ABSTRACT
This study presents a unidirectional proxy re-encryption scheme for group communication. In this study, a proxy is only allowed to convert ciphertext for Alice into ciphertext for Bob without revealing any information on plaintext or private key. It is suitable for the environment in which no mutual relationship exists and transitivity is not permitted. Finally, this study proves the proposed scheme secure against chosen ciphertext attack in standard model.
PDF Abstract XML References Citation
How to cite this article
DOI: 10.3923/itj.2009.83.88
URL: https://scialert.net/abstract/?doi=itj.2009.83.88
INTRODUCTION
Mambo and Okamoto (1997) introduced the technique for delegating decryption right. Later, Blaze et al. (1998) first presented the concept of proxy re-encryption scheme, which allows a proxy to transform a ciphertext under Alices public key into a ciphertext of the same message under Bobs private key. However, the proxy can not obtain anything about the plaintext or the private key used to decrypt the ciphertext.
From a functional point of view, proxy re-encryption schemes are divided into two categories: bidirectional and unidirectional (Ivan and Dodis, 2003). In a bidirectional scheme, the proxy secret key can be used to divert ciphertexts from Alice to Bob and vice versa. Obviously, a mutual trust relationship between Alice and Bob is needed, otherwise, some security problem will arise (Ateniese et al., 2005). For example, one of the crucial issues in bidirectional scheme is how to deal with transitivity, i.e., proxy alone has ability to create delegation rights between two entities that have never agreed on this. In a unidirectional scheme, the proxy secret key is allowed to be used to divert ciphertexts from Alice to Bob, whereas from Bob to Alice is not permitted. Currently, how to construct an efficient unidirectional proxy re-encryption scheme has been an open and interesting problem.
The proxy re-encryption scheme has many applications. For example, in traditional storage system (Blaze, 1993; Freeman and Miller, 2000), the Server who housing information sometimes just semi-trusted and some added means should be used to ensure its security. In 2005, Ateniese et al., 2005 designed an efficient and secure distributed storage system in which the proxy rencryption scheme is employed. There are some other applications, such as secure email forwarding and so on (Blaze et al., 1998; Canetti and Hohenberger, 2007).
To date, most of the researches of proxy re-encryption emphasize two entities communication. For example, a proxy transforms a ciphertext computed under Alices public key into one that can be opened by Bobs secret key. However, few literatures present approach to deal with proxy re-encryption for group communication. Group communication is a useful primitive for sharing message in a specifically group and has been widely used in unbalanced networks, for example, clusters of mobile devices (Phan et al., 2002). Ma et al. (2007a, b) designed an encryption scheme to ensure the privacy of the messages shared in the group. In the scheme, anyone can encrypt a message and distribute it to a designated group and any member in the designated group can decrypt the ciphertext. There exists proxy re-encrypted problem in two different groups. For example, due to the change of duty, some work managed by group A has been assigned to group B such that some encrypted documents sent to group A should be decrypted by group B. In such scenario, proxy re-encryption technique can be used to realize this transformation.
Ma et al. (2007a) proposed a group-based proxy re-encryption scheme, however it is bidirectional, i.e., the proxy using one secret key can divert ciphertext from group A to group B and vice versa. As a natural extension of this study presents a group-based unidirectional scheme which secure against chosen ciphertext attack in standard model. It is suitable for the scenario in which no mutual relationship exists and transitivity is not permitted (Ma et al., 2007b).
The notion of atomic proxy cryptography was presented by Blaze et al. (1998). It provides securer and more efficient way than usual to deal with the scenario in which a proxy decrypts a ciphertext using Alices private key and then encrypts the result using Bobs public key. They depict two examples: one for encryption and another for signature. However, the two examples presented in this study were proved to have low security guarantees. Their approach is only useful when the trust relationship between Alice and Bob is mutual and the transitivity is not harmful to the system. In addition, it is not suitable for group communication since the proxy has to preserve n re-encryption key for n group members.
Ivan and Dodis (2003) designed proxy encryption for ElGamal, RSA and an IBE scheme using secret sharing technique. In their ElGamal based scheme, Public Key Generator (PKG) generates encrypt key EK and decrypt key DK for each user and then DK is divided into two parts x1 and x2, which satisfy DK = x1+x2. Moreover, they designed unidirectional and bidirectional proxy encryption scheme. These secret-sharing schemes do not change ciphertexts for Alice into ciphertext for Bob in the purest sense, the delegate decryption by requiring Bob to store additional secret that maybe difficult for him to manage.
Following the work of Ivan and Dodis, Ateniese et al., 2005 presented an improved proxy re-encryption scheme and employed it in distributed storage system. In their re-encryption scheme, the proxy only preserves a discrete value to prevent the collude attack. The advantage of the method presented by Ivan and Dodis (2003) is that it is feasible to design a unidirectional proxy encryption. Whereas it is very difficult to extend the scheme to group communication since overload stems from the secret sharing technology. Thus why the scheme proposed by Ateniese et al. , (2005) is not very practical.
Canetti and Hohenberger, 2007 proposed a bidirectional proxy re-encryption scheme secure against chosen ciphertext attack in standard model. In their study, the bilinear pairing technology is used to design proxy re-encryption scheme. Although their approach is just suitable for two entities, some method can be used to design group communication.
Libert and Vergnaud (2008) proposed a proxy re-encryption scheme which comes from Canetti-Halevi-Katzs (Canetti et al., 2004) scheme and can be seen as a natural extension of the Canetti-Hohenberger definition to the unidirectional case. Their scheme is unidirectional, i.e., only allows the proxy to divert ciphertexts form Alice to Bob. However, some messages on Alice such as public key have been preserved in the ciphertext generated in the phase of ReEnc. An attacker maybe uses these messages to recognize the original recipient of the ciphertext. Furthermore, the scheme may be menaced by malleability.
There are some other re-encryption schemes, such as Jakobssons quorum controlled asymmetric proxy re-encryption (Jakobsson, 1999) and the identity-based scheme presented by Green and Ateniese (2007). There are some investigations on proxy signature schemes (MacKenzie and Reiter, 2001).
BACKGROUND
Preliminaries: Let G1 be a cyclic multiplicative group generated by g, whose order is a prime q and G2 be a cyclic multiplicative group of the same order q. Assume that the discrete logarithm in both G1 and G2 is intractable. A bilinear pairing is a map e: G1xG2 → G2 and satisfies the following properties:
• | Bilinear: e (ga, pb) = e (g, p)ab. For all g, p ∈ G1 and the equation holds |
• | Non-degenerate: There exists p ∈ G1, if e (g, p) = 1, then g = O |
• | Computable: For g, p ∈ G1, there is an efficient algorithm to compute e (g, p) |
Typically, the map e will be derived from either the Weil or Tate pairing on an elliptic curve over a finite field. Pairings and other parameters should be selected in proactive for efficiency and security (Boneh et al., 2001).
Complexity assumptions
Computational diffie-hellman assumption: Given ga and gb for some , compute gab ∈ G1. A (τ, ε)-CDH attacker in G1 is a probabilistic machine Ω running in time τ such that:
where, the probability is taken over the random values a and b. The CDH problem is (τ, ε)-intractable if there is no (τ, ε)-attacker in G1. The CDH assumption states that it is the case for all polynomial τ and any non-negligible ε.
Decisional bilinear Diffie-Hellman assumption (Boneh and Boyen, 2004): We say that an algorithm π that outputs b ∈ {0, 1} has advantage ε in solving the Decisional Bilinear Diffie-Hellman (DBDH) problem in G1 if:
where, the probability is over the random bit of π, the random choice of and the random choice of T ∈ G2. The DBDH problem is intractable if there is no attacker in G1 can solve the DBDH with non-negligible ε.
V-Decisional Diffie-Hellman assumption: An algorithm π that outputs b ∈ {0, 1} has advantage ε in solving the V-Decisional Diffie-Hellman (V-DDH) problem in G1 if:
where, the probability is over the random bit of π, the random choice of and the random choice of T ∈ G1. The V-DDH problem is intractable if there is no attacker in G1 can solve the V-DDH with non-negligible ε.
Security notions: The proposed unidirectional re-encryption scheme consists of five algorithms, namely KeyGen, ReKeyGen, Enc, ReEnc and Dec.
• | KeyGen (1λ): On input the security parameter, outputs the public key Ppub of each group and the corresponding private key ski for each member |
• | ReKeyGen (sk1, sk2): On input two private key sk1 and sk2, outputs a unidirectional re-encryption key |
• | Enc (Ppub, m). On input message m ∈ {0, 1}* and a public key Ppub, outputs a ciphertext C |
• | ReEnc (rk(1→2), C1): On input ciphertext C1 and the re-encryption key rk(1→2), outputs a ciphertext C2 or an error symbol ⊥ |
• | Dec (sk, C): On input ciphertext C and a private key sk, outputs the corresponding message m |
The indistinguishable chosen ciphertext attack (IND-CCA) presented by Goldwasser and Micali (1984) has been widely used to analyze the security of an encryption scheme. In this model, several queries are available to the attacker to model his capability. Subsequently, Rackhoff and Simon (1992) enhanced it and proposed adaptively chosen ciphertext attack (IND-CCA2). Since this notion is stronger, it is becoming a prevalent model in analyzing encryption scheme. Green and Ateniese (2007) enhanced the model and used it to discuss the security of proxy re-encryption scheme, then followed by Canetti and Hohenberger, 2007.
Here, we define adaptively chosen ciphertext security of the group-based unidirectional proxy re-encryption scheme. Compared to the model mentioned by Canetti and Hohenberger, 2007, we do not consider the case of group A or Bs corruption due to the properties of our key generation. Security is defined using the following game between an Attacker and Challenger.
Setup: The Challenger initializes the system and gives the Attacker the resulting system parameters and the public key Ppub. It keeps private key to itself
Query phase 1:
• | Decrypt queries: The attacker issues a query (ci1, ci2, ci3). The challenger outputs decrypt (ci1, ci2, ci3), otherwise outputs error symbol ⊥ |
• | Re-encrypt queries: The attacker issues a query (ci1, ci2, ci3) encrypted using the public key of group A. The challenger outputs re-encrypt (rk(A→B (ci1, ci2, ci3)). Obviously, the output is a ciphertext encrypted using the public key of group B |
The attacker is allowed to perform the query phase 1 several times.
Challenge: Once the attacker decides that query phase 1 is over, the Attacker outputs two equal length messages {M0, M1} to the challenger. Upon receiving the messages, the challenger chooses a random bit e ∈ {0, 1}, invokes encrypt (Pa, Me) and outputs as the answer.
Query phase 2: The Attacker continues to adaptively issue decrypt queries and re-encrypt queries. The Challenger responds as in the phase 1. These queries may be asked adaptively as in Query phase 1, but the query on is not permitted.
Guess: Finally, the Attacker outputs a guess for e ∈ {0, 1} and wins the game if e = e.
The encryption scheme is secure against chosen ciphertext attack, if the attacker has a negligible advantage to win the game.
THE PROPOSED UNIDIRECTIONAL PROXY RE-ENCRYPTION SCHEME
Assume that there exist two groups in present scheme, namely A and B. The function of the proxy is to transform ciphertext corresponding to the public key of group A into ciphertext for the public key of group B without revealing any information about the secret decryption keys or the clear text. It means that present proxy re-encryption is a unidirectional scheme. The proposed scheme consists of following steps.
Initialize: Let G1 be a cyclic multiplicative group generated by g, whose order is a prime q and G2 be a cyclic multiplicative group of the same order q. A bilinear pairing is a map: e: G2xG1→G2 that can be efficiently computed. PKG chooses and h ∈ G1 uniformly at random and then computes g1 = ga and g2 = gb. The master private keys are a and b and the master public keys are g1, g2 and h.
Key generation: PKG chooses uniformly at random as the tag of the group B. Using PB = gl as group Bs public key. The private key of the member pi ∈ B can be generated as follows:
• | PKG chooses uniformly at random |
• | Compute and output and |
The member pis private key is di = {di1, di2, di3}. This set of keys is used to decrypt re-encrypted ciphertext. In case pi is demanded to directly decrypt a ciphertext that sends to him without converted by the proxy, PKG should generate following set of private keys for him to complete this mission.
We have . Similarly, PKG chooses uniformly at random as the tag of the group A. Using PA = gk as group As public key. The members private key can be generated as pi ∈ B.
Encrypt: In order to encrypt a message M ∈ {0, 1}l for the group A, the sender (SEnc) first chooses uniformly at random and computes the ciphertext:
The ciphertext for message M is c = (c1, c2, c3). The sender SEnc sends the ciphertext to all the members in the group A by broadcast over Internet.
Re-encrypt: In order to transform the ciphertext to group B whose public key is PB = gl, PKG picks a random number and computes n2, such that n1+n2 = t. Thereafter, PKG generates three re-encrypt keys:
and sends these keys to proxy in a secure way. Then using the re-encrypt keys, the proxy performs the following computing:
The proxy sends the re-encrypted ciphertext to group B.
Decrypt: After receiving the re-encrypted message c = , the member pi ∈ B decrypts the ciphertext as follows:
• | Compute |
• | Compute |
In fact any member pi ∈ B can compute T correctly, since:
So, the member pi can obtain the plaintext .
In case pi ∈ B is demanded to directly decrypt a ciphertext that sender send to him, he should use private keys to decrypt it. To the ciphertext generated for group B, for example and the users pi decrypts the ciphertext as follows:
Then we have .
Note that the proxy with the re-encrypt keys can only convert ciphertext for group A into ciphertext for B as we have described earlier. In other words, the proxy can transform e (ga, gk).M into E (ga, gt)s.M that can be decrypted by group B. Obviously, it is impossible to transform e (ga, gl).M into E (ga, gk)s.M with the re-encrypt keys . Therefore, we say this scheme is a unidirectional scheme.
SECURITY
The security of the proposed unidirectional proxy re-encryption scheme in standard mode is described here. The measure used to prove present scheme comes from the study (Canetti and Hohenberger, 2007).
Lemma: Suppose the CDH assumption holds. Then given ga, gab, gac ∈ G1, computing gbc is intractable.
Proof: Assume that given ga, gab, gac ∈ G1, the attack Alice has ability to compute another gbc. Then we can design an algorithm to solve CDH problem. In other words, given gm, gn ∈ G1, the challenger Bob can compute gm.n by running Alice as a subroutine.
To the given gm, gn ∈ G1, Bob chooses a random number , computes gmt and gnt and then sends gt, gmt and gnt to Alice. With the assumption, Alice can output gm.n, then Bob can solve CDH problem.
Theorem: Suppose that the V-DDH is intractable. Then our proxy re-encryption scheme is secure against adaptively chosen ciphertext attack.
Proof: Assume that if the attacker Alice has ability to break the proposed encryption scheme via chosen ciphertext attack with non-negligible probability ε, then we can prove that there exists challenger Bob that can solve V-DDH problems with the same probability. In other words, given ga, gas, gak ∈ G1 and T ∈ G1 Bob can decide if T is equal to gsk with non-negligible probability by running Alice as a subroutine. The challenger Bob interacts with Alice by simulating Decrypt, Re-encrypt oracles.
Bob initializes the system, chooses random numbers . Let
Then Bob chooses a random number and publishes PA = gak and PB = gakα.
Query phase 1:
• | Decrypt queries: To every new query (c1, c2, c3), Bob computes and outputs as the answer |
• | Re-encrypt queries: To every new query (c1, c2, c3), Bob computes |
and sets and then outputs as the answer.
Since, are two random number, Alice can not distinguish the simulated answers from the actual results. Thereby, we say above simulation is perfect. Alice is allowed to perform decrypt and re-encrypt queries several times.
Challenge phase: When Alice decides Query phase 1 is over, she chooses two equal length messages M0, M1 and sends them to Bob. Bob chooses a random bit e ∈ {0, 1}, computes and outputs:
as the answer. The challenge phase can be performed only once.
Query phase 2: Alice continues to adaptively issue decrypt and re-encrypt queries. Bob responds as in the phase 1. However, the query on is not permitted.
Guess: Finally, Alice outputs a guess e ∈ {0, 1} for e. If e = e, then Bob decides T = gsk, otherwise Bob decides T ≠ gsk.
Obviously, above simulation is perfect. We say that Alice can break the proxy re-encryption scheme with non-negligible probability ε. It means that Alice can output correct e with probability ε. Then Bob can solve the V-DDH with same probability ε by running Alice as a subroutine.
CONCLUSION
Many proxy re-encryption schemes have been presented in recent few years. However, unidirectional scheme is still an open problem which is attracting much attention. In this study, we present a unidirectional proxy re-encryption scheme used for group communications. In our scheme, the proxy only has ability to divert the ciphertext for group A into ciphertext for group B. To the member in group A/B, he can independently decrypt the ciphertext for the group. Obviously, the performance of encryption in our proposed scheme is similarly to that of study (Canetti and Hohenberger, 2007) and it is crucial to the group communication since lots of members are involved in. Decryption operation is independently completed by each group member.
ACKNOWLEDGMENT
This study is supported by the National Natural Science Foundation of China (60862001).
REFERENCES
- Ateniese, G., K. Fu, M. Green and S. Honhenberger, 2005. Improved proxy re-encryption schemes with applications to secure distributed storage. Proceedings of the NDSS, February 3-4, 2005, The Internet Society, pp: 29-43.
Direct Link - Blaze, M., 1993. A cryptographic file system for Unix. Proceedings of the 1st ACM Conference on Communications and Computing Security, November 3-5, 1993, Virginia, USA., pp: 9-16.
Direct Link - Blaze, M., G. Bleumer and M. Strauss, 1998. Divertible protocols and atomic proxy cryptography. Adv. Cryptol. Eurocrypt'98, 1403: 127-144.
CrossRefDirect Link - Boneh, D. and X. Boyen, 2004. Efficient selective-ID secure identity based encryption without random oracles. Advances in cryptology Eurocrypt 2004. Lecture Notes Comput. Sci., 3027: 223-238.
CrossRefDirect Link - Canetti, R., S. Halevi and J. Katz, 2004. Chosen-ciphertext security from identity-based encryption. Proceedings of the UROCRYPTO 2004, May 2-6, 2004, Springer Berlin/Heidelberg, pp: 207-222.
CrossRefDirect Link - Freeman, W. and E. Miller, 2000. Design for a decentralized security system for network-attached storage. Proceedings of the 17th Symposium on Mass Storage Systems and Technologies, October 31-31, 2000, Computer Soc. Los. Alamitos, CA., USA., pp: 361-373.
Direct Link - Goldwasser, S. and S. Micali, 1984. Probabilistic encryption. J. Comput. Syst. Sci., 28: 270-299.
CrossRef - Green, M. and G. Ateniese, 2007. Identity-based proxy re-encryption. Proceedings of the ACNS, June 5-8, 2007, Springer Berlin/Heidelberg, pp: 288-306.
CrossRefDirect Link - Ivan, A. and Y. Dodis, 2003. Proxy cryptography revisited. Proceedings of the 10th Network and Distributed System Security Symposium, February 6-7, 2003, The Internet Society, pp: 1-20.
Direct Link - Jakobsson, M., 1999. On quorum controlled asymmetric proxy re-encryption. Proceedings of the 2nd International Workshop on Practice and Theory in Public Key Cryptography, March 1–3, Springer Berlin/Heidelberg, UK., ISBN: 3-540-65644-8, pp: 112-121.
Direct Link - Libert, B. and D. Vergnaud, 2008. Unidirectional chosen-ciphertext secure proxy re-encryption. Proceedings of the PKC 2008, March 9-12, 2008, Springer Berlin/Heidelberg, pp: 360-379.
Direct Link - Ma, C., Q. Mei and J. Li, 2007. Broadcast group-oriented encryption in group communication. J. Computat. Inform. Syst., 3: 63-71.
CrossRefDirect Link - MacKenzie, P. and M.K. Reiter, 2001. Two-party generation of DSA signature. Proceedings of the Advances in Cryptology-CRYPTO2001, August 19-23, 2001, Springer Berlin/Heidelberg, pp: 137-154.
Direct Link - Mambo, M. and E. Okamoto, 1997. Proxy cryptosystems: Delegation of the power to decrypt ciphertexts. IEICE Trans. Fund. Elect. Commun. Comput. Sci., E80-A/1: 54-63.
Direct Link - Phan, T., L. Huan and C. Dulan, 2002. Challenge: Integrating mobile wireless devices into the computational grid. Proceedings of the MobiCom, September 23-28, 2002, ACM New York, USA., pp: 271-278.
Direct Link - Rackhoff, C. and D.R. Simon, 1992. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. Lecture Notes Comput. Sci., 576: 434-444.
CrossRef