Time-and-ID-Based Proxy Reencryption Scheme

In this paper we propose a time-and-ID-based proxy reencryption scheme. A type-based proxy reencryption scheme enables the delegator to implement fine-grained policies with one key pair and without any additional trust on the proxy. However, in some applications the time at which the data was sampled or collected is critical. In such applications, for example, healthcare and criminal investigations, the delegatee may be interested in only some of the messages of a given type, namely those sampled within some time bound, rather than the entire subset. Hence, to cater for such situations, we propose a time-and-identity-based proxy reencryption scheme that, in addition to the type of the data, takes into account the time at which it was collected when categorizing it. Our scheme is based on the Boneh-Boyen identity-based encryption scheme (BB-IBE) and Matsuo's proxy reencryption scheme for identity-based encryption (IBE to IBE). We prove that our scheme is semantically secure in the standard model.


Introduction
A proxy reencryption (PRE) scheme involves three parties: a delegator (Alice), a delegatee (Bob), and a proxy (a semitrusted third party). Alice gives the proxy a key that lets it reencrypt all her messages encrypted under her public key so that the resulting ciphertexts can be decrypted with Bob's private key. Because decryption capability can be delegated in this way, various applications of PRE have been suggested, for example, email forwarding, digital rights management (DRM), law enforcement, and secure network file storage [1][2][3][4]. PRE schemes can be classified by their direction of operation, the number of hops (repeated reencryptions) they allow, and their structure. Unidirectional PRE means that the proxy can reencrypt a message from Alice to Bob but cannot reencrypt a message from Bob to Alice with the same key, while in bidirectional PRE the same key works from sender to recipient and vice versa. PRE schemes capable of reencrypting a message from Alice to Bob and then from Bob to Charlie are said to be multihop or multi-use [5,6]. Single-hop schemes, on the other hand, use a specific key to reencrypt between only two entities. A PRE scheme should at least satisfy the following requirements: (1) the proxy alone cannot obtain the underlying plaintext and (2) the delegatee cannot obtain the underlying plaintext without the proxy's cooperation.
Based on a simple modification of the ElGamal encryption scheme, Blaze et al. [7] in 1998 proposed the first PRE scheme, in which the proxy is kept from learning plaintexts and secret keys [8]. Ateniese et al. [1] proposed a number of unidirectional PRE schemes and discussed several of their potential applications, such as distributed secure file systems. Later, many unidirectional PRE schemes with different properties were proposed [9][10][11]. In the recent past, the concept of identity-based proxy reencryption (IB-PRE) has gained popularity among researchers [12,13]. Identity-based encryption (IBE) was first introduced by Shamir [14]. The main idea of ID-based cryptosystems is that the identity information of each user (such as an E-mail address, security number, or IP address) works as his/her public key. In other words, the user's public key can be computed directly from his/her identity rather than being extracted from a certificate issued by a certificate authority (CA), as is the case in certificate-based cryptosystems. The ID-based public key setting serves as a good alternative to the certificate-based public key setting, especially when efficient key management and moderate security are required. After Boneh and Franklin [15] proposed a practical IBE scheme, Green and Ateniese [16] proposed the first IB-PRE scheme. IB-PRE is IBE that permits delegation of decryption capability. They also discussed several interesting applications such as bridging IBE and public key encryption (PKE). Since then, several IB-PRE schemes have been proposed [17,18]. In IB-PRE, a user who holds the secret key corresponding to his/her public identity can decrypt a ciphertext encrypted under that identity, as in IBE. In 2007, Matsuo proposed four types of PRE schemes: certificate-based PKE (CBE) to CBE, IBE to CBE, CBE to IBE, and IBE to IBE [19]. Matsuo's schemes are based on an ElGamal-type CBE scheme and BB-IBE [20]. The CBE to IBE and IBE to IBE PRE schemes are now being standardized by the IEEE P1363.3 working group [21].
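The two requirements stated above for a PRE scheme, and the unidirectional/bidirectional distinction, can be seen concretely in the ElGamal-based construction of Blaze et al. [7]. The following Python program is an added toy example, not code from this paper or from the pairing-based scheme it proposes: it implements a bidirectional, single-hop PRE in the style of Blaze, Bleumer, and Strauss over the prime-order subgroup of a small safe prime. The constants P, Q, G, the quadratic-residue message encoding, and all function names are the example's own choices, and the parameters are far too small for real use. The proxy holds only the reencryption key and never sees an unmasked message, Bob cannot read a ciphertext addressed to Alice without the proxy's output, and, because the key is the ratio of the two secret keys, its inverse reencrypts in the opposite direction, which is exactly the bidirectional property described above.

```python
import secrets

# Constructed toy parameters: P is a safe prime (P = 2*Q + 1) and G generates
# the order-Q subgroup of Z_P^* (the quadratic residues). Chosen only so the
# arithmetic is easy to follow; nothing this small is secure.
P = 1019
Q = 509
G = 4


def encode(m: int) -> int:
    """Map an integer 1 <= m <= Q into the order-Q subgroup.
    Since P % 4 == 3, -1 is a non-residue, so exactly one of m and P - m
    is a quadratic residue; pick that one."""
    if not 1 <= m <= Q:
        raise ValueError("message must be in [1, Q]")
    return m if pow(m, Q, P) == 1 else P - m


def decode(x: int) -> int:
    """Inverse of encode: residues <= Q were m itself, larger ones were P - m."""
    return x if x <= Q else P - x


def keygen() -> tuple:
    """Secret key sk in [1, Q-1], public key G^sk mod P."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt(pk: int, m: int) -> tuple:
    """ElGamal variant used by BBS: (m * G^k, pk^k) with fresh random k."""
    k = secrets.randbelow(Q - 1) + 1
    return encode(m) * pow(G, k, P) % P, pow(pk, k, P)


def decrypt(sk: int, ct: tuple) -> int:
    """Recover G^k from pk^k = G^(sk*k) by raising to 1/sk, then unmask."""
    c1, c2 = ct
    g_k = pow(c2, pow(sk, -1, Q), P)
    return decode(c1 * pow(g_k, -1, P) % P)


def rekey(sk_from: int, sk_to: int) -> int:
    """Reencryption key rk = sk_to / sk_from (mod Q).
    The proxy receives only rk, never either secret key."""
    return sk_to * pow(sk_from, -1, Q) % Q


def reencrypt(rk: int, ct: tuple) -> tuple:
    """Proxy step: raising pk_from^k to rk yields pk_to^k.
    The masked message c1 is left untouched, so the proxy learns nothing about m."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)


def demo(m: int) -> dict:
    """One delegation Alice -> Bob; returns which party can read which ciphertext."""
    sk_a, pk_a = keygen()
    sk_b, pk_b = keygen()
    while sk_b == sk_a:            # distinct keys so the negative case is meaningful
        sk_b, pk_b = keygen()
    rk = rekey(sk_a, sk_b)
    ct_a = encrypt(pk_a, m)        # ciphertext addressed to Alice
    ct_b = reencrypt(rk, ct_a)     # proxy translates it for Bob
    # Bidirectional: the inverse key translates a ciphertext for Bob back to Alice.
    ct_back = reencrypt(pow(rk, -1, Q), encrypt(pk_b, m))
    return {
        "alice_reads_own": decrypt(sk_a, ct_a) == m,
        "bob_reads_reencrypted": decrypt(sk_b, ct_b) == m,
        "bob_reads_original": decrypt(sk_b, ct_a) == m,   # False: needs the proxy
        "alice_reads_reverse": decrypt(sk_a, ct_back) == m,
    }


if __name__ == "__main__":
    print(demo(42))
```

The negative entry in the result shows requirement (2): without the proxy's translation, Bob's key turns Alice's ciphertext into an unrelated group element. Requirement (1) holds because the proxy only ever exponentiates the second component; the masked message is never touched. The "reverse" entry is the bidirectional weakness the introduction contrasts with unidirectional schemes: whoever holds rk can translate in both directions, so the delegation is symmetric whether or not Alice intended that.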
In 2008, Tang [22] first introduced the concept of type-based PRE (TB-PRE). He proposed two schemes: one achieves ciphertext privacy and was proved secure against chosen plaintext attack (IND-PR-CPA) under the eXternal Diffie-Hellman (XDH) and co-BDH assumptions, while the other achieves chosen ciphertext attack (IND-PR-CCA) security under the knowledge of exponent (KE) and bilinear Diffie-Hellman (BDH) assumptions. In a TB-PRE scheme, the delegator categorizes his/her messages (ciphertexts) into different subsets and can delegate the decryption right of each subset to a specific delegatee. The ciphertexts for the delegator are generated from the delegator's public key and the message type, which identifies the message subset. TB-PRE, as a variant of PRE, can be considered a subset of conditional proxy reencryption (C-PRE). In C-PRE schemes, ciphertexts are generated with respect to a certain condition and the proxy can translate a ciphertext only if the associated condition is satisfied [23,24]. Ibraimi et al. [25] proposed the first type-and-identity-based proxy reencryption (TIB-PRE) scheme, based on the Boneh-Franklin IBE scheme. Their scheme was proved semantically secure against an adaptive chosen plaintext attack for the delegator (IND-ID-DR-CPA). They further showed how their scheme could be used by a patient to enforce his/her personal health record (PHR) disclosure policies. A TIB-PRE scheme is basically a TB-PRE scheme that encompasses IBE and PRE.

Motivation and Contribution.
As pointed out in [22,25], the existing PRE schemes have the limitation that the proxy could reencrypt all ciphertexts encrypted under the delegator's public key and pass them to the delegatee. To implement fine-grained access control policies, the delegator (1) can choose a different key pair for each possible subset of his/her messages and choose a proxy to delegate his decryption right for it, or (2) can choose to trust the proxy to enforce his policies by reencrypting only the predefined subset of his ciphertexts to the specific delegatee. However, both approaches are infeasible in practice because they are too demanding for the delegator and also require strong trust in the proxy. In a type-based proxy reencryption scheme, on the other hand, the delegator can categorize his messages (ciphertexts) into different subsets and delegate the decryption right of each subset to a specific delegatee. Hence, type-based proxy reencryption enables the delegator to implement fine-grained policies with one key pair and without any additional trust in the proxy.
Despite this advantage, in some applications the delegator may need to delegate only some of the messages within a type-based subset rather than all of them, because the delegatee may be interested only in messages collected or sampled within a specified period of time. For example, (1) in healthcare, a physician may be interested only in a patient's recent (e.g., last five months) prescription history, to check whether recent drug interactions could conflict with the proposed course of treatment; (2) in criminal investigations, an investigator may be interested only in closed circuit television (CCTV) footage of the crime scene that was recorded within the time bound of the crime. In view of such cases, we argue that incorporating a time period (e.g., hours, days, etc.) into TBE would give the delegator more flexibility to provide the proxy with more fine-grained reencryption capabilities. Hence, in this paper we propose a time-and-identity-based proxy reencryption scheme (  -IB-PRE) that addresses the aforementioned shortfalls of PRE schemes while retaining the advantages of TB-PRE and IBE schemes. Our scheme is based on BB-IBE and Matsuo's IBE to IBE PRE scheme. Unlike the existing TB-PRE schemes, the ciphertexts for the delegator in our scheme are generated from the delegator's public key and some specified time periods. We find this assumption plausible because it is common practice to attach a date, and even a time, to data upon its collection. Note that our scheme can be considered a special case of TBE: we assume that the delegator first categorizes his/her messages into subsets according to type and then, as requested by the delegatee, further recategorizes the messages into refined subsets according to the specified time period. The reencryption key in our scheme is independent of the delegatee's private key. As a result, our scheme achieves master secret security.

Preliminaries
In this section, we first review the basic concept of bilinear maps and the related assumptions. Then a brief discussion of IBE and TIB-PRE, together with their respective security models, follows [26].
Definition 1. Let  and  1 be two cyclic multiplicative groups of prime order . Let  be a generator of  and let ê:  ×  →  1 be a bilinear map with the following properties.
(ii) Nondegeneracy: the map does not send all pairs in  ×  to the identity in  1 . Observe that since  and  1 are groups of prime order, this implies that if  is a generator of , then ê(, ) is a generator of  1 .  is said to be a bilinear group if the group operation in  and the bilinear map ê:  ×  →  1 are both efficiently computable.
We assume that there is an efficient algorithm Gen for generating bilinear groups. The algorithm Gen takes a security parameter  as input and outputs a tuple (, ,  1 , , ê).
Definition 2. The decisional bilinear Diffie-Hellman (dBDH) problem in groups (,  1 ) is as follows. Given (,   ,   ,   , ) ∈  ×  1 with unknown , ,  ∈   *  , decide whether  = ê(, )  . The advantage of an algorithm A in solving the dBDH problem is defined as follows:
where the probability is over the random choice of the generator  ∈  , the randomly chosen integers , ,  ∈   *  , the random choice of  ∈   1 , and the random bits used by A. We say that the (, , -) dBDH assumption holds in  if no -time algorithm has advantage at least  in solving the dBDH problem in  under a security parameter .

Definition and Security Notion for IBE
Definition 3. An IBE scheme consists of four algorithms:   ,   ,   , and   [27].
(1  ). This algorithm takes a security parameter  as input and outputs parameters params, which are distributed to users, and the master key , which is kept private.
(params, , ). This algorithm takes the parameters params, the master key , and an identifier  as input and outputs a private key   associated with .
(params, , ). This algorithm takes the parameters params, a message , and an identifier  as input and outputs a ciphertext   encrypted under .
(  ,   ). This algorithm takes a ciphertext   associated with an identifier  as input and outputs a message  or ⊥ as an error message.
Definition 4. Selective identity chosen plaintext (IND-sID-CPA) security for an IBE scheme is defined as a game between an adversary A and a challenger C, where the challenger simulates the protocol execution and answers queries from the adversary.
Initialization. The adversary outputs an identifier  * on which it wishes to be challenged.
.The challenger runs the setup algorithm and returns parameters params to the adversary while keeping the master key  to itself.
Phase 1. The adversary adaptively issues  1 ⋅ ⋅ ⋅   private key queries for   ̸ =  * . The challenger runs the algorithm   and outputs the private keys    corresponding to   . The challenger sends    to the adversary.
Once the adversary decides that phase 1 is over, it selects two plaintexts  0 ,  1 ∈  of equal length on which it wishes to be challenged.
Phase 2. The adversary continues to issue  +1 ⋅ ⋅ ⋅   queries as in phase 1, with the restriction that he/she cannot issue private key queries for   =  * . The challenger responds as in phase 1.
An IBE system is said to be (, , , -) IND-sID-CPA secure if for any -time IND-sID-CPA adversary A that makes at most  chosen secret key queries under a security parameter  we have Adv game  < . As shorthand, we say that an IBE system is (, , , -) IND-sID-CPA secure.

Definition and Security Notion for TIBE and TIB-PRE Scheme
Definition 6. We base our definitions on [22,25].
Definition 8. We model selective identity chosen plaintext security for a TIB-PRE scheme as a game between an adversary A and a challenger C, where the challenger simulates the protocol execution and answers queries from the adversary.
Initialization. The adversary outputs an identity  * and  * on which it wishes to be challenged.
- . The challenger runs the setup algorithm and returns the parameters params to the adversary while keeping the master key  to itself.
Phase 1. Taking parameters params as input, the adversary adaptively issues the following queries.
V - . The adversary queries with any identifier   ̸ =  * . The challenger outputs the private key    corresponding to   and sends    to the adversary.
- . The adversary queries with (  ,   , ). If   has already been queried to a private key query, then the challenger halts. Otherwise, the challenger outputs a reencryption key   →   for type  and sends it to the adversary.
Once the adversary decides that phase 1 is over, it selects two plaintexts  0 ,  1 ∈  of equal length on which it wishes to be challenged.
Phase 2. The adversary continues to issue queries as in phase 1, with the restrictions that (i) he/she cannot issue private key queries for   =  * and (ii) if there is a  - query with (, ,  * , ), then (,  * , ) has not been queried to  - .
The challenger responds as in phase 1.

Our Construction
In this section, we propose our time-and-identity-based proxy reencryption scheme (  -IB-PRE), based on BB-IBE and Matsuo's ID-PRE scheme. We adopt the basic principles of TIB-PRE. We first describe our   -IBE scheme and then discuss the delegation process. In our scheme, we assume one-level delegation, meaning that delegatees will not further delegate their decryption rights to other users. We use   to denote some specified period of time (date, month, or year). Our scheme consists of six algorithms, namely, Setup, KeyGen, Pextract, Encrypt, Preenc, and Decrypt.

Setup(1^k). This algorithm is run by the PKG and works as follows: it takes the security parameter  and selects a random generator  ∈  and a random element  2 ∈  . Pick a random  ∈   *  and set  1 =   ,  =   2 , and params = (,  1 ,  2 ). Here,  =  is the master secret key and params are the public parameters.
(params, , ). Here, the PKG takes the parameters params, the master key  = , and an identifier  as input. The PKG picks a random value  ∈   *  and outputs a private key   corresponding to , where (, , ,   ).
To encrypt a message  bounded by time   , the message sender picks  ∈   *  at random, computes  = ê( 1 ,  2 ), and outputs the ciphertext   , where
Note that  = ê( 1 ,  2 ) can be precomputed once and for all, so that encryption does not require any pairing computations.

Definition 5. We define the advantage of adversaries in IND-sID-CPA games as Adv game  = (Pr [  = ] .
A TIBE scheme consists of four algorithms:   ,   ,   , and   . Both   and   are run as in IBE. Below, we define   and   . Note that we use the notation  to stand for the message type.
(params, , , ). This algorithm takes the parameters params, a message , an identifier , and a message type  as input and outputs a ciphertext   encrypted under . Both   and  are sent to the receiver.
(,   , ). This algorithm takes the ciphertext   , the private key   , and a message type  as input. The algorithm outputs a message  of type .
- and  - are defined as above. Below we define  - and  - .
- (  ,   , ). This algorithm is run by the delegator. It takes the delegator's private key   , the delegator's identifier , the delegatee's identifier   , and a message type  as input. The algorithm outputs   →   as the reencryption key.
- (  ,   →   , ). This algorithm is run by the proxy. It takes the ciphertext   associated with the delegator's identifier, the reencryption key   →   , and a message type  as input. The algorithm outputs a new ciphertext   for the delegatee.