112 research outputs found

    A Proxy Re-Encryption Scheme with the Unforgeability of Re-Encryption Keys against Collusion Attacks

    Proxy re-encryption (PRE) schemes are cryptosystems which allow a proxy who has a re-encryption key to convert a ciphertext originally encrypted for one party into a ciphertext which can be decrypted by another party. In IWSEC 2011, Hayashi et al. proposed the new security notion for PRE called “unforgeability of re-encryption keys against collusion attacks,” UFReKey-CA for short. They proposed the PRE schemes and claimed that their schemes meet UFReKey-CA. However, Isshiki et al. pointed out that the schemes do not meet UFReKey-CA in IWSEC 2013. It is an open problem of constructing the scheme which meets UFReKey-CA. In this paper, we propose new PRE schemes which meet confidentiality (RCCA security) assuming that the q-wDBDHI problem is hard and meet UFReKey-CA assuming that the 2-DHI problem is hard.

    Non-Transferable Proxy Re-Encryption Scheme

    SEC8: Selected topics in Information Security. A proxy re-encryption (PRE) scheme allows a proxy to re-encrypt a ciphertext for Alice (delegator) to a ciphertext for Bob (delegatee) without seeing the underlying plaintext. However, existing PRE schemes generally suffer from at least one of the following. Some schemes fail to provide the non-transferable property in which the proxy and the delegatee can collude to further delegate the decryption right to anyone. This is the main open problem left for PRE schemes. Other schemes assume the existence of a fully trusted private key generator (PKG) to generate the re-encryption key to be used by the proxy for re-encrypting a given ciphertext for a target delegatee. But this poses two problems in PRE schemes if the PKG is malicious: the PKG in their schemes may decrypt both original ciphertexts and re-encrypted ciphertexts (referred as the key escrow problem); and the PKG can generate re-encryption key for arbitrary delegatees without permission from the delegator (we refer to it as the PKG despotism problem). In this paper, we propose the first non-transferable proxy re-encryption scheme which successfully achieves the nontransferable property. We show that the new scheme solved the PKG despotism problem and key escrow problem as well. © 2012 IEEE.

    Breaking and Fixing Anonymous Credentials for the Cloud

    In an attribute-based credential (ABC) system, users obtain a digital certificate on their personal attributes, and can later prove possession of such a certificate in an unlinkable way, thereby selectively disclosing chosen attributes to the service provider. Recently, the concept of encrypted ABCs (EABCs) was introduced by Krenn et al. at CANS 2017, where virtually all computation is outsourced to a semi-trusted cloud-provider called wallet, thereby overcoming existing efficiency limitations on the user’s side, and for the first time enabling “privacy-preserving identity management as a service”. While their approach is highly relevant for bringing ABCs into the real world, we present a simple attack allowing the wallet to learn a user’s attributes when colluding with another user -- a scenario which is not covered by their modeling but which needs to be considered in practice. We then revise the model and construction of Krenn et al. in various ways, such that the above attack is no longer possible. Furthermore, we also remove existing non-collusion assumptions between wallet and service provider or issuer from their construction. Our protocols are still highly efficient in the sense that the computational effort on the end user side consists of a single exponentiation only, and otherwise efficiency is comparable to the original work of Krenn et al.

    CCA-Secure PRE Scheme without Random Oracles

    In a proxy re-encryption scheme, a semi-trusted proxy can transform a ciphertext under Alice’s public key into another ciphertext that Bob can decrypt. However, the proxy cannot access the plaintext. Due to its transformation property, proxy re-encryption can be used in many applications, such as encrypted email forwarding. In this paper, by using the techniques of Canetti-Hohenberger and Kurosawa-Desmedt, we propose a new single-use unidirectional proxy re-encryption scheme. Our proposal is secure against chosen ciphertext attack (CCA) and collusion attack in the standard model.

    Efficient unidirectional proxy re-encryption

    Office of Research, Singapore Management Universit

    Efficient Unidirectional Proxy Re-Encryption

    Proxy re-encryption (PRE) allows a semi-trusted proxy to convert a ciphertext originally intended for Alice into one encrypting the same plaintext for Bob. The proxy only needs a re-encryption key given by Alice, and cannot learn anything about the plaintext encrypted. This adds flexibility in various applications, such as confidential email, digital right management and distributed storage. In this paper, we study unidirectional PRE, which the re-encryption key only enables delegation in one direction but not the opposite. In PKC 2009, Shao and Cao proposed a unidirectional PRE assuming the random oracle. However, we show that it is vulnerable to chosen-ciphertext attack (CCA). We then propose an efficient unidirectional PRE scheme (without resorting to pairings). We gain high efficiency and CCA-security using the “token-controlled encryption” technique, under the computational Diffie-Hellman assumption, in the random oracle model and a relaxed but reasonable definition.

    Non-Transferable Proxy Re-Encryption

    Proxy re-encryption (PRE) allows a semi-trusted proxy to transform a ciphertext for Alice into a ciphertext of the same message for Bob. The traditional security notion of PRE focuses on preventing the proxy with the re-encryption key learning anything about the encrypted messages. However, such a basic security requirement is clearly not enough for many scenarios where the proxy can collude with Bob. A desirable security goal is therefore to prevent a malicious proxy colluding with Bob to re-delegate Alice’s decryption right. In 2005, Ateniese, Fu, Green and Hohenberger first proposed this intriguing problem called non-transferability, in the sense that the only way for Bob to transfer Alice’s decryption capability is to expose his own secret key. It captures the notion that Bob cannot collude with the proxy and transfer Alice’s decryption right without compromising his own decryption capability. However, over the last decade, no solutions have achieved this property. In this paper, we positively resolve this open problem. In particular, we give the first construction of nontransferable proxy re-encryption where the attacker is allowed to obtain one pair of keys consisting of Bob’s secret key and the corresponding re-encryption key. Using indistinguishability obfuscation and k-unforgeable authentication as main tools, our scheme is provably secure in the standard model. The essential idea behind our approach is to allow Bob’s secret key to be evoked in the process of decrypting Alice’s ciphertext while hiding the fact that only Bob could decrypt it by the obfuscated program. In addition, we also show a negative result: a CPA secure proxy re-encryption scheme with “error-freeness” property cannot be non-transferable.

    Efficient cryptographic primitives: Secure comparison, binary decomposition and proxy re-encryption

    “Data outsourcing becomes an essential paradigm for an organization to reduce operation costs on supporting and managing its IT infrastructure. When sensitive data are outsourced to a remote server, the data generally need to be encrypted before outsourcing. To preserve the confidentiality of the data, any computations performed by the server should only be on the encrypted data. In other words, the encrypted data should not be decrypted during any stage of the computation. This kind of task is commonly termed as query processing over encrypted data (QPED). One natural solution to solve the QPED problem is to utilize fully homomorphic encryption. However, fully homomorphic encryption is yet to be practical. The second solution is to adopt multi-server setting. However, the existing work is not efficient. Their implementations adopt costly primitives, such as secure comparison, binary decomposition among others, which reduce the efficiency of the whole protocols. Therefore, the improvement of these primitives results in high efficiency of the protocols. To have a well-defined scope, the following types of computations are considered: secure comparison (CMP), secure binary decomposition (SBD) and proxy re-encryption (PRE). We adopt the secret sharing scheme and Paillier public key encryption as building blocks, and all computations can be done on the encrypted data by utilizing multiple servers. We analyze the security and the complexity of our proposed protocols, and their efficiencies are evaluated by comparing with the existing solutions.”--Abstract, page iii

    A Provably-Secure Unidirectional Proxy Re-Encryption Scheme Without Pairing in the Random Oracle Model

    Proxy re-encryption (PRE) enables delegation of decryption rights by entrusting a proxy server with special information that allows it to transform a ciphertext under one public key into a ciphertext of the same message under a different public key. It is important to note that the proxy which performs the re-encryption learns nothing about the message encrypted under either public key. Due to its transformation property, proxy re-encryption schemes have practical applications in distributed storage, encrypted email forwarding, Digital Rights Management (DRM) and cloud storage. From its introduction, several proxy re-encryption schemes have been proposed in the literature, and a majority of them have been realized using bilinear pairing. In Africacrypt 2010, the first PKI-based collusion resistant CCA secure PRE scheme without pairing was proposed in the random oracle model. In this paper, we point out an important weakness in the scheme. We also present the first collusion-resistant pairing-free unidirectional proxy re-encryption scheme which meets CCA security under a variant of the computational Diffie-Hellman hardness assumption in the random oracle model.