Improved Security Notions for Proxy Re-Encryption to Enforce Access Control

Abstract

Proxy Re-Encryption (PRE) allows a ciphertext encrypted under Alice’s public key to be transformed to an encryption under Bob’s public key without revealing either the plaintext or the decryption keys. PRE schemes have clear applications to cryptographic access control by allowing outsourced data to be selectively shared to users via re-encryption to appropriate keys. One concern for this application is that the server should not be able to perform unauthorised re-encryptions. We argue that current security notions do not adequately address this concern. We revisit existing definitions for PRE, starting by challenging the concept of unidirectionality, which states that re-encryption tokens from A to B cannot be used to re-encrypt from B to A. We strengthen this definition to reflect realistic scenarios in which adversaries may try to reverse a re-encryption by retaining information about prior ciphertexts and re-encryption tokens. We then strengthen the adversarial model to consider malicious adversaries that may collude with corrupt users and attempt to perform unauthorised re-encryptions; this models a malicious cloud service provider aiming to subvert the re-encryption process to leak sensitive data. Finally we revisit the notion of authenticated encryption for PRE. This currently assumes the same party who created the message also encrypted it, which is not necessarily the case in re-encryption. We thus introduce the notion of ciphertext origin authentication to determine who encrypted the message (initiated a re-encryption) and show how to fufil this requirement in practice.

The author was supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1).

Appendices

A Common Definitions for Confidentiality in PRE

Since [7], the main notion for security in PRE schemes is against chosen-ciphertext attacks (CCA) as opposed to chosen-plaintext (CPA) attacks. However since the focus of this paper is to revisit definitions with respect to unauthorised re-encryptions, for simplicity we restrict security to CPA and leave IND-CCA to future work. We further note that since authors of recent practical unidirectional and multi-hop schemes focus on CPA security [17], this not a significant weakening of security in comparison with existing practical schemes.

The following definition is a formalism of the preservation of indistinguishability introduced in [7] adapted to CPA security. We note that this definition does not consider compromised keys.

Definition 8

A PRE scheme \({\mathcal {PRE}}\) preserves IND-CPA if for all algorithms there exists a negligible function such that:

where is given in Fig. 4.

Fig. 4.

The game which reflects the most common notion of indistinguishability for PRE.

Informally, the PRE scheme is still IND-CPA secure even when the adversary is given access to a re-encryption and token generation oracle. Clearly the underlying PKE scheme must be IND-CPA in order for the PRE scheme to be pres-IND-CPA.

Observe that the above definition applies whether or not the PRE scheme is ciphertext-dependent or unidirectional. It can be easily extended to symmetric PRE by providing the adversary with encryption oracles for both keys, see [11].

B A Secure PRE Scheme in the Malicious Model

Recall that PRE suitable for access control must be multi-hop. For the malicious model we require a unidirectional and token robust scheme. A multi-hop, ciphertext dependent scheme is given in Fig. 5. We use Definitions 4 and 5 to assess the unidirectionality and token robustness.

Fig. 5.

An ElGamal-based scheme similar to [5] which is best-achievable unidirectional and token robust.

Correctness: Let \(C_i = (g^y, m \cdot g^{x_i y})\) be an encryption of m under \(g^{x_i}\). The update token resulting from \(\mathsf {ReEnc}(x_i, g^{x_j}, g^y)\) has the form \(\varDelta _{i,j,C} = (g^{y'}, X_j^{y'} \cdot (g^y)^{- x_i}) = (g^{y'}, g^{x_j y' - x_i y})\). Then re-encryption derives a ciphertext of the form \(C_j = (g^{y'}, m \cdot g^{x_i y} \cdot g^{x_j y' - x_i y}) = (g^{y'}, m \cdot g^{x_j y'})\).

1.1 B.1 Security Analysis

First we show that this scheme is ReEnc-IND-CPA, then best-achievable unidirectional. Here we give proof sketches, but note that the full proofs can be found in [4].

Theorem 2

The scheme described in Fig. 5 is ReEnc-IND-CPA under the decisional Diffie-Hellman assumption.

Proof sketch

Re-encrypted ciphertexts under \(x_j\) are identically distributed to ciphertexts encrypted for the first time under \(x_j\). Therefore the problem reduces to ElGamal being IND-CPA, so we can assume the scheme is ReEnc-IND-CPA.    \(\square \)

Theorem 3

The scheme in Fig. 5 is best-achievable unidirectional.

We prove this through two lemmas, first proving maximal irreversibility and then token robustness.

Lemma 1

The scheme described in Fig. 5 is maximally irreversible under the Computational Diffie-Hellman (CDH) assumption.

We assume \({\bar{\lambda }}\in \{0, s, \dots cs\}\) where s is the size of components in the ciphertext and c is the number of components updated during re-encryption, as in Definition 5. In [4] we provide a proof showing the unidirectionality of the scheme when \({\bar{\lambda }}\in \{0, s, \dots , cs\}\).

Proof sketch

The CDH assumption states that, given \((g^a, g^b)\), it is computationally infeasible to compute \(g^{ab}\). To prove this, show that an adversary who only retains \(\varDelta _{i,j,C}^1 = g^{x_i y - x_j y'}\) cannot derive \(\tilde{C} = g^y\) without breaking the CDH assumption. Analogously, an adversary who only retains \(g^y\) cannot calculate \(g^{x_i y - x_j y'}\).    \(\square \)

Lemma 2

The scheme in Fig. 5 has token robustness under the CDH assumption.

Proof sketch

To win the token robustness game, the adversary must output a token which re-encrypts an honestly-generated ciphertext so that it is under a key which it has not been encrypted under before.

The adversary must output a token \((g^{y'}, g^{x_j y' - x_i y})\), where \(j \not \in \mathsf {chain}(m)\). It is trivial for the adversary to calculate for some from . It remains for the adversary to calculate \(g^{x_i y}\), which requires either factoring or finding the most common factor modulo p, which are hard problems.    \(\square \)

This shows our scheme is suitable for the malicious model according to the goals outlined in Sect. 1, namely that a malicious server is unable to perform unauthorised re-encryptions on stored files as much as can be guaranteed given realistic storage assumptions. Full details and an explicit construction for the adapted scheme with COA can be found in [4].