrypt with a secret key known only to her. She wants to communicate the data to Bob, but not to Polly (nor anybody else). Using proxy reencryption, Alice can create a reencryption key that will enable Polly to reencrypt the data for Bob’s use, but which will not help Polly learn anything about the data.

There are two well-studied notions of security for proxy reencryption schemes: security under chosen-plaintext attacks (CPA) and security under chosen-ciphertext attacks (CCA). Both definitions aim to formalize the security that Alice enjoys against both Polly and Bob.

In this work, we demonstrate that CPA security guarantees much less security against Bob than was previously understood. In particular, CPA security does not prevent Bob from learning Alice’s secret key after receiving a single honestly reencrypted ciphertext. As a result, CPA security provides scant guarantees in common applications.

We propose security under honest reencryption attacks (HRA), a strengthening of CPA security that better captures the goals of proxy reencryption. In applications, HRA security provides much more robust security. We identify a property of proxy reencryption schemes that suffices to amplify CPA security to HRA security and show that two existing proxy reencryption schemes are in fact HRA secure.

Supported by Facebook Fellowship 2018, NSF GRFP, NSF MACS CNS-1413920, DARPA IBM W911NF-15-C-0236, and Simons Investigator Award Agreement Dated 6-5-12. We would like to thank Rio LaVigne, Akshay Degwekar, Shafi Goldwasser, Vinod Vaikuntanathan, and anonymous reviewers for their helpful feedback.

Appendices

A The Trivial Scheme

The following description and definition of circular security is adapted with slight modification from [6].

Let \((\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec})\) be a public-key encryption scheme with key space \(\mathcal {K}\) and message space \(\mathcal {M}\) such that \(\mathcal {K}\subseteq \mathcal {M}\). Let \(n>0\) be an integer and let \(\mathcal {C}\) be the set of functions \(\mathcal {C}= \{f:\mathcal {K}^n \rightarrow \mathcal {M}\}\) consisting of

• all \(|\mathcal {M}|\) constant functions \(f_m(z) = m\) for all \(z \in \mathcal {K}^n\), and

• all n selector functions \(f_i(x_1,\dots ,x_n) = x_i\) for \(1\le i \le n\).

We define circular security using the following game between a challenger and an adversary \(\mathcal {A}\). For an integer \(n>0\) and a security parameter \(\lambda \), the game proceeds as follows:

• Initialization: The challenger chooses a random bit \(b\leftarrow \{0,1\}\). It generates \((\mathsf {pk}_1,\mathsf {sk}_1),\dots ,(\mathsf {pk}_n,\mathsf {sk}_n)\) by running \(\mathsf {KeyGen}(1^\lambda )\) n times, and sends \((\mathsf {pk}_1,\dots ,\mathsf {pk}_n)\) to \(\mathcal {A}\).

• Queries: The adversary repeatedly issues queries where each query is of the form (i, f) with \(1\le i\le n\) and \(f\in \mathcal {C}\). The challenger responds by setting \(y = f(\mathsf {sk}_1,\dots ,\mathsf {sk}_n)\) and

  $$\begin{aligned} \mathsf {ct}\leftarrow {\left\{ \begin{array}{ll} \mathsf {Enc}(\mathsf {pk}_i,y) &{} \text {if } b=0 \\ \mathsf {Enc}(\mathsf {pk}_i,0^{|y|}) &{} \text {if } b=1 \end{array}\right. } \end{aligned}$$

  and sends \(\mathsf {ct}\) to \(\mathcal {A}\).

• Finish: Finally, the adversary outputs a bit \(b' \in \{0,1\}\).

We say that \(\mathcal {A}\) wins the game if \(b=b'\). Let \(\mathsf {win}\) be the event that \(\mathcal {A}\) wins the game and define \(\mathcal {A}\)’s advantage as

$$\begin{aligned} \mathsf {Adv}_{\mathsf {circ},n}^\mathcal {A}(\lambda ) = \Pr [\mathsf {win}]. \end{aligned}$$

Definition 8

(n-Circular Security). We say that a public-key encryption scheme \((\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec})\) is n-way circular secure if for all probabilistic polynomial time adversaries \(\mathcal {A}\), there exists a negligible function \(\mathsf {negl}\) such that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {circ},n}^{\mathcal {A}}(\lambda ) < \frac{1}{2} + \mathsf {negl}(\lambda ). \end{aligned}$$

Because existing constructions of circularly secure encryption schemes based on standard assumptions require a bound on the total number of public keys n, the corresponding Trivial Scheme will only satisfy a bounded-key variant of CPA security, defined next.

Definition 9

(Proxy Reencryption: n-CPA Security). For \(n\in \mathbb {N}\), the n-CPA security game is identical to the CPA security game in Definition 3 except for the following underlined modifications. Recall that \(\mathsf {numKeys}\) is initialized to 0 and is incremented after every key generation call in the security game.

• Uncorrupted Key Generation: obtain a new key pair \((\mathsf {pk}_i,\mathsf {sk}_i) \leftarrow \mathsf {KeyGen}(\mathsf {pp})\). \(\mathcal {A}\) is given \(\mathsf {pk}_i\). The current value of \(\mathsf {numKeys}\) is added to \(\mathsf {Hon}\) and \(\mathsf {numKeys}\) is incremented.

• Corrupted Key Generation: obtain a new key pair \((pk_i, \mathsf {sk}_i) \leftarrow \mathsf {KeyGen}(\mathsf {pp})\). \(\mathcal {A}\) is given \((\mathsf {pk}_i,\mathsf {sk}_i)\). The current value of \(\mathsf {numKeys}\) is added to \(\mathsf {Cor}\) and \(\mathsf {numKeys}\) is incremented.

The corresponding n-CPA advantage of \(\mathcal {A}\) is denoted \(\mathsf {Adv}_{\mathsf {cpa},n}^\mathcal {A}(\lambda ).\) A proxy reencryption scheme is n-CPA secure if for all probabilistic polynomial-time adversaries \(\mathcal {A}\), there exists a negligible function \(\mathsf {negl}\) such that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {cpa},n}^\mathcal {A}(\lambda ) < \frac{1}{2} + \mathsf {negl}(\lambda ) \end{aligned}$$

 

Trivial Scheme. :

Let \((\mathsf {KeyGen}_\mathsf {circ}, \mathsf {Enc}_\mathsf {circ}, \mathsf {Dec}_\mathsf {circ})\) be an n-way circular secure encryption scheme. Let \(\mathsf {Setup}\equiv \bot \), \(\mathsf {KeyGen}\equiv \mathsf {KeyGen}_\mathsf {circ}\); \(\mathsf {Enc}\equiv \mathsf {Enc}_\mathsf {circ}\);

$$\begin{aligned}&\mathsf {ReKeyGen}(\mathsf {sk}_i,\mathsf {pk}_j) := \mathsf {Enc}_\mathsf {circ}(\mathsf {pk}_j, \mathsf {sk}_i)\\&\mathsf {ReEnc}(\mathsf {rk}_{i\rightarrow j},\mathsf {ct}_i):= \mathsf {ct}_i \Vert \mathsf {rk}_{i\rightarrow j}\\&\mathsf {Dec}(\mathsf {sk}, \mathsf {ct}) := \left\{ \begin{array}{ll} \mathsf {Dec}_\mathsf {circ}(\mathsf {Dec}_\mathsf {circ}(\mathsf {sk},\mathsf {ct}^2),\mathsf {ct}^1) &{} \hbox {if } \mathsf {ct}= \mathsf {ct}^1 \Vert \mathsf {ct}^2 \\ \mathsf {Dec}_\mathsf {circ}(\mathsf {sk},\mathsf {ct}) &{} \hbox {otherwise} \end{array} \right. . \end{aligned}$$

 

Theorem 2 states that if \((\mathsf {KeyGen}_\mathsf {circ}, \mathsf {Enc}_\mathsf {circ}, \mathsf {Dec}_\mathsf {circ})\) is an n-way circular secure encryption scheme, then the corresponding Trivial Scheme \(\mathsf {PRE}\) is an n-CPA secure proxy reencryption scheme. In fact, the proof below extends the case when there are n uncorrupted keys and any number of corrupted keys.

Proof

(of Theorem 2). For all \(n\in \mathbb {N}\) and any probabilistic, polynomial-time algorithm \(\mathcal {A}\) (the adversary against the trivial scheme), we construct an efficient algorithm \(\mathcal {A}_\mathsf {circ}\) such that \(\mathsf {Adv}_{\mathsf {circ},n}^{\mathcal {A}_\mathsf {circ}} = \frac{1}{2}\cdot \mathsf {Adv}_{\mathsf {cpa},n}^{\mathcal {A}}\). By the hypothesis, this advantage is negligible, completing the proof.

At the beginning of the game, the circular security challenger picks a random bit b. If \(b = 0\), then the Queries oracle encrypts all messages correctly; if \(b =1\), then the Queries oracle encrypts only the message 0. \(\mathcal {A}_\mathsf {circ}\) runs \(\mathcal {A}\) and simulates the CPA security game for \(\mathsf {PRE}\) (if \(\mathcal {A}\) does not follow the specification of the game, \(\mathcal {A}_\mathsf {circ}\) simply aborts).

At the start of Phase 1, \(\mathcal {A}_\mathsf {circ}\) calls its Initialization oracle in the circular security game. In return it receives the public keys \((\mathsf {pk}_1^\mathsf {circ},\dots ,\mathsf {pk}_n^\mathsf {circ})\). To answer an Uncorrupted Key Generation query, \(\mathcal {A}_\mathsf {circ}\) gives to \(\mathcal {A}\) the first unused public key \(\mathsf {pk}_i^\mathsf {circ}\) from this list. To answer a Corrupted Key Generation query, \(\mathcal {A}_\mathsf {circ}\) generates a new key pair \((\mathsf {pk},\mathsf {sk})\leftarrow \mathsf {KeyGen}\) and gives \((\mathsf {pk},\mathsf {sk})\) to the adversary.

\(\mathcal {A}\) begins Phase 2 by using its Queries oracle to learn the reencryption keys for all pairs of uncorrupted keys generated. Using its knowledge of the corrupted secret keys, it also computes reencryption keys for all the pairs of corrupted keys generated. Oracle calls from \(\mathcal {A}\) to \(\mathcal {O}_\mathsf {ReKeyGen}\) are answered with the corresponding reencryption key (or with \(\bot \)). To answer oracle calls from \(\mathcal {A}\) to \(\mathcal {O}_\mathsf {ReEnc}\), computes the appropriate response; namely, it concatenates the reencryption key to the ciphertext (or returns \(\bot \)).

At some point, \(\mathcal {A}\) queries the Challenge oracle with an honest key index i and a pair of messages \((\mathbf {m}_0,\mathbf {m}_1)\). \(\mathcal {A}_\mathsf {circ}\) chooses a random one of the messages \(\mathbf {m}\) and queries its own Queries oracle with the pair \((i,\mathbf {m})\), returning the resulting ciphertext to \(\mathcal {A}\).

Finally, \(\mathcal {A}\) guesses whether \(\mathbf {m}= \mathbf {m}_0\) or \(\mathbf {m}_1\). If \(\mathcal {A}\) guesses correctly, \(\mathcal {A}_\mathsf {circ}\) guesses the bit \(b' = 0\). Otherwise, \(\mathcal {A}_\mathsf {circ}\) guesses a random \(b' \leftarrow \{0,1\}\). Conditioned on \(b=0\), \(\mathcal {A}_\mathsf {circ}\) perfectly simulates the \(\mathsf {PRE}\) security game, and guesses \(b' = 0\) with probability \(\mathsf {Adv}_{\mathsf {cpa},n}^{\mathcal {A}}\). It follows that \(\mathsf {Adv}_{\mathsf {circ},n}^{\mathcal {A}_\mathsf {circ}} = \frac{1}{2}\cdot \mathsf {Adv}_{\mathsf {cpa},n}^{\mathcal {A}}\).

B Comparison to RIND-CPA

The concurrent work of Derler, Krenn, Lorünser, Ramacher, Slamanig, and Striecks identify the same problem with CPA security as discussed [14]. They define a new security notion—RIND-CPA security—as an additional property that proxy reencryptions schemes should guarantee.

The key feature of RIND-CPA security is that the adversary gets access to an unrestricted \(\mathsf {ReEnc}\) oracle, but only before seeing the challenge ciphertext. The definition is similar to \(\mathsf {IND\text {-}CCA}_{0,1}\) of [28]. The definition of the RIND-CPA security experiment is from [14, Experiment 8].

Definition 10

(RIND-CPA Security Experiment).

• \(\mathsf {pp}\leftarrow \mathsf {Setup}(1^\lambda ), (\mathsf {pk},\mathsf {sk}) \leftarrow \mathsf {KeyGen}(\mathsf {pp}), b \leftarrow \{0,1\}\)

• \((\mathsf {pk}^*,\mathsf {st})\leftarrow \mathcal {A}(\mathsf {pp},\mathsf {pk})\)

• \(\mathsf {rk}\leftarrow \mathsf {ReKeyGen}(\mathsf {sk},\mathsf {pk}^*)\)

• \((\mathbf {m}_0,\mathbf {m}_1,\mathsf {st}) \leftarrow \mathcal {A}^{\{\mathsf {ReEnc}(\mathsf {rk},\cdot )\}}(\mathsf {st})\)

• \(b^* \leftarrow \mathcal {A}(\mathsf {st},\mathsf {Enc}(\mathsf {pk},\mathbf {m}_b))\)

• if \(b = b^*\) return 1, else return 0.

RIND-CPA security requires that for all efficient adversaries, the probability of outputting 1 in the experiment is \(\frac{1}{2} \pm \mathsf {negl}(\lambda )\).

In this section, we compare the approach of [14] with ours. We begin by describing RIND-CPA security as defined by [14]. Next, we compare RIND-CPA with HRA security informally, arguing that HRA provides the better generalization of Enc-CPA security to the PRE setting. Finally, we show that HRA and RIND-CPA security are incomparable notions.

1.1 B.1 Informal Comparison

RIND-CPA is less suitable than HRA as a replacement for CPA security of proxy reencryption. First and most importantly, HRA better captures the intuitive guarantees of Enc-CPA security for standard encryption. Second, access to an unrestricted \(\mathsf {ReEnc}\) oracle makes it a more useful as a testing ground for the development of new techniques. Finally, two idiosyncrasies of the [14] formulation of RIND-CPA security present additional issues.

Capturing Enc-CPA security. In Enc-CPA security for standard encryption, the adversary is able to arbitrarily affect the distribution of plaintext messages. One way of viewing this aspect of the definition is that Enc-CPA requires security while being agnostic as to the true distribution over messages (except that it is efficiently sampleable). Other than choosing the distribution over messages, the adversary is only allowed to see publicly-available information (i.e. public keys and parameters) and honestly encrypted ciphertexts. Informally, the Enc-CPA guarantee is that security should hold under normal operating conditions against eavesdropping parties without making distributional assumptions on plaintext messages. However, Enc-CPA makes no guarantees about dishonestly generated or malformed ciphertexts.

HRA security captures this intuitive guarantee better than RIND-CPA. In the course of normal operation of a proxy reencryption, an adversarial party will see reencrypted ciphertexts. These ciphertexts may come at any time—both before and after other ciphertexts whose contents should remain secret. While HRA allows reencryption both before and after the challenge, RIND-CPA restricts the reencryption oracle to the period before the challenge.

HRA makes minimal assumptions about the distribution of plaintext messages by allowing the adversary to choose messages itself, just as in Enc-CPA. RIND-CPA goes further by making requirements in the face of malformed or dishonestly generated ciphertexts.

A testing ground for new techniques. For classical encryption, Enc-CCA security is strictly stronger than Enc-CPA security. In fact, there are many settings where Enc-CPA security is demonstrably insufficient. Why then does the cryptography community continue to study it? There are many answers to this question, but we mention only two. First, although insufficient for some applications, Enc-CPA is useful in others. Second, it is useful as an intermediate goal because it seems to capture a sort of hard core of the general problem of encryption and spurs the development of new techniques.

HRA security enjoys these same features; RIND-CPA does not. As for usefulness for applications, HRA is meaningful in many of the envisioned applications of proxy reencryption—many more than CPA security. Because RIND-CPA restricts the reencryption oracle to the period before the challenge ciphertext, its usefulness in applications is less clear.

The challenge of constructing CCA secure proxy reencryption is the same as the challenge of Enc-CCA secure encryption: namely, dealing with dishonestly generated, possibly malformed ciphertexts. RIND-CPA, by allowing malformed ciphertexts, presents similar challenges as full CCA security.

As for the usefulness of HRA as an intermediate goal towards CCA security, the historical development of proxy reencryption is proof itself. This sounds paradoxical: how can this be true if the notion has only just been introduced in this work? Many of cryptographers that were targeting CPA security developed schemes that achieve HRA security with only minimal modification. The techniques developed in these constructions were later adapted to achieve CCA security. This suggests that cryptographers’ intuitions for the hard core of reencryption were not flawed, only the formalization of these intuitions as CPA security. HRA security is a better formalization for these intuitions and thus an appropriate intermediate goal for reencryption research.

Idiosyncrasies of the RIND-CPA definition. We mention two unusual properties of the [14] definition. Unlike the adversary’s access to a \(\mathsf {ReEnc}\) oracle, these properties are not inherent in the RIND-CPA concept. It would be easy to propose a modified RIND-CPA definition that did not have these properties (e.g., \(\mathsf {IND\text {-}CCA}_{0,1}\) in [28]).

First, the definition only considers the two party setting. Much like the informal description of proxy reencryption in Sect. 1, there is only a single uncorrupted key and a single corrupted key. It is easy to show that security in the two party setting does not imply security in a many party setting.

Second, not only are inputs to \(\mathsf {ReEnc}\) allowed to be malformed, but the corrupted public key \(\mathsf {pk}^*\) can be malformed as well. The adversary outputs \(\mathsf {pk}^*\) itself and it needs not be honestly generated. This makes RIND-CPA security as defined in [14] formally incomparable to all other definitions of proxy reencryption security we know of, including the \(\mathsf {IND\text {-}CCA}_{0,1}\) of [28].

These drawbacks of the [14] definition do not affect the proof of Theorem 7, but neither does the proof depend on them.

1.2 B.2 Separating RIND-CPA and HRA Security

The following pair of theorems support the conclusion that HRA security and RIND-CPA security are incomparable.

Theorem 6

If there exists an HRA secure PRE scheme, then there exists a PRE scheme that is HRA secure but not RIND-CPA secure.

Proof

Suppose \(\mathsf {PRE}\) is HRA secure, and let \(\top \) be a special symbol that is not a valid ciphertext. Define a new scheme \(\mathsf {PRE}'\) by modifying reencryption as follows:

$$\begin{aligned} \mathsf {ReEnc}'(\mathsf {rk}, \mathsf {ct}) := \left\{ \begin{array}{ll} \mathsf {ReEnc}(\mathsf {rk}, \mathsf {ct}) &{} \quad \hbox {if }\mathsf {ct}\ne \top \\ \mathsf {rk}&{} \quad \hbox {if } \mathsf {ct}= \top \end{array} \right. . \end{aligned}$$

\(\mathsf {PRE}'\) is still HRA secure: \(\mathcal {O}_{\mathsf {ReEnc}'}\) is functionally equivalent to \(\mathcal {O}_\mathsf {ReEnc}\) when restricted to honestly generated ciphertexts.

\(\mathsf {PRE}'\) is not RIND-CPA secure: a single call to \(\mathcal {O}_{\mathsf {ReEnc}'}(i,j,\top )\) (made before the challenge) allows the adversary to learn the reencryption key \(\mathsf {rk}_{i\rightarrow j}\) and thereby decrypt the challenge ciphertext.

Theorem 7

Under the assumptions stated below, there exists a PRE scheme that is RIND-CPA secure but not HRA secure.

The claim assumes the existence of pair of encryption schemes, \(\mathsf {PRE}\) and \(\mathsf {FHE}\) with the following properties. \(\mathsf {PRE}\) is a RIND-CPA secure proxy reencryption scheme with a ciphertext space \(\mathcal {C}_\mathsf {inner}\). \(\mathsf {FHE}\) is a circuit private fully homomorphic encryption scheme with message space \(\mathcal {M}_\mathsf {fhe}= \mathcal {C}_\mathsf {inner}\). The message spaces and ciphertext spaces of the two schemes are all disjoint and efficiently decidable. Finally, the additional proxy reencryption scheme \(\mathsf {PRE}_\mathsf {FHE}\) corresponding to the FHE scheme (see Sect. 5.3) is RIND-CPA secure.¹⁰ For simplicity, we also assume perfect correctness of reencryption (for both schemes) and of homomorphic evaluation.

Below we present a intuition for the proof of Theorem 7. The proof is included in the full version [13].

Proof Intuition for Theorem 7. Recall that RIND-CPA security allows the adversary access to an unrestricted \(\mathsf {ReEnc}\) oracle, but only before the challenge ciphertext is generated. The main difficulty in separating RIND-CPA and HRA security is the restriction in the HRA reencryption oracle to honestly generated ciphertexts.

The first idea in our construction is the observation that separating RIND-CPA and HRA security would be easy if it were possible to use \(\mathsf {Enc}\) oracle to generate a fresh, honest encryption of the challenge plaintext. This fresh encryption could be reencrypted by the HRA reencryption oracle to a corrupted key, revealing the challenge plaintext.

The second idea is to have two layers of encryption, where the message space of the outer layer is equal to the ciphertext space of the inner layer. If the challenge ciphertext comes from the inner layer, then it can be used as input to the \(\mathsf {Enc}\) oracle to generate a new outer ciphertext containing information about the challenge plaintext—namely, an encryption of the challenge ciphertext. The outer ciphertext is honestly generated and can be reencrypted to a corrupt party and decrypted. But it seems we are no better off; decrypting the outer ciphertext only returns the challenge ciphertext still encrypted under the key of an honest party.

The third idea is to modify \(\mathsf {ReEnc}\)—using fully homomorphic encryption—to reencrypt both the outer ciphertext and the inner challenge ciphertext. In addition to the usual reencrypted ciphertext, we augment \(\mathsf {ReEnc}\) to output an additional, doubly reencrypted ciphertext, where both the outer and inner ciphertexts have been reencrypted. If the recipient of the resulting ciphertext is corrupt, the adversary can decrypt both layers and recover the challenge plaintext, violating HRA security.

We now describe the intuition for how to perform double reencryption. Suppose the proxy reencryption scheme used for the outer layer of encryption is also fully homomorphic. Such a scheme can be constructed from any FHE scheme (see Sect. 5.3). Given input an outer layer ciphertext \(\mathsf {ct}_\mathsf {outer}= \mathsf {Enc}(\mathsf {ct}_\mathsf {inner})\), \(\mathsf {ReEnc}\) will homomorphically evaluate \(\mathsf {Eval}_\mathsf {fhe}(\mathsf {ReEnc},\mathsf {ct}_\mathsf {outer})\). The result is an (non-reencrypted) outer ciphertext containing a reencrypted inner ciphertext. Then, \(\mathsf {ReEnc}\) reencrypts that outer ciphertext. This produces a reencrypted outer ciphertext containing a reencrypted inner ciphertext.

Violating HRA security is simple: the adversary encrypts the challenge ciphertexts, reencrypts it to a corrupted key, then decrypts the doubly-reencrypted component twice to recover the challenge message.

It remains to prove that the constructed PRE scheme is RIND-CPA secure. The homomorphic double reencryption functionality can be simulated by a sequence of calls to \(\mathsf {Enc}\), \(\mathsf {Dec}\) and \(\mathcal {O}_\mathsf {ReEnc}\), allowing us to analyze the two-layered scheme without the double-reencryption modification to \(\mathsf {ReEnc}\). The RIND-CPA security of that scheme follows directly from the RIND-CPA security of the PRE scheme underlying the two layers.