
Puncturable Proxy Re-Encryption Supporting to Group Messaging Service

  • Conference paper
Computer Security – ESORICS 2019 (ESORICS 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11735)

Abstract

This work envisions a new encryption primitive for many-to-many paradigms such as group messaging systems. Previously, puncturable encryption (PE) was introduced to provide forward security for asynchronous messaging services. However, existing PE schemes were proposed only for one-to-one communication and cause significant overhead in a group messaging system. In fact, group communication over PE can only be achieved by having the sender’s device encrypt a message once for each receiver, and that device usually has restricted resources, as is the case for mobile phones or sensor devices. Our new scheme enables ciphertexts of puncturable encryption to be re-encrypted by a message server (i.e., a proxy), so that computationally heavy operations are delegated to the server, which has more powerful processors and a constant power source. We then propose a new Puncturable Proxy Re-Encryption (PPRE) scheme. The scheme is inspired by unidirectional proxy re-encryption (UPRE) and achieves forward secrecy through fine-grained revocation of decryption capability by integrating the PE scheme. This paper is the first to present a forward secure PPRE for the group messaging service. Our scheme is IND-CCA secure under the 3-weak Decision Bilinear Diffie-Hellman Inversion assumption.



Corresponding author: Tran Viet Xuan Phuong


A Proof of Theorem 2


Let \((g, A_{-1} = g^{1/a}, A_1 = g^a, A_2 = g^{a^2}, B = g^b, T)\) be a modified 3-wDBDHI instance. We build an algorithm \(\mathcal {B}\) that decides whether \(T = e(g,g)^{b/a^2}\) from a successful RCCA adversary \(\mathcal {A}\).

In this proof, our simulator \(\mathcal {B}\) simply halts and outputs a random bit if \(F_{\textsf {OTS}}\) ever occurs. Let \(\textsf {CT}^*_1 = (svk^*,\textsf {ct}^*_{11}, \textsf {ct}^*_{12}, \textsf {ct}^*_{13}, \textsf {ct}^*_{14}, \textsf {ct}^*_{15_i}, \textsf {ct}^*_{16}, \sigma ^*)\) denote the challenge ciphertext at the first level received by \(\mathcal {A}\), and let \((t_1^*, \ldots , t_d^*)\) be the target set initially output by \(\mathcal {A}\).

Global setup phase. \(\mathcal {B}\) generates a one-time signature key pair \((ssk^*, svk^*) \leftarrow \mathcal {G}(\lambda )\) and provides \(\mathcal {A}\) with public parameters including \(w = A_1^{\beta _1}\) and \(v = A_1^{-\beta _1 svk^*} \cdot A_2^{\beta _2}\) for random \(\beta _1, \beta _2\) in \(\mathbb {Z}_p\). Observe that w and v define a hash function \(F(svk)= w^{svk} \cdot v = A_1^{\beta _1(svk - svk^*)}\cdot A_2^{\beta _2}\).

\(\mathcal {B}\) also selects \(\alpha _1, \alpha _2 \in \mathbb {Z}_p\) at random and computes \(g^{\alpha _1}, g^{\alpha _2}\). \(\mathcal {B}\) chooses \(d+1\) points \(\theta _{0}, \theta _{1}, \ldots , \theta _{d}\) uniformly at random from \(\mathbb {Z}_p\), where \(\theta _{0}\) is a distinguished value not used in normal simulation. Then \(\mathcal {B}\) implicitly sets \(q(0) = 1\) and \(q(t_i) = \theta _{t_i}\), so that \(V(H(t_i)) = A_1^{q(t_i)} = g^{a \theta _{t_i}}\). \(\mathcal {B}\) also initializes two empty sets P and C and a counter \(n = 0\).

\(\mathcal {B}\) generates the initial puncture key as \(\textsf {PSK}_0 = (\textsf {PSK}_{01}, \textsf {PSK}_{02}, \textsf {PSK}_{03}, \textsf {PSK}_{04}) = (A_1^{\alpha _1 + r_1 + r_2}, V(H(t_0))^{r_1}, g^{r_1}, t_0)\), and the global key for user key generation \(\textsf {DK}= g^{\alpha _2 + r_2}\), with \(r_1, r_2 \in _R \mathbb {Z}_p\).

Phase 1. \(\mathcal {A}\) can repeatedly issue any of the following queries. We call \(\textsf {HU}\) the set of honest parties, including the user \(x^*\) that is assigned the target public key \(\textsf {pk}_{x^*}\), and \(\textsf {CU}\) the set of corrupt parties. Throughout the game, \(\mathcal {A}\)’s environment is simulated as follows:

  • Key-Generation: public keys of honest users \(x \in \textsf {HU}\backslash \{x^*\}\) and corrupt users \(x \in \textsf {CU}\) are defined as \(\textsf {pk}_x = g^{x}\) for a randomly chosen x in \(\mathbb {Z}_p\). In addition, user x generates \(\textsf {PSK}'_0\):

    $$\begin{aligned} \textsf {PSK}'_0 &= (\textsf {PSK}'_{01}, \textsf {PSK}'_{02}, \textsf {PSK}'_{03}, \textsf {PSK}'_{04}) = (A_1^{(\alpha _1 + r_1 - r_2) 1/x}, A_1^{\theta _0 r_1 1/x}, g^{r_1}, t_0). \end{aligned}$$

    The target user’s public key is set as \(A_1^{x^*} = g^{a}\), with

    $$\begin{aligned} \textsf {PSK}'_0 &= (\textsf {PSK}'_{01}, \textsf {PSK}'_{02}, \textsf {PSK}'_{03}, \textsf {PSK}'_{04}) = (g^{(\alpha _1 + r_1 - r_2)}, g^{\theta _0 r_1}, g^{r_1}, t_0). \end{aligned}$$

    For corrupt users \(x \in \textsf {CU}\), both the public key and the secret key are disclosed. To generate re-encryption keys from player x to player y, all re-encryption keys are computed as follows:

    • If \(x, y \ne x^*\): \(\textsf {R}_{x \leftarrow y} = g^{(\alpha _2 + r_2)y/x}\).

    • If \(y \ne x^*\): \(\textsf {R}_{x^* \leftarrow y} = A_{-1}^{(\alpha _2 + r_2) y}\) and \(\textsf {R}_{y \leftarrow x^*} = A_1^{(\alpha _2 + r_2)1/y}\).

  • Puncture(t): \(\mathcal {B}\) increments n, computes \(\textsf {PSK}_n = \textsf {Puncture}(\textsf {param}, \textsf {PSK}'_{n-1}, \textsf {TK}, t)\), and adds t to the set P. We consider the case in which Corrupt() is queried and \(\{t_1^*, \ldots , t_d^*\} \cap C = \emptyset \). \(\mathcal {B}\) chooses \(r', r_t, \lambda ' \in _R \mathbb {Z}_p\) at random and outputs:

    $$\begin{aligned} \textsf {PSK}''_{0} &= (\textsf {PSK}'_{01}\cdot (A_1^{r' - \lambda '})^{1/x}, \textsf {PSK}'_{02}\cdot (V(H(t_0))^{r'})^{1/x},\textsf {PSK}'_{03} \cdot g^{r'}, t_0)\\ &= (\textsf {PSK}'_{01}\cdot (A_1^{r' - \lambda '})^{1/x}, \textsf {PSK}'_{02}\cdot (A_1^{\theta _{0} r'})^{1/x}, \textsf {PSK}'_{03} \cdot g^{r'}, t_0),\\ \textsf {PSK}_{i} &= ((A_1^{\lambda '+ r_t})^{1/x}, (A_1^{\theta _t r_t})^{1/x}, g^{r_t}, t). \end{aligned}$$

  • Corrupt(): the first time the adversary issues this query, the challenger returns the most recent punctured key \(\textsf {PSK}_n\) to the adversary and sets \(C \leftarrow P\). All subsequent queries return \(\bot \).

  • First level decryption queries: \(\mathcal {A}\) may ask for the decryption of a first level ciphertext \(\textsf {CT}_1 = (\textsf {ct}_{10},\textsf {ct}_{11}, \textsf {ct}_{12}, \textsf {ct}'_{12}, \textsf {ct}''_{12}, \textsf {ct}'''_{12}, \textsf {ct}_{13}, \textsf {ct}_{14}, \textsf {ct}_{15_i}, \textsf {ct}_{16}, \sigma )\) under the public key \(g^y\). For such a request, \(\mathcal {B}\) returns ‘invalid’ if conditions (3)–(5) do not hold. We assume \(y \in \textsf {HU}\); since \(\mathcal {B}\) can decrypt using the known private key, \(\mathcal {B}\) decrypts \(\textsf {Dec}_{\textsf {sk}_y}(\textsf {Enc}_{\textsf {pk}_y}(\textsf {PSK}_i))\) to obtain \(\textsf {PSK}_i\). In the next step, let us first assume that \(\textsf {ct}_{10} = \textsf {ct}_{10}^* = svk^*\). If \((\textsf {ct}_{11},\textsf {ct}_{15_i},\textsf {ct}_{16}, \sigma ) \ne (\textsf {ct}^*_{11},\textsf {ct}^*_{15_i},\textsf {ct}^*_{16}, \sigma ^*)\), \(\mathcal {B}\) is presented with an occurrence of \(F_{\textsf {OTS}}\) and halts. If \((\textsf {ct}_{11},\textsf {ct}_{15_i},\textsf {ct}_{16}, \sigma ) = (\textsf {ct}^*_{11},\textsf {ct}^*_{15_i},\textsf {ct}^*_{16}, \sigma ^*)\), \(\mathcal {B}\) outputs \(\perp \), deeming \(\textsf {CT}_1\) a derivative of the challenge pair \((\textsf {CT}^*_1, x^*)\). We have to compute:

    $$\begin{aligned} &\textsf {ct}_{12} = A_1^{rs} = g^{ars},\quad \textsf {ct}'_{12} = g^{r},\quad \textsf {ct}''_{12} = g^{ark},\quad \textsf {ct}'''_{12} = g^{ak},\quad \textsf {ct}_{13}= (A_{-1})^{(\alpha _2 + r_2)y / k} = (g^{1/y})^{ (\alpha _2 + r_2) / k}, \\ &\textsf {ct}_{14} = A_1^{rsk} = g^{arsk},\quad \textsf {ct}_{15_i} = A_2^{\theta _i sr}, \end{aligned}$$

    for unknown exponents \(r,k \in _R \mathbb {Z}_p\). We reduce the computation of \(e(\textsf {ct}_{13}, \textsf {ct}_{14})\) to \(e(\textsf {DK}_y, g)^{rs}\), which simplifies the simulation in the next step. Now let \(\textsf {ct}_{10} \ne svk^*\). We assume that \(y = x^*\), so that \(\textsf {pk}_y = g^{a}\), since otherwise \(\mathcal {B}\) can decrypt directly using the known private key y. The validity of the ciphertext guarantees

    $$\begin{aligned} e(\textsf {ct}_{13}, \textsf {ct}_{14}) &= e(\textsf {DK}, g)^{ars},\\ \textsf {ct}_{16} = F(svk)^{rs} &= g^{\beta _1 a rs (svk - svk^*) (\alpha _1 + \alpha _2)} \cdot g^{a^{2}r \beta _2 (\alpha _1 + \alpha _2)}. \end{aligned}$$

    Then,

    $$\begin{aligned} A &= \prod \limits _{j = 0}^{i} \frac{e(\textsf {PSK}_{j1}, \textsf {ct}_{12})^{x^*}}{e(\textsf {PSK}_{j3}, \prod \limits _{k = 1}^{d} \textsf {ct}_{15,k}^{w_k}) \cdot e(\textsf {PSK}_{j2}, \textsf {ct}_{12}) ^{x^* w^*}}\\ &= \frac{e((g^{\alpha _1 + r_1 - r_2 + r' - \lambda '})^{1/x^*}, g^{ars})^{x^*}}{e(g^{r_1 + r'}, \prod \limits _{k = 1}^{d} (A_1^{\theta _0})^{rs w_k})\cdot e( g^{\theta _0 r_1 1/x},g^{ars} )^{x^* w^*}}\\ &\quad \cdots \frac{e(g^{\lambda ' + r_t},g^{ars})^{x^*}}{e(g^{r_t}, \prod \limits _{k = 1}^{d}V(H(t_k))^{w_k})\cdot e( g^{\theta _t r_1 1/x},g^{ars} )^{x^*w^*}} = e(g,g)^{a(\alpha _1 - r_2)r s}. \end{aligned}$$

    \(\mathcal {B}\) computes \(e(g,g)^{rs (\alpha _1 + \alpha _2)} = \bigg (\frac{e(\textsf {ct}_{16},A_{-1})}{A^{\beta _2} \cdot e(\textsf {ct}_{13}, \textsf {ct}_{14})^{\beta _2 / y(\alpha _2 + r_2)}}\bigg )^{\frac{1}{\beta _1(svk - svk^*)}}\) and recovers the plaintext \(m = \textsf {ct}_{11} / e(g,g)^{rs (\alpha _1 + \alpha _2)}\).

    • If \(e(\textsf {ct}_{13}, \textsf {ct}_{14}) = e(\textsf {ct}^*_{13}, \textsf {ct}^*_{14})\), \(\mathcal {B}\) returns \(\perp \), meaning that \(\textsf {CT}_1\) is simply a re-randomization of the challenge ciphertext.

    • Otherwise \((\textsf {ct}_{11},\textsf {ct}_{15_i},\textsf {ct}_{16}, \sigma ) \ne (\textsf {ct}^*_{11},\textsf {ct}^*_{15_i},\textsf {ct}^*_{16}, \sigma ^*)\), which is an occurrence of \(F_{\textsf {OTS}}\) and implies \(\mathcal {B}\)’s termination.

In the next phases, \(\mathcal {B}\) must check that m differs from the messages \(m_0, m_1\) involved in the challenge query. If \(m \in \{m_0, m_1\}\), \(\mathcal {B}\) returns \(\perp \) according to the \(\textsf {RCCA}\)-security rules.

Challenge. \(\mathcal {A}\) chooses messages \(m_0, m_1\). At this stage, \(\mathcal {B}\) flips a coin \(\mu ^* \in _R \{0,1\}\) and generates the challenge ciphertext \(\textsf {CT}^*_1\) as:

$$\begin{aligned} &\textsf {ct}^*_{10} = svk^*,\quad \textsf {ct}^*_{11} = m_{\mu ^*} \cdot T^{\alpha _1 + \alpha _2},\quad \textsf {ct}^*_{12} = B^{\gamma x^*},\quad \textsf {ct}'^*_{12} = A_1^{\gamma },\quad \textsf {ct}''^*_{12} = A_2^{\gamma k},\quad \textsf {ct}'''^*_{12} = A_1^{k},\\ &\textsf {ct}^*_{13} = A_{-1}^{k(\alpha _2 + r_2)},\quad \textsf {ct}^*_{14} = B^{k\gamma },\quad \textsf {ct}^*_{15_i} = B^{\theta _i\gamma },\quad \textsf {ct}^*_{16} = B^{\beta _2}, \end{aligned}$$

and \(\sigma ^* = \mathcal {S}(ssk^*, (\textsf {ct}^*_{11},\textsf {ct}^*_{14_i},\textsf {ct}^*_{15},\textsf {ct}^*_{16}))\). Here \(\textsf {pk}_x = g^{x^* a}\), \(B = g^b\), \(r = a\gamma \) and \(s = b/a^2\), where \(\gamma , k \in \mathbb {Z}_p\) are random.

Phase 2. This phase is identical to Phase 1 with the following restrictions: (1) Corrupt() returns \(\perp \) if \(\{t_1^*, \ldots , t_d^*\} \cap P = \emptyset \). (2) Decrypt\(_1\)(\(param, \textsf {sk}_{\textsf {A}}, \textsf {PSK}_i, \textsf {CT}_1, t_1, \ldots , t_d\)) returns \(\perp \) if \((\textsf {CT}_1, t_1, \ldots , t_d) \ne (\textsf {CT}^*_1, t^*_1, \ldots , t^*_d)\).

Guess. \(\textsf {CT}_1^*\) is a valid encryption of \(m_{\mu ^*}\) if \(T = e(g,g)^{b / a^2}\). In contrast, if T is random in \(\mathbb {G}_T\), \(\textsf {CT}_1^*\) perfectly hides \(m_{\mu ^*}\) and \(\mathcal {A}\) cannot guess \(\mu ^*\) with probability better than 1/2. When \(\mathcal {A}\) eventually outputs her result \(\mu ' \in \{0,1\}\), \(\mathcal {B}\) decides that \(T = e(g,g)^{b/a^2}\) if \(\mu ' = \mu ^*\), and that T is randomly chosen otherwise.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Phuong, T.V.X., Susilo, W., Kim, J., Yang, G., Liu, D. (2019). Puncturable Proxy Re-Encryption Supporting to Group Messaging Service. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11735. Springer, Cham. https://doi.org/10.1007/978-3-030-29959-0_11


  • DOI: https://doi.org/10.1007/978-3-030-29959-0_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-29958-3

  • Online ISBN: 978-3-030-29959-0
