Store
Build
Why Züs
Züs Blimp vs AWS S3
Züs Vult Vs Google Drive
Ecosystem Apps
EN
Documentation
Store
Build
Why Züs
Züs Blimp vs AWS S3
Züs Vult Vs Google Drive
Sharing of Encrypted files in Blockchain Made Simpler S. Sharmila Deva Selvi1 , Arinjita Paul1 , Siva Dirisala2 , Saswata Basu2 and C. Pandu Rangan1 1 Department of Computer Science and Engineering, IIT Madras, India. sharmioshin@gmail.com, {(arinjita, prangan)}@cse.iitm.ac.in 2 0chain LLC, San Jose, USA. {(siva, saswata)}@0chain.net Abstract. Recently, blockchain technology has attracted much attention of the research community in several domains requiring transparency of data accountability, due to the removal of intermediate trust assumptions from third parties. One such application is enabling file sharing in blockchain enabled distributed cloud storage. Proxy re-encryption is a cryptographic primitive that allows such file sharing by re-encrypting ciphertexts towards legitimate users via semi-trusted proxies, without them learning any information about the underlying message. To facilitate secure data sharing in the distributed cloud, it is essential to construct efficient proxy re-encryption protocols. In this paper, we introduce the notion of proxy self re-encryption (SE-PRE) that is highly efficient, as compared to the existing PRE schemes in the literature. We show that our self encryption scheme is provably CCA secure based on the DLP assumption and our proxy re-encryption scheme with self encryption is CCA secure under the hardness of the Computational Diffie Hellman (CDH) and Discrete Logarithm (DLP) assumption. Our novel encryption scheme, called self encryption, has no exponentiation or costly pairing operation. Even the re-encryption in SE-PRE does not have such operations and this facilitates the service provider with efficiency gain. 1 Introduction The recent explosion of data volumes and demand for computing resources have prompted individuals and organisations to outsource their storage and computation needs to online data centers, such as cloud storage. While data security is enforced by standard public-key encryption mechanisms in the cloud, secure data sharing is enabled by efficient cryptographic primitives such as proxy re-encryption (PRE). PRE enables re-encryption of ciphertexts from one public key into another via a semi-trusted third party termed proxy, who does not learn any information about the underlying plaintext. A user can delegate access to his files by constructing a special key, termed as re-encryption key, using which the proxy performs the ciphertext transformation towards a legitimate delegatee. PRE systems can be classified into unidirectional and bidirectional schemes based on the direction of delegation. They can also be classified into single-hop and multi-hop schemes based on the number of re-encryptions permitted. In this work, we focus on unidirectional and single-hop PRE schemes. The current model of cloud storage is operated through centralised authorities, which makes such a system susceptible to single point failures and permanent loss of data. Recently, blockchain technology, initially designed as a financial ledger, has attracted the attention of researchers in a wide range of applications requiring accountable computing and auditability. Blockchain enabled distributed peer-to-peer cloud storage solutions are steadily replacing its centralised counterpart. A blockchain provides multiple parties to agree upon transactions and contracts in an immutable and auditable way. Decentralised applications such as dApp providers make use of this capability to provide services that are transacted in a publicly verifiable manner. When the service provided by the dApp is not directly from the dApp owner itself but from other third parties, it brings up additional challenges. How would the end user using the dApp trust that the unknown third party service provides used by the dApp are trust worthy? This issue is specifically addressed, for example, by the dApp called 0box [1] provided by 0Chain "[2]. Such a storage dApp allows any user to upload and share their files to their friends and families similar to many other popular storage services. However, most existing services trust the service provider and upload the content without any encryption. But 0box strives to provide zero-knowledge storage such that the third party storage providers will not know the uploaded content. This is achieved using an efficient CCA-secure proxy re-encryption scheme, outlined in this paper. When a user shares the encrypted content with a trusted party, he provides the reencryption keys using the public key of the trusted party so that only that party is able to decrypt the content. By facilitating the associated transactions on the blockchain, this scheme provides end-to-end transparency and security for end users to procure storage services at highly competitive prices without worrying about the reputation of the storage providers. We first propose a novel self-encryption (SE) scheme, which is much more efficient than the standard CPA secure El-Gamal encryption scheme. This work is further extended to design a CCA-secure proxy reencryption scheme (SE-PRE) that adds re-encryption functionality to self-encryption. Prior to our work, the most efficient PRE construction was reported in [13] by Selvi et al. We show that our PRE design is much more efficient than the scheme in [13]. Proxy Re-encryption (PRE) : Proxy re-encryption is a term coined by Blaze, Bleumer, and Strauss [7] and formalized by Ateniese, Fu, Green, and Hohenberger [3][4]. PRE has been studied extensively for almost two decades [7][3][4][13][12]. A good survey of the PRE schemes and security models of PRE can be found in [11] [8]. 2 Preliminaries In this section we give the definitions of various assumptions adopted for proving the security of the proposed schemes, the general and security model of SE and SE-PRE schemes. 2.1 Definition Definition 1. Discrete Logarithm Problem (DLP) : The discrete logarithm problem in a cyclic group G of order q is, given (q, P, Y ) such that q is a large prime, P, Y ∈ G, find a ∈ Z*q such that Y = aP . Definition 2. Computation Diffie Hellman Problem (CDH) : The Computation Diffie Hellman Problem in a cyclic group G of order q is, given (q, P, aP, bP ) such that q is a large prime, P, aP, bP ∈ G, find Q such that Q = abP , where a ∈ Z*q . 2.2 Generic Model of Self-Encryption (SE) : The self encryption (SE) is a novel primitive that allows an user to store their files securely with minimal computation overhead. This primitive is different from the traditional public key encryption approach as encryption can be done only by the owner of the file who possess the private key related to the public key which is used for encrypting the file. It has the following algorithms : 1. Setup(κ): This algorithm is run by the trusted entity. On input of a security parameter κ, the Setup algorithm will output the system parameters P arams. 2. KeyGen(Ui , P arams): This algorithm is run by the user Ui . This is used to generate a public and private key pair (P Ki , SKi ) for the user Ui . 3. Self-Encrypt(m, tw , SKi , P Ki , P arams): The encryption algorithm is run only by the user Ui . This algorithm requires the knowledge of the private key SKi corresponding to the public key P Ki of user Ui . This takes as input the message m, the tag tw , the private key 2 "SKi and public key P Ki of user Ui . It will output a ciphertext C which is the encryption of message m under the public key P Ki and tag tw . This approach differs from the traditional public key encryption where the encrypt algorithm can be run by any user. 4. Self-Decrypt(C, SKi , P Ki , P arams): The decryption algorithm is run by the user Ui . On input of the ciphertext C, the private key SKi and the public key P Ki of user Ui , this will output the message m if C is a valid self encryption of m under P Ki , SKi and tw . Otherwise, it returns ⊥. 2.3 Generic Model of Proxy Re-Encryption with Self-Encryption(SE-PRE): The SE-PRE is a proxy re-encryption primitive that uses a self encryption scheme as the base algorithm and provides a mechanism to delegate the self-encrypted ciphertext. The SE-PRE scheme consists of the following algorithms: 1. Setup(κ):The setup algorithm takes as input a security parameter κ. This will output the system parameters P arams. This algorithm is run by a trusted party. 2. KeyGen(Ui , P arams): The key generation algorithm generates a public and private key pair (P Ki , SKi ) of user Ui . This algorithm is run by a user Ui . 3. ReKeyGen(SKi , P Ki , P Kj , cw , P arams ): The re-encryption key generation algorithm takes as input a private key SKi of delegator Ui , public key P Ki of delegator Ui , public key P Kj of delegatee Uj and condition cw under which proxy can re-encrypt. It outputs a re-encryption key RKi→j . This is executed by the user Ui . 4. Self-Encrypt(m, tw , SKi , P Ki , P arams): The self encryption algorithm takes as input the message m, the tag tw , the private key SKi of user Ui and public key P Ki of the user Ui . It outputs a ciphertext C which is the encryption of message m under the public key P Ki , private key SKi and tag tw . This algorithm is executed by the user Ui . 5. Re-Encrypt(C, P Ki , P Kj , cw , RKi → j , P arams): The re-encryption algorithm takes as input a self-encrypted ciphertext C, the delegator's public key P Ki , the delegatee's public key P Kj , the condition cw and a re-encryption key RKi→j corresponding to cw . It outputs a ciphertext D which is the encryption of same m under public key P Kj of user Uj . This is run by a proxy who is provided with the re-encryption key RKi→j . 6. Self-Decrypt(C, SKi , P Ki , P arams): The self decryption algorithm is run by the user Ui . This will take as input the ciphertext C, the private key SKi of user Ui and public key P Ki of user Ui . It will output the message m if C is a valid encryption of m under P Ki and SKi of user Ui and tag tw . If C is not valid, this algorithm returns ⊥. 7. Re-Decrypt(D, SKj , P arams): The re-decryption algorithm takes as input a re-encrypted ciphertext D and a private key SKj of user Uj . It outputs a message m ∈ M, if D is a valid re-encrypted ciphertext of message m or the error symbol ⊥ if D is invalid. This algorithm is run by the user Uj 2.4 Security Model In this section we present the security model for the self-encryption scheme and the proxy reencryption scheme. The security model gives details about the restrictions and oracle accesses given to the adversary. It is modelled as a game between a challenger C and an adversary A. 2.5 Security Model for Self-Encryption The security of Self-Encryption (SE) scheme against chosen ciphertext attacks(IND-SE-CCA) is demonstrated as a game between an adversary A and a challenger C. The game is as follows: 3 "- Setup : C takes a security parameter κ and runs the Setup(κ) algorithm to generate the system parameters P arams . It provides P arams to A. C then runs KeyGen(U, P arams) to generate a private and public key pair SK, P K of user U and provides P K to A. SK is kept by A. - Phase-1 : A can adaptively issue queries to the following oracles provided by C : • Self-Encrypt(m, tw ) Oracle : C runs the Self-Encrypt(m, tw , SK, P K, P arams) algorithm to generate the ciphertext C and returns it to A. • Self-Decrypt(C, P K) Oracle : C runs the Self-Decrypt(C, SK, P K, P arams) and returns the output to A. - Challenge : After getting sufficient training, A submits two messages m0 , m1 from M of equal length and a tag tw * to C. C picks a random bit δ ∈ {(0, 1)} and outputs the ciphertext C * =Self-Encrypt(mδ , tw * , SK, P K). - Phase-2 : On receiving the challenge C * , A is allowed to access the various oracles provided in Phase-1 with the restrictions given below : 1. Self-Decrypt(C * ) query is not allowed. 2. Self-Encrypt(mδ , tw * query is not allowed. 0 0 - Guess : After getting sufficient training, A will output its guess δ . A wins the game if δ=δ 2.6 Security Model for Proxy Re-Encryption with Self-Encryption In this section we provide the security model for the SE-PRE scheme. The model involves the security of original ciphertext as well as transformed ciphertext. The ciphertext that can be re-encrypted is called the original ciphertext and the output of the re-encryption is called the transformed ciphertext. Security of Original Ciphertext The security of Proxy Re-Encryption with Self-Encryption (SE-PRE) schemes against chosen ciphertext attacks(IND-SE-PRE-CCAO ) for the original ciphertext is modelled as a game between an adversary A and a challenger C. The security game is described below : - Setup : C takes a security parameter κ and runs the Setup(κ) algorithm to generate the system parameters P arams. The P arams is then given to A. - Phase-1 : On receiving the system parameters, a target public key P KT and tag tw * , A is allowed to access Keygen, Self-Encrypt, Self-Decrypt, Rekey, Re-Encrypt, Re-Decrypt algorithms. A simulates the algorithms as oracles and A can adaptively issue queries to these oracles. The various oracles provided by C are: • Corrupted KeyGen(Ui ) : C runs the KeyGen(Ui , P arams) to obtain the public and private key pair (P Ki , SKi ). C returns both SKi and P Ki to A. • Uncorrupted KeyGen(Ui ) : C runs the KeyGen(Ui , P arams) to obtain the public and private key pair (P Ki , SKi ) and returns P Ki to A. SKi is not provided to A. • ReKeyGen(Ui , Uj ): C runs the ReKeyGen(SKi , P Ki , P Kj , cw , P arams) to obtain the re-encryption key RKi→j and returns it to A. • Self-Encrypt(m, tw , P Ki ) : C runs the Self − Encrypt(m, tw , SKi , P Ki , P arams) to obtain the ciphertext C and returns it to A. • Re-Encrypt(C, P Ki , P Kj , cw ) : C runs the Re-Encrypt(C, P Ki , cw , RKi → j , P arams) to obtain the ciphertext D and returns it to A. Here, RKi→j is the re-encryption key from P Ki to P Kj under the condition cw • Self-Decrypt(C, P Ki ) : C runs the Self-Decrypt(C, SKi , P Ki , P arams) and returns the output to A. 4 "• Re-Decrypt(D, P Kj ): C runs the Re-Decrypt(D, SKj , P Kj , P arams) and returns the output to A. For the ReKey, Encrypt, Re-Encrypt, Decrypt, Re-Decrypt oracle queries it is required that public keys P Ki and P Kj are generated beforehand. - Challenge : On getting sufficient training, A will output two equal-length plaintexts m0 , m1 ∈ M. Here, the constraint is: P KT is generated using Uncorrupted Keygen and Rekey(P KT , P Kj , cw ), is not queried in Phase-1 for cw = tw * C flips a random coin δ ∈ {(0, 1)}, and sets the challenge ciphertext C * = Self-Encrypt(mδ , tw * , SKT , P KT , P arams). C then provide C * as challenge to A. - Phase-2 : A can adaptively query as in P hase − 1 with the following restrictions: 1. A cannot issue Corrupted KeyGen(UT ) query. 2. A cannot issue Self-Decrypt(C * , P KT , tw * ) query. 3. A cannot issue Re-Encrypt(C * , P KT , P Kj ) query on C * from P KT to P Kj if P Kj is Corrupted. 4. A cannot issue ReKey(P KT , P Kj , cw ) query if cw =tw * . 5. A cannot issue Re-Decrypt query on D* , P Kj if D* is the output of Re-Encrypt(C * , P KT , P Kj , cw ) and cw = tw * . 0 0 - Guess : Finally, A outputs a guess δ ∈ {(0, 1)} and wins the game if δ = δ. Security of Transformed Ciphertext The security of transformed of Proxy Re-Encryption with Self-Encryption(SE-PRE) scheme against chosen ciphertext attacks(IND-SE-PRE-CCAT ) is modelled as a game between an adversary A and a challenger C. This is achieved by: - Setup :C takes a security parameter κ and runs the Setup(κ) algorithm and gives the resulting system parameters P arams, a target public key P KT and tag tw * to A. Phase-1 :This phase is similar to the Phase-1 of IND-SE-PRE-CCAO . We do not provide Re-Encrypt oracle as we are providing all the re-encryption keys for the adversary - Challenge : Once A decides P hase − 1 is over, it outputs two equal-length plaintexts m0 , m1 ∈ M. C flips a random coin δ ∈ {(0, 1)}, and sets the challenge ciphertext as follows: • Compute C * = Self-Encrypt(mδ , tw * , SKi , P Ki , P arams ), (P Ki , SKi be the public, private key pair of user Ui and Ui can be honest or corrupt. • Sets D* = Re-Encrypt(C * , RKi→T ) which is then sent to A. - Phase-2 : A adaptively issues queries as in P hase − 1, and C answers them as before with the following restrictions: 1. A cannot issue Corrupted KeyGen(UT ) query. 2. A cannot issue Re-Decrypt(D* , P KT ) query 0 0 - Guess : Finally, A outputs a guess δ ∈ {(0, 1)} and wins the game if δ = δ. 3 The Self-Encrypt(SE) Scheme : Self-Encrypt scheme is a special kind of encryption primitive that allows a user to store file securely in cloud or any distributed storage. In this approach the owner of the file uses his/her private key to encrypt the file. This significantly reduces the computation involved in storing the file. We provide the self encryption scheme and the prove its CCA security in the random oracle model. 5 "3.1 The Scheme The SE scheme consist of the following algorithms: - Setup(κ): • Let G be an additive cyclic group of prime order q. Let P be a generator of group G. • Let ∆ = hSym.Encrypt, Sym.Decrypti be any symmetric key encryption scheme. We may assume that ∆ is a symmetric key encryption algorithm that uses messages of block size k. • Choose the hash functions, H1 : {(0, 1)}lt × Zq * → Zq * H2 : Zq * → {(0, 1)}lk H3 : {(0, 1)}lm × G → {(0, 1)}l3 • Here lt is the size of the tag, lm is the size of the message and lk is the size of the symmetric key used by the symmetric key encryption scheme ∆. Also, l3 is dependent on the security parameter κ. • Output P arams = hq, G, P, H1 (), H2 (), H3 (), ∆i - KeyGen(U , P arams): The KeyGen algorithm generates the public and private key of the user U by performing the following steps: R • Choose a random integer x ← Zq * • Output P K = hX = xP i and SK = hxi. - Self-Encrypt(m, tw , SK, P K, P arams): On input of message m, tag tw , private key SK = x of user U , public key P K = xP of user U and the public parameters P arams this algorithm will generate the self encryption as follows: • Choose random t ∈ Zq * • Set ht = H1 (tw , x). • Set C1 = t + ht . • Compute Key = H2 (t) • C2 = {Ĉi}(f or i=1 to l) and Ĉi =Sym.Encrypt (Mi , Key) for all i = 1 to l, l is the number of blocks. Assume that m = M1 M2 ... Ml where |Mi |=k and k is the block size of ∆. • C3 = H3 (m, t) • Output the ciphertext C = hC1 , C2 , C3 , tw i. - Self-Decrypt(C, SKi , P arams): Self decryption algorithm is used to decrypt the files that are previously encrypted by the user U using his/her private key. This algorithm does the following: • ht = H1 (tw , SKi ). • t = C1 − ht • Key = H2 (t) • Compute Mi =Sym.Decrypt(Ĉi , Key) for all i=1 to l and construct m = M1 M2 ... Ml . ? • If C3 = H3 (m, t) then, output m. Else, Output ⊥. Correctness of t: RHS = C1 − ht = (t + ht ) − ht = t; = LHS 6 "3.2 Security Proof: Theorem 1. If there exists a (γ, ) adversary A with an advantage that can break the INDSE-CCA security of the SE scheme, then C can solve the discrete log problem with advantage 0 where, 0 ≥ Proof. In this section we formally prove the security of SE scheme in the random oracle model. The IND-SE-CCA security of the SE scheme is reduced to the discrete logarithm problem(DLP). The challenger A is given with the instance of DLP (i.e given (q, P, Y ) such that q is a large prime, P, Y ∈ G, find a such that Y = aP .) If there exist an adversary A that can break the IN D − SE − CCA security of the SE scheme, then C can make use of A to solve the discrete logarithm problem, which is assumed to be hard. Thus the existence of such adversary is not possible. The challenger C sets the public key P K = Y (PK=aP) and the corresponding private key SK = x = a(which is not known to C). C then provides P K to A. A has access to various algorithms of SE and the hash functions as oracles. C simulates the hash functions and the Self-Encrypt, Self-Decrypt algorithms as described below: - Phase-1 : A is given to access all the oracles as defined in the security model IND-SE-CCA. Here it should be noted that C which does not have the knowledge of private key SK = a provides the functionalities Self-Encrypt, Self-Decrypt algorithm. • The hash functions involved in the SE scheme are simulated as random oracles. To provide consistent output, C maintains the lists LH1 , LH2 and LH3 corresponding to the hash function H1 , H2 and H3 involved in the SE scheme. * H1 Oracle: When a query with input (tw , x) is made, the tuple htw , x, ht i is retrieved from LH1 and ht is returned, if (tw , x) is already there in LH1 list. Otherwise, C does the following: · If xP = Y , then abort. This is because C obtains the solution to DLP i.e x = a. · Pick ht ∈ G. · If ht is already present in LH1 list, go to previous step. · Store htw , x, ht i in LH1 list and output ht . * H2 Oracle: When a query with t is made, C the tuple ht, Keyi from LH2 list is retrieved and will return Key, if (t) is already present in LH2 list. Otherwise, C does the following: · Pick Key ∈ {(0, 1)}lk . · If Key is already present in LH2 list, go to previous step. · Store ht, Keyi in LH2 list and return Key. * H3 Oracle: When a query with input (m, T ) is made, C retrieves the tuple hm, T, αi from LH3 list and returns α, if (m, T ) is already present in LH3 list. Otherwise, C does the following: · Pick α ∈{' '} {(0, 1)}l3 . · If α is already present in LH3 list, go to previous step. · Store hm, T, αi in LH3 list and return α. • Self-Encrypt Oracle : When a Self-Encrypt query is made with (m, tw ) as input, C does the following: * Choose random t ∈ Zq * * Set ht = H1 (tw , x). * Set C1 = t + ht . * Compute Key = H2 (t) * C2 = {Ĉi}(f or i=1 to l) and Ĉi =Sym.Encrypt (Mi , Key) for all i = 1 to l, l is the number of blocks. Assume that m = M1 M2 ... Ml where |Mi |=k and k is the block size of ∆. 7 "* C3 = H3 (m, t) * Output the ciphertext C = hC1 , C2 , C3 , tw i. * Output the self-encrypted ciphertext C to A. • Self-Decrypt Oracle: When a Self-Decrypt query is made with C = hC1 , C2 , C3 , tw i as input, C performs the following: * If C is in LEncrypt list, pick m corresponding to C from the tuple hC, mi in LEncrypt list and output m. * If (tw , −) is present in LH1 list then, retrieve ht corresponding to (tw , −) from LH1 list. Else, it returns ⊥ * T = C1 − ht * Key = H2 (t) * Compute Mi = Sym.Decrypt(Ĉi , Key) for all i=1 to l and construct m = M1 M2 ... Ml . ? * If C3 = H3 (m, t) then, output m. Else, it output ⊥. - Challenge Phase : After the first phase of training is over, A provides m0 , m1 ∈ M, tw * such that (m0 , tw * ) or (m1 , tw * ) was not queried to Self-Encrypt oracle during Phase-1 and provides to C. C now generates the challenge ciphertext C * = Self-Encrypt(mδ , tw * ) and δ ∈R {(0, 1)}- Phase-2 : A can interact with all the oracles as in Phase-1 but with the following restrictions: • A cannot make the query Self-Decrypt(C * ) • A cannot make the query Self-Encrypt(mδ , tw * ), δ ∈ {(0, 1)}0 0 - Guess: Once Phase-2 is over, A output its guess δ . A wins the game if δ = δ . 4 The Proxy Re-Encryption with Self Encryption Scheme(SE-PRE) : In this section we present a proxy re-encryption scheme which uses the self encryption proposed in Section 3. The SE scheme is modified such a way that it allows verifiability of ciphertext by proxy during re-encryption without knowing the message. It helps in achieving CCA security of SE-PRE. This also helps in avoiding the DDOS attack being launched on Proxy's service. The proxy is equipped with a method to identify invalid ciphertext so that it will serve its functionality only to valid input. Also.the SE-PRE algorithm can be deployed in a simple and efficient manner than using the traditional PRE schemes available till date. 4.1 The Scheme: In this section we present the proxy re-encryption scheme SE-PRE that uses private encryption algorithm. The SE-PRE proposed here uses a novel approach, consisting of the following algorithms. - Setup(κ): • Let G be an additive cyclic group of prime order q. Let P be a generator of group G. • Let ∆ = hSym.Encrypt, Sym.Decrypti be any symmetric key encryption scheme. We may assume that ∆ is a symmetric encryption algorithm working on block of size k. 8 "• Choose the hash functions, H0 : {(0, 1)}lt → {(0, 1)}l0 H1 : {(0, 1)}lt × Zq * × G → Zq * H2 : Zq * → {(0, 1)}lk H3 : {(0, 1)} lm × Zq * → {(0, 1)}l3 H4 : Zq * × {(0, 1)}(lc +l3 +l5 ) × G → Zq * H5 : {(0, 1)}lt × Zq * × G → {(0, 1)}l5 H6 : {(0, 1)}lw × G × G × G → Zq * H7 : Zq * × G → Zq * H8 : G × G → {(0, 1)}(lw +lp ) H9 : {(0, 1)}lu × Zq * → Zq * Hc : {(0, 1)}* → {(0, 1)}lc • Here lt is size of the tag, lm is size of the message, lc is the size of the ciphertext, lp is κ and lk is size of the symmetric key used in the encryption scheme ∆. Also, lω , lu , l0 , l3 and l5 are dependent on the security parameter κ. • Output P arams = hq, P , G, P, Hi ()(f or i = 0 to 9) , Hc (), ∆i - KeyGen(Ui , P arams): The KeyGen algorithm generates the public and private key of the user Ui by performing the following: R • Choose a random integer xi ← Zq * • Output P Ki = hXi = xi P i and SK = hxi i. - RekeyGen(SKi , P Ki , P Kj , cw , P arams) : This algorithm generates the re-encryption key required to translate a ciphertext of user Ui into a ciphertext of user Uj . This is run by the user Ui . The ciphertext to be re-encrypted is encrypted under the public key P Ki of user Ui and with the condition cw , which are specified by user Ui . This algorithm works as follows: R • Choose ω ← ∈ {(0, 1)}lω • Compute hc = H1 (cw , xi , Xi ) ∈ Zq * • Compute r = H6 (ω, xi Xj , Xi , Xj ) ∈ Zq * • Compute s = H7 (r, Xj ) ∈ Zq * • Compute γ = rXj • Compute the re-encryption key RKi→j = hR1 , R2 , R3 , R4 , R5 , R6 i where, R1 = s − hc ∈ Zq * R2 = rP ∈ G R3 = (ω||Xi ) ⊕ H8 (γ, Xj ) ∈{' '} {(0, 1)}lω +lg R4 = H6 (ω, γ, Xi , Xj ) ∈ Zq * R5 = H5 (tw , xi , Xi ) ∈ {(0, 1)}l5 R6 = H0 (tw ) • Output the re-encryption key RKi→j = hR1 , R2 , R3 , R4 , R5 , R6 i - Self-Encrypt(m, tw , SKi , P Ki , P arams): On input of message m, tag tw , private key SKi , public key P Ki of user Ui and the public parameters P arams • Choose random ω ∈ Zq * • Set ht = H1 (tw , xi , Xi ) ∈ Zq * • Compute C1 = t + ht . 9 "• Compute Key = H2 (t) • Compute C2 = {Ĉi}(f or i=1 to l) and Ĉi =Sym.Encrypt (Mi , Key) for all i = 1 to l, l is the number of blocks. Assume that m = M1 M2 ... Ml where |Mi |=k and k is the block size of ∆. • Set C3 = H3 (m, t) • Find α = H5 (tw , xi , Xi ) ∈ {(0, 1)}l5 • C4 = H4 (C1 , C2 , C3 , α, X) • Set C5 = H0 (tw ) • Output the ciphertext C = hC1 , Hc (C2 ), C3 , C4 , C5 )i. - Re-Encrypt(C, P Ki , P Kj , cw , RKi → j , P arams) : This algorithm is run by the proxy which is given with the re-encryption key RKi → j by user Ui . This generates the reencryption of a ciphertext encrypted under public key P Ki of user Ui under the condition cw into a ciphertext encrypted under public key P Kj of user Uj . This algorithm does not perform any complex computation and this greatly reduces the computational overhead on the entity that performs the role of a proxy. This algorithm does the following computations : • If C4 6= H4 (C1 , Hc (C2 ), C3 , R5 , tw , X) OR C5 6= R6 , then it returns ⊥ • Set D2 = C2 , D3 = C3 , D4 = R2 , D5 = R3 • Choose u ∈ {(0, 1)}lu • Compute β = H9 (u, R4 ) ∈ Zq * • Compute D1 = β(C1 + R1 ) ∈ Zq * • Set D6 = u • Output the re-encrypted ciphertext D = hD1 , D2 , D3 , D4 , D5 , D6 i - Self-Decrypt(C, SKi , P arams): Self-Decrypt algorithm is used to decrypt the self-encrypted ciphertext C of a user that is stored by him in the cloud. This algorithm performs the following: • Find α = H5 (tw , xi , Xi ) ∈ {(0, 1)}l5 • If C4 6= H4 (C1 , C2 , C3 , α, tw , X), then it returns ⊥ • ht = H1 (tw , SKi ). • t = C1 − ht • Key = H2 (t) • Compute Mi =Sym.Decrypt(Ĉi , Key) for all i=1 to l and construct m = M1 M2 ... Ml . ? • If C3 = H3 (m, t) then, output m. Else, Output ⊥. Correctness of t: RHS = C1 − ht = (t + ht ) − ht =t = LHS - Re-Decrypt(D, SKj , P arams): The Re-Decrypt algorithm is used to decrypt the reencrypted ciphertext D. This algorithm does the following: • Compute γ = xj D4 • Compute ω||Xi = D5 ⊕ H8 (γ, Xj ) • Compute r = H6 (ω, xj Xi , Xi , Xj ) ∈ Zq * • Compute s = H7 (r, Xj ) ∈ Zq * • ρ = H6 (ω, γ, Xi , Xj ) ∈ Zq * • Compute β = H9 (D6 , ρ) ∈ Zq * • Compute t = β −1 (D1 ) − s • Find Key = H2 (t) • Compute Mi =Sym.Decrypt(Ĉi , Key) for all i=1 to l and construct m = M1 M2 ... Ml . ? • If (C3 = H3 (m, t)) then, output m. Else, it returns ⊥. 10 "Correctness of T : RHS = β −1 D1 − s = β −1 [β(C1 + R1 )] − s = [(t + ht ) + (s − hc )] − s; Here ht = hc = (t + s) − s =t = LHS 4.2 Security Proof: In this section, we formally prove the security of SE-PRE scheme. We prove the original ciphertext and the transformed ciphertext security in the random oracle model. Security of the Original Ciphertext Theorem 2. If a (γ, ) adversary A with an advantage breaks the IND-SE-PRE-CCAO security of the SE-PRE scheme in time γ, then C can solve the discrete log problem or CDH with advantage 0 where, 1 0 ≥ qt Here, qt is the number of queries to H6 oracle. Proof. We formally prove the original ciphertext security IND-SE-PRE-CCAO of SE-PRE scheme in the random oracle model. The IND-SE-PRE-CCAO security of the SE-PRE scheme is reduced to the discrete logarithm problem(DLP) or the Computational Diffie Hellman Problem (CDH). The challenger C is given with the instance of CDH (q, P, Y = aP, Y 0 = a2 P, Z = bP ) such that q is a large prime, P, Y, Y 0 Z ∈ G. Now, we show that if there exist an adversary A that can break IND-SE-PRE-CCAO security of the SE-PRE scheme then C can make use of that adversary A to solve the discrete logarithm problem or the CDH problem, which are assumed to be hard. Hence the existence of such an adversary A is not possible. Now, adversary A is provided the access to various Self-Encrypt, Self-Decrypt, ReKey, Re-Encrypt, Re-Decrypt algorithms and the hash functions as oracles. C provides P KT = Y and tw * to A. The game is demonstrated below: - Phase-1 : A interacts with C adhering to the restrictions given in the security model INDSE-PRE-CCAO . A submits the target condition tw * to C. C answers the queries made to various Corrupted KeyGen, Uncorrupted Keygen, Self-Encrypt, Self-Decrypt, ReKey, Re-Encrypt, Re-Decrypt oracles and the hash oracles as given below: • The hash functions are modelled as random oracles. In order to provide consistent output, C maintains various lists LHc and LHi (for i = 0 to 9) corresponding to the hash function Hc and Hi , (for i = 0 to 9). Oracles H1 , H2 and H3 are simulated as given in the proof of SE scheme. The other hash oracles are simulated as follows: * H0 Oracle: On input of tw , C checks whether a tuple htw , h0 i corresponding to tw is there in LH0 list. If it is already present then return h0 , else pick h0 ∈{' '} {(0, 1)}l0 . Store htw , h0 i in LH0 list and return h0 . * Hc Oracle: On input of C̄, C checks whether a tuple hC̄, hc i corresponding to C̄ is already there in LHc list. If it is present then hc is returned, else pick hc ∈ {(0, 1)}lc . Store hC̄, hc i in LHc list and return hc . * H1 Oracle: When a query with input (tw , x, X) is made, the tuple htw , x, X ht i is retrieved from LH1 and ht is returned, if (tw , x, X) is already there in LH1 list. Otherwise, C does the following: 11 "· If X = Xi in LHonest and x̄i Y = X, then abort. This is because C obtains the solution to DLP i.e x̄−1 i x = a. · Pick ht ∈ G. · If ht is already present in LH1 list, go to previous step. · Store htw , x, X, ht i in LH1 list and output ht . * H4 Oracle: When H4 oracle is queried with (C1 , C2 , C3 , α, tw ) as input, C retrieves the tuple hC1 , C2 , C3 , C4 , tw , h4 i from LH4 list and returns h4 , if an entry corresponding to (C1 , C2 , C3 , α, tw ) is already there in LH4 list. Otherwise, C does the following: · Pick h4 ∈ Zq * . · If h4 is already present in LH4 list, go to previous step. · Store hC1 , C2 , C3 , α, tw , h4 i in LH4 list and return h4 . * H5 Oracle: When H5 oracle is queried with (tw , x, X) as input, C retrieves the tuple htw , x, X, h5 i from LH5 list and returns β, if an entry corresponding to (tw , x, X) is already there in LH5 list. Otherwise, C does the following: · Pick h5 ∈ Zq * . · If h5 is already present in LH5 list, go to previous step. · Store htw , x, X, h5 i in LH5 list and return h5 . * H6 Oracle: When H6 oracle is queried with (ω, γ, X, Y ) as input, C retrieves the tuple hω, γ, X, Y, h6 i from LH6 list and returns h6 , if an entry corresponding to (ω, γ, X) is there in LH6 list. Otherwise, C does the following: · Pick h6 ∈ Zq * . · If h6 is already present in LH6 list, go to previous step. · Store hω, γ, X, Y , h6 i in LH6 list and return h6 . * H7 Oracle: When H7 oracle is queried with (r, X) as input, C retrieves the tuple hr, X, h7 i from LH7 list and returns h7 , if an entry corresponding to (r, X) is already there in LH7 list. Otherwise, C does the following: · Pick h7 ∈ Zq * . · If h7 is already present in LH7 list, go to previous step. · Store hr, X, h7 i in LH7 list and return h7 . * H8 Oracle: When H8 oracle is queried with (γ, X) as input, C retrieves the tuple hγ, X, h8 i from LH8 list and returns h8 , if an entry corresponding to (γ, X) is already there in LH8 list. Otherwise, C does the following: · Pick h8 ∈ {(0, 1)}lw +lp . · If h8 is already present in LH8 list, go to previous step. · Store hγ, X, h8 i in LH8 list and return h8 . * H9 Oracle: When H9 oracle is queried with (u, r) as input, C retrieves the tuple hu, r, h9 i from LH9 list and returns h9 , if an entry corresponding to (u, r) is already there in LH9 list. Otherwise, C does the following: · Pick h9 ∈ Zq * . · If h9 is already present in LH9 list, go to previous step. · Store hu, r, h9 i in LH9 list and return h9 . • Corrupted KeyGen Oracle: When a query is made with input Ui , C does the follows: * Picks a random xi ∈ Zq * . * Computes Xi = xi P * Sets P Ki = hXi i and SKi = hxi i. * Stores hUi , xi , Xi i in LCorrupt list and returns (SKi , P Ki ). Here C knows the private key SKi of user Ui . • Uncorrupted Keygen Oracle :When a query is made with input Ui , the C performs the following: * Picks a random x̄i ∈ Zq * . * Computes Xi = x̄i Y = x̄i aP = xi P , where xi = x̄i a 12 "* Sets P Ki = hXi i. By definition SKi = hxi = x̄i ai. This is not known to C; a is the discrete log corresponding to Y in the DLP which is given as the challenge to C. * Stores hUi , −, x̄i , Xi i in LHonest list and returns P Ki . • ReKeyGen Oracle : On input of (cw , P Ki , P Kj ), C does the following to generate the re-encryption key: * If (P Ki ∈ LCorrupt ) · Compute RKi→j = RekeyGen(cw , SKi , P Ki , P Kj ). · Store htw , P Ki , P Kj , RKi→j i in LReKey list. · Output RKi→j * If tw , P Ki , P Kj has an entry in LReKey list, retrieve and return RKi→j * If P Ki ∈ LHonest , then R · Choose ω ← ∈ {(0, 1)}lω · Choose hc in ∈ Zq * and store hcw , −, Xi i in LH1 list. · If Xj is corrupt r = H6 (ω, x̄i xj aP,, Xi , Xj ) ∈ Zq * · If tw = tw * and P Ki = P KT then set rb = H6 (ω, x̄i a2 P, Xi , Xj ) ∈ Zq * (Here C does not know rb) · Compute s = H7 (−, Xj ) ∈ Zq * · By definition γ = rXj = rx̄j abP · Compute the re-encryption key RKi→j = hR1 , R2 , R3 , R4 , R5 , R6 i where, R1 = s − hc ∈ Zq * R2 = rbP ∈ G R3 = (ω||Xi ) ⊕ H8 (−, Xj ) ∈{' '} {(0, 1)}lω +lg R4 = H6 (ω, −, Xi , Xj ) ∈ Zq * R5 = h5 ∈ {(0, 1)}l5 , Storehtw , −, Xi , h5 iinLH5 list R6 = H0 (tw ) · Output the re-encryption key RKi→j = hR1 , R2 , R3 , R4 , R5 , R6 i • Self-Encrypt Oracle : On input of (m, tw , P Ki ), C does the following: * if P Ki corrupt, then run Self-Encrypt(m, tw , SKi , P Ki ) * If P Ki is honest, then perform the following · Choose random t ∈ Zq * · Choose ht ∈ Zq * and store htw , −, Xi , ht i in LH1 list. · Compute C1 = t + ht . · Compute Key = H2 (t) · Compute C2 = {Ĉi}(f or i=1 to l) and Ĉi =Sym.Encrypt (Mi , Key) for all i = 1 to l, l is the number of blocks. Assume that m = M1 M2 ... Ml where |Mi |=k and k is the block size of ∆. · Set C3 = H3 (m, t) · Choose α ∈ {(0, 1)}l5 and store htw , xi , Xi , h5 = αi in LH5 list. · C4 = H4 (C1 , C2 , C3 , α, X) · Set C5 = H0 (tw ) · Store hC, tw , P Ki i in LEncrypt list. · Output the ciphertext C = hC1 , Hc (C2 ), C3 , C4 , C5 )i. • Re-Encrypt Oracle : On input C = hC1 , C2 , C3 , C4 , C5 , P Ki , P Kj i , C does the following: * Generate the re-encryption key RKi→j = ReKey(P Ki , P Kj ) * Run D = Re-Encrypt(C, RKi→j , P Ki , P Kj ) as per the algorithm. * Store hC, D, P Ki , P Kj , tw i in LRe−Encrypt list and output D 13 "• Self-Decrypt Oracle: On input C = hC1 , C2 , C3 , C4 , C5 , tw , P Ki i , C does the following: * If an entry for (C, tw , Xi ) is there in LEncrypt list, return the corresponding m. * if P Ki corrupt, then run Self-Decrypt(C, SKi ) * If P Ki is honest, then perform the following: · Find htw , x, X, h5 i from LH5 list such that (Xi = xP ) OR (X = Xi AND x = −). Set α = h5 . If there is no such entry then query α = H5 (tw , −, Xi ). · If C4 6= H4 (C1 , C2 , C3 , α, tw , X), then it returns ⊥ Find htw , x, X, h1 i from LH1 list such that (Xi = xP ) OR (X = Xi AND x=-). Set α = h5 . If there is no such entry query α = H5 (tw , −, Xi ). · Find htw , x, X, h1 i from LH1 list such that (Xi = xP ) OR (X = Xi AND x=-), then set ht = h1 . If there is no such entry query then ht = H1 (tw , −, Xi ). · t = C1 − ht · Key = H2 (t) · Compute Mi =Sym.Decrypt(Ĉi , Key) for all i=1 to l and construct m = M1 M2 ... Ml . ? · If C3 = H3 (m, t) then, output m. Else, Output ⊥. • Re-Decrypt Oracle : On input of ciphertext D, C does the following: * if P Kj corrupt, then run Re-Decrypt(D, SKj ) * If P Ki and P Kj are honest, then perform the following 1. Pick γ, h8 from hγ, X, h8 i LH8 list for X = Xj and 2. For each γ retrieved from LH8 list: compute ω||Xi = D5 ⊕ h8 and r = H6 (ω, x̄j x̄i a2 P, Xi , Xj ). If γ = rXj , then proceed with next step, else continue checking with other γ retrieved from LH8 list. If no such γ is found, then it returns ⊥. 3. Compute s = H7 (r, Xj ) ∈ Zq * 4. ρ = H6 (ω, γ, Xi , Xj ) ∈ Zq * 5. Compute β = H9 (D6 , ρ) ∈ Zq * 6. Compute t = β −1 (D1 ) − s 7. Find Key = H2 (t) 8. Compute Mi =Sym.Decrypt(Ĉi , Key) for all i=1 to l and construct m = M1 M2 ... Ml . ? 9. If (C3 = H3 (m, t)) then, output m. Else, it returns ⊥. - Challenge Phase : Once the training is over, A provides m0 , m1 ∈ M such that (m0 , tw * ) or (m1 , tw * ) was not queried to Self-Encrypt oracle during Phase-1 and provides to C. C generates the challenge ciphertext C * = Self-Encrypt(mδ , tw * ) and δ ∈R {(0, 1)}- Phase-2 : A interacts with the oracles as in Phase-1 with the following restrictions, • A cannot make the query Self-Decrypt(C * ) • A cannot make the query Self-Encrypt(mδ , tw * ), δ ∈ {(0, 1)}• A cannot make the query Re-Encrypt(C * , P KT , P Kj ), P Kj ∈ LCorrupt • A cannot make the query Re-Decrypt(D, P Kj ), if D = Re−Encrypt(C * , P KT , P Kj ) and P Kj ∈ LHonest • A cannot make the query ReKey(tw * , P KT , P Kj ) and P Kj ∈ LCorrupt 0 0 - Guess: After getting sufficient training, A output the guess δ . A wins the game if δ = δ . C now picks randomly γ from LH6 list and provides as solution to the CDH problem. t u Security of the Transformed Ciphertext Theorem 3. If a (t, ) adversary A with an advantage breaks the IND-SE-PRE-CCAT security of the SE-PRE scheme, then C can solve the Computational Diffie Hellman(CDH) problem with advantage 0 where, 14 "0 ≥ 1 qt Here, qt is the number of queries to H6 oracle. Proof. In this section we formally prove the security of the transformed ciphertext of SE-PRE scheme in the random oracle model. The security of the scheme is reduced to the CDH problem. The challenger A is given the instance of CDH (i.e given (q, P, aP, bP ) such that q is a large prime, P, aP, bP ∈ G, find Y such that Y = abP .) Now, if there exist an adversary who can break the IND-SE-PRE-CCAT security of SE-PRE then C can make use of A to solve the CDH problem, which is assumed to be hard. Hence such an A does not exist. All the oracles are similar to that of IND-SE-PRE-CCAO . The challenge ciphertext issued will be a transformed ciphertext. A has much more access than IND-SE-PRE-CCAO : - A is allowed to access the rekey from P KT to any P Kj . - A is allowed to access Self-Decrypt for P KT Challenge :After getting sufficient training A provides two messages m0 , m1 and gives to C. C generates the ciphertext as, - Generate C * = Self-Encrypt(mδ , tw * , P Ki ); P Ki ∈ LHonest - Generate D* = RE-Encrypt(C * , tw * , P Ki , P KT ); - Provides D* to A. In Phase-2, A is now allowed to access all the oracles except Re-Decrypt(D* , P KT ). The rest of the proof is similar to IND-SE-PRE-CCAO . t u 5 Experimental Analysis In this section we provide the implementation results and time taken by various algorithms in SE and SE-PRE scheme. We compare the efficiency of our CCA secure SE scheme with the traditional CPA secure El-Gamal scheme (Weaker security than CCA) and report the same in Table.1. Also, we have compared our SE-PRE scheme with the only non-pairing unidirectional CCA secure PRE scheme by Selvi et al.[13] available. This is reported in Table 2. It is a known fact that pairing is very expensive than other group operations and hence we are not taking any pairing based schemes into consideration. The implementations are done on 2.4 GHz Intel Core i7 quad-core processor and the results have been reported below. . The programming language used is Go language [5], and the programming tool is Goland 2018.2. The cryptographic protocols are implemented using the edwards25519-curve [6], which is the current standard deployed in cryptocurrencies [10] for fast performances. From the performance comparison in Table 1, we note that our CCA secure self-encryption SE scheme is more efficient than the existing CPA-secure El-Gamal encryption scheme [9]. Also, from Table 2, it is evident that our selfproxy re-encryption SE-PRE scheme without bilinear pairing is more efficient than the existing pairing-free PRE scheme by Selvi et al. [13]. Algorithm CPA-Secure El-Gamal Scheme Our CCA secure SE Scheme Key Generation 612.947 591.677 Encryption 420.307 65.416 Decryption 300.052 41.65 Table 1: Performance Evaluation of the CPA secure El-Gamal encryption scheme and our Self-Encryption Scheme. (All timings reported are in microseconds.) From the above results it is evident that our SE encryption scheme is practical and suitable for cloud based scenarios where the user themselves store their files. Also, the SE-PRE scheme provides a very efficient approach to share encrypted files mainly in block-chain. 15 "Algorithm CCA-Secure Selvi et al. Scheme Our CCA secure SE-PRE Scheme Key Generation 714.271 579.702 First Level Encryption 1044.695 87.85 First Level Decryption 1554.78 60.356 Re-Encryption Key Generation 478.368 796.036 Re-Encryption 1087.52 23.216 Re-Decryption 1077.05 745.031 Table 2: Performance Evaluation of the efficient pairing-free unidirectional PRE scheme due to Chow et al. and our Scheme. (All timings reported are in microseconds.) 6 Conclusion In this paper, we have given a self encryption scheme SE based on discrete logarithm (DLP) assumption and then extended it to a Proxy Re-Encryption(SE-PRE) scheme suitable for block chain and distributed storage. First, we formally prove the CCA security of the SE and then the security of SE-PRE scheme in the random oracle model. We have also implemented our SEPRE scheme using GO language. From the results of our implementation, it is evident that our SE-PRE scheme is much efficient than the techniques available in literature till date. This makes it more suitable for distributed applications. It will be interesting to see how one can design a multi-recipient or broadcast PRE based on the self encryption approach that will provide high efficiency gain in decentralised platforms. References 1. 0box application by 0chain :https://0chain.net/zerobox. 2. Ochain website : https://0chain.net. 3. Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger. Improved proxy re-encryption schemes with applications to secure distributed storage. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2005, San Diego, California, USA, 2005. 4. Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger. Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur., 9(1):1-30, 2006. 5. Daniel J. Bernstein. The go programming language. https://golang.org/. 6. Daniel J. Bernstein. Curve25519: New diffie-hellman speed records. In Public Key Cryptography PKC 2006, 9th International Conference on Theory and Practice of Public-Key Cryptography, New York, NY, USA, April 24-26, 2006, Proceedings, pages 207-228, 2006. 7. Matt Blaze, Gerrit Bleumer, and Martin Strauss. Divertible protocols and atomic proxy cryptograp hy. In Advances in Cryptology - EUROCRYPT '98, International Conference on the Theory and Application of Cryptographic Techniques, Espoo, Finland, May 31 - June 4, 1998, Proceeding, pages 127-144, 1998. 8. Isaac Agudo David Nuez and Javier Lopez. A parametric family of attack models for proxy reencryption. Cryptology ePrint Archive, Report 2016/293, 2016. https://eprint.iacr.org/ 2016/293. 9. Taher El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Information Theory, 31(4):469-472, 1985. 10. Hartwig Mayer. Ecdsa security in bitcoin and ethereum: a research survey. CoinFaabrik, June, 28, 2016. 11. David Nuñez, Isaac Agudo, and Javier López. Proxy re-encryption: Analysis of constructions and its application to secure access delegation. J. Network and Computer Applications, 87:193-209, 2017. 12. S. Sharmila Deva Selvi, Arinjita Paul, and C. Pandu Rangan. An efficient non-transferable proxy re-encryption scheme. In Applications and Techniques in Information Security - 8th International Conference, ATIS 2017, Auckland, New Zealand, July 6-7, 2017, Proceedings, pages 35-47, 2017. 13. S. Sharmila Deva Selvi, Arinjita Paul, and Chandrasekaran Pandu Rangan. A provably-secure unidirectional proxy re-encryption scheme without pairing in the random oracle model. In CANS, volume 11261 of Lecture Notes in Computer Science, pages 459-469. Springer, 2017. 16 "