Efficiently Obfuscating Re-Encryption Program under DDH Assumption

A re-encryption program (or a circuit) transforms a ciphertext encrypted under Alice\u27s public key $pk_1$ to a ciphertext of the same message encrypted under Bob\u27s public key $pk_2$. Hohenberger et al. (TCC 2007) constructed a pairing-based obfuscator for a family of circuits implementing the re-encryption functionality under a new notion of obfuscation called as \textit{average-case secure obfuscation}. Chandran et al. (PKC 2014) proposed a lattice-based construction for the same. The construction given by Hohenberger et al. could only support encryptions of messages from a polynomial space and the decryption algorithm may have to perform a polynomial number of pairing operations in the worst case. Moreover, the proof of security relies on strong assumptions. On the other hand, the construction given by Chandran et al. relies on standard assumptions on lattices but could only satisfy a relaxed notion of correctness. In this work we propose a simple and efficient obfuscator for the re-encryption functionality which doesn\u27t suffer from \textit{any} of the above mentioned drawbacks. In particular, our construction satisfies the strongest notion of correctness, supports encryption of messages from an exponential sized domain and relies on the standard DDH-assumption. We also strengthen the black-box security model for encryption - re-encryption system proposed by Hohenberger et al. and prove the average-case virtual black box property of our obfuscator as well as the security of our encryption - re-encryption system (in the strengthened model) under the DDH-assumption. All our proofs are in the standard model