Lattice Based Mix Network for Location Privacy in Mobile System

In 1981, David Chaum proposed a cryptographic primitive for privacy called a mix network (mixnet). A mixnet is a cryptographic construction that establishes an anonymous communication channel through a set of servers. In 2004, Golle et al. proposed a new cryptographic primitive called universal reencryption, which takes as input messages encrypted under the public keys of the recipients rather than the public key of the universal mixnet. In Eurocrypt 2010, Gentry, Halevi, and Vaikuntanathan presented a cryptosystem which is additively homomorphic and multiplicatively homomorphic for a single multiplication. In MIST 2013, Singh et al. presented a lattice based universal reencryption scheme under the learning with errors (LWE) assumption. In this paper, we improve Singh et al.'s scheme using Fairbrother's idea. LWE is a lattice hard problem for which, to date, no polynomial time quantum algorithm is known. Wiangsripanawan et al. proposed a protocol for location privacy in mobile systems using universal reencryption whose security is reducible to the Decision Diffie-Hellman assumption. Once quantum computers become a reality, universal reencryption can be broken in polynomial time by Shor's algorithm. In postquantum cryptography, our scheme can replace the universal reencryption scheme used in Wiangsripanawan et al.'s scheme for location privacy in mobile systems.


Introduction
In 1981, Chaum [1] proposed a cryptographic primitive for privacy called a mix network (mixnet). A mixnet is a cryptographic construction that establishes an anonymous communication channel through a set of servers. One type of mixnet accepts messages encrypted under the public keys of all intermediate mixnet nodes and outputs the corresponding plaintexts in a random permutation. The sender encrypts the message using the public keys of the mixnet nodes in some order. The ciphertext is a concatenation of -encryptions, which can be seen as a -layered onion. The mixnet receives such ciphertexts from many senders. Each mixnet node decrypts the ciphertexts using its private key (removing the outer layer of the onion), in the reverse order of the encryption, and permutes them before forwarding them to the next mixnet node. Finally, the th mixnet node sends the messages to the respective receivers. In this way, adversaries such as an eavesdropper (external) or a mail server (internal) find it hard to guess who is communicating with whom. A mixnet preserves anonymous communication even if only one mixnet node is honest. A drawback of the decryption type of mixnet is that if one server fails, the whole mixnet fails.
Choonsik et al. [2] proposed a reencryption mixnet, which is robust. A reencryption mixnet accepts messages encrypted under the public key of the mixnet. A mixnet node reencrypts the encrypted message and broadcasts the reencrypted ciphertext to the other mixnet nodes. There is no fixed order of reencryption: any mixnet node can reencrypt first and broadcast the result to the other nodes, and it is not required that every mixnet node perform a reencryption. The private key corresponding to the public key of the mixnet is distributed among all reencryption mixnet nodes [3]. The set of ciphertexts produced by the last reencryption mixnet node is decrypted by a group of  nodes using a (, ) threshold scheme [3]. For privacy, it is required that an adversary cannot distinguish between a reencrypted ciphertext and a random ciphertext of the same size as the reencrypted ciphertext.
Both mixnets discussed above accept messages encrypted under the public key of the mixnet. In 2004, Golle et al. [4] proposed a new cryptographic primitive called universal reencryption, which takes as input messages encrypted under the public keys of the recipients rather than the public key of the universal mixnet. It therefore dispenses with the complexities of key generation, key distribution, and key maintenance for a mixnet public key. A mixnet based on universal reencryption is called a universal mixnet. A universal mixnet takes as input messages encrypted under the public keys of the recipients. These encrypted messages are universally reencrypted and permuted by each universal mixnet node before being forwarded to the next node. Finally, the output of a universal mixnet is a set of universally reencrypted ciphertexts. A potential recipient must attempt to decrypt all the ciphertexts to identify the messages sent to them. This is a disadvantage of universal reencryption.
Lattice based cryptography has bloomed in recent years because of the following advantages.
(i) Once quantum computers become a reality, every cryptosystem based on prime factorization or the discrete logarithm problem can be broken in polynomial time by Shor's algorithm [5]. To date, however, no polynomial time quantum algorithm for lattice hard problems is known.
(ii) The security of a cryptosystem depends on the hardness of its underlying problem in the average case. Ajtai, in his seminal result [6], showed that lattice based cryptosystems are secure under the assumption that lattice problems are hard in the worst case. This gives a strong hardness guarantee.
(iii) Lattice based cryptosystems are efficient and parallelizable.
A drawback of lattice based cryptosystems is that they have large key and ciphertext sizes. Recently, Regev [9] defined the learning with errors (LWE) problem and proved that it enjoys a similar average-case/worst-case hardness equivalence under a quantum reduction.
Location privacy is the ability to prevent adversaries from learning one's current or past location [10]. Advances in mobile networks have made location information useful in many applications. However, location information can also reveal a person's medical condition, lifestyle, and so forth, and a malicious user can exploit such information for blackmail. Wiangsripanawan et al. [11] proposed a protocol for location privacy in mobile systems using universal reencryption [4], whose security is reducible to the Decision Diffie-Hellman assumption. Once quantum computers become a reality, universal reencryption can be broken in polynomial time by Shor's algorithm [5].
Our Contributions. The idea behind universal reencryption is simple. In an additively homomorphic cryptosystem, a new ciphertext (an encryption of zero) can be appended to the ciphertext. The new ciphertext can be used to reencrypt (change the encryption factor of) the original ciphertext so that the reencrypted ciphertext and the original decrypt to the same plaintext, because in an additively homomorphic scheme ( + 0) = () + (0).
In Eurocrypt 2010, Gentry et al. [12] presented a cryptosystem which is additively homomorphic and multiplicatively homomorphic for a single multiplication. In MIST 2013, Singh et al. [13] presented a lattice based universal reencryption scheme under the learning with errors (LWE) problem, based on [12]. In this paper, we improve Singh et al.'s scheme [13] in terms of ciphertext size and computational cost using Fairbrother's idea [14]. The idea is simple: a ciphertext in the scheme of [13] has two parts, and the second part is an encryption of zero. Larger files can be split into many segments, and the second part of the ciphertext (the encryption of zero) can be shared by all the segments. In this way, the size of the ciphertext is reduced by approximately half, and the computational cost is reduced as well.
In postquantum cryptography, our scheme can replace the universal reencryption scheme used in the Wiangsripanawan et al. [11] protocol for location privacy in mobile systems.
Paper Outline. The rest of the paper is organized as follows.
In Section 2, we give some preliminaries, including security models and hard problems. In Section 3, we describe different types of mixnet. We describe the GHV public key cryptosystem [12] in Section 4. In Section 5, we review Singh et al.'s scheme [13]. In Section 6, we give our improved construction, and in Section 7 we give the conclusion and related open problems.

Preliminaries
2.1. Notation. We denote [] = {0, 1, ..., }, the set of real numbers by , and the set of integers by . We assume vectors are in column form and write them with small letters, for example, . Matrices are written as capital letters, for example, . We denote  ← () × as a matrix  whose elements are chosen from the Gaussian distribution  over , and  ←  × as a matrix  whose elements are chosen uniformly over . ‖‖ denotes the Euclidean norm of the longest (maximum Euclidean norm) column vector of the matrix ; that is, ‖‖ := max ‖‖ for 1 ≤  ≤ .
We say that negl() is a negligible function in  if it is smaller than the inverse of any polynomial in  for all sufficiently large .

Universal Reencryption Scheme (URe).
A universal reencryption scheme consists of four algorithms [4]. We denote by , , and  the message space, the ciphertext space, and the set of encryption factors, respectively.
Universal KeyGen(). On input a security parameter , this algorithm outputs a public key pk and secret key sk pair.
Universal Encryption(pk, , ). On input a public key pk, a message  ∈ , and an encryption factor  ∈ , this algorithm outputs a ciphertext  ∈ C.
Universal Decryption(, sk). On input a secret key sk and a ciphertext , this algorithm outputs the message .
Universal Reencryption(, ). On input a ciphertext  and a reencryption factor  ∈ , but no public key, this algorithm outputs a ciphertext  where  ∈ C.

Universal Semantic Security Model for Universal Reencryption Scheme (IND-URe-CPA).
The universal security model is a variant of the semantic security model and is adapted from [4]. In this model, the adversary is allowed to construct universal ciphertexts under a randomly generated public key pk. The challenger reencrypts the ciphertext. The goal of the adversary is to distinguish between the reencrypted ciphertext and a random ciphertext of the same size as the universally reencrypted ciphertext. The security model is defined by the following game played between the challenger and an active adversary.
KeyGen. The challenger runs the key generation algorithm and gives the public parameters to the adversary.
Challenge. The adversary submits a message  ∈  and an encryption factor  ∈  (the adversary can construct the ciphertext). The challenger sets  ← Universal Encryption(, , pk), chooses a random bit  ∈ {0, 1}, and chooses a random ciphertext  of the same size as the universally reencrypted ciphertext. If  = 0, it assigns the challenge ciphertext * = Universal Reencryption(, ). If  = 1, it assigns the challenge ciphertext * = . The challenger sends the challenge ciphertext * to the adversary.
Guess. The adversary outputs a guess  ∈ {0, 1} and wins the game if  = .
An IND-URe-CPA adversary is referred to as an adversary A. We define the advantage of the adversary A in attacking the universal reencryption scheme  as Adv,() = |Pr[ = ] − 1/2|.
Definition 1. One says that a universal reencryption scheme  is universal semantically secure if, for all probabilistic polynomial time adversaries , Adv,() is a negligible function.

Semantically Secure Elgamal Cryptosystem
Following [15], the semantically secure Elgamal cryptosystem consists of three algorithms.
Setup. Two primes  and  are randomly selected such that  = 2 + 1. Pick a random generator ℎ ∈  and set  = ℎ² (mod ).  is a generator of the subgroup  (a Schnorr group) of size . The message  is also an element of the subgroup . Since  ∈ , we have  ∈  (the quadratic residues modulo ). Pick a random number  ∈ −1 as the private key and set the public key  =  (mod ).

Homomorphic Encryption.
An encryption scheme is a multiplicatively homomorphic encryption scheme if the encryption of  equals the product of the encryption of  and the encryption of ; that is, () = ()().
It can easily be shown that the Elgamal encryption scheme is multiplicatively homomorphic.

Integer Lattices
Following [16,17], let  = {1, ..., } ⊂  consist of  linearly independent -dimensional column vectors; the lattice generated by the matrix  is
The column vectors of the matrix  = {1, ..., } are called a basis for the lattice, and  and  are called the rank and the dimension of the lattice, respectively. When  = , the lattice is called a full-rank lattice; in general  ≤ . The determinant of a lattice is the absolute value of the determinant of its basis matrix: det(()) = |det()|.
q-Ary Lattices. Cryptographic constructions based on lattices generally use -ary lattices. A lattice  which satisfies  ⊆  ⊆  for some prime  is called a -ary lattice. In other words, a vector  ∈  if and only if  mod  ∈ , where  is a -ary lattice.
For a prime ,  ∈ ×, and  ∈ , three -dimensional -ary lattices are defined as follows: Since the first -ary lattice is generated by the rows of the matrix  and the second is the set of vectors orthogonal to the rows of , these two -ary lattices are dual to each other:
Theorem 2 (see [6,18]). Let  ≥ 3 be odd and  := ⌈6 log ⌉.
In the above,  is chosen uniformly at random. Even if  is chosen from the Gaussian distribution, decision LWE remains hard [20,21].
Gaussian Distribution . For  ∈ +, the distribution  on  = [0, 1) is obtained by sampling a Gaussian distribution with mean 0 and variance ²/2 and reducing the result modulo 1. The probability density function is given by the following equation: In other words, the distribution is obtained by "folding" the Gaussian distribution (0, ²/2) on  into the interval  = [0, 1) [22].
Discrete Gaussian Distribution . This distribution is obtained by "folding" the distribution  on  = [0, 1) into . It is the discrete distribution over  of the random variable ⌊⌉ mod , where the random variable  ∈  has distribution .
The following theorem shows that the LWE problem is reducible, via a quantum algorithm, to some lattice problems in the worst case.

Mix Network
A mix network is a multistage system that offers anonymous communication. Here, we describe three types of mixnet: the decryption mixnet, the reencryption mixnet, and the universal reencryption mixnet. Following [1,23], each mixnet node has its own public key and private key. We denote the public and private key of the th mixnet node by (pk, sk).

Decryption Mixnet
Encryption. The sender first encrypts the message using the public key of the th mixnet node. The first encryption is where  is the address of the receiver and  is a random number concatenated with the encryption. Similarly, the sender encrypts  again with the public key of the (−1)th mixnet node. The second encryption is Finally, the sender sends the ciphertext  to the mixnet as The above ciphertext is a concatenation of -encryptions, which can be seen as building up a -layered onion.
Decryption. The first mixnet node receives ciphertexts from many senders. It decrypts all the ciphertexts using its private key (removing the outer layer of the onion) and permutes them before forwarding them to the second mixnet node. Finally, the th mixnet node sends the messages to the respective receivers. Chaum's mixnet [1] preserves anonymous communication even if only one mixnet node is honest. But it has the following disadvantages.
(1) The mixnet is not robust: if one mixnet node fails, the whole mixnet fails.
(2) The encryption cost is very high and grows with the number of mixnet nodes.

Reencryption Mixnet
The secret key of the mixnet is  and the public key is  = . The secret key  is shared among  mixnet nodes in such a way that at least  mixnet nodes are required to compute , but no group of  − 1 nodes can compute .
Encryption. The sender encrypts the message using the public key  of the mixnet. The ciphertext is The sender sends the ciphertext  to the mixnet.
Reencryption. Mixnet node  reencrypts the encrypted message as follows: where  is a random number. The mixnet node broadcasts the reencrypted ciphertext to the other mixnet nodes. There is no fixed order of reencryption: any mixnet node can reencrypt first and broadcast the result to the other nodes, and it is not required that every mixnet node perform a reencryption.
Decryption. In the decryption phase, any  mixnet nodes can participate to compute the secret key : where  ≤  and  is the address of the receiver.

Universal Reencryption Mixnet
In 2004, Golle et al. [4] presented a new primitive called universal reencryption, based on the Elgamal public key cryptosystem [24]. A universal mixnet is a mixnet based on universal reencryption; it takes as input messages encrypted under the public keys of the recipients rather than the public key of the universal mixnet. Indeed, there is no such thing as the public key of the universal mixnet, so it dispenses with the cost of establishing a public key infrastructure for the mixnet nodes. The idea behind universal reencryption is simple. In an additively homomorphic cryptosystem, we append a second ciphertext (an encryption of zero) to the ciphertext. Since, in an additively homomorphic scheme, ( + 0) = () + (0), we can use the second ciphertext to reencrypt (change the encryption factor of) the first ciphertext such that the reencrypted ciphertext and the original ciphertext decrypt to the same plaintext.
Key Generation. It is the same as the key generation algorithm of the Elgamal cryptosystem.
Universal Encryption. On input a message , a public key , and a random encryption factor  = ( 0 ,  1 ) ∈ ², the ciphertext  is computed as follows: Here the ciphertext ( 2 ,  3 ) is for the message .
We briefly describe the GHV homomorphic cryptosystem [12] because our scheme is based on it. Here, the message space is  ∈ ×2 (the set of binary -by- matrices) and the ciphertext space is  ∈ × (the set of -by- matrices).
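The reencryption step just described, as an added example that is not code from the paper or from Golle et al.: universal reencryption over a toy Schnorr group, a universal mixnet node that reencrypts and permutes a batch, and the recipient's trial decryption of every output mentioned in Section 1. It also shows the multiplicative homomorphism of the Elgamal scheme (elgamal_mul). The values p = 2039, q = 1019 and g = 3² are constructed toy parameters, messages are represented directly as subgroup elements g^x, and every function name (universal_reencrypt, mix_node, scan_for_mine, ...) is this example's own.

```python
"""Universal reencryption (Golle et al. style) over a toy Schnorr group.

Added illustration, not the paper's or Golle et al.'s code. p = 2q + 1 with
p = 2039, q = 1019 and g = 3^2 are constructed toy parameters; a real
deployment needs a group of cryptographic size."""
import random
import secrets

P = 2039          # safe prime p = 2q + 1 (toy value)
Q = 1019          # prime order q of the quadratic-residue subgroup
G = pow(3, 2, P)  # g = h^2 generates the order-q Schnorr subgroup


def keygen(rng):
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encode(x):
    """Toy message encoding: represent the message as the subgroup element g^x."""
    return pow(G, x, P)


def elgamal_encrypt(pk, m, k):
    return (m * pow(pk, k, P)) % P, pow(G, k, P)


def elgamal_decrypt(sk, ct):
    alpha, beta = ct
    return (alpha * pow(beta, P - 1 - sk, P)) % P   # beta^(p-1-x) = beta^(-x)


def elgamal_mul(c1, c2):
    """Multiplicative homomorphism: Enc(m1) * Enc(m2) decrypts to m1 * m2."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P


def universal_encrypt(pk, m, factors):
    """Ciphertext = Enc(m; k0) || Enc(1; k1). The second part is the
    encryption of the identity that later reencryptions draw on."""
    k0, k1 = factors
    return elgamal_encrypt(pk, m, k0) + elgamal_encrypt(pk, 1, k1)


def universal_reencrypt(ct, factors):
    """Rerandomise without the public key: raise the Enc(1) part to fresh
    exponents and fold one copy into the message part."""
    a0, b0, a1, b1 = ct
    r0, r1 = factors
    return ((a0 * pow(a1, r0, P)) % P, (b0 * pow(b1, r0, P)) % P,
            pow(a1, r1, P), pow(b1, r1, P))


def universal_decrypt(sk, ct):
    """Return m, or None (the paper's ⊥) when the Enc(1) part does not decrypt
    to 1, i.e. the ciphertext was not produced under this key."""
    a0, b0, a1, b1 = ct
    if elgamal_decrypt(sk, (a1, b1)) != 1:
        return None
    return elgamal_decrypt(sk, (a0, b0))


def fresh_factors(rng):
    return rng.randrange(1, Q), rng.randrange(1, Q)


def mix_node(batch, rng):
    """One universal mixnet node: reencrypt every ciphertext, then permute."""
    out = [universal_reencrypt(ct, fresh_factors(rng)) for ct in batch]
    rng.shuffle(out)
    return out


def scan_for_mine(sk, batch):
    """Recipients must trial-decrypt every output to find their own messages."""
    return [m for m in (universal_decrypt(sk, ct) for ct in batch) if m is not None]


def demo(seed=None, hops=3):
    """Two recipients, three messages, a chain of universal mixnet nodes."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    sk_a, pk_a = keygen(rng)
    sk_b, pk_b = keygen(rng)
    while sk_b == sk_a:                      # keep the two toy keys distinct
        sk_b, pk_b = keygen(rng)
    msgs = {"alice": encode(42), "bob": encode(7), "bob2": encode(99)}
    batch = [universal_encrypt(pk_a, msgs["alice"], fresh_factors(rng)),
             universal_encrypt(pk_b, msgs["bob"], fresh_factors(rng)),
             universal_encrypt(pk_b, msgs["bob2"], fresh_factors(rng))]
    for _ in range(hops):
        batch = mix_node(batch, rng)
    return {"alice": scan_for_mine(sk_a, batch),
            "bob": sorted(scan_for_mine(sk_b, batch))}, msgs
```

Each node's output is a fresh-looking batch in a new order, yet every recipient still recovers exactly their own messages; the Enc(1) part doubles as the recipient check, since it decrypts to 1 only under the matching private key.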

KeyGen(𝑛).
On input a security parameter , set the parameters  = poly() and  = ( log ) and a Gaussian distribution () × with Gaussian error parameter  = 1/poly(). A uniform matrix  ∈ × together with a trapdoor  ∈ × is obtained by running the algorithm TrapGen of Theorem 2. The public key is  and the secret key is .

(1) Choose a random matrix  ←  × and an error matrix  ← () ×.
Multiplicative Homomorphism. The product of 1 and 2 is The product ciphertext  has the form  + 2 +  + . The ciphertext decrypts to 1 · 2 as long as all the entries of (2 + ) are smaller than /2.
For our scheme, we use a variant of the GHV cryptosystem which is only additively homomorphic. For this variant, the decryption algorithm omits the right multiplication by .
The idea behind universal reencryption is to append a new ciphertext (an encryption of zero) to the GHV ciphertext. The new ciphertext can be used to reencrypt (change the encryption factor of) the ciphertext such that the reencrypted ciphertext and the original decrypt to the same plaintext, because the GHV public key cryptosystem is additively homomorphic; that is, ( + 0) = () + (0).
Universal KeyGen(). On input a security parameter , we set the parameters  = poly() and  = ( log ) and
Table 1: We compare our scheme with Singh et al.'s scheme [13] for a plaintext size of ( × ) bits.
Otherwise, decryption fails and the output is ⊥.
Proof. It is the same as the proof in [13].

Lattice Based Efficient Universal Reencryption
We use Fairbrother's idea [14] to reduce the size of the ciphertext by about half; it also reduces the computational cost. The idea is that a larger file can be split into  segments, each of size  ×  bits. In Singh et al.'s universal reencryption scheme [13], the plaintext size is ( × ) and the second part of the ciphertext is an encryption of zero. In our scheme, the plaintext size is ( × ) and, for all  segments, the second part of the ciphertext (the encryption of zero) is the same.
In [13], the ciphertext for a plaintext of ( × ) bits has 2( × ) bits. With our efficient universal reencryption scheme, the ciphertext for a plaintext of ( × ) bits has ( + 1)( × ) bits. Since the second part of the ciphertext is the same for all segments, there is also some improvement in the computational cost. We now describe our efficient scheme, which is similar to [13].
Universal KeyGen(). It is the same as the Universal KeyGen() algorithm of our scheme given in Section 5.
Proof. We now show universal semantic security of the universal reencryption scheme. We show that if there exists a PPT adversary A that breaks the universal reencryption scheme with nonnegligible probability, then there exists a PPT challenger B that solves the decision LWE problem with nonnegligible probability by simulating the view of A.
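The size reduction described above, as an added example that is not code from the paper or from Singh et al.: a toy additively homomorphic LWE scheme in which one encryption of zero is shared by all L segments, so a universal ciphertext has L + 1 parts instead of the 2L parts of a two-part-per-segment ciphertext. GHV decrypts with a trapdoor basis from TrapGen; this stand-in decrypts with a Regev-style secret vector and uses ternary rather than Gaussian error, so it runs without a trapdoor sampler. The parameter values (N, M, Q, SEG_BITS, MAX_SCALAR), the function names, and the reencryption rule (add a small random multiple of the shared zero ciphertext to each segment, then rescale the zero ciphertext) are this example's own choices; the rule is the additive analogue of Golle et al.'s Elgamal rule, not a formula taken from the paper.

```python
"""Toy additively homomorphic LWE encryption with universal reencryption and
one encryption of zero shared across segments (Fairbrother's idea).

Added illustration, not the paper's or Singh et al.'s code. GHV decrypts with
a trapdoor basis from TrapGen; this stand-in decrypts with a Regev-style secret
vector and uses ternary instead of Gaussian error so it runs without a trapdoor
sampler. All parameter values are toy sizes chosen for this example."""
import random

N, M, Q = 8, 32, 1 << 24   # LWE dimension, number of public samples, modulus
SEG_BITS = 8               # bits per plaintext segment
MAX_SCALAR = 16            # reencryption scalars stay small to bound noise growth


def keygen(rng):
    """Secret s; public LWE samples b = A s + 2e (mod q), message goes in the LSB."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(sum(A[i][j] * s[j] for j in range(N)) + 2 * e[i]) % Q for i in range(M)]
    return s, (A, b)


def enc_bit(pk, bit, rng):
    """Regev-style encryption of one bit: (r A, r.b + bit) with r in {0,1}^M."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    a = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    return a, (sum(r[i] * b[i] for i in range(M)) + bit) % Q


def dec_bit(sk, ct):
    """c - <a, s> = 2*noise + bit (mod q); centre it in (-q/2, q/2], read the LSB."""
    a, c = ct
    v = (c - sum(a[j] * sk[j] for j in range(N))) % Q
    if v > Q // 2:
        v -= Q
    return v % 2


def enc_segment(pk, bits, rng):
    return [enc_bit(pk, bit, rng) for bit in bits]


def dec_segment(sk, seg):
    return [dec_bit(sk, ct) for ct in seg]


def seg_add(x, y):
    """Additive homomorphism, applied position-wise to two segment ciphertexts."""
    return [([(u + v) % Q for u, v in zip(ax, ay)], (cx + cy) % Q)
            for (ax, cx), (ay, cy) in zip(x, y)]


def seg_scale(x, k):
    """k * C is C added to itself k times, so it is still a valid ciphertext."""
    return [([(k * u) % Q for u in a], (k * c) % Q) for a, c in x]


def universal_encrypt(pk, segments, rng):
    """L segment ciphertexts plus ONE shared encryption of zero, instead of a
    two-part (message, zero) ciphertext for every segment."""
    zero = enc_segment(pk, [0] * SEG_BITS, rng)
    return [enc_segment(pk, seg, rng) for seg in segments], zero


def universal_reencrypt(uct, rng):
    """No public key needed: add a fresh small multiple of the shared zero
    ciphertext to each segment, then rescale the zero ciphertext itself."""
    segs, zero = uct
    segs = [seg_add(seg, seg_scale(zero, rng.randrange(1, MAX_SCALAR + 1)))
            for seg in segs]
    return segs, seg_scale(zero, rng.randrange(1, MAX_SCALAR + 1))


def universal_decrypt(sk, uct):
    """Return the segments, or None (⊥) when the zero part does not decrypt to
    all zeros; under a wrong key that check passes only with prob. 2^-SEG_BITS."""
    segs, zero = uct
    if any(dec_segment(sk, zero)):
        return None
    return [dec_segment(sk, seg) for seg in segs]


def ciphertext_elements(uct):
    """Z_q elements in a universal ciphertext: (L + 1) segment ciphertexts."""
    segs, _ = uct
    return (len(segs) + 1) * SEG_BITS * (N + 1)


def demo(seed=0, hops=3, n_segments=4):
    """Encrypt, pass through `hops` universal mixnet nodes, decrypt, count size."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    message = [[rng.randrange(2) for _ in range(SEG_BITS)] for _ in range(n_segments)]
    uct = universal_encrypt(pk, message, rng)
    for _ in range(hops):
        uct = universal_reencrypt(uct, rng)
    return {"recovered": universal_decrypt(sk, uct) == message,
            "elements": ciphertext_elements(uct),
            "elements_two_part_per_segment": 2 * n_segments * SEG_BITS * (N + 1)}
```

The caveat a lattice scheme adds to the Elgamal picture is noise: a fresh bit ciphertext carries at most 2M = 64 units of noise, and every hop multiplies the zero part's noise by up to MAX_SCALAR and adds that much to each segment, so the number of hops a ciphertext can survive is bounded by q. With these toy values the bound stays below q/2 for four hops and exceeds it at five, which is why MAX_SCALAR is kept small and why a deployment would pick q from the intended mixnet length.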
2.7. Decision Diffie-Hellman Problem. Consider a finite cyclic group  with generator , where  is a prime number. , , and  are given for some random , ,  ∈ . The goal of the adversary is to decide whether  =  or not.
For a security parameter , let  = poly(), the modulus  = poly(), and  be a Gaussian distribution over . For a uniformly chosen vector  ∈ , let , be the distribution on  ×  of the variable (, ⟨, ⟩ + ), where the vector  ∈  is chosen uniformly at random and  ∈  is chosen according to .
Search LWE. The search LWE, problem is to find  ∈  with probability exponentially close to one, given  samples from ,.
Decision LWE. The decision LWE problem is to distinguish, with nonnegligible probability, between the distribution , for some uniform  ∈  and the uniform distribution on  × .
There is a PPT algorithm TrapGen(, ) that generates a pair ( ∈ ×,  ∈ ×) such that  is a basis for Λ⊥() and  is statistically close to a uniform matrix in ×, satisfying ‖T‖ ≤ (√ log ), ‖‖ ≤ ( log ) (6) with overwhelming probability in .