
Information Sciences

Volume 206, 5 November 2012, Pages 83-95
Multi-use unidirectional identity-based proxy re-encryption from hierarchical identity-based encryption

https://doi.org/10.1016/j.ins.2012.04.013

Abstract

At ACNS 2007, Ateniese and Green proposed the concept of ID-based proxy re-encryption (IBPRE), where a semi-trusted proxy holding some information (a.k.a. a re-encryption key) can transform a ciphertext under one identity into a ciphertext of the same plaintext under another identity. However, the proxy cannot obtain the plaintext. Recently, Wang et al. revisited this primitive by allowing the chosen ciphertext attack when the ciphertext can be transformed several times. They also proposed a concrete multi-use unidirectional ID-based proxy re-encryption (MUIBPRE) scheme, which is proven secure in the random oracle model. Nonetheless, they left open the problem of constructing a multi-use unidirectional IBPRE scheme in the standard model. What is worse, their scheme cannot resist the collusion attack, and collusion resistance is an important security requirement for unidirectional proxy re-encryption.

To solve this problem, in this paper we present a conversion from non-anonymous hierarchical identity-based encryption (NaHIBE) with strongly CPA security to CCA-secure and collusion-resistant MUIBPRE. Furthermore, based on the NaHIBE scheme proposed by Waters at Crypto’09, we give the first CCA-secure and collusion-resistant MUIBPRE scheme in the standard model.

Introduction

In the public key encryption setting, to ensure an email's secrecy, the sender always encrypts emails with the receiver's public key. Let us consider the following situation. A company manager, Alice, will be absent for several days for some reason, such as a vacation. To keep the company going, Alice would delegate her decryption rights over the company emails to the vice-manager Bob via a proxy (the email server). The above system could be easily implemented if the email content were allowed to be revealed during the delegation process. For example, Alice gives her decryption key to the proxy; the proxy first decrypts the email sent to Alice and then encrypts the email content with Bob's public key. However, in most cases the proxy is not allowed to get the email content for business reasons. In other words, the plaintext must not be revealed during the delegation process.

To solve the above problem, Blaze et al. [3] proposed the concept of proxy re-encryption (PRE). This cryptographic primitive allows a semi-trusted proxy holding specific information (a.k.a. a re-encryption key) to transform a ciphertext under one public key into another ciphertext of the same plaintext under another public key, without the proxy learning the plaintext. Blaze et al. gave two ways to classify PRE schemes. One is by the number of transformations allowed: if a ciphertext can be transformed from Alice to Bob, then from Bob to Carol, and so on, the PRE scheme is multi-use; otherwise, it is single-use. The other is by the allowed direction of transformation: if the re-encryption key can be used to transform ciphertexts from Alice to Bob and also from Bob to Alice, the PRE scheme is bidirectional; otherwise, it is unidirectional.

Unidirectional PRE is preferable to bidirectional PRE in many cases. For example, when the delegator delegates his decryption rights to the delegatee, the delegatee does not always want the reverse delegation to exist. Furthermore, any unidirectional scheme can be easily transformed into a bidirectional one by running the former in both directions, while whether the reverse holds is unknown.

Moreover, there are many cases in which the underlying PRE scheme should be multi-use. Let us still consider the above email application. After Bob receives the emails delegated from Alice, he might be unable to handle all the extra work for some reason, such as a health problem. In this case, Bob would need to delegate his decryption rights over some emails (including those delegated from Alice) to his secretary Carol. If the underlying PRE scheme is single-use, the proxy cannot transform the emails delegated from Alice to Bob into a form Carol can decrypt, hence Carol cannot deal with them without Bob's decryption. As a result, a multi-use PRE scheme is desired.

Nevertheless, multi-use unidirectional PRE does not solve all the problems in the email application. For example, the email sender might not know Alice's public key but only her email address. In this case, the email sender cannot encrypt the email content, hence the secrecy of the email content will be lost. To solve this problem, Green and Ateniese [9] proposed the concept of multi-use unidirectional identity-based proxy re-encryption (MUIBPRE), where the ciphertext is encrypted under the user's identity, such as the email address, and the user's private key is generated by a trusted party, named the private key generator (PKG).

Generally speaking, there are two main security notions for MUIBPRE.

  • CCA security: If the adversary is not the intended receiver, he cannot get the plaintext even if he can access the decryption oracle. In the email application, only the following parties can get the email content sent to Alice: (1) Alice, (2) Bob cooperating with the corresponding proxy.

  • Collusion resistance: The delegatee colluding with the proxy should be able to decrypt the ciphertexts encrypted under the delegator's identity, but should not be able to obtain the delegator's private key. In the email application, Bob colluding with his proxy cannot obtain Alice's private key, and Carol colluding with her proxy cannot obtain Bob's private key.

    In many cases, users use the same private key for decryption and signing. If the underlying MUIBPRE scheme does not provide collusion resistance, the non-repudiation of the delegator will be lost, since the delegatee and the proxy can collude to obtain the delegator's signing key. Hence, collusion resistance is required.
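To make the classification above (multi-use, unidirectional) and the collusion-resistance definition concrete, here is an added example that is not code from this paper: a Python implementation of the classic ElGamal-based PRE of Blaze et al. [3], written from memory of that scheme, over a constructed toy group (p = 1019, q = 509, g = 4) that has no real security. The function names (keygen, rekeygen, reencrypt, collusion_recovers_delegator_key, demo) are my own. It walks the Alice → Bob → Carol chain from the email scenario and then runs the two checks the paper's definitions call for, showing what the paper's construction is designed to avoid: this scheme is multi-use, but its re-encryption key is built from both secret keys, so the reverse key is just the inverse (bidirectional) and delegatee plus proxy recover the delegator's key (no collusion resistance).

```python
import secrets
from typing import Dict, Tuple

# Toy group parameters (constructed for illustration only; far too small for
# real use): p = 2q + 1 with q prime, and G = 2^2 generates the order-q subgroup.
P = 1019
Q = 509
G = 4


def rand_exp() -> int:
    """Random exponent in [1, q-1]."""
    return secrets.randbelow(Q - 1) + 1


def keygen() -> Tuple[int, int]:
    """Return (sk, pk) = (a, g^a mod p)."""
    a = rand_exp()
    return a, pow(G, a, P)


def encrypt(pk: int, m: int) -> Tuple[int, int]:
    """ElGamal-style ciphertext (m * g^k, pk^k) = (m * g^k, g^{ak})."""
    k = rand_exp()
    return (m * pow(G, k, P) % P, pow(pk, k, P))


def decrypt(sk: int, ct: Tuple[int, int]) -> int:
    """Raise g^{ak} to a^{-1} mod q to recover g^k, then divide it out of c1."""
    c1, c2 = ct
    gk = pow(c2, pow(sk, -1, Q), P)
    return c1 * pow(gk, -1, P) % P


def rekeygen(sk_from: int, sk_to: int) -> int:
    """Re-encryption key rk = b / a mod q. Note it needs BOTH secret keys."""
    return sk_to * pow(sk_from, -1, Q) % Q


def reencrypt(rk: int, ct: Tuple[int, int]) -> Tuple[int, int]:
    """Proxy step: (g^{ak})^{b/a} = g^{bk}. c1 is untouched, so the proxy,
    holding only rk, never learns m."""
    c1, c2 = ct
    return (c1, pow(c2, rk, P))


def collusion_recovers_delegator_key(sk_delegatee: int, rk: int, sk_delegator: int) -> bool:
    """Collusion-resistance check: can the delegatee (holding b) and the proxy
    (holding rk = b/a) reconstruct the delegator's a? Here yes: a = b * rk^{-1}."""
    return sk_delegatee * pow(rk, -1, Q) % Q == sk_delegator


def is_bidirectional(rk_forward: int, rk_backward: int) -> bool:
    """Direction check: the scheme is bidirectional when the reverse key is
    simply the inverse of the forward key."""
    return pow(rk_forward, -1, Q) == rk_backward


def demo(message: int = 42) -> Dict[str, bool]:
    """Alice -> Bob -> Carol delegation chain plus the property checks."""
    a, pk_a = keygen()
    b, pk_b = keygen()
    while b == a:                      # distinct keys so the 'wrong key' check is meaningful
        b, pk_b = keygen()
    c, pk_c = keygen()

    ct_alice = encrypt(pk_a, message)  # the sender only needs pk_a
    rk_ab = rekeygen(a, b)             # set up when Alice goes on leave
    rk_bc = rekeygen(b, c)             # set up when Bob delegates onward

    ct_bob = reencrypt(rk_ab, ct_alice)    # first hop
    ct_carol = reencrypt(rk_bc, ct_bob)    # second hop: multi-use

    return {
        "alice_decrypts_original": decrypt(a, ct_alice) == message,
        "bob_decrypts_hop1": decrypt(b, ct_bob) == message,
        "carol_decrypts_hop2": decrypt(c, ct_carol) == message,
        "alice_key_fails_after_hop": decrypt(a, ct_bob) != message,
        "collusion_breaks_delegator": collusion_recovers_delegator_key(b, rk_ab, a),
        "bidirectional": is_bidirectional(rk_ab, rekeygen(b, a)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two final checks are the paper's two distinctions turned into tests: a scheme that passes `collusion_recovers_delegator_key` (returns False) and fails `is_bidirectional` is what the unidirectional, collusion-resistant target of this paper requires; the Blaze et al. scheme returns True for both, which is why the related-work section classifies it as bidirectional and collusion-vulnerable.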

However, to the best of our knowledge, no existing MUIBPRE scheme satisfies the above two security requirements simultaneously. In this paper, we take up this challenge.

Since the introduction of proxy re-encryption by Blaze et al. [3], there have been many papers [1], [2], [3], [5], [9], [11], [13], [15], [16], [20] that have proposed different PRE schemes with different properties. These schemes can be roughly categorized into two classes: public key infrastructure based (PKI-based), and identity based (ID-based).

The first PKI-based PRE scheme was proposed by Blaze et al. [3]; the scheme is proven secure against chosen-plaintext attacks (CPA). Based on the modified CHK conversion [4], Canetti and Hohenberger [5] proposed the first chosen ciphertext secure (CCA-secure) multi-use bidirectional PRE scheme in the standard model. Recently, Matsuda et al. [14] proposed a new CCA-secure multi-use bidirectional PRE scheme without pairings in the standard model. However, no unidirectional PRE scheme is proposed in [3], [5], [14], and these three bidirectional schemes suffer from collusion attacks.

Using a key-sharing technique, two efficient single-use unidirectional PRE schemes are proposed in [9], [21]. However, they suffer from collusion attacks. The first collusion-resistant PRE schemes were proposed by Ateniese et al. [1], [2], based on public key encryption with double trapdoors (strong and weak private keys). However, the schemes in [1], [2] are only CPA-secure. Recently, Libert and Vergnaud [13] proposed the first replayable chosen ciphertext secure (RCCA-secure) and collusion-resistant PRE scheme in the standard model. Shao and Cao [15], and Chow et al. [6], proposed CCA-secure and collusion-resistant PRE schemes in the random oracle model. Shao et al. [16] and Weng et al. [20] proposed CCA-secure and collusion-resistant PRE schemes in the standard model. However, all these schemes are single-use and unidirectional.

Regarding ID-based PRE, Green and Ateniese [9] proposed the first unidirectional IBPRE schemes, which are CCA-secure in the single-use setting and CPA-secure in the multi-use setting. They left the design of a CCA-secure multi-use unidirectional IBPRE (MUIBPRE) scheme as an open problem. Later, Chu and Tzeng [7] proposed an RCCA-secure MUIBPRE scheme. Recently, Wang et al. [18] proposed the first CCA-secure MUIBPRE scheme in the random oracle model. However, all three of these MUIBPRE schemes suffer from the collusion attack, and none of them is CCA-secure in the standard model. In this paper, we propose an MUIBPRE scheme with CCA security and collusion resistance in the standard model.

We make one major contribution and one minor contribution in this paper. The major contribution is a conversion from strongly CPA-secure, non-anonymous hierarchical identity-based encryption to CCA-secure and collusion-resistant MUIBPRE. The scheme resulting from the conversion answers the problem posed in [9], [18]: it is the first CCA-secure and collusion-resistant MUIBPRE scheme in the standard model. The minor contribution is that we refine the security definition for MUIBPRE; in particular, our security definition covers both CCA security and collusion resistance.

Definitions and security models

In this section, we review some basic knowledge we use in this paper.

The WCW paradigm

The idea behind our construction begins with the WCW paradigm [18] for constructing a CCA-secure MUIBPRE scheme from a CCA-secure identity-based encryption (IBE) scheme.

The description of the MUIBPRE conversion

  • Setup. The system parameters are (NaHIBE, SIG, SKE), where NaHIBE is a strongly CPA-secure NaHIBE scheme, SIG is a strongly unforgeable one-time signature scheme, and SKE is a CCA-secure one-time symmetric key encryption scheme.

  • KeyGen. On input the security parameter 1^λ, run NaHIBE.KeyGen(1^λ) → (mpk, msk).

  • Extract. On input an identity ID, run NaHIBE.Extract(ID) → d_ID.

  • ReKeyGen. On input a private key d_ID and an identity ID′, it first runs NaHIBE.Delegate(d_ID, ID′) → d_{ID,ID′}, and then chooses d_{ID,ID′}^(1), d_{ID,ID′}^(2) such that FdID

An example based on Waters’ NaHIBE

In this section, we give a concrete scheme of our construction based on the NaHIBE scheme, named scheme Waters09, proposed by Waters [19].

  • Setup. The system parameters are (G, G_T, q, SIG, SKE), where G, G_T are bilinear groups of prime order q, SIG is a strongly unforgeable one-time signature scheme, and SKE is a CCA-secure one-time symmetric key encryption scheme.

  • KeyGen. It is almost the same as that in scheme Waters09, except that we only need 3 levels for the HIBE scheme.

    On input the security parameter,

Conclusions

In this paper, we presented a conversion from a strongly CPA-secure NaHIBE to a CCA-secure and collusion-resistant MUIBPRE. Following the proposed conversion, we gave the first concrete CCA-secure and collusion-resistant MUIBPRE scheme in the standard model, based on scheme Waters09. This concrete scheme answers the problem posed in [9], [18].

This work motivates some interesting open questions.

  • Design more efficient CCA-secure and collusion-resistant MUIBPRE schemes than the

Acknowledgements

The authors thank the anonymous reviewers for their insightful comments and helpful suggestions. This work was supported by NSFC Nos. 61003308, 61161140320, 61033014, and 60972034, and ECZJF No. Y201017312.

References (21)

  • H. Wang et al., Multi-use unidirectional identity-based proxy re-encryption, Information Sciences (2010).
  • G. Ateniese, K. Fu, M. Green, S. Hohenberger, Improved proxy re-encryption schemes with applications to secure...
  • G. Ateniese et al., Improved proxy re-encryption schemes with applications to secure distributed storage, ACM Transactions on Information and System Security (TISSEC) (2006).
  • M. Blaze, G. Bleumer, M. Strauss, Divertible protocols and atomic proxy cryptography, in: EUROCRYPT 1998, LNCS, vol....
  • R. Canetti, S. Halevi, J. Katz, Chosen-ciphertext security from identity-based encryption, in: EUROCRYPT 2004, LNCS,...
  • R. Canetti, S. Hohenberger, Chosen-ciphertext secure proxy re-encryption, in: ACM CCS 2007, 2007 (full version:...
  • S. Chow, J. Weng, Y. Yang, R. Deng, Efficient unidirectional proxy re-encryption, in: Africacrypt 2010, LNCS, vol....
  • C. Chu, W. Tzeng, Identity-based proxy re-encryption without random oracles, in: ISC 2007, LNCS, vol. 4779, 2007, pp....
  • R. Cramer et al., Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack, SIAM Journal on Computing (2003).
  • M. Green, G. Ateniese, Identity-based proxy re-encryption, in: ACNS 2007, LNCS, vol. 4521, 2007, pp. 288–306 (full...
