What About Bob? The Inadequacy of CPA Security for Proxy Reencryption

  • Conference paper
Public-Key Cryptography – PKC 2019 (PKC 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11443)

Abstract

In the simplest setting of proxy reencryption, there are three parties: Alice, Bob, and Polly (the proxy). Alice keeps some encrypted data that she can decrypt with a secret key known only to her. She wants to communicate the data to Bob, but not to Polly (nor anybody else). Using proxy reencryption, Alice can create a reencryption key that will enable Polly to reencrypt the data for Bob’s use, but which will not help Polly learn anything about the data.

There are two well-studied notions of security for proxy reencryption schemes: security under chosen-plaintext attacks (CPA) and security under chosen-ciphertext attacks (CCA). Both definitions aim to formalize the security that Alice enjoys against both Polly and Bob.

In this work, we demonstrate that CPA security guarantees much less security against Bob than was previously understood. In particular, CPA security does not prevent Bob from learning Alice’s secret key after receiving a single honestly reencrypted ciphertext. As a result, CPA security provides scant guarantees in common applications.

We propose security under honest reencryption attacks (HRA), a strengthening of CPA security that better captures the goals of proxy reencryption. In applications, HRA security provides much more robust security. We identify a property of proxy reencryption schemes that suffices to amplify CPA security to HRA security and show that two existing proxy reencryption schemes are in fact HRA secure.

Supported by Facebook Fellowship 2018, NSF GRFP, NSF MACS CNS-1413920, DARPA IBM W911NF-15-C-0236, and Simons Investigator Award Agreement Dated 6-5-12. We would like to thank Rio LaVigne, Akshay Degwekar, Shafi Goldwasser, Vinod Vaikuntanathan, and anonymous reviewers for their helpful feedback.


Notes

  1.

    This description is an oversimplification. In the many party setting, the adversary has access to a reencryption oracle which will reencrypt ciphertexts between two uncorrupted parties or between two corrupted parties, but not from an honest party to a corrupted party.

  2.

    While we don’t examine every pairing-based construction of proxy reencryption, we suspect that rerandomizing reencryption will suffice for reencryption simulation in many, if not all.

  3.

    The full version [13] discusses the related definition of \(\mathsf {IND\text {-}CCA}_{0,1}\) security from [28].

  4.

    We might also appeal for support to [22], the only paper in the proxy reencryption literature of which we are aware adopting a security definition providing a reencryption oracle without a decryption oracle. One could look to the originators of proxy reencryption for guidance, but the shortcoming we identify does not manifest in the original setting of [5] (there is only Alice and Bob; there is no Proxy). It is therefore of little help.

  5.

    Note that Ivan and Dodis do not adopt the CPA definition used elsewhere, but a definition much closer to our own. There is no gap between their security guarantees and the requirements of their briefly-described application.

    Though primarily focused on the setting where the key escrow agent enforces the limited time requirement by eventually refusing to reencrypt, [22] considers the possibility of dividing time into epochs and enforcing the time limitation technically. Such a proxy reencryption is called temporary in [4]. We do not discuss temporary proxy reencryption further.

  6.

    The literature is divided about whether “single-hop” is merely a correctness property (i.e., able to reencrypt at least once, but agnostic about whether reencrypting more than once is possible) or if it is also a security property (i.e., a ciphertext can be reencrypted once, but never twice). This distinction manifests in the security definition. In works that consider only single-hop correctness [3, 4, 21, 28], the oracle \(\mathcal {O}_\mathsf {ReKeyGen}\) in the security game will not accept queries from honest users to corrupted users (i.e., (i, j) such that \(i\in \mathsf {Hon}\) and \(j\in \mathsf {Cor}\)). We adopt this formalism in Definitions 3 and 5 for simplicity of presentation only.

    In works that consider single-hop security [12, 17, 26], the oracle will answer such queries, but the challenge ciphertext must be encrypted under the key of an honest user \(i^*\) for which no such reencryption key was generated (which can be formalized in a number of ways).

    This work adopts the simplest model, requiring only one hop of correctness, but neither requiring nor forbidding additional functionality.

  7.

    Some existing notions in the proxy reencryption literature seem powerful enough to elevate CPA security to HRA security, including proxy invisibility [4], unlinkability [17], and punctured security [1]. However, these notions are not sufficiently well defined to draw any concrete conclusions. The notion of key-privacy [3] does not in general suffice for HRA security.

  8.

    While we do not examine every pairing-based construction of proxy reencryption, we suspect that rerandomizing reencryption will suffice for reencryption simulation in many, if not all.

  9.

    [31] separate the computation of \(\theta _i^*\) from Bob’s public key, but this is only a matter of presentation.

  10.

    The proof requires that an encryption scheme be both fully homomorphic and support proxy reencryption with RIND-CPA security. For concreteness, we have chosen to assume that there exists an FHE scheme whose corresponding PRE is RIND-CPA secure, but a different construction would suffice. We do not further explore the underlying cryptographic assumptions needed to instantiate this encryption scheme.

References

  1. Ananth, P., Cohen, A., Jain, A.: Cryptography with updates. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 445–472. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_15

  2. Aono, Y., Boyen, X., Phong, L.T., Wang, L.: Key-private proxy re-encryption under LWE. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT 2013. LNCS, vol. 8250, pp. 1–18. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-03515-4_1

  3. Ateniese, G., Benson, K., Hohenberger, S.: Key-private proxy re-encryption. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 279–294. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_19

  4. Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. (TISSEC) 9(1), 1–30 (2006)

  5. Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054122

  6. Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision Diffie-Hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_7

  7. Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_23

  8. Borcea, C., Polyakov, Y., Rohloff, K., Ryan, G., et al.: PICADOR: end-to-end encrypted publish-subscribe information distribution with proxy re-encryption. Future Gener. Comput. Syst. 71, 177–191 (2017)

  9. Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29

  10. Canetti, R., Hohenberger, S.: Chosen-ciphertext secure proxy re-encryption. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 185–194. ACM (2007)

  11. Chandran, N., Chase, M., Liu, F.-H., Nishimaki, R., Xagawa, K.: Re-encryption, functional re-encryption, and multi-hop re-encryption: a framework for achieving obfuscation-based security and instantiations from lattices. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 95–112. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_6

  12. Chow, S.S.M., Weng, J., Yang, Y., Deng, R.H.: Efficient unidirectional proxy re-encryption. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 316–332. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12678-9_19

  13. Cohen, A.: What about Bob? The inadequacy of CPA security for proxy reencryption. Cryptology ePrint Archive, Report 2017/785 (2017). https://eprint.iacr.org/2017/785

  14. Derler, D., Krenn, S., Lorünser, T., Ramacher, S., Slamanig, D., Striecks, C.: Revisiting proxy re-encryption: forward secrecy, improved security, and applications. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 219–250. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_8

  15. Döttling, N., Nishimaki, R.: Universal proxy re-encryption. Cryptology ePrint Archive, Report 2018/840 (2018). https://eprint.iacr.org/2018/840

  16. Everspaugh, A., Paterson, K., Ristenpart, T., Scott, S.: Key rotation for authenticated encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 98–129. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_4

  17. Fan, X., Liu, F.H.: Proxy re-encryption and re-signatures from lattices (2017)

  18. Fuchsbauer, G., Kamath, C., Klein, K., Pietrzak, K.: Adaptively secure proxy re-encryption. Cryptology ePrint Archive, Report 2018/426 (2018). https://eprint.iacr.org/2018/426

  19. Gentry, C.: A Fully Homomorphic Encryption Scheme. Stanford University (2009)

  20. He, Y.J., Hui, L.C., Yiu, S.M.: Avoid illegal encrypted DRM content sharing with non-transferable re-encryption. In: 2011 IEEE 13th International Conference on Communication Technology (ICCT), pp. 703–708. IEEE (2011)

  21. Hohenberger, S., Rothblum, G.N., Shelat, A., Vaikuntanathan, V.: Securely obfuscating re-encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 233–252. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_13

  22. Ivan, A.A., Dodis, Y.: Proxy cryptography revisited. In: NDSS (2003)

  23. Jakobsson, M.: On quorum controlled asymmetric proxy re-encryption. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 112–121. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49162-7_9

  24. Khurana, H., Heo, J., Pant, M.: From proxy encryption primitives to a deployable secure-mailing-list solution. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 260–281. Springer, Heidelberg (2006). https://doi.org/10.1007/11935308_19

  25. Lee, S., Park, H., Kim, J.: A secure and mutual-profitable DRM interoperability scheme. In: 2010 IEEE Symposium on Computers and Communications (ISCC), pp. 75–80. IEEE (2010)

  26. Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1_21

  27. Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3

  28. Nunez, D., Agudo, I., Lopez, J.: A parametric family of attack models for proxy re-encryption. In: 2015 IEEE 28th Computer Security Foundations Symposium (CSF), pp. 290–301. IEEE (2015)

  29. Oz, F., Murray, B., Dreyfuss, R.: What About Bob. Touchstone Pictures (1991)

  30. Phong, L., Wang, L., Aono, Y., Nguyen, M., Boyen, X.: Proxy re-encryption schemes with key privacy from LWE. Technical report, Cryptology ePrint Archive, Report 2016/327 (2016). http://eprint.iacr.org/2016/327

  31. Polyakov, Y., Rohloff, K., Sahu, G., Vaikuntanathan, V.: Fast proxy re-encryption for publish/subscribe systems. ACM Trans. Priv. Secur. (TOPS) 20(4), 14 (2017)

Author information

Correspondence to Aloni Cohen.

Appendices

A The Trivial Scheme

The following description and definition of circular security is adapted with slight modification from [6].

Let \((\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec})\) be a public-key encryption scheme with key space \(\mathcal {K}\) and message space \(\mathcal {M}\) such that \(\mathcal {K}\subseteq \mathcal {M}\). Let \(n>0\) be an integer and let \(\mathcal {C}\) be the set of functions \(\mathcal {C}= \{f:\mathcal {K}^n \rightarrow \mathcal {M}\}\) consisting of

  • all \(|\mathcal {M}|\) constant functions \(f_m(z) = m\) for all \(z \in \mathcal {K}^n\), and

  • all n selector functions \(f_i(x_1,\dots ,x_n) = x_i\) for \(1\le i \le n\).

We define circular security using the following game between a challenger and an adversary \(\mathcal {A}\). For an integer \(n>0\) and a security parameter \(\lambda \), the game proceeds as follows:

  • Initialization: The challenger chooses a random bit \(b\leftarrow \{0,1\}\). It generates \((\mathsf {pk}_1,\mathsf {sk}_1),\dots ,(\mathsf {pk}_n,\mathsf {sk}_n)\) by running \(\mathsf {KeyGen}(1^\lambda )\) n times, and sends \((\mathsf {pk}_1,\dots ,\mathsf {pk}_n)\) to \(\mathcal {A}\).

  • Queries: The adversary repeatedly issues queries where each query is of the form (i, f) with \(1\le i\le n\) and \(f\in \mathcal {C}\). The challenger responds by setting \(y = f(\mathsf {sk}_1,\dots ,\mathsf {sk}_n)\) and

    $$\begin{aligned} \mathsf {ct}\leftarrow {\left\{ \begin{array}{ll} \mathsf {Enc}(\mathsf {pk}_i,y) &{} \text {if } b=0 \\ \mathsf {Enc}(\mathsf {pk}_i,0^{|y|}) &{} \text {if } b=1 \end{array}\right. } \end{aligned}$$

    and sends \(\mathsf {ct}\) to \(\mathcal {A}\).

  • Finish: Finally, the adversary outputs a bit \(b' \in \{0,1\}\).

We say that \(\mathcal {A}\) wins the game if \(b=b'\). Let \(\mathsf {win}\) be the event that \(\mathcal {A}\) wins the game and define \(\mathcal {A}\)’s advantage as

$$\begin{aligned} \mathsf {Adv}_{\mathsf {circ},n}^\mathcal {A}(\lambda ) = \Pr [\mathsf {win}]. \end{aligned}$$

Definition 8

(n-Circular Security). We say that a public-key encryption scheme \((\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec})\) is n-way circular secure if for all probabilistic polynomial time adversaries \(\mathcal {A}\), there exists a negligible function \(\mathsf {negl}\) such that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {circ},n}^{\mathcal {A}}(\lambda ) < \frac{1}{2} + \mathsf {negl}(\lambda ). \end{aligned}$$

Because existing constructions of circularly secure encryption schemes based on standard assumptions require a bound on the total number of public keys n, the corresponding Trivial Scheme will only satisfy a bounded-key variant of CPA security, defined next.

Definition 9

(Proxy Reencryption: n-CPA Security). For \(n\in \mathbb {N}\), the n-CPA security game is identical to the CPA security game in Definition 3 except for the following underlined modifications. Recall that \(\mathsf {numKeys}\) is initialized to 0 and is incremented after every key generation call in the security game.

  • Uncorrupted Key Generation: obtain a new key pair \((\mathsf {pk}_i,\mathsf {sk}_i) \leftarrow \mathsf {KeyGen}(\mathsf {pp})\). \(\mathcal {A}\) is given \(\mathsf {pk}_i\). The current value of \(\mathsf {numKeys}\) is added to \(\mathsf {Hon}\) and \(\mathsf {numKeys}\) is incremented.

  • Corrupted Key Generation: obtain a new key pair \((\mathsf {pk}_i, \mathsf {sk}_i) \leftarrow \mathsf {KeyGen}(\mathsf {pp})\). \(\mathcal {A}\) is given \((\mathsf {pk}_i,\mathsf {sk}_i)\). The current value of \(\mathsf {numKeys}\) is added to \(\mathsf {Cor}\) and \(\mathsf {numKeys}\) is incremented.

The corresponding n-CPA advantage of \(\mathcal {A}\) is denoted \(\mathsf {Adv}_{\mathsf {cpa},n}^\mathcal {A}(\lambda ).\) A proxy reencryption scheme is n-CPA secure if for all probabilistic polynomial-time adversaries \(\mathcal {A}\), there exists a negligible function \(\mathsf {negl}\) such that

$$\begin{aligned} \mathsf {Adv}_{\mathsf {cpa},n}^\mathcal {A}(\lambda ) < \frac{1}{2} + \mathsf {negl}(\lambda ) \end{aligned}$$

 

Trivial Scheme.

Let \((\mathsf {KeyGen}_\mathsf {circ}, \mathsf {Enc}_\mathsf {circ}, \mathsf {Dec}_\mathsf {circ})\) be an n-way circular secure encryption scheme. Let \(\mathsf {Setup}\equiv \bot \), \(\mathsf {KeyGen}\equiv \mathsf {KeyGen}_\mathsf {circ}\); \(\mathsf {Enc}\equiv \mathsf {Enc}_\mathsf {circ}\);

$$\begin{aligned}&\mathsf {ReKeyGen}(\mathsf {sk}_i,\mathsf {pk}_j) := \mathsf {Enc}_\mathsf {circ}(\mathsf {pk}_j, \mathsf {sk}_i)\\&\mathsf {ReEnc}(\mathsf {rk}_{i\rightarrow j},\mathsf {ct}_i):= \mathsf {ct}_i \Vert \mathsf {rk}_{i\rightarrow j}\\&\mathsf {Dec}(\mathsf {sk}, \mathsf {ct}) := \left\{ \begin{array}{ll} \mathsf {Dec}_\mathsf {circ}(\mathsf {Dec}_\mathsf {circ}(\mathsf {sk},\mathsf {ct}^2),\mathsf {ct}^1) &{} \hbox {if } \mathsf {ct}= \mathsf {ct}^1 \Vert \mathsf {ct}^2 \\ \mathsf {Dec}_\mathsf {circ}(\mathsf {sk},\mathsf {ct}) &{} \hbox {otherwise} \end{array} \right. . \end{aligned}$$

 

Theorem 2 states that if \((\mathsf {KeyGen}_\mathsf {circ}, \mathsf {Enc}_\mathsf {circ}, \mathsf {Dec}_\mathsf {circ})\) is an n-way circular secure encryption scheme, then the corresponding Trivial Scheme \(\mathsf {PRE}\) is an n-CPA secure proxy reencryption scheme. In fact, the proof below extends to the case where there are n uncorrupted keys and any number of corrupted keys.
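The Trivial Scheme instantiated in Python, as an added example that is not code from the paper. The underlying public-key scheme is a toy, deliberately insecure textbook ElGamal stand-in (it is not circular secure; the prime, generator and all function names are assumptions made here), chosen only because secret keys lie inside its message space so that \(\mathsf {ReKeyGen}\) can encrypt \(\mathsf {sk}_i\). The point it demonstrates is the one the abstract makes: Bob's \(\mathsf {Dec}\) cannot run without first recovering Alice's secret key from a single honestly reencrypted ciphertext.

```python
import secrets

# Toy public-key encryption standing in for (KeyGen_circ, Enc_circ, Dec_circ).
# Constructed for illustration only: textbook ElGamal in Z_p^* with the Mersenne
# prime p = 2^127 - 1 and generator 3. It is NOT circular secure and is not a
# scheme from the paper; it is used only because it satisfies the structural
# requirement of Appendix A, K ⊆ M: a secret key is an integer in [1, p-2],
# which is also a valid message in [1, p-1].
P = 2**127 - 1
G = 3


def keygen_circ():
    sk = 1 + secrets.randbelow(P - 2)          # sk in [1, p-2]
    return pow(G, sk, P), sk                   # (pk, sk)


def enc_circ(pk, m):
    if not 1 <= m < P:
        raise ValueError("message outside Z_p^*")
    r = 1 + secrets.randbelow(P - 2)
    return (pow(G, r, P), m * pow(pk, r, P) % P)


def dec_circ(sk, ct):
    c1, c2 = ct
    return c2 * pow(c1, -sk, P) % P            # negative exponent needs Python 3.8+


# The Trivial Scheme of Appendix A on top of the toy PKE:
# Setup ≡ ⊥, KeyGen ≡ KeyGen_circ, Enc ≡ Enc_circ.
keygen = keygen_circ
enc = enc_circ


def rekeygen(sk_i, pk_j):
    # rk_{i→j} := Enc_circ(pk_j, sk_i): the delegator's secret key, encrypted to the delegatee.
    return enc_circ(pk_j, sk_i)


def reenc(rk, ct_i):
    # ReEnc(rk_{i→j}, ct_i) := ct_i || rk_{i→j}; the proxy does no cryptography at all.
    return ("reenc", ct_i, rk)


def dec(sk, ct):
    # On ct^1 || ct^2, first decrypt ct^2 to recover the original secret key,
    # then use that key on ct^1. On a plain ciphertext this is just Dec_circ.
    if isinstance(ct, tuple) and ct and ct[0] == "reenc":
        _, ct1, ct2 = ct
        sk_orig = dec_circ(sk, ct2)
        return dec_circ(sk_orig, ct1)
    return dec_circ(sk, ct)


def delegatee_view(sk_j, reencrypted_ct):
    """What the recipient of one honestly reencrypted ciphertext obtains.

    Returns (plaintext, sender_secret_key). Decryption cannot proceed without
    recovering sk_i, so the scheme hands Alice's key to Bob by construction.
    """
    _, ct1, ct2 = reencrypted_ct
    sk_i = dec_circ(sk_j, ct2)
    return dec_circ(sk_i, ct1), sk_i


def demo(message):
    """Alice -> Polly -> Bob round trip on a constructed message; returns checkable facts."""
    pk_a, sk_a = keygen()
    pk_b, sk_b = keygen()
    ct_a = enc(pk_a, message)                  # Alice's stored ciphertext
    rk_ab = rekeygen(sk_a, pk_b)               # Alice hands this to Polly
    ct_b = reenc(rk_ab, ct_a)                  # Polly's "reencryption" for Bob
    plaintext, recovered = delegatee_view(sk_b, ct_b)
    return {
        "correct": dec(sk_a, ct_a) == message and dec(sk_b, ct_b) == message,
        "plaintext": plaintext,
        "bob_recovers_alice_sk": recovered == sk_a,
    }
```

Polly, holding only \(\mathsf {ct}_i\) and \(\mathsf {rk}_{i\rightarrow j}\), sees two ciphertexts under keys she does not have, which is why n-CPA security can still hold; the leak is entirely on Bob's side.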

Proof

(of Theorem 2). For all \(n\in \mathbb {N}\) and any probabilistic, polynomial-time algorithm \(\mathcal {A}\) (the adversary against the trivial scheme), we construct an efficient algorithm \(\mathcal {A}_\mathsf {circ}\) such that \(\mathsf {Adv}_{\mathsf {circ},n}^{\mathcal {A}_\mathsf {circ}} = \frac{1}{2}\cdot \mathsf {Adv}_{\mathsf {cpa},n}^{\mathcal {A}}\). By the hypothesis, this advantage is negligible, completing the proof.

At the beginning of the game, the circular security challenger picks a random bit b. If \(b = 0\), then the Queries oracle encrypts all messages correctly; if \(b =1\), then the Queries oracle encrypts only the message 0. \(\mathcal {A}_\mathsf {circ}\) runs \(\mathcal {A}\) and simulates the CPA security game for \(\mathsf {PRE}\) (if \(\mathcal {A}\) does not follow the specification of the game, \(\mathcal {A}_\mathsf {circ}\) simply aborts).

At the start of Phase 1, \(\mathcal {A}_\mathsf {circ}\) calls its Initialization oracle in the circular security game. In return it receives the public keys \((\mathsf {pk}_1^\mathsf {circ},\dots ,\mathsf {pk}_n^\mathsf {circ})\). To answer an Uncorrupted Key Generation query, \(\mathcal {A}_\mathsf {circ}\) gives to \(\mathcal {A}\) the first unused public key \(\mathsf {pk}_i^\mathsf {circ}\) from this list. To answer a Corrupted Key Generation query, \(\mathcal {A}_\mathsf {circ}\) generates a new key pair \((\mathsf {pk},\mathsf {sk})\leftarrow \mathsf {KeyGen}\) and gives \((\mathsf {pk},\mathsf {sk})\) to the adversary.

\(\mathcal {A}_\mathsf {circ}\) begins Phase 2 by using its Queries oracle to learn the reencryption keys for all pairs of uncorrupted keys generated. Using its knowledge of the corrupted secret keys, it also computes reencryption keys for all the pairs of corrupted keys generated. Oracle calls from \(\mathcal {A}\) to \(\mathcal {O}_\mathsf {ReKeyGen}\) are answered with the corresponding reencryption key (or with \(\bot \)). To answer oracle calls from \(\mathcal {A}\) to \(\mathcal {O}_\mathsf {ReEnc}\), \(\mathcal {A}_\mathsf {circ}\) computes the appropriate response; namely, it concatenates the reencryption key to the ciphertext (or returns \(\bot \)).

At some point, \(\mathcal {A}\) queries the Challenge oracle with an honest key index i and a pair of messages \((\mathbf {m}_0,\mathbf {m}_1)\). \(\mathcal {A}_\mathsf {circ}\) chooses a random one of the messages \(\mathbf {m}\) and queries its own Queries oracle with the pair \((i,\mathbf {m})\), returning the resulting ciphertext to \(\mathcal {A}\).

Finally, \(\mathcal {A}\) guesses whether \(\mathbf {m}= \mathbf {m}_0\) or \(\mathbf {m}_1\). If \(\mathcal {A}\) guesses correctly, \(\mathcal {A}_\mathsf {circ}\) guesses the bit \(b' = 0\). Otherwise, \(\mathcal {A}_\mathsf {circ}\) guesses a random \(b' \leftarrow \{0,1\}\). Conditioned on \(b=0\), \(\mathcal {A}_\mathsf {circ}\) perfectly simulates the \(\mathsf {PRE}\) security game, and guesses \(b' = 0\) with probability \(\mathsf {Adv}_{\mathsf {cpa},n}^{\mathcal {A}}\). It follows that \(\mathsf {Adv}_{\mathsf {circ},n}^{\mathcal {A}_\mathsf {circ}} = \frac{1}{2}\cdot \mathsf {Adv}_{\mathsf {cpa},n}^{\mathcal {A}}\).

B Comparison to RIND-CPA

The concurrent work of Derler, Krenn, Lorünser, Ramacher, Slamanig, and Striecks [14] identifies the same problem with CPA security as discussed here. They define a new security notion—RIND-CPA security—as an additional property that proxy reencryption schemes should guarantee.

The key feature of RIND-CPA security is that the adversary gets access to an unrestricted \(\mathsf {ReEnc}\) oracle, but only before seeing the challenge ciphertext. The definition is similar to \(\mathsf {IND\text {-}CCA}_{0,1}\) of [28]. The definition of the RIND-CPA security experiment is from [14, Experiment 8].

Definition 10

(RIND-CPA Security Experiment).

  • \(\mathsf {pp}\leftarrow \mathsf {Setup}(1^\lambda ), (\mathsf {pk},\mathsf {sk}) \leftarrow \mathsf {KeyGen}(\mathsf {pp}), b \leftarrow \{0,1\}\)

  • \((\mathsf {pk}^*,\mathsf {st})\leftarrow \mathcal {A}(\mathsf {pp},\mathsf {pk})\)

  • \(\mathsf {rk}\leftarrow \mathsf {ReKeyGen}(\mathsf {sk},\mathsf {pk}^*)\)

  • \((\mathbf {m}_0,\mathbf {m}_1,\mathsf {st}) \leftarrow \mathcal {A}^{\{\mathsf {ReEnc}(\mathsf {rk},\cdot )\}}(\mathsf {st})\)

  • \(b^* \leftarrow \mathcal {A}(\mathsf {st},\mathsf {Enc}(\mathsf {pk},\mathbf {m}_b))\)

  • if \(b = b^*\) return 1, else return 0.

RIND-CPA security requires that for all efficient adversaries, the probability of outputting 1 in the experiment is \(\frac{1}{2} \pm \mathsf {negl}(\lambda )\).

In this section, we compare the approach of [14] with ours. We begin by describing RIND-CPA security as defined by [14]. Next, we compare RIND-CPA with HRA security informally, arguing that HRA provides the better generalization of Enc-CPA security to the PRE setting. Finally, we show that HRA and RIND-CPA security are incomparable notions.

B.1 Informal Comparison

RIND-CPA is less suitable than HRA as a replacement for CPA security of proxy reencryption. First and most importantly, HRA better captures the intuitive guarantees of Enc-CPA security for standard encryption. Second, access to an unrestricted \(\mathsf {ReEnc}\) oracle makes it more useful as a testing ground for the development of new techniques. Finally, two idiosyncrasies of the [14] formulation of RIND-CPA security present additional issues.

Capturing Enc-CPA security. In Enc-CPA security for standard encryption, the adversary is able to arbitrarily affect the distribution of plaintext messages. One way of viewing this aspect of the definition is that Enc-CPA requires security while being agnostic as to the true distribution over messages (except that it is efficiently sampleable). Other than choosing the distribution over messages, the adversary is only allowed to see publicly-available information (i.e. public keys and parameters) and honestly encrypted ciphertexts. Informally, the Enc-CPA guarantee is that security should hold under normal operating conditions against eavesdropping parties without making distributional assumptions on plaintext messages. However, Enc-CPA makes no guarantees about dishonestly generated or malformed ciphertexts.

HRA security captures this intuitive guarantee better than RIND-CPA. In the course of normal operation of a proxy reencryption, an adversarial party will see reencrypted ciphertexts. These ciphertexts may come at any time—both before and after other ciphertexts whose contents should remain secret. While HRA allows reencryption both before and after the challenge, RIND-CPA restricts the reencryption oracle to the period before the challenge.

HRA makes minimal assumptions about the distribution of plaintext messages by allowing the adversary to choose messages itself, just as in Enc-CPA. RIND-CPA goes further by making requirements in the face of malformed or dishonestly generated ciphertexts.

A testing ground for new techniques. For classical encryption, Enc-CCA security is strictly stronger than Enc-CPA security. In fact, there are many settings where Enc-CPA security is demonstrably insufficient. Why then does the cryptography community continue to study it? There are many answers to this question, but we mention only two. First, although insufficient for some applications, Enc-CPA is useful in others. Second, it is useful as an intermediate goal because it seems to capture a sort of hard core of the general problem of encryption and spurs the development of new techniques.

HRA security enjoys these same features; RIND-CPA does not. As for usefulness for applications, HRA is meaningful in many of the envisioned applications of proxy reencryption—many more than CPA security. Because RIND-CPA restricts the reencryption oracle to the period before the challenge ciphertext, its usefulness in applications is less clear.

The challenge of constructing CCA secure proxy reencryption is the same as the challenge of constructing Enc-CCA secure encryption: namely, dealing with dishonestly generated, possibly malformed ciphertexts. RIND-CPA, by allowing malformed ciphertexts, presents challenges similar to those of full CCA security.

As for the usefulness of HRA as an intermediate goal towards CCA security, the historical development of proxy reencryption is itself the proof. This sounds paradoxical: how can this be true if the notion has only just been introduced in this work? Many cryptographers who were targeting CPA security developed schemes that achieve HRA security with only minimal modification. The techniques developed in these constructions were later adapted to achieve CCA security. This suggests that cryptographers’ intuitions for the hard core of reencryption were not flawed, only the formalization of these intuitions as CPA security. HRA security is a better formalization of these intuitions and thus an appropriate intermediate goal for reencryption research.

Idiosyncrasies of the RIND-CPA definition. We mention two unusual properties of the [14] definition. Unlike the adversary’s access to a \(\mathsf {ReEnc}\) oracle, these properties are not inherent in the RIND-CPA concept. It would be easy to propose a modified RIND-CPA definition that did not have these properties (e.g., \(\mathsf {IND\text {-}CCA}_{0,1}\) in [28]).

First, the definition only considers the two party setting. Much like the informal description of proxy reencryption in Sect. 1, there is only a single uncorrupted key and a single corrupted key. It is easy to show that security in the two party setting does not imply security in a many party setting.

Second, not only are inputs to \(\mathsf {ReEnc}\) allowed to be malformed, but the corrupted public key \(\mathsf {pk}^*\) can be malformed as well. The adversary outputs \(\mathsf {pk}^*\) itself, and it need not be honestly generated. This makes RIND-CPA security as defined in [14] formally incomparable to all other definitions of proxy reencryption security we know of, including the \(\mathsf {IND\text {-}CCA}_{0,1}\) of [28].

These drawbacks of the [14] definition do not affect the proof of Theorem 7, but neither does the proof depend on them.

B.2 Separating RIND-CPA and HRA Security

The following pair of theorems support the conclusion that HRA security and RIND-CPA security are incomparable.

Theorem 6

If there exists an HRA secure PRE scheme, then there exists a PRE scheme that is HRA secure but not RIND-CPA secure.

Proof

Suppose \(\mathsf {PRE}\) is HRA secure, and let \(\top \) be a special symbol that is not a valid ciphertext. Define a new scheme \(\mathsf {PRE}'\) by modifying reencryption as follows:

$$\begin{aligned} \mathsf {ReEnc}'(\mathsf {rk}, \mathsf {ct}) := \left\{ \begin{array}{ll} \mathsf {ReEnc}(\mathsf {rk}, \mathsf {ct}) &{} \quad \hbox {if }\mathsf {ct}\ne \top \\ \mathsf {rk}&{} \quad \hbox {if } \mathsf {ct}= \top \end{array} \right. . \end{aligned}$$

\(\mathsf {PRE}'\) is still HRA secure: \(\mathcal {O}_{\mathsf {ReEnc}'}\) is functionally equivalent to \(\mathcal {O}_\mathsf {ReEnc}\) when restricted to honestly generated ciphertexts.

\(\mathsf {PRE}'\) is not RIND-CPA secure: a single call to \(\mathcal {O}_{\mathsf {ReEnc}'}(i,j,\top )\) (made before the challenge) allows the adversary to learn the reencryption key \(\mathsf {rk}_{i\rightarrow j}\) and thereby decrypt the challenge ciphertext.

Theorem 7

Under the assumptions stated below, there exists a PRE scheme that is RIND-CPA secure but not HRA secure.

The claim assumes the existence of a pair of encryption schemes, \(\mathsf {PRE}\) and \(\mathsf {FHE}\), with the following properties. \(\mathsf {PRE}\) is a RIND-CPA secure proxy reencryption scheme with a ciphertext space \(\mathcal {C}_\mathsf {inner}\). \(\mathsf {FHE}\) is a circuit private fully homomorphic encryption scheme with message space \(\mathcal {M}_\mathsf {fhe}= \mathcal {C}_\mathsf {inner}\). The message spaces and ciphertext spaces of the two schemes are all disjoint and efficiently decidable. Finally, the additional proxy reencryption scheme \(\mathsf {PRE}_\mathsf {FHE}\) corresponding to the FHE scheme (see Sect. 5.3) is RIND-CPA secure (see Note 10). For simplicity, we also assume perfect correctness of reencryption (for both schemes) and of homomorphic evaluation.

Below we present an intuition for the proof of Theorem 7. The full proof is included in the full version [13].

Proof Intuition for Theorem 7. Recall that RIND-CPA security allows the adversary access to an unrestricted \(\mathsf {ReEnc}\) oracle, but only before the challenge ciphertext is generated. The main difficulty in separating RIND-CPA and HRA security is the restriction in the HRA reencryption oracle to honestly generated ciphertexts.

The first idea in our construction is the observation that separating RIND-CPA and HRA security would be easy if it were possible to use the \(\mathsf {Enc}\) oracle to generate a fresh, honest encryption of the challenge plaintext. This fresh encryption could be reencrypted by the HRA reencryption oracle to a corrupted key, revealing the challenge plaintext.

The second idea is to have two layers of encryption, where the message space of the outer layer is equal to the ciphertext space of the inner layer. If the challenge ciphertext comes from the inner layer, then it can be used as input to the \(\mathsf {Enc}\) oracle to generate a new outer ciphertext containing information about the challenge plaintext—namely, an encryption of the challenge ciphertext. The outer ciphertext is honestly generated and can be reencrypted to a corrupt party and decrypted. But it seems we are no better off; decrypting the outer ciphertext only returns the challenge ciphertext still encrypted under the key of an honest party.

The third idea is to modify \(\mathsf {ReEnc}\)—using fully homomorphic encryption—to reencrypt both the outer ciphertext and the inner challenge ciphertext. In addition to the usual reencrypted ciphertext, we augment \(\mathsf {ReEnc}\) to output an additional, doubly reencrypted ciphertext, where both the outer and inner ciphertexts have been reencrypted. If the recipient of the resulting ciphertext is corrupt, the adversary can decrypt both layers and recover the challenge plaintext, violating HRA security.

We now describe the intuition for how to perform double reencryption. Suppose the proxy reencryption scheme used for the outer layer of encryption is also fully homomorphic. Such a scheme can be constructed from any FHE scheme (see Sect. 5.3). Given as input an outer-layer ciphertext \(\mathsf {ct}_\mathsf {outer}= \mathsf {Enc}(\mathsf {ct}_\mathsf {inner})\), \(\mathsf {ReEnc}\) will homomorphically evaluate \(\mathsf {Eval}_\mathsf {fhe}(\mathsf {ReEnc},\mathsf {ct}_\mathsf {outer})\). The result is a (non-reencrypted) outer ciphertext containing a reencrypted inner ciphertext. Then, \(\mathsf {ReEnc}\) reencrypts that outer ciphertext. This produces a reencrypted outer ciphertext containing a reencrypted inner ciphertext.

Violating HRA security is simple: the adversary encrypts the challenge ciphertext, reencrypts it to a corrupted key, then decrypts the doubly reencrypted component twice to recover the challenge message.

It remains to prove that the constructed PRE scheme is RIND-CPA secure. The homomorphic double reencryption functionality can be simulated by a sequence of calls to \(\mathsf {Enc}\), \(\mathsf {Dec}\) and \(\mathcal {O}_\mathsf {ReEnc}\), allowing us to analyze the two-layered scheme without the double-reencryption modification to \(\mathsf {ReEnc}\). The RIND-CPA security of that scheme follows directly from the RIND-CPA security of the PRE scheme underlying the two layers.

Copyright information

© 2019 International Association for Cryptologic Research

Cite this paper

Cohen, A. (2019). What About Bob? The Inadequacy of CPA Security for Proxy Reencryption. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. PKC 2019. Lecture Notes in Computer Science(), vol 11443. Springer, Cham. https://doi.org/10.1007/978-3-030-17259-6_10

  • DOI: https://doi.org/10.1007/978-3-030-17259-6_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17258-9

  • Online ISBN: 978-3-030-17259-6
