Lattice-Based HRA-secure Attribute-Based Proxy Re-Encryption in Standard Model

Proxy re-encryption (PRE), introduced by Blaze, Bleumer, and Strauss at EUROCRYPT 98, offers delegation of decryption rights, i.e., it securely enables the re-encryption of ciphertexts from one key to another, without relying on trusted parties. PRE allows a semi-trusted third party termed as a “proxy” to securely divert ciphertexts of a user (delegator) to another user (delegatee) without revealing any information about the underlying messages to the proxy. Attribute-based proxy re-encryption (ABPRE) generalizes PRE by allowing such transformation of ciphertext under an access-policy into another ciphertext under a new access policy. Such a primitive facilitates fine-grained secure sharing of encrypted data in the cloud. In order to capture the application goals of PRE, the security model of (Attribute-based) PRE evolves over the decades. There are two well-established notions of security for (Attribute-based) proxy re-encryption schemes: security under chosen-plaintext attacks (CPA) and security under chosen-ciphertext attacks (CCA). Both definitions aim to address the security that the delegator enjoys against both proxy and delegatee. Recently, at PKC 19, Cohen points out that CPA security guarantees much less security against delegatee than was previously understood. In particular, CPA security does not prevent delegatee from learning delegator’s secret key after receiving a single honestly re-encrypted ciphertext. To circumvent this issue, Cohen proposes security against honest re-encryption attacks (HRA) to strengthen CPA security that better captures the goals of PRE, and shows that two existing proxy re-encryption schemes are HRA-secure, one of them is quantum-safe, which is constructed from fully homomorphic encryption scheme (FHE). In this work, we advance the studies on HRA-secure PRE for the ABE setting. We first formalize the definition of HRA-secure Key-Policy ABPRE (KP-ABPRE ) and propose a construction, which is quantum-safe and secure in the standard model based on the hardness of the LWE. As an important consequence, we have the first quantum-safe HRA-secure Identity-based PRE. Moreover, the underlying PRE of the proposed KP-ABPRE is the first quantum-safe HRA-secure PRE without FHE.