Achieving key privacy without losing CCA security in proxy re-encryption

https://doi.org/10.1016/j.jss.2011.09.034

Abstract

In proxy re-encryption (PRE), a semi-trusted proxy can transform a ciphertext under the delegator's public key into another ciphertext that the delegatee can decrypt with his/her own private key, while the proxy itself cannot access the plaintext. Because of this transformation property, proxy re-encryption can be used in many applications, such as encrypted email forwarding. Some of these applications require the underlying PRE scheme to be both CCA-secure and key-private. However, to the best of our knowledge, none of the existing PRE schemes satisfies this security requirement in the standard model. In this paper, based on the 5-Extended Decision Bilinear Diffie–Hellman assumption and the Decision Diffie–Hellman assumption, we propose the first such PRE scheme, which solves an open problem left by Ateniese et al. (2009).

Highlights

  • A proxy re-encryption scheme with two security properties is proposed. In particular, it holds chosen ciphertext security (CCA security) and key privacy.

  • We give the security proofs in the standard model based on the 5-Extended Decision Bilinear Diffie–Hellman assumption and the Decision Diffie–Hellman assumption.

  • An application named ‘anonymous sharing’ for the proposed scheme is proposed.

Introduction

There are many applications requiring that a ciphertext under one public key can be transformed into another ciphertext of the same message under a different public key, without the plaintext being revealed during the transformation. Consider the following scenario.

A group of members share an account of an outsourced storage service, and every member can use this account to upload/download files to/from the server. In order to protect the secrecy of the files, the files should be encrypted before being sent to the server. When the owner of the files wants to share them with another group member, he/she needs to delegate his/her decryption rights on the encrypted files to the intended group member. Such delegation can be done via the server: the server transforms the files encrypted under the owner's public key into files encrypted under the intended group member's public key, yet the server cannot access the files. In other words, the outsourced storage service does not require full trust in the server.

To solve the above problem, Blaze et al. (1998) proposed the concept of proxy re-encryption (PRE). In such a scheme, a semi-trusted proxy holding specific information (the re-encryption key) can transform a ciphertext under Alice's (the delegator's) public key into another ciphertext of the same plaintext under Bob's (the delegatee's) public key, while learning nothing about the plaintext. Blaze et al. (1998) give two ways to classify PRE schemes. The first is by the direction of transformation: if the re-encryption key allows the proxy to transform from Alice to Bob and vice versa, the PRE scheme is bidirectional; otherwise, it is unidirectional. The second is by the number of transformations allowed: if a ciphertext can be transformed from Alice to Bob, then from Bob to Charlie, and so on, the PRE scheme is multi-use; otherwise, it is single-use.

According to the security requirements of applications, there are two security notions for PRE (Ateniese et al., 2005, Ateniese et al., 2006, Ateniese et al., 2009, Canetti and Hohenberger, 2007).

  • Indistinguishability of encryptions: the adversary cannot obtain the plaintext if he is not an intended receiver (the delegator or a delegatee). In the security model, an adversary cannot effectively distinguish between the encryptions of two messages of his choosing. As for public key encryption (PKE), there are three levels of this indistinguishability, i.e., chosen-plaintext (CPA) security, replayable chosen-ciphertext (RCCA) security, and chosen-ciphertext (CCA) security (ordered by increasing adversarial power).

  • Indistinguishability of keys (Key privacy): the adversary cannot identify the delegatee even if he holds the re-encryption key. In the security model, an adversary cannot effectively distinguish between the real re-encryption key of the challenge delegation (from an uncorrupted user to an uncorrupted user) of his choosing and a random key. All the applications of PRE can benefit from this property, i.e., the recipient of the ciphertext can keep his/her identity secret. This property is highly desirable for many encrypted communication scenarios (Ateniese et al., 2009).

To the best of our knowledge, though there are many PRE schemes proposed (Blaze et al., 1998, Ateniese et al., 2005, Ateniese et al., 2006, Ateniese et al., 2009, Canetti and Hohenberger, 2007, Libert and Vergnaud, 2008, Shao and Cao, 2009), no existing scheme holds CCA security and key privacy simultaneously in the standard model.

On the other hand, there are many applications requiring a CCA-secure PRE scheme with key privacy. Consider again the outsourced storage service above. The following chosen ciphertext attack may be launched: an adversary might obtain a “decryption oracle” by faking encrypted files, sending them to the owner of the files, and then hoping that he/she responds with, “Did you share the following with me? [Decrypted attachment.]” Furthermore, in such an environment, it is also highly desirable that the server cannot extract a list of “who was sharing files privately with whom” or a list of “who is using the re-encryption service”. These two lists could harm not only the secrecy of users' actions, but also the secrecy of the files' contents (the adversary could concentrate on decrypting the encrypted files related to one specific group member). The high-level description of the whole scenario is given in Fig. 1.

In this paper, we propose the first such PRE scheme in the standard model, solving an open problem left by Ateniese et al. (2009). Our construction relies on a new Diffie–Hellman related intractability assumption in bilinear map groups. Note that our proposal is single-use, which suffices for the encrypted email setting above.

Besides the encrypted email forwarding, PRE can be used in many applications, including simplification of key distribution (Blaze et al., 1998), distributed file systems (Ateniese et al., 2005, Ateniese et al., 2006), security in publish/subscribe systems (Khurana and Koleva, 2006), multicast (Chiu et al., 2005), secure certified email mailing lists (Khurana et al., 2005, Khurana and Hahm, 2006), interoperable architecture of DRM (Taban et al., 2006), access control (Talmy and Dobzinski, 2006), and privacy for public transportation (Heydt-Benjamin et al., 2005). Hence, since the introduction of proxy re-encryption by Blaze et al. (1998), there have been many papers (Blaze et al., 1998, Ateniese et al., 2005, Ateniese et al., 2006, Ateniese et al., 2009, Green and Ateniese, 2007, Hohenberger et al., 2007, Canetti and Hohenberger, 2007, Weng et al., 2008, Shao and Cao, 2009) that have proposed different PRE schemes with different security properties.

The first CPA-secure PRE scheme was proposed by Blaze et al. (1998) based on ElGamal encryption (ElGamal, 1985). Later, using a key-sharing technique, Green and Ateniese (2007) and Weng et al. (2008) each proposed an efficient single-use unidirectional PRE scheme. The first CCA-secure multi-use bidirectional PRE scheme in the standard model was proposed by Canetti and Hohenberger (2007).

Nevertheless, none of the above schemes is collusion resistant. Based on public key encryption with double trapdoors (strong and weak private keys), Ateniese et al. (2005, 2006) proposed the first collusion resistant PRE schemes. However, their schemes are only CPA-secure. Recently, Libert and Vergnaud (2008) proposed the first RCCA-secure and collusion resistant PRE scheme in the standard model, and Shao and Cao (2009) and Chow et al. (2010) proposed CCA-secure and collusion resistant PRE schemes in the random oracle model. These three schemes are all single-use and unidirectional.

However, as noted by Ateniese et al. (2009), none of the above schemes is key-private. Based on the scheme in Ateniese et al. (2005, 2006), Ateniese et al. (2009) proposed the first key-private PRE scheme. However, their scheme is only CPA-secure, and they left achieving key privacy without losing CCA security in proxy re-encryption as an open problem.
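The classification in the Introduction (bidirectional vs. unidirectional, multi-use vs. single-use) and the key-privacy gap noted in this paragraph can be made concrete with a toy version of the ElGamal-based scheme of Blaze et al. (1998). This is an added illustration, not the scheme proposed in this paper; the group parameters are constructed and far too small for real use, and the function names (`rekey_links`, `demo`, and so on) are my own.

```python
import secrets

# Constructed toy group: safe prime P = 2*Q + 1, and G = 4 is a quadratic
# residue, so it generates the subgroup of prime order Q (far too small
# for real use; it only makes the algebra visible).
P, Q, G = 1019, 509, 4

def keygen():
    a = secrets.randbelow(Q - 1) + 1          # private key a in [1, Q-1]
    return a, pow(G, a, P)                    # public key g^a

def encrypt(pk, m):
    k = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, k, P)) % P, pow(pk, k, P)   # (m*g^k, g^{a k})

def decrypt(sk, ct):
    c1, c2 = ct
    gk = pow(c2, pow(sk, -1, Q), P)           # (g^{a k})^{1/a} = g^k
    return (c1 * pow(gk, -1, P)) % P

def rekey(sk_from, sk_to):
    # rk = b/a mod Q: needs both private keys, and its inverse is the
    # key for the reverse direction, so the scheme is bidirectional.
    return (sk_to * pow(sk_from, -1, Q)) % Q

def reencrypt(rk, ct):
    # Proxy step: (g^{a k})^{b/a} = g^{b k}. The proxy sees neither a, b
    # nor m, and the output is an ordinary ciphertext, so it is multi-use.
    c1, c2 = ct
    return c1, pow(c2, rk, P)

def rekey_links(rk, pk_from, pk_to):
    # Key-privacy check: a real rk for (A, B) satisfies pk_A^rk == pk_B,
    # so anyone holding rk can tell it from a random key. That public
    # test is exactly what a key-private scheme must rule out.
    return pow(pk_from, rk, P) == pk_to

def demo(m=123):
    a, pk_a = keygen(); b, pk_b = keygen(); c, pk_c = keygen()
    rk_ab = rekey(a, b)
    ct_b = reencrypt(rk_ab, encrypt(pk_a, m))   # Alice -> Bob
    ct_c = reencrypt(rekey(b, c), ct_b)         # Bob -> Charlie
    return {
        "bob_reads": decrypt(b, ct_b) == m,
        "charlie_reads": decrypt(c, ct_c) == m,
        "bidirectional": pow(rk_ab, -1, Q) == rekey(b, a),
        "rk_linkable": rekey_links(rk_ab, pk_a, pk_b),
    }
```

Every entry of `demo()` comes out True: the scheme is bidirectional and multi-use, and the last entry is the linkability that a key-private scheme such as the one in this paper must prevent.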

In this paper, we take up this challenge.

In this paper, we propose the first CCA-secure and key-private PRE scheme in the standard model, which is an open problem left by Ateniese et al. (2009). Furthermore, the key privacy of our proposal is proved in a revised security model, where multiple re-encryption keys can correspond to one delegation. As mentioned by Ateniese et al. (2009), Ateniese et al.'s scheme is not key-private in the revised security model.

In the rest of the paper, we first introduce some basic knowledge we use in this paper. In Section 3, we propose our construction and give the security proofs. Finally, we draw the conclusion.

Definitions and security models

In this section, we review some basic knowledge we will use later, including the definitions and security models for one-time symmetric key encryption (SKE), one-time signature (SIG), and proxy re-encryption (PRE), and the definitions of the 5-Extended Decision Bilinear Diffie–Hellman (5-EDBDH) assumption and the Decision Diffie–Hellman (DDH) assumption.

Our proposal

In this section, we first propose a new PRE scheme, and then prove its CCA security and key privacy in the standard model one by one.

Conclusion

In this paper, we first revised the security model of key privacy for single-use unidirectional PRE. The revised security model allows multiple re-encryption keys to correspond to one delegation, and allows the adversary to get the re-encryption key of any delegation he wants. After that, based on the 5-EDBDH assumption and DDH assumption, we proposed the first PRE scheme which is CCA-secure and key-private in the standard model.

Acknowledgements

The authors thank the anonymous reviewers for their insightful comments and helpful suggestions. Jun Shao was supported by NSFC, no. 61003308; ZJGSUSF, no. 1130XJ2010045; and ECZJF, no. Y201017312. Peng Liu was supported by AFOSR, FA9550-07-1-0527 (MURI); ARO, W911NF-09-1-0525 (MURI); NSF, CNS-0905131 and CNS-0916469. Yuan Zhou was supported by NSFC, No. 60873217.

Jun Shao is now an associate professor in College of Computer and Information Engineering at Zhejiang Gongshang University. Before joining in Zhejiang Gongshang University, he was a post-doctoral researcher in S2 Lab in College of Information Sciences and Technology at Pennsylvania State University. He obtained his Ph.D. degree in Department of Computer Science and Engineering at Shanghai Jiao Tong University in May, 2008. His research interests are in the area of applied cryptography.

References (27)

  • Ateniese, G., et al. Key-private proxy re-encryption.

  • Ateniese, G., et al. Improved proxy re-encryption schemes with applications to secure distributed storage.

  • Ateniese, G., et al. Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Transactions on Information and System Security (TISSEC) (2006).

  • Bellare, M., et al. Key-privacy in public-key encryption.

  • Blaze, M., et al. Divertible protocols and atomic proxy cryptography.

  • Canetti, R., et al. Chosen-ciphertext security from identity-based encryption.

  • Canetti, R., et al. Chosen-ciphertext secure proxy re-encryption.

  • Chiu, Y.-P., et al. Secure multicast using proxy encryption.

  • Chow, S., et al. Efficient unidirectional proxy re-encryption.

  • Cramer, R., et al. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack.

  • Cramer, R., et al. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing (2003).

  • ElGamal, T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory (1985).

  • Fujisaki, E., et al. Secure integration of asymmetric and symmetric encryption schemes.

Peng Liu received his B.S. and M.S. degrees from the University of Science and Technology of China, and his Ph.D. degree from George Mason University in 1999. He is a full professor in the College of Information Sciences and Technology and the director of the LOINS center at Penn State. His research interests are in all areas of computer and network security.

Yuan Zhou received his Ph.D. in 2006 from Shanghai Jiao Tong University. He is now an advanced engineer at the National Network Emergency Response Technical Team/Coordination Center, P.R. China. He has authored or co-authored over 40 papers. His research interests include public key cryptography and P2P network protocols.