Open Access

SCCR: a generic approach to simultaneously achieve CCA security and collusion-resistance in proxy re-encryption


Abstract

By allowing a proxy to blindly perform meaningful transformations from one ciphertext to another, proxy re-encryption (PRE) is an important cryptographic primitive in many applications, such as encrypted email forwarding and distributed file systems. Due to its usefulness, various PRE schemes have been proposed; however, only one simultaneously achieves chosen ciphertext security (CCA security) and collusion-resistance. When such schemes are deployed, lack of CCA security leads to secret leakage, and lack of collusion-resistance destroys non-repudiation. In this paper, we propose a novel approach (denoted SCCR) to simultaneously achieve CCA security and collusion-resistance in PRE, which faces daunting new challenges. We address these challenges by using a CCA-secure (2, 2) threshold cryptosystem to obtain public verifiability, and the key management method of identity-based encryption (IBE) to achieve collusion-resistance. Neither technique has been used in any previous PRE scheme. A unique characteristic of SCCR is that it is a generic construction, which has more advantages than a concrete PRE scheme does. Copyright © 2009 John Wiley & Sons, Ltd.

1 INTRODUCTION

Many applications, such as encrypted email forwarding 1 and distributed file systems 2, 3, require blind ciphertext transformation: a proxy should be able to perform meaningful transformations from one ciphertext to another without being able to access the corresponding plaintext. To solve this problem, Blaze et al. 1 proposed a new cryptographic primitive, called proxy re-encryption (PRE), where a semi-trusted proxy holding a re-encryption key rk can transform a ciphertext for Alice (the delegator) into another ciphertext for Bob (the delegatee) on the same plaintext, without learning the plaintext. In their paper, they classified PRE schemes in two ways: by the direction of transformation, and by the number of transformations. By the first criterion, PRE schemes are either bidirectional, i.e., the proxy can transform from Alice to Bob and vice versa, or unidirectional, i.e., the proxy can only transform in one direction. By the second criterion, PRE schemes are either multi-use, i.e., a ciphertext can be transformed from Alice to Bob to Carol and so on, or single-use, i.e., a ciphertext can be transformed only once.

Due to its transformation property, PRE has been used in many applications, including encrypted email forwarding 1, key escrow 4, distributed file systems 2, 3, security in publish/subscribe systems 5, multicast 6, secure certified email mailing lists 7, 8, the DRM of Apple's iTunes 9, interoperable DRM architectures 10, access control 11, and privacy for public transportation 12. Recently, Hohenberger et al. obtained a secure obfuscation of re-encryption 13, the first positive result on obfuscating an encryption functionality, in contrast with a series of impossibility results 14–16. As mentioned in Reference 17, chosen plaintext security (CPA security), which guarantees that an adversary without a decryption oracle cannot effectively distinguish between the encryptions of two messages of his choosing, is not enough for many applications. Consider the following PRE-based access control system.

In this access control system, there are four entities: the gateway, the central authority, the tamper-resistant smart card, and the user. They play the roles of encryptor, proxy, delegator, and delegatee in PRE, respectively. Initially, the central authority gives the user a smart card holding a re-encryption key rk corresponding to the public keys of the central authority and the user. When the user wants to access the system, he sends a login message to the gateway, which responds with a ciphertext under the central authority's public key. Upon receiving the ciphertext, the user first uses the smart card to transform it into a ciphertext under his own public key, and then uses his own private key to obtain the plaintext, which he returns to the gateway. If the received plaintext corresponds to the ciphertext it sent, the gateway lets the user access the system. The advantages of this access control system are twofold. First, the gateway only needs to know the central authority's public key, which makes the gateway easy to implement. Second, the user can access the system anonymously, since he reveals no information about himself during the access process.

The key point in the above PRE-based access control system is the method of proving access rights: the user decrypts a random challenge ciphertext with the help of the smart card. However, this opens a secret-leaking door to an adversary who sends ciphertexts in the guise of challenges and obtains the corresponding plaintexts. If this attack were to reveal the private key, the adversary could access the system, since he would then possess the ability to decrypt the challenges sent by others. Based on this and other such applications, it is desirable to design PRE schemes that are secure against chosen ciphertext attack, i.e., CCA-secure.

Though many papers 1, 2, 4, 17–20 have proposed different PRE schemes with different properties, only two schemes 17, 20 are CCA-secure 20. The difficulty in constructing a CCA-secure PRE scheme is to provide public verifiability of the ciphertext. Public verifiability allows the proxy to check the validity of a ciphertext before transforming it, which guarantees that the delegatee cannot use the proxy as a decryption oracle. A one-time signature and a signature of knowledge 21, 22 are used in References 17 and 20, respectively, to obtain public verifiability.

Furthermore, many existing PRE schemes, such as those in References 17, 18, suffer from the collusion attack, i.e., Bob can collude with the proxy to recover Alice's private key. In this case, the delegator cannot delegate decryption rights while keeping signing rights for the same public key. As a result, the non-repudiation property of Alice's signatures no longer holds. Consider again the above PRE-based access control system. If the central authority also uses the same private key to sign messages authorizing another kind of user, then PRE schemes suffering from the collusion attack cannot be used, since the user could extract the re-encryption key from the smart card by some means and obtain the central authority's private key. Though the central authority can always use separate keys for encryption and signing, collusion-resistance remains of theoretical interest. To the best of our knowledge, there are only three existing collusion resistant schemes 2, 19, 20, and only the scheme in Reference 20 is CCA-secure.

Many applications require CCA-secure, collusion resistant PRE, yet only one such scheme is available. It is therefore desirable to design more CCA-secure and collusion resistant PRE schemes.

The concept of identity-based cryptography was proposed by Shamir 23, where the public key is the user's identity, thereby solving several key-distribution issues of traditional public key cryptography. In Reference 18, Green and Ateniese extended the notion of PRE to identity-based encryption (IBE), i.e., ID-based PRE (IBPRE), where the proxy can transform a ciphertext under Alice's identity into another ciphertext under Bob's identity. IBPRE can be applied to secure email with IBE, attribute-based delegation, bridging IBE and PKE, and access control in networked file storage 18. However, to date there is no CCA-secure IBPRE scheme 18 and no collusion resistant IBPRE scheme.

Due to the usefulness of, and the lack of, CCA-secure PRE schemes, CCA-secure and collusion resistant PRE schemes, and CCA-secure and collusion resistant IBPRE schemes, we propose the first generic constructions for these three kinds of PRE. Besides obtaining a series of schemes of each kind, generic constructions bring the following further benefits:

  • A real application environment may be distributed and heterogeneous, so that different computation methods are in use. Some applications use RSA-style computation, since it is an industrial standard, while others compute on elliptic curves because short parameters are required. A generic construction suits these different situations, whereas a concrete scheme cannot.
  • A generic construction allows the resulting CCA-secure schemes to be built on different complexity assumptions, even the computational Diffie-Hellman assumption. As a result, from the viewpoint of the underlying complexity assumption, we obtain PRE schemes that are more secure than the existing concrete schemes.
  • A generic construction allows new technologies to be deployed incrementally. For instance, if the speed of modular exponentiation improves, the improvement carries over directly, since a scheme obtained from the generic construction has computational overhead dominated by modular exponentiation. Such an improvement does not speed up most existing CCA-secure schemes 17, 19, since they are built on bilinear maps, where pairing computation is the main cost.

However, to obtain generic constructions for these three kinds of PRE, we must address the following new challenges.

  • The methods for public verifiability and collusion-resistance must be universal, i.e., they cannot rely on specific mathematical structures, such as groups where the computational problem (computational Diffie-Hellman problem) is hard but the decisional problem (decisional Diffie-Hellman problem) is easy.
  • We cannot directly use the existing paradigms for transforming CPA security into CCA security, such as the Fujisaki–Okamoto (FO) conversion or the Canetti–Halevi–Katz (CHK) conversion, to obtain CCA-secure PRE.
  • There is no existing paradigm for achieving collusion-resistance in any encryption-type cryptographic primitive.

After investigating the above challenges and the characteristics of PRE, we obtain the following observations:

  • In PRE, the delegator delegates decryption rights to the delegatee via the proxy. In other words, the delegatee and the proxy can always cooperate to decrypt the delegator's ciphertexts. A similar situation exists in threshold cryptosystems, where any threshold number of decryption servers can cooperate to decrypt ciphertexts.
  • For public verifiability, a similar situation exists in CCA-secure threshold cryptosystems, i.e., a decryption server must check a ciphertext's validity before performing partial decryption.
  • A natural method to obtain collusion-resistance is to decrypt with a decryption key (rather than the private key) that can be computed from the private key, while the reverse computation is infeasible. A similar situation exists in IBE: the private key generator (PKG) holding a master key generates a user's private key, while from that private key the user cannot recover the master key.

The first two observations show that we can use a CCA-secure (2, 2) threshold cryptosystem to obtain public verifiability, and the last observation shows that we can use the key management method of IBE to resist the collusion attack. Hence, we design the generic constructions from the following three basic tools: a CCA-secure (2, 2) threshold cryptosystem, a CCA-secure ID-based (2, 2) threshold cryptosystem, and a CCA-secure 2-level hierarchical ID-based (2, 2) threshold cryptosystem. In particular, we use the first, the second, and the third to obtain the generic constructions for CCA-secure PRE, CCA-secure and collusion resistant PRE, and CCA-secure and collusion resistant IBPRE, respectively.

1.1 Related work

The first PRE scheme was proposed by Blaze et al. 1. However, it suffers from collusion attacks and is bidirectional. Note that unidirectional PRE is more powerful than bidirectional PRE, since a bidirectional scheme can always be implemented by running a unidirectional one in both directions. As a result, many researchers have recently tried to design unidirectional PRE. Jakobsson 25 and Zhou et al. 26 gave a partial solution by proposing a quorum-based protocol where the proxy is divided into sub-components. Based on a key sharing technique, Ivan and Dodis 4 proposed a generic construction that converts any public key encryption scheme into a unidirectional PRE scheme. By using a modified Ivan–Dodis key sharing technique, Green and Ateniese 18, Chu and Tzeng 27, Deng et al. 24, and Kirtane and Rangan 28 proposed several unidirectional PRE schemes with different properties, such as ID-based 18, 27 and pairing-free 24, 28. However, none of the above PRE schemes is CCA-secure 20 or collusion resistant. To the best of our knowledge, only the scheme in Reference 17 is proven secure against chosen-ciphertext attacks in the standard model, but it is bidirectional and not collusion resistant.

Regarding the collusion resistant PRE, the first one is proposed by Ateniese et al. 2, 3 by using pairings, however, this scheme is only CPA-secure. Later, based on Ateniese et al.'s scheme, Libert and Vergnaud 19 proposed a replayable chosen-ciphertext (RCCA) secure and collusion resistant unidirectional PRE scheme in the standard model. Recently, based on scheme BCP03 29, we proposed the first CCA secure and collusion resistant unidirectional PRE scheme by using signature of knowledge 21, 22 and Fujisaki–Okamoto conversion 30, 31.

1.2 Our contribution

In this paper, based on threshold cryptosystems, we first propose a generic construction for CCA-secure, single-use, unidirectional PRE. In particular, we treat the delegator (Alice) as the trusted dealer of a (2, 2) threshold cryptosystem, and the proxy and the delegatee (Bob) as its two decryption servers. Whenever the underlying (2, 2) threshold cryptosystem is CCA-secure, the resulting unidirectional PRE scheme is CCA-secure. Since there are many CCA-secure (2, 2) threshold cryptosystems in the random oracle model or the standard model based on various assumptions, we can easily obtain CCA-secure unidirectional PRE schemes in the random oracle model or the standard model based on various assumptions. Note that a CCA-secure (2, 2) threshold cryptosystem cannot be obtained by simply splitting a secret into two shares whose sum (or XOR) is the secret, since there is no public verifiability in that case. Public verifiability is essential in threshold cryptosystems; it is the basic requirement of a CCA-secure threshold cryptosystem 32.

It is easy to see that the above generic construction suffers from the collusion attack, i.e., the proxy and the delegatee can cooperate to recover the delegator's private key. Fortunately, we can use the key management technique of IBE to resist this attack. In particular, the user acts as the PKG in IBE to generate a decryption key corresponding to his identity, and shares this key between the proxy and the delegatee. Furthermore, the encryption key becomes the original public key together with the receiver's identity. More precisely, the underlying (2, 2) threshold cryptosystem becomes an ID-based (2, 2) threshold cryptosystem. As a result, we obtain the first unidirectional PRE that is CCA-secure and collusion resistant in the standard model, provided that the underlying ID-based threshold cryptosystem is CCA-secure in the standard model. By a similar method, we obtain the first CCA-secure, collusion resistant, unidirectional IBPRE schemes in the standard model.

1.3 Organization

The remaining paper is organized as follows. In Section 2, we review the definitions related to our proposal. In Section 3, we propose our generic construction for CCA-secure PRE and its security proof. An example of the generic construction is also presented in Section 3. In Section 4, we give some extensions on the generic construction, including CCA-secure and collusion resistant (IB)PRE, and the generalized unidirectional PRE. Finally, we conclude the paper in Section 5.

2 PRELIMINARIES

In this section, we briefly review the definitions related to our proposal; similar content can be found in References 2, 3, 17, 20, 32.

2.1 Public key encryption

Definition 1 (Public Key Encryption (PKE)).A public key encryption scheme PKE is a triple of PPT algorithms (KeyGen, Enc, Dec):

  • PKE.KeyGenequation image. On input the security parameter 1k, the key generation algorithm PKE.KeyGen outputs a public key pk and a private key sk.
  • PKE.Encequation image. On input a public key pk and a message m in the message space, the encryption algorithm PKE.Enc outputs a ciphertext C.
  • PKE.Decequation image. On input a private key sk and a ciphertext C, the decryption algorithm PKE.Dec outputs a message m in the message space or equation image, which is not in the message space.

Correctness. The correctness property requires that for any message m in the message space and any key pair equation image, the following condition holds: equation image.

2.2 Threshold cryptosystem

In a t out of n threshold cryptosystem, there are a trusted dealer and a set equation image of decryption servers. In order to understand our generic construction easily, we modify the definitions in Reference 32 a little, in particular, we divide key generation algorithm into two parts: setup algorithm and key sharing algorithm.

Definition 2 (Threshold Cryptosystem (TPKE)).A (t, n) threshold cryptosystem TPKE consists of the following algorithms.

  • TPKE.Setupequation image. On input the security parameter 1k, the setup algorithm TPKE.Setup outputs a public key pk and a private key sk for the trusted dealer.
  • TPKE.KShaequation image. On input the key pair (pk, sk), the number n ≥ 1 of decryption servers and the threshold parameter t (equation image); the key sharing algorithm TPKE.KSha outputs the public verification key VK, and decryption servers' private keys equation image. Note that the public verification key VK may be a vector corresponding to SK.
  • TPKE.Encequation image. On input a public key pk and a message m in the message space, the encryption algorithm TPKE.Enc outputs a ciphertext C.
  • TPKE.PDecequation image. On input a decryption server's private key ski and a ciphertext C, the partial decryption algorithm TPKE.PDec outputs a partial plaintext mi if C is well formed; otherwise, output equation image.
  • TPKE.PVerequation image. On input the verification key VK, a ciphertext C, and partial plaintext mi, the partial plaintext verification algorithm outputs 1 if the verification passes; otherwise 0.
  • TPKE.CDecequation image. On input the public verification key VK, a ciphertext C, and t partial plaintext equation image, the combining decryption algorithm outputs a plaintext m. The combining decryption algorithm may output a special symbol equation image that is distinct from all possible messages, if one of the input partial plaintexts is invalid.

Correctness. Two requirements must be satisfied in a (t, n) threshold cryptosystem. For any output (pk, VK, SK) of TPKE.KShaequation image, the following conditions should hold.

  • 1.Any genuine partial plaintext of a ciphertext C is also a valid partial plaintext of C.
  • 2.TPKE.CDecequation image, where equation image is any t partial plaintext TPKE.PDecequation image's.

Chosen Ciphertext Security for Threshold Cryptosystems. A threshold cryptosystem TPKE is semantically secure against an adaptive chosen ciphertext attack if no polynomially bounded adversary equation image has a non-negligible advantage against the Challenger in the T-CCA game.

Phase 1: The Challenger runs TPKE.Setup(1k) to get the key pair (pk, sk), and sends pk to the adversary equation image but keeps sk secret. After receiving pk, the adversary equation image chooses to corrupt a fixed set of t – 1 decryption servers, w.l.o.g, the corrupted decryption servers are equation image. And then equation image issues queries equation image where query qi is one of:

  • Key Sharing oracleequation image: The private keys of the corrupted servers are given to equation image, while the other private keys are kept secret from equation image. Furthermore, the public verification key is also given to equation image.
  • Partial Decryption oracleequation image: equation image sends a ciphertext C and i to the Challenger, the Challenger returns a partial plaintext mi corresponding to Pi.

These queries may be asked adaptively, that is, each query qi may depend on the replies to equation image.

Challenge: Once equation image decides that Phase 1 is over, it outputs two equal length plaintexts m0, m1 from the message space, then the Challenger picks a random bit equation image and sets equation image. It sends C* as the challenge ciphertext to equation image.

Phase 2: The adversary equation image issues more queries equation image where query qi is one of:

  • Partial Decryption oracleequation image: equation image sends a ciphertext C and i (equation image) to the Challenger, and the Challenger returns the partial plaintext mi corresponding to Pi. Note that C must not equal C*.

Guess: Finally, the adversary equation image outputs a guess equation image and wins the game if equation image.

We refer to such an adversary equation image as a T-CCA adversary. We define adversary equation image's advantage in attacking TPKE as the following function of the security parameter equation image.

Using the T-CCA game we can define chosen ciphertext security for threshold cryptosystems.

Definition 3 (T-CCA security). A threshold cryptosystem TPKE is semantically secure against an adaptive chosen ciphertext attack if for any polynomial time T-CCA adversaryequation imagethe functionequation imageis negligible. As shorthand, we say that TPKE is T-CCA-secure.

2.3 Unidirectional proxy re-encryption

Definition 4 (Unidirectional PRE).A unidirectional PRE scheme UniPRE is a tuple of PPT algorithms:

  • UniPRE.KGen, UniPRE.Enc, UniPRE.Dec: Identical to those in PKE.
  • UniPRE.RKGenequation image. On input a key pair (pk1, sk1) and a public key pk2, the re-encryption key generation algorithm UniPRE.RKGen outputs a unidirectional re-encryption key rk12.
  • UniPRE.ReEncequation image. On input a re-encryption key rk12 and a ciphertext C1, the re-encryption algorithm UniPRE.ReEnc outputs a re-encrypted ciphertext C2 or equation image which is not in the ciphertext space.

Correctness. A correct unidirectional PRE scheme should satisfy two requirements: for any key pairs (pk, sk) and (equation image, equation image) from UniPRE.KGen(1k), we have

  • 1.UniPRE.Dec (sk, UniPRE.Enc(pk, m)) = m,
  • 2.UniPRE.Dec(sk', UniPRE.ReEnc(UniPRE.RKGen((pk, sk), pk'), C)) = m, where C is the ciphertext for message m under pk from algorithm UniPRE.Enc or algorithm UniPRE.ReEnc.

Chosen Ciphertext Security for Unidirectional PRE. A unidirectional PRE scheme UniPRE is semantically secure against an adaptive chosen ciphertext attack if no polynomially bounded adversary equation image has a non-negligible advantage against the Challenger in the Uni-PRE-CCA game 17. Note that the static model is assumed in the Uni-PRE-CCA game, i.e., the adversary must fix the set of corrupted users before the game starts and is not allowed to adaptively corrupt proxies between corrupted and uncorrupted users.

Phase 1: The adversary equation image issues queries equation image where query qi is one of:

  • Public key generation oracleequation image: On input an index i, the Challenger takes a security parameter k, and responds by running algorithm UniPRE.KGen(1k) to generate a key pair (pki, ski), gives pki to equation image and records (pki, ski) in table Tk.
  • Private key generation oracleequation image: On input pki by equation image, where pki is from equation image. If pki is corrupted, the Challenger searches for pki in table Tk and returns ski. Otherwise, the Challenger aborts.
  • Re-encryption key generation oracleequation image: On input (pk, equation image) by equation image, where pk, equation image are from equation image. If pk and equation image are both corrupted or both uncorrupted, the Challenger returns the re-encryption key equation image, where sk is the private key corresponding to pk. Otherwise, the Challenger aborts.
  • Re-encryption oracleequation image: On input (pk, equation image, C) by equation image, where pk, equation image are from equation image, the Challenger returns the re-encrypted ciphertext equation image, where sk is the private key corresponding to pk.
  • Decryption oracleequation image: On input (pk, C), where pk is from equation image, the Challenger returns UniPRE.Dec(sk, C), where sk is the private key corresponding to pk.

Note that in our generic construction, we use the same encryption algorithm to encrypt one of the delegator's decryption key shares. If a proxy obtains this share, he can combine it with his own share to recover the delegator's decryption key. Hence, we do not allow the adversary to submit ciphertexts of this kind to equation image or equation image. To achieve this, we use different public keys to encrypt messages and the delegator's key share, and equation image and equation image only respond to queries whose ciphertext is under the public key used to encrypt messages.

These queries may be asked adaptively, that is, each query qi may depend on the replies to equation image.

Challenge: Once the adversary equation image decides that Phase 1 is over, it outputs two equal length plaintexts m0, m1 from the message space, and a public key pk* on which it wishes to be challenged. The public key pk* is required to be uncorrupted. The Challenger picks a random bit equation image and sets equation image. It sends C* as the challenge ciphertext to equation image.

Phase 2: The adversary equation image issues more queries equation image where query qi is one of:

  • equation image, equation image, equation image: The Challenger responds as in Phase 1.
  • equation image: On input (pki, pkj, C), if pkj is corrupted and (pki, C) is a derivative of (pk*, C*), then the Challenger aborts. Otherwise, it responds as in Phase 1.
  • equation image: On input (pk, C), if (pk, C) is not a derivative of (pk*, C*), the Challenger responds as in Phase 1; otherwise, the Challenger aborts the game.

These queries may be also asked adaptively.

Guess: Finally, the adversary equation image outputs a guess equation image and wins the game if equation image.

We refer to such an adversary equation image as a Uni-PRE-CCA adversary. We define adversary equation image's advantage in attacking UniPRE as the following function of the security parameter k: equation image

Using the Uni-PRE-CCA game we can define chosen ciphertext security for unidirectional PRE schemes.

Definition 5 (Uni-PRE-CCA security).We say that the unidirectional PRE scheme UniPRE is semantically secure against an adaptive chosen ciphertext attack if for any polynomial time Uni-PRE-CCA adversaryequation imagethe functionequation imageis negligible. As shorthand, we say that UniPRE is Uni-PRE-CCA-secure.

Definition 6 (Uni-PRE-CR security). This security notion is defined for resisting the collusion attack. We say that a unidirectional PRE scheme UniPRE is collusion resistant if for any polynomially bounded adversaryequation image, the following probability is negligible.

equation image

3 THRESHOLD CRYPTOSYSTEM-BASED UNIDIRECTIONAL PROXY RE-ENCRYPTION

In this section, we will propose a generic construction for CCA-secure unidirectional PRE by using CCA-secure threshold cryptosystem, particularly the CCA-secure (2, 2) threshold cryptosystem.

3.1 The generic construction equation image

Suppose we have a (2, 2) threshold cryptosystem TPKE, then we can construct a unidirectional PRE scheme as follows. We also assume that the underlying public key encryption of TPKE is PKE. Hence, we have TPKE.Encequation image PKE.Enc, and TPKE.PDecequation image TPKE.CDecequation image PKE.Dec.

The proposed generic construction equation image is as follows.

UniPRE.KGen: On input the security parameter 1k, it runs TPKE.Setup(1k) twice and outputs equation image.

UniPRE.RKGen: On input one of the delegator's key pairs equation image and one of the delegatee's public keys equation image, UniPRE.RKGen first runs

equation image

to get VK and equation image. Then UniPRE.RKGen encrypts sk12 and VK by using

equation image

At last, UniPRE.RKGen outputs the re-encryption key equation image.

UniPRE.Enc: On input a public key pk and a message m, it outputs TPKE.Enc(pk,m).

UniPRE.ReEnc: On input a re-encryption key equation image from the public key equation image to the public key equation image, a ciphertext C under public key pk1, it outputs a re-encrypted ciphertext

equation image

UniPRE.Dec: On input private keys equation image and a ciphertext C, UniPRE.Dec does:

  • If C contains only one complete ciphertext of TPKE, then it runs equation image.
  • If C contains two complete ciphertexts of TPKE (C1 and C3), and one partial plaintext of TPKE (C2), such that equation image, then the decryptor first runs
    equation image
    Secondly, the decryptor checks the consistency between VK and sk12, and
    equation image
    If they do not both hold, the decryptor outputs equation image; otherwise, the decryptor runs
    equation image
  • If C does not satisfy any one of the above situations, it outputs equation image.

Note that the above PRE scheme is single-use and unidirectional.
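The following is an added worked example, not code from the paper: it instantiates the generic construction above (KGen running Setup twice, RKGen sharing the message key and encrypting the delegatee's share together with VK under the delegatee's second public key, ReEnc refusing malformed ciphertexts, and Dec checking VK against sk12 and verifying the proxy's partial before combining) on a toy (2, 2) threshold ElGamal whose ciphertexts and partial plaintexts carry Chaum–Pedersen proofs in the style of the Shoup–Gennaro schemes of Reference 32. It is not the SG1 instantiation of Section 3.2; the group parameters, hash-based masking and all function names are assumptions chosen for illustration, and the parameters are far too small for any real use. The `collude` function also demonstrates the collusion attack on this basic construction described in Section 1.2, where the proxy's share and the delegatee's share together reconstruct the delegator's private key.

```python
# Added illustration of the Section 3.1 construction on a toy (2,2) threshold ElGamal
# with Chaum-Pedersen proofs for public verifiability. Toy parameters, no real security.
import hashlib, secrets

P, Q = 1019, 509   # assumption: toy safe prime p = 2q + 1, far too small for real use
G, GBAR = 4, 9     # assumption: two generators of the order-q subgroup of Z_p^*

def fs_hash(*parts):   # Fiat-Shamir challenge (full 256-bit) over a domain-separated transcript
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def cp_prove(bases, secret, ctx):   # Chaum-Pedersen: all base_j^secret share one exponent
    s = secrets.randbelow(Q)
    c = fs_hash(ctx, *bases, *[pow(b, s, P) for b in bases])
    return c, (s + c * secret) % Q

def cp_verify(bases, stmts, proof, ctx):
    c, z = proof   # recompute commitments as base^z * stmt^-c and rehash
    commits = [pow(b, z, P) * pow(y, (-c) % Q, P) % P for b, y in zip(bases, stmts)]
    return c == fs_hash(ctx, *bases, *commits)

def unmask(w, e):   # XOR with a hash-derived pad; serves both encryption and decryption
    return bytes(a ^ b for a, b in zip(e, hashlib.sha256(str(w).encode()).digest()))

# --- TPKE: (2,2) threshold cryptosystem with publicly verifiable ciphertexts/partials ---
def tpke_setup():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def tpke_ksha(pk, sk):   # Shamir split f(i) = sk + a*i for i = 1, 2; VK_i = g^f(i)
    a = secrets.randbelow(Q)
    shares = tuple((sk + a * i) % Q for i in (1, 2))
    return tuple(pow(G, x, P) for x in shares), shares

def tpke_enc(pk, m):   # (u, ubar, e, proof): proof of log_g u = log_gbar ubar is public
    assert len(m) <= 32, "toy message space: at most 32 bytes"
    r = secrets.randbelow(Q)
    u, ubar = pow(G, r, P), pow(GBAR, r, P)
    e = unmask(pow(pk, r, P), m)
    return u, ubar, e, cp_prove([G, GBAR], r, ("enc", e))

def tpke_valid(C):   # anyone, including the proxy, can run this check
    return cp_verify([G, GBAR], C[:2], C[3], ("enc", C[2]))

def tpke_dec(sk, C):   # full-key decryption, equivalent to PDec followed by CDec
    return unmask(pow(C[0], sk, P), C[2]) if tpke_valid(C) else None

def tpke_pdec(i, share, C):   # partial d = u^share with proof log_g VK_i = log_u d
    if not tpke_valid(C):
        return None   # bot: malformed ciphertexts are never partially decrypted
    return i, pow(C[0], share, P), cp_prove([G, C[0]], share, ("pdec", i))

def tpke_pver(VK, C, partial):
    i, d, proof = partial
    return cp_verify([G, C[0]], [VK[i - 1], d], proof, ("pdec", i))

def tpke_cdec(VK, C, partials):   # u^sk = d1^2 * d2^-1 (Lagrange coefficients 2, -1)
    if not tpke_valid(C) or not all(tpke_pver(VK, C, p) for p in partials):
        return None
    d = {i: v for i, v, _ in partials}
    return unmask(pow(d[1], 2, P) * pow(d[2], Q - 1, P) % P, C[2])

# --- UniPRE from TPKE, following Section 3.1 ---
def unipre_kgen():   # Setup twice: (pk, sk) for messages, (pk', sk') for key shares
    return tpke_setup(), tpke_setup()

def unipre_rkgen(delegator_msg_keys, delegatee_share_pk):   # rk = (sk11, Enc_pk2'(sk12, VK))
    VK, (sk11, sk12) = tpke_ksha(*delegator_msg_keys)
    blob = b"".join(v.to_bytes(2, "big") for v in (sk12, *VK))
    return sk11, tpke_enc(delegatee_share_pk, blob)

def unipre_reenc(rk, C):   # proxy refuses malformed C, else attaches its partial and C3
    sk11, C3 = rk
    C2 = tpke_pdec(1, sk11, C)
    return None if C2 is None else (C, C2, C3)

def unipre_dec(keys, C):
    (pk, sk), (pk_s, sk_s) = keys
    if len(C) == 4:                          # original ciphertext
        return tpke_dec(sk, C)
    C1, C2, C3 = C                           # re-encrypted ciphertext
    blob = tpke_dec(sk_s, C3) or b""
    sk12, vk1, vk2 = (int.from_bytes(blob[k:k + 2], "big") for k in (0, 2, 4))
    if pow(G, sk12, P) != vk2 or not tpke_pver((vk1, vk2), C1, C2):
        return None                          # VK/sk12 inconsistent or bad proxy partial
    return tpke_cdec((vk1, vk2), C1, [C2, tpke_pdec(2, sk12, C1)])

def collude(rk, delegatee_keys):   # Section 1.2 attack: f(0) = 2 f(1) - f(2) = delegator's sk
    sk12 = int.from_bytes(tpke_dec(delegatee_keys[1][1], rk[1])[:2], "big")
    return (2 * rk[0] - sk12) % Q

def demo(msg=b"challenge-7f3a"):
    alice, bob = unipre_kgen(), unipre_kgen()
    C, rk = tpke_enc(alice[0][0], msg), unipre_rkgen(alice[0], bob[1][0])
    tampered = (C[0], C[1], bytes([C[2][0] ^ 1]) + C[2][1:], C[3])
    return {"alice_dec": unipre_dec(alice, C),
            "bob_dec": unipre_dec(bob, unipre_reenc(rk, C)),
            "proxy_on_tampered": unipre_reenc(rk, tampered),
            "collusion_gets_sk": collude(rk, bob) == alice[0][1]}
```

Calling `demo()` runs the round trip: Alice and Bob each hold two key pairs, the proxy re-encrypts only ciphertexts whose validity proof checks (the tampered challenge is rejected with ⊥ rather than partially decrypted, which is the public verifiability the construction relies on), and Bob's decryption refuses to combine unless the share he recovers from C3 matches VK and the proxy's partial verifies. The `collude` result is the point of Section 1.2: with plain Shamir sharing of sk, the two shares held by proxy and delegatee reconstruct Alice's private key, which is what the ID-based variant in Section 4 is designed to prevent.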

Correctness. Now, we check the requirements of the correctness.

equation image
equation image
equation image
equation image
equation image
equation image
equation image
equation image
equation image
equation image
equation image
equation image
equation image

where equation image, and equation image.

As a result, our generic construction satisfies correctness.

Theorem 1. If the underlying TPKE is a CCA-secure (2, 2) threshold cryptosystem, then the proposed UniPRE is also CCA-secure. For the proof of Theorem 1, see the Appendix.

3.2 Example: based on SG1 threshold cryptosystem

In this subsection, we give an example of our generic construction, named SG-UniPRE, which is based on SG1 threshold cryptosystem 32.

The public parameters of this instantiation are p, q, g, H1, H2, H3, H4, where p, q are large primes, equation image, and g is a generator of a subgroup equation image of equation image with order q, equation image, equation image, equation image.

Note that we omit mod p for the computation in equation image in the following expressions.

UniPRE.KGen: The user's private key is equation image, and the public key is equation image.

UniPRE.RKGen: On input one of the delegator's key pairs equation image and one of the delegatee's public keys equation image, the delegator chooses a polynomial equation image, where equation image, and for equation image, sets equation image and equation image. The delegator then chooses equation image at random, and computes

equation image
equation image
equation image
equation image

Then the re-encryption key is equation imageequation image.

UniPRE.Enc: On input a public key equation image and a message equation image, it chooses equation image at random, and computes

equation image
equation image

The ciphertext is equation image.

UniPRE.ReEnc: On input a re-encryption key equation image from the public key pk1 to the public key pk2, a ciphertext equation image under public key equation image. The proxy first checks if

equation image
equation image

If this condition does not hold, it outputs equation image. Otherwise, it chooses equation image at random, and computes

equation image
equation image

The re-encrypted ciphertext is equation image.

UniPRE.Dec: On input a private key equation image and a ciphertext C, UniPRE.Dec does:

  • If equation image, then the decryptor first checks whether
    equation image
    If this condition does not hold, it outputs equation image. Otherwise, it computes equation image.
  • If equation image, then the decryptor first checks
    equation image
    and
    equation image
    If either of these two conditions fails, it outputs equation image. Otherwise, it computes equation image and checks
    equation image
    and
    equation image
    If any of these conditions fails, it outputs equation image. Otherwise, it computes equation image. Note that, compared with the original SG1, we omit the computation of equation image and equation image for efficiency.
  • If C matches neither of the above forms, it outputs equation image.

Theorem 2 (Theorem 1 in Reference 32). In the random oracle model, the SG1 threshold cryptosystem is secure against chosen ciphertext attack under the computational Diffie-Hellman assumption.

Combining Theorem 2 and Theorem 1, we have the following theorem.

Theorem 3. In the random oracle model, SG-UniPRE is secure against chosen ciphertext attack under the computational Diffie-Hellman assumption.

3.3 Based on other assumptions

Besides the computational Diffie-Hellman assumption, many threshold cryptosystems exist under other assumptions. By using our generic construction, we obtain CCA-secure UniPRE schemes proven secure in the standard model under the decisional Bilinear Diffie-Hellman assumption 33, and proven secure in the random oracle model under the decisional Diffie-Hellman assumption 32, 34, the quadratic residuosity assumption 35, 36, 37, and the integer factoring assumption 37.

At first glance, one might hope to obtain the first CCA-secure unidirectional PRE scheme without pairings, proven secure in the standard model, by using the threshold cryptosystem in Reference 38. Unfortunately, this does not work. Our generic construction requires the underlying CCA-secure (t, n) threshold cryptosystem to satisfy equation image, whereas Reference 38 requires equation image. We leave the construction of such a unidirectional PRE scheme as future research.

4 CONSTRUCTING COLLUSION RESISTANT PRE SCHEMES

4.1 How to add collusion-resistance into equation image

It is easy to see that our generic construction suffers from collusion attacks: the proxy holds the share sk11, the delegatee can recover the share sk12, and the two shares together reconstruct the delegator's private key. However, we can use the key management technique of IBE to achieve collusion resistance. In particular, the delegator acts as a PKG and generates a sub-private key corresponding to its own identity. In the encryption algorithm, the encryptor encrypts the message under the receiver's public key and its identity, very much as in IBE, where the encryptor encrypts under the PKG's public key and the receiver's identity. In the re-encryption key generation algorithm, the secret that is shared is this identity-specific decryption key rather than the real private key, so a colluding proxy and delegatee recover at most the sub-private key. The remaining algorithms are unchanged.

More precisely, we use a CCA-secure ID-based (2, 2) threshold cryptosystem to implement such a unidirectional PRE scheme. An ID-based threshold cryptosystem consists of the following algorithms: IBTPKE.Setup, IBTPKE.Ext, IBTPKE.KSha, IBTPKE.Enc, IBTPKE.PDec, IBTPKE.PVer, and IBTPKE.CDec.

  • IBTPKE.Setupequation image: On input a security parameter k, the algorithm IBTPKE.Setup outputs a key pair equation image for the PKG.
  • IBTPKE.Extequation image: On input the PKG's key pair equation image and an identity ID, the algorithm IBTPKE.Ext outputs a private key sk corresponding to ID.
  • The remaining algorithms are almost the same as those of TPKE, except that they take the PKG's public key mpk and the user's identity ID in place of the user's public key.

Now, we can get a generic construction for unidirectional PRE as follows. Assume that the underlying IBE scheme of IBTPKE is IBE. Hence, we have IBTPKE.Encequation image IBE.Enc and IBTPKE.PDecequation image IBTPKE.CDecequation image IBE.Dec.

UniPRE.KGen: On input the security parameter 1k, it runs IBTPKE.Setup(1k).

UniPRE.RKGen: On input the delegator's key pair equation image and its identity ID1 and the delegatee's public key pk2 and its identity ID2, UniPRE.RKGen first runs

equation image

to get VK and equation image. Then UniPRE.RKGen encrypts sk12 and VK by using

equation image

At last, UniPRE.RKGen outputs the re-encryption key equation image.

UniPRE.Enc: On input a public key pk and its corresponding identity ID and a message m, it outputs IBTPKE.Encequation image.

UniPRE.ReEnc: On input a re-encryption key equation image from the public key equation image to the public key equation image, a ciphertext C under public key equation image, it outputs a re-encrypted ciphertext equation image.

UniPRE.Dec: On input a private key sk and a ciphertext C, UniPRE.Dec does:

  • If C contains only one complete ciphertext of IBTPKE, then it runs
    equation image
  • If C contains two complete ciphertexts of IBTPKE (C1 and C3) and one partial plaintext of IBTPKE (C2), such that equation image, then the decryptor runs
    equation image
    and checks the consistency between VK and sk12. If it does not hold, the decryptor outputs equation image; otherwise, the decryptor runs
    equation image
  • If C matches neither of the above forms, it outputs equation image.

The CCA security of the above generic construction follows by the same method as in Section 3, and its collusion resistance follows directly from the underlying IBTPKE: the secret that is shared is the output of IBTPKE.Ext for the delegator's identity, not the delegator's master secret key.

A CCA-secure ID-based threshold cryptosystem in the standard model can be obtained by the methods of References 39 and 40; hence we obtain a CCA-secure, collusion resistant, unidirectional PRE scheme in the standard model. Table I compares the resulting scheme with the scheme in Reference 19, where equation image, equation image, Sign and Ver denote the cost of one modular exponentiation, one pairing computation, and one signing and one verifying computation of a one-time signature scheme, respectively. From Table I, our scheme is slightly less efficient than the scheme in Reference 19, but offers stronger security both in the underlying assumption and in the security level achieved.

Table I. Comparison.

                    Based on Waters 39                     LV08 19
Computation cost
  RKGen             equation image                         equation image
  Enc               equation image                         equation image
  ReEnc             equation image                         equation image
  Dec               equation image                         equation image
Security level      CCA-secure and collusion resistant     RCCA-secure and collusion resistant
Assumption          DBDH                                   3-QDBDH

Note that the resulting scheme can easily be extended to a PRE scheme with temporary delegation, in which the re-encryption key can be revoked. The only modification needed is to compute equation image instead of equation image.

4.2 Case study

In this subsection, we show how the scheme of Section 4.1 is used in the PRE-based access control system described in Section 1. A high-level description is shown in Figure 1.

Figure 1. PRE-based access control system.

Initially, the central authority chooses the system parameters as in the above scheme. The central authority and the user then generate their own public/private key pairs equation image and equation image by running UniPRE.KGen. The central authority authenticates the user by some physical means, such as an identity card, and issues a smart card holding a re-encryption key rk produced by UniPRE.RKGenequation image. When the user wants to access the system, he first sends a login message to the gateway, which responds with a ciphertext C generated by UniPRE.Enc(pkc, m), where m is a random number. Upon receiving the ciphertext, the user feeds C into the smart card, which returns another ciphertext equation image produced by UniPRE.ReEnc(rk, C). The user then obtains equation image by running UniPRE.Dec(sku, equation image) and returns it to the gateway. The gateway grants access if equation image.

Furthermore, because the scheme is collusion resistant, the user and the smart card together cannot recover skc, so the central authority can also use skc to sign messages that authorize other kinds of users.
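The following Python program is an added example, not the paper's SG-UniPRE and not code from the authors. It instantiates the UniPRE skeleton of Sections 3 and 4.1 with a plain (2,2)-threshold ElGamal cryptosystem so that the login exchange of the case study can be run end to end: the delegator (the central authority) splits its private key with a degree-one polynomial and hands the proxy (the smart card) one share together with the other share encrypted for the delegatee (the user); the proxy partially decrypts and attaches a Chaum-Pedersen DLEQ proof against the verification key VK, which plays the role of the public-verifiability check the construction relies on; the delegatee recovers its share, checks it against VK, verifies the proof and finishes the decryption. The toy group, the hashed-ElGamal wrapping of the share with an integrity tag, and the DLEQ proof are all assumptions of this example: SG1's hash-based ciphertext checks are not implemented, so the ciphertext itself is only CPA-secure here and the code is a structural illustration, not a CCA-secure scheme. `collude` shows the collusion attack that Section 4.1 removes (the two shares reconstruct sk1); the IBE-based fix is not shown because it needs a pairing-based IBE that the standard library does not provide.

```python
import hashlib
import secrets

# Demo group (an assumption of this example, not the paper's parameters):
# p = 2q + 1 is a safe prime and G = 4 generates the order-q subgroup. With q
# this small the DLEQ proof's 1/q soundness error is demonstration-grade only;
# real deployments use 2048-bit or larger groups.
P, Q, G = 10007, 5003, 4

def rand_zq():
    return secrets.randbelow(Q - 1) + 1

def h_zq(*vals):
    """Hash a tuple into Z_q (Fiat-Shamir challenge, KEM key derivation)."""
    data = b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    sk = rand_zq()
    return sk, pow(G, sk, P)

def enc(pk, m):
    """Plain ElGamal in the subgroup; m must be a subgroup element."""
    r = rand_zq()
    return pow(G, r, P), m * pow(pk, r, P) % P

def dleq_prove(x, g1, h1, g2, h2):
    """Chaum-Pedersen proof that log_g1(h1) = log_g2(h2) = x."""
    w = rand_zq()
    a1, a2 = pow(g1, w, P), pow(g2, w, P)
    c = h_zq(g1, h1, g2, h2, a1, a2)
    return c, (w - c * x) % Q

def dleq_verify(proof, g1, h1, g2, h2):
    c, s = proof
    a1 = pow(g1, s, P) * pow(h1, c, P) % P
    a2 = pow(g2, s, P) * pow(h2, c, P) % P
    return c == h_zq(g1, h1, g2, h2, a1, a2)

def wrap_share(pk2, sk12, vk):
    """ElGamal KEM, masked share, and a tag binding the share to VK."""
    r = rand_zq()
    k = pow(pk2, r, P)
    c2 = (sk12 + h_zq("mask", k)) % Q
    return pow(G, r, P), c2, vk, h_zq("tag", k, c2, *vk)

def unwrap_share(sk2, blob):
    c1, c2, vk, tag = blob
    k = pow(c1, sk2, P)
    if tag != h_zq("tag", k, c2, *vk):
        return None
    return (c2 - h_zq("mask", k)) % Q, vk

def rkgen(sk1, pk2):
    """Delegator: (2,2)-Shamir split of sk1 = f(0) with f(x) = sk1 + a*x."""
    a = rand_zq()
    sk11, sk12 = (sk1 + a) % Q, (sk1 + 2 * a) % Q   # f(1), f(2)
    vk = (pow(G, sk11, P), pow(G, sk12, P))          # verification key VK
    return sk11, wrap_share(pk2, sk12, vk)           # rk = (sk11, Enc_pk2(sk12, VK))

def reenc(rk, c):
    """Proxy: partial decryption with sk11 plus a DLEQ proof against VK."""
    sk11, blob = rk
    d1 = pow(c[0], sk11, P)
    return c, d1, dleq_prove(sk11, G, blob[2][0], c[0], d1), blob

def dec2(sk2, rc):
    """Delegatee: recover sk12, check it against VK, verify the proxy, finish."""
    (c1, c2), d1, proof, blob = rc
    opened = unwrap_share(sk2, blob)
    if opened is None:
        return None
    sk12, (vk1, vk2) = opened
    if pow(G, sk12, P) != vk2 or not dleq_verify(proof, G, vk1, c1, d1):
        return None
    # Shares sit at x = 1, 2, so sk1 = 2*sk11 - sk12 and c1^sk1 = d1^2 / d2.
    c1_sk1 = pow(d1, 2, P) * pow(pow(c1, sk12, P), -1, P) % P
    return c2 * pow(c1_sk1, -1, P) % P

def collude(rk, sk2):
    """The collusion attack of Section 4.1: the two shares give back sk1."""
    sk11, blob = rk
    return (2 * sk11 - unwrap_share(sk2, blob)[0]) % Q

def gateway_login():
    """Case-study flow: (challenge, value the user returns to the gateway)."""
    sk_c, pk_c = keygen()              # central authority
    sk_u, pk_u = keygen()              # user
    rk = rkgen(sk_c, pk_u)             # put on the user's smart card
    m = pow(G, rand_zq(), P)           # gateway's random challenge, in <G>
    return m, dec2(sk_u, reenc(rk, enc(pk_c, m)))
```

`gateway_login` runs the login exchange of the case study and the gateway would admit the user when the two returned values agree. If the smart card's partial decryption or the wrapped share is tampered with, `dec2` returns None, which stands for the ⊥ output of UniPRE.Dec; with the toy group a forged partial decryption slips past the DLEQ check with probability about 1/q, which is why any real instantiation needs a q of at least 256 bits.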

4.3 Generic construction for CCA-secure and collusion resistant IBPRE

A unidirectional ID-based PRE 18 consists of the following algorithms: IBUniPRE.Setup, IBUniPRE.Ext, IBUniPRE.RKGen, IBUniPRE.ReEnc, IBUniPRE.Enc, and IBUniPRE.Dec.

  • IBUniPRE.Setupequation image: On input the security parameter 1k, the algorithm IBUniPRE.Setup outputs the system parameters and a key pair (mpk, msk) for the PKG.
  • IBUniPRE.Extequation image: On input the PKG's key pair (mpk, msk) and an identity ID, the algorithm IBUniPRE.Ext outputs the user's private key sk corresponding to ID.
  • The remaining algorithms are almost the same as those of UniPRE, except that they take the PKG's master public key and the user's identity in place of the user's public key.

As in Section 4.1, we obtain another generic construction for CCA-secure, collusion resistant, unidirectional IBPRE from a CCA-secure hierarchical ID-based threshold cryptosystem, specifically a CCA-secure 2-level hierarchical ID-based (2, 2) threshold cryptosystem, which is the threshold extension of hierarchical ID-based encryption (HIBE) 41, 42. In this generic construction, the delegator acts as the second-level PKG of the 2-level hierarchical ID-based threshold cryptosystem and generates a sub-private key.

A 2-level hierarchical ID-based threshold cryptosystem consists of the following algorithms: 2HIBTPKE.Setup, 2HIBTPKE.Ext, equation image, 2HIBTPKE.KSha, 2HIBTPKE.Enc, 2HIBTPKE.PDec, 2HIBTPKE.PVer, and 2HIBTPKE.CDec. Note that in a 2HIBE, a user has a corresponding ID-pair (ID1, ID2).

  • 2HIBTPKE.Setupequation image: On input a security parameter k, the algorithm 2HIBTPKE.Setup outputs a key pair (mpk, msk) for the first-level PKG.
  • equation image: In the algorithm 2HIBTPKE.Ext, a second-level PKG with identity ID1 may compute a private key equation image for any of its children with ID-pair (ID1, ID2), using the system parameters and its own secret information sk.
  • The remaining algorithms are almost the same as those of IBTPKE, except that they take the user's ID-pair in place of the user's ID.

Now, we can get a generic construction for unidirectional IBPRE as follows.

IBUniPRE.Setup: On input the security parameter 1k, it outputs equation image.

IBUniPRE.Ext: On input an identity ID, it outputs equation image.

IBUniPRE.RKGen: On input the delegator's private key sk1 and its identity ID1 and the delegatee's identity ID2, IBUniPRE.RKGen first runs (see note 5)

equation image

to get VK and SK = (sk11, sk12). Then IBUniPRE.RKGen encrypts sk12 and VK by using

equation image

Finally, IBUniPRE.RKGen outputs the re-encryption key (sk11, 2HIBTPKE.Enc((mpk, ID2, ID2 || 1), (sk12 || VK))).

IBUniPRE.Enc: On input an identity ID and a message m, it outputs 2HIBTPKE.Enc((mpk, ID, ID || 0), m).

IBUniPRE.ReEnc: On input a re-encryption key equation image from the identity ID1 to the identity ID2, a ciphertext C under public key ID1, it outputs a re-encrypted ciphertext

equation image

IBUniPRE.Dec: On input a private key sk and a ciphertext C, IBUniPRE.Dec does:

  • If C contains only one complete ciphertext of 2HIBTPKE, then it runs
    equation image
  • If C contains two complete ciphertexts of 2HIBTPKE (C1 and C3) and one partial plaintext of 2HIBTPKE (C2), such that equation image, then the decryptor runs
    equation image
    and checks the consistency between VK and sk12. If it does not hold, the decryptor outputs equation image; otherwise, the decryptor runs
    equation image
  • If C matches neither of the above forms, it outputs equation image.

The correctness and security of the above generic construction can be obtained from the underlying CCA-secure 2-level hierarchical identity-based (2, 2) threshold cryptosystem by the same method in Section 4.1. A CCA-secure 2-level hierarchical identity-based (2, 2) threshold cryptosystem can be obtained by extending the HIBE schemes in References 41, 42, 43 with the same method in Reference 40. To the best of our knowledge, the resulting schemes from the generic construction are the first IBPRE schemes with CCA security and collusion-resistance in the random oracle model or the standard model.

4.4 Generalized unidirectional proxy re-encryption

In some cases there are np proxies and nd delegatees, and the delegatees should be able to recover the plaintext if and only if at least equation image delegatees cooperate to decrypt a re-encrypted ciphertext that has been re-encrypted by at least equation image proxies. Based on equation image, we obtain a generic construction for this generalized unidirectional PRE. The main change is that we re-distribute equation image in equation image among the np proxies via a (tp, np) threshold cryptosystem and re-distribute sk12 in equation image among the nd delegatees via a (td, nd) threshold cryptosystem. As a result, at least tp proxies and td delegatees must cooperate to recover the plaintext.

Similarly, we obtain CCA-secure and collusion resistant generalized (IB)PRE schemes.

5 CONCLUSIONS

PRE is a very useful cryptographic primitive in many applications, many of which demand that the underlying PRE scheme be CCA-secure and collusion resistant. In this paper, we first proposed a generic construction for CCA-secure unidirectional PRE from a CCA-secure (2, 2) threshold cryptosystem. Then, using the key management technique of IBE, we added collusion resistance to the proposed generic construction, thereby obtaining the first CCA-secure and collusion resistant unidirectional PRE schemes in the standard model. Finally, following the same method, we gave a generic construction for unidirectional IBPRE schemes with CCA security and collusion resistance based on a CCA-secure 2-level hierarchical ID-based (2, 2) threshold cryptosystem.

Note that our generic constructions do not solve all open problems in PRE, such as building a multi-use unidirectional PRE scheme or a CCA-secure PRE scheme without pairings in the standard model. We leave these problems for future research.

Acknowledgements

This work was supported by National Natural Science Foundation of China, No. 60673079, No. 60773086 and No. 60873217, Research Fund for the Doctoral Program of Higher Education of China, No. 20060248008.

1. For the complete list of papers on PRE, the reader can refer to http://tdt.sjtu.edu.cn/∼jshao/prcbib.htm.

2. In Reference 20, we showed that none of the existing IBPRE schemes is CCA-secure.

3. Recently, Deng et al. 24 proposed a PRE scheme based on the computational Diffie-Hellman assumption.

4. Derivatives of (pk*, C*) are defined as follows 17:
   1. (pk*, C*) is a derivative of itself.
   2. If (pk, C) is a derivative of (pk*, C*) and (equation image, equation image) is a derivative of (pk, C), then (equation image, equation image) is a derivative of (pk*, C*).
   3. If equation image has queried equation image on input (pk, equation image, C) and obtained (equation image, equation image), then (equation image, equation image) is a derivative of (pk, C).
   4. If equation image has queried equation image on input (pk, equation image), and equation image, then (equation image, equation image) is a derivative of (pk, C).

5. Note that in the HIBE scheme in Reference 41, sk1 should be a secret known only to the current PKG, while here we do not need this property, because the delegator itself is the second-level PKG. As a result, sk1 can be computed by 2HIBTPKE.Ext((mpk, msk), ID1).

6. This happens when the input is a derivative of equation image.

APPENDIX: PROOF OF THEOREM 1

Proof. Suppose there exists an adversary equation image that breaks the proposed UniPRE with advantage equation image. We construct an algorithm equation image that uses equation image to break the underlying TPKE with the same advantage equation image.

equation image interacts with equation image in a Uni-PRE-CCA game as follows (equation image simulates the Challenger for equation image).

Phase 1: equation image answers the queries as follows.

  • Key Generation Oracle: If the user is corrupted, equation image selects two random numbers equation image from the private key space and computes equation image accordingly. equation image responds to equation image with equation image and records equation image in table Tk. If the user is uncorrupted, equation image issues two Setup queries to its T-CCA Challenger to obtain two public keys equation image, then responds to equation image with equation image and records equation image in table Tk.
  • equation image: On input equation image, equation image first checks whether equation image and equation image both exist in table Tk. If not, equation image aborts. Otherwise, equation image proceeds as follows.
    • If equation image and equation image are both corrupted, equation image responds to equation image with equation image.

    • If equation image and equation image are both uncorrupted, equation image sends a Key Sharing query with equation image to its T-CCA Challenger and obtains a corrupted private key share equation image and the public verification key VK. equation image then chooses a random number equation image from the private key share space and runs UniPRE.Encequation image. Finally, equation image responds to equation image with equation image and records equation image in table equation image.

    • Otherwise, equation image aborts.

  • equation image: On input equation image, equation image first checks whether pki and pkj both exist in table Tk. If not, equation image aborts. Otherwise, equation image proceeds as follows.
    • If equation image is uncorrupted and equation image is corrupted, equation image sends a Partial Decryption query with equation image to its T-CCA Challenger to obtain a partial plaintext C1, then additionally sends a Key Sharing query with equation image to its T-CCA Challenger to obtain a corrupted private key share equation image and the public verification key VK, and runs TPKE.Encequation image. Finally, equation image responds to equation image with equation image.

    • If pki is corrupted and pkj is uncorrupted, equation image responds to equation image with equation image.

    • If equation image and equation image are both uncorrupted or both corrupted, equation image queries equation image to obtain the re-encryption key equation image and uses it to re-encrypt C as UniPRE.ReEnc specifies.

  • equation image: On input equation image, equation image checks whether equation image exists in table Tk. If not, equation image aborts. Otherwise, equation image parses C.
    • If C is a complete ciphertext of TPKE, then equation image proceeds as follows.

      • If equation image is corrupted, equation image responds to equation image with equation image.

      • If equation image is uncorrupted, equation image issues Partial Decryption queries to its T-CCA Challenger to obtain two partial plaintexts and runs TPKE.CDec to obtain m.

    • If equation image, where C1 and C3 are two complete ciphertexts of TPKE and C2 is a partial plaintext of TPKE, then equation image checks whether equation image exists in table equation image.

      • If it exists, equation image sends a Partial Decryption query with equation image to its T-CCA Challenger to obtain a partial plaintext equation image. Then equation image runs TPKE.CDecequation image to obtain m.

      • If it does not exist and equation image is corrupted, then equation image returns equation image to equation image.

      • If it does not exist and equation image is uncorrupted, equation image issues Partial Decryption queries to its T-CCA Challenger to obtain two partial plaintexts and runs TPKE.CDec to obtain equation image. equation image then checks the consistency between VK and equation image, and equation image. If these checks do not both hold, equation image outputs equation image; otherwise, equation image runs equation image to obtain m.

    • Otherwise, it outputs equation image.

Challenge: At some point, equation image outputs a challenge tuple equation image. If equation image is not in table Tk or equation image is corrupted, then equation image aborts. Otherwise, equation image sends a challenge with equation image to its T-CCA Challenger and obtains the challenge ciphertext C*. Finally, equation image responds to equation image with C*.

Phase 2: equation image continues to answer the oracle queries as follows.

  • Key Generation Oracle, equation image: equation image responds as in Phase 1.
  • equation image: On input equation image, if equation image is corrupted and equation image, then equation image aborts. Otherwise, equation image responds almost as in Phase 1, except that when equation image is uncorrupted and equation image, equation image additionally records the re-encrypted ciphertext in table equation image.
  • equation image: On input equation image, if one of the following conditions is satisfied (see note 6), equation image aborts; otherwise, equation image responds as in Phase 1.
    • equation image;

    • equation image is in table equation image;

    • equation image and equation image is in table equation image and equation image.

Guess: Finally, equation image outputs a guess equation image, which is correct with probability equation image, and equation image outputs the same value equation image to its T-CCA Challenger.

Since the above simulation is perfect, equation image wins the T-CCA game with advantage equation image, as claimed.
