Lattice-based key private PREs with HRA security and PCS security

Abstract

Proxy re-encryption (PRE) schemes, which nicely solve the problem of delegating decryption rights, enable a semi-trusted proxy to transform a ciphertext encrypted under one key into a ciphertext of the same message under another arbitrary key. Cohen first pointed out the insufficiency of the security under chosen-plaintext attacks (CPA) of PREs in PKC 2019, and proposed a strictly stronger security notion, named security under honest re-encryption attacks (HRA), of PREs. Surprisingly, a few PREs satisfy the stronger HRA security and almost all of them are pairing-based till now. To the best of our knowledge, we present the first direct construction of HRA secure single-hop PREs based on standard LWE problems with comparably small and polynomially-bounded parameters in this paper. Combining known reductions, the HRA security of our PREs could also be guaranteed by the worst-case basic lattice problems (e.g. SIVPγ with γ=Õ(n3.5)). Our single-hop PRE schemes are key-private, which means that the implicit identities of a re-encryption key will not be revealed even in the case of a proxy colluding with some corrupted users. Meanwhile, our single-hop PRE schemes are also post-compromise (PCS) secure, ensuring that a re-encrypted ciphertext remains confidential even when the past key, potential old ciphertexts and the re-encryption key have been exposed. Some discussions about key-privacy of multi-hop PREs are also proposed, which indicates that several constructions of multi-hop PREs do not satisfy their key-privacy definitions.