Information Sciences 177 (2007) 4095–4108 www.elsevier.com/locate/ins How to construct secure proxy cryptosystem Yuan Zhou a,b,* q , Binxing Fang a,b, Zhenfu Cao c, Xiaochun Yun Xiaoming Cheng b a,b , a Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100080, PR China National Computer Network Emergency Response Technical Team/Coordination Center of China, PR China Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, PR China b c Received 2 June 2006; received in revised form 17 January 2007; accepted 26 January 2007 Abstract Proxy cryptosystem, first proposed by Mambo and Okamoto [M.Mambo, E. Okamoto, Proxy cryptosystem: delegation of a power to decrypt ciphertexts, IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E80-A/1 (1997) 54–63], allows the original decryptor to delegate his decrypting capability to the proxies. However, until now, no practical proxy cryptosystem modes are proposed. Therefore, in this paper, we present a novel proxy cryptosystem model: proxy cryptosystem based on time segmentation. Under this mode, a security analysis model will be proposed. Furthermore, a proxy cryptosystem scheme is presented as an example. We will show that the proposed scheme is proven security in the proposed security analysis model. Finally, we will give the ID-based version of this construction. 2007 Elsevier Inc. All rights reserved. Keywords: Proxy cryptosystem; Bilinear Diffie–Hellman; ID-based 1. Introduction 1.1. Background and related work Recently, modern cryptography techniques such as encryption have attracted a lot of attentions due to the booms of e-commerce. However, in some cases, a original decryptor such as the CEO of a corporate may be put on too much decrypting load. Therefore, it is desirable to delegate the decrypting capability to some proxies such as the assistants of CEO, who can decrypt the encrypted messages on behalf of him. At the same time, it is required that the delegation can be withdrew efficiently. q An extended abstract of this paper appears in CISC2005, volume 3820 of Lecture Notes in Computer Science, pp. 150–161, SpringerVerlag, 2005. * Corresponding author. E-mail addresses: zhouyuantdt@163.com (Y. Zhou), bxfang@ict.ac.cn (B. Fang), zfcao@cs.sjtu.edu.cn (Z. Cao), yxc@hit.edu.cn (X. Yun). 0020-0255/$ - see front matter 2007 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2007.01.024 4096 Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 The nature method of delegating decryption is to ‘‘decrypt and re-encrypt’’. In this method, there are two parties: one is an original decryptor, and the other is a delegated decryptor. When some ciphertext is sent to the original delegator, he first uses his secret key to implement a decryption operation and get the corresponding plaintext M, then encrypt it with the delegated decryptor’s public key. However, it may be low efficient in some situation. The original decryptor must implement two complete public key cryptographic operations. Moreover, When the original decryptor is off-line, the delegated decryptor cannot implement any decryption operation. In 1996, Mambo and Okamoto [17] introduced proxy cryptosystem to delegate the capacity of decryption. In their original proposal, it allows an original decryptor to transform the ciphertext into another ciphertext for a delegated decryptor. Once the ciphertext transformation is executed successfully, the delegated decryptor can compute a plaintext in place of the original decryptor. After Mambo and Okamoto’s initial work, many scholars have done a lot of works in this field. In 1998, Blaze, Bleumer, and Strauss [5] proposed the notion of atomic proxy cryptography. In this method, the original decryptor and delegated decryptor together publish a transformation key by which a semi-trusted intermediary transforms ciphertext encrypted for the original decryptor directly into ciphertext that can be decrypted by the delegated decryptor. Follow on [5], Jakobsson [16] developed a quorum-based protocol where the semi-trusted intermediary is divided into sub-components and each of them controls a share of the transformation key. Although these schemes are more efficient than ‘‘decrypt and re-encrypt’’, they still have the common shortcoming: When original decryptor or a semi-trusted intermediary is off-line and does not execute transformation, the delegated decryptor cannot decrypt some ciphertext encrypted for the original decryptor. So, it is desirable that a delegated decryptor can decrypt the ciphertext without any ciphertext transformation by other entity. In 2004, a transformation-free proxy (TFP) cryptosystem [21] was presented. The TFP scheme allows delegated decryptor to do decryption without any ciphertext transformation. However, in the scheme, the encryption key must be aiming at the specific delegated decryptor (i.e. the delegated decryptor only can decrypt the ciphertext encrypted by the encryption key according to his identity). Moveover, no formal security notion are given. In comparison to delegation of signature, only few research efforts have been put on delegation of decryption progresses [18,19,22,14,15]. It is fair to say that until the results in [23], constructing a secure proxy cryptosystem was an open problem. 1.2. Our contribution 1.2.1. Proxy cryptosystem based on time segmentation In this paper, we apply a time segmentation mode to proxy cryptosystem. Our idea is from the forwardsecure schemes [2,4]. In a proxy cryptosystem based on time segmentation (PCBTS), a original decryptor registers a public key PK and keeping private the corresponding secret key SK. The expected lifetime of PK is divided into segmentations, say n of them, numbered t1 ; t2 ; . . . ; tn . The public key stays fixed throughout the lifetime of the scheme, this is curial for making such a scheme viable. When the original decryptor wants to delegate his decryption capacity of time segmentation ti, he deviates the proxy secret key SK its at ti from his secret key SK for a proxy decryptor. Then the proxy decryptor obtains the decryption capacity during time segmentation ti. At the same time, a PCBTS scheme should guarantee that even if adversary knows proxy secret key at time segmentation ti, messages encrypted during all time segmentations except ti remain secret. Moveover, We define a rigorous notion of security for PCBTS and ID-based PCBTS. 1.2.2. PCBTS schemes We propose a PCBTS scheme, which makes use of ideas from the Hierarchical identity-based encryption (HIBE) scheme of Gentry and Silverberg [12], the hierarchical identity-based encryption with constant size (HIBE-CSC) scheme of Boneh and Boyen [7], the Foward-secure public-key encryption (FSPE) scheme of Canetti et al. [10] and the scheme of Fujisaki and Okamoto [11]. Its security is based on computational BDH assumption [8,9]. Under this scheme, we construct an ID-based PCBTS scheme. Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 4097 1.3. Organization In Section 2, we first define PCBTS and formally define its security notion, then a PCBTS scheme is provided under the computational BDH assumption. In Section 3, we define ID-based PCBTS and formally define security notion for ID-based PCBTS. In this section, we also provide a ID-based PCBTS scheme. Section 4 gives some results and conclusions. 2. Proxy cryptosystem based on time segmentation and its security In this section, we discuss proxy cryptosystem based on time segmentation (PCBTS). We first discuss the form of algorithms, and then discuss its security. After that, we present a secure PCBTS scheme. 2.1. Proxy cryptosystem based on time segmentation Definition 2.1. A Proxy cryptosystem based on time segmentation (PCBTS) scheme is a 5-tuple of probabilistic, polynomial time (PPT) algorithms ðG; PKD; E; D; PDÞ such that: • The key generation algorithm G takes as input a security parameter 1k, and possibly other parameters, to return a public key PK, and corresponding secret key SK. The algorithm is probabilistic. • The proxy key derivation algorithm PKD takes as input the public key PK, the secret key SK, and the time segmentation t, to return the proxy secret key SK ts of the corresponding time segmentation. • The encryption algorithm E takes as input PK, a time segmentation t, and a message M, to return a ciphertext C. Here, the way of determining the time segmentation t can be described by a example: Suppose a day is selected as the unit for the time segmentation. If the start time of the encryption operation is 11:45 November 13rd, 2006, then the time segmentation t determined by the software which is used for executing the encryption operation is November 13rd,2006. • The decryption algorithm D takes as input PK, the secret key SK, and a ciphertext C to return a message M. • The proxy decryption algorithm PD takes as input PK, the secret proxy secret key SK ts of the corresponding time segmentation t, and a ciphertext C, to return a message M. These algorithms must satisfy the standard correctness requirements as follows: (1) for any ðPK; SKÞ output by Gð1k Þ, and any message M, we have M ¼ DðPK; SK; EðPK; t; MÞÞ. (2) for any ðPK; SK ts Þ output by PKDðPK; SK; tÞ, and any message M, we have M ¼ PDðPK; SK ts ; EðPK; t; MÞÞ. 2.2. Security notion for PCBTS We wish to assess the security of a PCBTS scheme. To do this efficiently we must first pin down an appropriate model, in which all potential actions of the adversary must be considered. We extend the notion of indistinguishability of chosen plaintext attack (IND-CPA) [13] and the notion of indistinguishability of adaptive chosen ciphertext attack (IND-CCA2) [20], and take into account the attack scenario in which the adversary can obtains proxy secret keys of some time segmentations. We call this attack scenario selective time segmentation attack. The adversary knows the total time segmentations, the current time segmentation, and the user’s public key PK. The goal is that even exposure of some proxy secret keys corresponding to some time segmentations it should be computationally infeasible for an adversary to obtain even a bit plaintext information of a given ciphertext of time segmentation t* (the proxy secret key of t* has not been obtained by the adversary) with respect to the already obtained proxy secret keys. 4098 Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 Definition 2.2. A PCBTS scheme is secure against selective time segmentation, chosen plaintext attacks (STSCPA) if no polynomially bound adversary A has a non-negligible advantage against the Challenger in the following game: (1) The challenger takes a security parameter 1k and runs the G algorithm. It gives the adversary the public key PK, and keeps the secret key SK to itself. (2) The adversary issues queries q1 ; q2 ; . . . ; qm where query qi is • Proxy secret key query ðti Þ. The challenger responds by running algorithm PKD to generate the proxy secret key SK its corresponding to the time segmentation ti. It sends SK its to the adversary. (3) The adversary generates a request challenge ðt ; M 0 ; M 1 Þ. Here, M0 and M1 are equal length plaintext and t* is a time segmentation and did not appear in any proxy secret key query in the second step. The challenger picks a random bit b 2 f0; 1g and sets C ¼ EðPK; t ; M b Þ. It sends C* as the challenge to the adversary. (4) The adversary issues more queries qmþ1 ; qmþ2 ; . . . ; qn where query is • Proxy secret key query ðti Þ where ti 6¼ t . Challenger responds as the second step. At the end of the game the adversary outputs b0 2 f0; 1g and wins the game if b0 ¼ b. The adversary’s advantage is the absolute value of the difference between its success probability and 1/2. Definition 2.3. A PCBTS scheme is secure against selective time segmentation, chosen ciphertext attacks (STSCCA) if no polynomially bound adversary A has a non-negligible advantage against the Challenger in the following game: (1) The challenger takes a security parameter 1k and runs the G algorithm. It gives the adversary the public key PK, and keeps the secret key SK to itself. (2) The adversary issues queries q1 ; q2 ; . . . ; qm where query qi is one of • Proxy secret key query ðti Þ. The challenger responds by running algorithm PKD to generate the proxy secret key SK its corresponding to the time segmentation ti. It sends SK its to the adversary. • Decryption query ðC i ; ti Þ. The challenger runs algorithm D to decrypt the ciphertext Ci using the secret key SK. It sends the resulting plaintext to the adversary. (3) The adversary generates a request challenge ðt ; M 0 ; M 1 Þ. Here, M0 and M1 are equal length plaintext and t* is a time segmentation and did not appear in any proxy secret key query in the second step. The challenger picks a random bit b 2 f0; 1g and sets C ¼ EðPK; t ; M b Þ. It sends C* as the challenge to the adversary. (4) The adversary issues more queries qmþ1 ; qmþ2 ; . . . ; qn where query is one of • Proxy secret key query ðti Þ where ti 6¼ t . Challenger responds as the second step. • Decryption query ðC i ; ti Þ where ðC i ; ti Þ 6¼ ðC ; t Þ. Challenger responds as the second step. At the end of the game the adversary outputs b0 2 f0; 1g and wins the game if b0 ¼ b. The adversary’s advantage is the absolute value of the difference between its success probability and 1/2. To prove the security of a PCBTS scheme, we also adopt a concept called plaintext awareness (PA) [1,3]. Plaintext awareness means that the adversary can decrypt any ciphertext it creates. In essence, if the adversary already knows the answer that it will receive from a decryption oracle, then the oracle gives him no additional power. Definition 2.4. Let P ¼ ðG; PKD; E; D; PDÞ be a STS-CPA PCBTS scheme in random oracle, we say it is secure against PA if for any adversary B, there exists a polynomial time algorithm kðkÞ-knowledge extractor K for P in the following game such that 1 kðkÞ is negligible in k: (1) The challenger takes a security parameter 1k and runs the G algorithm. It gives the adversary the public key PK and random oracle H, and keeps the secret key SK to itself. Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 4099 (2) The adversary B issues queries q1 ; q2 ; . . . ; qm where query qi is one of: • Encryption Oracle queries Mi. The challenger runs algorithm E to encrypt the plaintext Mi using the public key PK and random oracle H. It discards the Mi and sends the result ciphertext Ci to the adversary B. • Random oracle queries hi. The challenger responds by a random value Hi as the answer of H ð:Þ. (3) The adversary B creates a C*. We say C 6¼ C i . It sends C* to the challenger. When the challenger receives C*, it run the kðkÞ-knowledge extractor K, which takes as input results Ci of queries Mi, results ðhi ; H i Þ of queries hi and C*. It try to extract the corresponding plaintext M*. When C* is valid ciphertext, the success probability of K to extract the corresponding is kðkÞ. 2.3. The computational bilinear Diffie–Hellman assumption Bilinear Diffie–Hellman problem was formalized by Boneh and Franklin [8]. We briefly review the relevant facts as they appear in [8,9,6]. Let G1 and G2 be two (multiplicative) cycle groups of prime order q. A bilinear pairing is a map e : G1 G1 ! G2 with the following properties: (1) Bilinear: eðP a ; Qb Þ ¼ eðP ; QÞab , where P ; Q 2 G1 , and a; b 2 Z q . (2) Non-degeneracy: There exists P 2 G1 and Q 2 G1 such that eðP ; QÞ 6¼ 1. (3) Computability: There exists an efficient algorithm to computer eðP ; QÞ for P ; Q 2 G1 . Definition 2.5. Given group G1 and G2 of the same prime order q, a bilinear map e : G1 G1 ! G2 and a generator P of G1, then the computational Bilinear Diffie–Hellman (BDH) Problem is defined as follows: Given ðP ; P a ; P b ; P c Þ for some a; b; c 2 Z q as input, compute eðP ; P Þabc 2 G2 . The advantage of an algorithm A solving Computational BDH problem is abc AdvðAÞ ¼ Pr½AðP ; P a ; P b ; P c Þ ¼ eðP ; P Þ where the probability is over the random choice of a, b, c in Z q , the random choice of P 2 G1 and the random bits of A. Definition 2.6. Let IG is a BDH parameter generator that takes a security parameter 1k as input. We say that IG satisfies the computational BDH assumption if AdvðAÞ is negligible (in k) for all PPT algorithms A. 2.4. A PCBTS scheme based on the computational BDH assumption Now, we present a PCBTS scheme. the basic idea of our proposed scheme comes from [12,7,10,11]. The scheme is described as follows. The algorithm Gð1k Þ does the following: (1) Run IGð1k Þ to generate groups G1, G2 of prime order q and bilinear map e. (2) Select a random generator P 2 G1 ; Q 2 G1 and a random s 2 Z q . Set P pub ¼ P s ; Qsec ¼ Qs . (3) Choose a cryptographic hash function H 1 : f0; 1g ! G1 . Choose a cryptographic hash function n n H 2 : f0; 1g ! Z q . Choose a cryptographic hash function H 3 : G2 ! f0; 1g . (4) The public key is PK ¼ ðG1 ; G2 ; e; P ; P pub ; Q; H 1 ; H 2 ; H 3 Þ. The secret key is Qsec . The message space is M ¼ f0; 1gnk . Here 0 < k < n. The ciphertext space is C ¼ G1 G1 f0; 1gn . The algorithm PKDðPK; Qsec ; tÞ does the following: d Choose a random d 2 Z q , Set S t ¼ Qsec H 1 ðtÞ , and T t ¼ P d . The proxy secret key PSK ¼ ðS t ; T t Þ. The algorithm EðPK; t; MÞ does the following: k (1) Choose a random r1 2 f0; 1g , set C 1 ¼ P r2 , where r2 ¼ H 2 ðmkr1 Þ. r (2) Set C 2 ¼ H 1 ðtÞ 2 . 4100 Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 r (3) Set C 3 ¼ ðmkr1 Þ H 3 ðgÞ, where g ¼ eðP pub ; QÞ 2 . (4) Output C ¼ ðt; C 1 ; C 2 ; C 3 Þ. The algorithm DðPK; Qsec ; CÞ does the following: (1) (2) (3) (4) Compute g0 ¼ eðC 1 ; Qsec Þ. Compute M 0 ¼ C 3 H 3 ðg0 Þ. Set r2 ¼ H 2 ðM 0 Þ. Test whether the equation C 1 ¼ P r2 holds. If not, reject the ciphertext. Output M, where M is the first n k bits of M 0 . We verify consistency. During encryption ðmkr1 Þ is bitwise exclusive-ored with the hash of g. During decryption C3 is bitwise exclusive-ored with the hash of g 0 . These masks used during encryption and decryption are the same since: g0 ¼ eðC 1 ; Qsec Þ ¼ eðP r2 ; Qs Þ ¼ eðP ; QÞr2 s ¼ eðP pub ; QÞr2 ¼ g Thus, decryption recovers M. The algorithm PDðPK; PSK; CÞ does the following: (1) (2) (3) (4) 1 Compute g0 ¼ eðC 1 ; S t Þ eðT t ; C 2 Þ . Compute M 0 ¼ C 3 H 3 ðg0 Þ. Set r2 ¼ H 2 ðM 0 Þ. Test whether the equation C 1 ¼ P r2 holds. If not, reject the ciphertext. Output M, where M is the first n k bits of M 0 . We verify consistency. During encryption ðmkr1 Þ is bitwise exclusive-ored with the hash of g. During decryption C3 is bitwise exclusive-ored with the hash of g 0 . These masks used during encryption and decryption are the same since: g0 ¼ eðC 1 ; S t Þ eðT t ; C 2 Þ1 ¼ eðP r2 ; Qsec H 1 ðtÞd Þ eðP d ; H 1 ðtÞr2 Þ1 d r ¼ eðP r2 ; Qs Þ eðP r2 ; H 1 ðtÞ Þ eðP d ; H 1 ðtÞ 2 Þ r s 1 d d 1 ¼ eðP r2 ; Qs Þ eðP r2 ; H 1 ðtÞ Þ eðP r2 ; H 1 ðtÞ Þ r ¼ eðP r2 ; Qs Þ ¼ eðP ; QÞ 2 ¼ eðP pub ; QÞ 2 ¼ g ð1Þ Thus, decryption recovers M. Our main result of this section is the following. Theorem 2.1. Under the computational BDH assumption, the above PCBTS scheme is secure in the sense of STSCCA. For proving the main theorem, we will first prove Lemmas 2.2 and 2.3. Lemma 2.2. Under the computational BDH assumption, the above PCBTS scheme is secure in the sense of STSCPA. Proof of Lemma 2.2. Assume a PPT algorithm A can be used to attack the above scheme with the advantage in the STS-CPA attack scenario. We construct a algorithm B which attempt to solve the computational BDH problem. Algorithm B is given as input the BDH parameters (q, G1, G2, e) produced by IG and a random instance (P, Pa, Pb, Pc)=(P, P1, P2, P3) of computational BDH problem. The goal of B is to compute abc U ¼ eðP ; P Þ 2 G2 . Algorithm B finds U by interacting with A as follows: Key generation: Algorithm B creates public key PK ¼ ðG1 ; G2 ; e; P ; P pub ; Q; H 1 ; H 2 ; H 3 Þ by setting P pub ¼ P 1 ¼ P a ; Q ¼ P 2 ¼ P b . Algorithm B give A the public key PK. Observe that the (unknown) secret key associated to PK is SK ¼ Qsec ¼ Qa ¼ P ab . H1-queries: At any time algorithm A may issue queries to H1. To respond to these queries B maintains a list of tuples called H list 1 . Each entity in the list is the form of (ti, mi, ni, Ti). The list is initially empty. To respond to query ti algorithm B does the following: Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 4101 (1) If the query ti already appears on the H list in a entity (ti, mi, ni, Ti), then algorithm B responds with 1 H i ðti Þ ¼ T i . ðn Þ1 1 (2) Otherwise, B randomly selects mi 2 Z q , ni 2 Z q , set T i ¼ P mi ððP pub Þ i Þ , and adds the entity (ti, mi, ni, Ti) to the H list 1 . It responds to A with H i ðt i Þ ¼ T i . H2-queries: At any time algorithm A may issue queries to H2. To respond to these queries B maintains a list of tuples called H list 2 . Each entity in the list is the form of ðli ; Li Þ. The list is initially empty. To respond to query li 2 f0; 1gn algorithm B does the following: (1) If the query li already on the H list 2 in a entity (li, Li), then algorithm B responds with H 2 ðli Þ ¼ Li . (2) Otherwise, B randomly selects Li 2 Z q , and adds the entity (li, Li) to the H list 2 . It responds to A with H 2 ðli Þ ¼ Li . H3-queries: At any time algorithm A may issue queries to H3. To respond to these queries B maintains a list of tuples called H list 3 . Each entity in the list is the form of ðvi ; V i Þ. The list is initially empty. To respond to query vi 2 G2 algorithm B does the following: (1) If the query vi already on the H list 2 in a entity (vi, Vi) then algorithm B responds with H 3 ðvi Þ ¼ V i . n (2) Otherwise, B randomly selects V i 2 f0; 1g , and adds the entity (vi, Vi) to the H list 3 . It responds to A with H 3 ðvi Þ ¼ V i . Proxy secret key queries before challenge: Let ti be a proxy secret key query issued by algorithm A. To respond to the query algorithm B does the following: (1) B runs the above algorithm H1 oracle to compute H i ðti Þ. n :b (2) Then B sets S ti ¼ P m2 i :ni , and T ti ¼ P n2i . In fact, S ti ¼ P m2 i :ni ¼ P ab P ab þ P m2 i :ni ¼ Qsec þ H ðti Þ i , and T ti ¼ P n2i ¼ P ni :b . (3) B responds to A with (Si, Ti). Challenge: The algorithm A generates a request challenge (t*, M0, M1). Here, M 0 and M 1 are equal length plaintext and t* is a time segmentation and did not appear in any proxy secret key query in the second step. The algorithm B picks a random bit b 2 f0; 1g, takes P3 as C 1 , picks a random u 2 Z q and takes P u3 as C 2 , k picks a random N 2 f0; 1g , s 2 f0; 1g and takes ðM b ksÞ N as C 3 , and outputs C ¼ ðt ; C 1 ; C 2 ; C 3 Þ. Proxy secret key queries after challenge: Let ti be a proxy secret key query issued by algorithm A and ti 6¼ t . Algorithm B responds to proxy secret key queries in the same way it did in secret key queries before challenge. Guess: Algorithm A outputs its guess b0 2 f0; 1g. The algorithm B tests if there exists an entity (vi, Vi) in the list H 3 such that V i ¼ N . If it is, B outputs vi as the solution to the given instance of BDH. Let H2 be the event algorithm issues a query for H 2 ðM b ksÞ before challenge, and let H3 be the event algorithm issues a query for H 3 ðvi Þ such that N ¼ H 3 ðvi Þ. Then the successful probability of algorithm A to win the game is Pr½b ¼ b0 ¼ Pr½b ¼ b0 ^ H2 þ Pr½b ¼ b0 ^ + H2 ^ H3 qH 1 þ Pr½b ¼ b0 ^ + H2 ^ + H3 6 k2 þ Pr½H3 þ 2 2 We know that in real attack jPr½b ¼ b0 1=2j P , so we have Pr½H3 P qH 2 2k Hence, at the end of the game, N appears in some tuple on H list 3 with the probability at least probability of B to successfully produce the correct answer. h Now we show that the scheme is PA secure. qH 2 2k , that is the 4102 Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 Lemma 2.3. The PCBTS scheme is PA secure. Proof of Lemma 2.3. Assume A is a PA attacker. We construct a kðkÞ-knowledge extractor K, which runs as follows: Set up: We run Gð1k Þ, get public key PK ¼ ðG1 ; G2 ; e; P ; P pub ; Q; H 1 ; H 2 ; H 3 Þ, get secret key Qsec . H1-queries: At any time algorithm A may issue queries to H1. To respond to these queries we maintain a list of tuples called H list 1 . Each entity in the list is the form of (ti, Ti). The list is initially empty. To respond to query ti we do the following: (1) If the query ti already appears on the H list B responds with H i ðti Þ ¼ T i . 1 in a entity (ti, Ti), then algorithm ðn Þ1 1 (2) Otherwise, we randomly select mi 2 Z q ; ni 2 Z q , set T i ¼ P mi ððP pub Þ i Þ , and adds the entity (ti, Ti) to the H list 1 . It responds to A with H i ðt i Þ ¼ T i . H2-queries: At any time algorithm A may issue queries to H2. To respond to these queries we maintains a list of tuples called H list 2 . Each entity in the list is the form of (li, Li). The list is initially empty. To respond to query li 2 f0; 1gn we do the following: (1) If the query li already on the H list 2 in a entity (li, Li), then algorithm B responds with H 2 ðli Þ ¼ Li . (2) Otherwise, we randomly select Li 2 Z q , and adds the entity (li, Li) to the H list 2 . It responds to A with H 2 ðli Þ ¼ Li . H3-queries: At any time algorithm A may issue queries to H3. To respond to these queries we maintain a list of tuples called H list 3 . Each entity in the list is the form of (vi, Vi). The list is initially empty. To respond to query vi 2 G2 we do the following: (1) If the query vi already on the H list 2 in a entity (vi, Vi), then algorithm B responds with H 3 ðvi Þ ¼ V i . n (2) Otherwise, we randomly select V i 2 f0; 1g , and adds the entity (vi, Vi) to the H list 3 . It responds to A with H 3 ðvi Þ ¼ V i . Encryption-queries: At any time algorithm A may issue queries to E. To respond to these queries we maintain a list of tuples called C list . Each entity in the list is the form of Ci. We use the above algorithm H oracle and the public key PK to encrypt Mi, then we discard the Mi and add Ci to the C list . After that, we send the result ciphertext Ci to the adversary A. Challenge ciphertext: The adversary A creates a C ¼ ðt ; C 1 ; C 2 ; C 3 Þ, where say C 62 C list . It sends C* to us. list list list When we receive C*, we run the kðkÞ-knowledge extractor K, which takes as input H list and C*. 1 ; H2 ; H3 ; C The knowledge extractor K try to extract the plaintext. It works as follows: list list (1) Check if (t*, m*, n*, T*), (l*, L*), (v*, V*) are in H list 1 ; H 2 , and H 3 respectively. If not, then K fails. L L (2) Otherwise, check if C 1 ¼ P , C 2 ¼ ðT Þ . If not, then K fails. (3) Otherwise, compute M 0 ¼ V C 3 , output M*, where M* is the first n k bits of M 0 . Thinking of the success probability of K. Let F be an event that K fails but C* is a valid ciphertext, let H1 list * * be an event that (t*, m*, n*, T*) is in H list 1 , let F be an event that K fails, let H2 be an event that (l , L ) is in H 2 , list * * and let H3 be an event that (v , V ) is in H 3 . Then we have Pr½F 6 Pr½F^ + H1 þ Pr½F^ + H2 þ Pr½F^ + H3 1 1 1 2 1 6 Pr½Fj + H1 þ Pr½Fj + H2 þ Pr½Fj + H3 6 þ þ n ¼ þ n q q 2 q 2 so we have 2 1 k ¼ 1 Pr½F ¼ 1 n q 2 Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 4103 Proof of theorem 2.1. Due to the work of [1], If a encryption is CPA secure, at the same time it also PA, then it is CCA. So the theorem follows directly from Lemmas 2.2 and 2.3. h 3. ID-based version of proxy cryptosystem based on time segmentation In this section, we will discuss the ID-based version of PCBTS. Like the discussion order of the PCBTS, this section is arranged as follows: Firstly we discuss the form of algorithms to specify such schemes followed by the security analysis model. After that, we convert the PCBTS scheme described in Section 2.4 into a secure ID-based PCBTS one. 3.1. ID-based PCBTS Definition 3.1. A ID-based PCBTS scheme is a 6-tuple of PPT algorithms ðS; EXT; PKD; E; D; PDÞ such that: • The Setup algorithm S takes as input a security parameter 1k, and possibly other parameters, to return system parameters PM, and master-key MK. The algorithm is probabilistic. • The Extract algorithm EXT takes as input the system parameters PM, the master key MK, and an arbi trary ID 2 f0; 1g , to return a secret key SK. • The proxy key derivation algorithm PKD takes as input PM, ID, and a secret key SK, and the time segmentation t, to return the secret proxy secret key SK ts of the corresponding time segmentation. • The encryption algorithm E takes as input PM, ID, a time segmentation t, and a message M, to return a ciphertext C. Here, the way of determining the time segmentation is the same as the one in Definition 2.1. • The decryption algorithm D takes as input PM, ID, the secret key SK, and a ciphertext C to return a message M. • The proxy decryption algorithm PD takes as input PM, ID, the secret proxy secret key SK ts of the corresponding time segmentation t, and a ciphertext C, to return a message M. These algorithms must satisfy the standard correctness requirements as follows: (1) for any (ID, SK) output by EXTðPM; MK; IDÞ, and any message M, we have M ¼ DðPM; ID; SK; EðPM; ID; t; MÞÞ. (2) for any ðID; SK ts Þ output by PKDðPM; ID; SK; tÞ, and any message M, we have M ¼ PDðPM; ID; SK ts ; EðPM; ID; t; MÞÞ. 3.2. Security notion for ID-based PCBTS When we access the security of an ID-based PCBTS scheme, selective time segmentation attack and chosen ciphertext attack should also be considered. Moveover, as the general ID-based cryptosystem, the attacker may implement secret key extraction attack, which first appears in [9]. Definition 3.2. An ID-based PCBTS is secure against secret key extraction, selective time segmentation, chosen ciphertext attacks (ID-STS-CCA) if no polynomially bound adversary A has a non-negligible advantage against the Challenger in the following ID-based STS-CCA game: (1) The challenger takes a security parameter 1k and runs the S algorithm. It gives the adversary the system parameter PM, It keeps the master key MK to itself. (2) The adversary issues queries q1 ; q2 ; . . . ; qm where query qi is one of: • Extraction query (IDi). The challenger responds by running algorithm EXT to generate the secret key SKi corresponding to (IDi). It sends SK to the adversary. 4104 Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 • Proxy secret key query (IDi, ti). The challenger first generates the secret key SKi corresponding to IDi, then responds by running algorithm PKD to generate the proxy secret key SK its corresponding to the time segmentation ti. It sends SK its to the adversary. • Decryption query (IDi, Ci, ti). The challenger runs algorithm D to decrypt the ciphertext Ci using the secret key SK. It sends the resulting plaintext to the adversary. (3) The adversary generates a request challenge ðID ; t ; M 0 ; M 1 Þ. Here, M0 and M1 are equal length plaintext, ID is an identity and did not appear in any extraction query in the second step, ðID ; t Þ did not appear in any proxy secret key of query in the second step. The challenger picks a random bit b 2 f0; 1g and sets C ¼ EðPM; ID ; t ; M b Þ. It sends C* as the challenge to the adversary. (4) The adversary issues more queries qmþ1 ; qmþ2 ; . . . ; qn where query is one of • Extraction query (IDi) where IDi 6¼ ID . • Proxy secret key query (IDi, ti) where ðIDi ; ti Þ 6¼ ðID ; t Þ. Challenger responds as the second step. • Decryption query ðIDi ; C i ; ti Þ where ðIDi ; C i ; ti Þ 6¼ ðID ; C ; t Þ. Challenger responds as the second step. At the end of the game the adversary outputs b0 2 f0; 1g and wins the game if b0 ¼ b. The adversary’s advantage is the absolute value of the difference between its success probability and 1/2. 3.3. A ID-based PCBTS scheme based on the computational BDH assumption Now, we convert the PCBTS scheme in Section 2 into ID-based PCBTS scheme. The scheme is described as follows: The algorithm Sð1k Þ does the following: (1) Run IGð1k Þ to generate groups G1, G2 of prime order q and bilinear map e. (2) Select a random generator P 2 G1 and a random s 2 Z q . Set P pub ¼ P s . (3) Choose a cryptographic hash function H 0 : f0; 1g ! G1 . Choose a cryptographic hash function n H 1 : f0; 1g ! G1 . Choose a cryptographic hash function H 2 : f0; 1g ! Z q . Choose a cryptographic n hash function H 3 : G2 ! f0; 1g . (4) The system parameter is PM ¼ ðG1 ; G2 ; e; P ; P pub ; H 0 ; H 1 ; H 2 ; H 3 Þ. The master key is s. The message space is M ¼ f0; 1gnk . Here 0 < k < n. The ciphertext space is C ¼ G1 G1 f0; 1gn . The algorithm EXTðPM; s; IDÞ does the following: (1) Compute QID ¼ H 0 ðIDÞ 2 G1 . (2) Set the secret key d ID to be d ID ¼ sQID where s is the master key. The algorithm PKDðPM; ID; d ID ; tÞ does as follows: (1) Compute QID ¼ H 0 ðIDÞ. d ID ID d ID (2) Choose a random d 2 Z q , Set S ID t ¼ d ID H 1 ðtÞ , and T t ¼ P . The proxy secret key PSK ¼ ðS t ; T t Þ. The algorithm EðPM; ID; t; MÞ does as follows: (1) (2) (3) (4) (5) Compute QID ¼ H 0 ðIDÞ. Choose a random r1 2 f0; 1gk , set C 1 ¼ P r2 , where r2 ¼ H 2 ðMkr1 Þ. Set C 2 ¼ H 1 ðtÞr2 . Set C 3 ¼ ðMkr1 Þ H 3 ðgÞ, where g ¼ eðP pub ; QID Þr2 . Output C ¼ ðt; C 1 ; C 2 ; C 3 Þ. The algorithm DðPM; ID; t; d ID ; CÞ does as follows: (1) Compute g0 ¼ eðC 1 ; d ID Þ. Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 4105 (2) Compute M 0 ¼ C 3 H 3 ðg0 Þ. (3) Set r2 ¼ H 2 ðM 0 Þ. Test whether the equation C 1 ¼ P r2 holds. If not, reject the ciphertext. (4) Output M, where M is the first n k bits of M 0 . We verify consistency. During encryption ðMkr1 Þ is bitwise exclusive-ored with the hash of g. During decryption C3 is bitwise exclusive-ored with the hash of g 0 . These masks used during encryption and decryption are the same since: s r s r g0 ¼ eðC 1 ; d ID Þ ¼ eðP r2 ; ðQID Þ Þ ¼ eðP ; QID Þ 2 ¼ eðP pub ; QID Þ 2 ¼ g Thus, decryption recovers M. The algorithm PDðPM; ID; PSK; t; CÞ does the following: (1) (2) (3) (4) 1 ID Compute g0 ¼ eðC 1 ; S ID t Þ eðT t ; C 2 Þ . 0 0 Compute M ¼ C 3 H 3 ðg Þ. Set r2 ¼ H 2 ðM 0 Þ. Test whether the equation C 1 ¼ P r2 holds. If not, reject the ciphertext. Output M, where M is the first n k bits of M 0 . We verify consistency. During encryption ðmkr1 Þ is bitwise exclusive-ored with the hash of g. During decryption C3 is bitwise exclusive-ored with the hash of g 0 . These masks used during encryption and decryption are the same since: ID g0 ¼ eðC 1 ; S ID t Þ eðT t ; C 2 Þ 1 d r ¼ eðP r2 ; d ID H 1 ðtÞ Þ eðP d ; H 1 ðtÞ 2 Þ s d s r s r ¼ eðP r2 ; ðQID Þ Þ eðP r2 ; H 1 ðtÞ Þ eðP d ; H 1 ðtÞ 2 Þ 1 1 s d d 1 ¼ eðP r2 ; ðQID Þ Þ eðP r2 ; H 1 ðtÞ Þ eðP r2 ; H 1 ðtÞ Þ r ¼ eðP r2 ; ðQID Þ Þ ¼ eðP ; QID Þ 2 ¼ eðP pub ; QID Þ 2 ¼ g ð2Þ Thus, decryption recovers M. We can ensure the security of the proposed scheme from following Theorem 3.1. Theorem 3.1. The ID-PCBTS scheme is secure. Proof of theorem 3.1. The proof of the theorem uses the technique of analyzing the Fullident scheme in [8]. Suppose there exists an adversary A against the ID-PCBTS scheme with advantage . We can construct an STS-CCA adversary B that uses A to attack the PCBTS scheme. The game between the challenger and adversary B starts with the challenger first generating a random public key PK ¼ ðG1 ; G2 ; e; P ; P pub ; Q; H 1 ; H 2 ; H 3 Þ by running key generation algorithm G of the PCBTS scheme. The challenger gives PK to algorithm B. Algorithm B works by interacting with A in an ID-STS-CCA game as follows: Setup Algorithm B gives A the ID-PCBTS scheme’s system parameters PM = (G1, G2, e, P, Ppub, H0, H1, H2, H3). Here G1, G2, e, P, Ppub, H1, H2, H3 are taken from PK, and H0 is a random oracle controlled by B as described below: H0-queries: At any time algorithm A can query the random oracle H0. To responds to these queries algorithm B maintains a list of tuples ðIDi ; Qi ; bi ; ci Þ as explained below. We refer to this list as the H list 0 . The list is initially empty. When A queries the oracle H0 at a point IDi algorithm B responds as follows: (1) If the query IDi already appears on the H list 0 in a tuple ðIDi ; Qi ; bi ; ci Þ then algorithm B responds with H 0 ðIDi Þ ¼ Qi 2 G1 . (2) Otherwise, B generates a random coin 2 f0; 1g so that Pr½coin ¼ 0 ¼ d. (3) Algorithm B picks a random bi 2 Z q . If coin ¼ 0 compute Qi ¼ P b . If coin ¼ 1 compute Qi ¼ Qb . (4) Algorithm B adds the tuple ðIDi ; Qi ; bi ; ci Þ to the H list 0 and responds to A with H 0 ðIDi Þ ¼ Qi . Hj-queries (j = 1, 2, 3): When algorithm issues queries to Hj (j = 1, 2, 3), algorithm B relay the queries to challenger and relay the challenger’s responds back to A. 4106 Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 Secret key queries before challenge: Let IDi be a secret key extraction query issued by algorithm A. Algorithm B responds to this queries as follows: (1) Run the above algorithm for responding to H0-queries to obtain a Qi 2 G1 such that H 0 ðIDi Þ ¼ Qi . Let ðIDi ; Qi ; bi ; ci Þ be the corresponding tuple on the H list 0 . If ci ¼1 then B reports fail and terminates. (2) Otherwise, set Qi ¼ P bi . Define d i ¼ ðP pub Þbi . Observe that d i ¼ Qi and therefore di is the secret key associated to the IDi. Give di to algorithm A. Proxy secret key queries before challenge: Let (IDi, ti) be a proxy secret key queries issued by algorithm A. Algorithm B responds as follows: (1) Run the above algorithm for responding to H0-queries to obtain a Qi 2 G1 such that H 0 ðIDi Þ ¼ Qi . Let ðIDi ; Qi ; bi ; ci Þ be the corresponding tuple on the H list 0 . If coin ¼1 then B reports fail and terminates. (2) Otherwise, B issue proxy secret key query ti to challenger. When B receives the response (Si, Ti) from challenge, it responds to A with ððS i Þbi ; ðT i Þbi Þ. Decryption queries before challenge: Let ðIDi ; C i ; ti Þ be a decryption query issued by algorithm A. Let C ¼ ðti ; C i1 ; C i2 ; C i3 Þ. Algorithm B responding to this queries as follows: i (1) Run the above algorithm for responding to H0-queries to obtain a Qi 2 G1 such that H 0 ðIDi Þ ¼ Qi . Let ðIDi ; Qi ; bi ; ci Þ be the corresponding tuple on the H list 0 . (2) If ci ¼ 0, run the algorithm for responding to secret key queries to obtain the secret key for the IDi. Then use the secret key to respond to the decryption query. (3) If ci ¼ 1; Qi ¼ Qbi is hold, do as follows: b b • Set C iID ¼ ðti ; ðC i1 Þ i ; ðC i2 Þ i ; C i3 Þ. • Relay the decryption query C iID to the challenger and relay the challenger’s response back to A. Challenge: The algorithm A generates a request challenge ðID ; t ; M 0 ; M 1 Þ. Here, M0 and M1 are equal length plaintext, ID is an identity and did not appear in any extraction query before challenge, ðID ; t Þ did not appear in any proxy secret key of query before challenge. Algorithm B does as follows: (1) Algorithm B gives the challenger (t*, M0, M1) that it wishes to be challenged on. The challenger responds with a PCBTS scheme ciphertext C ¼ ðt ; C 1 ; C 2 ; C 3 Þ such that C* is the encryption of Mb for a random b 2 f0; 1g selected by the challenger. (2) B run the above algorithm for responding to H0-queries to obtain a Q 2 G1 such that H 0 ðID Þ ¼ Q . Let ðID ; Q ; b ; Þ be the corresponding tuple on the1 H list c ¼1 then B reports fail and terminates. 0 . If 1 b bi b1 (3) Otherwise, Q ¼ Q is hold. Set C ID ¼ ðt ; ðC 1 Þ ; ðC 2 Þ ; C 3 Þ, where b1 i is the inverse of b mod q. Algorithm B responds to A with the challenge C ID . Secret key queries after challenge: Let IDi be a secret key extraction query issued by algorithm A and IDi 6¼ ID . Algorithm B responds to secret key queries in the same way it did in secret key queries before challenge. Proxy secret key queries after challenge: Let (IDi, ti) be a proxy secret key query issued by algorithm A and ðIDi ; ti Þ 6¼ ðID ; t Þ. Algorithm B responds to proxy secret key queries in the same way it did in secret key queries before challenge. Decryption queries after challenge: Let ðIDi ; C i ; ti Þ be a decryption query issued by algorithm A and ðIDi ; C i ; ti Þ 6¼ ðID ; C ID ; t Þ. Algorithm B responds to decryption key queries in the same way it did in secret key queries before challenge. Guess: Eventually algorithm A outputs b 0 for b. Algorithm B outputs b 0 as its guess for b. Let S1 be the event that A issues a secret key query of causing algorithm B to abort. Let S2 be the event that A issues a proxy secret key query during that causes algorithm B to abort. Let S3 be the event that A choose a Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 4107 public key ID to be challenged, which causes algorithm B to abort. Let S4 be the event that after challenge Algorithm A issues a decryption query (IDi, Ci) so that the decryption query that B would relay to the challenger is equal to C*. Refer to the method of [8], the probability that algorithm B is not abort is Pr½+ S 1 ^ + S 2 ^ + S 3 ^ + S 4 6 dqE þqP þqD ð1 dÞ Here, qE þ qP þ qD is the maximum number made by the adversary A. Pr½+ S 1 ^ + S 2 ^ + S 3 ^ + S 4 is maximized at dopt ¼ 1 1=ðqE þ qP þ qD þ 1Þ. Using dopt , the probability that B does not abort is at least 1 . So, algorithm B’s advantage is at least eðq þq þq þ1Þ and is not negligible. eðqE þqP þqD þ1Þ E P D So, from Theorem 2.1, we know that the ID-PCBTS scheme is secure. h 4. Conclusion In this paper, we have proposed a practical mode of proxy cryptosystem: proxy cryptosystem based on time segmentation (PCBTS). Under this mode, we presented the security model of PCBTS and ID-based PCBTS. At the same time, the corresponding schemes of PCBTS and ID-based PCBTS are given. Our schemes are practical in e-commence scenario. References [1] M. Bellare, A. Desai, D. Pointcheval, P. Rogaway, Relations among notions of security for public-key encryption schemes, in: Advances in Cryptology – CRYPTO’98, LNCS, vol. 1462, 1998, pp. 26–45. [2] M. Bellare, S.K. Miner, A forward-secure digital signature scheme, in: Advances in Cryptology – Crypto’99, LNCS, vol. 1666, 1999, pp. 431–448. [3] M. Bellare, A. Palacio, Towards plaintext-aware public-key encryption without random oracles, in: Advances in Cryptology – Asiacrypt 2004, LNCS, vol. 3329, 2004, pp. 48–62. [4] M. Bellare, A. Yee, Forward security in private-key cryptography, in: CT-RSA 2003, LNCS, vol. 2612, 2003, pp. 1–18. [5] M. Blaze, G. Bleumer, M. Strauss, Divertible protocol and atomic proxy cryptography, in: Advances in Cryptology – Eurocrypt ’98, LNCS, vol. 1403, 1998, pp. 127–144. [6] D. Boneh, X. Boyen, Efficient selective-ID secure identity-based encryption without random oracle, in: Advances in Cryptology – Eurcocrypt 2004, LNCS, vol. 3027, 2004, pp. 223–238. [7] D. Boneh, X. Boyen, Hierarchical identity-based encryption with constant size, in: Advances in Cryptology – Eurcocrypt 2005, LNCS, vol. 3494, 2005, pp. 440–456. [8] D. Boneh, M. Franklin, Identity based encryption from the Weil pairing, in: Advances in Cryptology – Crypto 2001, LNCS, vol. 2139, 2001, pp. 213–229. [9] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, in: Advances in Cryptology – Asiacrypt 2002, LNCS, vol. 2248, 2001, pp. 514–532. [10] R. Canetti, S. Halevi, J. Katz, A forward-secure public-key encryption scheme, in: IEE Proceedings – Computers and Digital Eurocrypt 2003, LNCS, vol. 2656, 2003, pp. 255–271. [11] E. Fujisaki, T. Okamoto, How to enhance the security of public-key encryption, IEICE Trans. Fundam. E83-A (1) (2000) 24–32. [12] C. Gentry, A. Silverberg, Hierarchical identity-based cryptography, in: Advances in Cryptology – Asiacrypt 2002, LNCS, vol. 2501, 2002, pp. 548–566. [13] S. Goldwasser, S. Micali, Probabilistic encryption, J. Comput. Syst. Sci. 28 (1984) 270–299. [14] H.F. Hang, C.C. Chang, A novel efficient (t, n) threshold proxy signature scheme, Inform. Sci. 176 (10) (2006) 1338–1349. [15] C.L. Hsu, K.Y. Tsai, P.L. Tsai, Cryptanalysis and improvement of nonrepudiable threshold multi-proxy multi-signature scheme with shared verification, Inform. Sci. 177 (2) (2006) 543–549. [16] M. Jakobsson, On quorum controlled asymmetric proxy re-encryption, in: Proceedings of Public Key Cryptography 1999, LNCS, vol. 1560, 1999, pp. 112–121. [17] M. Mambo, E. Okamoto, Proxy cryptosystem: delegation of a power to decrypt ciphertexts, IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E80-A/1 (1997) 54–63. [18] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures for delegating signing operation, in: Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS), New Delhi, India, 1996, pp. 48–57. [19] M. Mambo, K. Usuda, E. Okamoto, Proxy signatures delegation of the power to sign message, IEICE Trans. Functional E79-A (9) (1996) 1338–1354. 4108 Y. Zhou et al. / Information Sciences 177 (2007) 4095–4108 [20] C. Rackoff, D. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in: Advances in Cryptology – CRYPTO’91, LNCS, vol. 576, 1992, pp. 433–444. [21] L. Wang, Z. Cao, E. Okamoto, Y. Miao, T. Okamoto, Transformation-free proxy cryptosystems and their applications to electronic commerce, in: Proceedings of Infosecu ’04, 2004, pp. 92–98. [22] Yuan Zhou, Zhenfu Cao, Zhenchuan Chai, An efficient proxy-protected signature scheme based on factoring, in: Proceedings of ISPA Workshops 2005, LNCS, vol. 3759, 2005, pp. 332–341. [23] Yuan Zhou, Zhenfu Cao, Zhenchuan Chai, Construct secure proxy cryptosystem, in: Proceedings of CISC2005, LNCS, vol. 3820, 2005, pp. 150–161.
© Copyright 2024