Abstract
This work envisions a new encryption primitive for many-to-many paradigms such as group messaging systems. Previously, puncturable encryption (PE) was introduced to provide forward security for asynchronous messaging services. However, existing PE schemes were proposed only for one-to-one communication and cause significant overhead in a group messaging system. In fact, group communication over PE can only be achieved by having the sender’s device encrypt a message once for each receiver, and that device usually has restricted resources, such as a mobile phone or a sensor device. Our new scheme enables a message server (i.e., a proxy) to re-encrypt ciphertexts of puncturable encryption, so that computationally heavy operations are delegated to the server, which has more powerful processors and a constant power source. We then propose a new Puncturable Proxy Re-Encryption (PPRE) scheme. The scheme is inspired by unidirectional proxy re-encryption (UPRE) and achieves forward secrecy through fine-grained revocation of decryption capability by integrating the PE scheme. This paper is the first to present a forward-secure PPRE for group messaging services. Our scheme is IND-CCA secure under the 3-weak Decision Bilinear Diffie-Hellman Inversion (3-wDBDHI) assumption.
A Proof of Theorem 2
Let \((g, A_{-1} = g^{1/a}, A_1 = g^a, A_2 = g^{a^2}, B = g^b, T)\) be a modified 3-wDBDHI instance. We build an algorithm \(\mathcal {B}\) that decides whether \(T = e(g,g)^{b/a^2}\) out of a successful RCCA adversary \(\mathcal {A}\).
In this proof, our simulator \(\mathcal {B}\) simply halts and outputs a random bit if \(F_{\textsf {OTS}}\) ever occurs. Let \(\textsf {CT}^*_1 = (svk^*,\textsf {ct}^*_{11}, \textsf {ct}^*_{12}, \textsf {ct}^*_{13}, \textsf {ct}^*_{14}, \textsf {ct}^*_{15_i}, \textsf {ct}^*_{16}, \sigma ^*)\) denote the challenge ciphertext at the first level received by \(\mathcal {A}\), and let \((t_1^*, \ldots , t_d^*)\) be the target set initially output by \(\mathcal {A}\).
Global setup phase. \(\mathcal {B}\) generates a one-time signature key pair \((ssk^*, svk^*) \leftarrow \mathcal {G}(\lambda )\) and provides \(\mathcal {A}\) with public parameters including \(w = A_1^{\beta _1}\) and \(v = A_1^{-\beta _1 svk^*} \cdot A_2^{\beta _2}\) for random \(\beta _1, \beta _2\) in \(\mathbb {Z}_p\). Observe that \(w\) and \(v\) define a hash function \(F(svk)= w^{svk} \cdot v = A_1^{\beta _1(svk - svk^*)}\cdot A_2^{\beta _2}\).
\(\mathcal {B}\) also selects \(\alpha _1, \alpha _2 \in \mathbb {Z}_p\) at random and computes \(g^{\alpha _1}, g^{\alpha _2}\). \(\mathcal {B}\) chooses \(d+1\) points \(\theta _{0}, \theta _{1}, \ldots , \theta _{d}\) uniformly at random from \(\mathbb {Z}_p\), where \(\theta _{0}\) is a distinguished value not used in the normal simulation. Then \(\mathcal {B}\) implicitly sets \(q(0) = 1\) and \(q(t_i) = \theta _{t_i}\), so that \(V(H(t_i)) = A_1^{q(t_i)} = g^{a \theta _{t_i}}\). \(\mathcal {B}\) also initializes two empty sets \(P, C\) and a counter \(\tau = 0\).
\(\mathcal {B}\) generates the initial puncture key as \(\textsf {PSK}_0 = (\textsf {PSK}_{01}, \textsf {PSK}_{02}, \textsf {PSK}_{03}, \textsf {PSK}_{04}) = (A_1^{\alpha _1 + r_1 + r_2}, V(H(t_0))^{r_1}, g^{r_1}, t_0)\), and the global key for user key generation \(\textsf {DK}= g^{\alpha _2 + r_2}\), with \(r_1, r_2 \in _R \mathbb {Z}_p\).
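As an added example (not code from the paper), the programmed hash \(F(svk) = w^{svk} \cdot v\) of the global setup is modelled in a plain prime-order subgroup of \(\mathbb{Z}_P^*\) (no pairing), with constructed toy parameters \(P = 107\), \(Q = 53\), \(g = 4\) and hypothetical exponents. It checks the identity \(F(svk) = A_1^{\beta_1(svk - svk^*)} \cdot A_2^{\beta_2}\) from the setup and, using \(s = b/a^2\) from the Challenge step, that \(F(svk^*)^s = B^{\beta_2}\), so the \(svk^*\) component of the challenge can be formed from \(B\) alone, without knowing \(a\).

```python
# Added example, not from the paper: the programmed one-time-signature hash
# F(svk) = w^svk * v from the global setup of the Theorem 2 simulation, modelled
# in a prime-order subgroup of Z_P^* (no pairing) with constructed toy parameters.

P = 107          # constructed safe prime, P = 2*Q + 1
Q = 53           # prime order of the subgroup generated by g
g = 4            # g = 2^2 mod P is a quadratic residue, hence of order Q


def make_instance(a, b):
    """The part of a (modified) 3-wDBDHI instance handed to the simulator.
    The simulator never learns a or b themselves."""
    return {
        "A_-1": pow(g, pow(a, -1, Q), P),   # g^{1/a}
        "A_1": pow(g, a, P),                # g^{a}
        "A_2": pow(g, a * a % Q, P),        # g^{a^2}
        "B": pow(g, b, P),                  # g^{b}
    }


def program_hash(inst, svk_star, beta1, beta2):
    """Simulator's w = A_1^{beta1} and v = A_1^{-beta1 svk*} * A_2^{beta2},
    computed from A_1 and A_2 only."""
    w = pow(inst["A_1"], beta1, P)
    v = pow(inst["A_1"], (-beta1 * svk_star) % Q, P) * pow(inst["A_2"], beta2, P) % P
    return w, v


def F(w, v, svk):
    """The public hash F(svk) = w^svk * v as seen by the adversary."""
    return pow(w, svk, P) * v % P


def expected_form(inst, svk, svk_star, beta1, beta2):
    """Right-hand side A_1^{beta1 (svk - svk*)} * A_2^{beta2} from the proof;
    at svk = svk* the A_1 factor vanishes and only A_2^{beta2} remains."""
    return pow(inst["A_1"], beta1 * (svk - svk_star) % Q, P) * pow(inst["A_2"], beta2, P) % P


def challenge_component(inst, w, v, svk_star, beta2, a, b):
    """Returns (F(svk*)^s, B^{beta2}) for s = b / a^2. The first value uses a and b
    only to check the identity; the simulator needs just the second."""
    s = b * pow(a * a % Q, -1, Q) % Q
    return pow(F(w, v, svk_star), s, P), pow(inst["B"], beta2, P)
```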
Phase 1. \(\mathcal {A}\) can repeatedly issue any of the following queries. We call \(\textsf {HU}\) the set of honest parties, including the user \(x^*\) that is assigned the target public key \(\textsf {pk}_{x^*}\), and \(\textsf {CU}\) the set of corrupt parties. Throughout the game, \(\mathcal {A}\)’s environment is simulated as follows:
- Key-Generation: public keys of honest users \(x \in \textsf {HU}\backslash \{x^*\}\) and corrupt users \(x \in \textsf {CU}\) are defined as \(\textsf {pk}_x = g^{x}\) for a randomly chosen \(x\) in \(\mathbb {Z}_p\). In addition, user \(x\) generates \(\textsf {PSK}'_0\):
$$\begin{aligned} \textsf {PSK}'_0= & {} (\textsf {PSK}'_{01}, \textsf {PSK}'_{02}, \textsf {PSK}'_{03}, \textsf {PSK}'_{04}) = (A_1^{(\alpha _1 + r_1 - r_2) 1/x}, A_1^{\theta _0 r_1 1/x}, g^{r_1}, t_0). \end{aligned}$$
The target user’s public key is set as \(A_1^{x^*} = g^{a}\), with
$$\begin{aligned} \textsf {PSK}'_0= & {} (\textsf {PSK}'_{01}, \textsf {PSK}'_{02}, \textsf {PSK}'_{03}, \textsf {PSK}'_{04}) = (g^{(\alpha _1 + r_1 - r_2)}, g^{\theta _0 r_1}, g^{r_1}, t_0). \end{aligned}$$
For corrupt users \(i \in \textsf {CU}\), the public key and secret key are both disclosed. To generate re-encryption keys from player \(x\) to player \(y\), all re-encryption keys are computed as follows:
  - If \(x, y \ne x^*\), \(\textsf {R}_{x \leftarrow y} = g^{(\alpha _2 + r_2)y/x}\).
  - If \(y \ne x^*\), \(\textsf {R}_{x^* \leftarrow y} = A_{-1}^{(\alpha _2 + r_2) y}\) and \(\textsf {R}_{y \leftarrow x^*} = A_1^{(\alpha _2 + r_2)1/y}\).
- Puncture: \(\mathcal {B}\) increments \(n\), computes \(\textsf {PSK}_n = \textsf {Puncture}(\textsf {param}, \textsf {PSK}'_{n-1}, \textsf {TK}, t)\), and adds \(t\) to the set \(P\). We consider the case where Corrupt() is queried and \(\{t_1^*, \ldots , t_d^*\} \cap C = \emptyset \). \(\mathcal {B}\) chooses \(r', r_t, \lambda ' \in \mathbb {Z}_p\) at random and outputs the following:
$$\begin{aligned} \textsf {PSK}''_{0}= & {} (\textsf {PSK}'_{01}\cdot (A_1^{r' - \lambda '})^{1/x}, \textsf {PSK}'_{02}\cdot (V(H(t_0))^{r'})^{1/x},\textsf {PSK}'_{03} \cdot g^{r'}, t_0)\\= & {} (\textsf {PSK}'_{01}\cdot (A_1^{r' - \lambda '})^{1/x}, \textsf {PSK}'_{02}\cdot (A_1^{\theta _{0} r'})^{1/x}, \textsf {PSK}'_{03} \cdot g^{r'}, t_0),\\ \textsf {PSK}_{i}= & {} ((A_1^{\lambda '+ r_t})^{1/x}, (A_1^{\theta _t r_t})^{1/x}, g^{r_t}, t). \end{aligned}$$
- Corrupt(): the first time the adversary issues this query, the challenger returns the most recent punctured key \(\textsf {PSK}_n\) to the adversary and sets \(C \leftarrow P\). All subsequent queries return \(\bot \).
- First level decryption queries: \(\mathcal {A}\) may ask for the decryption of a first level ciphertext \(\textsf {CT}_1 = (\textsf {ct}_{10},\textsf {ct}_{11}, \textsf {ct}_{12}, \textsf {ct}'_{12}, \textsf {ct}''_{12}, \textsf {ct}'''_{12}, \textsf {ct}_{13}, \textsf {ct}_{14}, \textsf {ct}_{15_i}, \textsf {ct}_{16}, \sigma )\) under the public key \(g^x\). For such a request, \(\mathcal {B}\) returns ‘invalid’ if conditions (3)–(5) do not hold. We assume \(y \in \textsf {HU}\), since otherwise \(\mathcal {B}\) can decrypt using the known private key; \(\mathcal {B}\) then decrypts \(\textsf {Dec}_{\textsf {sk}_y}(\textsf {Enc}_{\textsf {pk}_y}(\textsf {PSK}_i))\) to obtain \(\textsf {PSK}_i\). In the next step, let us first assume that \(\textsf {ct}_{10} = \textsf {ct}_{10}^* = svk^*\). If \((\textsf {ct}_{11},\textsf {ct}_{15_i},\textsf {ct}_{16}, \sigma ) \ne (\textsf {ct}^*_{11},\textsf {ct}^*_{15_i},\textsf {ct}^*_{16}, \sigma ^*)\), \(\mathcal {B}\) is faced with an occurrence of \(F_{\textsf {OTS}}\) and halts. If \((\textsf {ct}_{11},\textsf {ct}_{15_i},\textsf {ct}_{16}, \sigma ) = (\textsf {ct}^*_{11},\textsf {ct}^*_{15_i},\textsf {ct}^*_{16}, \sigma ^*)\), \(\mathcal {B}\) outputs \(\perp \), which deems \(\textsf {CT}_1\) a derivative of the challenge pair \((\textsf {CT}^*, x^*)\). We have to compute:
$$\begin{aligned}&\textsf {ct}_{12} = A_1^{rs} = g^{ars},\textsf {ct}'_{12} = g^{r}, \textsf {ct}''_{12} = g^{ark}, \textsf {ct}'''_{12} = g^{ak},\textsf {ct}_{13}= (A_{-1})^{(\alpha _2 + r_2)y / k} \\&= (g^{1/y})^{ (\alpha _2 + r_2) / k}, \textsf {ct}_{14} = A_1^{rsk} = g^{arsk}, \textsf {ct}_{15_i} = A_2^{\theta _isr}, \end{aligned}$$
for unknown exponents \(r,k \in _R \mathbb {Z}_p\). We note that \(e(\textsf {ct}_{13}, \textsf {ct}_{14})\) equals \(e(\textsf {DK}_y, g)^{rs}\), which makes the simulation in the next step convenient. Now let \(\textsf {ct}_{10} \ne svk^*\). We assume that \(y = x^*\), so that \(\textsf {pk}_y = g^{a}\), since otherwise \(\mathcal {B}\) can decrypt using the known private key of \(y\). The validity of the ciphertext guarantees
$$\begin{aligned} e(\textsf {ct}_{13}, \textsf {ct}_{14})= & {} e(\textsf {DK}, g)^{ars},\\ \textsf {ct}_{16} = F(svk)^{rs}= & {} g^{\beta _1 a rs (svk - svk^*) (\alpha _1 + \alpha _2)} \cdot g^{a^{2}r \beta _2 (\alpha _1 + \alpha _2)}. \end{aligned}$$
Then,
$$\begin{aligned} A= & {} \prod \limits _{j = 0}^{i} \frac{e(\textsf {PSK}_{j1}, \textsf {ct}_{12})^{x^*}}{e(\textsf {PSK}_{j3}, \prod \limits _{k = 1}^{d} \textsf {ct}_{15,k}^{w_k}) \cdot e(\textsf {PSK}_{j2}, \textsf {ct}_{12}) ^{x^* w^*}}\\= & {} \frac{e((g^{\alpha _1 + r_1 - r_2 + r' - \lambda '})^{1/x^*}, g^{ars})^{x^*}}{e(g^{r_1 + r'}, \prod \limits _{k = 1}^{d} (A_1^{\theta _0})^{rs w_k})\cdot e( g^{\theta _0 r_1 1/x},g^{ars} )^{x^* w^*}}\\&\cdots \frac{e(g^{\lambda ' + r_t},g^{ars})^{x^*}}{e(g^{r_t}, \prod \limits _{k = 1}^{d}V(H(t_k))^{w_k})\cdot e( g^{\theta _t r_1 1/x},g^{ars} )^{x^*w^*}} = e(g,g)^{a(\alpha _1 - r_2)r s}. \end{aligned}$$
\(\mathcal {B}\) computes \(e(g,g)^{rs (\alpha _1 + \alpha _2)} = \bigg (\frac{e(\textsf {ct}_{16},A_{-1})}{A^{\beta _2} \cdot e(\textsf {ct}_{13}, \textsf {ct}_{14})^{\beta _2 / y(\alpha _2 + r_2)}}\bigg )^{\frac{1}{\beta _1(svk - svk^*)}}\), and recovers the plaintext \(m = \textsf {ct}_{11} / e(g,g)^{rs (\alpha _1 + \alpha _2)}\).
  - If \(e(\textsf {ct}_{13}, \textsf {ct}_{14}) = e(\textsf {ct}^*_{13}, \textsf {ct}^*_{14})\), \(\mathcal {B}\) returns \(\perp \), meaning that \(\textsf {CT}_1\) is simply a re-randomization of the challenge ciphertext.
  - We require \((\textsf {ct}_{11},\textsf {ct}_{15_i},\textsf {ct}_{16}, \sigma ) \ne (\textsf {ct}^*_{11},\textsf {ct}^*_{15_i},\textsf {ct}^*_{16}, \sigma ^*)\); equality is an occurrence of \(F_{\textsf {OTS}}\) and implies \(\mathcal {B}\)’s termination.
  - In the next phases, \(\mathcal {B}\) must check that \(m\) differs from the messages \(m_0, m_1\) involved in the challenge query. If \(m \in \{m_0, m_1\}\), \(\mathcal {B}\) returns \(\perp \) according to the \(\textsf {RCCA}\)-security rules.
Challenge. \(\mathcal {A}\) chooses messages \(m_0, m_1\). At this stage, \(\mathcal {B}\) flips a coin \(\mu ^* \in _R \{0,1\}\) and generates the challenge ciphertext \(\textsf {CT}^*_1\) as:
and \(\sigma ^* = \mathcal {S}(ssk^*, (\textsf {ct}^*_{11},\textsf {ct}^*_{14_i},\textsf {ct}^*_{15},\textsf {ct}^*_{16}))\), with \(\textsf {pk}_x = g^{x^* a}\), \(B = g^b\), \(r = a\gamma \), \(s = b/a^2\), and random \(\gamma , k \in \mathbb {Z}_p\).
Phase 2. This phase is identical to Phase 1 with the following restrictions: (1) Corrupt() returns \(\perp \) if \(\{t_1^*, \ldots , t_d^*\} \cap P = \emptyset \). (2) Decrypt\(_1\)(\(param, \textsf {sk}_{\textsf {A}}, \textsf {PSK}_i, \textsf {CT}_1, t_1, \ldots , t_d\)) returns \(\perp \) if \((\textsf {CT}_1, t_1, \ldots , t_d) \ne (\textsf {CT}^*_1, t^*_1, \ldots , t^*_d)\).
Guess. \(\textsf {CT}_1^*\) is a valid encryption of \(m_{\mu ^*}\) if \(T = e(g,g)^{b / a^2}\). In contrast, if \(T\) is random in \(\mathbb {G}_T\), \(\textsf {CT}_1^*\) perfectly hides \(m_{\mu ^*}\) and \(\mathcal {A}\) cannot guess \(\mu ^*\) with probability better than \(1/2\). When \(\mathcal {A}\) eventually outputs her result \(\mu ' \in \{0,1\}\), \(\mathcal {B}\) decides that \(T = e(g,g)^{b/a^2}\) if \(\mu ' = \mu ^*\), and that \(T\) is randomly chosen otherwise.
© 2019 Springer Nature Switzerland AG
Phuong, T.V.X., Susilo, W., Kim, J., Yang, G., Liu, D. (2019). Puncturable Proxy Re-Encryption Supporting to Group Messaging Service. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11735. Springer, Cham. https://doi.org/10.1007/978-3-030-29959-0_11
DOI: https://doi.org/10.1007/978-3-030-29959-0_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29958-3
Online ISBN: 978-3-030-29959-0