Semantically Secure Anonymity: Foundations of Re-encryption

Conference paper in: Security and Cryptography for Networks (SCN 2018), part of the book series Lecture Notes in Computer Science (LNSC, volume 11035).

Abstract

The notion of universal re-encryption is an established primitive used in the design of many anonymity protocols. It allows anyone to randomize a ciphertext without changing its size, without first decrypting it, and without knowing who the receiver is (i.e., not knowing the public key used to create it). By design it prevents the randomized ciphertext from being correlated with the original ciphertext. We revisit and analyze the security foundation of universal re-encryption and show a subtlety in it, namely, that it does not require that the encryption function achieve key anonymity. Recall that the encryption function is different from the re-encryption function. We demonstrate this subtlety by constructing a cryptosystem that satisfies the established definition of a universal cryptosystem but that has an encryption function that does not achieve key anonymity, thereby instantiating the gap in the definition of security of universal re-encryption. We note that the gap in the definition carries over to a set of applications that rely on universal re-encryption, applications in the original paper on universal re-encryption and also follow-on work. This shows that the original definition needs to be corrected and it shows that it had a knock-on effect that negatively impacted security in later work. We then introduce a new definition that includes the properties that are needed for a re-encryption cryptosystem to achieve key anonymity in both the encryption function and the re-encryption function, building on Goldwasser and Micali’s “semantic security” and the original “key anonymity” notion of Bellare, Boldyreva, Desai, and Pointcheval. Omitting any of the properties in our definition leads to a problem. We also introduce a new generalization of the Decision Diffie-Hellman (DDH) random self-reduction and use it, in turn, to prove that the original ElGamal-based universal cryptosystem of Golle et al. is secure under our revised security definition.

Notes

  1. See Theorem 1. The gap pertains to the “initial” encryption function, not the re-encryption function.

  2. i.e., that key anonymity and message indistinguishability both hold for the encryption and re-encryption functions.

  3. Per Sect. 2.1 of [26].

  4. blog.coinfabrik.com/review-appecoin-alternative-anonymous-cryptocurrency.

References

  1. Adida, B.: Helios: web-based open-audit voting. In: Proceedings of the Seventeenth Usenix Security Symposium, pp. 335–348 (2008)

  2. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33

  3. Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054851

  4. Camenisch, J., Lehmann, A.: Privacy-preserving user-auditable pseudonym systems. In: IEEE European Symposium on Security and Privacy (2017)

  5. Camenisch, J., Lysyanskaya, A.: A formal treatment of onion routing. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 169–187. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_11

  6. Danezis, G.: Breaking four mix-related schemes based on universal re-encryption. Int. J. Inf. Sec. 6(6), 393–402 (2007)

  7. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_2

  8. Fairbrother, P.: An improved construction for universal re-encryption. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 79–87. Springer, Heidelberg (2005). https://doi.org/10.1007/11423409_6

  9. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)

  10. Golle, P.: Reputable mix networks. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 51–62. Springer, Heidelberg (2005). https://doi.org/10.1007/11423409_4

  11. Golle, P., Jakobsson, M., Juels, A., Syverson, P.: Universal re-encryption for mixnets. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 163–178. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24660-2_14

  12. Gomułkiewicz, M., Klonowski, M., Kutyłowski, M.: Onions based on universal re-encryption – anonymous communication immune against repetitive attack. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 400–410. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31815-6_32

  13. Groth, J.: Rerandomizable and replayable adaptive chosen ciphertext attack secure cryptosystems. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 152–170. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_9

  14. Halamka, J., Juels, A., Stubblefield, A., Westhues, J.: The security implications of VeriChip cloning. J. Am. Med. Inform. Assoc. 13(6), 384–396 (2006)

  15. Hohenberger, S., Rothblum, G.N., Shelat, A., Vaikuntanathan, V.: Securely obfuscating re-encryption. J. Cryptol. 24(4), 694–719 (2011)

  16. Klonowski, M., Kutyłowski, M., Lauks, A., Zagórski, F.: Universal re-encryption of signatures and controlling anonymous information flow. In: WARTACRYPT, pp. 179–188 (2004)

  17. Klonowski, M., Kutyłowski, M., Zagórski, F.: Anonymous communication with on-line and off-line onion encoding. In: Vojtáš, P., Bieliková, M., Charron-Bost, B., Sýkora, O. (eds.) SOFSEM 2005. LNCS, vol. 3381, pp. 229–238. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30577-4_26

  18. Lu, T., Fang, B., Sun, Y., Guo, L.: Some remarks on universal re-encryption and a novel practical anonymous tunnel. In: Lu, X., Zhao, W. (eds.) ICCNMC 2005. LNCS, vol. 3619, pp. 853–862. Springer, Heidelberg (2005). https://doi.org/10.1007/11534310_90

  19. Micali, S., Rackoff, C., Sloan, B.: The notion of security for probabilistic cryptosystems. SIAM J. Comput. 17(2), 412–426 (1988)

  20. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: IEEE FOCS 1997, pp. 458–467 (1997)

  21. Peng, K., Nieto, J.M., Desmedt, Y., Dawson, E.: Klein bottle routing: an alternative to onion routing and mix network. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 296–309. Springer, Heidelberg (2006). https://doi.org/10.1007/11927587_25

  22. Prabhakaran, M., Rosulek, M.: Rerandomizable RCCA encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 517–534. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_29

  23. Prabhakaran, M., Rosulek, M.: Homomorphic encryption with CCA security. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 667–678. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_54

  24. Rieback, M.R., Crispo, B., Tanenbaum, A.S.: Uniting legislation with RFID privacy-enhancing technologies. In: Proceedings of the 3rd Conference on Security and Protection of Information – SPI 2005, pp. 15–23 (2005)

  25. Saito, J., Ryou, J.-C., Sakurai, K.: Enhancing privacy of universal re-encryption scheme for RFID tags. In: Yang, L.T., Guo, M., Gao, G.R., Jha, N.K. (eds.) EUC 2004. LNCS, vol. 3207, pp. 879–890. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30121-9_84

  26. Senftleben, M., Bucicoiu, M., Tews, E., Armknecht, F., Katzenbeisser, S., Sadeghi, A.-R.: MoP-2-MoP – mobile private microblogging. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 384–396. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_25

  27. Stadler, M.: Publicly verifiable secret sharing. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 190–199. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_17

  28. Young, A.L., Yung, M.: Semantically secure anonymity: foundations of re-encryption. Cryptology ePrint Archive, Report 2016/341, 29 March 2016. http://eprint.iacr.org/2016/341

Author information

Corresponding author: Adam L. Young.

Appendices

A Proof for Cryptosystem A

Below is the proof of Theorem 1. \(\mathtt {DDHRerand5}\) is defined in Appendix B.

Proof

Suppose for the sake of contradiction that there exists a successful probabilistic polynomial time USS distinguishing adversary \(\mathcal {A}\) for Cryptosystem A. Adversary \(\mathcal {A}\) is stateful. Consider algorithm \(\mathtt {AlgRA}\) that takes as input a Decision Diffie-Hellman problem instance \(((p,q),g,a_0,b_0,c_0)\).

(Figure c, the listing of \(\mathtt {AlgRA}\), is not reproduced on this page.)

Consider the case that the input is a DH 3-tuple. Clearly \(C_j\) is the ciphertext under public key \(PK_j\) as specified by \(\mathcal {A}\) for \(j=0,1\). It follows from the definition of \(\mathtt {DDHRerand5}\) that \(C_j'\) is a re-encryption of \(C_j\) in accordance with \(\mathtt {URe}\) for \(j=0,1\). Therefore, the input to \(\mathcal {A}\) is drawn from the same set and probability distribution as the input to \(\mathcal {A}\) in USS. Since \(\mathcal {A}\) distinguishes with non-negligible advantage, it follows that \(b = b'\) with probability greater than or equal to \(\frac{1}{2} + \gamma \) where \(\gamma \) is non-negligible in the security parameter.

Now consider the case that the input is not a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) that the 5-tuple \((\theta _j',\theta _j,y_j,\mu _j,\mu _j')\) is uniformly distributed in \(G_{\mathfrak {p}}^5\) for \(j=0,1\). Therefore, \(C_j'\) is uniformly distributed in \(G_{\mathfrak {p}}^2 \times G_{\mathfrak {p}}^2\) for \(j=0,1\). Let \(p_1\) be the probability that \(\mathcal {A}\) responds with \(b' = 0\). Then the probability that \(b = b'\) is \(\frac{1}{2}p_1 + \frac{1}{2}(1-p_1) = \frac{1}{2}\). It follows that \(\mathcal {A}\) has negligible advantage to distinguish in this case. \(\square \)

B The New Construction: Expanded DDH Self-reduction

We now generalize the DDH random self-reduction to output five values instead of three. This allows us to transform a DDH problem instance into either two DH 3-tuples with a common “public key” or a random 5-tuple, depending on the input problem instance. We utilize this property in our proofs of security in Sect. 7 (granted, this new reduction is given for pragmatic and proof simplicity reasons, and not as an essential issue as are the modeling issues and their correction presented above). We define algorithm \(\mathtt {DDHRerand5}\) as follows. \(\mathtt {DDHRerand5}((p,q),g,x,y,z)\) randomizes a DDH problem instance by choosing the values \(u_1,u_2,v,v',u_1'\ {\in }_U\ [1,q]\) and computing,

$$\begin{aligned} (x'',x',y',z',z'') \leftarrow (x^{v'} g^{u_1'},x^v g^{u_1}, y g^{u_2},z^v y^{u_1} x^{v u_2} g^{u_1 u_2}, z^{v'} y^{u_1'} x^{v' u_2} g^{u_1' u_2}) \end{aligned}$$

Case 1. Suppose \((x,y,z)\) is a valid Diffie-Hellman (DH) 3-tuple. Then \(x = g^a\), \(y=g^b\), \(z = g^{ab}\) for some \(a, b\). It follows that \((x',y',z')\) is also a valid DH 3-tuple. It is straightforward to show that \((x'',y',z'')\) is a valid DH 3-tuple as well.

Case 2. Suppose \((x,y,z)\) is not a valid DH 3-tuple. Then \(x=g^a\), \(y=g^b\), \(z=g^{ab+c}\) for some \(c \ne 0\). In this case, \(x' = g^{a'}\), \(y' = g^{b'}\), \(z' = g^{a'b'}g^{cv}\). Since \(c \ne 0\) it follows that \(g^c\) is a generator of \(G_{\mathfrak {p}}\). Also, \(x'' = g^{a''}\), \(y' = g^{b'}\), \(z'' = g^{a''b'}g^{cv'}\).

So, when \((x,y,z)\) is a valid DH 3-tuple, \((x',y',z')\) and \((x'',y',z'')\) are random DH 3-tuples with \(y'\) in common. When \((x,y,z)\) is not a valid DH 3-tuple, the masks \(u_1, u_1', u_2\) make \(x', x'', y'\) uniform and independent of \(v, v'\), and since \(g^c\) is a generator the factors \(g^{cv}\) and \(g^{cv'}\) are uniform and independent of each other, so the output is a random 5-tuple.
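To make the five-value self-reduction concrete, here is a toy implementation of \(\mathtt {DDHRerand5}\) with checks for both cases (added here as an example; it is not code from the paper or its authors). It assumes constructed parameters p = 2039, q = 1019, g = 4 and uses a brute-force discrete log, which is feasible only because the group is tiny.

```python
"""Toy model of the DDHRerand5 self-reduction from Appendix B (example code)."""
import random

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 4 generates
# the order-q subgroup G_p of quadratic residues. Far too small for real use.
P, Q, G = 2039, 1019, 4


def ddh_rerand5(p, q, g, x, y, z, rng=random):
    """Map a DDH instance (x, y, z) to (x'', x', y', z', z'') as in Appendix B.

    Randomizers are drawn uniformly from [1, q], matching the paper's notation
    (a draw of q acts as the exponent 0 because g**q == 1 in G_p).
    """
    u1, u2, v, v2, u1p = (rng.randint(1, q) for _ in range(5))
    x2 = pow(x, v2, p) * pow(g, u1p, p) % p             # x'' = x^{v'} g^{u_1'}
    x1 = pow(x, v, p) * pow(g, u1, p) % p               # x'  = x^{v}  g^{u_1}
    y1 = y * pow(g, u2, p) % p                          # y'  = y g^{u_2}
    z1 = (pow(z, v, p) * pow(y, u1, p) * pow(x, v * u2, p)
          * pow(g, u1 * u2, p)) % p                     # z'  = z^v y^{u_1} x^{v u_2} g^{u_1 u_2}
    z2 = (pow(z, v2, p) * pow(y, u1p, p) * pow(x, v2 * u2, p)
          * pow(g, u1p * u2, p)) % p                    # z'' = z^{v'} y^{u_1'} x^{v' u_2} g^{u_1' u_2}
    return x2, x1, y1, z1, z2


def dlog(p, q, g, h):
    """Brute-force discrete log; only feasible because the toy group is tiny."""
    acc = 1
    for k in range(q):
        if acc == h:
            return k
        acc = acc * g % p
    raise ValueError("h is not in the subgroup generated by g")


def is_dh_tuple(p, q, g, x, y, z):
    """True iff z == g^{ab} where x == g^a and y == g^b."""
    return z == pow(y, dlog(p, q, g, x), p)


def make_instance(p, q, g, dh, rng=random):
    """Constructed DDH instance: a valid DH 3-tuple if dh, else z = g^{ab+c} with c != 0."""
    a, b = rng.randint(1, q), rng.randint(1, q)
    c = 0 if dh else rng.randint(1, q - 1)   # c is non-zero mod q
    return pow(g, a, p), pow(g, b, p), pow(g, a * b + c, p)


def check_case1(trials=20, seed=1):
    """Case 1: both (x', y', z') and (x'', y', z'') are DH 3-tuples sharing y'."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y, z = make_instance(P, Q, G, True, rng)
        x2, x1, y1, z1, z2 = ddh_rerand5(P, Q, G, x, y, z, rng)
        if not (is_dh_tuple(P, Q, G, x1, y1, z1) and is_dh_tuple(P, Q, G, x2, y1, z2)):
            return False
    return True


def count_dh_outputs_case2(trials=50, seed=1):
    """Case 2: the output is a random 5-tuple, so each 3-tuple is DH only with
    probability 1/q (exactly when v or v' is 0 mod q). Returns the hit count."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        x, y, z = make_instance(P, Q, G, False, rng)
        x2, x1, y1, z1, z2 = ddh_rerand5(P, Q, G, x, y, z, rng)
        hits += is_dh_tuple(P, Q, G, x1, y1, z1) + is_dh_tuple(P, Q, G, x2, y1, z2)
    return hits
```

The Case 2 count is expected to be about 2·trials/q, which is the same 1/q term that appears as \(\frac{q^2}{q^3}\) in the proofs of Appendix C.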

C Proofs

Below is the proof of Theorem 2.

Proof

Suppose there exists a probabilistic polynomial time adversary \(\mathcal {A}\) for \(AnonEnc_{\mathcal {A},\varPsi }^{eav}\), an \(\alpha > 0\), and a sufficiently large \(\kappa \), such that \(\mathcal {A}\) succeeds with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^{\alpha }}\). Consider algorithm \(\mathtt {AlgR3}\) that takes as input a DDH problem instance \(((p,q),g,a_0,b_0,c_0)\).

(Figure d, the listing of \(\mathtt {AlgR3}\), is not reproduced on this page.)

Consider the case that the input is a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) in Appendix B that c is an encryption of m in accordance with \(\mathtt {UE}\) using \(y_u\) as the public key. Therefore, the input to \(\mathcal {A}\) is drawn from the same set and probability distribution as the input to \(\mathcal {A}\) in Definition 4. It follows that \(u = u'\) with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). So, for random exponents a and b in [1, q], Pr[\(\mathtt {AlgR3}((p,q),g,g^a,g^b,g^{ab}) = \) “true”] \(\ge \frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). Define \(\psi \) = Pr[\(\mathtt {AlgR3}((p,q),g,g^a,g^b,g^{ab}) = \) “true”].

Now consider the case that the input is not a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) that the 5-tuple \((\theta _u',\theta _u,y_u,\mu _u,\mu _u')\) is uniformly distributed in \(G_{\mathfrak {p}}^5\). Therefore, c is uniformly distributed in \(G_{\mathfrak {p}}^2 \times G_{\mathfrak {p}}^2\). Let \(p_1\) be the probability that \(\mathcal {A}\) responds with \(u' = 0\). Then the probability that \(u = u'\) is \(\frac{1}{2}p_1 + \frac{1}{2}(1-p_1) = \frac{1}{2}\). So, for randomly chosen exponents a, b, and c in [1, q], the probability Pr[\(\mathtt {AlgR3}((p,q),g,g^a,g^b,g^c) = \) “true”] \(= \frac{q^2}{q^3}\psi + (1-\frac{q^2}{q^3})\frac{1}{2}\) \(= \frac{1}{2} + \frac{2\psi -1}{2q}\) which is overwhelmingly close to \(\frac{1}{2}\). \(\square \)

Below is the proof of Theorem 3.

Proof

Suppose there exists a probabilistic polynomial time adversary \(\mathcal {A}\) for \(AnonReEnc_{\mathcal {A},\varPsi }^{eav}\), an \(\alpha > 0\), and a sufficiently large \(\kappa \) such that \(\mathcal {A}\) succeeds with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^{\alpha }}\). Consider algorithm \(\mathtt {AlgR4}\) that takes as input a Decision Diffie-Hellman problem instance \(((p,q),g,a_0,b_0,c_0)\).

(Figure e, the listing of \(\mathtt {AlgR4}\), is not reproduced on this page.)

Consider the case that the input is a DH 3-tuple. Clearly \(((\alpha _0,\beta _0),(\alpha _1,\beta _1))\) is the ciphertext under public key \(y_u\) as specified by \(\mathcal {A}\). It follows from the definition of \(\mathtt {DDHRerand5}\) in Appendix B that \(c'\) is a re-encryption of \(((\alpha _0,\beta _0),(\alpha _1,\beta _1))\) in accordance with \(\mathtt {URe}\). Therefore, the input to \(\mathcal {A}\) is drawn from the same set and probability distribution as the input to \(\mathcal {A}\) in Definition 5. It follows that \(u = u'\) with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). So, for random exponents a and b in [1, q], Pr[\(\mathtt {AlgR4}((p,q),g,g^a,g^b,g^{ab}) = \) “true”] \(\ge \frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). Define the value \(\psi \) to be Pr[\(\mathtt {AlgR4}((p,q),g,g^a,g^b,g^{ab}) = \) “true”].

Now consider the case that the input is not a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) that the 5-tuple \((\theta _u',\theta _u,y_u,\mu _u,\mu _u')\) is uniformly distributed in \(G_{\mathfrak {p}}^5\). Therefore, \(c'\) is uniformly distributed in \(G_{\mathfrak {p}}^2 \times G_{\mathfrak {p}}^2\). Let \(p_1\) be the probability that \(\mathcal {A}\) responds with \(u' = 0\). Then the probability that \(u = u'\) is \(\frac{1}{2}p_1 + \frac{1}{2}(1-p_1) = \frac{1}{2}\). So, for randomly chosen exponents a, b, and c in [1, q], the probability Pr[\(\mathtt {AlgR4}((p,q),g,g^a,g^b,g^c) = \) “true”] \(= \frac{1}{2} + \frac{2\psi -1}{2q}\). \(\square \)

Below is the proof of Theorem 4.

Proof

Suppose there exists a probabilistic polynomial time adversary \(\mathcal {A}\) for \(PubKEnc_{\mathcal {A},\varPsi }^{eav}\), an \(\alpha > 0\) and a sufficiently large \(\kappa \), such that \(\mathcal {A}\) succeeds with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^{\alpha }}\). Consider algorithm \(\mathtt {AlgR1}\) that takes as input a DDH problem instance \(((p,q),g,a_0,b_0,c_0)\).

(Figure f, the listing of \(\mathtt {AlgR1}\), is not reproduced on this page.)

Consider the case that the input is a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) in Appendix B that c is an encryption of \(m_b\) according to \(\mathtt {UE}\) using y as the public key. Therefore, the input to \(\mathcal {A}\) is drawn from the same set and probability distribution as the input to \(\mathcal {A}\) in Definition 2. It follows that \(b = b'\) with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). So, for random exponents a and b in [1, q], Pr[\(\mathtt {AlgR1}((p,q),g,g^a,g^b,g^{ab}) = \) “true”] \(\ge \frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). Define \(\psi \) = Pr[\(\mathtt {AlgR1}((p,q),g,g^a,g^b,g^{ab}) = \) “true”].

Now consider the case that the input is not a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) that \((\theta ',\theta ,y,\mu ,\mu ')\) is uniformly distributed in \(G_{\mathfrak {p}}^5\). Therefore, c is uniformly distributed in \(G_{\mathfrak {p}}^2 \times G_{\mathfrak {p}}^2\). Let \(p_1\) be the probability that \(\mathcal {A}\) responds with \(b' = 0\). Then the probability that \(b = b'\) is \(\frac{1}{2}p_1 + \frac{1}{2}(1-p_1) = \frac{1}{2}\). So, for randomly chosen exponents a, b, and c in [1, q], the probability Pr[\(\mathtt {AlgR1}((p,q),g,g^a,g^b,g^c) = \) “true”] \(= \frac{1}{2} + \frac{2\psi -1}{2q}\). \(\square \)

Below is the proof of Theorem 5.

Proof

Suppose there exists a probabilistic polynomial time adversary \(\mathcal {A}\) for \(PubKReEnc_{\mathcal {A},\varPsi }^{eav}\), an \(\alpha > 0\), and a sufficiently large \(\kappa \), such that \(\mathcal {A}\) succeeds with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^{\alpha }}\). Consider algorithm \(\mathtt {AlgR2}\) that takes as input a DDH problem instance \(((p,q),g,a_0,b_0,c_0)\).

(Figure g, the listing of \(\mathtt {AlgR2}\), is not reproduced on this page.)

Consider the case that the input is a DH 3-tuple. Clearly \(((\alpha _0,\beta _0),(\alpha _1,\beta _1))\) is the ciphertext of \(m_b\) as specified by adversary \(\mathcal {A}\). It follows from the definition of \(\mathtt {DDHRerand5}\) in Appendix B that \(c'\) is a re-encryption of \(((\alpha _0,\beta _0),(\alpha _1,\beta _1))\) according to \(\mathtt {URe}\). Therefore, the input to \(\mathcal {A}\) is drawn from the same set and probability distribution as the input to \(\mathcal {A}\) in Definition 3. It follows that \(b = b'\) with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). So, for random exponents a and b in [1, q], Pr[\(\mathtt {AlgR2}((p,q),g,g^a,g^b,g^{ab}) = \) “true”] \(\ge \frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). Define the value \(\psi \) to be Pr[\(\mathtt {AlgR2}((p,q),g,g^a,g^b,g^{ab}) = \) “true”].

Now consider the case that the input is not a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) that \((\theta ',\theta ,y,\mu ,\mu ')\) is uniformly distributed in the set \(G_{\mathfrak {p}}^5\). Therefore, \(c'\) is uniformly distributed in \(G_{\mathfrak {p}}^2 \times G_{\mathfrak {p}}^2\). Let \(p_1\) be the probability that \(\mathcal {A}\) responds with \(b' = 0\). Then the probability that \(b = b'\) is \(\frac{1}{2}p_1 + \frac{1}{2}(1-p_1) = \frac{1}{2}\). So, for randomly chosen exponents a, b, and c in [1, q], the probability Pr[\(\mathtt {AlgR2}((p,q),g,g^a,g^b,g^c) = \) “true”] \(= \frac{1}{2} + \frac{2\psi -1}{2q}\). \(\square \)

Theorems 2, 3, 4, and 5 show that Theorem 6 holds.

D Related Work

Fairbrother sought a more efficient hybrid universal cryptosystem based on \(\mathtt {UCS}\) [8]. Universal re-encryption was used in a protocol to control anonymous information flow, e.g., to prevent spam from being injected into the anonymization network [16]. Onion-based routing and universal re-encryption were leveraged to form hybrid anonymous communication protocols [12, 17]. A circuit-based anonymity protocol was presented based on universal re-encryption [18]. Weaknesses in [12, 16,17,18] were presented in [6]. Golle presented a reputable mix network construction based on universal re-encryption [10].

Groth presented a re-randomizable and replayable cryptosystem based on DDH achieving adaptive chosen ciphertext security [13]. The construction and security arguments do not address key anonymity. Prabhakaran and Rosulek presented a construction for a rerandomizable encryption scheme [22] that aims to be CCA-secure under DDH. See also [23]. Re-encryption mix networks are utilized in actual electronic voting systems such as Helios [1]. They are also used in GR.NET’s Zeus system (github.com/grnet/zeus).

There has been more recent work on proxy encryption [15]. In proxy encryption a ciphertext of a message m encrypted under Alice’s public key is re-encrypted into a ciphertext of m under Bob’s public key. Our setting differs since the receiver’s public key does not change during re-encryption.

The notion of key anonymity was introduced by Bellare, Boldyreva, Desai, and Pointcheval [2]. They formally defined public key cryptosystems that produce ciphertexts that do not reveal the receiver and showed that ElGamal and Cramer-Shoup achieve key anonymity.

The present paper was published in 2016 on ePrint [28]. It influenced the privacy-preserving user-auditable pseudonym system of Camenisch and Lehmann [4], who leverage our security definition for incomparable public keys and cite the applicability of our reduction technique from Appendix B. The present paper was also mentioned as a needed building block for universal re-encryption for AppeCoin (footnote 4).

Copyright information

© 2018 Springer Nature Switzerland AG

Cite this paper

Young, A.L., Yung, M. (2018). Semantically Secure Anonymity: Foundations of Re-encryption. In: Catalano, D., De Prisco, R. (eds) Security and Cryptography for Networks. SCN 2018. Lecture Notes in Computer Science, vol 11035. Springer, Cham. https://doi.org/10.1007/978-3-319-98113-0_14

  • DOI: https://doi.org/10.1007/978-3-319-98113-0_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-98112-3

  • Online ISBN: 978-3-319-98113-0
