Generic Traceable Proxy Re-encryption and Accountable Extension in Consensus Network

Abstract

Proxy re-encryption provides a promising solution to share encrypted data in consensus network. When the data owner is going to share her encrypted data with some receiver, he will generate re-encryption key for this receiver and distribute the key among the consensus network nodes following some rules. By using the re-encryption key, the nodes can transform the ciphertexts for the receiver without learning anything about the underlying plaintexts. However, if malicious nodes and receivers collude, they can obtain the capability to decrypt all transformable ciphertexts of the data owner, especially for multi-nodes setting of consensus network. In order to address this problem, some “tracing mechanisms” are naturally required to identify misbehaving nodes and foster accountability when the re-encryption key is abused for distributing the decryption capability.

In this paper, we propose a generic traceable proxy re-encryption construction from any proxy re-encryption scheme, with the twice size ciphertext as the underlying proxy re-encryption scheme. Then our construction can be instantiated properly to yield the first traceable proxy re-encryption with constant size ciphertext, which greatly reduces both the communication and storage costs in consensus network. Furthermore, we show how to generate an undeniable proof for node’s misbehavior and support accountability to any proxy re-encryption scheme. Our construction is the first traceable proxy re-encryption scheme with accountability, which is desirable in consensus network so that malicious node can be traced and cannot deny his leakage of re-encryption capabilities.

A Asymmetric Fingerprinting Codes

In fingerprinting schemes, since both the provider and the receiver know the fingerprinted copy, it cannot be proved that a found copy was leaked by the receiver instead of the provider. While in asymmetric fingerprinting schemes, introduced by [30] and further studied by [29], only the receiver knows the fingerprinted copy, and a found copy can be proved to third parties whose copy it was.

Asymmetric fingerprinting is defined by the following algorithms [29]:

• \(\mathrm {AsymCodeGen}(n,\lambda ,s_u):\) This is a two party protocol between the provider and the receiver. \(\lambda \) is the security parameter. The receiver chooses a private input \(s_u\) to generate the u-th word of the code \(\varGamma \), containing up to n codewords. At the end of this algorithm, the provider obtains a tracing key tk and the receiver gets a word \(\bar{w}^{(u)}\).

• \(\mathrm {AsymIdentify}(tk,\bar{w}^*):\) On input of a pirate word \(\bar{w}^*\in \{0,1\}^l\), this algorithm either fails to identify and outputs \(\bot \), or outputs a codeword index \(u \in \{1,\cdots ,n\}\) along with a proof \(\varOmega \). Informally, the u-th user is “accused” of being a traitor for creating the word \(\bar{w}^*\).

• \(\mathrm {ArbiterPredicate}(tk,u,\varOmega ,s_u)\) This is a 3-party protocol between the arbiter, the provider and the receiver. The provider inputs \((tk,u,\varOmega )\), where u denotes an index of a traitor being “accused” for creating the word \(\bar{w}^*\). The receiver inputs \(s_u\), which is his private input for creating the u-th word of the code \(\varGamma \). This predicate returns 1 if proof \(\varOmega \) contains some non-trivial information on \(s_u\) and returns 0 otherwise.

For simplifying, we consider \(\mathrm {AsymCodeGen}\) is a secure 2-party protocol as [29]. That is, the provider obtains no more than the tracing key tk and the receiver obtains no more than the word \(\bar{w}^{(u)}\).

In addition to the tracing capability, an asymmetric fingerprinting code supports two additional features, non-repudiation and non-framing. We recall the security properties of asymmetric fingerprinting codes as follows [29]:

• Traceability: For any adversary \(\mathcal {A}\), any \(n>0\) and any subset \(C\subset \{1, \cdots , n\}\), the following holds

  $$\Pr \left[ \begin{aligned} \{(\bar{w}^{(i)},tk) \leftarrow \mathrm {AsymCodeGen}(n,\lambda ,s_i)\}_{ i=1,\cdots ,n};\\ \bar{w}^*\in F(\{\bar{w}^{(i)}\}_{i\in C})\leftarrow \mathcal {A}(n,\lambda ,\{s_i,\bar{w}^{(i)}\}_{i\in C}):\\ (u,\varOmega )\leftarrow \mathrm {AsymIdentify}(tk,\bar{w}^*):\\ u=\bot \text { or } u\notin C \end{aligned} \right] < \mathsf {negl}(\lambda )$$

• Non-repudiation: It further holds that

  $$\Pr \left[ 0\leftarrow \mathrm {ArbiterPredicate}(tk,u,\varOmega ,s_u) \right] < \mathsf {negl}(\lambda )$$

• Non-framing: For any adversary \(\mathcal {A}\), any \(n>0\) and any \(u'\in [n]\), the following holds

  $$\Pr \left[ \begin{aligned} \{(\bar{w}^{(i)},tk) \leftarrow \mathrm {AsymCodeGen}(n,\lambda ,s_i)\}_{ i=1,\cdots ,n};\\ \varOmega '\leftarrow \mathcal {A}(n,\lambda ,tk,\{s_i\}_{i\in [n] \backslash \{u'\}}):\\ 1\leftarrow \mathrm {ArbiterPredicate}(tk,u',\varOmega ',s_{u'}) \end{aligned} \right] < \mathsf {negl}(\lambda )$$

Remark 2

Pehlivanoglu [29] introduced an asymmetric binary fingerprinting code based on Boneh-Shaw code and proved it satisfying the above properties. Despite that the above definition seems slightly different from [29] in expression, the functionality and security remain unchanged.