An Efficient Certificateless Proxy Re-Encryption Scheme without Pairing

Transcription

1 An Efficient Certificateless Proxy Re-Encryption Scheme without Pairing Presented By: Arinjita Paul Authors: S. Sharmila Deva Selvi, Arinjita Paul, C. Pandu Rangan TCS Lab, Department of CSE, IIT Madras. 19/12/17 1

2 Outline of Presentation Need for certificateless encryption. What is proxy re-encryption? Certificateless proxy re-encryption. Definition and security model. Our scheme. Conclusion. 19/12/17 2

3 Certificateless Encryption Introduced by Al-Riyami and Paterson [Asiacrypt 2003]. Key generation involves both the central authority (KGC) and the user. KGC + = Overcomes the drawbacks of other encryption techniques: Public Key Infrastructure (PKI): Management of certificates. Identity Based Encryption (IBE): Key- Escrow Problem. 19/12/17 3

4 Proxy Re-Encryption Introduced by Blaze, Bleumer and Strauss [Eurocrypt 1998]. Allows a semi-trusted third party (proxy) to re-encrypt an already encrypted data into a new encryption. The proxy never learns anything about the underlying data! Alice Alice 19/12/17 Bob Bob 4

5 Consider the following scenario: Alice Alice Cloud Service Provider Stores encrypted files in Cloud Alice A

6 Alice Cloud Service Provider Requests for Shared data Alice Bob

7 Alice shares her secret key with Bob to decrypt the encrypted file Alice Alice Bob Compromises Alice s privacy!

8 One Solution: Proxy Re-Encryption! Alice Alice Proxy Server Sends Re encryption key Alice (Delegator) Bob (Delegatee) Alice sends a special key construct re encryption key to the proxy server.

9 RE-ENCRYPTION Alice Bob Proxy Server Proxy re-encrypts the encrypted file of Alice. CAlice + re-key = CBob Proxy cannot learn any information about the underlying file.

10 Bob Proxy Server Encrypted file sent to Bob Alice (Delegator) Bob (Delegatee)

11 CLPRE Definition: A CLPRE scheme consists of the following algorithms: Setup : KGC generates public parameters and master secret key. PartialKeyExtract : KGC forms partial public key & secret key. UserKeyGen : User forms user public key & private key.

12 CLPRE Definition: A CLPRE scheme consists of the following algorithms: SetPrivateKey : User generates full private key. SetPublicKey : User forms full public key. Re-KeyGen: User forms re-encryption key.

13 CLPRE Definition: A CLPRE scheme consists of the following algorithms: Encrypt: Sender encrypts m under a public key and outputs ciphertext C. Decrypt: Receiver decrypts C using private key and obtains m.

14 CLPRE Definition: A CLPRE scheme consists of the following algorithms: Re-Encrypt : Proxy re-encrypts original ciphertext into a ciphertext under a different public key using the re-encryption algorithm. Re-Decrypt : Receiver decrypts re-encrypted ciphertext D using private key

15 Correctness of CLPRE: Consistency between encryption & decryption: Consistency between re-encryption & re-decryption:

16 Security for CLPRE: Two types of adversaries in CLPRE: Type I Type II -Without a msk. -With msk. -Can replace public keys of its choice, representing an outsider. -Represents a KGC who can eavesdrop or place decryption queries. Due to the existence of two levels of ciphertexts, it is essential to prove the security for both levels: original and re-encrypted.

17 Security Model for CLPRE SECURITY AGAINST TYPE-I ADVERSARY: The security for original ciphertext is shown as a game between Challenger & Adversary: CLPRE scheme is IND-CLRE-CCA secure if

18 Security Model for CLPRE SECURITY AGAINST TYPE-I ADVERSARY:The security for re-encrypted ciphertext is shown as a game between Challenger & Adversary. CLPRE scheme is IND-CLRE-CCA secure if

19 Security Model for CLPRE SECURITY AGAINST TYPE-II ADVERSARY: The security for original ciphertext is shown as a game between Challenger & Adversary: CLPRE scheme is IND-CLRE-CCA secure if

20 Security Model for CLPRE SECURITY AGAINST TYPE-II ADVERSARY: The security for re-encrypted ciphertext is shown as a game between Challenger & Adversary: CLPRE scheme is IND-CLRE-CCA secure if

21 Our CLPRE Scheme - Our scheme is pairing- free. - All existing schemes are based on costly bilinear pairing functions. CLPRE schemes Security Model Remarks Sur et al. [CMS10] CCA Random Oracle Based on pairing. Attacked by Zheng et al. Guo et al. [ProvSec13] RCCA Random Oracle Based on bilinear pairing. Yang et al. [ICISC13] CCA Random Oracle Pairing-free. Attacked b Srinivasan et al. Srinivasan et al. [ASIACCS15] CCA Random Oracle Pairing-free. Attack shown in our work. Our work [ProvSec17] CCA Random Oracle Pairing free.

22 Our CLPRE Scheme Setup: Choose a group of prime order q. is the generator of. Pick, compute Choose cryptographic hash functions

23 Our CLPRE Scheme PartialKeyExtract: - Pick UserKeyGen: - Pick. - Compute - Compute - Compute - - Compute - - SetPrivateKey: SetPublicKey:

24 Our CLPRE Scheme Public Verifiability:

25 Our CLPRE Scheme C Sender Encrypt: - Pick - Compute : Alice

26 Our CLPRE Scheme C Sender Decrypt: - Compute. - Check if C is wellformed: - If satisfied, compute: Alice

27 Our CLPRE Scheme Re-KeyGen: - Pick - Compute such that - Compute such that - Compute - Compute

28 Our CLPRE Scheme D C Proxy Sender Re-Encrypt: Re-Decrypt: - Check if ciphertext is wellformed. - Compute: - Compute: - Check - If satisfied, compute: Bob

29 Security against Adversary I Scheme is secure in the Random Oracle model, under the following assumptions: Original ciphertext security: under Computational diffiehellman (CDH) assumption. Re-encrypted ciphertext security: under Computational diffiehellman (CDH) assumption.

30 Security against Adversary II Original ciphertext security: under Computational diffiehellman (CDH) assumption. Re-encrypted ciphertext security: under Computational diffiehellman (CDH) assumption.

31 Advantage of our Scheme: - Our scheme is pairing- free. - All existing schemes are based on costly bilinear pairing functions. Future Work: - Designing a collusion-resistant CLPRE.

32 Additional Contribution: - We reveal a weakness in the security-proof of the only existing CLPRE scheme by Srinivasan et al.[asiaccs15]. - Construct a distinguisher for the simulation and real system, where C is a first-level ciphertext constructed using random : Real System Simulation - We fix the flaw by introducing a full domain hash function to obtain trapdoor for randomness r.

33

34