Conditional Proxy Re-Encryption Secure against Chosen-Ciphertext Attack

Transcription

1 Conditional Proxy Re-Encryption Secure against Chosen-Ciphertext Attack ABSTRACT In a proxy re-encryption (PRE) scheme [4] a proxy authorized by Alice transforms messages encrypted under Alice s public key into encryptions under Bob s public key without knowing the messages Proxy re-encryption can be used applications requiring delegation such as delegated processing However it is inadequate to handle scenarios where a fine-grained delegation is demanded For example Bob is only allowed Alice s encrypted s containing a specific keyword To overcome the limitation of existing PRE we introduce the notion of conditional proxy re-encryption (or C-PRE) whereby only ciphertext satisfying one condition set by Alice can be transformed by the proxy and then decrypted by Bob We formalize its security model and propose an efficient C-PRE scheme whose chosen-ciphertext security is proven under the 3-quotient bilinear Diffie-Hellman assumption We further extend the construction to allow multiple conditions with a slightly higher overhead INTRODUCTION The notion of proxy re-encryption (PRE) was initially introduced by Blaze Bleumer and Strauss introduced in [4] In a PRE system Bob is allowed to decipher public key encryptions for Alice with the assistance from an authorized proxy Specifically Alice authorizes the proxy by giving it a re-encryption key The proxy can then convert any ciphertext under Alice s public key into ciphertext under Bob s public key The requirement is that the semantic security of encryptions for Alice is preserved throughout the conversion such that the proxy gains no information about the involved plaintext messages Proxy re-encryption has found many practical applications such as encrypted forwarding secure distributed file systems and outsourced filtering of encrypted spam We use the encrypted forwarding as an example to illustrate the usage of PRE and to motivate our work as well Imagine that a department manager Alice is to take a vacation She delegates her secretary Bob to process her routine s Among the incoming s some could be encrypted under Alice s public key Traditional public key encryption schemes does not allow Bob to process such s following the security norm that one s private key should never be shared with other With a PRE system Alice can simply give the server a re-encryption key For an encrypted incoming the server (ie the proxy in PRE s jargon) transforms it into an encryption for Bob Then Bob can read this using his secret key When Alice is back she instructs the server to stop the transformation The existing notion of PRE does not facilitate flexible delegation Suppose that Alice instructs Bob to process s only when its subject contains the keyword urgent For other s Alice prefers to read them by herself after back to office Obviously the existing PRE schemes do not meet such needs To show further motivation we consider the case that Alice wants Bob to process only s with keyword market and prefers Charlie to process s only with keyword sales Using existing PRE mandates an escalated trust on the server since the server is trusted to enforce the access control policy specified by Alice We observe that such trust model is unrealistic in many applications In this paper we introduce the notion of conditional proxy re-encryption or C-PRE whereby Alice has a fine-grained control over the delegation As a result Alice can flexibly assign her delegate (Bob) the decryption capability based on the conditions attached to the messages using a proxy with no higher trust than in existing PRE schemes Our Results Our contribution includes a formal definition of conditional proxy re-encryption and its security notion Briefly speaking a C-PRE scheme involves three principals: a delegator (say user U i) a proxy and a delegatee (say user U j) similar to existing PRE systems A message sent to U i with condition w is encrypted by the sender using both U i s public key and w To authorize U j to decrypt such an encryption associated with w U i gives the proxy a partial re-encryption key rk ij and a condition key ck iw corresponding to the condition w These two keys form the secret trapdoor used by the proxy to perform ciphertext translation The proxy is unable to translate those ciphertext whose corresponding condition keys are not available Therefore U i has a flexible control on delegation by releasing condition keys properly We also construct a concrete C-PRE scheme using bilinear

2 pairings Under the 3-Quotient Bilinear Diffie-Hellman (3- QBDH) assumption we prove its chosen-ciphertext security in the random oracle model We further extend this basic scheme to a conditional proxy re-encryption with multiple conditions (MC-PRE) In the MC-PRE system a proxy with a partial re-encryption key can translate a ciphertext associated with multiple conditions if and only if he has all the required condition keys The proposed MC-PRE scheme is efficient since the number of bilinear pairings in use is independent of the number of the conditions 2 Related Work In the pioneer work due to Blaze Bleumer and Strauss [4] they presented the first bidirectional PRE scheme (refer to Remark for the definitions of bidirectional/unidirectional PRE) In 2005 Ateniese et al [ 2] presented a unidirectional PRE scheme based on bilinear pairings Both of these schemes are only secure against chosen-plaintext attack (CPA) However applications often require security against chosen-ciphertext attacks (CCA) To fill this gap Canetti and Hohenberger [] presented a construction of CCA-secure bidirectional PRE scheme from bilinear pairings Later Libert and Vergnaud [23] presented a CCAsecrue unidirectional PRE scheme from bilinear pairings Recently Deng et al [5] proposed a CCA-secure bidirectional PRE scheme without pairings All these constructions are standard PRE schemes and hence can not control the proxy at a fine-grained level In Pairing 08 Libert and Vergnaud [24] introduced the notion of traceable proxy re-encryption where malicious proxies leaking their re-encryption keys can be identified Proxy re-encryption has also been studied in identity-based scenarios Based on the ElGamal-type public key encryption system [6] and Boneh-Boyen s identity-based encryption system [3] Boneh Goh and Matsuo [7] described a hybrid proxy re-encryption system Based on Boneh and Franklin s identity-based encryption system [6] Green and Ateniese [8] presented CPA and CCA-secure identity-based proxy re-encryption (IB-PRE) schemes in the random oracle model Chu and Tzeng [3] presented the constructions of CPA and CCA-secure IB-PRE schemes without random oracles Another related work is the proxy encryption cryptosystem introduced by Mambo and Okamoto [26] In a proxy encryption scheme [4 2 26] A delegator allows a delegatee to decrypt ciphertext intended for her with the help of a proxy: an encryption for the delegator is first partially decrypted by the proxy and then fully decrypted by the delegatee However this scheme requires the delegatee to possess an additional secret for each delegation from Alice In contrast the delegatee in proxy re-encryption systems only needs his own private key as in a standard PKE Proxy re-encryption should not be confused with the universal re-encryption [9] in which ciphertext is only rerandomized instead of replacing the public keys 3 Organization The rest of the paper is organized as follows Section 2 gives an introduction to bilinear pairings and related complexity assumptions In Section 3 we formalize the definition and security notions for C-PRE systems In Section 4 we propose a C-PRE scheme and prove its chosen-ciphertext security under the 3-QBDH assumption In Section 5 we further extend our C-PRE scheme to obtain a conditional proxy re-encryption scheme with multiple conditions Finally Section 6 lists some open problems and concludes this paper 2 PRELIMINARIES 2 Notations Throughout this paper for a prime q let Z q denote {0 2 q } and Z q denote Z q\{0} For a finite set S x $ S means choosing an element x from S with a uniform distribution Finally a function f : N [0 ] is said to be negligible if for all c N there exists a k c N such that f(k) < k c for all k > k c 22 Bilinear Groups and Bilinear Pairings Let G and G T be two cyclic multiplicative groups with the same prime order q A bilinear pairing is a map e : G G G T with the following properties: Bilinearity: g g 2 G a b Z q we have e(g a g b 2) = e(g g 2) ab ; Non-degeneracy: There exist g g 2 G such that e(g g 2) GT ; Computability: There exists an efficient algorithm to compute e(g g 2) for g g 2 G 23 Complexity Assumptions The security of our proposed schemes is based on a complexity assumption called 3-Quotient Bilinear Diffie-Hellman (3- QBDH) assumption The decisional version of this assumption was recently used to construct a unidirectional proxy reencryption with chosen-ciphertext security [23] We briefly review the n-qbdh assumption a generalized version of 3-QBDH The n-qbdh problem in groups (G G T ) is given a tuple (g g /a g a g (an ) g b ) G n+2 with unknown a b $ Z q to compute e(g g) b a 2 A polynomial-time algorithm B has advantage ɛ in solving the n-qbdh problem in groups (G G T ) if Pr[B(g g a g a g (an ) g b ) = e(g g) b a 2 ] ɛ where the probability is taken over the random choices of a b in Z q the random choice of g in G and the random bits consumed by B Definition We say that the (t ɛ)-n-qbdh assumption holds in groups (G G T ) if no t-time adversary B has advantage at least ɛ in solving the n-qbdh problem in groups (G G T ) 3 MODEL OF CONDITIONAL PROXY RE- ENCRYPTION In this section we formalize the definition and security notions for C-PRE systems

3 3 Definition of C-PRE systems Formally a C-PRE scheme consists of the following seven algorithms: GlobalSetup(λ): The key generation algorithm takes as input a security parameter λ It generates the global parameters param 32 Security Notions In plain words the semantic security of a C-PRE encryption should be preserved against both the delegate and the proxy if they do not possess the proper condition key More formally the semantic security against chose-ciphertext attacks for a C-PRE scheme Π can be defined via the following game between an adversary A and a challenger C: KeyGen(i): The key generation algorithm generates the public/secret key pair (pk i sk i) for user U i RKeyGen(sk i pk j): The partial re-encryption key generation algorithm run by U i takes as input a secret key sk i and another public key pk j It outputs a partial re-encryption key rk ij CKeyGen(sk i w): The condition key generation algorithm run by user i takes as input a secret key sk i and a condition w It outputs a condition key ck iw Encrypt(pk m w): The encryption algorithm takes as input a public key pk a plaintext m M and a condition w It outputs ciphertext CT associated with w under pk Here M denotes the message space ReEncrypt(CT i rk ij ck iw): The re-encryption algorithm run by the proxy takes as input a ciphertext CT i associated with w under public key pk i a partial reencryption key rk ij and a condition key ck iw It outputs a re-encrypted ciphertext CT j under public key pk j Decrypt(CT sk): The decryption algorithm takes as input a secret key sk and a cipertext CT It outputs a message m M or the error symbol The correctness of C-PRE means that for any condition w any m M any (pk i sk i) KeyGen(i) (pk j sk j) KeyGen(j) and CT i = Encrypt(pk i m w) while for any other condition w and user j with w w and j j we have Remark Blaze Bleumer and Strauss [4] differentiated two types of proxy re-encryption systems: bidirectional PRE and unidirectional PRE In bidirectional PRE systems the re-encryption key allows the proxy to translate Alice s ciphertext to Bob s and vice versa In unidirectional PRE systems the re-encryption key can used only for one direction In general unidirectional PRE systems are preferable to bidirectional ones since (i) any unidirectional scheme can be easily transformed to a bidirectional one [] and (ii) in bidirectional PRE systems if the proxy and the delegatee collude they can recover the delegator s secret key The same argument applies to C-PRE systems Therefore in this paper we only consider unidirectional C-PRE Setup Challenger C runs algorithm GlobalSetup(λ) and gives the global parameters param to A Phase A adaptively issues queries q q m where query q i is one of the following: Uncorrupted key generation query i : C first runs algorithm KeyGen(i) to obtain a public/secret key pair (pk i sk i) and then sends pk i to A Corrupted key generation query j : C first runs algorithm KeyGen(j) to obtain a public/secret key pair (pk j sk j) and then gives (pk j sk j) to A Partial re-encryption key query pk i pk j : C runs algorithm RKeyGen(sk i pk j) to generate a partial re-encryption key rk ij and returns it to A Here sk i is the secret key with respect to pk i It is required that pk i and pk j were generated beforehand by algorithm KeyGen Condition key query pk i w : C runs algorithm CKeyGen(sk i w) to generate a condition key ck iw and returns it to A It is required that pk i was generated beforehand by algorithm KeyGen Re-encryption query pk i pk j (w CT i) : To reply this query challenger C runs algorithm ReEncrypt(CT i R and returns the resulting ciphertext CT j to A It is required that pk i and pk j were generated beforehand by algorithm KeyGen Decryption query pk (w CT) or pk j CT j : Here pk (w CT) and pk CT denote the queries on original ciphertexts and re-encrypted ciphertexts respectively Challenger C returns the result of Decrypt(CT sk) to A It is required that pk was generated beforehand by algorithm KeyGen PrˆDecrypt(CT i sk i) = m = and Challenge Once A decides that Phase is over it outputs PrˆDecrypt (ReEncrypt(CT i RKeyGen(sk i pk j) CKeyGen(sk i w)) sk j) = m = ; a target public key pk i a target condition w and two equal-length plaintexts m 0 m M C flips a random coin δ {0 } and sets the challenge ciphertext to be CT = Encrypt(pk i m δ w ) which is sent to A PrˆDecrypt `ReEncrypt(CT i RKeyGen(sk i pk j) CKeyGen(sk i w )) Phase sk j = 2 = neg(λ) PrˆDecrypt (ReEncrypt(CT i RKeyGen(sk i pk j ) CKeyGen(sk i w)) sk j) = A adaptively issues queries as in Phase and C answers = them neg(λ) as before Guess Finally A outputs a guess δ {0 } and wins the game if δ = δ During the above game adversary A is subject to the following restrictions: (i) A can not issue corrupted key generation queries on i to obtain the target secret key sk i (ii) A can issue decryption queries on neither pk i (w CT ) nor pk j ReEncrypt(CT rk i j ck i w ) (iii) A can not issue re-encryption queries on pk i pk j (w CT ) if pk j appears in a previous corrupted key generation query

4 (iv) A can not obtain both the condition key ck i w and the partial re-encryption key rk i j if pk j appears in a previous corrupted key generation query Remark 3 The above four restrictions rule out cases where A can trivially win the game To illustrate this we use the restriction (iv) as an example Suppose A obtains both the condition key ck i w and the partial re-encryption key rk i j with j is a corrupted user then she can run algorithm ReEncrypt(CT i rk i j ck i w ) to obtain a re-encrypted ciphertext CT j under public key pk j Using the secret key sk j A can decrypt the ciphertext to recover m δ and hence break the challenge We refer to the above adversary A as an IND-CPRE-CCA adversary His advantage in attacking scheme Π is defined as Adv IND-CPRE-CCA ΠA = Pr[δ = δ] /2 For the sake of an easy understanding of the security proofs for our proposed C-PRE scheme we differentiate two subcases of restriction (iv) described in the above IND-CPRE- CCA game and distinguish between two types of IND-CPRE- CCA adversaries: Type I IND-CPRE-CCA adversary: During the IND- CPRE-CCA game adversary A does not obtain the partial re-encryption key rk i j with pk j is corrupted Type II IND-CPRE-CCA adversary: During the IND- CPRE-CCA game adversary A does not obtain the condition key ck i w Note that these cases are mutually exclusive (by definition) and complete Therefore the IND-CPRE-CCA security of a C-PRE scheme can be proven by showing that neither Type I nor Type II IND-CPRE-CCA adversary can win with a non-negligible advantage GlobalSetup(λ): The setup algorithm takes as input a security parameter λ It first generates (q G G T e) where q is a λ-bit prime G and G T are two cyclic groups with prime order q and e is the bilinear pairing e : G G G T Next it chooses g g f f $ G and five hash functions H H 2 H 3 H 4 and H 5 such that H : {0 } Z q H 2 : G T {0 } l 0+l H 3 : {0 } G H 4 : G T {0 } l 0+l and H 5 : {0 } Z q Here l 0 and l are determined by the security parameter and the message space is {0 } l 0 The global parameters are param = ((q G G T e) g g f f H H 5) KeyGen(i): To generate the public/secret key pair for user U i it picks x $ i Z q and sets the public key and secret key to be pk i = (P i Q i) = (g x i g /x i ) and sk i = x i respectively where the probability is taken over the random coins consumed by the challenger and the adversary RKeyGen(sk i pk j): On input a secret key sk i = x i and a public key pk j = (P j Q j) = (g x j g /x j ) it outputs the partial re-encryption key rk ij = P /x i j = g x j /x i Definition 2 A C-PRE scheme Π is (t q u q c q rk q ck q re q d ɛ) CKeyGen(sk i w): On input a secret key sk i = x i and a IND-CPRE-CCA secure if and only if for any t-time IND- condition w {0 } it outputs the condition key CPRE-CCA adversary A that makes at most q u uncorrupted ck iw = H 3(w pk i) /x i key generation queries at most q c corrupted key generation queries at most q rk partial re-encryption key queries Encrypt(pk i m w): On input a public key pk i = (P i Q i) a at most q ck condition key queries at most q re re-encryption condition w and a message m {0 } l 0 it works as queries and at most q d decryption queries Adv IND-CPRE-CCA ΠA following: ɛ Pick r $ {0 } l and compute r = H (m r w) 2 Compute and output the ciphertext CT = (A B C D) as: A = g r B = P r i C = H 2 (e(g g) r ) (m r ) H 4 (e(q i H 3( () ReEncrypt(CT i rk ij ck iw): On input the ciphertext CT i associated with condition w under public key pk i a condition key ck iw and a partial re-encryption key rk ij this algorithm generates the re-encrypted ciphertext under key pk j as follows: Parse pk i as (P i Q i) and CT i as (A B C D) 2 Check whether both of the following equalities hold: e(a P i) = e(g B) e(a f H5(ABC) f ) = e(g D) (2) If not output ; otherwise output the re-encrypted ciphertext CT j = (B C ) as B = e(b rk ij) C = C H 4(e(A ck iw)) (3) 4 A SECURE C-PRE SCHEME In this section we first present our C-PRE scheme and then briefly explain the intuition behind the construction Finally based on the 3-QBDH assumption we prove the security for the proposed scheme 4 Construction The proposed C-PRE scheme consists of the following seven algorithms: Indeed the re-encrypted ciphertext CT j = (B C ) is of the following forms: B = e(g g sk j ) r C = H 2(e(g g) r ) (m r ) (4) where r = H (m r w) Decrypt(CT i sk i): On input a secret key sk i = x i and a ciphertext CT i under public key pk i = (P i Q i) this algorithm works according to two cases:

5 CT is an original ciphertext associated with a condition w ie CT = (A B C D): If Eq (2) does not hold output ; otherwise compute (m r ) = C H 4(e(A H 3(w pk i) /x i )) H 2(e(B g) /x i ) and return m if g x i H (mr w) = B holds and otherwise CT is a re-encrypted ciphertext ie CT = (B C ): Compute (m r ) = C H 2(B x i ) and return m if e(g g) x i H (mr w) = B holds and otherwise Correctness: It can be verified that all the correctly generated original/re-encrypted ciphertexts can be correctly decrypted We here explain why a re-encrypted ciphertext generated by a proxy who does not have both the right partial re-encryption key and the right condition key can not be decrypted by the delegatee with non-neglibible probability For example given an original ciphertext CT i = (A B C D) associated with condition w under public key pk i = (P i Q i) as in Eq () Suppose a proxy who has a partial re-encryption key rk ij = g x j /x i and a condition key ck iw = H 3(w pk i) /x i with w w runs ReEncrypt to translate ciphertext CT i into a ciphertext intended for U j Obviously CT i can pass the validity check of Eq (2) and hence he generates the re-encrypted ciphertext CT j = (B C ) as B = e(b rk ij) = e(p r i g x j /x i ) = e(g x ir g x j /x i ) = e(g g) x j r C = C H 4(e(A ck iw )) = H 2 (e(g g) r ) (m r ) H 4 (e(q i H 3(w pk i)) r ) H 4(e(A ck iw )) Hash Oracle = H 2 (e(g g) r ) (m r ) H 4 (e(q i H 3(w pk i)) r ) H 4 `e(qi H 3(w pk r Queries At any time adversary A can issue the random i)) oracle queries H i with i { 5} Algorithm Since w w the term H 4 (e(q i H 3(w pk i)) r ) in component C can not be canceled by H 4 (e(q i H 3(w pk i)) r ) are initially empty and responds as below: B maintains five hash lists Hi list with i { 5} which with overwhelming probability So when user j with secret key sk j = x j receives the above re-encrypted ciphertext H queries: On receipt of an H query (m r w) CT j he computes C H 2(B /x j ) and obtains (m r ) H 4 (e(q i H 3(w pk i)) r ) H 4 (e(q i H 3(w pk i)) r ) instead of if this query already appears on the H list in a tuple (m r w r) return the predefined value r Otherwise (m r ) Obviously this resulting value can not pass the validity check as shown in algorithm Decrypt Therefore re- and respond with H (m w r ) = r choose r $ Z q add the tuple (m r w r) to the H list encrypted ciphertext CT j can not be decrypted by U j with overwhelming probability H 2 queries: On receipt of an H 2 query U G T if this query already appears on the H2 list in a tuple (U β) Security Intuitions: Next we briefly explain why the proposed scheme can ensure the chosen-ciphertext security It follows two important facts First the re-encrypted ciphertext given in Eq (4) is indeed a ciphertext of the hashed CCA-secure ElGamal encryption [9 6 7] using the bilinear pairings and hence it is impossible for the adversary to gain any advantage through malicious manipulating the re-encrypted ciphertext Second the validity of the original ciphertext given in Eq () can be publicly verified by checking Eq (2) Thus it is also impossible for the adversary to maliciously manipulate the original ciphertext In the next subsection we show detailed security proofs 42 Security The proposed C-PRE scheme is IND-CPRE-CCA secure in the random oracle model as stated below Theorem Our C-PRE scheme is IND-CPRE-CCA secure in the random oracle model assuming the 3-QBDH assumption holds in groups (G G T ) Theorem follows directly from the following Lemma and 2 Lemma If there exists a (t q H q H2 q H3 q H4 q H5 q u q c q rk q ck q Type I IND-CPRE-CCA adversary A against our scheme then there exists an algorithm B which can solve the (t ɛ )- 3-QBDH problem in groups (G G T ) with ɛ ɛ q H2 e( + q rk ) qh ( + q d ) qre + q d 2 l 0+l q t t + (q H + q H2 + q H3 + q H4 + q H5 + q u + q c + q rk + q ck + q re + q d + (2q u + 2q c + q rk + q ck + q re + q H q re + 2q H q d + 3)t e + (6q re + where t e denotes the running time of an exponentiation in group G t p denotes the running time of a pairing in groups (G G T ) q Hi (i = 5) denotes the number of oracle queries to H i and q u q c q rk q ck q re and q d have the same meaning as those in Definition 2 Proof Suppose B is given as input a 3-QBDH challenge tuple (g g /a g a g (a2) g b ) with unknown a b $ Z q Algorithm B s goal is to output e(g g) b a 2 Algorithm B first picks u α α $ 2 Z q defines g = `g ) u (a2 f = `g (a2 ) α f = `g(a 2 ) α 2 and gives (g g f f ) to A Next B acts as a challenger and plays the IND-CPRE-CCA game with adversary A in the following way: return the predefined value β Otherwise choose β $ {0 } l 0+l add the tuple (U β) to the list H2 list and respond with H 2(U) = β H 3 queries: On receipt of an H 3 query (w pk i) if this query already appears on the H3 list in a tuple (w pk i s S) return the predefined value S Otherwise choose s $ Z q compute S = (g a ) s add the tuple (w pk i s S) to the H3 list and respond with H 3(w pk i) = S H 4 queries: On receipt of an H 4 query V G T if this query already appears on the H4 list in a tuple (V γ) return the predefined value γ Otherwise choose γ $ {0 } l 0+l add the tuple (V γ) to the H4 list and respond with H 4(V ) = γ H 5 queries: On receipt of an H 5 query (A B C) if this query already appears on the H5 list in a tuple (A B C η) return the predefined value η Otherwise choose η $ Z q add the tuple (A B C η) to the H list 5 and respond with H 5(A B C) = η

6 Phase In this phase adversary A issues a series of queries subject to the restrictions of the Type I IND-CPRE-CCA game B answers these queries for A as follows: Uncorrupted key generation query i : Algorithm B first picks x $ i Z q Next as in Coronaŕs proof technique [2] it flips a biased coin coin i {0 } that yields 0 with probability θ and with probability θ If coin i = 0 define pk i = (P i Q i) = (g a2 x i a g 2 x i ) = ((g (a2) ) x i x g u i ); else define pk i = (P i Q i) = (g ax i ax g i ) = ((g a ) x i (g a x ) u i ) Finally it returns pk i to adversary A and adds the tuple (pk i x i coin i) to the K list Corrupted key generation query j : Algorithm B first picks x j $ Z q and defines pk j = (P j Q j) = (g x j `g (a2 ) u/x j ) and coin j = Next it adds the tuple (pk j x j coin j) to the K list and returns (pk j x j) to adversary A Partial re-encryption key query pk i pk j : B first parses pk j as (P j Q j) and recovers tuples (pk i x i coin i) and (pk j x j coin j) from the K list Next it constructs the partial re-encryption key rk ij for adversary A according to the following situations: If coin i = it means that sk i = x i Algorithm B simply outputs rk ij = P /x i j If (coin i = coin j = 0) it means that sk i = ax i and sk j = a 2 x j B returns rk ij = (g a x ) i Note that this is a valid partial re-encryption key since (g a x j x ) i a 2 x j ax = g i sk i j = P If (coin i = coin j = ) or (coin i = 0 coin j = 0) algorithm B returns rk ij = g x j /x i If (coin i = coin j = ) or (coin i = 0 coin j = ) B returns rk ij = g /a xj /x i If (coin i = 0 coin j = ) B outputs failure and aborts Condition key query pk i w : Algorithm B first recovers tuple (pk i x i coin i) from the K list and tuple (w pk i s S) from the H3 list Next it constructs the condition key ck iw for adversary A according to the following cases: If coin i = it means that sk i = x i: Algorithm B responds with ck iw = S /x i If coin i = it means that sk i = ax i: Algorithm B responds with ck iw = g s/x i Note that this is x indeed a valid condition key since g s i ax = g as i = (g as ax ) i = H(w pk i) sk i If coin i = 0 it means that sk i = a 2 x i: B responds s/xi with ck iw = g /a Note that this is indeed s a valid condition key since g /a as xi = g a 2 x i = (g as ) a 2 x i = H(w pk i) sk i Re-encryption query pk i pk j (w CT i) : Algorithm B parses CT i as CT i = (A B C D) If Eq (2) does not hold it outputs ; otherwise it works as follows: Recover tuples (pk i x i coin i) and (pk j x j coin j) from the K list x j 2 Issue a condition key query pk i w to obtain the condition key ck iw 3 Finally generate the re-encrypted ciphertext according to the following two cases: coin i = 0 coin j = : search whether there exists a tuple (m r w r) H list such that g r = A and w = w If yes compute B = e(g Pj r ) C = C H 4(e(A ck iw )) and return CT j = (B C ) as the re-encrypted ciphertext to A; otherwise return Otherwise: Algorithm B first constructs the partial re-encryption key rk ij as in the partial re-encryption key queries and then runs algorithm ReEncrypt(CT i rk ij ck iw ) and finally returns the resulting re-encrypted ciphertext CT j to A Decryption query pk i (w CT) or pk i CT : Algorithm B parses pk i as pk i = (P i Q i) and then recovers tuple (pk i x i coin i) from the K list If coin i = (meaning sk i = x i) algorithm B decrypts the ciphertext using x i and returns the plaintext to A Otherwise it proceeds as follows Parse CT as CT = (A B C D) or CT = (B C) When CT = (A B C D) work as follows: if Eq (2) does not hold return else construct the condition key ck iw as in the condition key query and define C = C H 4(e(A ck iw )) 2 Search lists H list and H2 list to see whether there exist tuples (m r w r) H list and (U β) H2 list such that w = w P r i = B β (m r ) = C and U = e(g g) r If yes return m to A Otherwise return Challenge When A decides that Phase is over it outputs a target public key pk i a condition w and two equallength messages m 0 m {0 } l 0 Algorithm B responds as follows: Recover tuple (pk i x coin ) from the K list If coin 0 output failure and abort Otherwise (meaning sk i = a 2 x ) algorithm B continues to execute the following steps 2 Pick y $ Z q C $ {0 } l 0+l and define A = g uby B = g bx y D = g by (α H 5 (A B C )+α 2 ) 3 Construct the condition key ck i w as in the condition key query 4 Pick a random bit δ $ {0 } r $ {0 } l Implicitly define H (m δ r w ) = by and H a 2(e(g g) by 2 a 2 ) = C (m δ r ) H 4(e(A ck i w )) (note that B knows neither by nor e(g g) by a 2 a 2 ) 5 Return CT = (A B C D ) as the challenged ciphertext to adversary A Note that by the construction given above if let r by a 2 we can see that the challenged ciphertext CT has the same distribution as the real one since H 2 acts as a random oracle and

7 The simulation of the decryption oracle is perfect with the A = g uby = `g u) (a2 by a 2 = g r B = g bx y = `g exception a2 x by that simulation errors may occur in rejecting some a 2 = Pi r C = C `(m δ r ) H 4(e(A ck ) i w `(m valid ciphertexts However these errors are not significant as δ r ) H 4(e(A shown ck below: i w ) Suppose a ciphertext CT has been queried to = `C (m δ r ) H 4(e(A ck ) i w `(m the decryption oracle Even if CT is a valid ciphertext there δ r ) H 4(e(Q i is Ha 3(w possibility pk i ) ) r that CT can be produced without querying = H 2(e(g g) by a 2 ) `(m e(g g) δ r ) H 4(e(Q i H 3(w pk i ) ) r to H 2 where r = H (m r w) Let Valid be an r event that CT is valid Let AskH 2 and AskH respectively = H 2(e(g g) r ) (m δ r ) H 4(e(Q i H 3(w pk i ) r ) be events that e(g g) r has been queried to H 2 and (m r w) D = g by (α H 5 (A B C )+α 2 ) = g a2 α H 5 (A B C ) by has been queried to H g a2 α 2 a 2 = f H 5(A B C ) r We then have Pr[Valid AskH f 2] Pr[Valid AskH AskH 2] + Pr[Valid AskH Phase 2 A continues to issue the rest of queries as in Phase with the restrictions described in the Type I IND-CPRE- CCA game Algorithm B responds to these queries as in Phase Guees Eventually adversary A returns a guess δ {0 } to B Algorithm B randomly picks a tuple (U β) from the list H2 list and outputs U /y as the solution to the given 3-QBDH instance Analysis Now let s analyze the simulation The main idea of the analysis is borrowed from [9] We first evaluate the simulations of the random oracles From the constructions of H 3 H 4 and H 5 it is clear that the simulations of these oracles are perfect As long as adversary A does not query (m δ r w ) to H nor e(g g) by a 2 to H 2 where δ and r are chosen by B in the Challenge phase the simulations of H and H 2 are perfect By AskH we denote the event that (m δ r w ) has been queried to H Also by AskH 2 we denote the event that e(g g) by a 2 has been queried to H 2 As argued before the challenged ciphertext provided for A is identically distributed as the real one from the construction From the description of the simulation it can be seen that the responses to A s uncorrupted key generation queries corrupted key generation queries condition key queries are also perfect Next we analyze the simulation of the partial re-encryption key oracle and the Challenge phase Obviously if B does not abort during the simulation of the partial re-encryption key queries the response to A s partial re-encryption key queries is perfect Similarly if B does not abort in the Challenge phase the Challenge phase is also perfect Let Abort denote the event of B s aborting during the whole simulation Then we have Pr[ Abort] θ q rk ( θ) which is maximized at θ opt = q rk least +q rk Using θ opt the probability Pr[ Abort] is at e(+q rk ) We proceed to analyze the simulation of the re-encryption oracle The responses to adversary A s re-encryption queries are perfect unless A can submit valid original ciphertexts without querying hash function H (denote this event by ReEncErr) However since H acts as a random oracle and adversary A issues at most q re re-encryption queries we have Pr[ReEncErr] qre q Now we evaluate the simulation of the decryption oracle Pr[AskH AskH 2] + Pr[Valid AskH AskH Let DecErr be the event that Valid AskH 2 happens during the entire simulation Then since q d decryption oracles are issued we have Pr[DecErr] q H q d 2 l 0 +l + q d q Now let Good denote the event (AskH 2 (AskH AskH 2) ReEncErr DecErr) Abort If event Good does not happen due to the randomness of the output of the random oracle H 2 it is clear that adversary A can not gain any advantage greater than in guessing δ Namely we have 2 Pr[δ = δ Good] = Hence by splitting 2 Pr[δ = δ] we have Pr[δ = δ] = Pr[δ = δ Good]Pr[ Good] + Pr[δ = δ Good]Pr[Good 2 Pr[ Good] + Pr[Good] = ( Pr[Good]) + Pr[Good 2 and Pr[δ = δ] Pr[δ = δ Good]Pr[ Good] = 2 ( Pr[Good]) = 2 2 P By definition of the advantage for the Type I IND-CPRE- CCA adversary we then have ɛ = 2 Pr[δ = δ] Pr[Good] = Pr[(AskH 2 (AskH AskH 2) ReEncErr DecErr) = (Pr[AskH 2] + Pr[AskH AskH 2] + Pr[ReEncErr + Pr[DecErr]) Pr[ Abort] Since Pr[AskH AskH 2] q H Pr[DecErr] q H q d + q 2 l 0 +l 2 l 0 +l d q Pr[ReEncErr] qre and Pr[ Abort] q e(+q rk we obtain ) Pr[AskH 2] Pr[ Abort] ɛ Pr[AskH AskH 2] Pr[DecErr] Pr[ ɛ e( + q rk ) qh qh q d q d 2 l 0+l 2 l 0+l q qre q = ɛ e( + q rk ) Meanwhile if event AskH 2 happens algorithm B will be able to solve the 3-QBDH instance by picking e(g g) by /y a 2 from the list H list 2 Consequently we obtain ɛ Pr[AskH 2] ɛ q H2 q H2 e( + q rk ) qh ( + q d ) qre + q d 2 l 0+l q

8 From the description of the simulation the running time of algorithm B can be bounded by t hold: t + (q H + q H2 + q H3 + q H4 + q H5 + q u + q c + q rk + q ck + q re + q d )O() + (2q u + 2q c + q rk + q ck + q re + q H q re + 2q H q d + 3)t e + (6q re + 5qe(A d + )t P i) p = e(g B) This completes the proof of Lemma Next we prove that under the 2-QBDH assumption there exists no Type II IND-CPRE-CCA adversary A against our scheme with non-negligible probability Note that the 2- QBDH assumption is weaker than the 3-QBDH assumption and is implied by the latter Lemma 2 If there exists a (t q H q H2 q H3 q u q c q rk q ck q re q d ɛ) Type II IND-CPRE-CCA adversary A against our scheme then there exists an algorithm B which can solve the (t ɛ )- 2-QBDH problem in groups (G G T ) with ɛ ɛ q H4 e( + q ck ) qh ( + q d ) qre + q d 2 l 0+l q t If B = e(g g) x H (mr {w t } t {k kn}) return t + (q H + q H2 + q H3 + q H4 + q H5 + q u + q c + q rk + q ck + q re + q d )O() m else return + (2q u + 2q c + q rk + q ck + 2q re + q H q re + 2q H q d + 3)t e + (6q re + 4q d + q H q d + )t p where t e t p q Hi (i = 5) q u q c q rk q ck q re and q d have the same meaning as Lemma The proof is in Appendix A 5 EXTENSIONS In this section we extend our C-PRE scheme to obtain a conditional proxy re-encryption system with multiple conditions (MC-PRE) In a MC-PRE system the proxy with a partial re-encryption key rk ij can translate ciphertexts associated with a set of conditions {w t} t {k k n} from user U i to user U j if and only if he has all the condition keys {ck iwt } t {k k n} with respect to these conditions Based on the C-PRE scheme in Section 4 we present a MC-PRE scheme The proposed MC-PRE scheme consists of seven algorithms where GlobalSetup KeyGen RKeyGen and CKeyGen are the same as those in the C-PRE scheme and the other three algorithms are specified as below: Encrypt(pk m {w t} t {k k n}): On input a public key pk = (P Q) a plaintext m {0 } l 0 and a set of conditions {w t} t {k k n} this algorithm works as below: Pick r $ {0 } l and compute r = H (m r {w t} t {k This k n}) research is supported by the Office of Research Singapore Management University 2 Compute A = g r B = P r C = H 2 (e(g g) r ) (m r ) H 4 e`q ` Q H 3(w t pk) r and t {k k n} r D = f H5(ABC) f 3 Output the original ciphertext CT = (A B C D) ReEncrypt(CT i rk ij {ck iwt } t {k k n}): On input a ciphertext CT i associated with a set of conditions {w t} t {k k n} under public key pk i a partial re-encryption key rk ij and a set of condition key {ck iwt } t {k k n} it generates the ciphertext under key pk j as follows: Parse pk i = (P i Q i) and CT i = (A B C D) 2 Check whether both of the following equalities e(a f H5(ABC) f ) = e(g D) (5) If not output ; otherwise compute B = e(b rk ij) C = C H 4 e(a Q t {k k n} ck iwt ) and output the re-encrypted ciphertext CT j = (B C ) Decrypt(CT sk): On input a secret key sk = x and a ciphertext CT under public key pk this algorithm works according to two cases: CT is an original ciphertext associated with a set of conditions {w t} t {k k n} ie CT = (A B C D): Check whether Eq (5) holds If not output Otherwise compute (m r Q ) = C H 4 e(a H 3(w t {k k n} H 2`e(B g) /x and if B = g x H (mr {w t } t {k kn}) return m else return CT = (B C ): Compute (m r ) = C H 2(B /x ) Interestingly the number of bilinear pairings needed in the above MC-PRE scheme is independent of the number of conditions and the efficiency of this MC-PRE scheme is comparable to that of the C-PRE scheme in Section 4 Similarly to the C-PRE scheme the chosen-ciphertext security of the proposed scheme can be proved under the 3- QBDH assumption Of course the security model should be slightly modified to address the situations under multiple conditions Due to the space limit we omit the security model and proofs 6 CONCLUSIONS AND OPEN QUESTIONS In this paper we tackle the problem of how to control the proxy in PRE systems at a fine-grained level We introduce the concept of conditional proxy re-encryption We formalize its definition and its security notions and propose a CCA-secure C-PRE scheme We further extend this C- PRE scheme to support multiple conditions with reasonable overhead The conditions in our proposed solution are limited to keywords It remains as an interesting open problem how to construct CCA-secure C-PRE schemes with anonymous conditions or boolean predicates Acknowledgment 7 REFERENCES [] G Ateniese K Fu M Green and S Hohenberger Improved Proxy Re-encryption Schemes with Applications to Secure Distributed Storage In Proc of NDSS 2005 pp [2] G Ateniese K Fu M Green and S Hohenberger Improved Proxy Re-encryption Schemes with Applications to Secure Distributed Storage ACM Transactions on Information and System Security (TISSEC) 9():-30 February 2006

9 [3] D Boneh and X Boyen Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles In advances in Cryptology-Eurocrypt 04 LNCS 3027 pp Springer-Verlag 2004 [4] M Blaze G Bleumer and M Strauss Divertible Protocols and Atomic Proxy Cryptography In advances in Cryptology-Eurocrypt 98 LNCS 403 pp Springer-Verlag 998 [5] D Boneh G D Crescenzo R Ostrovsky and G Persiano Public Key Encryption with Keyword Search In Advanecs in Cryptology-Eurocrypt 04 LNCS 3027 pp Springer-Verlag 2004 [6] D Boneh and M Franklin Identity based encryption from the Weil pairing In Advanecs in Cryptology-Crypto 0 LNCS 239 pp Springer-Verlag 200 [7] D Boneh E-J Goh and T Matsuo Proposal for P3633 Proxy Re-encryption [8] D Boneh E-J Goh K Nissim Evaluating 2-DNF Formulas on Ciphertexts In Proc of TCC 05 LNCS 3378 pp Springer-Verlag 2005 [9] J Baek R Safavi-Naini and W Susilo Certificatless Public Key Encryption without Pairing In Proc of ISC 05 LNCS 3650 pp Springer-Verlag 2005 [0] D Boneh B Waters Conjunctive Subset and Range Queries on Encrypted Data In Proc of TCC 07 LNCS 4392 pp Springer-Verlag 2007 [] R Caneti and S Hohenberger Chosen-Ciphertext Secure Proxy Re-Encryption In Proc of ACM CCS 2007 pp ACM Press 2007 [2] J-S Coron On the Exact Security of Full Domain Hash In advances in Cryptology-Crypto 00 LNCS 880 pp Springer-Verlag 2000 [3] C Chu and W Tzeng Identity-Based Proxy Re-Encryption without Random Oracles In Proc of ISC 07 LNCS 4779 pp Springer-Verlag 2007 [4] Y Dodis and A-A Ivan Proxy Cryptography Revisited In Proc of NDSS [5] R H Deng J Weng S Liu K Chen Chosen-Cipertext Secure Proxy Re-Encryption without Pairings To appear in CANS 08 Springer-Verlag 2008 [6] T ElGamal A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology-Crypto 84 LNCS 96 pp0-8 Springer-Verlag 984 [7] E Fujisaki and T Okamoto Secure Integration of Asymmetric and Symmetric Encryption Schemes In Advances in Cryptology-Crypto 99 LNCS 666 pp Springer-Verlag 999 [8] M Green and G Ateniese Identity-Based Proxy Re-Encryption In Proc of ACNS 07 LNCS 452 pp Springer-Verlag 2007 [9] P Golle M Jakobsson A Juels and P F Syverson Universal Re-Encryption for Mixnets In Proc of CT-RSA 04 LNCS 2964 pp Springer-Verlag 2004 [20] P Golle J Staddon and B Waters Secure Conjunctive Keyword Search over Encrypted Data In Proc of ACNS 04 LNCS 3089 pp 3-45 Springer-Verlag 2004 [2] M Jakobsson On Quorum Controlled Asummetric Proxy Re-Encryption In Proc of PKC 99 LNCS 560 pp 2-2 Springer-Verlag 999 [22] J Katz A Sahai and B Waters: Predicate Encryption Supporting Disjunctions Polynomial Equations and Inner Products In advances in Cryptology-Eurocrypt 08 LNCS 4965 pp Springer-Verlag 2008 [23] B Libert and D Vergnaud Unidirectional Chosen-Ciphertext Secure Proxy Re-encryption In Proc of PKC 08 LNCS 4929 pp Springer-Verlag 2008 [24] B Libert and D Vergnaud Tracing Malicious Proxies in Proxy Re-Encryption In Proc of Pairing 08 LNCS 5209 pp Springer-Verlag 2008 [25] T Matsuo Proxy Re-Encryption Systems for Identity-Based Encryption In Proc of Paring 07 LNCS 4575 PP Springer-Verlag 2007 [26] Masahiro Mambo and Eiji Okamoto Proxy Cryptosystems: Delegation of the Power to Decrypt Ciphertexts IEICE Trans Fund Electronics Communications and Computer Science E80-A/: [27] E Shi B Waters: Delegating Capabilities in Predicate Encryption Systems In Proc of ICALP (2) 2008 LNCS 526 pp Springer-Verlag 2008 Appendix A Proof of Lemma 2 Proof Suppose B is given as input a 2-QBDH challenge tuple (g g /a g a g b ) with unknown a b $ Z q Algorithm B s goal is to output e(g g) b/a2 Algorithm B first picks u α α 2 $ Z q defines g = g u f = (g a ) α f = (g a ) α 2 and gives (g g f f ) to A Next B acts as a challenger and plays the Type II IND-CPRE-CCA game with adversary A in the following way: Hash Oracle Queries B maintains five hash lists H list i with i { 5} and responds in the same way as in the proof of Lemma except that H 3 queries are conducted in the following way: H 3 queries: On receipt of an H 3 query (w pk i) if this query already appears on the H3 list in a tuple (w pk i s S coin) return the predefined value S Otherwise pick s $ Z q and flip a random biased coin coin {0 } that yields 0 with probability θ and with probability θ If coin = 0 then the hash value H 3(w pk i) is defined as S = g s else S = g bs Finally S is returned to A and (w pk i s S coin) is added to the H3 list Phase In this phase A issues a series of queries subject to the restrictions of the Type II IND-CPRE-CCA game B maintains a list K list and answers these queries as follows: Uncorrupted key generation query i : B first picks x $ i Z q and defines pk i = (P i Q i) = (g ax i ax g i ) = ((g a ) x i (g a u ) xi ) Next it defines c i = 0 adds the tuple (pk i x i c i) to the K list and returns pk i to adversary A Here the bit c i is used to denote whether the secret key with respect to pk i is corrupted ie c i = 0 indicates uncorrupted and c i = means corrupted Corrupted key generation query j : B first picks x j Z q and defines pk j = (P j Q j) = (g x j x g u j ) c j = Next it adds the tuple (pk j x j c j) to the K list and returns (pk j x j) to A Partial re-encryption key query pk i pk j : B recovers tuples (pk i x i c i) and (pk j x j c j) from the K list and constructs the partial re-encryption key rk ij for A according to the following cases: If c i = c j Respond with rk ij = g x j /x i If c i = c j = 0 Respond with rk ij = (g a ) x j /x i xj If c i = 0 c j = Respond with rk ij = g /a /x i $

10 Condition key query pk i w : B first recovers the tuple 4 Pick δ $ {0 } and r $ {0 } l Implicitly define (pk i x i c i) from the K list and the tuple (w pk i s S coin) from the H3 list H Next it constructs the condition key (m δ r w ) = y and H4(e(g g) ubs y a a x ) = C ck iw for adversary A according to the following cases: (m δ r ) H 2(e(g g a ) y ) (note that algorithm B knows If c i = it means that sk i = x i Algorithm B neither y responds with ck iw = S /x i y a a x ) 5 Return CT = (A B C D ) as the challenged ciphertext to adversary A If c i = 0 coin = 0 it means that sk i = ax i and H 3(w pk i) = g s i Algorithm B responds with si ck iw = g /a /x i Note that by the construction given above if let r y a If c i = 0 coin = it means that sk i = ax i and we can see that the challenged ciphertext CT has the same H 3(w pk i) = g bs i Algorithm B outputs failure and aborts distribution as the real one since H 2 and H 4 act as random oracles and Re-encryption query pk i pk j (w CT i) : B parses pk i = A (P i Q i) pk j = (P j Q j) and CT i = (A B C D) If Eq = `g /a uy = `g u y /a = g r (2) does not hold it outputs ; otherwise it acts as B = g x y = `g ax y /a = Pi r follows: Recover tuples (pk i x i c i) and (pk j x j c j) from C = (m δ r ) H 2(e(g g /a ) y ) `C (m δ r ) H 2(e(g g /a ) y ) the K list 2 Issue a partial re-encryption key query to obtain = (m δ r ) H 2(e(g g) y a ) H4(e(g g) ubs y a 2 x ) the partial re-encryption key rk ij 3 Recover the tuple (w pk i s S coin) from the H3 list = (m δ r ) H 2(e(g g) y a ) H4(e((g u ) ax g bs ) y a ) and produce the re-encrypted ciphertext according = (m δ r ) H 2(e(g g) r ) H 4(e(Q i H 3(w pk i ) r ) to the following two cases: c i = 0 coin = : Search whether there exists a D = g (α H 5 (A B C )+α 2 )y = `g a(α H 5 (A B C )+α 2 ) y /a = `f H 5( tuple (m r w r) H list such that g r = A and w = w If yes compute B = e(g Pj r ) C = Phase 2 Adversary A continues to issue the rest of queries C H 4(e(Q i S r )) and return CT j = (B C ) as in Phase with the restrictions described in the Type II as the re-encrypted ciphertext to A; otherwise IND-CPRE-CCA game B responds to these queries as in return Otherwise: Algorithm B first constructs the Phase condition key ck iw as in the condition key queries and then returns ReEncrypt(CT i rk ij ck iw ) Guees Eventually adversary A outputs a guess δ {0 } to A Algorithm B randomly picks a tuple (V γ) from the list H4 list Decryption query pk i (w CT) or pk i CT : Algorithm B responds as follows: instance and outputs V x us y as the solution to the given 2-QBDH Parse pk i as (P i Q i) Recover the tuple (pk i x i c i) from the K list If c i = (ie sk i = x i) decrypt CT using x i and return the resulting plaintext to Analysis Similarly to the analysis in Lemma it can be A seen that B s advantage against the 2-QBDH problem is at 2 Parse CT as CT = (A B C D) or CT = (B C) least When CT = (A B C D) return if Eq (2) does ɛ ɛ not hold q 3 Search lists H list and H2 list H4 e( + q ck ) qh ( + q d ) qre + q d 2 l 0+l q to see whether there exist tuples (m r w r) H list and (U β) H2 list and B s running time is bounded by such that t t + (q j Pi r = B U = e(g g) r w = w H + q H2 + q H3 + q H4 + q H5 + q u + q c + q rk + q ck + q re + q β (m r + (2q ) = C If CT=(A B C D); u + 2q c + q rk + q ck + 2q re + q H q re + 2q H q d + 3)t e + (6q re and β (m r ) H 4(e(Q i H 3(w pk i)) r ) = C If CT=(B C) If yes return m to A Otherwise return This completes the proof of Lemma 2 Challenge When A decides that Phase is over it outputs a target public key pk i = (P i Q i ) a condition w and two equal-length messages m 0 m {0 } l 0 Algorithm B responds as follows: Recover the tuple (w pk i s S coin ) from the H list 3 If coin = 0 output failure and abort Otherwise (meaning that H 3(w pk i ) = g bs ) continue to execute the rest steps 2 Recover the tuple (pk i x c ) from the K list 3 Pick y $ Z q and C $ {0 } l 0+l Define A = g /a uy B = g x y D = g (α H 5 (A B C )+α 2 )y