

Computer Standards & Interfaces 34 (2012) 380–389

Contents lists available at SciVerse ScienceDirect

Computer Standards & Interfaces

journal homepage: www.elsevier.com/locate/csi

Hierarchical conditional proxy re-encryption

Liming Fang a, Willy Susilo b,⁎, Chunpeng Ge a, Jiandong Wang a

a College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing, China
b Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Australia

⁎ Corresponding author. E-mail addresses: [email protected] (L. Fang), [email protected] (W. Susilo).

0920-5489/$ – see front matter © 2012 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2012.01.002

Article info

Article history: Received 2 September 2010; Received in revised form 21 October 2011; Accepted 2 January 2012; Available online 11 January 2012

Keywords: Proxy re-encryption; Hierarchical conditional proxy re-encryption; Chosen-ciphertext security

Abstract

In this paper, we introduce a new primitive called hierarchical conditional proxy re-encryption (HC-PRE) that enhances the concept of C-PRE by allowing more general re-encryption key delegation patterns. A hierarchical conditional proxy re-encryption (HC-PRE) scheme is the hierarchical extension of conditional proxy re-encryption (C-PRE) where the condition is a vector of keywords. We present an efficient construction of a hierarchical key derivation C-PRE scheme where the ciphertext length is independent of the depth of the hierarchy. We further extend our work by presenting a more generalized key delegation, by allowing the use of a wildcard in the keyword vector.

© 2012 Elsevier B.V. All rights reserved.

1. Introduction

The notion of a proxy re-encryption (PRE) scheme was put forth by Blaze, Bleumer, and Strauss [4]. The goal of such a system is to securely enable a proxy to re-encrypt a ciphertext under a delegator's public key and designate it to a delegatee without relying on any trusted parties. The notion of PRE has been found very useful in many applications, such as law enforcement, cryptographic operations in storage-limited devices and email forwarding. For example, users can assign their email server as the proxy such that it can re-encrypt the emails to allow different users to open them without the need to know the contents of the email.

A proxy in a traditional PRE system is too powerful, as it has the ability to encrypt all of the user's (such as Alice's) emails to another user (such as Bob). In a corporate email forwarding scenario, instead of converting all ciphertexts (which are the encrypted emails), Alice may only want the proxy to convert the ciphertexts with a certain keyword. In particular, for example when Alice is away on holiday, she only wants Bob to read emails with the keyword “business” that will require her urgent attention, instead of reading all of her emails. To fill this gap, Weng et al. [22] presented the notion of conditional proxy re-encryption (C-PRE), whereby only ciphertexts satisfying a certain keyword condition set by Alice can be transformed by the proxy.

Although C-PRE is useful in many applications, we found that sometimes we need more than its basic features (to be discussed further later). Furthermore, there remain some important issues to consider, as follows.

- (Re-delegation.) Suppose a proxy Charlie has the re-encryption key under the keyword “Subject: finance”. It means that Charlie can re-encrypt any encrypted emails that Alice receives which have the keyword “Subject: finance”. Suppose Charlie is away in July and he would like to re-delegate the re-encryption rights under the keyword vector “Date: July” and “Subject: finance” to another proxy, David. Then Charlie will be required to derive a re-encryption key with a keyword vector $W'$ = (“Date: July”, “Subject: finance”) from the re-encryption key with the keyword vector $W$ = (“Subject: finance”) that he acquired originally from Alice. Hence, the re-delegation will require a C-PRE scheme that supports re-delegation from a keyword vector $W$ to $W'$, where $W \succeq W'$.

- (Conjunctive Delegation.) Traditional C-PRE schemes only allow the proxy to re-encrypt the ciphertexts that match a certain keyword, but do not allow for boolean combinations of several keywords. For example, we define an email to have the following keyword fields: “From”, “Date”, “Importance”, and “Subject”. Suppose Alice will be away, and she wants a proxy to re-encrypt any important emails. Rather than re-encrypting all emails, Alice might only want those emails that are marked “From: Bob” with “Date: July”, “Importance: High” and pertain to “Subject: finance”. It is unfortunate that the traditional C-PRE cannot be used to solve this case. In this scenario, the ability to re-encrypt on the conjunction of the keywords “Bob”, “July”, “High” and “finance” is required. Furthermore, Weng et al. [22] also left an open problem on how to construct CCA-secure C-PRE schemes supporting “OR” and “AND” gates over conditions. A possible approach is to define a meta-keyword for every possible conjunction of keywords. Like regular keywords, these meta-keywords can be associated with a ciphertext. For example, an email that contains the keywords “Bob”, “July”, “High” and “finance” may be augmented with the meta-keyword “Bob:July:High:finance”. The obvious drawback of this approach is that an email that contains $m$ keywords requires an additional $2^m$ meta-keywords to allow all possible conjunctive re-encryption keys.

1.1. Our contributions

In this paper, we introduce a new primitive called hierarchical conditional proxy re-encryption (HC-PRE) that enhances the concept of C-PRE by allowing more general re-encryption key delegation patterns. An HC-PRE scheme is the hierarchical extension of C-PRE where the condition is a vector of keywords. The re-encryption keys for a proxy with keyword vector length $k$ can derive re-encryption keys for their children, i.e. with length $k+1$. We formalize the HC-PRE security model by incorporating the advantages of the previous C-PRE schemes. We also define the first level and second level ciphertext security for HC-PRE.

One may think that HC-PRE can be trivially obtained from a CCA secure C-PRE scheme. Unfortunately, this is not trivial to do, due to the collusion problem. To illustrate this, we will demonstrate that Weng et al.'s C-PRE scheme (which is CCA secure) cannot be converted trivially to HC-PRE. This is because the keyword $(H_2(pk_i,w))^{-sk_i}$ in the re-encryption key $(H_2(pk_i,w)\,pk_j^{s})^{-sk_i}$ in Weng et al.'s scheme is not equipped with any random value, and hence a collusion attack can be mounted when an HC-PRE scheme is constructed this way. Furthermore, adding a random value to the existing scheme is not a trivial task either.

Subsequently, we present an efficient construction of a hierarchical conditional proxy re-encryption (HC-PRE) scheme. Our efficient construction has several advantages over previous such systems, including:

- (Re-delegation.) The re-encryption keys for the proxy with keyword vector length $k$ can derive re-encryption keys for their children, which are of length $k+1$.

- (Constant Size Ciphertext.) Two level ciphertexts produced by our scheme are independent of the keyword vector length. In our first HC-PRE scheme, the second level ciphertext contains only five elements. The first level ciphertext contains only three elements and decryption requires only one bilinear map computation.

- (Chosen-Ciphertext Security.) Our scheme achieves chosen-ciphertext security on the first and second level ciphertext security.

Finally, we also extend our hierarchical conditional proxy re-encryption scheme to achieve a more generalized key delegation by allowing more general re-encryption key delegation patterns. That means a re-encryption key is derived for a keyword vector where entries can be left blank using a wildcard. This re-encryption key can then be used to derive re-encryption keys for any pattern that replaces wildcards with concrete keyword strings.

1.2. Related work

The concept of PRE was proposed by Blaze et al. [4]. PRE can be categorized into bidirectional PRE and unidirectional PRE. In a bidirectional PRE, the proxy can transform from a delegator to a delegatee and vice versa. In contrast, the proxy in unidirectional PRE cannot transform ciphertexts in the opposite direction. PRE can also be categorized into single-hop and multi-hop. Single-hop means that a re-encrypted ciphertext cannot be further re-encrypted. In contrast, multi-hop means that a ciphertext can be re-encrypted several times. In 2005, Ateniese et al. [1] demonstrated how to construct unidirectional schemes using bilinear maps and simultaneously prevent proxies from colluding with delegatees in order to expose the delegator's secret key. Since then, many PRE schemes have been presented using pairings [8,15,9,17,24]. Since a PKI-based setting requires distributing public key certificates, the work [15,9] extended the above notion to identity-based proxy re-encryption (IB-PRE). Since pairing computations are very costly, the subsequent work [12,19,11,16] studied the construction of PRE schemes without bilinear pairings, which is particularly useful in resource-limited environments.

Weng et al. [22] introduced the notion of conditional proxy re-encryption (or C-PRE), whereby only ciphertexts satisfying one condition set by Alice can be transformed by the proxy and then decrypted by Bob. They also proposed a CCA secure C-PRE scheme in the random oracle model. Unfortunately, Weng et al. [23] showed that Weng et al.'s C-PRE scheme [22] fails to achieve CCA security, and subsequently they proposed a more efficient CCA secure C-PRE scheme, and proved its chosen ciphertext security under the decisional bilinear Diffie-Hellman (DBDH) assumption in the random oracle model. Similarly, in the full version of their paper in PKC 08, Libert and Vergnaud [17] introduced a PRE scheme to provide warrant-based and keyword-based delegations. Tang et al. [20] also introduced type-based proxy re-encryption. Recently, Chu et al. introduced a conditional proxy broadcast re-encryption [10], in which the proxy can delegate decryption rights to a set of users at a time. Since the conditions in the previous C-PRE are not anonymous, based on PRE and PEKS (public key encryption with keyword search [3,7,18,25]), Fang et al. [14] presented a replayable CCA secure anonymous conditional proxy re-encryption scheme without requiring random oracles. Vivek et al. [21] proposed an efficient C-PRE scheme which uses substantially fewer bilinear pairings compared to Weng et al.'s scheme [23]. Nevertheless, the security notions in [21] only considered the second level ciphertext security, and hence do not address the first level ciphertext (original ciphertext) security, and therefore are deemed to be incomplete. Furthermore, in Vivek et al.'s definition, the proxy requires two key pairs (i.e., the partial re-encryption key and the condition key) to perform the transformation, and the drawback is that the condition key $ck_{i^*,w^*}$ is the same for different delegatees when the delegator is the same. Thus, the adversary can combine the condition key $ck_{i^*,w^*}$ and the re-encryption key $rk_{i^*,j}$ with $pk_j$ to attack the C-PRE scheme, and that is the reason why they prohibit this query. Hence, we consider that this approach is rather unnatural in practice.

1.3. Paper organization

The rest of this paper is organized as follows. In Section 2, we will provide the definitions and complexity assumptions that will be used throughout this paper, together with the security model of hierarchical C-PRE schemes. In Section 3, we present our hierarchical C-PRE in the random oracle model. In Section 4, we extend our HC-PRE scheme to achieve a more generalized key delegation. In Section 5, we provide some applications for HC-PRE schemes. Finally, Section 6 concludes the paper.

2. Definitions

In this section, we first review the complexity assumptions required in our schemes, and then provide the definition and security of a hierarchical conditional proxy re-encryption scheme.

2.1. Negligible function

A function $\epsilon(n): \mathbb{N} \mapsto \mathbb{R}$ is negligible in $n$ if $1/\epsilon(n)$ is a non-polynomially-bounded quantity in $n$.

2.2. Bilinear maps

Let $G_1$ and $G_2$ be multiplicative cyclic groups of prime order $p$, and $g$ be a generator of $G_1$. We say $e: G_1 \times G_1 \to G_2$ is a bilinear map [5] if the following conditions hold.

1. $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$ for all $a, b \in \mathbb{Z}_p$ and $g_1, g_2 \in G_1$.
2. $e(g,g) \neq 1$.
3. There is an efficient algorithm to compute $e(g_1, g_2)$ for all $g_1, g_2 \in G_1$.

2.3. The DBDH assumption

Let $e: G_1 \times G_1 \to G_2$ be a bilinear map. We define the advantage function $Adv^{DBDH}_{G_1,\mathcal{B}}$ of an adversary $\mathcal{B}$ as

$$\left| \Pr\left[\mathcal{B}\left(g, g^a, g^b, g^c, e(g,g)^{abc}\right) = 1\right] - \Pr\left[\mathcal{B}\left(g, g^a, g^b, g^c, g^r\right) = 1\right] \right|$$

where $a, b, c, r \in \mathbb{Z}_p$ are randomly chosen. We say that the decisional bilinear Diffie-Hellman assumption [5] relative to generator $G_1$ holds if $Adv^{DBDH}_{G_1,\mathcal{B}}$ is negligible for all PPT $\mathcal{B}$.

2.4. The bilinear Diffie-Hellman Exponent (BDHE) Assumption

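Let $e: G_1 \times G_1 \to G_2$ be a bilinear map. In the $(L+1)$-BDHE assumption, $g$, $h$, and $g^{\alpha^i}$ in $G_1$ for $i = 1, 2, \ldots, L, L+2, \ldots, 2L$ are given as input. As a shorthand, let $y_i = g^{\alpha^i}$. We define the advantage function $Adv^{(L+1)\text{-}BDHE}_{G_1,\mathcal{B}}(\lambda)$ of an adversary $\mathcal{B}$ as

$$\left| \Pr\left[\mathcal{B}\left(g, h, y_1, \cdots, y_L, y_{L+2}, \cdots, y_{2L}, e(g,h)^{\alpha^{L+1}}\right) = 1\right] - \Pr\left[\mathcal{B}\left(g, h, y_1, \cdots, y_L, y_{L+2}, \cdots, y_{2L}, e(g,h)^{r}\right) = 1\right] \right|$$

where $g, h \in G_1$ and $\alpha, r \in \mathbb{Z}_p$ are randomly chosen. We say that the decisional $(L+1)$-BDHE assumption [5,6] relative to generator $G_1$ holds if $Adv^{(L+1)\text{-}BDHE}_{G_1,\mathcal{B}}(\lambda)$ is negligible for all $\mathcal{B}$.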

2.5. Hierarchical conditional proxy re-encryption

In the following, we will provide the definition of a hierarchical conditional proxy re-encryption scheme and the game-based security definition.

Definition 1 (hierarchical conditional proxy re-encryption). A (single hop) hierarchical conditional proxy re-encryption scheme [22] comprises the following algorithms:

- GlobalSetup($\lambda$): The GlobalSetup algorithm is run by a trusted party and takes as input a security parameter $\lambda$. It generates the global parameters $GP$.

- KeyGen($i$): The key generation algorithm generates the public key $pk_i$ and the secret key $sk_i$ for user $i$.

- RKeyGen($sk_i, W, sk_j$): The re-encryption key generation algorithm takes as input a secret key $sk_i$, a conditional keyword vector $W = (w_1, w_2, \ldots, w_k)$ and another secret key $sk_j$. It outputs a re-encryption key $rk_{i,W,j}$.
  Hierarchical key derivation: There is a partial order $\succeq$ defined on the keyword vector. The idea is that given the key $rk_{i,W,j}$ there is a delegation algorithm that can be used to generate the key $rk_{i,W',j}$ whenever $W \succeq W'$. In hierarchical C-PRE, we say that $W \succeq W'$ if and only if $W = (w_1, w_2, \ldots, w_k)$ and $W' = (w_1, w_2, \ldots, w_k, w_{k+1})$. Given the re-encryption key $rk_{i,W_k,j}$ of the parent conditional keyword vector $W_k = (w_1, w_2, \ldots, w_k)$ at length $k$, it can output the re-encryption key $rk_{i,W_{k+1},j}$ for conditional keyword vector $W_{k+1} = (w_1, w_2, \ldots, w_k, w_{k+1})$.

- Enc1($pk, m$): The level 1 encryption algorithm takes as input a public key $pk$ and a plaintext $m \in \mathcal{M}$. It outputs a first level ciphertext $CT$ under public key $pk$. Here $\mathcal{M}$ denotes the message space.

- Enc2($pk, m, W$): The level 2 encryption algorithm takes as input a public key $pk$, a plaintext $m \in \mathcal{M}$ and a conditional keyword vector $W = (w_1, w_2, \ldots, w_k)$. It outputs a second level ciphertext $CT$ associated with $W$ under public key $pk$.

- ReEnc($CT_i, rk_{i,W,j}$): The re-encryption algorithm, run by the proxy, takes as input a second level ciphertext $CT_i$ associated with $W$ under public key $pk_i$ and a re-encryption key $rk_{i,W,j}$. It outputs a first level ciphertext (level 1) $CT_j$ under public key $pk_j$, or an error symbol $\perp$.

- Dec1($CT_j, sk_j$): The level 1 decryption algorithm takes as input a secret key $sk_j$ and a first level ciphertext $CT_j$ under public key $pk_j$. It outputs a message $m \in \mathcal{M}$ or an error symbol $\perp$.

- Dec2($CT_i, sk_i$): The level 2 decryption algorithm takes as input a secret key $sk_i$ and a second level ciphertext $CT_i$. It outputs a message $m \in \mathcal{M}$ or an error symbol $\perp$.

Note that we omit the global parameters $GP$ as the other algorithms' input for simplicity. The correctness of HC-PRE means that a correctly generated ciphertext can be correctly decrypted by the user who has the correct secret key, i.e., for any conditional keyword vector $W = (w_1, w_2, \ldots, w_k)$, any message $m$, any $(pk_i, sk_i) \leftarrow$ KeyGen($i$), $(pk_j, sk_j) \leftarrow$ KeyGen($j$), and $CT_i$ = Enc2($pk_i, m, W$),

$$\Pr\left[\mathrm{Dec2}(CT_i, sk_i) = m\right] = 1$$

and

$$\Pr\left[\mathrm{Dec1}\left(\mathrm{ReEnc}\left(CT_i, \mathrm{RKeyGen}(sk_i, W, sk_j)\right), sk_j\right) = m\right] = 1.$$

In the following, we will provide the game-based security definition of HC-PRE. Our definition considers a challenger that produces a number of public keys. As in [17], we let the corrupted users, the honest users, the target public key $pk_{i^*}$ and the target keyword vector $W^* = (w_1^*, w_2^*, \ldots, w_n^*)$ of length $n$ be determined at the beginning of the game. Additionally, we allow the adversary to adaptively query a re-encryption oracle and decryption oracles.

Definition 2 (HC-PRE-IND-CCA game). Let $\lambda$ be the security parameter and $\mathcal{A}$ be the adversary. We consider the following two games.

Game 1: (IND-L2-CCA game: Security of level 2 ciphertexts.)

1. Setup: The challenger $\mathcal{C}$ performs GlobalSetup($\lambda$) to get the public parameter $GP$, and gives the global parameter $GP$ to $\mathcal{A}$.

2. Query phase 1. $\mathcal{A}$ makes the following queries:
   - Uncorrupted key generation query $\langle i \rangle$: $\mathcal{C}$ first runs algorithm KeyGen($i$) to obtain a public/secret key pair $(pk_i, sk_i)$, and then sends $pk_i$ to $\mathcal{A}$.
   - Corrupted key generation query $\langle j \rangle$: $\mathcal{C}$ first runs algorithm KeyGen($j$) to obtain a public/secret key pair $(pk_j, sk_j)$, and then sends $(pk_j, sk_j)$ to $\mathcal{A}$.
   - Re-encryption key query $\langle pk_i, W, pk_j \rangle$: $\mathcal{C}$ runs algorithm RKeyGen($sk_i, W, sk_j$) to generate a re-encryption key $rk_{i,W,j}$ and returns it to $\mathcal{A}$. Here, $sk_i$ is the secret key with respect to $pk_i$. It is required that $pk_i$ and $pk_j$ have been generated beforehand by algorithm KeyGen.
   - Re-encryption query $\langle pk_i, pk_j, (W, CT_i) \rangle$: $\mathcal{C}$ runs algorithm

     $$CT_j = \mathrm{ReEnc}\left(CT_i, \mathrm{RKeyGen}(sk_i, W, sk_j)\right)$$

     and returns the resulting ciphertext $CT_j$ to $\mathcal{A}$. It is required that $pk_i$ and $pk_j$ have been generated beforehand by algorithm KeyGen.
   - Decryption query $\langle pk_i, (W, CT_i) \rangle$: Here $\langle pk_i, (W, CT_i) \rangle$ denotes the queries on second level ciphertexts (level 2). Challenger $\mathcal{C}$ returns the result of Dec2($CT_i, sk_i$) to $\mathcal{A}$. It is required that $pk_i$ has been generated beforehand by algorithm KeyGen.
   - Decryption query $\langle pk_j, CT_j \rangle$: Here $\langle pk_j, CT_j \rangle$ denotes the queries on re-encrypted ciphertexts (level 1). Challenger $\mathcal{C}$ returns the result of Dec1($CT_j, sk_j$) to $\mathcal{A}$. It is required that $pk_j$ has been generated beforehand by algorithm KeyGen.

3. Challenge. Once $\mathcal{A}$ decides that Phase 1 is over, it outputs two equal length plaintexts $(m_0, m_1)$. $\mathcal{C}$ chooses a bit $\beta \in \{0,1\}$ and sets the challenge ciphertext to be $CT^*$ = Enc2($pk_{i^*}, m_\beta, W^*$), which is sent to $\mathcal{A}$.

4. Query phase 2. $\mathcal{A}$ continues making queries as in query phase 1.

5. Guess. $\mathcal{A}$ outputs the guess $\beta'$. The adversary wins if $\beta' = \beta$.

During the above game, adversary $\mathcal{A}$ is subject to the following restrictions, where $W$ is $W^*$ or a prefix of $W^*$:

- (i). $\mathcal{A}$ cannot issue corrupted key generation queries on $\langle i^* \rangle$ to obtain the target secret key $sk_{i^*}$.

- (ii). $\mathcal{A}$ cannot issue decryption queries on either $\langle pk_{i^*}, (W, CT^*) \rangle$ or $\langle pk_j, CT_j \rangle$, where $\langle pk_j, CT_j \rangle$ is a re-encryption of the challenge pair $\langle pk_{i^*}, (W, CT^*) \rangle$.

- (iii). $\mathcal{A}$ cannot issue re-encryption queries on $\langle pk_{i^*}, pk_j, (W, CT^*) \rangle$ if $pk_j$ appears in a previous corrupted key generation query.

- (iv). $\mathcal{A}$ cannot obtain the re-encryption key $rk_{i^*,W,j}$ if $pk_j$ appears in a previous corrupted key generation query.

We refer to the above adversary $\mathcal{A}$ as an IND-L2-CCA adversary. His advantage is defined as

$$Succ^{Game1}_{\mathcal{A}}(\lambda) = \left| \Pr\left[\beta' = \beta\right] - 1/2 \right|$$

Game 2: (IND-L1-CCA: Security of level 1 ciphertexts.) Next, we will consider the definition of security of level 1 by providing the adversary with a level 1 ciphertext in the challenge phase. For single-hop schemes, the adversary is provided with access to all re-encryption keys in this definition. The re-encryption oracle thus becomes useless since $\mathcal{A}$ can re-encrypt ciphertexts by himself when given all re-encryption keys. Thus, a level 2 decryption oracle is also unnecessary.

The hierarchical C-PRE scheme is said to be HC-PRE-IND-CCA secure if both $Succ^{Game1}_{\mathcal{A}}(\lambda)$ and $Succ^{Game2}_{\mathcal{A}}(\lambda)$ are negligible.

Master Secret Security. Ateniese et al. [1] also defined another important security requirement, named master secret security, for unidirectional PRE. That means that even if the dishonest proxy colludes with the delegatees, it is still impossible for them to expose the private key in full of their common delegator. As discussed in [17,24], the notion of CCA security at the first level is easily seen to imply the master secret security.

3. Proposed CCA-secure hierarchical C-PRE scheme

In this section, based on Boneh, Boyen and Goh's HIBE scheme [6], we will present our construction of a hierarchical conditional proxy re-encryption scheme with CCA security. Weng et al. [22] listed some important principles for designing CCA-secure C-PRE schemes, as follows: 1) the proxy should verify the validity of the second level ciphertexts, and 2) both the two level (first and second level) ciphertexts should be able to resist the adversary's malicious manipulation. They also claimed that it is non-trivial to design a C-PRE scheme satisfying these requirements.

3.1. Our construction

The description of our hierarchical conditional proxy re-encryption scheme is as follows.

- GlobalSetup($\lambda$): Let $\lambda$ be the security parameter and $(p, g, G_1, G_2, e)$ be the bilinear map parameters. Let the message space be $\mathcal{M} = \{0,1\}^{k_1}$. Let $H_1: \{0,1\}^* \to \mathbb{Z}_p^*$, $H_2: G_2 \to \{0,1\}^{k_1}$, $H_3: \{0,1\}^* \to G_1^*$ and $H_4: \{0,1\}^* \to \mathbb{Z}_p^*$ be hash functions. For now, we assume that a conditional keyword vector $W$ of length $k$ is a vector of elements in $\{0,1\}^*$, that is, $W = (w_1, w_2, \ldots, w_k)$. We assume the maximum length of a keyword vector is $L$. Select random $g_1, g_2, h_1, \cdots, h_L \in G_1$. The global system parameters are $(p, g, G_1, G_2, e, g_1, g_2, h_1, \cdots, h_L, k_1, L, H_1, H_2, H_3, H_4)$.

- KeyGen($i$): User $i$ selects a random $x_i \in \mathbb{Z}_p^*$ and computes $X_i = g^{x_i}$. His public key is $pk_i = X_i$ and the secret key is $sk_i = x_i$.

- RKeyGen($sk_i, W, sk_j$): Given user $i$'s secret key $sk_i = x_i$, a conditional keyword vector $W = (w_1, w_2, \ldots, w_k)$, and user $j$'s secret key $sk_j = x_j$, select a random $r \in \mathbb{Z}_p^*$ and compute

  $$a_0 = g_2^{x_i - x_j} \left( \prod_{l=1}^{k} h_l^{H_4(pk_i, w_l)} \cdot g_1 \right)^{r}, \quad a_1 = g^{r}$$

  $$b = \left\{ b_l = h_l^{r} \right\}_{l \in \{k+1, \cdots, L\}}$$

  and set the re-encryption key $rk_{i,W,j} = (a_0, a_1, b)$.
  Hierarchical key derivation: When given the re-encryption key $rk_{i,W_k,j} = (a_0, a_1, b)$, it can compute the re-encryption key $rk_{i,W_{k+1},j}$ for conditional keyword vector $W_{k+1} = (w_1, w_2, \ldots, w_k, w_{k+1})$ as follows. Pick a random $t \in \mathbb{Z}_p^*$ and compute

  $$a_0' = a_0 \cdot b_{k+1}^{H_4(pk_i, w_{k+1})} \cdot \left( \prod_{l=1}^{k+1} h_l^{H_4(pk_i, w_l)} \cdot g_1 \right)^{t}$$

  $$a_1' = a_1 g^{t}$$

  $$b' = \left\{ b_l h_l^{t} \right\}_{l \in \{k+2, \cdots, L\}}$$

  This re-encryption key $rk_{i,W_{k+1},j} = (a_0', a_1', b')$ is properly distributed for $W_{k+1}$ with $r' = r + t \in \mathbb{Z}_p^*$.

- Enc1($pk_i, m$): To encrypt a message $m \in \mathcal{M}$ under the public key $pk_i$, pick $R \in G_2^*$, compute $s = H_1(m, R)$, and output the first level ciphertext $CT_i = (B, D, E)$, where

  $$B = g^{s}, \quad D = e(X_i, g_2)^{s} \cdot R, \quad E = m \oplus H_2(R)$$

- Enc2($pk_i, m, W$): To encrypt a message $m \in \mathcal{M}$ under the public key $pk_i$ and a conditional keyword vector $W = (w_1, w_2, \ldots, w_k)$, pick $R \in G_2^*$, compute $s = H_1(m, R)$, and output the second level ciphertext $CT_i = (B, C, D, E, F)$, where

  $$B = g^{s}, \quad C = \left( \prod_{l=1}^{k} h_l^{H_4(pk_i, w_l)} \cdot g_1 \right)^{s}, \quad D = e(X_i, g_2)^{s} \cdot R, \quad E = m \oplus H_2(R), \quad F = H_3(B, C, D, E)^{s}$$

- ReEnc($CT_i, rk_{i,W,j}$): On input of a re-encryption key $rk_{i,W,j} = (a_0, a_1, b)$ and a second level ciphertext $CT_i = (B, C, D, E, F)$, it first tests

  $$e\left( \prod_{l=1}^{k} h_l^{H_4(pk_i, w_l)} \cdot g_1, B \right) \stackrel{?}{=} e(C, g), \quad e\left( H_3(B, C, D, E), B \right) \stackrel{?}{=} e(F, g)$$

  If the test fails, it outputs $\perp$; otherwise, $CT_i$ is re-encrypted by computing

  $$D' = \frac{e(a_1, C)}{e(a_0, B)} \cdot D$$

  The re-encrypted ciphertext (level 1) is $CT_j = (B, D', E)$.
  Indeed, for a valid ciphertext, we have

  $$D' = \frac{e(a_1, C)}{e(a_0, B)} \cdot D = \frac{e\left( g^{r}, \left( \prod_{l=1}^{k} h_l^{H_4(pk_i, w_l)} \cdot g_1 \right)^{s} \right)}{e\left( g_2^{x_i - x_j} \left( \prod_{l=1}^{k} h_l^{H_4(pk_i, w_l)} \cdot g_1 \right)^{r}, g^{s} \right)} \cdot e(X_i, g_2)^{s} R$$

  $$= e\left( g^{x_j - x_i}, g_2 \right)^{s} \cdot e(X_i, g_2)^{s} R = e(X_j, g_2)^{s} R$$

- Dec1($CT_j, sk_j$): On input a secret key $sk_j$ and a first level ciphertext (re-encrypted ciphertext) $CT_j = (B, D, E)$, it computes $R = \frac{D}{e(B, g_2)^{x_j}}$, $m = E \oplus H_2(R)$, $s = H_1(m, R)$, and checks whether $B \stackrel{?}{=} g^{s}$ holds. If yes, it returns $m$; else it returns $\perp$.

- Dec2($CT_i, sk_i$): On input a secret key $sk_i$ and a second level ciphertext $CT_i = (B, C, D, E, F)$, it computes $R = \frac{D}{e(B, g_2)^{x_i}}$, $m = E \oplus H_2(R)$, $s = H_1(m, R)$, and checks whether

  $$B = g^{s}, \quad C = \left( \prod_{l=1}^{k} h_l^{H_4(pk_i, w_l)} \cdot g_1 \right)^{s}, \quad F = H_3(B, C, D, E)^{s}$$

  holds. If yes, it returns $m$; else it returns $\perp$.

3.1.1. Correctness

It is straightforward to verify that all the correctly generated original/re-encrypted ciphertexts can be correctly decrypted.
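The correctness claim and the hierarchical key derivation of Section 3.1 can be checked mechanically with the following added example, which is not code from the paper. It assumes a toy "exponent model" in which every group element is stored as its discrete logarithm, so it is insecure by construction and only verifies the algebra; the function names, the modulus `P`, the SHA-256 stand-ins for $H_1$ to $H_4$, and passing $pk_i$ and $W$ to `reenc` explicitly are all assumptions of this sketch.

```python
# Toy "exponent model" of the HC-PRE algebra. NOT secure: it exposes discrete logs.
# g^a in G1 is stored as a mod P and e(g,g)^z in G2 as z mod P, so a product of
# group elements becomes a sum and the pairing e(g^a, g^b) becomes a*b mod P.
import hashlib
import secrets

P = 2**127 - 1      # prime group order p (constructed for this example)
L, K1 = 4, 16       # maximum keyword-vector length, message length in bytes

def _h(tag, *parts):
    """Hash arbitrary values into Z_p^* (stand-in for the random oracles)."""
    data = "|".join([tag] + [str(x) for x in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1) + 1

def H1(m, R): return _h("H1", m.hex(), R)
def H2(R): return hashlib.sha256(f"H2|{R}".encode()).digest()[:K1]
def H3(B, C, D, E): return _h("H3", B, C, D, E.hex())
def H4(pk, w): return _h("H4", pk, w)
def pair(a, b): return a * b % P
def rand(): return secrets.randbelow(P - 1) + 1
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def global_setup():
    return {"g": 1, "g1": rand(), "g2": rand(), "h": [rand() for _ in range(L)]}

def keygen(gp):
    x = rand()
    return gp["g"] * x % P, x                       # (pk = g^x, sk = x)

def cond(gp, pk, W):
    """Exponent of (prod_{l=1..k} h_l^{H4(pk, w_l)}) * g1."""
    return (sum(h * H4(pk, w) for h, w in zip(gp["h"], W)) + gp["g1"]) % P

def rkeygen(gp, sk_i, W, sk_j, r=None):
    r = rand() if r is None else r
    pk_i = gp["g"] * sk_i % P
    a0 = (gp["g2"] * (sk_i - sk_j) + r * cond(gp, pk_i, W)) % P
    b = {l: gp["h"][l] * r % P for l in range(len(W), L)}  # h_{k+1..L}^r, 0-based keys
    return a0, r * gp["g"] % P, b

def derive(gp, pk_i, rk, W, w_next, t=None):
    """Hierarchical key derivation: key for W -> key for W + [w_next]."""
    t = rand() if t is None else t
    a0, a1, b = rk
    k = len(W)
    a0n = (a0 + b[k] * H4(pk_i, w_next) + t * cond(gp, pk_i, W + [w_next])) % P
    bn = {l: (b[l] + gp["h"][l] * t) % P for l in range(k + 1, L)}
    return a0n, (a1 + t * gp["g"]) % P, bn

def enc2(gp, pk, m, W):
    R = rand()
    s = H1(m, R)
    B, C = s * gp["g"] % P, s * cond(gp, pk, W) % P
    D = (pair(pk, gp["g2"]) * s + R) % P            # D = e(X_i, g2)^s * R
    E = xor(m, H2(R))
    return B, C, D, E, H3(B, C, D, E) * s % P

def reenc(gp, pk_i, W, ct, rk):
    B, C, D, E, F = ct
    a0, a1, _ = rk
    valid = (pair(cond(gp, pk_i, W), B) == pair(C, gp["g"])
             and pair(H3(B, C, D, E), B) == pair(F, gp["g"]))
    if not valid:
        return None                                 # the error symbol
    return B, (pair(a1, C) - pair(a0, B) + D) % P, E  # D' = e(a1,C)/e(a0,B) * D

def dec1(gp, sk, ct):
    B, D, E = ct
    R = (D - pair(B, gp["g2"]) * sk) % P            # R = D / e(B, g2)^sk
    m = xor(E, H2(R))
    return m if B == H1(m, R) * gp["g"] % P else None

def demo():
    gp = global_setup()
    pk_a, sk_a = keygen(gp)                         # delegator
    _, sk_b = keygen(gp)                            # delegatee
    m = b"wire transfer #7"                         # constructed 16-byte message
    W, W2 = ["Subject: finance"], ["Subject: finance", "Date: July"]
    r, t = rand(), rand()
    rk = rkeygen(gp, sk_a, W, sk_b, r)
    rk2 = derive(gp, pk_a, rk, W, "Date: July", t)
    ct, ct2 = enc2(gp, pk_a, m, W), enc2(gp, pk_a, m, W2)
    other = rkeygen(gp, sk_a, ["Subject: travel"], sk_b)
    tampered = ct[:3] + (xor(ct[3], b"\x01" * K1),) + ct[4:]
    return {
        "parent": dec1(gp, sk_b, reenc(gp, pk_a, W, ct, rk)),
        "child": dec1(gp, sk_b, reenc(gp, pk_a, W2, ct2, rk2)),
        "derived_equals_direct": rk2 == rkeygen(gp, sk_a, W2, sk_b, (r + t) % P),
        "other_keyword": dec1(gp, sk_b, reenc(gp, pk_a, W, ct, other)),
        "tampered": reenc(gp, pk_a, W, tampered, rk),
    }

if __name__ == "__main__":
    print(demo())
```

The `derived_equals_direct` entry confirms that a derived key is exactly the key RKeyGen would output with randomness $r + t$, while the last two entries show a key for a different keyword and a modified ciphertext both ending in $\perp$.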

3.1.2. Efficiency

We now consider the efficiency of the scheme. Observe that for a keyword vector of any length, the second level ciphertext (original ciphertext) contains only three elements in $G_1$, one element in $G_2$, and one element in $\mathcal{M}$, and decryption takes only 1 pairing operation. The first level ciphertext (re-encrypted ciphertext) contains only one element in $G_1$, one element in $G_2$, and one element in $\mathcal{M}$. Further, it will take two exponentiations and one pairing computation to do the first level decryption. That means, in our system, the ciphertext size grows independently of the keyword vector length. Furthermore, note that $e(X_i, g_2)$, which is used for conducting the encryption, can also be pre-computed, and therefore the encryption does not require any pairings in practice. Hence, our scheme is very practical.

3.1.3. The re-encryption key generation

Note that our HC-PRE scheme is unidirectional since it is impossible to derive the re-encryption key $rk_{i,W,j}$ from $rk_{j,W,i}$ for the different input of $H_4$. The re-encryption key $rk_{i,W,j}$ in our HC-PRE scheme needs both the private key of user $i$ and that of user $j$, thus user $i$ needs to interact with user $j$ when generating the re-encryption key. Therefore, it is interesting to design a non-interactive HC-PRE scheme. Below is the process of re-encryption key generation:

User $j$ may select a random $r' \in \mathbb{Z}_p^*$ and compute

$$a_0' = g_2^{-x_j} \left( \prod_{l=1}^{k} h_l^{H_4(pk_i, w_l)} \cdot g_1 \right)^{r'}, \quad a_1 = a_1' g^{r}$$

$$b = \left\{ b_l = b_l' h_l^{r} \right\}_{l \in \{k+1, \cdots, L\}}$$

and sends $(a_0, a_1, b')$ to user $i$. Note that $(a_0, a_1, b')$ is not a re-encryption key for user $j$ under keyword vector $W = (w_1, w_2, \ldots, w_k)$ since $H_4(pk_j, w)$ is replaced by $H_4(pk_i, w)$. Then user $i$ selects a random $r \in \mathbb{Z}_p^*$ and computes

$$a_0 = a_0' g_2^{x_i} \left( \prod_{l=1}^{k} h_l^{H_4(pk_i, w_l)} \cdot g_1 \right)^{r}, \quad a_1 = a_1' g^{r}$$

$$b = \left\{ b_l = b_l' h_l^{r} \right\}_{l \in \{k+1, \cdots, L\}}$$

3.2. Security of our HC-PRE

In this subsection, we prove the HC-PRE-IND-CCA security for our scheme in the random oracle model. The analyses of Game 1 and Game 2 are as follows.

Theorem 1. If the decisional (L+1)-BDHE and DBDH assumptions hold, then the above scheme is HC-PRE-IND-CCA secure in the random oracle model.

Lemma 1. If there exists an IND-L2-CCA adversary $\mathcal{A}$ against our scheme, then there exists an algorithm $\mathcal{B}$ which can solve the decisional (L+1)-BDHE problem.

Proof. Our approach to proving Lemma 1 closely follows the proof of security for the HIBE scheme [6]. Suppose there exists a polynomial-time adversary $\mathcal{A}$ that can attack our scheme in the random oracle model. We build a simulator $\mathcal{B}$ that can play a decisional (L+1)-BDHE game. We let the challenger set the groups $G_1$ and $G_2$ with an efficient bilinear map $e$ and a generator $g$ of $G_1$. Simulator $\mathcal{B}$ inputs an (L+1)-BDHE instance $(g,h,y_1,\cdots,y_L,y_{L+2},\cdots,y_{2L},T)$, and has to distinguish $T=e(g,h)^{\alpha^{L+1}}$ from a random element in $G_2$.

In the following, we call HU the set of honest parties, including user $i^*$ that is assigned the target public key $pk_{i^*}$, and CU the set of corrupt parties. $\mathcal{A}$ first outputs a keyword vector $W^*=(w_1^*,w_2^*,\ldots,w_n^*)$ of depth $n<L$ that it intends to attack. As in [6], if $n<L$ then $\mathcal{B}$ pads $W^*$ with $L-n$ zeroes on the right to make $W^*$ a vector of length L. Hence, from here we assume that $W^*$ is a vector of length L.

The random oracles $H_1$, $H_2$, $H_3$ and $H_4$ for each user i are controlled by $\mathcal{B}$ as follows.

If $\mathcal{A}$ queries $(m,R)$ to the random oracle $H_1$, $\mathcal{B}$ searches $H_1^{List}$ for an entry $(m,R,s)$. If it exists, return $s$ as answer. Otherwise, it chooses $s \in \mathbb{Z}_p^*$ at random, returns it as answer and puts $(m,R,s)$ into $H_1^{List}$.

If $\mathcal{A}$ queries $(R)$ to the random oracle $H_2$, $\mathcal{B}$ searches $H_2^{List}$ for an entry $(R,\omega)$. If it exists, return $\omega$ as answer. Otherwise, it chooses $\omega \in \{0,1\}^{k}$ at random, returns it as answer and puts $(R,\omega)$ into $H_2^{List}$.

If $\mathcal{A}$ queries $(B,C,D,E)$ to the random oracle $H_3$, $\mathcal{B}$ searches $H_3^{List}$ for an entry $(B,C,D,E,\phi,\psi)$. If it exists, return $\psi$ as answer. Otherwise, it chooses $\phi \in \mathbb{Z}_p^*$ at random and computes $\psi=g^{\phi}$, then returns $\psi$ as answer and puts $(B,C,D,E,\phi,\psi)$ into $H_3^{List}$.

If $\mathcal{A}$ queries $(pk_i,w)$ to the random oracle $H_4$, $\mathcal{B}$ searches $H_4^{List}$ for an entry $(pk_i,w,\theta)$. If it exists, return $\theta$ as answer. Otherwise, it chooses $\theta \in \mathbb{Z}_p^*$ at random, returns it as answer and puts $(pk_i,w,\theta)$ into $H_4^{List}$.

1. Setup: Let λ be the security parameter and $(p,g,G_1,G_2,e)$ be the bilinear map parameters. Let the message space be $M=\{0,1\}^{k_1}$. We assume the maximum length of a keyword vector is L. $\mathcal{B}$ selects a random value $\gamma \in \mathbb{Z}_p^*$ and sets $g_2=g^{\alpha^{L}+\gamma}$. Next, $\mathcal{B}$ picks random $\gamma_1,\cdots,\gamma_L \in \mathbb{Z}_p^*$, and sets $h_l=g^{\gamma_l}/y_{L-l+1}$ for $l=1,\cdots,L$. $\mathcal{B}$ also picks random $\delta \in \mathbb{Z}_p^*$, and sets $g_1=g^{\delta}\prod_{l=1}^{L} y_{L-l+1}^{H_4(pk_{i^*},w_l^*)}$. The global system parameters are $(p,g,G_1,G_2,e,g_1,g_2,k_1,L,H_1,H_2,H_3,H_4)$.

2. Query phase 1. $\mathcal{A}$ makes the following queries:

- Uncorrupted key generation query ⟨i⟩: public keys of honest users $i \in HU$ (including the target public key) are defined as follows: $\mathcal{B}$ selects a random value $\eta_i \in \mathbb{Z}_p^*$ and computes $X_i=g^{\alpha+\eta_i}$. This implicitly defines the system secret key value as $x_i=\alpha+\eta_i$ and the public key as $pk_i=X_i$. $\mathcal{B}$ sends the public key to $\mathcal{A}$.

- Corrupted key generation query ⟨i⟩: Public keys of corrupt users $i \in CU$ are generated as in the key generation algorithm. This means the simulator $\mathcal{B}$ knows both the public key and the secret key of user $i \in CU$, and it sends $(pk_i,sk_i)$ to $\mathcal{A}$.

- Re-encryption key query ⟨$pk_i,W,pk_j$⟩: Consider a query for the re-encryption key corresponding to a conditional keyword vector $W_u=(w_1,w_2,\ldots,w_u)$ where $u\le L$. The only restriction is that $W_u$ is not $W^*$ or a prefix of $W^*$ when $pk_i=pk_{i^*}$. This restriction ensures that there exists a $k \in \{1,\ldots,u\}$ such that $H_4(pk_i,w_k)\ne H_4(pk_{i^*},w_k^*)$. To respond to the query, algorithm $\mathcal{B}$ first derives a re-encryption key for the conditional keyword vector $W_k=(w_1,w_2,\ldots,w_k)$, from which it then constructs a re-encryption key for the requested conditional keyword vector $W_u=(w_1,w_2,\ldots,w_k,\ldots,w_u)$. $\mathcal{B}$ has to distinguish several situations:

(a) If $i \in CU$ and $j \in CU$, $\mathcal{B}$ knows the secret key $x_i$ for user i and $x_j$ for user j, so $\mathcal{B}$ can compute it correctly.

(b) If $i \in HU$ and $j \in CU$, or $i \in CU$ and $j \in HU$, let $\Phi=x_i-x_j=\rho\alpha+\pi$, which means $\pi=\eta_i-x_j$ and $\rho=1$ when $i \in HU$ and $j \in CU$, and $\pi=x_i-\eta_j$ and $\rho=-1$ when $i \in CU$ and $j \in HU$. To generate the re-encryption key for keyword vector $W_k=(w_1,w_2,\ldots,w_k)$, $\mathcal{B}$ first picks a random $\tilde r \in \mathbb{Z}_p^*$. Let

$$r=\frac{\rho\cdot\alpha^{k}}{H_4(pk_i,w_k)-H_4(pk_{i^*},w_k^*)}+\tilde r \in \mathbb{Z}_p^*.$$

385 L. Fang et al. / Computer Standards & Interfaces 34 (2012) 380–389

To generate the first component of the re-encryption key, first observe that

$$\begin{aligned}
\Big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)} g_1\Big)^{r}
&=\Big(\prod_{l=1}^{k}\big(g^{\gamma_l}/y_{L-l+1}\big)^{H_4(pk_i,w_l)}\cdot g^{\delta}\prod_{l=1}^{L} y_{L-l+1}^{H_4(pk_{i^*},w_l^*)}\Big)^{r}\\
&=\Big(g^{\delta+\sum_{l=1}^{k}H_4(pk_i,w_l)\gamma_l}\cdot\prod_{l=1}^{k-1} y_{L-l+1}^{H_4(pk_{i^*},w_l^*)-H_4(pk_i,w_l)}\\
&\qquad\cdot\, y_{L-k+1}^{H_4(pk_{i^*},w_k^*)-H_4(pk_i,w_k)}\cdot\prod_{l=k+1}^{L} y_{L-l+1}^{H_4(pk_{i^*},w_l^*)}\Big)^{r}
\end{aligned}$$

Let Z denote the product of the first, second, and fourth terms. That is,

$$Z=\Big(g^{\delta+\sum_{l=1}^{k}H_4(pk_i,w_l)\gamma_l}\cdot\prod_{l=1}^{k-1} y_{L-l+1}^{H_4(pk_{i^*},w_l^*)-H_4(pk_i,w_l)}\cdot\prod_{l=k+1}^{L} y_{L-l+1}^{H_4(pk_{i^*},w_l^*)}\Big)^{r}$$

Note that $\mathcal{B}$ can compute all the terms in Z. Next, observe that the third term, namely $(y_{L-k+1})^{r(H_4(pk_{i^*},w_k^*)-H_4(pk_i,w_k))}$, is

$$\begin{aligned}
(y_{L-k+1})^{r(H_4(pk_{i^*},w_k^*)-H_4(pk_i,w_k))}
&=(y_{L-k+1})^{\tilde r(H_4(pk_{i^*},w_k^*)-H_4(pk_i,w_k))}\cdot(y_{L-k+1})^{(H_4(pk_{i^*},w_k^*)-H_4(pk_i,w_k))\cdot\frac{\rho\cdot\alpha^{k}}{H_4(pk_i,w_k)-H_4(pk_{i^*},w_k^*)}}\\
&=(y_{L-k+1})^{\tilde r(H_4(pk_{i^*},w_k^*)-H_4(pk_i,w_k))}\,(y_{L+1})^{-\rho}
\end{aligned}$$

Hence, the first component in the re-encryption key is equal to:

$$\begin{aligned}
a_0&=g_2^{x_i-x_j}\Big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)} g_1\Big)^{r}\\
&=\big(g^{\alpha^{L}+\gamma}\big)^{\rho\alpha+\pi}\cdot Z\cdot(y_{L-k+1})^{\tilde r(H_4(pk_{i^*},w_k^*)-H_4(pk_i,w_k))}\,(y_{L+1})^{-\rho}\\
&=\big(g^{\alpha^{L+1}}\big)^{\rho}\, g^{\pi\alpha^{L}+\gamma(\rho\alpha+\pi)}\cdot Z\cdot(y_{L-k+1})^{\tilde r(H_4(pk_{i^*},w_k^*)-H_4(pk_i,w_k))}\,(y_{L+1})^{-\rho}\\
&=y_{L+1}^{\rho}\, y_L^{\pi}\, y_1^{\rho\gamma}\, g^{\pi\gamma}\cdot Z\cdot(y_{L-k+1})^{\tilde r(H_4(pk_{i^*},w_k^*)-H_4(pk_i,w_k))}\,(y_{L+1})^{-\rho}\\
&=y_L^{\pi}\, y_1^{\rho\gamma}\, g^{\pi\gamma}\cdot Z\cdot(y_{L-k+1})^{\tilde r(H_4(pk_{i^*},w_k^*)-H_4(pk_i,w_k))}
\end{aligned}$$

Since $y_{L+1}$ cancels out, all the terms in this expression are known to $\mathcal{B}$. Thus, $\mathcal{B}$ can compute the first re-encryption key component.

$\mathcal{B}$ can compute the second re-encryption key component:

$$a_1=g^{r}=g^{\frac{\rho\cdot\alpha^{k}}{H_4(pk_i,w_k)-H_4(pk_{i^*},w_k^*)}+\tilde r}=y_k^{\frac{\rho}{H_4(pk_i,w_k)-H_4(pk_{i^*},w_k^*)}}\,g^{\tilde r}$$

Similarly, the remaining elements $b_{k+1}=h_{k+1}^{r},\cdots,b_L=h_L^{r}$ can be computed by $\mathcal{B}$ since they do not involve a $y_{L+1}$ term.

(c) If $i \in HU$ and $j \in HU$, $\mathcal{B}$ selects random $r \in \mathbb{Z}_p^*$, and computes

$$a_0=g_2^{\eta_i-\eta_j}\Big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)} g_1\Big)^{r},\qquad a_1=g^{r}$$

$$b=\big(b_l=h_l^{r}\big)_{l\in\{k+1,\cdots,L\}}$$

Thus, $\mathcal{B}$ can derive a valid re-encryption key for $W_k=(w_1,w_2,\ldots,w_k)$. $\mathcal{B}$ uses this re-encryption key to derive a re-encryption key for the descendant conditional keyword vector $W_u=(w_1,w_2,\ldots,w_u)$ and gives $\mathcal{A}$ the result.

- Re-encryption query ⟨$pk_i,pk_j,W,CT_i$⟩: let the conditional keyword vector be $W=(w_1,w_2,\ldots,w_u)$ where $u\le L$. If $W$ is $W^*$ or a prefix of $W^*$ and $pk_i=pk_{i^*}$, then $\mathcal{B}$ searches $H_1^{List}$ and $H_2^{List}$ to see whether there exist a tuple $(m,R,s)$ and a tuple $(R,\omega)$ such that

$$B=g^{s},\quad C=\Big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)} g_1\Big)^{s},\quad D=e(X_i,g_2)^{s}R,\quad E=m\oplus H_2(R),\quad F=H_3(B,C,D,E)^{s}$$

If yes, it outputs the first level ciphertext $CT_j=(B,D'=e(X_j,g_2)^{s}R,E)$ to $\mathcal{A}$; else it outputs ⊥. Otherwise, since $\mathcal{B}$ can compute the unidirectional re-encryption key $rk_{i,W,j}$, $\mathcal{B}$ can compute it correctly.

- Decryption query ⟨$pk_j,CT_j$⟩: ⟨$pk_j,CT_j$⟩ denotes a query on a re-encrypted ciphertext (first level ciphertext) $CT_j=(B,D,E)$. For a user $j \in CU$, $\mathcal{B}$ can decrypt it correctly, since $\mathcal{B}$ knows the secret key for user $j \in CU$. For a user $j \in HU$, $\mathcal{B}$ searches $H_1^{List}$ and $H_2^{List}$ to see whether there exist a tuple $(m,R,s)$ and a tuple $(R,\omega)$ such that

$$B=g^{s},\quad D=e(X_j,g_2)^{s}R,\quad E=m\oplus H_2(R)$$

If yes, it outputs m to $\mathcal{A}$; else it outputs ⊥.

- Decryption query ⟨$pk_i,W,CT_i$⟩: ⟨$pk_i,W,CT_i$⟩ denotes a query on a second level ciphertext $CT_i$. $\mathcal{B}$ makes a re-encryption query on ⟨$pk_i,pk_j,W,CT_i$⟩ to get the re-encrypted ciphertext (first level ciphertext) $CT_j$, then makes a decryption query on ⟨$pk_j,CT_j$⟩, and sends the result to $\mathcal{A}$.

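3. Challenge. Once $\mathcal{A}$ decides that Phase 1 is over, it outputs two equal length plaintexts $(m_0,m_1)$. $\mathcal{B}$ responds by choosing a random $\beta \in \{0,1\}$; $\mathcal{B}$ picks random $R^* \in G_2^*$ and computes

$$\begin{aligned}
B^*&=h\\
C^*&=h^{\delta+\sum_{l=1}^{L}\gamma_l H_4(pk_{i^*},w_l^*)}\\
D^*&=R^*\cdot T\cdot e(y_L,h)^{\eta_{i^*}}\, e(y_1,h)^{\gamma}\, e(g,h)^{\eta_{i^*}\gamma}\\
E^*&=m_\beta\oplus H_2(R^*)\\
g^{\phi^*}&=H_3(B^*,C^*,D^*,E^*)\\
F^*&=h^{\phi^*}
\end{aligned}$$

where $\mathcal{B}$ makes a query $(B^*,C^*,D^*,E^*)$ to the random oracle $H_3$ for an entry $(B^*,C^*,D^*,E^*,\phi^*,\psi)$. To see this, implicitly letting $H_1(m_\beta,R^*)=s^*=c$, if $T=e(g,h)^{\alpha^{L+1}}$, then

$$\begin{aligned}
C^*&=h^{\delta+\sum_{l=1}^{L}\gamma_l H_4(pk_{i^*},w_l^*)}\\
&=\Big(\prod_{l=1}^{L}\big(g^{\gamma_l}/y_{L-l+1}\big)^{H_4(pk_{i^*},w_l^*)}\cdot g^{\delta}\prod_{l=1}^{L} y_{L-l+1}^{H_4(pk_{i^*},w_l^*)}\Big)^{c}\\
&=\Big(h_1^{H_4(pk_{i^*},w_1^*)}\cdots h_L^{H_4(pk_{i^*},w_L^*)}\, g_1\Big)^{c}
\end{aligned}$$

$$\begin{aligned}
D^*&=R^*\cdot T\cdot e(y_L,h)^{\eta_{i^*}}\, e(y_1,h)^{\gamma}\, e(g,h)^{\eta_{i^*}\gamma}\\
&=R^*\cdot e(g,h)^{\alpha^{L+1}}\cdot e(g,h)^{\eta_{i^*}\alpha^{L}}\, e(g,h)^{\gamma\alpha}\, e(g,h)^{\eta_{i^*}\gamma}\\
&=R^*\cdot e(g,h)^{(\eta_{i^*}+\alpha)(\alpha^{L}+\gamma)}\\
&=R^*\cdot e\big(g^{x_{i^*}},g_2\big)^{c}
\end{aligned}$$

4. Query phase 2. $\mathcal{A}$ continues making queries as in the query phase 1.

5. Guess. $\mathcal{A}$ outputs the guess $\beta'$. If $\beta'=\beta$, then output 1, meaning $T=e(g,h)^{\alpha^{L+1}}$; else output 0, meaning $T=e(g,h)^{r}$.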

Probability Analysis: Suppose there exists a polynomial-time adversary, $\mathcal{A}$, in Game 1 that can attack our scheme with an advantage ε. Now we provide the probability of the simulator $\mathcal{B}$:

When $T=e(g,h)^{\alpha^{L+1}}$, $\mathcal{A}$ must satisfy $|\Pr[\beta'=\beta]-1/2|\ge\varepsilon$. When T is uniform in $G_2$, $R^*$ and $D^*$ are uniformly random and independent, so $\Pr[\beta'=\beta]=1/2$. Therefore, when α is uniform in $\mathbb{Z}_p^*$ and T is uniform in $G_2$, we have that

$$\Big|\Pr\big[\mathcal{B}\big(g,h,y_1,\cdots,y_L,y_{L+2},\cdots,y_{2L},e(g,h)^{\alpha^{L+1}}\big)=1\big]-\Pr\big[\mathcal{B}\big(g,h,y_1,\cdots,y_L,y_{L+2},\cdots,y_{2L},e(g,h)^{r}\big)=1\big]\Big|\ \ge\ \big|(1/2\pm\varepsilon)-1/2\big|=\varepsilon$$

as required. This completes the proof of Lemma 1. □

Lemma 2. If there exists an IND-L1-CCA adversary $\mathcal{A}$ against our scheme, then there exists an algorithm $\mathcal{B}$ that can solve the DBDH problem.

Proof. We first let the challenger set the groups $G_1$ and $G_2$ with an efficient bilinear map $e$ and a generator $g$ of $G_1$. Simulator $\mathcal{B}$ inputs a DBDH instance $(g,g^{a},g^{b},g^{c},T)$, and has to distinguish $T=e(g,g)^{abc}$ from a random element in $G_2$.


The random oracles $H_1$, $H_2$, $H_3$ and $H_4$ are the same as in Lemma 1.

In the following, we call HU the set of honest parties, including user $i^*$ that is assigned the target public key $pk_{i^*}$, and CU the set of corrupt parties.

1. Setup: Let λ be the security parameter and $(p,g,G_1,G_2,e)$ be the bilinear map parameters. Let the message space be $M=\{0,1\}^{k_1}$. We assume the maximum length of a keyword vector is L. $\mathcal{B}$ sets $g_2=g^{b}$. Next, $\mathcal{B}$ picks random $\gamma_1,\cdots,\gamma_L \in \mathbb{Z}_p^*$, and sets $h_i=g^{\gamma_i}$ for $i=1,\cdots,L$. $\mathcal{B}$ also picks random $\delta \in \mathbb{Z}_p^*$, and sets $g_1=g^{b+\delta}$. The global system parameters are $(p,g,G_1,G_2,e,g_1,g_2,k_1,L,H_1,H_2,H_3,H_4)$.

2. Query phase 1. $\mathcal{A}$ makes the following queries:

- Uncorrupted key generation query ⟨i⟩: public keys of honest users $i \in HU$ (including the target public key) are defined as follows: $\mathcal{B}$ selects a random value $\eta_i \in \mathbb{Z}_p^*$ and computes $X_i=g^{a+\eta_i}$. This implicitly defines the system secret key value as $x_i=a+\eta_i$. $\mathcal{B}$ sends the public key to $\mathcal{A}$.

- Corrupted key generation query ⟨i⟩: Public keys of corrupt users $i \in CU$ are generated as in the key generation algorithm. This means the simulator $\mathcal{B}$ knows both the public key and the secret key of user $i \in CU$, and it sends $(pk_i,sk_i)$ to $\mathcal{A}$.

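- Re-encryption key query ⟨$pk_i,W,pk_j$⟩: Consider a query for the re-encryption key corresponding to a conditional keyword vector $W=(w_1,w_2,\ldots,w_k)$ where $k\le L$. $\mathcal{B}$ has to distinguish several situations:

(a) If $i \in CU$ and $j \in CU$, $\mathcal{B}$ knows the secret key $x_i$ for user i and $x_j$ for user j, so $\mathcal{B}$ can compute it correctly.

(b) If $i \in HU$ and $j \in CU$, or $i \in CU$ and $j \in HU$, let $\Phi=x_i-x_j=\rho a+\pi$, which means $\pi=\eta_i-x_j$ and $\rho=1$ when $i \in HU$ and $j \in CU$, and $\pi=x_i-\eta_j$ and $\rho=-1$ when $i \in CU$ and $j \in HU$. To generate the re-encryption key for conditional keyword vector $W_k=(w_1,w_2,\ldots,w_k)$, $\mathcal{B}$ first picks a random $\tilde r \in \mathbb{Z}_p^*$. Let $r=-\rho a+\tilde r \in \mathbb{Z}_p^*$. First observe that the first component in the re-encryption key is equal to:

$$\begin{aligned}
a_0&=g_2^{x_i-x_j}\Big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)} g_1\Big)^{r}\\
&=\big(g^{b}\big)^{\rho a+\pi}\Big(\big(g^{\gamma_1}\big)^{H_4(pk_i,w_1)}\cdots\big(g^{\gamma_k}\big)^{H_4(pk_i,w_k)}\, g^{b+\delta}\Big)^{-\rho a+\tilde r}\\
&=\big(g^{ab}\big)^{\rho}\big(g^{b}\big)^{\pi}\big(g^{-\rho a+\tilde r}\big)^{\gamma_1 H_4(pk_i,w_1)}\cdots\big(g^{-\rho a+\tilde r}\big)^{\gamma_k H_4(pk_i,w_k)}\times\big(g^{ab}\big)^{-\rho}\, g^{-\rho a\delta}\, g^{b\tilde r}\, g^{\delta\tilde r}\\
&=\big(g^{b}\big)^{\pi}\Big(\big(g^{a}\big)^{-\rho} g^{\tilde r}\Big)^{\gamma_1 H_4(pk_i,w_1)}\cdots\Big(\big(g^{a}\big)^{-\rho} g^{\tilde r}\Big)^{\gamma_k H_4(pk_i,w_k)}\times\big(g^{a}\big)^{-\rho\delta}\big(g^{b}\big)^{\tilde r}\, g^{\delta\tilde r}
\end{aligned}$$

Since $g^{ab}$ cancels out, all the terms in this expression are known to $\mathcal{B}$. Thus, $\mathcal{B}$ can compute the first re-encryption key component. $\mathcal{B}$ can compute the second re-encryption key component:

$$a_1=g^{r}=\big(g^{a}\big)^{-\rho}\, g^{\tilde r}$$

Similarly, the remaining elements $b_{k+1}=h_{k+1}^{r},\cdots,b_L=h_L^{r}$ can be computed by $\mathcal{B}$ since they do not involve a $g^{ab}$ term.

(c) If $i \in HU$ and $j \in HU$, $\mathcal{B}$ selects random $r \in \mathbb{Z}_p^*$, and computes

$$a_0=g_2^{\eta_i-\eta_j}\Big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)} g_1\Big)^{r},\qquad a_1=g^{r}$$

$$b=\big(b_l=h_l^{r}\big)_{l\in\{k+1,\cdots,L\}}$$

Thus, $\mathcal{B}$ can derive a valid re-encryption key for $W_k=(w_1,w_2,\ldots,w_k)$, and sends $\mathcal{A}$ the result.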

- Re-encryption query ⟨$pk_i,pk_j,W,CT_i$⟩: since $\mathcal{B}$ can compute the unidirectional re-encryption key $rk_{i,W,j}$, $\mathcal{B}$ can compute it correctly.

- Decryption query ⟨$pk_j,CT_j$⟩: ⟨$pk_j,CT_j$⟩ denotes a query on a re-encrypted ciphertext (second level ciphertext) $CT_j=(B,D,E)$. For a user $j \in CU$, $\mathcal{B}$ can decrypt it correctly, since $\mathcal{B}$ knows the secret key for user $j \in CU$. For a user $j \in HU$, $\mathcal{B}$ searches $H_1^{List}$ and $H_2^{List}$ to see whether there exist a tuple $(m,R,s)$ and a tuple $(R,\omega)$ such that

$$B=g^{s},\quad D=e(X_i,g_2)^{s}R,\quad E=m\oplus H_2(R)$$

If yes, it outputs m to $\mathcal{A}$; else it outputs ⊥.

- Decryption query ⟨$pk_i,W,CT_i$⟩: ⟨$pk_i,W,CT_i$⟩ denotes a query on a first level ciphertext $CT_i$. $\mathcal{B}$ makes a re-encryption query on ⟨$pk_i,pk_j,W,CT_i$⟩ to get the re-encrypted ciphertext (first level ciphertext) $CT_j$, then makes a decryption query on ⟨$pk_j,CT_j$⟩, and sends the result to $\mathcal{A}$.

3. Challenge. Once $\mathcal{A}$ decides that Phase 1 is over, it outputs two equal length plaintexts $(m_0,m_1)$. $\mathcal{B}$ responds by choosing a random $\beta \in \{0,1\}$, picks $R^* \in G_2^*$ and computes

$$B^*=g^{c},\quad D^*=T\cdot e(g^{b},g^{c})^{\eta_{i^*}}\cdot R^*,\quad E^*=m_\beta\oplus H_2(R^*)$$

To see this, implicitly letting $H_1(m_\beta,R^*)=s^*=c$, if $T=e(g,g)^{abc}$, then

$$D^*=e(g,g)^{abc}\cdot e(g^{b},g^{c})^{\eta_{i^*}} R^*=e\big(g^{a+\eta_{i^*}},g^{b}\big)^{c}R^*=e(X_{i^*},g_2)^{s^*}R^*$$

$$E^*=m_\beta\oplus H_2(R^*)$$

4. Query phase 2. $\mathcal{A}$ continues making queries as in the query phase 1.

5. Guess. $\mathcal{A}$ outputs the guess $\beta'$. If $\beta'=\beta$, then output 1, meaning $T=e(g,g)^{abc}$; else output 0, meaning $T=e(g,g)^{r}$.

Probability Analysis: Suppose there exists a polynomial-time adversary, $\mathcal{A}$, in Game 2 that can attack our scheme with an advantage ε. Now we provide the probability of the simulator $\mathcal{B}$:

When $T=e(g,g)^{abc}$, $\mathcal{A}$ must satisfy $|\Pr[\beta'=\beta]-1/2|\ge\varepsilon$. When T is uniform in $G_2$, $R^*$ and $D^*$ are uniformly random and independent, so $\Pr[\beta'=\beta]=1/2$. Therefore, when a, b, c are uniform in $\mathbb{Z}_p^*$ and T is uniform in $G_2$, we have that

$$\Big|\Pr\big[\mathcal{B}(g,g^{a},g^{b},g^{c},e(g,g)^{abc})=1\big]-\Pr\big[\mathcal{B}(g,g^{a},g^{b},g^{c},e(g,g)^{r})=1\big]\Big|\ \ge\ \big|(1/2\pm\varepsilon)-1/2\big|=\varepsilon$$

as required. This completes the proof of Lemma 2. □

3.3. Performance comparison

In this section, we compare our scheme with Weng et al.'s proposed CCA secure C-PRE (which we call WYTDB) [23]. Actually, there are two other candidates that could be considered as well, namely [22] and [21]. The reason why we only included WYTDB in our comparison is as follows. Weng et al.'s first C-PRE (WDCL) [22] is not CCA secure and therefore, we omit it. As mentioned earlier, the security notions in [21] do not address the first level ciphertext (original ciphertext) security, and the proxy requires two key pairs (i.e., the partial re-encryption key and the condition key) to perform the transformation, and hence, this is rather unnatural. Hence, we are left only with WYTDB, which provides a comparable security result with ours.

Let $|M|$, $|G_1|$ and $|G_2|$ denote the bit-length of a plaintext, an element in group $G_1$ and an element in group $G_2$, respectively. We denote by $t_p$ and $t_e$ the computational cost of a bilinear pairing and an exponentiation over a bilinear group, respectively. Notice that the encryption algorithm in our scheme does not require any pairing computations once $e(X_i,g_2)$ has been viewed as part of the public key. We assume that conditional keyword vectors W of length k are vectors of elements in $\{0,1\}^*$, which means $W=(w_1,w_2,\ldots,w_k)$. We assume the maximum length of a keyword vector is L. The result of the comparison is outlined in Table 1.

Table 1. Comparison among various C-PRE schemes.

Scheme                  WYTDB [23]             Ours
Cost      Enc1          4te + tp               2.5te
          Enc2          3te + tp               (k+4)te
          ReEnc         3tp                    k te + 6tp
          Dec1          3te + tp               2te + tp
          Dec2          2te + tp               (k+3)te + tp
Length    Level1        2|G1| + |G2| + |M|     |G1| + |G2| + |M|
          Level2        2|G1| + |G2| + |M|     3|G1| + |G2| + |M|
          ReKey         2|G1|                  (L – k+2)|G1|
Security                CCA                    CCA
ROM                     ✓                      ✓
Re-delegation           ×                      ✓


When L=k=1, our scheme is as efficient as Weng et al.'s C-PRE scheme (WYTDB) [23]. From Table 1, it is observed that our C-PRE scheme from Section 3 outperforms Weng et al.'s C-PRE scheme (WYTDB) [23] in terms of encryption and decryption computational costs. Furthermore, our scheme allows multiple conditions. More importantly, our scheme provides re-delegation, which means that a proxy holding re-encryption keys with keyword vector length k can derive re-encryption keys for their children, which are of length k+1. However, like Weng et al.'s scheme [23], our scheme is only proven secure in the random oracle model.

4. Generalized key delegation for hierarchical C-PRE scheme

In Section 3, we presented a construction of a hierarchical conditional proxy re-encryption scheme in which users at level k can derive keys for their children at level k+1. Hierarchical key derivation is a useful feature, but has its limitations. In some situations, the hierarchical structure can be the main stumbling block.

For example, a proxy may want to derive the re-encryption key with the keyword vector W=(*, “July”, “finance”, *) from the re-encryption key with the keyword vector W=(*, *, “finance”, *), where * is a wildcard that can be replaced with any string. In the HIBE setting, Abdalla, Kiltz, and Neven [2] generalized the concept of HIBE schemes to identity-based encryption with wildcard key derivation (WKD-IBE). Similarly to [2], it is desirable to design a generalized key delegation for a hierarchical C-PRE scheme.

As in [2], let re-encryption keys be associated with patterns rather than keyword vectors. A keyword pattern P is a vector $(P_1,\cdots,P_n) \in (\{0,1\}^* \cup \{*\})^{n}$ of length $n\le L$, where * is a special wildcard symbol and L is the maximal depth of the HC-PRE scheme. That means each component $P_i$ of a keyword pattern is either a specific keyword or a wildcard. There is a partial order ≽ defined on the keyword vectors. The idea is that given the key $rk_{i,P,j}$ there is a delegation algorithm that can be used to generate the key $rk_{i,P',j}$ whenever $P \succcurlyeq P'$. We say that $P \succcurlyeq P'$, where pattern $P'=(P'_1,\cdots,P'_{n'})$, if and only if $n'\le n$; $\forall i=1,\cdots,n'$, $P'_i=P_i$ or $P_i=*$; and $\forall i=n'+1,\cdots,n$, $P_i=*$.

If $P=(P_1,\cdots,P_n)$ is a pattern, then let $W(P)$ be the set containing all wildcard indices in P, i.e. the indices $1\le i\le n$ such that $P_i=*$, and let $\overline{W}(P)$ be the complementary set containing all non-wildcard indices.

4.1. Our construction

In this section, we describe generalized key delegation for a hierarchical C-PRE scheme with constant-size ciphertexts, based on the idea of Abdalla, Kiltz, and Neven [2]. The description of our hierarchical conditional proxy re-encryption scheme is as follows.

- GlobalSetup(λ): Let λ be the security parameter and $(p,g,G_1,G_2,e)$ be the bilinear map parameters. Let the message space be $M=\{0,1\}^{k_1}$. Let $H_1:\{0,1\}^*\to\mathbb{Z}_p^*$, $H_2:G_2\to\{0,1\}^{k_1}$, $H_3:\{0,1\}^*\to G_1^*$ and $H_4:\{0,1\}^*\to\mathbb{Z}_p^*$ be hash functions. For now, we assume that conditional keyword vectors W of length k are vectors of elements in $\{0,1\}^*$, that is, $W=(w_1,w_2,\ldots,w_k)$. We assume the maximum length of a keyword vector is L. Selects random $g_1,g_2,h_1,\cdots,h_L \in G_1$. The global system parameters are $(p,g,G_1,G_2,e,g_1,g_2,h_1,\cdots,h_L,k_1,L,H_1,H_2,H_3,H_4)$.

- KeyGen(i): user i selects random $x_i \in \mathbb{Z}_p^*$ and computes $X_i=g^{x_i}$. The public key is $pk_i=X_i$ and the secret key is $sk_i=x_i$.

- RKeyGen($sk_i$,P,$sk_j$): given user i's secret key $sk_i=x_i$, a conditional keyword pattern $P=(P_1,\cdots,P_n)$, and user j's secret key $sk_j=x_j$, selects random $r \in \mathbb{Z}_p^*$ and computes

$$a_0=g_2^{x_i-x_j}\Big(\prod_{l\in\overline{W}(P)} h_l^{H_4(pk_i,P_l)}\, g_1\Big)^{r},\qquad a_1=g^{r}$$

$$b=\big(b_l=h_l^{r}\big)_{l\in W(P)}$$

and sets the re-encryption key $rk_{i,P,j}=(a_0,a_1,b)$.

Wildcard key derivation: When given the re-encryption key $rk_{i,P,j}=(a_0,a_1,b)$, it can compute the re-encryption key $rk_{i,P',j}$ whenever $P \succcurlyeq P'$ as follows. Picks a random $t \in \mathbb{Z}_p^*$ and computes

$$a_0=g_2^{x_i-x_j}\Big(\prod_{l\in\overline{W}(P)} h_l^{H_4(pk_i,P_l)}\, g_1\Big)^{r},\qquad a_1=g^{r}$$

$$b=\big(b_l=h_l^{r}\big)_{l\in W(P)}$$

This re-encryption key $rk_{i,P',j}=(a_0,a_1,b')$ is a properly distributed re-encryption key for keyword pattern $P'$ for $r'=r+t \in \mathbb{Z}_p^*$.

- Enc1($pk_i$,m): To encrypt a message $m \in M$ under the public key $pk_i$, picks $R \in G_2^*$, computes $s=H_1(m,R)$, and outputs the first level ciphertext $CT_i=(B,D,E)$, where

$$B=g^{s},\quad D=e(X_i,g_2)^{s}R,\quad E=m\oplus H_2(R)$$

- Enc2($pk_i$,m,W): To encrypt a message $m \in M$ under the public key $pk_i$ and a conditional keyword vector $W=(w_1,w_2,\ldots,w_k)$, picks $R \in G_2^*$, computes $s=H_1(m,R)$, and outputs the second level ciphertext $CT_i=(B,C,D,E,F)$, where

$$B=g^{s},\quad C=\Big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)}\, g_1\Big)^{s},\quad D=e(X_i,g_2)^{s}R,\quad E=m\oplus H_2(R),\quad F=H_3(B,C,D,E)^{s}$$

- ReEnc($CT_i$,$rk_{i,P,j}$): on input of a second level ciphertext $CT_i=(B,C,D,E,F)$ under keyword vector $W=(w_1,w_2,\ldots,w_k)$ and a re-encryption key $rk_{i,P,j}=(a_0,a_1,b)$ under keyword pattern $P=(P_1,\cdots,P_n)$ where $P \succcurlyeq W$. Since $P \succcurlyeq W$, we have that $P_i=w_i$ for all $i \in \overline{W}(P)$. It first tests

$$e\Big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)}\, g_1,\ B\Big)\overset{?}{=}e(C,g),\qquad e\big(H_3(B,C,D,E),B\big)\overset{?}{=}e(F,g)$$

If the test fails, it outputs ⊥; otherwise, $CT_i$ is re-encrypted by computing

$$a_0'=a_0\prod_{l\in W(P),\ l\le k} b_l^{H_4(pk_i,w_l)},\qquad D'=\frac{e(a_1,C)}{e(a_0',B)}\cdot D$$

The re-encrypted ciphertext (level 1) is $CT_j=(B,D',E)$. Indeed, for a valid ciphertext, we have

$$\begin{aligned}
D'&=\frac{e(a_1,C)}{e(a_0',B)}\cdot D\\
&=\frac{e\Big(g^{r},\big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)} g_1\big)^{s}\Big)}{e\Big(g_2^{x_i-x_j}\big(\prod_{l\in\overline{W}(P)} h_l^{H_4(pk_i,w_l)} g_1\big)^{r}\prod_{l\in W(P),\ l\le k} b_l^{H_4(pk_i,w_l)},\ g^{s}\Big)}\cdot e(X_i,g_2)^{s}R\\
&=\frac{e\Big(g^{r},\big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)} g_1\big)^{s}\Big)}{e\Big(g_2^{x_i-x_j}\big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)} g_1\big)^{r},\ g^{s}\Big)}\cdot e(X_i,g_2)^{s}R\\
&=\frac{e(X_i,g_2)^{s}R}{e\big(g^{x_i-x_j},g_2\big)^{s}}=e(X_j,g_2)^{s}R
\end{aligned}$$


- Dec1($CT_j$,$sk_j$): On input a secret key $sk_j$ and a first level ciphertext (re-encrypted ciphertext) $CT_j=(B,D,E)$, it computes $R=\dfrac{D}{e(B,g_2)^{x_j}}$, $m=E\oplus H_2(R)$, $s=H_1(m,R)$, and checks whether $B\overset{?}{=}g^{s}$ holds. If yes, it returns m; else it returns ⊥.

- Dec2($CT_i$,$sk_i$): On input a secret key $sk_i$ and a second level ciphertext $CT_i=(B,C,D,E,F)$, it computes $R=\dfrac{D}{e(B,g_2)^{x_i}}$, $m=E\oplus H_2(R)$, $s=H_1(m,R)$, and checks whether

$$B=g^{s},\quad C=\Big(\prod_{l=1}^{k} h_l^{H_4(pk_i,w_l)}\, g_1\Big)^{s},\quad F=H_3(B,C,D,E)^{s}$$

holds. If yes, it returns m; else it returns ⊥.
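The ReEnc correctness identity above, and what happens when the pattern of the re-encryption key does not cover the ciphertext's keyword vector, can be checked mechanically. The following is an added example, not code from the paper: it models every group element by its exponent (so $e(g^a,g^b)$ becomes $a\cdot b \bmod p$), which is insecure by construction and verifies only the algebra of RKeyGen, Enc2, ReEnc and Dec1. The group order, the hash instantiations, the 0-based indices and the sample keyword vectors are assumptions of the example.

```python
import hashlib
import secrets

# Toy "exponent-space" model (assumption of this example): a G1 element g^a and
# a G2 element e(g,g)^a are both stored as a mod Q, so e(g^a, g^b) = a*b mod Q.
# Every discrete log is visible, so this checks the algebra only.
Q = 2**127 - 1      # prime group order p (constructed parameter)
K1 = 16             # message length k1, in bytes
WILD = None         # the wildcard symbol '*'

def _hash(tag, *parts):
    return hashlib.sha256(repr((tag,) + parts).encode()).digest()

def _to_zq(digest):
    return int.from_bytes(digest, "big") % (Q - 1) + 1      # value in Z_p^*

def H1(m, R): return _to_zq(_hash("H1", m, R))
def H2(R): return _hash("H2", R)[:K1]
def H3(B, C, D, E): return _to_zq(_hash("H3", B, C, D, E))  # exponent of a G1 element
def H4(pk, w): return _to_zq(_hash("H4", pk, w))

def rand(): return secrets.randbelow(Q - 1) + 1
def pair(a, b): return a * b % Q
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def global_setup(L):
    return {"g": 1, "g1": rand(), "g2": rand(), "h": [rand() for _ in range(L)]}

def keygen():
    x = rand()
    return x, x     # (sk_i = x_i, pk_i = g^{x_i}); identical only in this toy model

def base(pp, pk, indexed_words):
    """Exponent of prod_l h_l^{H4(pk, w_l)} * g1 over the given (index, word) pairs."""
    return (sum(pp["h"][l] * H4(pk, w) for l, w in indexed_words) + pp["g1"]) % Q

def covers(pattern, W):
    """P >= W: W is no longer than P, each P_l is w_l or '*', and the tail of P is '*'."""
    return (len(W) <= len(pattern)
            and all(p is WILD or p == w for p, w in zip(pattern, W))
            and all(p is WILD for p in pattern[len(W):]))

def rkeygen(pp, x_i, pattern, x_j):
    r = rand()
    fixed = [(l, w) for l, w in enumerate(pattern) if w is not WILD]
    a0 = (pp["g2"] * (x_i - x_j) + r * base(pp, x_i, fixed)) % Q
    b = {l: pp["h"][l] * r % Q for l, w in enumerate(pattern) if w is WILD}
    return a0, r, b                                          # (a0, a1 = g^r, b)

def enc2(pp, pk, m, W):
    R = rand()
    s = H1(m, R)
    B, C = s, s * base(pp, pk, enumerate(W)) % Q
    D = (pair(pk, pp["g2"]) * s + R) % Q                     # e(X_i, g2)^s * R
    E = xor(m, H2(R))
    return B, C, D, E, H3(B, C, D, E) * s % Q

def reenc(pp, pk_i, W, ct, rk):
    B, C, D, E, F = ct
    a0, a1, b = rk
    g = pp["g"]
    if (pair(base(pp, pk_i, enumerate(W)), B) != pair(C, g)
            or pair(H3(B, C, D, E), B) != pair(F, g)):
        return None                                          # malformed ciphertext
    a0p = (a0 + sum(b_l * H4(pk_i, W[l]) for l, b_l in b.items() if l < len(W))) % Q
    return B, (pair(a1, C) - pair(a0p, B) + D) % Q, E        # D' = e(a1,C)/e(a0',B) * D

def dec1(pp, x_j, ct):
    B, D, E = ct
    R = (D - x_j * pair(B, pp["g2"])) % Q                    # D / e(B, g2)^{x_j}
    m = xor(E, H2(R))
    return m if H1(m, R) == B else None                      # B =? g^s

def demo():
    pp = global_setup(3)
    x_a, pk_a = keygen()
    x_c, _ = keygen()
    x_d, _ = keygen()
    m = b"loc:51.50,-0.12".ljust(K1)                         # constructed sample plaintext
    W = ("Alice", "Home")
    ct = enc2(pp, pk_a, m, W)
    p_charlie = ("Alice", WILD, WILD)                        # covers any ("Alice", ...)
    p_david = ("Alice", "NotHome", WILD)                     # does not cover W
    out_c = dec1(pp, x_c, reenc(pp, pk_a, W, ct, rkeygen(pp, x_a, p_charlie, x_c)))
    out_d = dec1(pp, x_d, reenc(pp, pk_a, W, ct, rkeygen(pp, x_a, p_david, x_d)))
    return m, covers(p_charlie, W), out_c, covers(p_david, W), out_d

if __name__ == "__main__":
    print(demo())
```

With a covering pattern the delegatee recovers m; with a non-covering pattern the $B = g^{s}$ check in Dec1 rejects, because the blinding term in D′ no longer cancels.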

5. Applications of HC-PRE

In this section, we provide three applications for HC-PRE schemes. We specifically selected these applications to demonstrate how HC-PRE schemes can be used to present solutions in these scenarios.

5.1. Application in privacy-preserving location sharing protocol

Location sharing is one of the features provided by social-networking services, and it is gaining popularity these days. It allows users to set up privacy policies to control who can access their location. With the advent of mobile devices, such as iPhone and Blackberry, users can comfortably update their location wherever they go, and the service enables them to inform their peers automatically, once the peers are provided with sufficient access policies. The service enables location-sharing providers or middleware to disseminate users' location data in a secure manner, since the data are actually encrypted. Further, the users can control when or where the data can be viewed by their peers.

A naive solution could be provided as follows. A user, Alice, could encrypt her location prior to sending it to the location sharing provider, and hence, protect it from the provider or other adversaries. To enable her peers, Bob and Carol, to view her location, Alice can securely disseminate her key to both Bob and Carol. If the key was disclosed or Alice no longer wants Bob and Carol to view her location, she can revoke it. Rather than using a common shared key, Alice could establish pair-wise secret keys with each of her friends or incorporate asymmetric keys, which both require a great deal of additional storage, computation and communication overheads. Hence, although this solution is feasible, it is not practical.

In [13], Dong et al. presented a privacy-preserving location sharing protocol for mobile applications, based on the proxy re-encryption cryptographic primitive. In their solution, Alice sends a re-encryption key to Bob to share her location with Bob. The re-encryption key is computed using Bob's public key and Alice's private key, and then it is sent to the location service provider. When Bob would like to acquire Alice's location, he will first send a request to the location sharing provider. Then, the location sharing provider will retrieve Alice's last encrypted location and apply the re-encryption key and policies defined by Alice. Finally, the location sharing provider will provide this information to Bob. Upon receiving this information, Bob can then decrypt the location and process it accordingly to display Alice's location in the map.

Further, Dong et al. [13] also identified that selective location-based policies would be very useful in location sharing services. Using these selective location-based policies, the users can determine whether the peers can track their location if some policies are applicable. For example, Alice may only want her family (Charlie) to track her location, but she does not want others (David) to do so, if she is at home. This kind of service can be easily implemented if the location sharing service provider has access to the user's location. Nevertheless, in this scenario, the provider only holds encrypted data and hence, Dong et al.'s solution will not be applicable. Hence, they left this problem as an interesting open problem.

We can solve this problem using HC-PRE. First, Alice sets keyword vectors $W_1$=(“Alice”) and $W_2$=(“Alice”, “NotHome”), and sends re-encryption keys $rk_{Alice,W_1,Charlie}$ and $rk_{Alice,W_2,David}$ to the location sharing provider. Then, a ciphertext containing Alice's location, which is encrypted by keyword vector W=(“Alice”, “Home”), can be re-encrypted by the provider to her family (Charlie) but not to her friends (David), since the provider can derive a re-encryption key $rk_{Alice,W_1,Charlie}$ with a keyword vector $W_1$=(“Alice”, “Home”) from the re-encryption key $rk_{Alice,W_1,Charlie}$ with the keyword vector $W_1$=(“Alice”).

Furthermore, HC-PRE can support temporary delegation by only allowing the provider to re-encrypt a ciphertext under a delegator's public key into a delegatee's ciphertext for a limited time period. One possible solution for the above problem is to refresh the keywords by attaching time period information to them. For example, we assume that all users agree on how time is divided by time periods and how each time period is specified, e.g. by days such as “04.04.11”. The keyword vectors $W_1$=(“Alice”) and $W_2$=(“Alice”, “NotHome”) now become $W_1$=(“08.04.11”, “Alice”) and $W_2$=(“08.04.11”, “Alice”, “NotHome”), where 08.04.11 denotes “8 April 2011”. Note that the more fine-grained the time period is, the better security can be achieved.

5.2. Application in PHR

Consider the scenario of a Personal Health Record (PHR) disclosure. A PHR contains all kinds of health-related information about an individual (say, Alice). For example, a PHR contains medical history that includes surgery, illness, laboratory test results, allergies, chronic diseases, vaccinations, imaging (x-ray) reports, immunization records, etc. and the sensitive information provided by Alice including her age, weight, family, food statistics, contact information and any other information related to her health. It is clear that a PHR contains very sensitive data that must be protected.

To ensure Alice's privacy, one may think to encrypt her PHR and store only the ciphertexts in the PHR database. Then, the database can be decrypted on demand. This solution is not practical since Alice needs to be involved in every request to conduct the decryption. Incorporating a proxy re-encryption would be a viable solution in this situation. Nevertheless, the traditional proxy re-encryption is not suitable since the proxy who has the re-encryption key can convert all ciphertexts of the PHR. Furthermore, some of Alice's PHR may be disclosed to an illegitimate entity if the proxy is corrupted. This problem can be avoided by requiring Alice to have as many re-encryption key pairs as there are different categories in her PHR data. We can incorporate the following fine-grained PHR disclosure scheme.

Suppose different categories of Alice's encrypted PHR are accompanied with a list of keywords, such as the encrypted PHR under the keyword vector (“2011”,“Alice”,“medical history”,“July”,“allergies”), or the encrypted PHR under the keyword vector (“2011”,“Alice”,“medical history”,“July”,“imaging reports”).

Then, Alice categorizes her PHR according to her privacy concerns. For instance, she can send a re-encryption key $rk_{Alice,W_1,Practitioner}$ from Alice to a general practitioner under the access policy $W_1$=(“2011”, “Alice”, “medicalhistory”) to the proxy P1.

By doing this, the encrypted PHR under the keyword vector (“2011”,“Alice”,“medical history”,“July”,“allergies”) can be re-encrypted by proxy P1, since it can derive a re-encryption key $rk_{Alice,W',Practitioner}$ with a keyword vector $W_1$=(“2011”, “Alice”, “medicalhistory”, “July”, “Allergies”) from the re-encryption key $rk_{Alice,W_1,Practitioner}$; then it can be decrypted by the general practitioner. However, the proxy P1 cannot re-encrypt the encrypted PHR under the keyword vector (“2011”,“Alice”,“July”,“sensitive information”,“age”). When the proxy P1 is away in August 2011, for example, she wants a proxy P2 to do her job. To solve this problem, the proxy P1 can derive a re-encryption key $rk_{Alice,W_2,Practitioner}$ with a keyword vector $W_2$=(“2011”, “Alice”, “medicalhistory”, “August”) from the re-encryption key $rk_{Alice,W_1,Practitioner}$, and send it to the proxy P2.

5.3. Application in ZigBee security for visitors in home automation

ZigBee network has been identified as the very promising solutionfor constructing the wireless sensor network, due to its advantages interms of high availability, lower power consumption and cost-effectiveness. Hence, ZigBee network has become the most attractivetechnology for home automation, which allows users to designate thehome network and subsequently, control home appliances dependingon their needs. Nevertheless, messages exchanged through the ZigBeenetwork must be protected to improve the safety of home automation.Further, its importance is to provide various services to authorized usersor would-be users, such as visitors.

Unfortunately, the existing ZigBee network is not very attractive atthis stage, in terms of security (namely key-management and capabil-ity of services). ZigBee network requires a huge space to store a lot ofkeys and does not offer the decryption capability as well. Hence, weintend to apply Hierarchical Conditional Proxy Re-encryption, whichre-encrypts a ciphertext with attributes of the visitors to delegatethe capability of decryption to offer a practical and viable solutionfor ZigBee. It also reduces the number of keys and provides a practicalsolution.

When the home owner invites his friends to the home managed by the home automation system, they need authority to control and manage the appliances available there. In HC-PRE, the owner can control the management capability of the system. At first, visitors cannot control anything in the house due to the security policy. For this reason, the owner needs to determine the delegation power suitable for visitors to use the appliances. After the attributes are distributed, appliances (lights, electronic faucets) can be controlled by visitors. The owner can set specific features depending on circumstances, such as prohibiting the visitor from accessing some of the appliances. All of the appliances at home can be managed by the owner and visitors in the HC-PRE scheme. For example, the owner may want the visitor to control the TV, an item of electronic equipment, in the living room in May, but not the TV in the bedroom. We use HC-PRE to solve this problem as follows. First, the owner sets the keyword vector $W_1$ = (“Electronic”, “Living Room”, “TV”, “May”) and sends the re-encryption key $rk_{Owner,W_1,Visitor}$ to the visitor. Then, the ciphertext of the living room TV data, which is encrypted under the keyword vector $W$ = (“Electronic”, “Living Room”, “TV”, “May”), can be re-encrypted by $rk_{Owner,W_1,Visitor}$ to the visitor, and can then be decrypted by the visitor. Nevertheless, the visitor cannot re-encrypt the ciphertext of the bedroom TV data, which is encrypted under the keyword vector $W$ = (“Electronic”, “Bedroom”, “TV”, “May”). If the owner wants the visitor to control all the electronic equipment, he can send $rk_{Owner,W_2,Visitor}$, where $W_2$ = (“Electronic”), to the visitor; the visitor can then derive the re-encryption key $rk_{Owner,W_1,Visitor}$ from $rk_{Owner,W_2,Visitor}$.
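The delegation pattern of this home-automation scenario, modelled as an added example that is not the paper's construction: an HMAC-SHA256 derivation chain stands in for the pairing-based HC-PRE keys, so it shows only which key holder can derive which key, not re-encryption itself. The root secret, the function names and the command string are assumptions.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not taken from the paper).
ROOT = hashlib.sha256(b"constructed owner root secret").digest()
W1 = ("Electronic", "Living Room", "TV", "May")
W2 = ("Electronic",)
W_BED = ("Electronic", "Bedroom", "TV", "May")

def derive_child(key: bytes, keyword: str) -> bytes:
    """One-way step from the key for vector W to the key for W + (keyword,)."""
    # The "derive:" label keeps child keys distinct from command tags.
    return hmac.new(key, b"derive:" + keyword.encode("utf-8"), hashlib.sha256).digest()

def key_for(root: bytes, vector: tuple) -> bytes:
    """Owner side: walk the chain from the root secret down to `vector`."""
    key = root
    for keyword in vector:
        key = derive_child(key, keyword)
    return key

def delegate(held_vector: tuple, held_key: bytes, target: tuple) -> bytes:
    """Holder side: derive the key for `target` from the key of one of its prefixes."""
    if target[:len(held_vector)] != held_vector:
        raise PermissionError(f"{held_vector} is not a prefix of {target}")
    key = held_key
    for keyword in target[len(held_vector):]:
        key = derive_child(key, keyword)
    return key

def sign_command(key: bytes, command: bytes) -> bytes:
    """Tag a command with the key bound to one keyword vector."""
    return hmac.new(key, b"cmd:" + command, hashlib.sha256).digest()

def verify_command(appliance_key: bytes, command: bytes, tag: bytes) -> bool:
    """Appliance side: constant-time check against its own vector's key."""
    return hmac.compare_digest(sign_command(appliance_key, command), tag)

if __name__ == "__main__":
    visitor_key = delegate(W2, key_for(ROOT, W2), W1)   # broad key narrows to W1
    tag = sign_command(visitor_key, b"power on")
    print("living room TV accepts:", verify_command(key_for(ROOT, W1), b"power on", tag))
    print("bedroom TV accepts:", verify_command(key_for(ROOT, W_BED), b"power on", tag))
```

The owner stores only the root secret; every narrower key is recomputed on demand, and a holder of the $W_1$ key has no path back up to the $W_2$ key or across to the bedroom vector.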

6. Conclusion

In this paper, we introduced a new primitive called hierarchical conditional proxy re-encryption (HC-PRE), where the re-encryption keys for a proxy with a keyword vector of length k can derive re-encryption keys for their children, with length k+1. We presented an efficient construction of a hierarchical key derivation C-PRE scheme where the ciphertext is independent of the length of the keyword set. Furthermore, we extended our hierarchical C-PRE scheme to achieve more generalized key delegation by allowing more general re-encryption key delegation patterns.

This work motivates a few interesting questions. The first one is how to construct a CCA-secure HC-PRE scheme without requiring random oracles. The second question is how to construct a non-interactive HC-PRE scheme. We also provided a few applications where HC-PRE is applicable.

References

[1] G. Ateniese, K. Fu, M. Green, S. Hohenberger, Improved proxy re-encryptionschemes with applications to secure distributed storage, Proc. of the 12th AnnualNetwork and Distributed System Security Symposium, 2005, pp. 29–44.

[2] M. Abdalla, E. Kiltz, G. Neven, Generalized key delegation for hierarchicalidentity-based encryption, Proc. of ESORICS 2007 , LNCS, vol. 4734, Springer, Hei-delberg, 2008, pp. 139–154.

[3] J. Baek, R. Safavi-Naini, W. Susilo, Public key encryption with keyword searchrevisited, Proc. of Applied Cryptography and Information Security 06 (ACIS2006), LNCS, vol. 5072, Springer, Heidelberg, 2008, pp. 1249–1259.

[4] M. Blaze, G. Bleumer, M. Strauss, Divertible protocols and atomic proxy cryptog-raphy, Proc. of EUROCRYPT 1998, LNCS, vol. 1403, Springer, Heidelberg, 1998,pp. 127–144.

[5] D. Boneh, X. Boyen, Efficient selective-ID based encryption without random ora-cles, Proc. of EUROCRYPT 2004, LNCS, vol. 3027, Springer, Heidelberg, 2004,pp. 223–238.

[6] D. Boneh, X. Boyen, E. Goh, Hierarchical identity based encryption with constantsize ciphertext, Proc. of EUROCRYPT 2005, LNCS, vol. 3494, Springer, Heidelberg,2005, pp. 440–456.

[7] D. Boneh, G. Di Crescenzo, R. Ostrovsky, G. Persiano, Public key encryption withkeyword search, Proc. of EUROCRYPT 2004. LNCS, vol. 3027, Springer, Heidelberg,2004, pp. 506–522.

[8] R. Canetti, S. Hohenberger, Chosen-ciphertext secure proxy re-encryption, Proc.of the 14th ACM Conference on Computer and Communications Security, ACMNew York, NY, USA, 2007, pp. 185–194.

[9] C. Chu, W. Tzeng, Identity-based proxy re-encryption without random oracles,Proc. of ISC 2007, LNCS, vol. 4779, Springer, Heidelberg, 2007, pp. 189–202.

[10] C. Chu, J. Weng, S. Chow, J. Zhou, R. Deng, Conditional proxy broadcast re-encryption, Proc. of ACISP 2009, LNCS, vol. 5594, Springer, Heidelberg, 2009,pp. 327–342.

[11] S. Chow, J. Weng, Y. Yang, R. Deng, Efficient unidirectional proxy re-encryption,Proc. of AFRICACRYPT 2010, LNCS, vol. 6055, Springer, Heidelberg, 2010,pp. 316–332.

[12] R. Deng, J. Weng, S. Liu, K. Chen, Chosen-cipertext secure proxy re-encryptionwithout pairings, Proc. of CANS 2008. LNCS, vol. 5339, Springer, Heidelberg,2008, pp. 1–17.

[13] C. Dong, N. Dulay, Longitude: a privacy-preserving location sharing protocol formobile applications, Proc. of IFIPTM 2011, IFIP AICT 358, , 2011, pp. 133–148.

[14] L. Fang, W. Susilo, J. Wang, Anonymous conditional proxy re-encryption withoutrandom oracle, Proc. of ProvSec 2009. LNCS, vol. 5848, Springer, Heidelberg, 2009,pp. 47–60.

[15] M. Green, G. Ateniese, Identity-based proxy re-encryption, Proc. of ACNS 2007,LNCS, vol. 4521, Springer, Heidelberg, 2007, pp. 288–306, Full version: CryptologyePrint Archieve: Report 2006/473.

[16] T. Matsuda, R. Nishimaki, K. Tanaka, CCA proxy re-encryption without bilinearmaps in the standard model, Proc. of PKC 2010, LNCS, vol. 6056, Springer, Heidel-berg, 2010, pp. 261–278.

[17] B. Libert, D. Vergnaud, Unidirectional chosen-ciphertext secure proxy re-encryption, Proc. of PKC 2008, LNCS, vol. 4939, Springer, Heidelberg, 2008,pp. 360–379, Full version:, http://hal.inria.fr/inria-00339530/en/.

[18] H.S. Rhee, W. Susilo, H.-J. Kim, Secure searchable public key encryption schemeagainst keyword guessing attacks, IEICE Electronics Express 6 (5) (2009) 237–243.

[19] J. Shao, Z. Cao, CCA-secure proxy re-encryption without pairings, Proc. of PKC2009, LNCS, vol. 5443, Springer, Heidelberg, 2009, pp. 357–376.

[20] Q. Tang, Type-based proxy re-encryption and its construction, Proc. of INDO-CRYPT 2008, LNCS, vol. 5365, Springer, Heidelberg, 2008, pp. 130–144.

[21] S. Sree Vivek, S. Sharmila Deva Selvi, V. Radhakishan, C. Pandu Rangan, Condition-al proxy re-encryption—a more efficient construction, Proc. of CNSA 2011, CCIS,196, 2011, pp. 502–512.

[22] J. Weng, R.H. Deng, C. Chu, X. Ding, J. Lai, Conditional proxy re-encryption secureagainst chosen-ciphertext attack, Proc. of the 4th International Symposium onACM Symposium on Information, Computer and Communications Security(ASIACCS 2009), 2009, pp. 322–332.

[23] J. Weng, Y. Yang, Q. Tang, R.H. Deng, F. Bao, Efficient conditional proxy re-encryption with chosen-ciphertext security, Proc. of the 12th International Con-ference on Information Security (ISC 2009), 2009, pp. 151–166.

[24] J. Weng, M. Chen, Y. Yang, R. Deng, K. Chen, F. Bao, CCA-secure unidirectionalproxy re-encryption in the adaptive corruption model without random oracles,SCIENCE CHINA Information Sciences. Express 53 (3) (2010) 593–606.

[25] R. Zhang, H. Imai, Generic combination of public key encryption with keywordsearch and public key encryption, Proc. of Cryptology and Network Security, 6thInternational Conference, CANS 2007, LNCS, vol. 4856, Springer, Heidelberg,2007, pp. 159–174.