Abstract
Proxy Re-Encryption (PRE) allows a ciphertext encrypted under Alice’s public key to be transformed to an encryption under Bob’s public key without revealing either the plaintext or the decryption keys. PRE schemes have clear applications to cryptographic access control by allowing outsourced data to be selectively shared with users via re-encryption to appropriate keys. One concern for this application is that the server should not be able to perform unauthorised re-encryptions. We argue that current security notions do not adequately address this concern. We revisit existing definitions for PRE, starting by challenging the concept of unidirectionality, which states that re-encryption tokens from A to B cannot be used to re-encrypt from B to A. We strengthen this definition to reflect realistic scenarios in which adversaries may try to reverse a re-encryption by retaining information about prior ciphertexts and re-encryption tokens. We then strengthen the adversarial model to consider malicious adversaries that may collude with corrupt users and attempt to perform unauthorised re-encryptions; this models a malicious cloud service provider aiming to subvert the re-encryption process to leak sensitive data. Finally, we revisit the notion of authenticated encryption for PRE. This currently assumes the same party who created the message also encrypted it, which is not necessarily the case in re-encryption. We thus introduce the notion of ciphertext origin authentication to determine who encrypted the message (initiated a re-encryption) and show how to fulfil this requirement in practice.
The author was supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1).
Notes
- 1.
- 2. As the value B is unique for each ciphertext, retaining B for one ciphertext does not allow a different ciphertext to be re-encrypted, whereas the update token can re-encrypt any ciphertext in either direction. This further demonstrates why token robustness is a necessary requirement.
References
Amazon Web Services: Protecting data using client-side encryption (2017). http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
Ateniese, G., Benson, K., Hohenberger, S.: Key-private proxy re-encryption. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 279–294. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_19
Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 9(1), 1–30 (2006). https://doi.org/10.1145/1127345.1127346
Berners-Lee, E.: Improved security notions for proxy re-encryption to enforce access control. Cryptology ePrint Archive, Report 2017/824 (2017). http://eprint.iacr.org/2017/824
Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054122
Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_23
Canetti, R., Hohenberger, S.: Chosen-ciphertext secure proxy re-encryption. In: Ning, P., di Vimercati, S.D.C., Syverson, P.F. (eds.) Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, 28–31 October 2007, pp. 185–194. ACM (2007). https://doi.org/10.1145/1315245.1315269
Chow, S.S.M., Weng, J., Yang, Y., Deng, R.H.: Efficient unidirectional proxy re-encryption. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 316–332. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12678-9_19
Cohn-Gordon, K., Cremers, C.J.F., Garratt, L.: On post-compromise security. In: IEEE 29th Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, 27 June – 1 July 2016, pp. 164–178. IEEE Computer Society (2016). https://doi.org/10.1109/CSF.2016.19
van Dijk, M., Juels, A., Oprea, A., Rivest, R.L., Stefanov, E., Triandopoulos, N.: Hourglass schemes: how to prove that cloud files are encrypted. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) The ACM Conference on Computer and Communications Security, CCS’12, Raleigh, NC, USA, 16–18 October 2012, pp. 265–280. ACM (2012). https://doi.org/10.1145/2382196.2382227
Everspaugh, A., Paterson, K.G., Ristenpart, T., Scott, S.: Key rotation for authenticated encryption. Cryptology ePrint Archive, Report 2017/527 (2017). http://eprint.iacr.org/2017/527
Hohenberger, S., Rothblum, G.N., Shelat, A., Vaikuntanathan, V.: Securely obfuscating re-encryption. J. Cryptol. 24(4), 694–719 (2011)
Ivan, A., Dodis, Y.: Proxy cryptography revisited. In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2003, San Diego, California, USA. The Internet Society (2003). http://www.isoc.org/isoc/conferences/ndss/03/proceedings/papers/14.pdf
Liang, X., Cao, Z., Lin, H., Shao, J.: Attribute based proxy re-encryption with delegating capabilities. In: Li, W., Susilo, W., Tupakula, U.K., Safavi-Naini, R., Varadharajan, V. (eds.) Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2009, Sydney, Australia, 10–12 March 2009, pp. 276–286. ACM (2009). https://doi.org/10.1145/1533057.1533094
Libert, B., Vergnaud, D.: Multi-use unidirectional proxy re-signatures. In: Ning, P., Syverson, P.F., Jha, S. (eds.) Proceedings of the 2008 ACM Conference on Computer and Communications Security, CCS 2008, Alexandria, Virginia, USA, 27–31 October 2008, pp. 511–520. ACM (2008). https://doi.org/10.1145/1455770.1455835
Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1_21
Polyakov, Y., Rohloff, K., Sahu, G., Vaikuntanathan, V.: Fast proxy re-encryption for publish/subscribe systems. Cryptology ePrint Archive, Report 2017/410 (2017). http://eprint.iacr.org/2017/410
Shao, J., Cao, Z.: CCA-secure proxy re-encryption without pairings. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 357–376. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_20
Zheng, Y.: Digital signcryption or how to achieve cost(signature & encryption) \(\ll\) cost(signature) + cost(encryption). In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 165–179. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052234
Acknowledgements
Many thanks to my supervisor Keith Martin for guiding my ideas into a worthwhile piece of work and helping me improve my writing. Also many thanks to those who gave up their time to proofread my work and taught me how to better explain technical definitions, especially Christian Janson, Kenny Paterson, Martin Albrecht and James Alderman.
Appendices
A Common Definitions for Confidentiality in PRE
Since [7], the main notion for security in PRE schemes is security against chosen-ciphertext attacks (CCA) as opposed to chosen-plaintext attacks (CPA). However, since the focus of this paper is to revisit definitions with respect to unauthorised re-encryptions, for simplicity we restrict security to CPA and leave IND-CCA to future work. We further note that since the authors of recent practical unidirectional and multi-hop schemes focus on CPA security [17], this is not a significant weakening of security in comparison with existing practical schemes.
The following definition is a formalism of the preservation of indistinguishability introduced in [7] adapted to CPA security. We note that this definition does not consider compromised keys.
Definition 8
A PRE scheme \({\mathcal {PRE}}\) preserves IND-CPA if for all algorithms there exists a negligible function such that:
where is given in Fig. 4.
Informally, the PRE scheme is still IND-CPA secure even when the adversary is given access to a re-encryption and token generation oracle. Clearly the underlying PKE scheme must be IND-CPA in order for the PRE scheme to be pres-IND-CPA.
Observe that the above definition applies regardless of whether the PRE scheme is ciphertext-dependent or unidirectional. It can easily be extended to symmetric PRE by providing the adversary with encryption oracles for both keys, see [11].
B A Secure PRE Scheme in the Malicious Model
Recall that a PRE scheme suitable for access control must be multi-hop. For the malicious model we require a unidirectional and token-robust scheme. A multi-hop, ciphertext-dependent scheme is given in Fig. 5. We use Definitions 4 and 5 to assess its unidirectionality and token robustness.
Correctness: Let \(C_i = (g^y, m \cdot g^{x_i y})\) be an encryption of m under \(g^{x_i}\). The update token resulting from \(\mathsf {ReEnc}(x_i, g^{x_j}, g^y)\) has the form \(\varDelta _{i,j,C} = (g^{y'}, X_j^{y'} \cdot (g^y)^{- x_i}) = (g^{y'}, g^{x_j y' - x_i y})\). Then re-encryption derives a ciphertext of the form \(C_j = (g^{y'}, m \cdot g^{x_i y} \cdot g^{x_j y' - x_i y}) = (g^{y'}, m \cdot g^{x_j y'})\).
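As an added illustration (not the paper's own code or the listing of Fig. 5), the following Python implements the ElGamal-based, ciphertext-dependent scheme exactly as the correctness argument above describes it, over a toy safe-prime group, and also exercises the point of Note 2: a token built for one ciphertext does not re-encrypt a different one. The group parameters and the square-encoding of messages are constructed for this example.

```python
import secrets

# Toy group, constructed for this example only: safe prime P = 2Q + 1 and
# G = 4 generating the order-Q subgroup of quadratic residues mod P.
# A real deployment needs a standard group of cryptographic size.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1

def rand_exp():
    """Uniform non-zero exponent in Z_Q."""
    return secrets.randbelow(Q - 1) + 1

def encode(v):
    """Map a small integer into the subgroup by squaring (toy encoding)."""
    return pow(v % P, 2, P)

def keygen(x=None):
    """Secret key x, public key X = g^x (x may be fixed for reproducibility)."""
    x = x or rand_exp()
    return x, pow(G, x, P)

def encrypt(pk, m, y=None):
    """ElGamal: C = (g^y, m * pk^y), i.e. (g^y, m * g^{x y})."""
    y = y or rand_exp()
    return pow(G, y, P), m * pow(pk, y, P) % P

def decrypt(sk, c):
    """m = C2 * C1^{-sk}; pow(., -sk, P) gives the inverse of C1^sk mod P."""
    c1, c2 = c
    return c2 * pow(c1, -sk, P) % P

def reenc_token(sk_i, pk_j, c1, yp=None):
    """Delta_{i,j,C} = (g^{y'}, X_j^{y'} * (g^y)^{-x_i}); bound to C via c1 = g^y."""
    yp = yp or rand_exp()
    return pow(G, yp, P), pow(pk_j, yp, P) * pow(c1, -sk_i, P) % P

def reencrypt(c, token):
    """C_j = (g^{y'}, m g^{x_i y} * g^{x_j y' - x_i y}) = (g^{y'}, m g^{x_j y'})."""
    t1, t2 = token
    return t1, c[1] * t2 % P

def demo():
    """Two hops A -> B -> C, then the Note 2 check: the token made for ca does
    not correctly re-encrypt a different ciphertext under the same key."""
    (xa, Xa), (xb, Xb), (xc, Xc) = keygen(), keygen(), keygen()
    m = encode(42)
    ca = encrypt(Xa, m, y=7)
    cb = reencrypt(ca, reenc_token(xa, Xb, ca[0]))
    cc = reencrypt(cb, reenc_token(xb, Xc, cb[0]))
    other = encrypt(Xa, encode(99), y=9)        # different randomness y
    misuse = reencrypt(other, reenc_token(xa, Xb, ca[0]))
    return decrypt(xb, cb) == m, decrypt(xc, cc) == m, decrypt(xb, misuse) == encode(99)
```

Running `demo()` returns `(True, True, False)`: both hops decrypt to the original message, while the misused token leaves a leftover factor g^{x_a (9 - 7)} that is not 1 in a group of prime order.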
B.1 Security Analysis
First we show that this scheme is ReEnc-IND-CPA, then best-achievable unidirectional. Here we give proof sketches, but note that the full proofs can be found in [4].
Theorem 2
The scheme described in Fig. 5 is ReEnc-IND-CPA under the decisional Diffie-Hellman assumption.
Proof sketch
Re-encrypted ciphertexts under \(x_j\) are identically distributed to ciphertexts encrypted for the first time under \(x_j\). Therefore the problem reduces to ElGamal being IND-CPA, so we can assume the scheme is ReEnc-IND-CPA. \(\square \)
Theorem 3
The scheme in Fig. 5 is best-achievable unidirectional.
We prove this through two lemmas, first proving maximal irreversibility and then token robustness.
Lemma 1
The scheme described in Fig. 5 is maximally irreversible under the Computational Diffie-Hellman (CDH) assumption.
We assume \({\bar{\lambda }}\in \{0, s, \dots , cs\}\) where s is the size of components in the ciphertext and c is the number of components updated during re-encryption, as in Definition 5. In [4] we provide a proof showing the unidirectionality of the scheme when \({\bar{\lambda }}\in \{0, s, \dots , cs\}\).
Proof sketch
The CDH assumption states that, given \((g^a, g^b)\), it is computationally infeasible to compute \(g^{ab}\). To prove this, we show that an adversary who only retains \(\varDelta _{i,j,C}^1 = g^{x_i y - x_j y'}\) cannot derive \(\tilde{C} = g^y\) without breaking the CDH assumption. Analogously, an adversary who only retains \(g^y\) cannot calculate \(g^{x_i y - x_j y'}\). \(\square \)
Lemma 2
The scheme in Fig. 5 has token robustness under the CDH assumption.
Proof sketch
To win the token robustness game, the adversary must output a token which re-encrypts an honestly-generated ciphertext so that it is under a key which it has not been encrypted under before.
The adversary must output a token \((g^{y'}, g^{x_j y' - x_i y})\), where \(j \not \in \mathsf {chain}(m)\). It is trivial for the adversary to calculate for some from . It remains for the adversary to calculate \(g^{x_i y}\), which requires either factoring or finding the most common factor modulo p, which are hard problems. \(\square \)
This shows our scheme is suitable for the malicious model according to the goals outlined in Sect. 1, namely that a malicious server is unable to perform unauthorised re-encryptions on stored files as much as can be guaranteed given realistic storage assumptions. Full details and an explicit construction for the adapted scheme with COA can be found in [4].
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Lee, E. (2019). Improved Security Notions for Proxy Re-Encryption to Enforce Access Control. In: Lange, T., Dunkelman, O. (eds) Progress in Cryptology – LATINCRYPT 2017. LATINCRYPT 2017. Lecture Notes in Computer Science(), vol 11368. Springer, Cham. https://doi.org/10.1007/978-3-030-25283-0_4
DOI: https://doi.org/10.1007/978-3-030-25283-0_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25282-3
Online ISBN: 978-3-030-25283-0