Abstract
In this paper, we present a unidirectional homomorphic proxy re-encryption (PRE) scheme from the learning with errors (LWE) assumption. It can homomorphically evaluate ciphertexts at either the input side or the output side, whether the ciphertexts are fresh or re-encrypted (re-encrypted ciphertexts may come from different identities). Our PRE scheme modifies the recent homomorphic encryption scheme of Gentry et al. [5], and we use the approximate eigenvector method to manage the noise level and reduce the decryption complexity without introducing additional assumptions. Furthermore, under the security definitions of Nishimaki and Xagawa [18], we prove that our homomorphic PRE is indistinguishable under chosen-plaintext attacks, key-private, and master secret secure.
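The abstract describes a re-encryption key that lets a proxy move a ciphertext from one identity to another without decrypting. The following is an added toy illustration, not the paper's GSW-based construction and not code from the authors: it builds a single-hop, unidirectional PRE from plain Regev-style LWE encryption plus key switching, where \(rk^{i \rightarrow j}\) is a set of encryptions, under j's public key, of the bit-scaled secret key of i. The function names (`keygen`, `rekey`, `reencrypt`, `demo`) and the parameters N, M, Q, BOUND are assumptions of this example; they are deliberately tiny and offer no security, and are chosen only so the noise bookkeeping (the paper's central concern) stays visible: every re-encryption adds at most N·log q key-switching noise terms, and decryption succeeds while the accumulated noise stays below q/4.

```python
# Added toy example (not the paper's GSW-based scheme): a single-hop, unidirectional
# PRE built from LWE key switching. The re-encryption key rk^{i->j} is a set of
# LWE encryptions, under j's public key, of the bit-scaled secret key of i, so the
# proxy can key-switch a ciphertext from i to j without learning either secret.
# Parameters are deliberately tiny and insecure; they only keep the noise bookkeeping visible.
import random

N = 8         # LWE dimension
M = 16        # LWE samples per public key
Q = 1 << 24   # modulus
LOGQ = 24     # bits of Q; ReEnc decomposes each c1 coordinate into this many bits
BOUND = 2     # error coordinates are uniform in [-BOUND, BOUND]


def keygen(rng):
    """Secret s in Z_q^N; public key (A, b = A s + e) with M LWE samples."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.randint(-BOUND, BOUND) for _ in range(M)]
    b = [(sum(A[i][k] * s[k] for k in range(N)) + e[i]) % Q for i in range(M)]
    return s, (A, b)


def encrypt_scalar(pk, value, rng):
    """Regev-style encryption of an arbitrary v in Z_q: c2 - <c1, s> = v + r.e (small)."""
    A, b = pk
    r = [rng.randint(0, 1) for _ in range(M)]
    c1 = [sum(r[i] * A[i][k] for i in range(M)) % Q for k in range(N)]
    c2 = (sum(r[i] * b[i] for i in range(M)) + value) % Q
    return c1, c2


def encrypt_bit(pk, bit, rng):
    """Fresh (input-side) ciphertext of one bit, encoded as bit * q/2."""
    return encrypt_scalar(pk, bit * (Q // 2), rng)


def centered_phase(s, ct):
    """c2 - <c1, s> reduced into (-q/2, q/2]."""
    c1, c2 = ct
    p = (c2 - sum(c1[k] * s[k] for k in range(N))) % Q
    return p - Q if p > Q // 2 else p


def decrypt_bit(s, ct):
    return 1 if abs(centered_phase(s, ct)) > Q // 4 else 0


def noise(s, ct, bit):
    """Distance of the phase from the ideal encoding bit * q/2; must stay below q/4."""
    p = centered_phase(s, ct)
    if bit == 0:
        return abs(p)
    return abs(p + Q // 2) if p < 0 else abs(p - Q // 2)


def rekey(s_i, pk_j, rng):
    """rk^{i->j}: for every coordinate k and bit position l, an encryption under pk_j
    of 2^l * s_i[k]. Only i's secret and j's public key are needed (unidirectional)."""
    return [[encrypt_scalar(pk_j, (s_i[k] << l) % Q, rng) for l in range(LOGQ)]
            for k in range(N)]


def reencrypt(rk, ct):
    """Proxy step: key-switch ct from s_i to s_j using rk alone.
    The sum over the set bits of c1 of rk[k][l] encrypts <c1, s_i>, so subtracting
    it from (0, c2) leaves c2 - <c1, s_i> = bit * q/2 + noise, now under s_j."""
    c1, c2 = ct
    new_c1 = [0] * N
    new_c2 = c2
    for k in range(N):
        for l in range(LOGQ):
            if (c1[k] >> l) & 1:
                d1, d2 = rk[k][l]
                new_c1 = [(x - y) % Q for x, y in zip(new_c1, d1)]
                new_c2 = (new_c2 - d2) % Q
    return new_c1, new_c2


def demo(seed=0, bits=(0, 1, 1, 0)):
    """Encrypt bits to Alice, re-encrypt to Bob, decrypt on both sides.
    Returns ([(alice_bit, bob_bit), ...], worst noise seen after re-encryption)."""
    rng = random.Random(seed)
    s_alice, pk_alice = keygen(rng)
    s_bob, pk_bob = keygen(rng)
    rk = rekey(s_alice, pk_bob, rng)
    pairs, worst = [], 0
    for bit in bits:
        ct = encrypt_bit(pk_alice, bit, rng)
        ct_bob = reencrypt(rk, ct)
        pairs.append((decrypt_bit(s_alice, ct), decrypt_bit(s_bob, ct_bob)))
        worst = max(worst, noise(s_bob, ct_bob, bit))
    return pairs, worst


if __name__ == "__main__":
    pairs, worst = demo()
    print("decrypted (alice, bob):", pairs)
    print("worst re-encryption noise:", worst, "bound q/4 =", Q // 4)
```

With these parameters each key-switching ciphertext carries noise at most M·BOUND = 32, and a re-encryption adds at most N·LOGQ = 192 of them, so the worst case is a few thousand against a decryption threshold of q/4 = 2^22. The same bookkeeping is what forces real schemes to pick q and the decomposition base carefully: doubling the number of hops or the dimension multiplies the additive noise, and the approximate eigenvector trick mentioned in the abstract exists precisely to keep that growth manageable.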
References
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93. ACM (2005)
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) FOCS 2011, pp. 97–106. IEEE (2011)
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (leveled) fully homomorphic encryption without bootstrapping. In: ITCS, pp. 309–325. ACM (2012)
Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_50
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_5
Zhang, X., Xu, C., Jin, C., Xie, R., Zhao, J.: Efficient fully homomorphic encryption from RLWE with an extension to a threshold encryption scheme. Future Gener. Comput. Syst. 36, 180–186 (2014)
Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from Ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_29
Hiromasa, R., Abe, M., Okamoto, T.: Packing messages and optimizing bootstrapping in GSW-FHE. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 699–715. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_31
Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998). doi:10.1007/BFb0054122
Lu, Y., Li, J.: A pairing-free certificate-based proxy re-encryption scheme for secure data sharing in public clouds. Future Gener. Comput. Syst. doi:10.1016/j.future.2015.11.012
Li, J., Zhao, X., Zhang, Y.: Certificate-based conditional proxy re-encryption. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) NSS 2014. LNCS, vol. 8792, pp. 299–310. Springer, Heidelberg (2014). doi:10.1007/978-3-319-11698-3_23
Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 9(1), 1–30 (2006)
Smith, T.: DVD Jon: Buy DRM-less Tracks from Apple iTunes (2005). http://www.theregister.co.uk/2005/03/18/itunes_pymusique/
Xagawa, K.: Cryptography with Lattices. Ph.D. thesis. Department of Mathematical and Computing Sciences Tokyo Institute of Technology (2010)
Aono, Y., Boyen, X., Phong, L.T., Wang, L.: Key-private proxy re-encryption under LWE. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT 2013. LNCS, vol. 8250, pp. 1–18. Springer, Heidelberg (2013)
Singh, K., Pandu Rangan, C., Banerjee, A.K.: Cryptanalysis of unidirectional proxy re-encryption scheme. In: Linawati, Mahendra, M.S., et al. (eds.) ICT-EurAsia 2014. LNCS, vol. 8407, pp. 564–575. Springer, Heidelberg (2014)
Jiang, M., Hu, Y., Wang, B., Wang, F., Lai, Q.: Lattice-based multi-use unidirectional proxy re-encryption. Secur. Commun. Netw. 8(18), 3796–3803 (2015)
Nishimaki, R., Xagawa, K.: Key-private proxy re-encryption from lattices, revisited. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E98-A(1), 100–116 (2015)
Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_17
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_41
Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_35
Acknowledgements
The authors would like to thank the reviewers for their detailed reviews and constructive comments, which have helped improve the quality of this paper. This work was supported by the National Natural Science Foundation of China (61472097), the Special Research Fund for the Doctoral Program of Higher Education of China (20132304110017), and the Open Fund of the State Key Laboratory of Information Security (2016-MS-10).
Appendix
Definition 3
(IND-UniPRE-CPA security at input side [18])
Let UniPRE = (Setup, Gen, \(\widehat{Enc}\), Enc, \(\widehat{Dec}\), Dec, ReKey, ReEnc) be a single-hop, unidirectional PRE scheme and k a security parameter. Suppose that there exists a PPT algorithm RandEnc which takes pp as input and outputs a random ciphertext at the input side. Let H = H(k) and C = C(k) be polynomials in k, standing for the number of honest users and corrupted users, respectively. Consider the following game, denoted \(Expt_{A,UniPRE}^{IND-UniPRE-CPA,I}(k)\), between a challenger and an adversary A.
Initialization: Given the security parameter k and a coin \(b \in \{0,1\}\), run \(pp \leftarrow Setup(1^k)\). Initialize \(CU \leftarrow \{H+1, \cdots, H+C\}\), which denotes the set of corrupted users. For \(i = 0, \cdots, H+C\) generate key pairs \(((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i})) \leftarrow Gen(pp, i)\). Run the adversary on input pp, the key pairs of corrupted users \(\{((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i}))\}_{i = H+1, \cdots, H+C}\), and the public keys of honest users \(\{(ek^i, \widehat{ek^i})\}_{i = 0, \cdots, H}\).
Learning Phase: The adversary may issue queries to the following oracles in any order and any number of times. Oracle REKEY receives two indices \(i, j \in \{0, 1, \cdots, H+C\}\). If i = j it returns \(\bot\); if \((i = 0) \wedge (j \in CU)\) it returns \(\bot\) (a re-encryption key from the challenge user 0 to a corrupted user would let the adversary decrypt the challenge trivially); otherwise it returns \(rk^{i \rightarrow j} \leftarrow ReKey(pp, dk^i, ek^i, \widehat{ek^j})\).
Oracle REENC receives two indices \(i, j \in \{0, 1, \cdots, H+C\}\) and a ciphertext ct. If i = j it returns \(\bot\); if \((i = 0) \wedge (j \in CU)\) it returns \(\bot\); otherwise it queries (i, j) to REKEY, obtains \(rk^{i \rightarrow j}\), and returns \(\widehat{ct} \leftarrow ReEnc(pp, rk^{i \rightarrow j}, ct)\).
Oracle CHALLENGE receives \(\mu\). If b = 0, it returns \(ct \leftarrow RandEnc(pp)\); if b = 1, it returns \(ct \leftarrow Enc(pp, ek^0, \mu)\).
Eventually, the adversary halts after outputting its decision \(b' \in \{0,1\}\).
Finalization: Output 1 if \(b' = b\). Otherwise, output 0.
We define the advantage of the adversary as
We say that UniPRE is IND-UniPRE-CPA secure at the input side if
\(Adv_{A,UniPRE}^{IND-UniPRE-CPA,I}(\cdot)\) is negligible for every PPT adversary A.
Definition 4
(IND-UniPRE-CPA security at output side [18])
Let UniPRE = (Setup, Gen, \(\widehat{Enc}\), Enc, \(\widehat{Dec}\), Dec, ReKey, ReEnc) be a single-hop, unidirectional PRE scheme and k a security parameter. Suppose that there exists a PPT algorithm \(\widehat{RandEnc}\) which takes pp as input and outputs a random ciphertext at the output side. Let H = H(k) and C = C(k) be polynomials in k, standing for the number of honest users and corrupted users, respectively. Consider the following game, denoted \(Expt_{A,UniPRE}^{IND-UniPRE-CPA,O}(k)\), between a challenger and an adversary A.
Initialization: Given the security parameter k and a coin \(b \in \{0,1\}\), run \(pp \leftarrow Setup(1^k)\). For \(i = 0, \cdots, H+C\) generate key pairs \(((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i})) \leftarrow Gen(pp, i)\). Run the adversary on input pp, the public keys of honest users \(\{(ek^i, \widehat{ek^i})\}_{i = 0, \cdots, H}\), and the key pairs of corrupted users \(\{((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i}))\}_{i = H+1, \cdots, H+C}\).
Learning Phase: The adversary may issue queries to the following oracles in any order and any number of times (no re-encryption key is withheld here, since output-side ciphertexts cannot be re-encrypted further in a single-hop scheme):
Oracle REKEY receives two indices \(i, j \in \{0, 1, \cdots, H+C\}\). If i = j it returns \(\bot\); otherwise it returns \(rk^{i \rightarrow j} \leftarrow ReKey(pp, dk^i, ek^i, \widehat{ek^j})\).
Oracle REENC receives two indices \(i, j \in \{0, 1, \cdots, H+C\}\) and a ciphertext ct. If i = j it returns \(\bot\); otherwise it queries (i, j) to REKEY, obtains \(rk^{i \rightarrow j}\), and returns \(\widehat{ct} \leftarrow ReEnc(pp, rk^{i \rightarrow j}, ct)\).
Oracle CHALLENGE receives \(\mu\). If b = 0, it returns \(\widehat{ct} \leftarrow \widehat{RandEnc}(pp)\); if b = 1, it returns \(\widehat{ct} \leftarrow \widehat{Enc}(pp, \widehat{ek^0}, \mu)\).
Eventually, the adversary halts after outputting its decision \(b' \in \{0,1\}\).
Finalization: Output 1 if \(b' = b\). Otherwise, output 0.
We define the advantage of the adversary as
We say that UniPRE is IND-UniPRE-CPA secure at the output side if
\(Adv_{A,UniPRE}^{IND-UniPRE-CPA,O}(\cdot)\) is negligible for every PPT adversary A.
Definition 5
(KP-CPA security [18]) Let UniPRE = (Setup, Gen, \(\widehat{Enc}\), Enc, \(\widehat{Dec}\), Dec, ReKey, ReEnc) be a single-hop, unidirectional PRE scheme and k a security parameter. Suppose that there exists a PPT algorithm RandReKey which takes pp as input and outputs a random re-encryption key rk. Let H = H(k) and C = C(k) be polynomials in k, standing for the number of honest users and corrupted users, respectively. Consider the following game, denoted \(Expt_{A,UniPRE}^{KP-CPA}(k)\), between a challenger and an adversary A.
Initialization: Given the security parameter k and a coin \(b \in \{0,1\}\), run \(pp \leftarrow Setup(1^k)\). Initialize \(L \leftarrow \emptyset\), a table of generated re-encryption keys shared among the oracles. For \(i = -1, 0, \cdots, H+C\) generate key pairs \(((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i})) \leftarrow Gen(pp, i)\) (user 0 is the challenge delegator and user \(-1\) the challenge delegatee). Run the adversary on input pp, the public keys of honest users \(\{(ek^i, \widehat{ek^i})\}_{i = 0, \cdots, H}\), and the key pairs of corrupted users \(\{((ek^i, \widehat{ek^i}), (dk^i, \widehat{dk^i}))\}_{i = H+1, \cdots, H+C}\).
Learning Phase: The adversary may issue queries to the following oracles in any order and any number of times, except for the restriction on oracle CHALLENGE.
Oracle REKEY receives two indices \(i, j \in \{-1, 0, \cdots, H+C\}\). If i = j it returns \(\bot\); if \((i, j) = (0, -1)\) it returns \(\bot\) (this is the challenge key); if a re-encryption key from i to j already exists, i.e. \((i, j, rk^{i \rightarrow j}) \in L\), it returns \(rk^{i \rightarrow j}\); otherwise it generates \(rk^{i \rightarrow j} \leftarrow ReKey(pp, dk^i, ek^i, \widehat{ek^j})\), updates \(L \leftarrow L \cup \{(i, j, rk^{i \rightarrow j})\}\), and returns \(rk^{i \rightarrow j}\).
Oracle REENC receives two indices \(i, j \in \{-1, 0, \cdots, H+C\}\) and a ciphertext ct. If i = j it returns \(\bot\); if there is no re-encryption key from i to j in the table L, it generates \(rk^{i \rightarrow j} \leftarrow ReKey(pp, dk^i, ek^i, \widehat{ek^j})\) and updates \(L \leftarrow L \cup \{(i, j, rk^{i \rightarrow j})\}\); it finally returns \(\widehat{ct} \leftarrow ReEnc(pp, rk^{i \rightarrow j}, ct)\). Note that REENC is allowed for \((i, j) = (0, -1)\): the adversary may see re-encryptions under the challenge key, but never the key itself.
Oracle CHALLENGE can be queried only once. On the query, the oracle searches the table L for \((0, -1, rk^{0 \rightarrow -1})\); if no such key exists, it generates \(rk^{0 \rightarrow -1} \leftarrow ReKey(pp, dk^0, ek^0, \widehat{ek^{-1}})\) and updates \(L \leftarrow L \cup \{(0, -1, rk^{0 \rightarrow -1})\}\). If b = 0, it returns a random re-encryption key \(rk \leftarrow RandReKey(pp)\) (which is not stored in L). If b = 1, it returns the real re-encryption key \(rk^{0 \rightarrow -1}\) contained in L.
Eventually, the adversary halts after outputting its decision \(b' \in \{0,1\}\).
Finalization: Output 1 if \(b' = b\). Otherwise, output 0.
The advantage of Adversary is
We say that UniPRE is KP-CPA secure if \(Adv_{A,UniPRE}^{KP-CPA}(\cdot)\) is negligible for every polynomial-time adversary A.
Definition 6
(Master secret security [16]) Let UniPRE = (Setup, Gen, \(\widehat{Enc}\), Enc, \(\widehat{Dec}\), Dec, ReKey, ReEnc) be a single-hop, unidirectional PRE scheme and k a security parameter. Suppose that there exists a PPT algorithm RandReKey which takes pp as input and outputs a random re-encryption key rk. Let H = H(k) and C = C(k) be polynomials in k, standing for the number of honest users and corrupted users, respectively. Consider the following game, denoted \(Expt_{A,UniPRE}^{MSS}(k)\), between a challenger and an adversary A.
Initialization: The challenger runs \(pp \leftarrow Setup\left( {{1^k}} \right) \) and gives the public parameters pp to the adversary.
Challenge: The adversary submits a target delegator i.
Learning Phase:
- The adversary can issue re-encryption key queries (i, j) and receives \(rk^{i \rightarrow j}\) corresponding to the public keys \(ek^i\) and \(ek^j\).
- The adversary can issue re-encryption queries on a ciphertext ct under any public key \(ek^i\) toward any \(ek^j\), and receives \(ReEnc(pp, rk^{i \rightarrow j}, ct)\).
Finalization: The adversary finally outputs a guess x for the private key \(dk^i\) of the target delegator i and wins if \(x = dk^i\).
The advantage of the adversary is \(Adv_{A,UniPRE}^{MSS}(k) = \Pr[x = dk^i]\). We say that a unidirectional PRE is master secret secure if \(Adv_{A,UniPRE}^{MSS}(\cdot)\) is negligible for every polynomial-time adversary A; that is, even a proxy holding every re-encryption key issued by the delegator cannot recover the delegator's secret key.
Copyright information
© 2016 Springer International Publishing AG
Cite this paper
Ma, C., Li, J., Ouyang, W. (2016). A Homomorphic Proxy Re-encryption from Lattices. In: Chen, L., Han, J. (eds.) Provable Security. ProvSec 2016. Lecture Notes in Computer Science, vol. 10005. Springer, Cham. https://doi.org/10.1007/978-3-319-47422-9_21
DOI: https://doi.org/10.1007/978-3-319-47422-9_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47421-2
Online ISBN: 978-3-319-47422-9