Proxy Re-Encryption with Conditional Delegation

Abstract

In a proxy re-encryption (PRE) scheme, a delegator gives a re-encryption key to a semi-trusted proxy who, by using the re-encryption key, can transform a ciphertext encrypted under the delegator's public key into one that can be decrypted using a private key of another user (called a delegatee). That is, the delegator can delegate his decryption rights through the proxy. Since PRE can be applied to many applications such as remote file storage, access control system, and digital right management, cryptographers have taken an interest in the study of PRE. However, there are applications where the delegator wants to delegate the decryption right for a subset of ciphertexts. For example, when Alice on vacation wants to delegate the decryption right for the encrypted e-mails with the keyword, urgent, to Bob, original PRE that only supports the all-or-nothing delegation is not enough. In this literature, the concept of conditional proxy re-encryption (C-PRE) was appeared to provide fine-grained delegation of decryption rights. C-PRE allows that a delegator delegates decryption rights from a delegator to a delegatee through a semi-trusted proxy within the ciphertexts computed under a specific condition. Such a C-PRE scheme can provide more fine-grained delegation in the applications of PRE. Tang proposed the first proxy-invisible C-PRE scheme, where proxy invisibility means that an adversary cannot distinguish between original ciphertexts and re-encrypted ciphertexts. However, Tang's scheme is only secure against chosen plaintext attacks (CPA-secure). Jia~et~al. proposed a proxy-invisible C-PRE scheme that is secure against chosen ciphertext attacks (CCA-secure) with random oracle heuristic

whereas the random oracle methodology that assumes public oracle access to a truly random function is a useful tool for designing a cryptosystem, the security of the cryptosystem proven in the random oracle model does not guarantee its security in the real world where random oracles do not exist. There is no CCA-secure and proxy-invisible C-PRE scheme in the standard model (i.e., without random oracles). This thesis studies the proxy-invisible C-PRE scheme that is CCA-secure in the standard model.