Certificateless Proxy Re-Encryption Without Pairings

Abstract

Proxy re-encryption (PRE) allows a proxy with re-encryption keys to transform a ciphertext under a given public key into a ciphertext of the same message under a different public key, and can not learn anything about the encrypted message. Due to its transformation property, PRE has many practical applications such as cloud storage, confidential email, and digital right management, and so on. Certificateless proxy re-encryption (CLPRE) provides not only the transformation property of PRE but also the advantage of identity-based cryptography without suffering from its inherent key escrow. Unfortunately, construction of CLPRE schemes has so far depended on the costly bilinear pairings. In this paper, we propose the first construction of CLPRE schemes without the bilinear pairings whose security is based on the standard computational Diffie-Hellman (CDH) assumption in the random oracle model. We first present a chosen-plaintext (CPA) secure CLPRE scheme, and then convert it into a chosen-ciphertext (CCA) secure CLPRE scheme. Compared with other CLPRE schemes, our CLPRE schemes provide the shortest re-encryption key and do not require any pairing operation and map-to-point hash operation, which are more efficient and more suitable for low-power devices.

Appendices

A Single-Hop Unidirectional CLPRE

Definition 1 (CLPRE). A single-hop unidirectional CLPRE scheme consists of the following algorithms:

• Setup( \(1^\lambda \) ): Taking security parameter \(1^\lambda \) as input, the Key Generation Center (KGC) runs the algorithm to generate the public parameters params and a master key msk. The params includes the description of message space \(\mathcal {M}\). We assume throughout that params are publicly and authentically available.

• PartialKeyExtract(params,msk, \(ID_A\) ): Taking params, msk and a user \(A\)’s identifier \(ID_A\) as inputs, the KGC runs the algorithm to generate a partial public key \(P_A\) and a partial private key \(D_A\). \(P_A\) and \(D_A\) are transported to the user \(A\) over a secure channel by KGC.

• SetSecretValue(params, \(ID_A\) ): Taking params and user \(A\)’s identifier \(ID_A\) as inputs, this algorithm returns a randomly chosen secret value \(S_A\). This algorithm and the next two are performed by the user \(A\) himself.

• SetPrivateKey(params, \(D_A\) , \(S_A\) ): Taking params, \(D_A\) and \(S_A\) as inputs, user \(A\) runs the algorithm to generate a private key \(SK_A\).

• SetPublicKey(params, \(P_A\) , \(S_A\) ): Taking params, \(P_A\) and \(S_A\) as inputs, this algorithm returns a public key \(PK_A\).

• SetReEncKey(params, \(SK_A\) , \(ID_A\) , \(PK_A\) , \(ID_B\) , \(PK_B\) ): Taking params, user \(A\)’s identifier \(ID_A\) and a public/private key pair (\(PK_A\),\(SK_A\)), user \(B\)’s identifier \(ID_B\) and public key \(PK_B\) as inputs, this algorithm returns a re-encryption key \(RK_{A\rightarrow B}\) that allows converting second level ciphertexts for \(ID_A\) into first level ciphertexts for \(ID_B\).

• \(\mathbf{Encrypt}\)(params,\(ID_A\),\(PK_A\),\(m\)): Taking params, user \(A\)’s identifier \(ID_A\) and public key \(PK_A\), a message \(m \in \mathcal {M}\) as inputs, this algorithm returns a second level ciphertext \(C_A\) that can be re-encrypted into a first level one (intended for a possibly different receiver) using the suitable re-encryption key. A ciphertext is called first level ciphertext if it cannot be re-encrypted for another party. In our schemes, first level ciphertexts are re-encrypted ciphertexts.

• \(\mathbf{ReEncrypt}\)(params,\(RK_{A\rightarrow B}\),\(C_A\)): Taking params, a re-encryption key \(RK_{A\rightarrow B}\) from user \(A\) to user \(B\) and a second level ciphertext \(C_A\) for user \(A\) as inputs, this algorithm returns a first level ciphertext \(C_B^\prime \) for user \(B\) or \(\bot \).

• \(\mathbf{Decrypt}_1\)(params,\(SK_B\),\(C_B^\prime \)): Taking params, a user \(B\)’s private key \(SK_B\) and a first level ciphertext \(C_B^\prime \) as inputs, this algorithm returns either a message \(m\) or \(\bot \).

• \(\mathbf{Decrypt}_2\)(params,\(SK_A\),\(C_A\)): Taking params, a user \(A\)’s private key \(SK_A\) and a second level ciphertext \(C_A\) as inputs, this algorithm returns either a message \(m\) or \(\bot \).

Correctness. For all \(m \in \mathcal {M}\) and all pair (\(PK_A\),\(SK_A\)), (\(PK_B\),\(SK_B\)), these algorithm should satisfy the following conditions of correctness:

• \(\mathbf{Decrypt}_2(\mathbf{params},SK_A,\mathbf{Encrypt}(\mathbf{params},ID_A,PK_A,m)) = m.\)

• \(\mathbf{Decrypt}_1(\mathbf{params},SK_B,\mathbf{ReEncrypt}(\mathbf{params},RK_{A\rightarrow B},C_A)) = m.\)

where \(C_A = \mathbf{Encrypt}(\mathbf{params},ID_A,PK_A,m)\), \(RK_{A\rightarrow B} = \mathbf{SetReEncKey} (\mathbf{params},SK_A,ID_A,PK_A,ID_B,PK_B)\).

B Security Model

Definition 2. Security of Second Level Ciphertexts (2nd-IND-CLPRE-ATK). Let \(ATK \in \{CPA,CCA\}\), security of second level ciphertexts is defined according to the following two games “Game I” and “Game II”. The challenger \(\mathcal {B}\) maintains a public key list \(Publickey^{List}\) which is set of \((ID,PK_{ID},st)\). Let \(PK_{ID}\) denotes the current public key for \(ID\), \(st=0\) denotes the \(PK_{ID}\) is generated honestly by \(\mathcal {B}\), \(st=1\) denotes \(\mathcal {B}\) embed the hard problem into the \(PK_{ID}\) and \(st=\bot \) denotes the public key for \(ID\) has already replaced by \(\mathcal {A}_I\).

“Game I”: This is a game between \(\mathcal {A}_I\) and the challenger \(\mathcal {B}\).

• Setup: The challenger \(\mathcal {B}\) takes a security parameter \(1^\lambda \) and runs the Setup( \(1^\lambda \) ) algorithm to generate the system parameter params and a master key msk. The challenger gives params to \(\mathcal {A}_I\) while keeping msk secret.

• Phase 1: \(\mathcal {A}_I\) issues queries \(q_1,\cdots ,q_m\) adaptively where query \(q_i\) is one of the following:

  • Partial key extraction queries: On input \(ID\) by \(\mathcal {A}_I\), the challenger \(\mathcal {B}\) responds by running algorithm PartialKeyExtract to generate the partial key (\(P_{ID}\),\(D_{ID}\)) for entity \(ID\).

  • Public key request queries: On input \(ID\) by \(\mathcal {A}_I\), the challenger \(\mathcal {B}\) searches whether exists a tuple \((ID,PK_{ID},st) \in Publickey^{List}\). If exists, \(\mathcal {B}\) returns \(PK_{ID}\) to \(\mathcal {A}_I\). Otherwise, \(\mathcal {B}\) runs algorithm SetPublicKey to generate the public key \(PK_{ID}\) for \(ID\). \(\mathcal {B}\) adds \((ID,PK_{ID},st)\) to the \(Publickey^{List}\) where the value of \(st\) is decided by the \(\mathcal {B}\)’s strategy and return \(PK_{ID}\) to \(\mathcal {A}_I\).

  • Private key extraction queries: On input \(ID\) by \(\mathcal {A}_I\), \(\mathcal {B}\) searches a tuple \((ID,PK_{ID},st) \in Publickey^{List}\). If \(st \ne \bot \), \(\mathcal {B}\) responds by running algorithm SetPrivateKey to generate the private key \(SK_{ID}\) for entity \(ID\). However, it is unreasonable to expect \(\mathcal {B}\) to be able to respond to such a query if \(\mathcal {A}_I\) has already replaced \(ID\)’s public key and \(\mathcal {B}\) returns “Reject” for this case \(st=\bot \).

  • Replace public key queries: \(\mathcal {A}_I\) can repeatedly replace the public key \(PK_{ID}\) for any entity \(ID\) with any valid public key \(PK^\prime _{ID}\) of its choice. \(PK^\prime _{ID}\) is called a valid public key if \(PK^\prime _{ID} \in G^* \times G^* \times G^*\) in our CLPRE schemes. If does not exist a tuple \((ID,PK_{ID},st) \in Publickey^{List}\), \(\mathcal {B}\) adds \((ID,PK^\prime _{ID},st=\bot )\) to \(Publickey^{List}\). Otherwise, \(\mathcal {B}\) renews \((ID,PK_{ID},st)\) with \((ID,PK^\prime _{ID},st=\bot )\).

  • Re-encryption key extraction queries: On input (\(ID_1\),\(ID_2\)) by \(\mathcal {A}_I\), \(\mathcal {B}\) searches a tuple \((ID_1,PK_{ID_1},st_1) \in Publickey^{List}\). if \(st_1 \ne \bot \), \(\mathcal {B}\) responds by running algorithm SetReEncKey to generate the re-encryption key \(RK_{ID_1\rightarrow ID_2}\). Otherwise, return “Reject”. It is unreasonable to expect \(\mathcal {B}\) to be able to respond to such a query if \(\mathcal {A}_I\) has already replaced \(ID_1\)’s public key.

  • Re-encryption queries: On input (\(ID_1\),\(ID_2\),\(C_{ID_1}\)) by \(\mathcal {A}_I\),

    1. 1.

       If \(ATK = CCA\), \(\mathcal {B}\) searches a tuple \((ID_1,PK_{ID_1},st_1) \in Publickey^{List}\). if \(st_1 \ne \bot \), \(\mathcal {B}\) responds by running algorithm ReEncrypt to convert the second level ciphertext \(C_{ID_1}\) into a first level \(C_{ID_2}^\prime \) with the suitable re-encryption key \(RK_{ID_1\rightarrow ID_2}\). Otherwise, return “Reject”. It is also unreasonable to expect \(\mathcal {B}\) to be able to respond to such a query if \(\mathcal {A}_I\) has already replaced \(ID_1\)’s public key.

    2. 2.

       If \(ATK = CPA\), return \(\bot \) to \(\mathcal {A}_I\).

  • Decryption queries for first level ciphertext: On input (\(ID\),\(C\)) by \(\mathcal {A}_I\),

    1. 1.

       \(ATK = CCA\): If \(C\) is a first level ciphertext, \(\mathcal {B}\) runs the algorithm \(\mathbf{Decrypt}_1\) using the related private key to decrypt the \(C\) and returns the result to \(\mathcal {A}_I\). Otherwise, return “Reject”.

    2. 2.

       \(ATK = CPA\): return \(\bot \) to \(\mathcal {A}_I\).

  • Decryption queries for second level ciphertext: On input (\(ID\),\(C\)) by \(\mathcal {A}_I\),

    1. 1.

       \(ATK = CCA\): If \(C\) is a second level ciphertext, \(\mathcal {B}\) runs the algorithm \(\mathbf{Decrypt}_2\) using the related private key to decrypt the \(C\) and returns the result to \(\mathcal {A}_I\). Otherwise, return “Reject”.

    2. 2.

       \(ATK = CPA\): return \(\bot \) to \(\mathcal {A}_I\).

• Challenge: Once the adversary \(\mathcal {A}_I\) decides that Phase 1 is over it outputs the challenge identity \(ID^{*}\) and two equal length plaintexts \(m_0, m_1 \in \mathcal {M}\). In particular, \(ID^{*}\) can not be corrupted⁶. Moreover, \(\mathcal {A}_I\) is restricted to choose a challenge identity \(ID^{*}\) such that trivial decryption is not possible (i.e., It does not happen both \(\mathcal {A}_I\) has extracted the re-encryption key \(RK_{ID^{*}\rightarrow ID}\) and \(ID\) has been corrupted by \(\mathcal {A}_I\)). \(\mathcal {B}\) searches a tuple \((ID^*,PK_{ID^*},st^*) \in Publickey^{List}\). \(\mathcal {B}\) then picks a random bit \(\beta \in \{0,1\}\) and computes the challenge ciphertext \(C^{*}\) = Encrypt(params,\(ID^{*}\),\(PK_{ID^{*}}\), \(m_\beta \)). The challenger returns \(C^{*}\) to \(\mathcal {A}_I\).

• Phase 2: Almost the same as that in Phase 1, but with the following restrictions.

  • Partial key extraction queries: On input \(ID\) by \(\mathcal {A}_I\), if \(\mathcal {A}_I\) has already replaced the public key for \(ID\) and exists a pair \((ID,C)\) is a derivative of \((ID^{*},C^{*})\), the challenger \(\mathcal {B}\) returns \(\bot \). Derivatives of \((ID^{*},C^{*})\) [12] is defined as follows:

    1. 1.

       Reflexivity: \((ID^{*},C^{*})\) is a derivative of itself.

    2. 2.

       Derivation by re-encryption: If the adversary has issued a re-encryption query on input \((ID^{*},ID,C^{*})\) and obtained the resulting re-encryption ciphertext \(C\), then \((ID,C)\) is a derivative of \((ID^{*},C^{*})\).

    3. 3.

       Derivation by re-encryption key: If the adversary has issued a re-encryption key extract query on input \((ID^{*},ID)\) and obtained the re-encryption key \(RK_{ID^{*}\rightarrow ID}\), then \((ID,C)\) is a derivative of \((ID^{*},C^{*})\) where \(C = \mathbf{ReEncrypt}(\mathbf{params},RK_{{ID^{*}}\rightarrow ID},C^{*})\).

  • Private key extraction queries: On input \(ID\) by \(\mathcal {A}_I\) if exists a pair \((ID,C)\) is a derivative of \((ID^{*},C^{*})\) or \({ID} = {ID^{*}}\), \(\mathcal {B}\) returns \(\bot \).

  • Re-encryption key extraction queries: On input (\(ID_1\),\(ID_2\)) by \(\mathcal {A}_I\), if \(ID_1= ID^{*}\) and the entity \(ID_2\) has been corrupted by \(\mathcal {A}_I\), \(\mathcal {B}\) returns \(\bot \).

  • Re-encryption queries: On input (\(ID_1\),\(ID_2\),\(C_{ID_1}\)) by \(\mathcal {A}_I\), if \((ID_1,C_{ID_1})\) is a derivative of \((ID^{*},C^{*})\) and \(ID_2\) has been corrupted by \(\mathcal {A}_I\), \(\mathcal {B}\) returns \(\bot \).

  • Decryption queries for first level ciphertext: On input (\(ID\),\(C\)) by \(\mathcal {A}_I\), if \((ID,C)\) is a derivative of \((ID^{*},C^{*})\), the challenger returns \(\bot \).

  • Decryption queries for second level ciphertext: On input (\(ID\),\(C\)) by \(\mathcal {A}_I\), if \((ID,C) = (ID^{*},C^{*})\), the challenger returns \(\bot \).

• Guess: Finally, the adversary \(\mathcal {A}_I\) outputs a guess \(\beta ^{\prime }\in \{0,1\}\) and wins the game if \(\beta ^{\prime }=\beta \).

“Game II”: This is a game between \(\mathcal {A}_{II}\) and the challenger \(\mathcal {B}\). We merely describe the difference between “Game I” and “Game II” as follows:

• \(\mathcal {A}_{II}\) knows the master-key but is disallowed to replace public keys during the “Game II”. Hence, \(\mathcal {A}_{II}\) does not need partial key extraction oracle and is not provided the public key replacement oracle.

• In “Game II”, an entity \(ID\) is called corrupted if \(\mathcal {A}_{II}\) has already extracted the private key for \(ID\).

• For public key request queries issued by \(\mathcal {A}_{II}\), \(\mathcal {B}\) additionally needs to return a randomness \(s_{ID}\) with respect to the partial public key \(P_{ID}\) such that \(\mathcal {A}_{II}\) can compute the partial private key by itself.

We define \(\mathcal {A}_i\)’s advantage in “Game \(i\)” at level 2 where \(i\in \{I,II\}\) as

$$Adv^{2nd-IND-CLPRE-ATK}_{Game\ i,\ \mathcal {A}_i}(\lambda ) = |Pr[\beta ^{\prime }=\beta ]-\frac{1}{2}|$$

A single-hop unidirectional CLPRE scheme is said to be \((t,\epsilon )\)-2nd-IND-CLPRE-ATK secure if for any \(t\)-time 2nd-IND-CLPRE-ATK adversary \(\mathcal {A}_i\) we have \(Adv^{2nd-IND-CLPRE-ATK}_{Game\ i,\ \mathcal {A}_i}(\lambda )<\epsilon \) for both \(i=I\) and \(i=II\). We simply say that a single-hop unidirectional CLPRE scheme is 2nd-IND-CLPRE-ATK secure if \(t\) is polynomial with respect to security parameter \(\lambda \) and \(\epsilon \) is negligible.

Definition 3. Security of First Level Ciphertexts (1st-IND-CLPRE-ATK). We merely describe the difference between Definitions 2 and 3 as follows:

• Since first level ciphertexts cannot be re-encrypted, \(\mathcal {A}_i\) (\(i\in \{I,II\}\)) is granted access to all re-encryption keys. The re-encryption oracle becomes useless since all re-encryption keys are available to \(\mathcal {A}_i\).

• Derivatives of the challenge ciphertext are simply defined as \((ID^{*},C^{*})\) is a derivative of itself.

• For challenge query issued by \(\mathcal {A}_i\), \(\mathcal {A}_i\) is required to provide the delegator \(\widetilde{ID}\), the delegatee \(ID^*\) and two equal length plaintexts \(m_0, m_1 \in \mathcal {M}\). The challenge ciphertext is then generated by the re-encryption process. Specifically, \(C^*=\mathbf{ReEncrypt}(\mathbf{params}, RK_{\widetilde{ID} \rightarrow ID^*},\mathbf{Encrypt}(\mathbf{params},\widetilde{ID},\widetilde{PK},m_\beta ))\) where \(\beta \mathop {\longleftarrow }\limits ^{\$} \{0,1\}\). Note that Type I adversary \(\mathcal {A}_I\) disallows replace the public key of \(\widetilde{ID}\) before the challenge phase, otherwise the challenge ciphertext \(C^*\) can not be generated correctly. We also require that \(\mathcal {A}_i\) for both \(i=I\) and \(i=II\) cannot issue the private key extract query for \(\widetilde{ID}\). Since the construction of our CLPRE schemes (cf. Sect. 4) has the original access [1] property, the restriction is necessary. Obviously, \(ID^*\) is uncorrupted.

A single-hop unidirectional CLPRE scheme is said to be \((t,\epsilon )\)-1st-IND-CLPRE-ATK secure if for any \(t\)-time 1st-IND-CLPRE-ATK adversary \(\mathcal {A}_i\) we have \(Adv^{1st-IND-CLPRE-ATK}_{Game\ i,\ \mathcal {A}_i}(\lambda )=|Pr[\beta ^{\prime }=\beta ]-\frac{1}{2}|<\epsilon \) for both \(i=I\) and \(i=II\).

Definition 4 (CLPRE-ATK Security). We say a CLPRE scheme is CLPRE-ATK secure where \(ATK \in \{CPA,CCA\}\) if the scheme is 1st-IND-CLPRE-ATK secure and 2nd-IND-CLPRE-ATK secure.

C Security Proof of Theorem 1

We shall accomplish our proof with two following lemmas. Lemmas 1 and 2 show that the proposed CLPRE1 scheme is 2nd-IND-CLPRE-CPA secure and 1st-IND-CLPRE-CPA secure respectively.

Lemma 1. The proposed CLPRE1 scheme is 2nd-IND-CLPRE-CPA secure in the random oracle model, if the CDH assumption holds in \(\mathbb {G}\) and the Schnorr signature is EUF-CMA secure.

Firstly, we prove that the proposed CLPRE1 scheme is 2nd-IND-CLPRE-CPA secure against Type I adversary \(\mathcal {A}_I\) in the random oracle model. In particular, if there exists a 2nd-IND-CLPRE-CPA Type I adversary \(\mathcal {A}_I\) against our CLPRE1 scheme with advantage \(\epsilon \) when running in time \(t\), making \(q_{pk}\) public key request queries, \(q_{pak}\) partial key extract queries, \(q_{prk}\) private key extract queries, \(q_{pr}\) public key replacement queries, \(q_{rk}\) re-encryption key extract queries and \(q_{H_i}\) random oracle queries to \(H_i\) (\(1\leqslant i \leqslant 4\)). Then, for any \(0 < \upsilon < \epsilon \), there exists

• either an algorithm \(\mathcal {B}\) to solve the (\(t^{\prime },{\epsilon }^{\prime }\))-CDH problem in \(\mathbb {G}\) with

  $$\begin{aligned} t^{\prime }\le&\ t+(q_{H_1}+q_{H_2}+q_{H_3}+q_{H_4}+q_{pk}+q_{pak}+q_{prk}+q_{pr}+q_{rk})O(1)\\&+(2q_{pk}+q_{pak}+2q_{prk}+3q_{rk})t_e \\ \epsilon ^{\prime } \ge&\ \frac{1}{q_{H_2}}\left( \frac{2(\epsilon -\upsilon )}{e(1+q_{prk}+{q_{rk}})}-\tau \right) \end{aligned}$$

  where \(t_e\) denotes the running time of an exponentiation in group \(\mathbb {G}\), \(e\) denotes the base of the natural logarithm and \(\tau \) denotes the advantage that \(\mathcal {A}_I\) can distinguish the incorrectly-formed re-encryption keys in our simulation from all correctly-formed re-encryption keys in a “real world” interaction.

• or an attacker who breaks the EUF-CMA security of the Schnorr signature with advantage \(\upsilon \) within time \(t^{\prime }\).

Proof

Without loss of generality, we assume that the Schnorr signature is \((t^\prime ,\upsilon )\)-EUF-CMA secure. Suppose there exists a \(t\)-time 2nd-IND-CLPRE-CPA Type I adversary \(\mathcal {A}_I\) who can break the 2nd-IND-CLPRE-CPA security of our CLPRE1 scheme with advantage \(\epsilon - \upsilon \). Then we show how to construct an algorithm \(\mathcal {B}\) which can solve the \((t^\prime ,\epsilon ^\prime )\)-CDH problem in group \(\mathbb {G}\).

Suppose \(\mathcal {B}\) is given a CDH challenge tuple \((g,g^a,g^b)\in \mathbb {G}^3\) with unknown \(a,b \mathop {\longleftarrow }\limits ^{\$} \mathbb {Z}_q^{*}\) as input. The goal of \(\mathcal {B}\) is to compute the \(g^{ab}\). \(\mathcal {B}\) can act as the challenger and play the 2nd-IND-CLPRE-CPA “Game I” with \(\mathcal {A}_I\) as follows.

Setup. \(\mathcal {B}\) computes \(y=g^x\) where \(x\mathop {\longleftarrow }\limits ^{\$} \mathbb {Z}_q^*\) and gives \((\mathbb {G},q,g,y,n,H_1,H_2,H_3,H_4)\) to \(\mathcal {A}_I\) as params, where \(H_1,H_2,H_3,H_4\) are random oracles controlled by \(\mathcal {B}\).

Random Oracle Queries. Algorithm \(\mathcal {B}\) maintains four hash lists \(H_1^{List}\), \(H_2^{List}\), \(H_3^{List}\) and \(H_4^{List}\) which are initially empty, and responds as follows:

• \(H_1\) queries: On receiving a query \((ID,\omega )\) to \(H_1\):

  1. 1.

     If \(\langle (ID,\omega ),e\rangle \) has appeared in the \(H_1^{List}\), return \(e\) as answer.

  2. 2.

     Otherwise, pick a random \(e \in \mathbb {Z}_q^{*}\), add \(\langle (ID,\omega ),e\rangle \) to \(H_1^{List}\) and return \(e\) as answer.

• \(H_2\) queries: On receiving a query \(K\) to \(H_2\):

  1. 1.

     If \(\langle K,R\rangle \) has appeared in the \(H_2^{List}\), return \(R\) as answer.

  2. 2.

     Otherwise, pick a random \(R \in \{0,1\}^n\), add \(\langle K,R\rangle \) to \(H_2^{List}\) and return \(R\) as answer.

• \(H_3\) queries: On receiving a query \((k_1,k_2,ID_1,PK_1,ID_2,PK_2)\) to \(H_3\):

  1. 1.

     If \(\langle (k_1,k_2,ID_1,PK_1,ID_2,PK_2),X\rangle \) has appeared in the \(H_3^{List}\), return \(X\) as answer.

  2. 2.

     Otherwise, pick a random \(X \in \mathbb {Z}_q^{*}\), add \(\langle (k_1,k_2,ID_1,PK_1,ID_2,PK_2),X\rangle \) to \(H_3^{List}\) and return \(X\) as answer.

• \(H_4\) queries: On receiving a query \(\mu \) to \(H_4\):

  1. 1.

     If \(\langle \mu ,\delta \rangle \) has appeared in the \(H_4^{List}\), return \(\delta \) as answer.

  2. 2.

     Otherwise, pick a random \(\delta \in \mathbb {Z}_q^{*}\), add \(\langle \mu ,\delta \rangle \) to \(H_4^{List}\) and return \(\delta \) as answer.

Phase 1: \(\mathcal {B}\) responds a series of \(\mathcal {A}_I\)’s queries as follows:

• Partial key extraction queries: On input \(ID\) by \(\mathcal {A}_I\), the challenger \(\mathcal {B}\) responds as below:

  1. 1.

     If \(\langle ID,(\omega ,t),s\rangle \) has appeared in \(Partialkey^{List}\), return \((\omega ,t)\) as answer.

  2. 2.

     Otherwise, pick a random \(s\in \mathbb {Z}_q^{*}\) and compute \(\omega = g^s\). Run the random oracle query \((ID,\omega )\) to \(H_1\) and obtain \(\langle (ID,\omega ),e\rangle \in H_1^{List}\). Compute \(t=s+ex\) mod \(q\), add \(\langle ID,(\omega ,t),s\rangle \) to \(Partialkey^{List}\) and return \((\omega ,t)\) as answer.

• Public key request queries: On input \(ID\) by \(\mathcal {A}_I\), the challenger \(\mathcal {B}\) responds as below:

  1. 1.

     If \(\langle ID, (\omega ,\mu ,\phi ), coin\rangle \) has appeared in \(Publickey^{List}\), return \(PK_{ID}=(\omega ,\mu ,\phi )\) as answer.

  2. 2.

     Otherwise, pick a \(coin \in \{0,1\}\) such that \(Pr[coin=0]= \theta \) (\(\theta \) will be determined later).

  3. 3.

     The challenger \(\mathcal {B}\) runs the above simulation algorithm for partial key extraction taking \(ID\) as input to get a partial key \((\omega ,t)\).

  4. 4.

     If \(coin = 0\), pick \(z, v \in \mathbb {Z}_q^{*}\) at random and compute \(\mu = g^z\) and \(\phi =g^v\). Add \(\langle ID, (t,z,v)\rangle \) to \(Privatekey^{List}\) and \(\langle ID, (\omega ,\mu ,\phi ),coin \rangle \) to \(Publickey^{List}\). Return \(PK_{ID}=(\omega ,\mu ,\phi )\) as answer.

  5. 5.

     Otherwise, pick \(z, v \in \mathbb {Z}_q^{*}\) at random and compute \(\mu =(g^a)^z\) and \(\phi =g^v\). Add \(\langle ID, (t,?,v), z\rangle \) to \(Privatekey^{List}\) and \(\langle ID, (\omega ,\mu ,\phi ),coin \rangle \) to \(Publickey^{List}\). Return \(PK_{ID}=(\omega ,\mu ,\phi )\) as answer.

• Private key extraction queries: On input \(ID\) by \(\mathcal {A}_I\), the challenger \(\mathcal {B}\) can respond as below:

  1. 1.

     The challenger \(\mathcal {B}\) runs the above simulation algorithm for public key request taking \(ID\) as input to get a tuple \(\langle ID, (\omega ,\mu ,\phi ),coin \rangle \in Publickey^{List}\).

  2. 2.

     If \(coin=0\), search \(Privatekey^{List}\) for a tuple \(\langle ID, (t,z,v)\rangle \) and return \(SK_{ID} =(t,z,v)\) as answer.

  3. 3.

     If \(coin=\bot \), \(\mathcal {B}\) returns “Reject”. By \(coin=\bot \) we denote the case that the public key for \(ID\) has been replaced by \(\mathcal {A}_I\).

  4. 4.

     Otherwise, \(\mathcal {B}\) aborts the simulation.

• Replace public key queries: \(\mathcal {A}_I\) can repeatedly replace the public key \(PK_{ID}=(\omega ,\mu ,\phi )\) for any \(ID\) with any valid public key \(PK^{\prime }_{ID}=(\omega ^{\prime },\mu ^{\prime },\phi ^\prime )\) of its choice. On input \((ID,PK^{\prime }_{ID})\), \(\mathcal {B}\) checks whether \((\omega ^\prime ,\mu ^\prime ,\phi ^\prime ) \in \mathbb {G}^* \times \mathbb {G}^* \times \mathbb {G}^*\). If not, return “Reject”. Otherwise \(\mathcal {B}\) searches \(Publickey^{List}\) for a tuple \(\langle ID, (\omega ,\mu ,\phi ),coin \rangle \). If the tuple exists, \(\mathcal {B}\) sets \((\omega ,\mu ,\phi ) = (\omega ^\prime ,\mu ^\prime ,\phi ^\prime )\) and \(coin = \bot \). Otherwise, add \(\langle ID, (\omega ^\prime ,\mu ^\prime ,\phi ^\prime ),coin=\bot \rangle \) to \(Publickey^{List}\).

• Re-encryption key extraction queries: On input (\(ID_1\),\(ID_2\)) by \(\mathcal {A}_I\), \(\mathcal {B}\) runs the above simulation algorithm for public key request taking \(ID_1\) as input to get a tuple \(\langle ID_1, (\omega _1,\mu _1,\phi _1),coin_1 \rangle \in Publickey^{List}\).

  1. 1.

     If \(coin_1 = \bot \), return “Reject”.

  2. 2.

     If \(coin_1 = 0\), \(\mathcal {B}\) searches \(Privatekey^{List}\) for a tuple \(\langle ID_1, (t_1,z_1,v_1)\rangle \) and runs the above simulation algorithm for public key request taking \(ID_2\) as input to get a public key \((\omega _2,\mu _2,\phi _2)\). \(\mathcal {B}\) computes \(\gamma _2={\omega _2}y^{H_1(ID_2,\omega _2)}\) and \(X_{12}=H_3(\gamma _2^{v_1},\phi _2^{v_1},ID_1,PK_1,ID_2,PK_2)\). Return \(RK_{ID_1\rightarrow ID_2}=(t_1{H_4(\mu _1)}+z_1)\cdot X_{12}\) mod \(q\).

  3. 3.

     Otherwise, return \( RK_{ID_1\rightarrow ID_2} \mathop {\longleftarrow }\limits ^{\$} \mathbb {Z}_q^{*}\).

Challenge: On receiving a challenge query \((ID^{*},(m_0,m_1))\), \(\mathcal {B}\) responds \(\mathcal {A}_I\)’s query as follows:

1. 1.

   The challenger \(\mathcal {B}\) runs the above simulation algorithm for public key request taking \(ID^*\) as input to get a tuple \(\langle ID^*, (\omega ^*,\mu ^*,\phi ^*),coin^* \rangle \in Publickey^{List}\).

2. 2.

   If \(coin^*=0\), \(\mathcal {B}\) aborts the simulation.

3. 3.

   Otherwise (i.e., \(coin^*=1\) since the additional restriction for \(\mathcal {A}_I\)), \(\omega ^*=g^{s^*},\mu ^*=(g^a)^{z^*}\), \(\mathcal {B}\) does as follows:

   1. (a)

      Compute \(\gamma ^*={\omega ^*}y^{e^*}=g^{s^*+xe^*}\) where \(e^*=H_1(ID^*,\omega ^*)\) and \(Y^*={\gamma ^*}^{H_4(\mu ^*)} \mu ^*\).

   2. (b)

      Set \(c_1^* =g^b\), pick \(c_2^* \in \{0,1\}^n\) and \(\beta \in \{0,1\}\) at random.

   3. (c)

      Implicitly define \(H_2({Y^*}^b)=H_2((g^b)^{(s^*+xe^*)H_4(\mu ^*)} \cdot (g^{ab})^{z^*})=c_2^*\oplus m_\beta \)

4. 4.

   Return \(C^*=(c_1^*,c_2^*)\) as the challenge ciphertext.

Phase 2: Adversary \(\mathcal {A}_I\) continues to issue the rest of queries with the restrictions described in the 2nd-IND-CLPRE-CPA “Game I”. \(\mathcal {B}\) responds \(\mathcal {A}_I\)’s queries as in Phase 1.

Guess: Finally, \(\mathcal {A}_I\) outputs a guess \(\beta ^{\prime }\in \{0,1\}\). Algorithm \(\mathcal {B}\) randomly picks a tuple \((K,R)\) from the list \(H_2^{List}\). Since we make an additional restriction that \(\mathcal {A}_I\) cannot replace the public key for \(ID^{*}\), \(\mathcal {B}\) knows \(s^*\) and \(z^*\) with respect to \(PK_{ID^*}\). Thereby, \(\mathcal {B}\) can compute \(K^\prime = \left( \frac{K}{(g^b)^{(s^*+xe^*)H_4(\mu ^*)}}\right) ^{1/z^*}\) and outputs \(K^\prime \) as the solution to the given CDH instance.

[Analysis] The main idea of the analysis is borrowed from [9]. Firstly, we evaluate the simulations of the random oracles given above. From the construction of \(H_1\), \(H_3\) and \(H_4\), it’s clear that the simulations of \(H_1\), \(H_3\) and \(H_4\) are perfect. As long as \(\mathcal {A}_I\) does not query \({Y^*}^b\) to \(H_2\), the simulation of \(H_2\) is perfect. By \(AskH_2^*\) we denote the event that \({Y^*}^b\) has been queried to \(H_2\).

Next, we analyse the conditions for abort as follows:

1. 1.

   The value \(coin^*\) corresponding to \(ID^*\) is 1.

2. 2.

   For each of \(\mathcal {A}_I\)’s private key extraction queries on input \(ID \ne ID^*\), the \(coin\) corresponding to \(ID\) is 0.

3. 3.

   For each of \(\mathcal {A}_I\)’s re-encryption key extraction queries on input (\(ID_1\),\(ID_2\)), if \(ID_1 \ne ID^*\), the \(coin_1\) corresponding to \(ID_1\) is 0.

If any of the above conditions are false, \(\mathcal {B}\) aborts the simulation. Let \(Abort\) denotes the event that \(\mathcal {B}\) aborts during the simulation. Then \(Pr[\lnot Abort] \ge (1-\theta )\cdot \theta ^{q_{prk}} \cdot \theta ^{q_{rk}}=(1-\theta )\theta ^{q_{prk}+q_{rk}}\) which is maximized at \(\theta = \frac{q_{prk}+q_{rk}}{1+q_{prk}+q_{rk}}\). Hence, \(Pr[\lnot Abort] \ge \frac{1}{e(1+q_{prk}+q_{rk})}\) where \(e\) denotes the base of the natural logarithm.

Next, one can notice that the simulated challenge ciphertext is identically distributed as the real one from the construction. The simulation of re-encryption key extraction queries is perfect other than these re-encryption keys \(RK_{ID^*\rightarrow ID}\) where \(ID\) is uncorrupted. By \(F\) we denote the event that there exists a probabilistic polynomial time (p.p.t.) 2nd-IND-CLPRE-CPA Type I adversary \(\mathcal {A}_I^\prime \) which can distinguish the incorrectly-formed re-encryption keys in our simulation from all correctly-formed re-encryption keys in a “real world” interaction. By \(\tau \) denotes the probability that the event \(F\) occurs. We make a separate argument if \(Pr[F]=\tau \) is non-negligible, then we can construct an algorithm \(\mathcal {B^\prime }\) who can solve the CDH problem in \(\mathbb {G}\) with a non-negligible probability. Due to the space limit, the separate argument will be given in the full paper. By the separate argument, we can obtain that \(Pr[F]=\tau \) is negligible under the CDH assumption.

Now we define an event \(E\) to be \((AskH_2^* \vee F) | \lnot Abort\). If \(E\) does not happen, it is clear that \(\mathcal {A}_I\) does not gain any advantage in guessing \(\beta \) due to the randomness of the output of the random oracle \(H_2\). Namely, we have \(Pr[\beta ^\prime = \beta |\lnot E]= \frac{1}{2}\). Hence, by splitting \(Pr[\beta ^\prime = \beta ]\), we have \(Pr[\beta ^\prime = \beta ] = Pr[\beta ^\prime = \beta |\lnot E]Pr[\lnot E]+ Pr[\beta ^\prime = \beta |E]Pr[E] \le \frac{1}{2}Pr[\lnot E]+Pr[E]=\frac{1}{2}+\frac{1}{2}Pr[E]\) and \(Pr[\beta ^\prime = \beta ]\ge Pr[\beta ^\prime = \beta |\lnot E]Pr[\lnot E]=\frac{1}{2}-\frac{1}{2}Pr[E].\)

By the definition of advantage \((\epsilon - \upsilon )\) for the 2nd-IND-CLPRE-CPA Type I adversary \(\mathcal {A}_I\), we have \(\epsilon -\upsilon =|Pr[\beta ^\prime = \beta ]-\frac{1}{2}|\le \frac{1}{2}Pr[E]= \frac{1}{2} Pr[(AskH_2^* \vee F) | \lnot Abort] \le \frac{1}{2Pr[\lnot Abort]} (Pr[AskH_2^*]+Pr[F]).\)

Since \(Pr[\lnot Abort] \ge \frac{1}{e(1+q_{prk}+q_{rk})}\) and \(Pr[F]=\tau \), we obtain \(Pr[AskH_2^*]\ge \frac{2(\epsilon -\upsilon )}{e(1+q_{prk}+q_{rk})}-\tau \).

If \(AskH_2^*\) happens then \(\mathcal {B}\) will be able to solve the CDH instance.

Hence, we obtain \(\epsilon ^{\prime } \ge \frac{1}{q_{H_2}}\left( \frac{2(\epsilon -\upsilon )}{e(1+q_{prk}+{q_{rk}})}-\tau \right) .\)    \(\square \)

The security proof against Type II adversary \(\mathcal {A}_{II}\) is analogous. Due to the space limit, we omit the details. The probability loss of the reduction is the same as the security proof against \(\mathcal {A}_I\). Note that the Type II adversary \(\mathcal {A}_{II}\) has the master-key and can not replace public keys of entities.

Lemma 2. The proposed CLPRE1 scheme is 1st-IND-CLPRE-CPA secure in the random oracle model, if the CDH assumption holds in \(\mathbb {G}\) and the Schnorr signature is EUF-CMA secure.

Due to lack of space, the proof of this lemma will be given in the full paper. We re-write \(C_B^{\prime }=\langle g^{X_{AB} \tilde{r}}, m\oplus H_2(g^{\tilde{r}})\rangle \) where \(\tilde{r}=(t_AH_4(\mu _A)+z_A)r\) mod \(q\). Then, 1st-IND-CLPRE-CPA security of the proposed CLPRE1 scheme is following the fact that the first level ciphertext \(C_B^{\prime }\) is indeed a “hashed” CPA-secure ElGamal encryption where the associated secret key \(X_{AB}\) can merely be computed by the delegator \(A\) or delegatee \(B\).