Realizing Proxy Re-encryption in the Symmetric ... - Semantic Scholar

Realizing Proxy Re-encryption in the Symmetric World Amril Syalim, Takashi Nishide, and Kouichi Sakurai Department of Informatics, Kyushu University, Fukuoka, Japan [email protected],{nishide,sakurai}@inf.kyushu-u.ac.jp

Abstract. Proxy re-encryption is a useful concept and many proxy reencryption schemes have been proposed in the asymmetric encryption setting. In the asymmetric encryption setting, proxy re-encryption can be beautifully implemented because many operations are available to directly transform a cipher to another cipher without the proxy needs to access the plaintexts. However, in many situations, for a better performance, the data is encrypted using symmetric ciphers. Most symmetric ciphers do not support proxy cryptography because of malleability (that is needed to implement the proxy re-encryption) is not a desired property in a secure encryption scheme. In this paper, we suggest an idea to implement a pure proxy re-encryption for the symmetric ciphers by first transforming the plaintext into a random sequence of blocks using an All or nothing transform (AONT). We show an example of the proxy re-encryption scheme using a weak encryption (i.e. simple permutation) that has a simple conversion function to convert a permutation to another. The encryption scheme exploits three characteristics of an AONT transformation: (1) the output of an AONT is a pseudorandom, (2) the output of an AONT cannot be transformed back if any parts is missing, and (3) the output of an AONT cannot be transformed back without having all blocks with correct position. We show security argument of the proposed scheme and its performance evaluation. Key words: Database Encryption, Symmetric Key Encryption, Proxy Re-encryption, All or Nothing Transform (AONT)

1

Introduction

Proxy cryptography is a useful concept that can be applied in many contexts. An example is when a data owner store his/her data in a server in the Internet so that the data can be accessed from anywhere at anytime. Although this model has many advantages, the data owner should consider the security of his/her confidential data, because without additional security mechanisms an attacker (who breaks the security of the server) and also the database administrator can do anything to the data: accessing, updating or removing the data. The data owner can implement an access control mechanism to secure their data. The access control mechanism is normally implemented by a trusted reference monitor in the server that intercepts access to the data. In an untrusted

2

Amril Syalim et al.

server, this solution is not convenient and cost-heavy because the data owner needs to install a trusted hardware in the server securely. The access control can also be implemented by using cryptography (encryption mechanism). This method is convenient because the data owner does not need to interact with the data service provider (to set up a trusted hardware). The data owner encrypts the sensitive data and stores the encrypted data in the server. The data owner can share the data (granting access) to other users accessing the database by providing the encryption keys. However, there are some inflexibilities with the encryption solution and access granting by providing the encryption keys. A user who has the encryption key can always decrypt the data–although the user’s access right has been revoked. To completely revoke the access of the user, the data owner needs to re-encrypt the data with a new key. Using a naive solution, re-encryption is a costly computation, because basically the data owner needs to download the data, decrypt the data and encrypt with the new key and then upload the data to the database. A promising solution is by securely delegating re-encryption mechanism to a proxy in the database server. Before re-encryption, the owner only needs to send a re-encryption key to the proxy. The proxy re-encrypt the data without the need to decrypt any parts of the data. The proxy should be a semi-trusted party: it should execute the protocol correctly even though we do not trust the proxy accessing unencrypted data. To implement the proxy re- encryption, we need to find a function that translates the ciphertext from one key to another key without having to access the plaintext. In a symmetric encryption setting, a solution is by encrypting the data using a two layers symmetric encryption [5]. Re-encryption is performed only in the second layer encryption, however, to re-encrypt the data, the proxy needs to execute two costly computations: decrypt and then encrypt. There are many solutions for proxy re-encryption in the public-key world [1, 4, 8, 11]. The problem with these schemes is the schemes cannot be applied directly to the database because, for performance reason, the database is normally encrypted using symmetric key encryption. The public-key proxy re-encryption can be efficiently used to re-encrypt the private key that is used to encrypt the data with the symmetric ciphers [1]. However, this scheme has a weakness, because re-encrypting the key does not update the actual key used to encrypt data (the key of the symmetric encryption), so the users who has the previous key can use the same key to decrypt the data. For example, the data is encrypted with a private key SK. To protect the SK, it is encrypted with the owner public key P KO . The owner grants access to another user (for instance the user A) by re-encrypting SK using the user A’s public key P KA , so now user A can decrypt the private key SK using his/her private key. After somewhile, the owner revokes user A’s access by re-encrypting the SK using another key that cannot be decrypted by the user A (i.e. the key is re-encrypted with the user B’s public key).

Realizing Proxy Re-encryption in the Symmetric World

3

As shown in the above example, the actual secret key SK remains the same. The public-key re-encryption scheme is only used to re-encrypt the key but not the data. In the above example, the user A can always access data because he has SK even though the SK has been re-encrypted for another user. To fully revoke the user A access we need to update SK with a new key not known by the user A. Contributions of this paper: It is desirable to have the symmetric encryption scheme that can directly convert one cipher to another. However, to be able to re-encrypt one cipher directly to another, we need to have a one-way function which output can be transformed meaningfully (i.e. malleability [7])– the properties that, as we show in Appendix A, are removed from currently wide used practical one-way function (i.e. SHA or AES). We suggest a feasible solution by first transforming the data using an All or Nothing Transform (AONT) and exploits some of its characteristics to implement efficient proxy re-encryptions schemes1 . Those useful characteristics are [6, 12]: (1) the output of an AONT is a pseudorandom (so that the probability to find the same output for two different blocks are small), (2) the output of an AONT can only be transformed back if we have all blocks with correct position, and (3) the output of an AONT cannot be transformed back if any parts is missing. By exploiting those characteristics, we can develop a symmetric cipher proxy re-encryption scheme that is weak if is used with general input plaintext, but it is strong if the input is transformed with an AONT.

2

Related Works

There are many solutions for proxy re-encryption in the asymmetric encryption world. A seminal paper by Blaze et al. [3] proposes a bidirectional proxy reencryption based on El- Gamal’s encryption. The scheme works for a generator g of a group prime order q, the private key ska = a is a randomly selected element of Z∗q and the public key pka is g a . The ciphertext ca for the message m is (g r .m, g ar ) that can be decrypted back using the private key a to get the r . A proxy can directly convert ca to ciphertext cb (for the plaintext m = (ggar.m )1/a private key skb = b ∈ Z∗q and public key pkb = g b ) using a re-encryption key rka→b = b/a. This re-encryption is possible because cb = (g r .m, (g ar )b/a ). This scheme is bidirectional, because the proxy can also compute rkb→a = a/b and if the proxy colludes with one of the users, they can recover the private key of the other user (i.e. (a/b) ∗ b = a). 1

We can also implement more efficient proxy re-encryption using asymmetric ciphers by only encrypting a small part of AONT transforms. However, this scheme has a weakness because the previous users may store this small encrypted part and use it for decrypting the message even if the encryption key in the actual data has been changed.

4

Amril Syalim et al.

Many schemes are proposed to improve the Blaze et al.’s scheme [1, 4, 8, 11]. An example is the work of Atenise et al. [1] that uses pairing. The scheme works for bilinear map e : G1 × G1 ⇒ G2 with system parameter the random generator g ∈ G1 and Z = e(g, g) ∈ G2 . The public key of the first user is pka = (Z a1 , g a2 ) and the private key is ska = (a1 , a2 ). The encrypted form of a message m ∈ G2 is ca = (g r , m.Z ra1 ) for random r ∈ Zq . The proxy can convert ca to another ciphertext using the pairing property (e(g1a , g2b ) = e(g1 , g2 )ab ) by 0 0 computing cb = (e(g r , g a1 b ), m.Z ra1 ) = (Z br , m.Z r ), for r0 = a1 r so that it can be decrypted by a second user with public key pkb = g b and the private key is 0

ska = b to get m =

(m.Z r ) . (Z br0 )1/b

Cook et al. [5] showed that the symmetric ciphers that are closed under functional composition [10] (i.e. for encryption E and message m, there exists encryption keys k1 , k2 , k3 so that Ek3 (m) = Ek2 (Ek1 (m))) has a security weakness because it is vulnerable to known plaintext attack only requiring 2|k|/2 rather than 2|k| for brute force key search. Cook et al. suggest a solution for proxy re-encryption for symmetric ciphers by using double encryption [5]. In this scheme, the owner encrypts the data m with a key k1 and re-encrypt with another key k2 to get, for example the ciphertext c = Ek2 (Ek1 (m)). To grant access to a user, the owner should provide both of keys k1 and k2 to the user. The re-encryption is done by the proxy for the second encryption by providing k2 to the proxy. During re-encryption process, the proxy can not access the data m, because the data is protected by the first encryption layer. Using this method, the proxy needs to execute two costly computations: decrypting with the old key and encrypting with the new key. Another related work in re-encryption for symmetric cipher is the work of Hirose [9]. The author develops a conversion method for cipher encrypted with Galois Counter Mode (GCM) mode. This method is not intended for proxy reencryption but to find the conversion method that is faster than decrypt-thenencrypt. The author define GCTR as encryption function without producing authentication tag in the GCM. For the plaintext P1 , .., Pn−1 , Pn∗ where Pn∗ is the last bit string and a block cipher H = E(K, 0128 ), the GCTR is defined as follows. For Yi =incr(Yi−1 ) where i = 1, ..., n, the ciphertext Ci = Pi ⊕ E(K, Yi ) for i = 1, ..., n−1, Cn∗ = Pn∗ ⊕MSBu (E(K, Yn )) where u is the number of bit of the last string. The ciphertext C is C1 ||C2 || . . . ||Cn−1 ||Cn∗ . The GCM mode encrypt by calling the function GCM-AE as folows. Let Y0 = IV ||031 1 if len(IV ) = 96 and GHASH(H, {}, IV ) otherwise. The ciphertext C =GCTR(K, Y0 , P ) and the tag T =MSBt (GHASH(H, A, C) ⊕ E(K, Y0 )) where GHASH is the function to compute the tag using Galois field with input authenticated data A and the ciphertext C. The GCM-AE produces the ciphertext C and the tag T (with length t). To re-encrypt (C A , T A ) =GCM-AE(K A , IV A , P, A) to another ciphertext and tag (C B , T B ) =GCM-AE(K B , IV B , P, A), we use the following steps: 1. produce (C R , T R ) =GCM-AE(K B , IV B , C A , A), and S A =GCTR(K A , (Y0 )A , 0|P | ) R n+1−i 2. compute C B = C R ⊕ S A and T B = T R ⊕MSBt (⊕n−1 ) i=1 Si .H

Realizing Proxy Re-encryption in the Symmetric World

5

It is easy to see the correctness of this approach because CiA = Pi ⊕ EK A (YiA ) CiR = CiA ⊕ EK B (YiB ) S A = 0|P | ⊕ EK A (YiA ) C R ⊕ S A = (Pi ⊕ EK A (YiA ) ⊕ EK B (YiB )) ⊕0|P | ⊕ EK A (YiA ) = Pi ⊕ EK B (YiB ) = CiB

Because we need to execute two encryptions, the performance of this mechanism is not much better than decrypt-then-encrypt approach.

3

Security Requirements

In this section, we describe the security requirements of the proxy re-encryption scheme. The setting of the system is a data owner stores his/her data in a semi-trusted database server. To protect the data from malicious users and also the database administrator, the owner encrypts the data before storing them in the database. The share the data to other users, the data owner provides the decryption keys so that the other users can download and decrypt the data. A semi-trusted proxy (i.e. it always executes the protocol correctly although it cannot be trusted with sensitive data) is contacted whenever the data owner needs to re-encrypt the data (to revoke user’s access, or to update the keys because the previous keys are leaked/lost to an unauthorized/unknown parties). We cannot prevent a user who has access to the data downloads and stores the data in other place. The purposes of the re-encryption scheme are not only to protect the data but also to protect the current encryption key be inferred by the previous users who have access to parts or all parts of the data. We summarize security requirements for the proxy re-encryption as follows: 1. the proxy can convert the ciphertext encrypted with one key to another without the need to decrypt or access the plaintext 2. the proxy cannot access the unencrypted data (i.e. the plaintexts) directly or when executing the proxy re-encryption protocol 3. the proxy cannot re-encrypt the data without the owner’s consent 4. a user who owns the previous decryption keys before re-encryption cannot infer/calculate the current key even if he know all plaintext, previous ciphertext and the current ciphertext 5. the encryption scheme is also secure in the standard senses (i.e. Chosen Plaintext Attack–CPA), any outside attackers cannot decrypt the data without having the correct decryption keys

6

4 4.1

Amril Syalim et al.

Security Primitives All or nothing transform (AONT)

All or nothing transform (AONT) converts s blocks message M = m0 , ..., ms−1 into a pseudo message M 0 = m00 , ..., m0n−1 for n > s so that any blocks of the original message cannot be recovered if any block of the pseudo message is missing. Rivest [12] proposed an AONT that converts the message by encrypting each block with a random key and xor-ing the random key with the hash of all blocks, so that the encryption key cannot be recovered without having all part of the pseudo message. This scheme works for n = s + 1 where for each block message M and random key K 0 compute m0i = mi ⊕ E(K 0 , i). Then, compute m0n−1 = K 0 ⊕ h1 ⊕ h2 ⊕ . . . ⊕ hs−1 where hi = E(K0 , m0i ⊕ i) and K0 is a fixed (and publicly known) key. The Rivest scheme is a specific form of the Optimal Asymmetric Encryption Padding (OAEP) proposed by Bellare et.al [2]. OAEP is intended as a padding method before encrypting with RSA. The OAEP works for parameters n and k0 0 where the OAEP transformation {0, 1}n × {0, 1}k0 ] → {0, 1}n , for n0 = n + k0 is defined as OAEP G,H (x, r) = x ⊕ G(r)||r ⊕ H(x ⊕ G(r)), where G : {0, 1}k0 → {0, 1}n is a random generator, and H : {0, 1}n → {0, 1}k0 is a hash function. The Rivest scheme is an OAEP if we assume random r as the key K 0 , G(r) as E(K 0 , 1), E(K 0 , 2), . . .) and H as h1 ⊕ h2 ⊕ . . . ⊕ hn . 4.2

Perm, DePerm and FindCK

A permutation P erm is a bijection function that takes input two sequences with the same size n. The first sequence is the permutation key k0 , k1 , ..., kn−1 where 0 ≤ ki ≤ n−1 for 0 ≤ i ≤ n−1 and ka 6= kb for a 6= b. The second sequence is any sequence s0 , s1 , ..., sn−1 for with each element has the same size b for b ≥ 1. The permutation P erm transforms the second input sequence by changing the order of the sequence according to the first input sequence (permutation key). For example a permutation P erm((3, 1, 2, 0), (a, b, c, d)) transforms the the second input into (d, b, c, a). The permutation algorithm is shown in the Algorithm 1.

Inputs: sequence size n, permutation key KEP , input P IN Outputs: permuted sequence P OU T for i = 0 to n − 1 do P OU T [i] ← P IN [KEP [i]] end for return P OU T

Algorithm 1: Permutation Algorithm

Realizing Proxy Re-encryption in the Symmetric World

7

A de-permutation DeP erm is a bijection function that takes two inputs as P erm. The difference is the DePerm converts back the second sequence that has been permuted using the P erm. An example is DePerm((3, 1, 2, 0), (d, b, c, a)) = (a, b, c, d). The DePerm an algorithm is shown in the Algorithm 2.

Inputs: sequence size n, permutation key KEP , input DP IN Outputs: de-permuted sequence DP OU T for i = 0 to n − 1 do DP OU T [KEP [i]] = DP IN [i] end for return DP OU T

Algorithm 2: DePermutation Algorithm

An output of a permutation can be converted directly to an output of another permutation by finding a conversion key CK. The conversion key of a permutation key KPA to permutation key KPB is a permutation key so that for input sequence InSeq, P erm(KPB , InSeq) = P erm(CK, P erm(KPA , InSeq). We can find the conversion key CK easily if we have the first permutation key KPA and the second permutation key KPB using algorithm shown in the Algorithm 3. Inputs: sequence size n, first permutation KPA , and second permutation KPB Outputs: the conversion key CK for i = 0 to n − 1 do for j = 0 to n − 1 do if KPA [i] == KPB [j] then CK[j] = i break end if end for end for return CK

Algorithm 3: Find Conversion Key Algorithm

4.3

Permutation Key Generator (PGen)

The permutation key generator is used to generate permutation keys where each of them consists of a sequence of distinct numbers from 0 to n−1. A permutation key can be generated from a smaller size of key using a function that takes input a key k and the number of elements in the sequence (n). The function has a property that without knowing the key k, the output cannot be computed better than a random guess. We implement the function using a deterministic

8

Amril Syalim et al.

encryption function E(k, p) that takes an input k and a plaintext p using the algorithm shown in the Algorithm 4.

Prepare n log n bits input and store in array A with n elements Fill each element of the array with the number 0 to n − 1 for i = 0 to n − 1 do tmp = E(k, i) tmp = log n bits of the least significant bits of tmp swap A[i] with A[tmp] end for return A

Algorithm 4: Permutation Key Generation Algorithm

5 5.1

Using All-or-nothing transformation to develop a symmetric cipher proxy re-encryption scheme Preliminaries

Let m0 , m2 , ..., ms−1 is a sequence of s blocks message where the size of each mi is b. A proxy re-encryption algorithm PR is a quintiple algorithms = (G, E, D, RG, RE) where: – G is a key generation algorithm that regenerate random keys to be used by E – E is the encryption algorithm that converts s blocks input m0 , m1 , ..., ms−1 that outputs n blocks ciphertext c0 , c1 , ..., cn−1 using keys generated by G – D is the decryption algorithm that transforms the ciphertext c0 , c1 , ..., cn−1 back into the plaintext m0 , m1 , ..., ms−1 – RG is an algorithm to generate keys for re-encryption algorithm RE A A – RE is the re-encryption algorithm that transforms the ciphertext cA 0 , c1 , ..., cn−1 B B B encrypted with private key KA into ciphertext c0 , c1 , ..., cn−1 encrypted with private key KB 5.2

Symmetric Cipher Proxy Re-encryption algorithm

The proxy re-encryption algorithm PR = (G, E, D, RG, RE) works on b × s bits message m = m0 , m2 , ..., ms−1 where the message is divided into s blocks with size b. – Key Generation (G) • The data owner generates three random keys K1 , K2 , and K3 with the size the same as k in the permutation generator algorithm in Section 4.3. • The data owner generates a random b bits XOR key KX .

Realizing Proxy Re-encryption in the Symmetric World

9

– Encryption (E). The data owner encrypts the message m using the keys K1 , K2 , K3 , and KX . • Transform the message m = m0 , m2 , ..., ms−1 using an AONT that outputs a b × n pseudo message m0 = m00 , m01 , ..., m0n−1 • Generate three permutation keys P1 , P2 and P3 using the permutation generator algorithm (in Section 4.3) with inputs (K1 , b), (K2 , b) and (K3 , n) respectively. • Apply the permutation with key P3 to all blocks (the size of each element in the sequence m0 is b bits) m0 = P erm(P3 , m0 ) • For i = 0 to n − 1, apply the following transformation for each block m0i (now the size of each element in the sequence m0i is 1 bit): c0 = P erm(P1 , m00 ) ⊕ P erm(P2 , KX ) ci = P erm(P1 , m0i ) ⊕ P erm(P2 , ci−1 ) – Decryption (D). To decrypt the ciphertext c, a user needs to have all keys K1 , K2 , K3 , and KX . • Generate three permutation keys P1 , P2 and P3 using the permutation generator algorithm (in Section 4.3) with inputs (K1 , b), (K2 , b) and (K3 , n) respectively. • For i = n − 1 to 0 apply the following transformation for each block ci to get m0i : m0i = DeP erm(P1 , ci ⊕ P erm(P2 , ci−1 ) m00 = DeP erm(P1 , c0 ⊕ P erm(P2 , KX )) • Apply the DePermutation with key P3 to all blocks: m0 = DeP erm(P3 , m0 ) • Transform the pseudo message m0 = m00 , m01 , ..., m0n−1 back using AONT to get the original message m = m0 , m2 , ..., ms−1 – Re-encryption Key Generation (RG). The data owner generates the reencryption keys that are sent to the proxy for re-encrypting the ciphertext with the new keys • Generate three new random keys K10 , K20 , and K30 0 • Generate a new random b bits XOR key KX 0 • Find the conversion key from K1 to K1 : CK1 = F indCK(P Gen(K1 , b), P Gen(K10 , b) that produces b log b bits conversion key CK1 • Find the conversion key from K3 to K30 : CK3 = F indCK(P Gen(K3 , n), P Gen(K30 , n) that produces n log n bits conversion key CK3 0 • Re-encryption keys are CK1 , CK3 , KX , KX , K2 and K20 – Re-Encryption (RE). The proxy re-encrypts the ciphertext c using the 0 re-encryption keys CK1 , CK3 , KX , KX , K2 and K20 :

10

Amril Syalim et al.

• Compute P2 = P Gen(K2 ) and P20 = P Gen(K20 ) • For i from n − 1 to 0 apply the following transformation: c0i = P erm(CK1 , ci ⊕ P erm(P2 , ci−1 )) c00 = P erm(CK1 , c0 ⊕ P erm(P2 , KX )) • Apply the permutation with key CK3 to all blocks c0 = P erm(CK3 , c0 ) • For i = 0 to n − 1 apply the following transformation for each block c: 0 c00 = c00 ⊕ P erm(P20 , KX )

c0i = c0i ⊕ P erm(P20 , c0i−1 ) Correctness of the re-encryption algorithm The ciphertext of each block before re-encryption is as follows: m0 = P erm(P3 , m0 ) c0 = P erm(P1 , m00 ) ⊕ P erm(P2 , KX ) ci = P erm(P1 , m0i ) ⊕ P erm(P2 , ci−1 ) To re-encrypt, we use the following equalities: P erm(P1 , m00 ) = c0 ⊕ P erm(P2 , KX ) P erm(P1 , m0i ) = ci ⊕ P erm(P2 , ci−1 )) P erm(CK1 , P erm(P1 , ci )) = P erm(P10 , ci ), and P erm(CK3 , P erm(P3 , c0 )) = P erm(P30 , c0 ) To re-encrypt, first the proxy transforms c0 using the following transformation for i from n − 1 to 0 to converts key P1 to P10 : c0i = P erm(CK1 , ci ⊕ P erm(P2 , ci−1 )) = P erm(P10 , m0i ) c00 = P erm(CK1 , c0 ⊕ P erm(P2 , KX )) = P erm(P10 , m00 ) Then permute the results using CK3 to convert P3 to P30 : c0 = P erm(CK3 , c0 ) = P erm(P30 , c0 ) The last step is to apply the following transformation for i = 0 to n − 1 that 0 converts the P2 to P20 and KX to KX : 0 0 c00 = c00 ⊕ P erm(P20 , KX ) = P erm(P10 , m00 ) ⊕ P erm(P20 , KX )

c0i = c0i ⊕ P erm(P2 , c0i−1 ) = P erm(P10 , m0i ) ⊕ P erm(P20 , c0i−1 ) All of these steps correctly convert the keys from K1 , K2 , K3 and KX to 0 K10 , K20 , K30 and KX .

Realizing Proxy Re-encryption in the Symmetric World

6

11

Security Analysis

Using this scheme, to encrypt the pseudomessage, we use the following formula: m0 = P erm(P3 , m0 ) c0 = ci =

P erm(P1 , m00 ) ⊕ P erm(P2 , KX ) P erm(P1 , m0i ) ⊕ P erm(P2 , ci−1 )

(1) (2) (3)

We classify three types of potential attackers. They are the previous users, the proxy and the outsiders. 6.1

The previous users

The previous users are the users who were previously granted access by providing the previous correct encryption keys. The previous users may store some parts or all of the pseudomessages (which has not been changed when updating the keys) and also the unencrypted data in their previous access sessions. The previous users may also store all or parts of the previous ciphertexts and they can access all of the current ciphertexts. The purpose of the previous user’s attacks is to find the new encryption keys which are not authorized to have. (One motivation of the previous users to get the new keys eventhough he/she may store the unencrypted data locally is to easily share the data to other users by sharing the new encryption–it is more convenient to share the data by only sharing the keys rather than the large data). We analyze the security of this scheme against the previous users by playing a Known Plaintext Attack (KPA) game. The rationale of this game is that the output of an AONT is a pseudorandom, so that each pseudo-message is unique (there is no two exactly same blocks of pseudomessages). It should be noted that we assume the proxy does not collude with any previous users. It is easy to check that the previous user can recover the current encryption key if he/she get the re-encryption key. (However, as a comparison, even a costly double encryption method [5] is not resistant to the collusion attack). Known Plaintext Attack (KPA) game ReEnckpa U A,Π for previous user U A and proxy re-encryption scheme Π: 1. The previous user has access to all pseudomessages (m0 ) and the ciphertexts (c). 2. The previous user chooses two pseudomessage blocks m0a and m0b and sends the indexes a and b to an encryption oracle 3. The encryption oracle chooses one of the indexes j = a or b and sends back cj = P erm(P1 , m0j ) ⊕ P erm(P2 , cj−1 ) if j > 0 and cj = P erm(P1 , m00 ) ⊕ P erm(P2 , KX ) for j = 0 4. The previous user chooses k = a or b. The previous user wins if k = j. If the previous user wins ReEnckpa U A,Π = 1 otherwise 0.

12

Amril Syalim et al.

We should show that the advantage of the previous user is very small (represented by a small number ). Pr[ReEnckpa U A,Π = 1] ≤

1 + 2

Theorem 1. If each of the outputs of AONT m0 and the ciphertext c is unique and pseudorandom, and the output of permutation key generator (described in Section 4.3) is pseudorandom, the proxy re-encryption scheme shown in Section 5.2 is secure in the Known Plaintext Attack (KPA) game ReEnckpa U A,Π . Proof. From the equation 1, to guess j, the previous user UA should guess the permutation key P3 . Because P3 is pseudorandom it cannot be guessed better than the random guess (we can prove formally by showing that the problem to guess the bits of the permutation key is the same as the problem to guess the outputs of underlying encryption function E(k, p) used in P Gen described in Section 4.3). – The previous user tries to find the first log n bits of the key P3 by comparing m0a and m0b with cj • Because each cj does not reveal either the number of 0s or 1s bits of the m0a and m0b , the previous user cannot guess the permutation key by checking the number of 0s or 1s bits • The previous users can guess the permutation with success probability 1 2 (by assuming that the outputs of E(k, p) are pseudorandom). – To win the game, the previous user should solve the equation c0 = P erm(P1 , m00 )⊕ P erm(P2 , KX ) and ci = P erm(P1 , m0i ) ⊕ P erm(P2 , ci−1 ) (equations 2 and 3) • The previous users cannot reduce ci = P erm(P1 , m0i ) ⊕ P erm(P2 , ci−1 ) into ca + cb = P erm(P1 , m0a + m0b ) or ca + cb = P erm(P1 , ca−1 + mb−1 ) by xor-ing two equations because each mi and ci−1 is unique. • The previous user should solve the ci = P erm(P1 , m0i ) ⊕ P erm(P2 , ci−1 ) directly. – Because P1 and P2 are also pseudorandom (by assuming that E(k, p) is secure), the previous user do not have better advantage than random guessing. 6.2

The proxy

The proxy is the semi-trusted entity that converts the ciphertexts from one key to another key without decrypting the data. The proxy does not have access to the pseudo messages, the data, or any previous keys. However, the proxy has 0 access to all re-encryption keys (CK1 , CK3 , KX , KX , K2 and K20 ), all previous ciphertexts and all current ciphertexts. Although the proxy correctly executes the re-encryption protocol he/she may try to decrypt some ciphertexts or to infer any current encryption/decryption keys. We analyze the security of this scheme againts the proxy in a Ciphertext Only Attack (COA) game.

Realizing Proxy Re-encryption in the Symmetric World

13

Ciphertext Only Attack (COA) game ReEnccoa PA,Π for the proxy PA and proxy re-encryption scheme Π: 1. The proxy has access to all the ciphertexts (c). 2. The proxy chooses two ciphertext blocks c0a and c0b and sends the indexes a and b to a decryption oracle 3. The encryption oracle chooses one of the indexes j = a or b and sends back the plaintext mj or m0 where m0j = DeP erm(P1 , ci ⊕P erm(P2 , ci−1 ) if j > 0 and m00 = DeP erm(P1 , c0 ⊕ P erm(P2 , KX )) for j = 0 4. The proxy chooses k = a or b. The previous user wins if k = j. If the previous user wins, ReEnccoa PA,Π = 1, otherwise 0. We should show that the advantage of the proxy is very small (). Pr[ReEnccoa PA,Π = 1] ≤

1 + 2

Theorem 2. If each of the outputs of AONT m0 and the ciphertext c is unique and pseudorandom, and the output of permutation key generator (described in Section 4.3) is pseudorandom, the proxy re-encryption scheme shown in Section 5.2 is secure in the Ciphertext Only Attack (COA) game ReEnccoa PA,Π . Proof. To win the ciphertext only game, the proxy should guess a large number bits of the keys as shown below: 1. The proxy tries to guess the correct j. Because P1 and P2 are pseudorandom (by assuming that E(k, p) is secure), eventhough the proxy knowns P2 , the proxy cannot guess P1 better that random guessing, so guessing j is also no better than random guessing. To check the correctness of the guessing, the proxy should decrypt the ciphertext. However, to decrypt any blocks, the proxy should find all correct bits of the key for all blocks of the pseudo messages. So, before correctly decrypting all ciphertexts to get all blocks of the pseudo messages, the proxy cannot check the correctness of j. 2. The proxy tries to guess the current keys (P1 and P3 ) using the re-encryption keys. However without knowing the previous keys, the proxy cannot infer anything about the current keys (by assuming that encryption function E(k, p) used in P Gen is secure). 3. What can be done by the proxy is to try to guess all possible keys (brute force attack) and decrypting all blocks for each guessing. This attack is impractical for a large number of blocks of the pseudo messages.  6.3

The outsiders

The outsiders are the other attackers that cannot be classified into the previous users or the proxy. The outsiders do not have access to any of the previous keys, any re-encryption keys or any pseudomessage. However, we assume the outsiders have access to all ciphertexts (previous or current ciphertext). The purposes of the outsider’s attack are to decrypt any parts of the ciphertext or finding any

14

Amril Syalim et al.

keys. The outsider’s game is similar to the proxy game in Section 6.2 except that the outsider does not know the P2 . So the outsider has less security advantage than the proxy.

7

Performance Evaluation

We analyze the performance of the scheme by calculating the computation costs to execute the scheme. Table 1 shows the computation costs that are needed by the scheme for the key generation (KeyGen), encryption (Enc), decryption (Dec), re-encryption key generation (ReKeyGen), and re-encryption (ReEnc). The computational costs are represented by the number of executions of the primitives for n number of blocks. The primitives are: AONT transform/detransform (AONT), permutation (P erm), de-permutation (DeP erm), finding conversion key (F indCK), permutation key generation (P Gen), random bits generation (RandGen) and XOR operation (⊕).

Table 1. The number of primitives execution Primitives KeyGen Enc Dec ReKeyGen ReEnc AONT 1 1 P erm 2n + 1 3n + 1 DeP erm 2n + 1 F indCK 2 P Gen 3 3 4 2 4 4 RandGen XOR (⊕) n n 2n

P erm, DeP erm, F indCK, and XOR are cheap operations. The costs of AONT, P Gen and RandGen operations are linear to a symmetric cipher operation. For example, the AONT scheme proposed by Rivest needs 2n encryption operations [12]. As shown in Table 1, the costs of key generation and re-encryption key generation are linear to symmetric cipher operations because key generation needs 4 random bits generations (RandGen) while re-encryption keys generation needs 2 operations of find conversion key (F indCK), 4 permutation key generations (P Gen) and 4 random bits generations (RandGen). The costs of encryption and decryption are also linear to symmetric cipher operations because encryption needs execution of an AONT transform, 2n + 1 permutations, 3 permutation key generations, and n times XOR, while decryption needs execution of an AONT transform, 2n + 1 de-permutations, 3 permutation key generations, and n times XOR. Re-encryption in this scheme is very efficient because it only needs 2 permutation key generations regardless of the number of blocks and a linear number of cheap P erm and XOR operations (3n + 1 P erm and 2n XOR operations).

Realizing Proxy Re-encryption in the Symmetric World

8

15

Discussion: using CBC and CTR modes as alternatives to AONT

The security of the scheme in Section 5.2 relies on the difficulty to find the correct position of the AONT transformation. Other encryption modes (CBC and CTR) also have characteristics that the blocks cannot be decrypted correctly if we cannot find the correct position of the blocks. In CTR, we should know the correct position of a block for decrypting the block. In CBC mode, we should know a pair of consecutive blocks to decrypt a block. It is interesting to know whether it is possible to implement the scheme showed in Section 5.2 using CBC or CTR. 8.1

Using CBC mode

Each block encrypted with CBC is defined as ci = E(k, pi ⊕ ci−1 ), c0 = IV , where IV is an initialization vector. To decrypt a block ci we use the following formula: pi = E(k, ci ) ⊕ ci−1 , c0 = IV . If we substitute the AONT with a CBC mode there are some features of AONT that cannot be substituted by CBC: 1. In CBC, we only need to know two consecutive modes and decrypt a block to get a block of the plaintext, while in the AONT we need to know all blocks with correct position and decrypt all blocks to get any block of the plaintext. 2. In CBC, we do not need to have all of blocks, we can decrypt any blocks and get a block of plaintext by knowing two consecutive blocks. Those characteristics of CBC affects the security of the re-encryption as follows: – the previous user does not need to know all bits key P3 to decrypt a part of the blocks. By using CBC, it is possible the previous user shares a part of the blocks without knowing all bits of the key (which is not possible in All-or-Nothing-Transform (AONT), because in AONT to leak a block, we need to have all correct bits of the key). – for the proxy and the outsiders, by using CBC mode, attack to find the encryption key is easier, because the proxy and the outsider can check the correctness of a key for a block by only decrypting the block rather than decrypting all blocks of the message with correct keys for all blocks in AONT scheme to test the correctness of any bits of key in a block. 8.2

Using CTR mode

In CTR, we use a nonce n and counter i to encrypt each block of the message. Each block encrypted with CTR is defined as ci = E(k, n ⊕ i) ⊕ pi . To decrypt a block ci we use the following formula: pi = E(k, n ⊕ i) ⊕ ci . The CTR mode has the same weaknesses as the CBC so if we use CTR there are some advantages for the previous users, the proxy and the outsiders:

16

Amril Syalim et al.

– the previous user does not need to know all bits key P3 to decrypt a part of the blocks. By using CTR, it is possible the previous user shares a part of the blocks without knowing all bits of the key (which is not possible in scheme that uses AONT). – attack to find the encryption key is easier for the proxy and the outsiders if we use CTR, because the proxy and the outsider are able to check the correctness of a key (for the block) by only decrypting a block of message rather than decrypting all blocks with the correct key in AONT scheme.

9

Conclusion

In this paper, we have described a proxy re-encryption scheme for the symmetric ciphers. The scheme exploits some characteristics of All-or-nothing (AONT) transformation to develop an efficient proxy re-encryption scheme. We showed security and performance evaluation of the scheme. We also discussed the possibility to use CBC and CTR modes as AONT’s substitutes.

A

Attempts to develop a secure proxy re-encryption using pure symmetric cipher

A proxy re-encryption cannot be implemented using currently used practical one-way functions (i.e. SHA and AES). We show the argument by trying to develop a proxy re-encryption for symmetric cipher using Xor-scheme (Vernam cipher), stream cipher and block cipher. A.1

Xor-scheme (Vernam Cipher)

In the Vernam Cipher, the key is generated by random function with the same length of the message. Besides its big key size, it also does not support secure proxy cryptography. Let KA , KB be two random keys and E is the encryption function, then we can produce the ciphertext CA and CB using the following equations: CA = E(KA , M ) = KA ⊕ M

(4)

CB = E(KB , M ) = KB ⊕ M

(5)

To support the proxy re-encryption, there is a function P that converts CA to CB where: CB = P (E(KA , M ) = P (KA ⊕ M ) This equation is fulfilled by P = (KA ⊕ KB )⊕, because

Realizing Proxy Re-encryption in the Symmetric World

17

CB = (KA ⊕ KB ) ⊕ (KA ⊕ M ) = KB ⊕ M However, this method is not secure because from the equation 4 and 5: M = KA ⊕ CA = KB ⊕ CB KB = KA ⊕ CA ⊕ CB

(6)

In the equation 6, the user who knows the previous ciphertext CA , previous key KA and the current ciphertext CB can easily compute KB . A.2

Stream cipher-like encryption

In the stream cipher, the plaintext (m0 , m1 , ..., mn−1 ) is encrypted to produce A A the ciphertext (cA 0 , c1 , ..., cn−1 ) using a random generator R with a private key KA as follows: A A cA i = R(KA , mi−1 , ...m0 , ci−1 , ...c0 ) ⊕ mi

(7)

To implement the proxy re-encryption that converts the ciphertext encrypted with key KA to the ciphertext encrypted with key KB , the proxy should be able to re-encrypt the ciphertext cA i into the ciphertext B B cB i = R(KB , mi−1 , ...m0 , ci−1 , ...c0 ) ⊕ mi

(8)

using a conversion function P , where A A A cB i = P (c0 , c1 , ..., cn−1 )

= P (R(KA ) ⊕ m0 , R(KA , m0 , cA 0 ) ⊕ m1 , ... A R(KA , mn−2 , ...m0 , cA n−2 , ...c0 ) ⊕ mn−1 )

so that: B A R(KB , mi−1 , ...m0 , cB i−1 , ...c0 ) ⊕ mi = P (R(KA ) ⊕ m0 , R(KA , m0 , c0 ) ⊕ m1 , ... B R(KA , mn−2 , ...m0 , cB n−2 , ...c0 ) ⊕ mn−1 ) A A R(KB , mi−1 , ...m0 , cA i−1 , ...c0 ) = P (R(KA ) ⊕ m0 , R(KA , m0 , c0 ) ⊕ m1 , ... A R(KA , mn−2 , ...m0 , cA n−2 , ...c0 )

⊕mn−1 ) ⊕ mi

(9)

The users who are previously granted access to the message m should not be able to infer KB even if the users know the previous key KA , all plaintexts B B B A (m0 , m1 , ..., mn−1 ) and all ciphertexts (cA 0 , c1 , ..., cn−1A , c0 , c1 , ..., cn−1 ). There are two possibilities:

18

Amril Syalim et al.

1. (A strict requirement): the proxy can collude with the user, so that the users know P from the proxy. If the proxy colludes, the user can compute the right side of the equation 9. For instance the result is A, then

P (R(KA ) ⊕ m0 , R(KA , m0 , cA 0 ) ⊕ m1 , ... A R(KA , mn−2 , ...m0 , cA n−2 , ...c0 ) ⊕ mn−1 ) ⊕ mi = A

and B R(KB , mi−1 , ...m0 , cB i−1 , ...c0 ) = A

(10)

Because the user knows all plaintexts and ciphertexts (he/she only does not have KB ), for a secure proxy re-encryption scheme it should not be possible to calculate KB . This requirement is only fulfiled if the function R is a one-way function so it is not possible to infer KB from the output of R and some others inputs. 2. (A less strict requirement): the proxy does not collude with the user, so that the users does not know P . From equations 7 and 8 we get:

A A mi = R(KA , mi−1 , ...m0 , cA i−1 , ...c0 ) ⊕ ci B B mi = R(KB , mi−1 , ...m0 , cB i−1 , ...c0 ) ⊕ ci

then B A A A B R(KB , mi−1 , ...m0 , cB i−1 , ...c0 ) = R(KA , mi−1 , ...m0 , ci−1 , ...c0 ) ⊕ ci ⊕ ci

Because the user can compute the right side (for instance the result is B), we get the formula similar to equation 10.

B R(KB , mi−1 , ...m0 , cB i−1 , ...c0 ) = B

(11)

With the same reason as the equation 10, for a secure proxy re-encryption scheme, the function R should be a one-way function that protect KB even if the users know the ouputs and other inputs. If R is a one-way function, from the equation 9 we have the following equations:

Realizing Proxy Re-encryption in the Symmetric World

19

B A R(KB , mi−1 , ...m0 , cB i−1 , ...c0 ) = P (R(KA ) ⊕ m0 , R(KA , m0 , c0 ) ⊕ m1 , ... A R(KA , mn−2 , ...m0 , cA n−2 , ...c0 )

⊕mn−1 ) ⊕ mi B A R(KB , mi , ...m0 , cB i , ...c0 ) = P (R(KA ) ⊕ m0 , R(KA , m0 , c0 ) ⊕ m1 , ... A R(KA , mn−2 , ...m0 , cA n−2 , ...c0 )

.. .

⊕mn−1 ) ⊕ mi+1 .. .

From the above equations we can conclude that to have a proxy cryptography, we should find a one-way function which we can do operation to the ciphertexts meaningfully. We can simplify the above equation (i.e the random function R only uses the private key KA or KB and a counter i) to the following equations: R(KA , i) = P (R(KB , i) ⊕ mi ) R(KA , i + 1) = P (R(KB , i + 1) ⊕ mi+1 ) .. .. . . With this simplification, we still need a special one-way function which the ciphertexts are easily converted to another ciphertext with different keys. This property is undesirable and not possible in the current practical one-way function used in the real world (i.e. SHA or AES-based one-way functions). A.3

Block cipher-like encryption

In the block cipher-like encryption, the plaintext (m0 , m1 , ..., mn−1 ) is encrypted A A to produce the ciphertext (cA 0 , c1 , ..., cn−1 ) using a block cipher encryption E with a key KA as follows: A A cA i = E(KA , mi , mi−1 , ...m0 , ci−1 , ...c0 )

(12)

To implement the proxy re-encryption, the proxy should be able to convert B the ciphertext cA i encrypted with the private key KA into another ciphertext ci encrypted with the key KB as follows: B B cB i = E(KB , mi , mi−1 , ...m0 , ci−1 , ...c0 )

(13)

With the same arguments as the stream cipher previous section, E should be a one-way function and has properties that cannot be implemented with the current practical one-way functions.

20

Amril Syalim et al.

References 1. Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger. Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur., 9(1):1–30, 2006. 2. Mihir Bellare and Phillip Rogaway. Optimal asymmetric encryption. In EUROCRYPT, pages 92–111, 1994. 3. Matt Blaze, Gerrit Bleumer, and Martin Strauss. Divertible protocols and atomic proxy cryptography. In In EUROCRYPT, pages 127–144. Springer-Verlag, 1998. 4. R. Canetti and S. Hohenberger. Chosen-ciphertext secure proxy re-encryption. In Proceedings of the 14th ACM conference on Computer and communications security, pages 185–194. ACM, 2007. 5. Debra L. Cook and Angelos D. Keromytis. Conversion and proxy functions for symmetric key ciphers. In ITCC, pages 662–667, 2005. 6. Anand Desai. The security of all-or-nothing encryption: Protecting against exhaustive key search. In CRYPTO, pages 359–375, 2000. 7. Danny Dolev, Cynthia Dwork, and Moni Naor. Nonmalleable cryptography. SIAM J. Comput., 30(2):391–437, 2000. 8. M. Green and G. Ateniese. Identity-based proxy re-encryption. In Applied Cryptography and Network Security, pages 288–306. Springer, 2007. 9. Shoichi Hirose. On re-encryption for symmetric authenticated encryption. In Computer Security Symposium (CSS) 2010, 2010. 10. Burton S. Kaliski Jr., Ronald L. Rivest, and Alan T. Sherman. Is the data encryption standard a group? (results of cycling experiments on des). J. Cryptology, 1(1):3–36, 1988. 11. Benoˆıt Libert and Damien Vergnaud. Unidirectional chosen-ciphertext secure proxy re-encryption. IEEE Transactions on Information Theory, 57(3):1786–1802, 2011. 12. Ronald L. Rivest. All-or-nothing encryption and the package transform. In In Fast Software Encryption, LNCS 1267, pages 210–218. Springer-Verlag, 1997.