
A Homomorphic Proxy Re-encryption from Lattices

  • Conference paper
  • Provable Security (ProvSec 2016)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10005)

Abstract

In this paper, we present a unidirectional homomorphic proxy re-encryption (PRE) scheme based on the learning with errors assumption. It can homomorphically evaluate ciphertexts at either the input side or the output side, whether the ciphertexts are fresh or re-encrypted (and re-encrypted ciphertexts may come from different identities). Our PRE scheme modifies the recent HE scheme of Gentry et al. We also use the approximate eigenvector method to manage the noise level and to decrease the decryption complexity without introducing additional assumptions. Furthermore, under the security definitions of Nishimaki et al., we prove that our homomorphic PRE is indistinguishable against chosen-plaintext attacks, key-private, and master secret secure.


References

  1. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93. ACM (2005)

  2. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) FOCS 2011, pp. 97–106. IEEE (2011)

  3. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325. ACM (2012)

  4. Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_50

  5. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_5

  6. Zhang, X., Xu, C., Jin, C., Xie, R., Zhao, J.: Efficient fully homomorphic encryption from RLWE with an extension to a threshold encryption scheme. Future Gener. Comput. Syst. 36, 180–186 (2014)

  7. Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from Ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_29

  8. Hiromasa, R., Abe, M., Okamoto, T.: Packing messages and optimizing bootstrapping in GSW-FHE. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 699–715. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_31

  9. Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998). doi:10.1007/BFb0054122

  10. Lu, Y., Li, J.: A pairing-free certificate-based proxy re-encryption scheme for secure data sharing in public clouds. Future Gener. Comput. Syst. doi:10.1016/j.future.2015.11.012

  11. Li, J., Zhao, X., Zhang, Y.: Certificate-based conditional proxy re-encryption. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) NSS 2014. LNCS, vol. 8792, pp. 299–310. Springer, Heidelberg (2014). doi:10.1007/978-3-319-11698-3_23

  12. Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 9(1), 1–30 (2006)

  13. Smith, T.: DVD Jon: Buy DRM-less Tracks from Apple iTunes (2005). http://www.theregister.co.uk/2005/03/18/itunes_pymusique/

  14. Xagawa, K.: Cryptography with Lattices. Ph.D. thesis. Department of Mathematical and Computing Sciences, Tokyo Institute of Technology (2010)

  15. Aono, Y., Boyen, X., Phong, T.L., Wang, L.: Key-private proxy re-encryption under LWE. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT 2013. LNCS, vol. 8250, pp. 1–18. Springer, Heidelberg (2013)

  16. Singh, K., Pandu, R.C., Banerjee, A.K.: Cryptanalysis of unidirectional proxy re-encryption scheme. In: Linawati, M.S.M., et al. (eds.) ICT-EurAsia 2014. LNCS, vol. 8407, pp. 564–575. Springer, Heidelberg (2014)

  17. Jiang, M., Hu, Y., Wang, B., Wang, F., Lai, Q.: Lattice-based multi-use unidirectional proxy re-encryption. Secur. Commun. Netw. 8(18), 3796–3803 (2015)

  18. Nishimaki, R., Xagawa, K.: Key-private proxy re-encryption from lattices, revisited. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E98-A(1), 100–116 (2015)

  19. Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_17

  20. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_41

  21. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_35


Acknowledgements

The authors would like to thank the reviewers for their detailed reviews and constructive comments, which have helped improve the quality of this paper. This work was supported by the National Natural Science Foundation of China (61472097), the Special Research Fund for the Doctoral Program of Higher Education of China (20132304110017), and the Open Fund of the State Key Laboratory of Information Security (2016-MS-10).

Corresponding author

Correspondence to Chunguang Ma.


Appendix

Definition 3

(IND-UniPRE-CPA security at input side [18])

Let UniPRE = (Setup, Gen, \(\widehat{Enc}\), Enc, \(\widehat{Dec}\), Dec, ReKey, ReEnc) be a single-hop, unidirectional PRE scheme and k a security parameter. Suppose that there exists a PPT algorithm RandEnc which takes pp as input and outputs a random ciphertext at the input side. Let H = H(k) and C = C(k) be polynomials in k, which stand for the number of honest users and corrupted users, respectively. Consider the following game, denoted by \(Expt_{A,UniPRE}^{IND-UniPRE-CPA,I}\left( k \right) \), between the challenger and the adversary.

Initialization: Given security parameter k and coin \(b \in \{ 0,1\} \), run \(pp \leftarrow Setup(1^k)\). Initialize \(CU \leftarrow \{H + 1, \cdots ,H + C\}\), which denotes the set of corrupted users. For \(i = 0, \cdots ,H + C\) generate key pairs \(((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i})) \leftarrow Gen(pp, i)\). Run the adversary on input pp, the key pairs of corrupted users \(\{((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i}))\}_{i = H + 1, \cdots ,H + C}\), and the public keys of honest users \(\{(ek^i, \widehat{ek^i})\}_{i = 0, \cdots ,H}\).

Learning Phase: The adversary may issue queries to the following oracles in any order and any number of times:

Oracle REKEY receives two indices \(i,j \in \{0,1,\cdots ,H + C\} \). If \(i = j\) then it returns \( \bot \); if \(i = 0\) and \(j \in CU\) then it returns \( \bot \); otherwise, it returns \(rk^{i \rightarrow j} \leftarrow ReKey(pp, dk^i, ek^i, \widehat{ek^j})\).

Oracle REENC receives two indices \(i,j \in \{0,1,\cdots ,H + C\} \) and a ciphertext ct. If \(i = j\) then it returns \( \bot \); if \(i = 0\) and \(j \in CU\) then it returns \( \bot \); otherwise, it queries (i, j) to REKEY, obtains \(rk^{i \rightarrow j}\), and returns \(\widehat{ct} \leftarrow ReEnc(pp, rk^{i \rightarrow j}, ct)\).

Oracle CHALLENGE receives \(\mu \). If \(b = 0\), it returns \(ct \leftarrow RandEnc(pp)\). If \(b = 1\), it returns \(ct \leftarrow Enc(pp, ek^0, \mu )\).

Eventually, the adversary halts after it outputs its decision \(b' \in \{ 0,1\} \).

Finalization: Output 1 if \(b' = b\). Otherwise, output 0.

We define the advantage of the adversary as

$$Adv_{A,UniPRE}^{IND-UniPRE-CPA,I}(k) = \left| \Pr\left[Expt_{A,UniPRE}^{IND-UniPRE-CPA,I}(k) \rightarrow 1 \mid b = 1\right] - \Pr\left[Expt_{A,UniPRE}^{IND-UniPRE-CPA,I}(k) \rightarrow 1 \mid b = 0\right] \right|$$

We say that UniPRE is IND-UniPRE-CPA secure at the input side if \(Adv_{A,UniPRE}^{IND-UniPRE-CPA,I}(\cdot)\) is negligible for every PPT adversary.

Definition 4

(IND-UniPRE-CPA security at output side [18])

Let UniPRE = (Setup, Gen, \(\widehat{Enc}\), Enc, \(\widehat{Dec}\), Dec, ReKey, ReEnc) be a single-hop, unidirectional PRE scheme and k a security parameter. Suppose that there exists a PPT algorithm \(\widehat{RandEnc}\) which takes pp as input and outputs a random ciphertext at the output side. Let H = H(k) and C = C(k) be polynomials in k, which stand for the number of honest users and corrupted users, respectively. Consider the following game, denoted by \(Expt_{A,UniPRE}^{IND-UniPRE-CPA,O}\left( k \right) \), between the challenger and the adversary.

Initialization: Given security parameter k and coin \(b \in \{ 0,1\} \), run \(pp \leftarrow Setup(1^k)\). For \(i = 0, \cdots ,H + C\) generate key pairs \(((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i})) \leftarrow Gen(pp, i)\). Run the adversary on input pp, the public keys of honest users \(\{(ek^i, \widehat{ek^i})\}_{i = 0, \cdots ,H}\), and the key pairs of corrupted users \(\{((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i}))\}_{i = H + 1, \cdots ,H + C}\).

Learning Phase: The adversary may issue queries to the following oracles in any order and any number of times:

Oracle REKEY receives two indices \(i,j \in \{0,1,\cdots ,H + C\} \). If \(i = j\) then it returns \( \bot \); otherwise, it returns \(rk^{i \rightarrow j} \leftarrow ReKey(pp, dk^i, ek^i, \widehat{ek^j})\).

Oracle REENC receives two indices \(i,j \in \{0,1,\cdots ,H + C\} \) and a ciphertext ct. If \(i = j\) then it returns \( \bot \); otherwise, it queries (i, j) to REKEY, obtains \(rk^{i \rightarrow j}\), and returns \(\widehat{ct} \leftarrow ReEnc(pp, rk^{i \rightarrow j}, ct)\).

Oracle CHALLENGE receives \(\mu \). If \(b = 0\), it returns \(\widehat{ct} \leftarrow \widehat{RandEnc}(pp)\). If \(b = 1\), it returns \(\widehat{ct} \leftarrow \widehat{Enc}(pp, \widehat{ek^0}, \mu )\).

Eventually, the adversary halts after it outputs its decision \(b' \in \{ 0,1\} \).

Finalization: Output 1 if \(b' = b\). Otherwise, output 0.

We define the advantage of the adversary as

$$Adv_{A,UniPRE}^{IND-UniPRE-CPA,O}(k) = \left| \Pr\left[Expt_{A,UniPRE}^{IND-UniPRE-CPA,O}(k) \rightarrow 1 \mid b = 1\right] - \Pr\left[Expt_{A,UniPRE}^{IND-UniPRE-CPA,O}(k) \rightarrow 1 \mid b = 0\right] \right|$$

We say that UniPRE is IND-UniPRE-CPA secure at the output side if \(Adv_{A,UniPRE}^{IND-UniPRE-CPA,O}(\cdot)\) is negligible for every PPT adversary.
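As an added illustration of Definitions 3 and 4 (example code written for this page, not code from the paper), the challenger below implements the REKEY, REENC and CHALLENGE oracles of both games, including the one rule that separates them: only the input-side game refuses a re-key from the target user 0 to a corrupted user. The scheme it drives, `ToyPRE`, is a hypothetical stand-in built from textbook ElGamal in a small constructed group, not the paper's lattice scheme and not secure at this size; it exists only so the oracle logic runs end to end (Python 3.8+ for `pow(x, -1, p)`).

```python
import secrets

# Toy group (constructed for this example): safe prime p = 2q + 1, g = 4 generates the order-q subgroup.
P, Q, G = 2039, 1019, 4
BOT = None  # stands in for the symbol ⊥ returned by the oracles

def eg_enc(ek, m):  # textbook ElGamal, the toy scheme's only building block; m is a nonzero integer < p
    k = secrets.randbelow(Q - 1) + 1
    return (pow(G, k, P), m * pow(ek, k, P) % P)

def eg_dec(dk, ct):
    return ct[1] * pow(pow(ct[0], dk, P), -1, P) % P

class ToyPRE:
    """Hypothetical single-hop unidirectional PRE, NOT the paper's lattice scheme:
    rk^{i->j} is dk^i encrypted under j's output-side key, and ReEnc attaches it."""
    def gen(self, i):  # returns ((ek^i, ek_hat^i), (dk^i, dk_hat^i)); the index i is unused here
        s, t = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
        return (pow(G, s, P), pow(G, t, P)), (s, t)
    def enc(self, ek, mu):  # input-side encryption
        return eg_enc(ek, mu)
    def enc_hat(self, ek_hat, mu):  # output-side encryption: fresh key s, then s wrapped for ek_hat
        s = secrets.randbelow(Q - 1) + 1
        return (eg_enc(pow(G, s, P), mu), eg_enc(ek_hat, s))
    def rekey(self, dk_i, ek_i, ek_hat_j):  # ReKey(pp, dk^i, ek^i, ek_hat^j); ek_i unused in the toy
        return eg_enc(ek_hat_j, dk_i)
    def reenc(self, rk, ct):
        return (ct, rk)
    def dec(self, dk, ct):  # input-side decryption
        return eg_dec(dk, ct)
    def dec_hat(self, dk_hat, ct_hat):  # unwrap the delegator's key, then decrypt the inner ciphertext
        return eg_dec(eg_dec(dk_hat, ct_hat[1]), ct_hat[0])
    def rand_enc(self):  # RandEnc: uniformly random element of the input-side ciphertext space
        return (secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1)
    def rand_enc_hat(self):  # \widehat{RandEnc}: random element of the output-side ciphertext space
        return (self.rand_enc(), self.rand_enc())

class IndUniPreCpaGame:
    """Challenger of Definition 3 (side='I') and Definition 4 (side='O'); user 0 is the target."""
    def __init__(self, scheme, H, C, side, b):
        self.s, self.side, self.b = scheme, side, b
        self.CU = set(range(H + 1, H + C + 1))           # corrupted users H+1..H+C
        self.keys = {i: scheme.gen(i) for i in range(H + C + 1)}
    def public_keys(self):  # public keys of all users; the adversary also holds the full pairs of CU
        return {i: pk for i, (pk, _) in self.keys.items()}
    def rekey(self, i, j):
        # Only the input-side game forbids a re-key from the target to a corrupted user:
        # such a key would let the adversary decrypt the input-side challenge trivially.
        if i == j or (self.side == "I" and i == 0 and j in self.CU):
            return BOT
        (ek_i, _), (dk_i, _) = self.keys[i]
        return self.s.rekey(dk_i, ek_i, self.keys[j][0][1])
    def reenc(self, i, j, ct):  # REENC routes through REKEY, so it inherits the same restriction
        rk = self.rekey(i, j)
        return BOT if rk is BOT else self.s.reenc(rk, ct)
    def challenge(self, mu):  # real encryption of mu if b = 1, a RandEnc output if b = 0
        (ek0, ek0_hat), _ = self.keys[0]
        if self.side == "I":
            return self.s.enc(ek0, mu) if self.b else self.s.rand_enc()
        return self.s.enc_hat(ek0_hat, mu) if self.b else self.s.rand_enc_hat()
```

In the output-side game the corrupted user may obtain \(rk^{0 \rightarrow j}\) and recover \(dk^0\) from it, which is harmless there because the challenge is encrypted under \(\widehat{ek^0}\) and only \(\widehat{dk^0}\) opens it.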

Definition 5

(KP-CPA security [18]) Let UniPRE = (Setup, Gen, \(\widehat{Enc}\), Enc, \(\widehat{Dec}\), Dec, ReKey, ReEnc) be a single-hop, unidirectional PRE scheme and k a security parameter. Suppose that there exists a PPT algorithm RandRekey which takes pp as input and outputs a random re-encryption key rk. Let H = H(k) and C = C(k) be polynomials in k, which stand for the number of honest users and corrupted users, respectively. Consider the following game, denoted by \(Expt_{A,UniPRE}^{KP-CPA}\left( k \right) \), between the challenger and the adversary.

Initialization: Given security parameter k and coin \(b \in \{ 0,1\} \), run \(pp \leftarrow Setup(1^k)\). Initialize \(L \leftarrow \emptyset \), a table holding the re-encryption keys that is shared among the oracles. For \(i = - 1,0, \cdots ,H + C\), generate key pairs \(((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i})) \leftarrow Gen(pp, i)\). Run the adversary on input pp, the public keys of honest users \(\{(ek^i, \widehat{ek^i})\}_{i = 0, \cdots ,H}\), and the key pairs of corrupted users \(\{((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i}))\}_{i = H + 1, \cdots ,H + C}\).

Learning Phase: The adversary may issue queries to the following oracles in any order and any number of times, except for the constraint on oracle CHALLENGE.

Oracle REKEY receives two indices \(i,j \in \{ -1,0,\cdots , H+C\} \). If \(i = j\) then it returns \(\bot \); if \((i, j) = (0, -1)\) then it returns \(\bot \); if the re-encryption key from i to j already exists, i.e. \((i, j, rk^{i \rightarrow j}) \in L\), then it returns \(rk^{i \rightarrow j}\); otherwise, it generates \(rk^{i \rightarrow j} \leftarrow ReKey(pp, dk^i, ek^i, \widehat{ek^j})\), updates \(L \leftarrow L \cup \{(i, j, rk^{i \rightarrow j})\}\), and returns \(rk^{i \rightarrow j}\).

Oracle REENC receives two indices \(i,j \in \{ -1,0,\cdots , H+C\} \) and a ciphertext ct. If \(i = j\) then it returns \(\bot \); if there is no re-encryption key from i to j in the table L, it generates \(rk^{i \rightarrow j} \leftarrow ReKey(pp, dk^i, ek^i, \widehat{ek^j})\) and updates \(L \leftarrow L \cup \{(i, j, rk^{i \rightarrow j})\}\); it finally returns \(\widehat{ct} \leftarrow ReEnc(pp, rk^{i \rightarrow j}, ct)\).

Oracle CHALLENGE can be queried only once. On the query, the oracle searches the table L for \((0, -1, rk^{0 \rightarrow -1})\); if no such key exists, it generates \(rk^{0 \rightarrow -1} \leftarrow ReKey(pp, dk^0, ek^0, \widehat{ek^{-1}})\) and updates \(L \leftarrow L \cup \{(0, -1, rk^{0 \rightarrow -1})\}\). If \(b = 0\) then it returns a random re-encryption key \(rk \leftarrow FakeReKey(pp)\), which is not contained in L. If \(b = 1\), then it returns the real re-encryption key \(rk^{0 \rightarrow -1}\) contained in L.

Eventually, the adversary halts after it outputs its decision \(b' \in \{ 0,1\} \).

Finalization: Output 1 if \(b' = b\). Otherwise, output 0.

The advantage of the adversary is

$$Adv_{A,UniPRE}^{KP-CPA}(k) = \left| \Pr\left[Expt_{A,UniPRE}^{KP-CPA}(k) \rightarrow 1 \mid b = 1\right] - \Pr\left[Expt_{A,UniPRE}^{KP-CPA}(k) \rightarrow 1 \mid b = 0\right] \right|$$

We say that UniPRE is KP-CPA secure if \(Adv_{A,UniPRE}^{KP-CPA}(\cdot)\) is negligible for every polynomial-time adversary.

Definition 6

(Master secret security [16]) Let UniPRE = (Setup, Gen, \(\widehat{Enc}\), Enc, \(\widehat{Dec}\), Dec, ReKey, ReEnc) be a single-hop, unidirectional PRE scheme and k a security parameter. Suppose that there exists a PPT algorithm RandRekey which takes pp as input and outputs a random re-encryption key rk. Let H = H(k) and C = C(k) be polynomials in k, which stand for the number of honest users and corrupted users, respectively. Consider the following game, denoted by \(Expt_{A,UniPRE}^{MSS}\left( k \right) \), between the challenger and the adversary.

Initialization: The challenger runs \(pp \leftarrow Setup\left( {{1^k}} \right) \) and gives the public parameters pp to the adversary.

Challenge: The adversary submits target delegator i.

Learning Phase:

  • The adversary can issue re-encryption key query \(r{k^{i \rightarrow j}}\) corresponding to the public keys \(e{k^i}\) and \(e{k^j}\).

  • The adversary can issue re-encryption query \(r{k^{i \rightarrow j}}\) corresponding to any public keys \(e{k^i}\) and \(e{k^j}\).

Finalization: The adversary finally outputs a guess x for the private key \(dk^i\) of the target delegator i and wins if \(x = dk^i\).

The advantage of the adversary is \(Adv_{A,UniPRE}^{MSS}(k) = \left| \Pr[x = dk^i] \right|\). We say that the unidirectional PRE is master secret secure if \(Adv_{A,UniPRE}^{MSS}(\cdot)\) is negligible for every polynomial-time adversary.


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Ma, C., Li, J., Ouyang, W. (2016). A Homomorphic Proxy Re-encryption from Lattices. In: Chen, L., Han, J. (eds) Provable Security. ProvSec 2016. Lecture Notes in Computer Science, vol. 10005. Springer, Cham. https://doi.org/10.1007/978-3-319-47422-9_21


  • DOI: https://doi.org/10.1007/978-3-319-47422-9_21


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47421-2

  • Online ISBN: 978-3-319-47422-9

  • eBook Packages: Computer Science (R0)
