A Novel Deterministic Threshold Proxy Re-Encryption Scheme From Lattices

Na Hua, Juyan Li, Kejia Zhang, Long Zhang
Copyright: © 2022 | Pages: 17
DOI: 10.4018/IJISP.310936

Abstract

To address the difficulty of flexibly realizing both the sharing and the efficient search of encrypted data in large databases, this paper proposes a deterministic threshold proxy re-encryption scheme in the auxiliary-input model. The scheme uses Shamir's secret sharing to achieve threshold control, uses homomorphic signatures to verify the legitimacy of ciphertexts, and applies deterministic algorithms to solve the search problem in large databases, while ensuring users' control over their own data; its security is proven to reach indistinguishable semantic security (PRIV1-INDr) in the standard model. Compared with other schemes, this scheme not only shortens the ciphertext length and improves decryption efficiency, but also resists auxiliary-input leakage, is robust, and supports multi-hop conversion, and so better meets practical needs.
Article Preview

1. Introduction

Proxy re-encryption (PRE) (Blaze et al., 1998) is a special public key encryption scheme that implements ciphertext transformation. A PRE scheme is usually composed of three types of participants: the delegator, the delegatee, and the proxy. Specifically, the delegator first generates the ciphertext of the plaintext, then generates the re-encryption key from the encryption key of the delegatee, and sends both to the proxy. The proxy must convert the delegator's ciphertext into the delegatee's ciphertext without decrypting it, and must not be able to obtain any information about the plaintext. According to the direction of ciphertext conversion, PRE schemes are divided into unidirectional and bidirectional schemes. A unidirectional PRE scheme allows conversion in one direction only: either from the delegator's ciphertext to the delegatee's, or from the delegatee's ciphertext to the delegator's. A bidirectional PRE scheme permits the delegator's and the delegatee's ciphertexts to be converted into each other. According to the number of conversions a ciphertext can undergo, PRE schemes are divided into single-hop and multi-hop schemes. A single-hop PRE scheme allows a ciphertext to be converted only once, whereas a multi-hop PRE scheme allows it to be converted multiple times.

It is widely acknowledged that proxies are generally semi-trusted. Threshold proxy re-encryption (TPRE) (Lou, S. M. & Cao, Z. F., 2010) prevents a single proxy from holding full authority, which would lead to security risks such as abuse of authority or a disconnected proxy failing to provide service. The re-encryption key is distributed among multiple proxies and stored in a decentralized manner, and multiple proxies must cooperate to complete the key conversion. TPRE thus improves the robustness and security of the computing system.
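The threshold control described above, as an added example that is not the paper's scheme: Shamir's secret sharing over a prime field, splitting a re-encryption key into n shares so that any t proxies can reconstruct it while fewer learn nothing. It assumes the key is represented as an integer smaller than the field prime (a real lattice re-encryption key would be split element by element); the prime and sample key are constructed for the demo.

```python
import secrets

# Field prime for the shares: 2^127 - 1 (a Mersenne prime). Any prime larger
# than both the secret and the number of shares works; this one is a demo choice.
P = 2**127 - 1

def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients in increasing degree) at x, mod P."""
    result = 0
    for c in reversed(coeffs):          # Horner's rule
        result = (result * x + c) % P
    return result

def split_secret(secret, t, n):
    """Split `secret` into n shares such that any t of them reconstruct it.
    The secret is the constant term of a random polynomial of degree t-1,
    so t-1 shares leave every value of the constant term equally likely."""
    if not (1 <= t <= n < P):
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]   # x = 0 is never a share

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over at least t distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P       # product of (0 - x_j)
                den = den * (xi - xj) % P   # product of (x_i - x_j)
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

if __name__ == "__main__":
    rk = secrets.randbits(120)                  # constructed stand-in for a re-encryption key
    shares = split_secret(rk, t=3, n=5)         # five proxies, any three cooperate
    assert recover_secret(shares[:3]) == rk
    assert recover_secret(shares[:2]) != rk     # two proxies alone cannot reconstruct
    print("3-of-5 reconstruction ok")
```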

Bellare et al. (2007) first proposed deterministic public-key encryption (D-PKE), in which the encryption algorithm is a deterministic function of the plaintext and uses no random values. The original design goal of D-PKE was fast search over encrypted data in a database. Traditional randomized public-key encryption only permits searching encrypted data in linear time, whereas deterministic encryption maps each plaintext to a unique ciphertext and thus allows the same searches to be performed in logarithmic time. In addition, since deterministic encryption involves no randomness, it cannot be subverted through the randomness source. Nevertheless, a D-PKE algorithm may face side-channel or insider attacks: in addition to the decryption key, the adversary may obtain other information, which means the scheme may face the threat of information leakage.
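The linear-versus-logarithmic search contrast above, as an added example that is not from the paper or its lattice scheme: a keyed HMAC stands in for the equality-searchable ciphertext of a deterministic scheme, and a nonce-prefixed HMAC for a randomized one; KEY and the records are constructed. It also shows what the sorted index alone reveals to anyone who holds it, the equality leakage inherent to any deterministic scheme.

```python
import hmac, hashlib, secrets

KEY = b"constructed-demo-key"   # stand-in for the encryptor's secret

def det_tag(key, msg):
    """Deterministic stand-in: equal plaintexts give equal, sortable tags."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def rand_tag(key, msg, nonce=None):
    """Randomized stand-in: a fresh nonce makes every tag different."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    return nonce + hmac.new(key, nonce + msg, hashlib.sha256).digest()

def build_det_index(key, records):
    """Sorted (tag, record_id) pairs: the index a database can keep."""
    return sorted((det_tag(key, m), rid) for rid, m in records)

def det_search(index, key, query):
    """Binary search on the sorted index: O(log n) tag comparisons.
    Returns (matching record ids, number of comparisons made)."""
    q = det_tag(key, query)
    lo, hi, comps = 0, len(index), 0
    while lo < hi:                       # first position whose tag is >= q
        mid = (lo + hi) // 2
        comps += 1
        if index[mid][0] < q:
            lo = mid + 1
        else:
            hi = mid
    hits = []
    while lo < len(index) and index[lo][0] == q:
        hits.append(index[lo][1])
        lo += 1
    return sorted(hits), comps

def rand_search(key, stored, query):
    """Randomized tags cannot be sorted by plaintext: every record must be
    recomputed under its own nonce, so the cost is O(n)."""
    hits, comps = [], 0
    for rid, tag in stored:
        comps += 1
        if hmac.compare_digest(rand_tag(key, query, tag[:16]), tag):
            hits.append(rid)
    return hits, comps

def leaked_equalities(index):
    """What an index holder learns with no key: which records share a plaintext."""
    groups = {}
    for tag, rid in index:
        groups.setdefault(tag, []).append(rid)
    return [sorted(g) for g in groups.values() if len(g) > 1]
```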

Homomorphic encryption (HE) (Rivest, R., 1978) has become an important measure for coping with this problem. Homomorphic encryption means that the result of a homomorphic operation performed by the user on the ciphertext equals the result of performing the same operation on the plaintext and encrypting the outcome. This property not only allows a semi-trusted proxy to operate directly on the ciphertext without the private key, but also avoids the leakage of sensitive user information that would otherwise arise from the proxy having to decrypt the ciphertext in the course of the operation. The auxiliary-input model (Yuen et al., 2016), a security model stronger than the leakage-resilient model, gives the adversary a class of irreversible (hard-to-invert) auxiliary-input functions that allow it to simulate a variety of leaks. The adversary can obtain leaked information about the key through these auxiliary-input functions, but no matter how much information is leaked, even if the key is completely leaked in the information-theoretic sense, this cannot help the adversary recover the key. Brakerski, Z. & Segev, G. (2011) studied the security framework of auxiliary input in D-PKE schemes. Moreover, they gave the definition of indistinguishable semantic security (PRIV-INDr) and pointed out that in this setting it is hard to invert in block form.
