International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
EFFICIENT CONDITIONAL PROXY RE ENCRYPTION WITH CHOSEN CIPHER TEXT SECURITY
S. Sree Vivek ^{1} , S. Sharmila Deva Selvi ^{1} , V. Radhakishan ^{2} , C. Pandu Rangan ^{1}
^{1} Department of Computer Science and Engineering, Indian Institute of Technology Madras
svivek@cse.iitm.ac.in, sharmila@cse.iitm.ac.in, prangan@iitm.ac.in
^{2} National Institute of Technology Trichy, India
vrkishan@gmail.com
ABSTRACT
In a proxy reencryption (PRE) scheme, Alice gives a special information to a proxy that allows it to transform messages encrypted under Alice's public key into a encryption under Bob's public key such that the message is not revealed to the proxy. In [14], Jian Weng and others introduced the notion of conditional proxy reencryption (CPRE) with bilinear pairings. Later, a break for the same was published in [17] and a new CPRE scheme with bilinear pairings was introduced. In CPRE, the proxy also needs to have the right condition key to transform the ciphertext (associated with a condition set by Alice) under Alice's public key into ciphertext under Bob's public key, so that Bob can decrypt it. In this paper, we propose an efficient CPRE scheme which uses substantially less number of bilinear pairings when compared to the existing one [17]. We then prove its chosenciphertext security under modified Computational DiffieHellman (mCDH) and modified Computational Bilinear DiffieHellman (mCBDH) assumptions in the random oracle model.
KEYWORDS
Random Oracle Model, Proxy ReCryptography, Conditional Proxy Reencryption, Chosen Ciphertext Security.
1. INTRODUCTION
Encryption is used as a building block of any application requiring confidentiality. Let pk _{i} and pk _{j} be two independent public keys. As pointed out by Mambo and Okamato in [15], it is a common situation in practice where a data encrypted under pk _{i} is required to be encrypted under pk _{j} (j ≠ i). When the holder of sk _{i} is online, E _{i} (m) is decrypted using sk _{i} and then message m is encrypted under pk _{j} giving E _{j} (m). But in many applications like encrypted mail forwarding, secure distributed file systems, and outsourced filtering of encrypted spam, when the holder of sk _{i} is not online, this has to be done by an untrusted party.
In 1998 Blaze, Bleumar, and Strauss [9] introduced the concept of proxy reencryption (PRE).
A reencryption key (rk _{i}_{,}_{j} ) is given to a potentially untrusted proxy so that the proxy can
transform a message m encrypted under public key pk _{i} into an encryption of the same message
m under a different public key pk _{j} without knowing the message. A PRE scheme can be of two
types  unidirectional and bidirectional. The former is a scheme in which a reencryption key (rk _{i} _{→} _{j} ) can be used to transform from pk _{i} to pk _{j} but not vice versa and the latter is a scheme in which the same reencryption key (rk _{i} _{↔} _{j} ) can be used to transform from pk _{i} to pk _{j} and vice versa. The reencryption algorithm can be of two types  single hop, in which the reencrypted ciphertext cannot be further reencrypted and multi hop, in which the reencrypted ciphertext can be further reencrypted.
DOI : 10.5121/ijnsa.2012.4214
179
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
PRE can be used in many applications, including simplification of key distribution [9], key escrow [13], multicast [19], distributed file systems [3, 5], security in publish/subscribe systems [4], secure certified email mailing lists [20, 23], the DRM of Apple's iTunes [22], interoperable architecture of DRM [21], access control [11], and privacy for public transportation [7]. Hohenberger and others published a result of securely obfuscating reencryption [16], which is the first positive result for obfuscating an encryption functionality. Shao and Cao have proposed a unidirectional PRE scheme without pairing [2]. Matthew Green and Giuseppe Ateniese have proposed a PRE scheme for IDbased cryptosystems [18].
Ran Canetti and Susan Hohenberger proposed a definition of security against chosenciphertext attacks for PRE schemes and presented a scheme that satisfied the definition [1]. In 2009, Jian Weng and others [14] introduced the concept of CPRE, whereby Alice has a finegrained control over the delegation. As a result, Alice can flexibly assign Bob the decryption capability based on the conditions attached to the messages using a proxy. For example, suppose Alice is on a vacation. She can make Bob to read only those messages which have the keyword “urgent” in their subject. This flexible delegation is obviously not possible with PRE schemes. In this paper, two separate keys are used  a partial reencryption key and a condition key. The message can be delegated by the proxy only if both the keys are known.
Later in 2009, Jian Weng and others published a break of the scheme in [14] and gave a new scheme for CPRE [17], which combines the reencryption key and the condition key into a single key, which is then used for reencryption. Also ChengKang Chu and others in [8] introduced a generalized version of CPRE named conditional proxy broadcast reencryption (CPBRE), in which the proxy can reencrypt the ciphertexts for a set of users at a time.
In this paper, we propose an efficient CPRE scheme (singlehop and unidirectional) which uses significantly less number of bilinear pairings when compared to the existing schemes in [14] and [17]. Our scheme, as in [14], uses two separate keys for reencryption.
1.1. Our Results
Let us briefly describe a CPRE scheme. A CPRE scheme involves a delegator (say user U _{i} ), a delegatee (say user U _{j} ) and a proxy. A message sent to U _{i} with condition w is encrypted by the sender using both U _{i} ’s public key and w. To reencrypt the message to U _{j} , the proxy is given the reencryption key (rk _{i} _{→} _{j} ) and the condition key (ck _{i}_{,}_{w} ) corresponding to w. Both the keys can be generated only by U _{i} . These two keys form the secret trapdoor to be used by the proxy to perform translation. Proxy will not be able to reencrypt cipher texts for which the right condition key is not available. Thus U _{i} can flexibly assign U _{j} the decryption rights by setting condition keys properly. The scheme works in practice as follows: the message encrypted for U _{i} is first handled by proxy and under appropriate conditions the proxy transforms the ciphertext into a ciphertext for U _{j} . However, proxy will obtain no information about the original message. While it is some what easier to design a PRE without pairing, designing CPRE requires pairing based operations crucially. We have used a few constructions from [12] which drastically reduces the number of bilinear pairings. Table 1 compares the number of bilinear pairings and exponentiations between the scheme in [17] and our scheme.
Table 1. Computational Complexity Comparison
Algorithm 
Scheme in [17] 
Our Scheme 

BP 
EXP 
BP 
EXP 

Encryption case 1 
1 
4 
0 
0 
Encryption case 2 
1 
3 
1 
6 
ReEncryption 
3 
4 
1 
3 
Decryption case 1 
3 
3 
1 
4 
Decryption case 2 
1 
1 
0 
6 
Total 
9 
15 
3 
19 
BP − Bilinear Pairings, EXP − Exponentiations.
180
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
Encryption case 1 refers to the encryption without the condition. Encryption case 2 refers to the encryption with the condition. Decryption case 1 refers to the decryption of the reencrypted ciphertext (first level ciphertext) and Decryption case 2 refers to the decryption of the encrypted ciphertext (second level ciphertext).
Although the number of exponentiations in our scheme is slightly more, it is insignificant when compared to the reduction in number of bilinear pairings. Thus, our scheme is more efficient than the existing one. We then formally prove the security of our scheme. We have slightly modified the security model in [14], as discussed in Section 3.
The CPRE scheme in [14] has a break as given in [17]. Scheme in [17] has combined the two keys into a single key. Having the keys separate has an advantage. The delegation power of the proxy can be controlled. One of the two keys can be given to the proxy for partial reencryption and the other key can be given to a third party for full reencryption. Since the scheme in [14] has a break, our scheme is the only existing scheme having this unique property.
2. PRELIMINARIES
Bilinear Groups and Bilinear Pairings: Let G and G _{T} be two cyclic multiplicative groups with the same prime order q. A bilinear pairing is a map e : G × G → G _{T} with the following properties.
− Bilinearity: We have
, g
− Nondegeneracy: There exist g _{1} , g _{2} ∈ G such that _{e}_{ˆ}_{(}_{g} _{,} _{g} _{)}
eˆ(g
a
1
b
2
)
=
eˆ(g , g
1
2
)
ab
∀
g , g
1
2
∈ G
1
and
∀ a,b ∈Z
2
≠ _{1} ;
− Computability: There exists an efficient algorithm to compute
eˆ(g ,g
1
2
)
*
q
;
∀
g ,g
1
2
∈ G
.
Modified Computational DiffieHellman Problem: Let G be a cyclic multiplicative group with a prime order q. Let g be the generator of G, The mCDH problem in G is as follows:
An algorithm A has an
advantage ε in solving mCDH in G if
1
Given (g,g ,g ,g
a
)
a
b
for
some a,
b
∈
Z
*
q
, compute W =
g ^{a}^{b}
∈ G.
Pr
^{} A
(g, g
1
a
, g
a
, g
b
)
=
g
ab
≥
ε
where the probability is over the random choice of a, b ∈
the random bits of A.
Z
*
q
, the random choice of g ∈ G and
Modified Computational Bilinear DiffieHellman Problem: Let G and G _{T} be two cyclic multiplicative groups with the same prime order q. Let e : G × G → G _{T} be an admissible bilinear map and let g be the generator of G. The mCBDH problem in (G, G _{T} , e) is as follows:
_{G}_{i}_{v}_{e}_{n} (g,g
∈ G _{T} . An algorithm A
has an advantage ∈ in solving mCBDH in (G, G _{T} , e) if
1
a
,g
a
,g
b
,g
c
)
for some a, b, c ∈
Z
*
q
, compute W =
eˆ(g, g)
abc
Pr[ (g,g
A
1
a
,g
a
,g
b
,g
c
)
=
eˆ(g,g)
abc
]
≥ ε
where the probability is over the random choice of a, b, c ∈
and the random bits of A.
Z *
q
, the random choice of g ∈ G
3. MODEL OF CONDITIONAL PROXY REENCRYPTION
We give the definitions and security notions for CPRE systems in this section.
3.1. Definition of CPRE systems
A unidirectional CPRE scheme consists of seven algorithms which are described as follows:
181
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
Global Setup (λ): The global setup algorithm takes a security parameter λ as input and outputs the global parameters param. The parameters in param are implicitly given as input to the following algorithms.
KeyGen (i): The key generation algorithm takes the user index i as input and generates a public key(pk _{i} ) and a secret key(sk _{i} ) for user U _{i} .
ReKeyGen (sk _{i} , pk _{j} ): The partial reencryption key generation algorithm takes a secret key sk _{i} and another public key pk _{j} as input and outputs the partial reencryption key rk _{i} _{→} _{j} . This algorithm is run by U _{i} . Here sk _{j} is not taken as input which indeed makes the scheme unidirectional.
CKeyGen (sk _{i} , w): The condition key generation algorithm takes a secret key sk _{i} and a condition w as input and outputs the condition key ck _{i}_{,} _{w} . This algorithm is run by U _{i} .
Encrypt (pk, m, w): The encryption algorithm takes a public key pk, a message m and a condition w as input and outputs the ciphertext ζ associated with w under pk. Here m ∈ M where M denotes the message space.
ReEncrypt (rk _{i} _{→} _{j} , ck _{i}_{,} _{w} ,ζ _{i} ): The reencryption algorithm takes a partial reencryption key rk _{i} _{→} _{j} , a condition key ck _{i}_{,} _{w} associated with condition w and a ciphertext ζ _{i} under the public key pk _{i} as input and outputs the reencrypted ciphertext ζ _{j} under the public key pk _{j} . This algorithm is run by the proxy.
Decrypt (sk, ζ): The decryption algorithm takes a secret key sk and a ciphertext ζ as input and outputs either a message m ∈ M or the error symbol ⊥.
Correctness: For any m ∈ M, any condition w, any (pk _{i} , sk _{i} ) ← KeyGen (i), (pk _{j} , sk _{j} ) ← KeyGen (j), and ζ _{i} = Encrypt (pk _{i} , m, w), Pr [Decrypt(sk _{i} , ζ _{i} ) = m] = 1, and Pr [Decrypt(sk _{j} , ReEncrypt (rk _{i}_{,} _{j} , ck _{i}_{,} _{w} , ζ _{i} )) = m] = 1. while for any other condition w′ and user j′ with w′ ≠ w and j′ ≠ j, we have Pr [Decrypt(sk _{j} , ReEncrypt (rk _{i}_{,} _{j} , ck _{i}_{,} _{w}_{′} , ζ _{i} )) = ⊥] = 1−neg(λ) Pr [Decrypt(sk _{j} , ReEncrypt (rk _{i}_{,} _{j}_{′} , ck _{i}_{,} _{w} , ζ _{i} )) = ⊥] = 1−neg(λ).
3.2 Security Notions
The following game between an adversary A and a challenger C is used to define the semantic security of our CPRE scheme against chosen ciphertext attacks.
Setup. C takes a security parameter λ and runs the algorithm GlobalSetup(λ) and gives the resulting global parameters param to A. Phase 1. A adaptively issues queries q _{1} , …, q _{m} where q _{i} is one of the following:
− Uncorrupted key generation query: C first runs algorithm KeyGen (i) to obtain the public/secret key pair (pk _{i} , sk _{i} ), and then gives pk _{i} to A.
− Corrupted key generation query: C first runs algorithm KeyGen (j) to obtain the public/secret key pair (pk _{j} , sk _{j} ), and then gives (pk _{j} , sk _{j} ) to A.
− Partial reencryption key generation query (pk _{i} , pk _{j} ): C runs the algorithm ReKeyGen(sk _{i} , pk _{j} ) and returns the generated reencryption key rk _{i} _{→} _{j} to A. Here sk _{i} is the secret key corresponding to pk _{i} .
− Condition key generation query (pk _{i} , w): C runs the algorithm CKeyGen(sk _{i} , w) and returns the generated condition key ck _{i}_{,} _{w} to A.
182
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
− Reencryption query (pk _{i} , pk _{j} , w, ζ _{i} ): C runs the algorithm ReEncrypt(ReKeyGen(sk _{i} , pk _{j} ), CKeyGen(sk _{i} , w), ζ _{i} ) and returns the generated ciphertext ζ _{j} to A.
− Decryption query (pk, w, ζ) or (p _{k} , ζ): C runs the algorithm Decrypt(sk, ζ) and returns its result to A. Here (pk, w, ζ) and (pk, ζ) are queries on original ciphertexts and reencrypted ciphertexts respectively.
For the last four queries it is required that pk, pk _{i} and pk _{j} are generated beforehand by the KeyGen algorithm.
Challenge. Once A decides Phase 1 is over, it outputs a target public key pk _{i}_{*} , a target condition w ^{*} and two equallength plaintexts m _{0} , m _{1} ∈ M. C flips a random coin δ ∈ {0, 1}, and sets the challenge ciphertext to be ζ ^{*} = Encrypt(pk _{i}_{*} , m _{δ} , w ^{*} ), which is sent to A.
Phase 2: A adaptively issues queries as in Phase 1, and C answers them as before.
Guess: Finally, A outputs a guess δ′ ∈ {0, 1} and wins the game if δ′ = δ. Adversary A is subject to the following restrictions during the above game.
1. A cannot issue corrupted key generation queries on i* to obtain the target secret key sk _{i}_{*} .
2. A can issue decryption queries on neither (pk _{i}_{*} , w ^{*} , ζ ^{*} ) nor (pk _{j} , ReEncrypt(rk _{i}_{*} → j, ck i*,w* , ζ ^{*} )).
3. A cannot issue reencryption queries on (pk _{i}_{*} , pk _{j} , w ^{*} , ζ ^{*} ) if pk _{j} appears in a previous corrupted key generation query.
4. A cannot obtain the partial reencryption key rk _{i}_{*} _{→} _{j} if pk _{j} appears in a previous corrupted key generation query.
We refer to the above adversary A as an INDCPRECCA adversary. A’s advantage in attacking
our CPRE scheme is defined as
taken over the random coins consumed by the adversary and the challenger. As in [14], we also distinguish between two types of INDCPRECCA adversaries as follows:
where the probability is
Adv
C
−
−
PRE,
A
−
IND
CPRE
CCA
=
[
Pr δ
′ =
δ
]
−
1/2
,
− Type I INDCPRECCA adversary: In the game, adversary A does not obtain the re encryption key rk _{i}_{*} _{→} _{j} with pk _{j} corrupted.
− Type II INDCPRECCA adversary: In the game, adversary A does not obtain both the condition key ck _{i}_{*}_{,} _{w}_{*} and the reencryption key rk _{i}_{*} _{→} _{j} with pk _{j} corrupted.
4. AN EFFICIENT CPRE SCHEME
Here we present our efficient CPRE scheme and then prove its security.
4.1 Construction
Our proposed scheme consists of the following seven main algorithms and one auxiliary algorithm for checking the validity of the ciphertext.
Global Setup (λ) : This algorithm takes the security parameter λ as input. Then two primes p and q are chosen such that q  p−1 where q is a λ bit prime. Then the algorithm generates (q, G, G _{T} , e) where G and G _{T} are two cyclic groups with prime order q and e is a bilinear pairing e : G
with order q. Choose
hash functions as follows:
× G → G _{T} . Let g be the generator of group G, which is a subgroup of
Z *
q
183
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
H :{0,1}
H
l
0
×
1
5
: G → Z
*
q
{0,1}
,
H
6
l
1
→ Z
:{0,1}
*
q
*
,
H
2
:{0,1}
*
→ Z
*
q
×G ×G → G
, and
H
7
,
:
G
H
T
3
:
→
G →
{0,1}
{0,1}
l
0
+l
1
.
l
0
+l
1
,
H
4
:{0,1}
*
→ Z
*
q
,
param = ((q, G, G _{T} , e), g, H _{1} ,
{0,1}
l
0
.
, H _{7} ). l _{0} and l _{1} are determined by λ and the message space M is
KeyGen (i): This algorithm randomly picks sk _{i} = (x _{i}_{,}_{1} , x _{i}_{,}_{2}
$
← Z
*
q
)
and sets pk _{i} = _{(}_{g}
x
i ,1
_{,} _{g}
x
i 2
_{)}_{.}
ReKeyGen(sk _{i} , pk _{j} ) : The reencryption key rk _{i} _{→} _{j} is generated as follows:
$
←
$
←
1.
2. Compute V = g ^{v} and W = H _{3} (
Pick
h
{0,1}
l
0
and
π
{0,1}
l 1 and compute v = H _{1} (h, π).
pk
v
j,2
) ⊕ (h  π).
3.
Compute
rk
(1)
→
i
j
=
h
x
i,1
H (pk
5
i,2
)
+
x
i,2
_{a}_{n}_{d} _{r}_{e}_{t}_{u}_{r}_{n} rk
i→j
=
(rk
(1)
i→j
, V,W).
1
x i,1
. Encrypt(pk _{i} , m, w) : This algorithm encrypts a message m with condition w for pk _{i} as follows:
CKeyGen(sk _{i} , w) : This algorithm outputs the condition key ck _{i}_{,} _{w} = H (w,pk )
6
i
1.
Pick s,
$
z ← Z
*
q
and compute B =
pk
s
i,1
and D =
pk
z
i,1
.
r
$
′←
2. Pick
3. Compute C = H _{3} (g ^{r} ) ⊕ (m  r′) ⊕ _{H}
4. Compute E = s + zH _{4} (A, B, C, D) mod q.
5. Output the ciphertext ζ _{i} = (A, B, C, D, E).
{0,1}
l
1
. Compute r = H _{2} (m, r′, pk _{i} , w) and A
_{(}_{w}_{,} _{p}_{k} _{)}_{)}
7
_{(}_{e}_{ˆ}_{(}_{g}_{,} _{H}
6
i
=
s
_{)}_{.}
(pk
H (pk
5
i,1
i,2
)
pk
i,2
)
r
.
Validity(): This algorithm implicitly takes all the inputs of the calling algorithm as its input and works as follows:
If
pk
E
i,1
≠ B.D
H (A,B,C,D)
4
return ⊥.
ReEncrypt(rk _{i} _{→} _{j} , ck _{i}_{,} _{w} , ζ _{i} , pk _{i} , pk _{j} ): This algorithm reencrypts ζ _{i} to ζ _{j} as follows:
1. Return ⊥ if Validity() returns ⊥.
2.
3. Output the transformed ciphertext as ζ _{j} = (A′, C′, V, W).
Compute A′ =
A
rk
(1)
i
→
j
_{a}_{n}_{d} _{C}_{′} _{=} _{C} _{⊕} H (eˆ(B,ck
7
i,w
)) .
Decrypt(sk _{i} , ζ _{i} ): Parse the ciphertext ζ _{i} . Decryption of ζ _{i} is done as follows:
− ζ is the original ciphertext in the form ζ = (A, B, C, D, E).
1.
2.
3.
Return ⊥ if Validity() returns ⊥.
Compute (m  r′) = C ⊕ H (A
If
1
H
2
3
x
i,1
′
(m,r ,pk ,w)
i
5
i,2
+
x
i,2
)
⊕
H (eˆ(B, H (w, pk ))
7
6
i
holds, return m; else return ⊥.
H
(pk
)
)
− ζ is the reencrypted ciphertext in the form ζ = (A′, C′, V, W).
A
=
(pk
H (pk
5
i,1
i,2
)
pk
i,2
x
1
i,1
1. Compute (h  π) = W ⊕ _{H} _{(}_{V}
2.
sk
i,2
_{)}
3
If
V = g
1
H (h,π)
and
A
′ =
g
′
hH (m,r ,pk ,w)
2
i
and (m  r′) = C′ ⊕ H
3
(A
′
1
h
) .
hold, return m; else return ⊥.
)
.
184
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
Correctness: The proxy must have both the right reencryption key and the condition key to re encrypt a ciphertext to the delegatee. Otherwise, the delegatee will not be able to decrypt the ciphertext with nonnegligible probability. Suppose a proxy has the reencryption key rk _{i} _{→} _{j} and the condition key ck _{i}_{,} _{w}_{′} (w′ ≠ w), he will generate the reencrypted ciphertext ζ _{j} = (A′, C′, V, W) as
A′
C′
= g ^{r}^{h} = H _{3} (g ^{r} ) ⊕ (m  r′) ⊕
H
= H _{3} (g ^{r} ) ⊕ (m  r′) ⊕
= H _{3} (g ^{r} ) ⊕ (m  r′) ⊕
H
H
V = g ^{v}
_{W} _{=} H
3
(pk
v
j,2
)
⊕ (h  π).
7
7
7
(eˆ(g, H (w,pk )) )
6
i
s
(eˆ(g, H
(eˆ(g, H (w,pk )) )
)
6
6
(w, pk ))
i
i
s
s
⊕ H (eˆ(B,ck
7
⊕
⊕
H (eˆ(g
7
sx
i,1
H
7
(eˆ(g, H
6
i,w′
, H
))
6
′
(w , pk )
i
(w ,pk )) )
i
′
s
x
1
i,1
))
1
in the
decryption algorithm will not reveal the message m with overwhelming probability. The resulting value will also not pass the condition checks. Hence the delegatee cannot decrypt the reencrypted ciphertext with high probability.
Note that the two H _{7} terms do not cancel each other implying that C′ ⊕ H (A )
′
g
3
Security intuitions: It is impossible for the adversary to manipulate the ciphertext. This is because the validity of the original ciphertext can be publicly verified by the Validity() algorithm. Thus our scheme can ensure chosenciphertext security. Even if the conditional key w is changed to another value w′ by the adversary, the scheme is secure because w is a parameter for H _{2} and when w changes the value of r also changes.
4.2. Security
The proposed CPRE scheme is INDCPRECCA secure in random oracle model. This follows directly from Theorem 1 and Theorem 2.
Theorem 1. Our scheme is INDCPRECCA secure in the random oracle model, assuming the mCDH assumption holds in group G and the Schnorr signature is EUFCMA secure.
Concretely, if there exists a Type I adversary A, who asks at most
, 7}, and breaks the (t, q _{u} , q _{c} , q _{r}_{k} , q _{c}_{k} , q _{r}_{e} , q _{d} , ε)INDCPRECCA of our
scheme, then, for any 0 < ψ < ε, there exists
H _{i} with i ∈ {1, 2,
H random oracle queries to
i
q
1.
2.
either an algorithm B which can break the (t′, ε′)mCDH assumption in G with
O
t
′ ≤
t
ε ′ ≥
+
+
1
(q
(2q
H
1
c
q
+
ε ψ
+
+
H
2
2q
−
u
+
q
H
3
+
q
H
4
+
q
H
5
+
q
H
6
+
q
H
7
6q
rk
q
H
+
q
ck
2
+
q
H
+
4
(q
re
+
(q
+
H
2
+
1)(2q
q
d
+
H
3
)(q
+
q
(2q
+
re
u
+
q
c
+
q
rk
+
H
2
q
d
+
)
2q
H
3
)q
d
2(q
re
+
−
2
l
0
+
l
1
−
+
q
)) t
q
d
ck
exp
)
q
+
re
+
q
d
(q
re
+
d
)
q
q
H
3
ε(1 q )
+
rk
q
(1)
) t
p
where t _{e}_{x}_{p} denotes the running time of an exponentiation in group G and t _{p} denotes the running time of a pairing in groups (G, G _{T} ).
or an attacker who breaks the EUFCMA security of the Schnorr signature with advantage ψ within time t′.
185
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
PROOF. Without loss of generality, we assume that the Schnorr signature is (t′, ψ)EUFCMA secure for some probability 0 < ψ < ε. If there exists a ttime adversary A who can break the INDCPRECCA security of our scheme with advantage εψ, then we show how to construct an
the
algorithm
(t′, ε′)mCDH assumption in G. Suppose B is given as input a challenge tuple (g,g ,g ,g )
B
which
can
break
1
a
a
b
$
*
q
a, b ←Z
with unknown
H _{1} ,
adversary A in the following way:
. Algorithm B′s goal is to output g ^{a}^{b} . Algorithm B first gives (q, G, g,
, H _{7} , l _{0} , l _{1} ) to A. Next, B acts as a challenger and plays the INDCPRECCA game with
Hash Oracle Queries: At any time adversary A can issue random oracle queries H _{i} with i ∈ {1,
7}. Algorithm B maintains seven hash lists and responds as below:
7} which are initially empty,
H
list
i
with i ∈ {1,
,
,
1. H _{1} queries: If H _{1} (h, π) has appeared on the
H
list
i
in a tuple (h, π, v), return the predefined
value v. Otherwise, choose
π) = v.
$
*
q
v ← Z
and add tuple (h, π, v) to
H
list
i
and respond with H _{1} (h,
2. H _{2} queries: If H _{2} (m, r′, pk _{i} , w) has appeared on the
H list
2
in a tuple (m, r′, pk _{i} , w, r), return
the predefined value r. Otherwise, choose
and respond with H _{2} (m, r′, pk _{i} , w) = r.
$
r ←Z
3. H _{3} queries: If H _{3} (R) has appeared on the
H list
3
*
q
and add tuple (m, r′, pk _{i} , w, r) to
H
list
2
[R
∈
G]
in
a
tuple (R, β), return the
predefined value β. Otherwise, choose
with H _{3} (R) = β.
β
$ l
←
{0,1}
0
+l
1
4. H _{4} queries: If H _{4} (A, B, C, D) has appeared on the
, add tuple (R, β) to
H
list
3
and respond
H list
4
in a tuple (A, B, C, D, γ), return
the predefined value γ. Otherwise, choose
respond with H _{4} (A, B, C, D) = γ.
5. H _{5} queries: If H _{5} (pk) has appeared on the
$
*
q
γ ← Z
, add tuple (A, B, C, D, γ) to
H
list
4
and
H
list in a tuple (pk, τ), return the predefined
5
value τ. Otherwise, choose
τ.
$
*
q
τ ←Z
, add tuple (pk, τ) to
H
list
5
and respond with H _{5} (pk) =
6. H _{6} queries: If H _{6} (w, pk) has appeared on the
H list
6
in
a tuple
(w, pk, t,
S), return the
$
*
q
t ← Z
predefined value S. Otherwise, choose
to
H list
6
and respond with H _{6} (w, pk) = S.
, compute S = g ^{t} , add the tuple (w, pk, t, S)
7. H _{7} queries: If H _{7} (U) has appeared on the
predefined value η. Otherwise, choose respond with H _{7} (U) = η.
η
H
list [U ∈ G _{T} ] in a tuple (U, η), return the
7
$ +l
←
{0,1}
l
0
1
,
add tuple (U,
η)
to
H
list
7
and
Phase 1. In this phase, adversary A issues a series of queries subject to the restrictions of the Type I INDCPRECCA game. B maintains three lists K ^{l}^{i}^{s}^{t} , R ^{l}^{i}^{s}^{t} and C ^{l}^{i}^{s}^{t} which are initially empty, and answers these queries for A as follows:
186
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
x
i,1
, x
i,2
$
*
q
←Z
i,2
, x
_{)}
i,2
; else pk
$
←Z
_{i} =
. Next, using the Coron's
technique [6], it flips a biased coin c _{i} ∈ {0, 1} that yields 1 with probability θ and 0
otherwise. If c _{i} = 1, it defines _{p}_{k}
Then, it
adds the tuple (pk _{i} , x _{i}_{,} _{1} , x _{i}_{,} _{2} , c _{i} ) to K ^{l}^{i}^{s}^{t} and returns pk _{i} .
_{)} , c _{i}
= ‘−’. Then, it adds the tuple (pk _{i} , x _{i}_{,} _{1} , x _{i}_{,} _{2} , c _{i} ) to K ^{l}^{i}^{s}^{t} and returns (pk _{i} , (x _{i}_{,} _{1} , x _{i}_{,} _{2} )).
− Reencryption key generation query (pk _{i} , pk _{j} ). If R ^{l}^{i}^{s}^{t} has an entry for (pk _{i} , pk _{j} ), return the predefined reencryption key to A. Otherwise, algorithm B acts as follows:
− Uncorrupted key generation query. B picks
_{(}_{g}
x
i,1
_{,} _{g}
x
((g
1 1
a )
x
i,1
,(g
a
)
i ^{=}
x
i,2
_{(}_{g}
)
x
.
i,1
i ^{=}
− Corrupted key generation query. B picks
x
i,1
*
q
and defines _{p}_{k}
_{,} _{g}
x
i,2
1. Recover tuples (pk _{i} , x _{i}_{,} _{1} , x _{i}_{,} _{2} , c _{i} ) and (pk _{j} , x _{j}_{,} _{1} , x _{j}_{,} _{2} , c _{j} ) from K ^{l}^{i}^{s}^{t} .
2.
$
$
←
Pick
⊕ (h  π).
←
h
{0,1}
l
0
and
π
{0,1}
l
1
; compute v = H _{1} (h, π), V = g ^{v} and W = H (pk
3
v
j,2
)
3. Construct the first component
rk
(1)
→
i
j
according to the following cases:
•
c _{i} = 1 or c _{i} = ‘−’: Define
rk
(1)
→
i
j
=
h
x
i,1
H (pk
5
i,2
)
+
x
i,2
.
•
• (c _{i} = 0 ∧ c _{j} = ‘−’): Output “failure” and abort.
(c _{i} = 0 ∧ c _{j} = 1) or (c _{i} = 0 ∧ c _{j} = 0): Pick
rk
(1)
→
i
j
$
← Z
*
q
.
4. If B does not abort, add (pk , pk , (rk
i
j
(1)
i→j
, V, W),h)
into list R ^{l}^{i}^{s}^{t} , return
(rk
(1)
i→j
, V, W)
.
− Condition key query (pk _{i} , w). If C ^{l}^{i}^{s}^{t} has an entry for (pk _{i} , w), return the predefined condition key ck _{i}_{,} _{w} to A. Otherwise algorithm B acts as follows:
1. Recover tuples (pk _{i} , x _{i}_{,}_{1} , x _{i}_{,}_{2} , c _{i} ) from K ^{l}^{i}^{s}^{t} and (w, pk _{i} , t, S) from
2. It constructs the condition key ck _{i}_{,}_{w} for adversary A according to the following cases:
H list
6
.
S
x
1
i,1
.
• c _{i} = 1 or c _{i} = ‘−’: Algorithm B responds with ck _{i}_{,}_{w} =
• c _{i} = 0: Algorithm B responds with ck _{i}_{,}_{w} =
(g
a
)
x
1
i,1
which is same as
3. Add (pk _{i} , w, ck _{i}_{,}_{w} ) to C ^{l}^{i}^{s}^{t} .
1
S
sk
i,1
.
− Reencryption query (pk _{i} , pk _{j} , w, ζ _{i} )}. Algorithm B parses ζ _{i} = (A, B, C, D, E). Return ⊥ if
Validity() returns ⊥. Otherwise it constructs the condition key ck _{i}_{,}_{w} by issuing a condition key query (pk _{i} , w) and does the following:
1. Recover tuples (pk _{i} , x _{i}_{,}_{1} , x _{i}_{,}_{2} , c _{i} ) and (pk _{j} , x _{j}_{,}_{1} , x _{j}_{,}_{2} , c _{j} ) from K ^{l}^{i}^{s}^{t} .
2. If (c _{i} = 0 ∧ c _{j} = ‘−’) does not hold, issue a reencryption key generation query (pk _{i} , pk _{j} ) to obtain rk _{i} _{→} _{j} , and then ReEncrypt(rk _{i} _{→} _{j} , ck _{i}_{,}_{w} , ζ _{i} , pk _{i} , pk _{j} ) to A.
3. Else B does the following.
$
←
$
←
•
• Compute V = g ^{v} and W = H (pk
Pick
h
{0,1}
l
0
and
π
{0,1}
l 1 and compute v = H _{1} (h, π).
3
v
j,2
)
⊕ (h  π).
• Since the ciphertext is valid, issue a decryption query (pk _{i} , ζ _{i} ) and get message m.
•
• Compute A′ = g ^{r}^{h} and C′ = H _{3} (g ^{r} ) ⊕ (m  r′).
$
′←
Pick
r
{0,1}
l 1 . Compute r = H _{2} (m, r′, pk _{i} , w).
187
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
• Add tuple (h, π, v) to
H
list
i
and tuple (m, r′, pk _{i} , w, r) to
present in their respective lists.
H
list
2
, if they are not
• Return (A′, C′, V, W) to A as the reencrypted ciphertext.
− Decryption query (pk _{i} , w′, ζ _{i} ) or (pk _{i} , ζ _{i} ). B recovers tuple (pk _{i} , x _{i}_{,}_{1} , x _{i}_{,}_{2} , c) from K ^{l}^{i}^{s}^{t} . If c =
and returns the result to A.
1 or
Otherwise, algorithm B works according to the following two cases:
c = ‘−’, algorithm B
runs Decrypt((x _{i}_{,}_{1} , x _{i}_{,}_{2} ), ζ _{i} ))
• ζ _{i} is an original ciphertext ζ _{I} = (A, B, C, D, E):
1. Return ⊥ if Validity() returns ⊥.
2. Construct condition key ck _{i}_{,}_{w}_{′} as in the condition key query and define C = C′ ⊕
H (eˆ(B,ck
7
i,w′
))
^{.}
3. Search tuples (m, r′, pk, w, r) ∈
H
list
2
and (R, β) ∈
w′, β ⊕ (m  r′) = C, g ^{r} = R and _{(}_{p}_{k}
H (pk
5
i,1
i,2
)
_{p}_{k}
i,2
_{)}
r
=
H list
3
_{A}
.
such that pk _{i} = pk, w =
4. If yes, return m to A. Otherwise, return ⊥.
• ζ _{i} is a reencrypted ciphertext ζ _{i} = (A′, C′, V, W):
1. Search tuples (m, r′, pk, w, r) ∈
β′) ∈
β′ ⊕ (h  π) = W and
H list
3
_{p}_{k}
v
i,2
^{=}
_{R}
′ .
and (R′,
such that pk _{i} = pk, w = w′, g ^{r}^{h} = A′, g ^{r} = R, β ⊕ (m  r′) = C′, g ^{v} = V,
H list
2
, (h, π, v) ∈
H list
1
, (R, β) ∈
H
list
3
2. If yes, return m to A. Otherwise, return ⊥.
Challenge. When A decides that Phase 1 is over, it outputs a public key pk _{i}_{*} = (pk _{i}_{*}_{,}_{1} , pk _{i}_{*}_{,}_{2} ), a
condition w ^{*} and two equallength messages m _{0} , m _{1} ∈ follows:
. Algorithm B responds as
{0,1} ^{l} ^{+}^{l}
0
1
1. Recover tuple (pk _{i}_{*} , x _{i}_{*}_{,}_{1} , x _{i}_{*}_{,}_{2} , c ^{*} ) from K ^{l}^{i}^{s}^{t} . If c ^{*} ≠ 0, B outputs “failure” and aborts.
Otherwise, B proceeds to execute the following steps.
*
*
, z
$
*
$
*
q
←Z
←
{0,1}
A
*
=
(g
2. Pick
Pick
s
C
and compute
l
0
+l
1
b
)
.
x i*,1
H (pk
5
i*,2
)
+ x
i*,2
B
*
1
= (g
* *
a )
s x
i*,1
and
)
z x
i*,1
.
D
*
= (g
1
a
3.
4. Compute
5. Construct the condition key ck _{i}_{*}_{,}_{w}_{*} , as in the condition key query.
and E ^{*} = s ^{*} + z ^{*} H _{4} (A ^{*} , B ^{*} , C ^{*} , D ^{*} ) mod q.
$ 
$ 

6. Pick a random bit δ and 
← 
{0,1} 
and 
r 
′ ← 
{0,1} 
l 1 . Implicitly define H _{2} (m _{δ} , r′, pk _{i}_{*} , w ^{*} ) = ab 
H _{3} (g ^{a}^{b} ) = C ^{*} ⊕
(m _{δ}  r′) ⊕ _{H}
7
*
_{(}_{e}_{ˆ}_{(}_{B} _{,} _{c}_{k}
i*,w*
_{)}_{)}
(note that B knows neither ab nor g ^{a}^{b} ).
7. Return ζ ^{*} = (A ^{*} , B ^{*} , C ^{*} , D ^{*} , E ^{*} ) as the challenged ciphertext to adversary A.
Observe that the challenge ciphertext ζ ^{*} is identically distributed as the real one from the construction. To see this, letting r ^{*} = ab, we have
A ^{*} =
=
B ^{*} =
C ^{*} = H _{3} (g ^{a}^{b} ) ⊕ (m _{δ}  r′) ⊕
(g
b
)
x
i*,1
H (pk
5
i*,2
)
+
x
i*,2
(pk
((g
H (pk
5
i*,1
i*,2
1
a
)
s*x
i*,1
)
pk
i*,2
)
r*
=
pk
s*
i*,1
=
= H _{3} (g ^{a}^{b} ) ⊕ (m _{δ}  r′) ⊕
((g
_{H}
H
7
7
1
a
)
x
i*,1
H (pk
5
i*,2
)+x
i*,2
*
_{(}_{e}_{ˆ}_{(}_{B} _{,} _{c}_{k}
i*,w*
_{)}_{)}
1
(eˆ((g )
a
s*x
i*,1
, (g
a
)
ab
1
)
x
i*,1
))
188
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
= H _{3} (g ^{a}^{b} ) ⊕ (m _{δ}  r′) ⊕
= H _{3} (g ^{r}^{*} ) ⊕ (m _{δ}  r′) ⊕
_{H}
H
7
7
_{(}_{e}_{ˆ}_{(}_{g}_{,} _{g}
y
(eˆ(g, H
6
D ^{*} = E ^{*}
(g
1 z*x
a
)
i*,1
=
pk
z*
i*,1
= s ^{*} + z ^{*} H _{4} (A ^{*} , B ^{*} , C ^{*} , D ^{*} ) mod q
_{)}
s*
_{)}
(w
*
, pk
i*,w*
))
s*
)
Phase 2. Adversary A continues to issue queries as in Phase 1, with the restrictions prescribed in the INDCPRECCA game. Algorithm B responds to these queries for A as in Phase 1.
Guess. Eventually, adversary A returns a guess δ′ ∈ {0, 1} B. Algorithm B randomly picks a
tuple (R, β) from the
H list
3
and outputs R as the solution to the given problem instance.
Analysis. Now let's analyse the simulation. From the constructions of H _{1} , H _{5} , H _{6} and H _{7} , it is
be the event that A queried
clear that the simulations of these oracles are perfect. Let
(A ^{*} , B ^{*} , C ^{*} , D ^{*} ) to H _{4} before challenge phase. The simulation of H _{4} is perfect as long as
did not occur. Since C ^{*} is randomly chosen from
by the challenger in the challenge
AskH
*
4
AskH
*
4
{0,1} ^{l} ^{+}^{l}
0
1
phase, we have
*
Pr[AskH ] =
4
q
H
4
2
l
0
+l
1
. Let
AskH
*
2
be the event that (m _{δ} ,r′, pk _{i}_{*} , w ^{*} ) has been
queried to H _{2} and
and H _{3} are perfect as long as in the challenge phase.
AskH be the event that g ^{a}^{b} has been queried to H _{3} . The simulations of H _{2}
did not occur, where δ and r′ are chosen by B
*
3
AskH
*
2
and
AskH
*
3
B’s responses to A’s uncorrupted/corrupted key generation queries are perfect. Let Abort denote the event of B’s aborting during the simulation of the reencryption key queries or in the
.
challenge phase. We have Pr[¬Abort] ≥ _{θ}
q
rk
_{(}_{1}
−
_{θ}_{)}
, which is maximized at
θ
opt
=
q rk
1
+
q
rk
1
Using θ _{o}_{p}_{t} , the probability Pr[¬Abort] is at least e(1
+ q
rk
)
.
The simulation of the reencryption key queries is same as the real one, except for the case (c _{i} =
is randomly chosen. If Abort does
0 ∧ c _{j} = 1) or (c _{i} = 0 ∧ c _{j} = 0), in which the component
not happen, this is computationally indistinguishable from the real world because:
rk
(1)
i
→
j
1. Secret key sk _{j} is unknown to A since c _{j} ≠ ‘−’.
2. h is encrypted under pk _{j} using the “hashed” ElGamal encryption scheme. So, if A can
, it means that A can determine (V, W) is an encryption of h
distinguish rk _{i} _{→} _{j} from
or h′, which breaks the CCA security of the “hashed” ElGamal based on the CDH assumption.
rk ′
i
→
j
The reencryption queries are also perfect, unless A can submit valid original ciphertexts without querying H _{2} or H _{3} (denote this event by REErr). This is because we issue a decryption query in the third case of the reencryption query. We will calculate Pr[REErr] shortly.
The simulation of the decryption oracle is perfect, with the exception that simulation errors may occur in rejecting some valid ciphertexts. A can submit valid original ciphertexts without querying H _{2} or H _{3} (denote this event by DErr). Let Valid be the event that the ciphertext is
189
International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March 2012
valid. Let AskH _{3} and AskH _{2} be the events g ^{r} has been queried to H _{3} and (m, r′, w) has been queried to H _{2} respectively. We have,
Pr[Valid 
¬
AskH ]
2
=
≤
∧
Pr[AskH 
Pr[Valid
3
AshH 
¬
3
¬
AskH ]
2
AskH ]
+
2
+
Pr[Valid
¬
AskH
3
∧ ¬
AskH 
3
¬
∧ ¬
AskH ]
2
Pr[Valid 
≤
q
H
3
Viel mehr als nur Dokumente.
Entdecken, was Scribd alles zu bieten hat, inklusive Bücher und Hörbücher von großen Verlagen.
Jederzeit kündbar.