Delegation of Decryption Rights With Revocability From Learning With Errors

The notion of decryption rights delegation was initially introduced by Blaze et al. at EUROCRYPT 1998. Defined as proxy re-encryption, it allows a semi-trusted proxy to convert a ciphertext intended for one party into another ciphertext of the same plaintext, without knowledge of the underlying plaintext or the decryption key. It has been applied to many real-world applications, e.g., encrypted email forwarding. However, the intrinsic all-or-nothing sharing feature of proxy re-encryption yields a limitation: the share cannot be revoked. This may hinder the scalability of its applications in practice. In this paper, for the first time, we define the concept of revocability in terms of decryption rights delegation. The novel concept enables the data owner to revoke the shared decryption rights when needed. Inspired by the seminal lattice-based proxy re-encryption proposed at PKC 2014, we design a concrete lattice-based construction which satisfies the notion. In our construction, we make use of a binary-tree structure to implement the revocation of decryption rights, so that the update of the re-encryption key is reduced to $O(\log N)$ (instead of $O(N)$), where $N$ is the maximum number of delegatees. Furthermore, the security of our scheme is based on the standard learning with errors problem (LWE problem), which can be reduced to worst-case hard problems (such as GapSVP and SIVP) in the context of lattices. The scheme is chosen-ciphertext secure in the standard model. Of independent interest, our scheme achieves both backward and forward security, which means that once a user is revoked after a time period $\mathbf{t}$, it cannot gain access to any encrypted files before or after $\mathbf{t}$.
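The abstract does not give the paper's algorithm, so the following is an added example, not the authors' construction: it assumes the complete-subtree ("KUNodes") cover commonly used for binary-tree revocation, and shows why revoking one of $N$ delegatees touches only $\log_2 N$ tree nodes. All function names and the heap-style node numbering are assumptions of this sketch; the key material attached to each node is omitted.

```python
# Added example: complete-subtree ("KUNodes") cover over a binary tree of delegatees.
# Assumed numbering: root = 1, children of v are 2v and 2v + 1, and
# delegatee i (0 <= i < N, N a power of two) sits at leaf N + i.

def path_to_root(n_users, user):
    """Nodes from the delegatee's leaf up to the root (log2(N) + 1 nodes)."""
    node = n_users + user
    nodes = []
    while node >= 1:
        nodes.append(node)
        node //= 2
    return nodes


def ku_nodes(n_users, revoked):
    """Minimal node set whose subtrees contain exactly the non-revoked leaves."""
    if n_users < 1 or n_users & (n_users - 1):
        raise ValueError("n_users must be a power of two")
    if any(not 0 <= u < n_users for u in revoked):
        raise ValueError("revoked index out of range")
    if not revoked:
        return {1}  # nobody revoked: the root alone covers everyone
    # Every ancestor of a revoked leaf is "tainted" and may not carry an update.
    tainted = set()
    for user in revoked:
        tainted.update(path_to_root(n_users, user))
    # Untainted children of tainted internal nodes root the clean subtrees.
    cover = set()
    for node in tainted:
        if node < n_users:  # internal node, so it has two children
            for child in (2 * node, 2 * node + 1):
                if child not in tainted:
                    cover.add(child)
    return cover


def can_decrypt(n_users, user, cover):
    """A delegatee keeps access iff its leaf-to-root path meets the cover."""
    return any(node in cover for node in path_to_root(n_users, user))


if __name__ == "__main__":
    cover = ku_nodes(8, {3})  # constructed sample: 8 delegatees, number 3 revoked
    print(sorted(cover), [can_decrypt(8, u, cover) for u in range(8)])
```

With several revoked delegatees the cover grows with the number of revocations, but it never requires one update per remaining delegatee.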
