Interactive conditional proxy re-encryption with fine grain policy

https://doi.org/10.1016/j.jss.2011.06.045

Abstract

Conditional proxy re-encryption (C-PRE) allows a semi-trusted proxy to convert a ciphertext that satisfies a condition set by the sender into an encryption of the same message intended for a recipient other than the one originally intended. In ISC 2009, Weng, Yang, Tang, Deng, and Bao proposed an efficient CCA-secure C-PRE scheme, and left open the problem of constructing CCA-secure C-PRE schemes supporting “OR” and “AND” gates over conditions. In this paper, we make the first attempt at constructing C-PRE schemes with a richer policy, and hence address the problem raised by Weng et al. Our scheme is, however, an interactive scheme: the ‘interactive setting’ refers to the case where the re-encryption key generation algorithm requires the private keys of both the delegator and the delegatee. Consequently, we call our new cryptographic primitive interactive conditional proxy re-encryption with fine grain policy (ICPRE-FG). This notion enhances the notion of PRE with features from attribute-based encryption (ABE); that is, our ICPRE-FG is constructed from a careful combination of existing PRE and ABE techniques. In an ICPRE-FG system, each ciphertext is labeled by the delegator with a set of descriptive conditions, and each re-encryption key is associated with an access tree that specifies which ciphertexts the key can re-encrypt. We formalize the security model of ICPRE-FG, and then present a new and efficient construction of an ICPRE-FG scheme with CCA security under a well-studied assumption in the random oracle model.

Highlights

► We make the first attempt at constructing C-PRE schemes with a richer policy. ► This work addresses the problem raised by Weng et al. in 2009. ► Our scheme is interactive, and hence solves the problem raised by Weng et al. only partially.

Introduction

Proxy re-encryption. Proxy re-encryption (PRE), introduced by Blaze, Bleumer and Strauss at EUROCRYPT 1998 (Blaze et al., 1998), allows a semi-trusted proxy, given some additional information (a re-encryption key), to transform a ciphertext under Alice’s public key into a new ciphertext under Bob’s public key for the same message. The proxy needs only the re-encryption key, and learns nothing about the encrypted message. Instead of having every ciphertext converted, Alice may want the proxy to convert only those ciphertexts carrying a certain keyword. To allow this, Weng et al. (2009) introduced the notion of conditional proxy re-encryption (C-PRE), in which only ciphertexts satisfying a keyword condition set by Alice can be transformed by the proxy.

Motivation. The limitation of all previous C-PRE schemes is that they allow the proxy to re-encrypt only a ciphertext that matches a single keyword, and do not allow any boolean combination of keywords. Yet boolean combinations of conditions are essential to make effective use of C-PRE, since a single keyword condition is often far too coarse. For example, define an email to have the keyword fields “From”, “Date”, “Importance”, and “Subject”. Suppose a delegator will be away in April and wants a proxy to re-encrypt important emails while he is away. Rather than having all emails re-encrypted, the delegator might only want those marked “From: Bob” with “Date: March” or “Date: April” and pertaining to “Subject: finance”, in which case what is needed is the ability to re-encrypt on the combination of conditions “Bob” and (“March” or “April”) and “finance”. This problem was first identified by Weng et al. (2009), who left the construction of CCA-secure C-PRE schemes supporting “OR” and “AND” gates over conditions as an open research problem.

We provide a second example to illustrate the practicality of the problem. Consider the disclosure of a Personal Health Record (PHR). A PHR contains all kinds of health-related information about an individual (say, Alice). On the one hand, it contains medical history from various medical service providers, including surgery, illness, laboratory test results, allergies, chronic diseases, vaccinations, imaging (X-ray) reports, immunization records, etc. On the other hand, sensitive information provided by Alice herself may be included in her PHR, for example her weight, food statistics, contact information and any other information related to her health. It is useful for Alice to obtain health care services and monitor her health status using the information in her PHR. Clearly, then, a PHR contains very sensitive data that must be protected, and different levels of protection are required: Alice may not mind if her food statistics are known to other people, but she would like to keep her health history private.

To ensure Alice’s privacy, one might encrypt her PHR and store only the ciphertexts in the PHR database, decrypting on demand. This is not practical, since Alice would need to be involved in every request and perform the decryption herself. Furthermore, some of the information may be released to Alice’s general practitioner, and when Alice is later referred to a specialist, the same information must be released again to that specialist. Multiple decryptions are possible, but very inefficient. Proxy re-encryption would be a viable solution here, but traditional proxy re-encryption is not suitable either, since a proxy holding the re-encryption key can convert all of the PHR ciphertexts; if the proxy is corrupted, parts of Alice’s PHR may be disclosed to an illegitimate entity. This problem can be avoided by giving Alice as many re-encryption keys as there are categories in her PHR data. A fine-grained PHR disclosure scheme can then be set up as follows.

Suppose different categories of Alice’s encrypted PHR are accompanied with a list of keywords or conditions, such as the encrypted PHR under the conditions (“Alice”,“allergies”), or the encrypted PHR under the conditions (“Alice”, “imaging reports”, “2010”).

Alice then categorizes her PHR according to her privacy concerns. For instance, she can give proxy P1 a re-encryption key from Alice to a general practitioner under the access policy (“Alice” and ((“imaging reports” and “2010”) or “allergies”)), and give proxy P2 a re-encryption key from Alice to the pharmacist under the access policy (“Alice” and “allergies”). This situation needs a proxy re-encryption primitive that supports fine-grain policies with “OR” and “AND” gates over conditions.

With these keys in place, the encrypted PHR under the conditions (“Alice”, “allergies”) can be re-encrypted by proxy P1 and then decrypted by the general practitioner; it can also be re-encrypted by proxy P2 and then decrypted by the pharmacist. However, only proxy P1, and not proxy P2, can re-encrypt the encrypted PHR under the conditions (“Alice”, “imaging reports”, “2010”).

Our idea. Our main goal in this paper is to design C-PRE schemes that support “OR” and “AND” gates over conditions. The idea is to enhance the notion of PRE with features from attribute-based encryption (ABE). More precisely, we view the attributes of ABE as conditions, and by using PRE, the proxy can re-encrypt a ciphertext only if the associated conditions satisfy the policy.

At a glance, it may seem trivial to achieve this notion by combining a CCA-secure proxy re-encryption scheme with a CCA-secure attribute-based encryption scheme. Unfortunately, this is not the case. From a theoretical point of view, proxy re-encryption has complex properties that lead to many security issues, while the security proofs available for attribute-based encryption are comparatively limited. Concretely, for a CCA-secure conditional PRE, the proxy should be able to verify the validity of first level ciphertexts either publicly or privately (private verification refers to verification using the re-encryption key), and ciphertexts of both levels (first and second) must resist an adversary’s malicious manipulation attempts. Merely combining two ciphertexts allows malleability-style attacks on the (IND-CCA) security of the encryption scheme, and hence is insecure. Furthermore, the proxy must be able to perform the translation without any trusted party involved. Moreover, ciphertext translation is extended from traditional PRE to conditional re-encryption supporting “OR” and “AND” gates over conditions. These requirements increase the difficulty of constructing such a primitive.

Our contributions. In this paper, we move one step ahead by making the first attempt at constructing C-PRE schemes with a richer policy, in an interactive setting where the re-encryption key generation algorithm requires the private keys of both the delegator and the delegatee. Hence, it can be seen as a partial answer to the open research problem posed by Weng et al. Specifically, we introduce a new cryptographic primitive called interactive conditional proxy re-encryption with fine grain policy (ICPRE-FG), which is an extension of conditional proxy re-encryption. In an ICPRE-FG system, each ciphertext is labeled by the delegator with a set of descriptive conditions (or keywords). Each proxy’s re-encryption key is associated with a tree access structure whose leaves are associated with conditions; this structure determines which ciphertexts the key can re-encrypt. Hence, ciphertexts are simply labeled with a set of descriptive conditions, while the tree access structure is specified in the re-encryption key. This mirrors secret sharing: one can build a secret-sharing scheme that requires a set of parties to cooperate in order to reconstruct a secret, for instance by specifying a tree access structure whose interior nodes are AND and OR gates and whose leaves are the parties. Any set of parties that satisfies the tree can reconstruct the secret embedded in the re-encryption key.
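The PHR policies above and the tree-based secret sharing just described can be made concrete with a small worked example. The following Python code is added here for illustration; it is not the ICPRE-FG construction (whose key and ciphertext formats are not given on this page) but the generic Goyal et al. (2006) technique the introduction points to: an access tree of threshold gates over condition strings, a polynomial-based sharing of a secret down the tree, and Lagrange reconstruction from the leaves whose conditions a ciphertext label satisfies. The prime field, the helper names (`share`, `reconstruct`, `phr_example`) and the use of the PHR condition strings from the example are assumptions made for this illustration.

```python
"""Access-tree policy evaluation and tree-based secret sharing over conditions.

Added example, not the paper's scheme: it implements the generic KP-ABE-style
tree sharing of Goyal et al. (2006) over an arbitrary prime field (assumption),
with the PHR policies from the introduction as constructed sample input.
"""
import secrets

# Mersenne prime 2^127 - 1 (assumption: any prime field works for the toy;
# a pairing-based scheme would use the prime group order instead).
P = 2**127 - 1


class Node:
    """Interior node = k-of-n threshold gate (k=1 is OR, k=n is AND);
    leaf = one condition string."""
    def __init__(self, k=None, children=(), condition=None):
        self.k = k
        self.children = list(children)
        self.condition = condition

    def satisfied(self, conditions):
        """T(W) = 1 iff the condition set W satisfies this subtree."""
        if self.condition is not None:
            return self.condition in conditions
        return sum(c.satisfied(conditions) for c in self.children) >= self.k


def AND(*children): return Node(k=len(children), children=children)
def OR(*children): return Node(k=1, children=children)
def cond(c): return Node(condition=c)


def _poly_eval(coeffs, x):
    """Horner evaluation of a0 + a1*x + ... mod P."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % P
    return acc


def share(node, secret, out=None):
    """Push `secret` down the tree: each gate picks a random polynomial of degree
    k-1 with q(0)=secret and hands q(i) to child i. Returns the leaf shares in
    leaf order (the per-leaf material a tree-based re-encryption key carries)."""
    if out is None:
        out = []
    if node.condition is not None:
        out.append(secret)
        return out
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for i, child in enumerate(node.children, start=1):
        share(child, _poly_eval(coeffs, i), out)
    return out


def _lagrange_at_zero(points):
    """Interpolate through (x_i, y_i) and return the polynomial's value at 0."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(node, conditions, shares, pos=None):
    """Return the subtree's secret if `conditions` satisfies it, else None.
    `shares` is the leaf-ordered list from share(); `pos` walks the leaves."""
    if pos is None:
        pos = [0]
    if node.condition is not None:
        s = shares[pos[0]]
        pos[0] += 1
        return s if node.condition in conditions else None
    points = []
    for i, child in enumerate(node.children, start=1):
        val = reconstruct(child, conditions, shares, pos)  # always recurse: keeps pos in step
        if val is not None:
            points.append((i, val))
    if len(points) < node.k:
        return None
    return _lagrange_at_zero(points[:node.k])


def phr_example():
    """The two proxies' policies and two PHR labels from the introduction
    (constructed sample input). Returns {(proxy, record): (T(W)==1, secret recovered)}."""
    T1 = AND(cond("Alice"), OR(AND(cond("imaging reports"), cond("2010")), cond("allergies")))
    T2 = AND(cond("Alice"), cond("allergies"))
    records = {"allergies": {"Alice", "allergies"},
               "imaging": {"Alice", "imaging reports", "2010"}}
    result = {}
    for pname, tree in (("P1", T1), ("P2", T2)):
        secret = secrets.randbelow(P)          # each key shares its own fresh secret
        key_shares = share(tree, secret)
        for rname, label in records.items():
            recovered = reconstruct(tree, label, key_shares)
            result[(pname, rname)] = (tree.satisfied(label), recovered == secret)
    return result


if __name__ == "__main__":
    for k, v in sorted(phr_example().items()):
        print(k, v)
```

Running `phr_example()` reproduces the discussion of the PHR scenario: P1 recovers its secret for both labels, P2 only for (“Alice”, “allergies”), and for (“Alice”, “imaging reports”, “2010”) P2's AND gate sees a single valid share and returns None. Because each key shares an independently chosen secret, shares taken from P2's key interpolate to nothing useful inside P1's tree, which is the toy-level picture behind the collusion requirement stated later in the paper; the actual ICPRE-FG mechanism is not shown on this page.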

We formalize the ICPRE-FG security model by incorporating the advantages of previous C-PRE models. We chose to extend the model of Weng et al. (2009), since their C-PRE scheme comes with a proper framework as well as performance and security analysis. Our ICPRE-FG model closely follows that of Weng et al. (2009), with a few small modifications corresponding to the fine grain policy setting. Concretely, we define first and second level ciphertext security for ICPRE-FG. Furthermore, ICPRE-FG must provide security against collusion attacks: no group of proxies should be able to combine their re-encryption keys so as to re-encrypt a ciphertext that none of them alone could.

Then, we present an efficient construction of ICPRE-FG scheme, and prove its CCA-security under the well-studied decisional bilinear Diffie–Hellman (DBDH) assumption in the random oracle model.

The first PRE scheme was proposed by Blaze et al. (1998) based on ElGamal public key encryption. However, their scheme suffers from collusion attacks, i.e., Bob can collude with the proxy to reveal Alice’s secret key. In 2005, Ateniese et al. (2005) presented unidirectional PRE schemes based on bilinear pairings which resist collusion attacks. Subsequently, many PRE schemes were presented using pairings (Canetti and Hohenberger, 2007, Libert and Vergnaud, 2008, Weng et al., 2010). In the PKI-based setting, public key certificates must be distributed, which can be viewed as a drawback of that setting. Green and Ateniese (2007) extended the notion to identity-based proxy re-encryption (IB-PRE), which was subsequently also studied by Chu et al. (2009) and Lai et al. (2010). Because pairing computation is a costly operation, subsequent work (Deng et al., 2008, Chow et al., 2010) studied PRE schemes constructed without bilinear pairings, especially for settings with limited computational resources.

In conditional proxy re-encryption (C-PRE), only ciphertexts satisfying a certain keyword condition set by Alice can be transformed by the proxy. Weng et al. (2009) proposed a CCA-secure C-PRE scheme in the random oracle model. Unfortunately, later work by Weng et al. (2009) demonstrated that this earlier C-PRE scheme did not address the third level ciphertext security, and showed by a concrete attack that it is not CCA-secure. Subsequently, Weng et al. (2009) proposed a more efficient C-PRE scheme with CCA security in the random oracle model. Similarly, in the full version of their PKC 2008 paper, Libert and Vergnaud (2008) introduced a PRE scheme providing warrant-based and keyword-based delegation. Tang (2008) introduced type-based proxy re-encryption. Recently, Chu et al. introduced conditional proxy broadcast re-encryption (Chu et al., 2009), in which the proxy can delegate decryption rights to a set of users at a time. None of the previous C-PRE constructions is anonymous. Based on PRE and PEKS (public key encryption with keyword search), Fang et al. (2009) presented a replayable-CCA-secure anonymous C-PRE scheme without random oracles.

Attribute-based encryption (ABE) (Sahai and Waters, 2005) can be viewed as a generalization of identity-based cryptosystems in which attributes are incorporated as inputs: objects are encrypted using a set of attributes describing the intended receiver. Goyal et al. (2006) further developed this idea and introduced two variants of ABE, ciphertext-policy attribute-based encryption (CP-ABE) and key-policy attribute-based encryption (KP-ABE). In a CP-ABE system, a user’s private key is associated with a set of attributes and a ciphertext specifies an access policy over attributes; a user can decrypt if and only if his attributes satisfy the ciphertext’s policy. Goyal et al. (2006) also presented a construction for key-policy ABE, and in 2007, Bethencourt et al. (2007) presented a ciphertext-policy attribute-based encryption scheme. Similar to our ICPRE-FG, Liang et al. (2009) introduced a new cryptographic primitive called attribute-based proxy re-encryption (ABPRE), which extends traditional proxy re-encryption to the attribute-based setting and thus empowers users with delegation capability in an access control environment. Users, identified by attributes, can freely designate a proxy who can re-encrypt a ciphertext associated with one access policy into one associated with a different access policy. However, their scheme is only proved chosen-plaintext secure, and they state that strengthening it to chosen-ciphertext security is a challenging open problem. We note that in their approach the main difficulty is simulating the decryption oracle, since the re-encryption algorithm may change the format of valid ciphertexts. Hence, it is unknown how to extend their technique to achieve chosen-ciphertext security, and the open question they pose is indeed a challenging one.

The rest of this paper is organized as follows. In Section 2, we provide the definitions and complexity assumption used throughout this paper, together with the security model of ICPRE-FG schemes. In Section 3, we present our ICPRE-FG scheme in the random oracle model. Finally, Section 4 concludes the paper.

Section snippets

Definitions

In this section, we first review the complexity assumption required in our scheme, and then provide the definition and security model of a conditional proxy re-encryption scheme with fine grain policy support.

Proposed CCA-secure ICPRE-FG scheme

In this section, inspired by the ABE scheme of Goyal et al. (2006), we present our construction of an interactive conditional proxy re-encryption with fine grain policy scheme with CCA security. Recall that we wish to create an ICPRE-FG scheme in which a ciphertext created under condition set W can be re-encrypted only by a re-encryption key for an access tree T with T(W)=1. In addition, ICPRE-FG must provide security against collusion attacks. That means no group of proxies should be able to combine

Conclusion

In this paper, we introduced a new cryptographic primitive called interactive conditional proxy re-encryption with fine grain policy (ICPRE-FG), which is a much richer type of conditional proxy re-encryption. In an ICPRE-FG system, each ciphertext is labeled by the delegator with a set of descriptive conditions and each re-encryption key is associated with an access structure that specifies which ciphertexts the key can re-encrypt. We formalized the ICPRE-FG security model and

References (21)

  • G. Ateniese et al.

    Improved proxy re-encryption schemes with applications to secure distributed storage.

  • J. Bethencourt et al.

    Ciphertext-policy attribute-based encryption.

  • M. Blaze et al.

    Divertible protocols and atomic proxy cryptography.

  • D. Boneh et al.

    Efficient selective-ID based encryption without random oracles.

  • D. Boneh et al.

    Identity-based encryption from the Weil pairing.

  • R. Canetti et al.

    Chosen-ciphertext secure proxy re-encryption.

  • C. Chu et al.

    Conditional proxy broadcast re-encryption.

  • S. Chow et al.

    Efficient unidirectional proxy re-encryption.

  • R. Deng et al.

    Chosen-ciphertext secure proxy re-encryption without pairings.

  • L. Fang et al.

    Anonymous conditional proxy re-encryption without random oracle.

There are more references available in the full text version of this article.

Cited by (23)

  • KAPRE: Key-aggregate proxy re-encryption for secure and flexible data sharing in cloud storage

    2021, Journal of Information Security and Applications
    Citation Excerpt :

    PRE schemes that control the delegation of decryption rights based on the data owner’s access policy are the ones useful in the application scenario [45]. Such schemes include Type-based PRE (TPRE) [37–39], Conditional PRE (CPRE) [40–42] and Proxy Broadcast Re-encryption (PBRE) [43,44]. There are several constructions present in each of these categories satisfying different sets of properties.

  • Proxy re-encryption for fine-grained access control: Its applicability, security under stronger notions and performance

    2020, Journal of Information Security and Applications
    Citation Excerpt :

    An interesting problem was left open by Weng et al. [84] on how to construct a conditional proxy re-encryption scheme that supports more descriptive conditional keyword consisting of boolean predicates. Fang et al. [88] replaced the conditional keyword with an access structure [10] of descriptive attributes possessed by the users. Their scheme is unidirectional, interactive, non-transitive and non-temporary.

  • PRECISE: Identity-based private data sharing with conditional proxy re-encryption in online social networks

    2018, Future Generation Computer Systems
    Citation Excerpt :

    Thus, such construction achieves fine-grained data dissemination. We analyze and compare our scheme with several OSN schemes including Beato et al. [7], He et al. [13], Sun et al. [14], Beato et al. [15], Hu et al. [19], Liang et al. [36], and CPRE schemes including Yang et al. [35], Fang et al. [18], Xu et al. [17] in terms of data confidentiality, multiple receivers, suitable for OSN, secure data disseminating, re-encryption key generation and conditional dissemination. Table 1 shows the results with regard to these aspects.

  • Identity-based conditional proxy re-encryption with fine grain policy

    2017, Computer Standards and Interfaces
    Citation Excerpt :

    Following their work, many PRE schemes [11–15] with different properties have been proposed. To make flexible control on encrypted ciphertexts, conditional proxy re-encryption (CPRE) schemes [16,17,8,18] were proposed, in which only ciphertexts satisfying a certain condition can be re-encrypted. Identity-based proxy re-encryption.


This work is supported by ARC Future Fellowship FT0991397.
