Next Article in Journal
Developing Innovative Feature Extraction Techniques from the Emotion Recognition Field on Motor Imagery Using Brain–Computer Interface EEG Signals
Next Article in Special Issue
FIDO2 Facing Kleptographic Threats By-Design
Previous Article in Journal
Smartphone Accelerometer for Gait Assessment: Validity and Reliability in Healthy Adults
Previous Article in Special Issue
A Reliable Aggregation Method Based on Threshold Additive Secret Sharing in Federated Learning with Quality of Service (QoS) Support
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Chosen-Ciphertext Secure Unidirectional Proxy Re-Encryption Based on Asymmetric Pairings

Secure Systems Engineering, Fraunhofer AISEC, 14199 Berlin, Germany
*
Author to whom correspondence should be addressed.
Appl. Sci. 2024, 14(23), 11322; https://doi.org/10.3390/app142311322
Submission received: 15 October 2024 / Revised: 29 November 2024 / Accepted: 2 December 2024 / Published: 4 December 2024
(This article belongs to the Special Issue Cryptography in Data Protection and Privacy-Enhancing Technologies)

Abstract

:
Proxy re-encryption (PRE) is a cryptographic primitive that extends public key encryption by allowing ciphertexts to be re-encrypted from one user to another without revealing information about the underlying plaintext. This makes it an essential privacy-enhancing technology, as only the intended recipient is able to decrypt sensitive personal information. Previous PRE schemes were commonly based on symmetric bilinear pairings. However, these have been found to be slower and less secure than the more modern asymmetric pairings. To address this, we propose two new PRE scheme variants, based on the unidirectional symmetric pairing-based scheme by Weng et al. and adapted to utilize asymmetric pairings. We employ a known automated black-box reduction technique to transform the base scheme to the asymmetric setting, identify its shortcomings, and subsequently present an alternative manual transformation that fixes these flaws. The adapted schemes retain the properties of the base scheme and are therefore CCA-secure in the adaptive corruption model without the use of random oracles, while being faster, practical, and more secure overall than the base scheme.

1. Introduction

Proxy re-encryption (PRE), first introduced by Blaze et al. [1], is a cryptographic primitive that extends public key encryption by allowing ciphertexts to be re-encrypted from one user (delegator) to another (delegatee) without revealing information about the underlying plaintext. This privacy-friendly re-encryption is performed by a semi-trusted proxy using a re-encryption key and establishes PRE as an essential privacy-enhancing technology, as only the intended recipient is able to decrypt sensitive personal information.
A PRE scheme can be classified according to different properties. In a unidirectional scheme, re-encryption keys can re-encrypt ciphertexts from the delegator to the delegatee. In a bidirectional scheme, they can also be used vice versa. A scheme can be either single-use or multi-use. Single-use schemes do not allow re-encryption of ciphertexts that have already been re-encrypted, while multi-use schemes have no such restriction. This paper considers unidirectional single-use schemes.
Many different unidirectional PRE schemes have been proposed in the past. The first unidirectional schemes were proposed by Ateniese et al. [2], but they were only secure against chosen-plaintext attacks (CPAs). Libert and Vergnaud [3] proposed a unidirectional scheme in the selective corruption model and proved its security against replayable chosen-ciphertext attacks (RCCAs)—a slightly weaker variant of chosen-ciphertext attacks (CCAs). Weng et al. [4] further extended this result and presented a scheme which they proved to be CCA-secure in the adaptive corruption model. To the best of our knowledge, the scheme by Weng et al. is the only PRE scheme in the literature achieving CCA security under adaptive corruptions in the standard model. The adaptive corruption model is considered superior to approaches that only permit selected corruptions. This is because it provides a more realistic assessment of security, as it accounts for dynamic adversarial behavior.
All these schemes have in common that they are based on bilinear pairings, which can be categorized into three main types [5]. Type 1 pairings are called symmetric; Type 2 and Type 3 pairings are called asymmetric. To the best of our knowledge, all CCA-secure unidirectional single-use PRE schemes based on pairings proposed in the literature to date use Type 1 pairings.
However, it has been shown that Type 1 pairings exhibit a significantly poorer runtime [6] than their asymmetric counterparts [7,8] and are generally considered inferior in terms of security, flexibility, and efficiency, leading to the conclusion that modern asymmetric pairings should be the default choice when designing schemes based on pairings [9]. In the asymmetric setting, in turn, Type 3 pairings are the preferred choice, since it has been demonstrated that whatever is achievable in terms of functionality and security in Type 2 can also be achieved in Type 3 [10], but with better performance.
Although CCA-secure PRE schemes have been proposed that do not rely on pairings, their complexity often introduces a higher risk of errors. Shao et al. [11] proposed the first CCA-secure unidirectional PRE scheme without pairings under adaptive corruptions. However, Chow et al. [12] demonstrated a flaw in the scheme proposed in [11] and presented an adapted scheme that achieves CCA security, but only under selective corruptions. Selvi et al. [13] subsequently demonstrated that the proof in [12] was flawed and proposed another CCA-secure PRE scheme under selective corruptions. In contrast to the previously discussed pairing-based schemes, the security proofs of the proposed pairing-free schemes require the use of the random oracle model instead of the standard model. Recent work also includes quantum-safe PRE based on lattices. In this context, Dutta et al. [14] presented novel constructions for identity-based PRE, while Susilo et al. [15] advanced the field of attribute-based PRE. Zhou et al. [16] proposed a PRE scheme that is secure under adaptive corruptions and supports fine-grained re-encryptions. They subsequently extended this scheme to a multi-use scheme [17]. However, thus far, lattice-based PRE schemes have only achieved CPA security.
Consequently, pairing-based PRE schemes exhibit a unique characteristic within the field. Currently, they are the only PRE schemes that feature CCA security in the standard model. However, to date, all pairing-based schemes are based on Type 1 pairings, as opposed to Type 3 pairings. Type 1 pairing-based schemes require supersingular elliptic curves over large characteristic fields, which are mainly relevant for academic research, but not for practical implementations [9]. In contrast, Type 3 pairing-based schemes permit the use of established pairing-friendly elliptic curves (e.g., BN and BLS curves [18]), which exhibit better security margins and are practical for implementation.

1.1. Our Contribution

The goal of this paper is to address the gap in the existing literature by proposing a practical CCA-secure PRE scheme based on Type 3 pairings. Given the unique properties of achieving CCA security under adaptive corruptions, the Type 1 pairing-based scheme by Weng et al. [4] is used as the base scheme. By transforming the base scheme, a CCA-secure Type 3 pairing-based PRE scheme is obtained.
The initial evident methodology for obtaining a Type 3 pairing-based PRE scheme is to apply a generalized scheme transformation, which was first proposed by Abe et al. [19]. This approach is pursued by applying the automated black-box reduction technique by Akinyele et al. [20] to transform the base scheme and its security proof from the Type 1 to the Type 3 setting. However, we identify that the scheme resulting from the transformation exhibits flaws that render it an impractical PRE scheme, which is contrary to the goal of our paper. To resolve these issues, we next propose a manually transformed scheme. This scheme preserves the properties of the base scheme and the CCA security in the adaptive corruption model without the use of random oracles. We refine the hardness assumption for the Type 3 setting, ensuring that it is at least as hard as in the base scheme.

1.2. Organization of This Paper

This paper begins with a review of bilinear pairings and relevant complexity assumptions in Section 2. Furthermore, the notion of unidirectional PRE and the security model is reviewed. Section 3 outlines the application of the automated transformation and the resulting scheme is analyzed. Subsequently, Section 4 presents our adapted manually transformed Type 3 pairing-based PRE scheme and the necessary adjustments to the security proof. This is followed by a performance and ciphertext size evaluation of both transformed schemes. Finally, the paper concludes in Section 5.

2. Preliminaries

This section introduces our notation and reviews the definition of bilinear pairings. Subsequently, the complexity assumption that is used to modify the security proof of the base scheme for our manually transformed scheme is described and proven to be at least as hard as the assumptions used in previous schemes. The section concludes with a review of the definition of PRE and the security model used by Weng et al. [4].

2.1. Notation

We denote drawing an element x from a finite set S uniformly at random by x $ S . For a string x { 0 , 1 } n , we let [ x ] denote its first bits and [ x ] denote its last bits.

2.2. Bilinear Pairings

For cyclic groups G 1 , G 2 , and G T of large prime order p, a bilinear pairing is a function e : G 1 × G 2 G T that maps pairs of elements in ( G 1 , G 2 ) to elements of the group G T . The map e must satisfy the following properties:
  • Bilinear: For all u G 1 , v G 2 , and a , b Z p , it holds that e ( u a , v b ) = e ( u , v ) a b .
  • Computable: The map e is efficiently computable and so are the group operations in G 1 , G 2 , and G T .
  • Non-degenerate: There exist g 1 G 1 and g 2 G 2 such that e ( g 1 , g 2 ) 1 .
There are two forms of pairings used in the cryptography literature [5]. In the symmetric setting, it holds that G 1 = G 2 , whereas in the asymmetric setting G 1 G 2 . Besides the distinction between symmetric and asymmetric pairings, three basic types can be identified as possible pairing instantiations. Type 1 is the symmetric setting. In the asymmetric setting, a distinction is made between Type 2, where there is an efficiently computable isomorphism ψ : G 2 G 1 , and Type 3, where there are no efficiently computable isomorphisms between the source groups G 1 and G 2 .
In order to differentiate between the pairing types, we define, analogously to [10], the groups G 1 = g 1 , G 2 = g 2 , and G ^ 2 = g ^ 2 of prime order p, such that there is an isomorphism ψ : G 2 G 1 with g 1 = ψ ( g 2 ) and an isomorphism ρ : G 2 G ^ 2 with g ^ 2 = ρ ( g 2 ) 1 c for an arbitrary c Z p * . Finally, we define the Type 2 pairing e 2 : G 1 × G 2 G T and the Type 3 pairing e 3 : G 1 × G ^ 2 G T . The relation between e 2 and e 3 is established by the following Lemma.
Lemma 1 
(Chatterjee and Menezes [10] (Lemma 2)). Let g 1 , g 2 , and g ^ 2 be generators of G 1 , G 2 , and G ^ 2 with g 1 = ψ ( g 2 ) and g ^ 2 = ρ ( g 2 ) 1 c for some c Z n * . Then, e 2 g 1 , g 2 = e 3 g 1 , g ^ 2 2 c .
This notation is maintained throughout the paper in order to facilitate the differentiation between elements x G 1 and elements x ^ G ^ 2 .

2.3. Complexity Assumptions

We base the security of our manually transformed scheme on a variant of the 3-weak Decisional Bilinear Diffie–Hellman Inversion (3-wDBDHI) assumption, which was used by Libert and Vergnaud [3] and subsequently by Weng et al. [4] to construct their unidirectional PRE schemes.
Definition 1. 
The 3-weak Decisional Bilinear Diffie–Hellman Inversion Type 3 assumption (3- wDBDHI 3 ) states that, given ( g 1 , g 1 1 a , g 1 a , g 1 ( a 2 ) , g 1 b , g ^ 2 , g ^ 2 1 a , g ^ 2 a , g ^ 2 ( a 2 ) , g ^ 2 b , Q ) G 1 5 × G ^ 2 5 × G T with unknown a , b Z p * , it is computationally infeasible to decide whether Q = e 3 g 1 , g ^ 2 b a 2 . A distinguisher B ( t , ε ) breaks the assumption if it runs in time t and
| Pr [ B g 1 , g 1 1 a , g 1 a , g 1 ( a 2 ) , g 1 b , g ^ 2 , g ^ 2 1 a , g ^ 2 a , g ^ 2 ( a 2 ) , g ^ 2 b , Q = e 3 g 1 , g ^ 2 b a 2 = 1 | a , b $ Z p * ] Pr [ B g 1 , g 1 1 a , g 1 a , g 1 ( a 2 ) , g 1 b , g ^ 2 , g ^ 2 1 a , g ^ 2 a , g ^ 2 ( a 2 ) , g ^ 2 b , Q = e 3 g 1 , g ^ 2 z = 1 | a , b , z $ Z p * ] | ε .
Lemma 2 shows that the 3- wDBDHI 3 problem is at least as hard as the 3- wDBDHI 2 problem, where the task is to distinguish e 2 ( g 1 , g 2 ) b a 2 from random data given g 1 G 1 and g 2 , g 2 a , g 2 ( a 2 ) , g 2 b G 2 . The 3- wDBDHI 2 problem is the same assumption that Weng et al. [4] use in their scheme, but translated from the symmetric setting into the Type 2 setting.
Lemma 2. 
Let g 1 be a generator of G 1 and g 2 a generator of G 2 with g 1 = ψ ( g 2 ) . Then, 3- wDBDHI 3 is at least as hard as 3- wDBDHI 2 .
Proof. 
Given a 3- wDBDHI 2 instance ( g 1 , g 2 , g 2 1 a , g 2 a , g 2 ( a 2 ) , g 2 b , Q ) G 1 × G 2 5 × G T with a , b Z p * , we apply ρ : G 2 G ^ 2 to obtain g ^ 2 = ρ ( g 2 ) 1 c , g ^ 2 1 a = ρ ( g 2 1 a ) 1 c , g ^ 2 a = ρ ( g 2 a ) 1 c , g ^ 2 ( a 2 ) = ρ ( g 2 ( a 2 ) ) 1 c , g ^ 2 b = ρ ( g 2 b ) 1 c . Furthermore, we apply ψ : G 2 G 1 to g 1 = ψ ( g 2 ) , g 1 1 a = ψ ( g 2 1 a ) , g 1 a = ψ ( g 2 a ) , g 1 ( a 2 ) = ψ ( g 2 ( a 2 ) ) , g 1 b = ψ ( g 2 b ) . The resulting 3- wDBDHI 3 problem instance ( g 1 , g 1 1 a , g 1 a , g 1 ( a 2 ) , g 1 b , g ^ 2 , g ^ 2 1 a , g ^ 2 a , g ^ 2 ( a 2 ) , g ^ 2 b , Q 1 2 c ) G 1 5 × G 2 5 × G T is given to the 3- wDBDHI 3 solver, which determines whether Q 1 2 c = e 3 g 1 , g ^ 2 b a 2 which, by Lemma 1, is equivalent to Q = e 2 g 1 , g 2 b a 2 . This establishes that 3- wDBDHI 2 ≤ 3- wDBDHI 3 .    □

2.4. Model of PRE

We recall the syntax of PRE using the following definition.
Definition 2. 
A single-hop unidirectional PRE scheme consists of a tuple of algorithms  ( Setup , KeyGen , ReKeyGen , Enc 2 , Enc 1 , ReEnc , Dec 2 , Dec 1 ) :
  • Setup ( 1 k ) p a r a m : Given the security parameter k, output the public parameters   p a r a m  which will be used by all parties of the scheme.
  • KeyGen ( p a r a m ) ( s k i , p k i ) : Given the global parameters  p a r a m , output a secret/public key pair ( s k i , p k i ).
  • In the remaining algorithms that follow, the public parameter  p a r a m  will be implicitly included.
  • ReKeyGen ( s k i , p k j ) r k i j : Given the secret key  s k i  and another public key  p k j , output a re-encryption key  r k i j .
  • Enc 2 ( p k i , m ) CT i : Given a public key  p k i  and a message  m M , output a second-level ciphertext  CT i  that can be re-encrypted into a first-level ciphertext using the suitable re-encryption key.
  • Enc 1 ( p k j , m ) CT j : Given a public key  p k j  and a message  m M , output a first-level ciphertext  CT j  that cannot be re-encrypted for another party.
  • ReEnc ( p k i , r k i j , CT i ) CT j : Given the public key  p k i , a re-encryption key  r k i j , and a second-level ciphertext  CT i  encrypted under user i’s public key, output a first-level ciphertext  CT j  or if  CT i  is invalid.
  • Dec 2 ( s k i , CT i ) m : Given a secret key  s k i  and a second-level ciphertext  CT i , output either a message  m M  or if  CT i  is invalid.
  • Dec 1 ( s k j , CT j ) m : Given a secret key  s k j  and a first-level ciphertext  CT j , output a message  m M  or if  CT j  is invalid.
For any common public parameters, p a r a m ; for any message  m M ; and for any pair of secret/public key pairs,  ( s k i , p k i ) , ( s k j , p k j ) , these algorithms should satisfy the following correctness conditions:
Dec 1 ( s k i , Enc 1 ( p k i , m ) ) = m ; Dec 2 ( s k i , Enc 2 ( p k i , m ) ) = m ; Dec 1 ( s k j , ReEnc ( p k i , ReKeyGen ( s k i , p k j ) , Enc 2 ( p k i , m ) ) ) = m .

2.5. Security Model

The transformation of the base scheme to the Type 3 setting does not alter the security model in which the scheme is defined. Therefore, a brief overview of the game-based security model used by Weng et al. [4] is provided. The security game consists of five phases.
In the setup, the challenger B hands over the required information to the adversary A . Then, A can query oracles which the challenger responds to in the find stage. In the challenge phase, the adversary outputs two distinct messages m 0 , m 1 as well as the target public key p k i * . The challenger returns the encrypted message CT * = Enc ( p k i * , m δ ) with δ 0 , 1 . In the guess stage, A is given access to the oracles again, and in the output phase, they return their guess δ . The adversary has access to the following oracles in the find and guess phase.
  • Public key oracle O p k ( i ) : Create a key pair ( p k i , s k i ) analogously to KeyGen ( p a r a m ) and return p k i to A .
  • Secret key oracle O s k ( p k i ) : Return s k i to A with respect to p k i , which was generated by the oracle O p k beforehand.
  • Re-encryption key oracle O r k ( p k i , p k j ) : Given two public keys, p k i and p k j , which were generated by the oracle O p k beforehand, run r k i j ReKeyGen ( s k i , p k j ) and return the re-encryption key r k i j to A .
  • Re-encryption oracle O r e ( p k i , p k j , CT i ) : Given a second-level ciphertext CT i and two public keys, p k i and p k j , which were generated by the oracle O p k beforehand, return the re-encrypted first-level ciphertext CT j ReEnc ( p k i , ReKeyGen ( s k i , p k j ) , CT i ) to A .
  • First-level decryption oracle O 1 d ( p k j , CT j ) : Given a first-level ciphertext CT j and a public key p k j which was generated by the oracle O p k beforehand, return the result of Dec 1 ( s k j , CT j ) to A .
Weng et al. proved their scheme to be CCA-secure in the adaptive corruption model. This model allows the adversary A to adaptively corrupt users, thereby permitting them to query arbitrary secret keys from the secret key oracle during the find and guess phase. This stands in contrast to a selective corruption model, where the attacker must commit ahead of time to a certain set of users to corrupt in the setup.
Naturally, the oracle queries are constrained in such a way that it is not possible for the adversary to trivially win the security game by, for example, corrupting the target user of the challenge, submitting the challenge ciphertext directly to the decryption oracle, or using the re-encryption oracle on the challenge ciphertext and corrupting the target user of the re-encryption.
In accordance with the security game outlined above, Weng et al. defined security notions for both types of ciphertexts. A PRE scheme is called IND-2PRE-CCA-secure if the adversary’s advantage in winning the security game for a second-level challenge ciphertext is negligible in the security parameter k. The definition of IND-1PRE-CCA is analogous for first-level ciphertexts. Finally, we consider the notion of master secret security (MSS-PRE), also referred to as collusion-resistance, in [12,13]. This notion captures the requirement that it should not be possible for a dishonest proxy (holding r k i j ) and delegatee (holding s k j ) to reveal the delegator’s secret key s k i by colluding with each other. It can be shown that if a PRE scheme is IND-1PRE-CCA-secure, it is also MSS-PRE-secure.
Additionally, Weng et al. base the security of their scheme on target collision-resistant (TCR) hash function families and pseudorandom function families (PRFs). A hash function family H is said to be TCR if it is infeasible for an adversary, given a random hash function H from the family H and a random element x, to find another element y such that H ( x ) = H ( y ) . Further, a function family F is said to be a PRF if it is infeasible for an adversary to distinguish F from a true random function family.

3. Automated Transformation of the PRE Scheme

We begin this section with a brief review of the PRE scheme by Weng et al. [4], which we take as the base scheme for transforming into the asymmetric pairing setting. Next, we use the automated transformation by Akinyele et al. [20], which translates cryptographic schemes defined in the Type 1 setting to the Type 3 setting. We apply the transformation to the base scheme by using the software tool provided by the publication and obtain a variant of the scheme defined in the Type 3 setting. Finally, we analyze the resulting scheme and identify flaws, which we address in Section 4.

3.1. Symmetric Pairing-Based Scheme by Weng et al. [4]

Below (see Algorithms 1–8), we briefly review the scheme introduced by Weng et al. [4] in the symmetric setting, where k , , and 1 are security parameters.
Algorithm 1  Setup ( 1 k )
1:
Choose Type 1 bilinear groups G , G T of prime order p > 2 k
2:
g , g 1 , u , v , w $ G
3:
Z = e ( g , g )
4:
Choose a TCR hash function
H: G × { 0 , 1 } Z p *
5:
Choose a PRF
F: G T × G { 0 , 1 } 1 × { 0 , 1 } 1
6:
return  p a r a m = ( p , G , G T , g , g 1 , u , v , w , Z , H , F , 1 , )
Algorithm 2  KeyGen ( 1 k )
1:
x i $ Z p *
2:
p k i = g x i
3:
s k i = x i
4:
return  ( p k i , s k i )
Algorithm 3  ReKeyGen ( s k i , p k j )
1:
r k i j = p k j 1 / s k i = g x j / x i
2:
return  r k i j
Algorithm 4  Enc 2 ( p k i , m )
1:
r $ Z p *
2:
C 1 = g 1 r
3:
C 2 = p k i r
4:
K = Z r
5:
C 3 = [ F ( K , C 1 ) ] 1 | | ( [ F ( K , C 1 ) ] 1 m )
6:
t $ Z p *
7:
h = H ( C 1 , C 3 )
8:
C 4 = ( u h v t w ) r
9:
return  CT i = ( t , C 1 , C 2 , C 3 , C 4 )
Algorithm 5  Enc 1 ( p k j , m )
1:
r $ Z p *
2:
C 1 = g 1 r
3:
C 2 = e ( p k j , g ) r
4:
K = Z r
5:
C 3 = [ F ( K , C 1 ) ] 1 | | ( [ F ( K , C 1 ) ] 1 m )
6:
t $ Z p *
7:
h = H ( C 1 , C 3 )
8:
C 4 = ( u h v t w ) r
9:
return  CT j = ( t , C 1 , C 2 , C 3 , C 4 )
Algorithm 6  ReEnc ( p k i , r k i j , CT i )
1:
( t , C 1 , C 2 , C 3 , C 4 ) CT i
2:
h = H ( C 1 , C 3 )
3:
r 1 , r 2 $ Z p *
4:
if  e ( C 1 , p k i r 1 ( u h v t w ) r 2 ) e ( C 2 r 1 C 4 r 2 , g 1 )  then
5:
    return ⊥
6:
C 2 = e ( C 2 , r k i j )
7:
return  CT j = ( t , C 1 , C 2 , C 3 , C 4 )
Algorithm 7  Dec 2 ( s k i , CT i )
1:
( t , C 1 , C 2 , C 3 , C 4 ) CT i
2:
h = H ( C 1 , C 3 )
3:
r 1 , r 2 $ Z p *
4:
if  e ( C 1 , p k i r 1 ( u h v t w ) r 2 ) e ( C 2 r 1 C 4 r 2 , g 1 )  then
5:
    return ⊥
6:
K = e ( C 2 , g ) 1 / s k i
7:
if  [ F ( K , C 1 ) ] 1 [ C 3 ] 1  then
8:
    return ⊥
9:
return  m = [ F ( K , C 1 ) ] 1 [ C 3 ] 1
Algorithm 8  Dec 1 ( s k i , CT i )
1:
( t , C 1 , C 2 , C 3 , C 4 ) CT i
2:
h = H ( C 1 , C 3 )
3:
r 1 , r 2 $ Z p *
4:
if  e ( C 1 , u h v t w ) e ( C 4 , g 1 )  then
5:
    return ⊥
6:
K = C 2 1 / s k j
7:
if  [ F ( K , C 1 ) ] 1 [ C 3 ] 1  then
8:
    return ⊥
9:
return  m = [ F ( K , C 1 ) ] 1 [ C 3 ] 1

3.2. Applying the Automated Transformation

For the automated transformation of the scheme from the symmetric to the asymmetric setting, we used the method by Akinyele et al. [20]. The method is based on the theoretical framework introduced by Abe et al. [19]. We note that there exists an improvement to this method presented by Abe et al. [21]; however, it only speeds up the transformation process and has no effect on the resulting scheme itself. We used the method by Akinyele et al. because the authors made their proposed transformation available as an open-source tool (https://github.com/JHUISI/auto-tools/tree/88d20b0/auto_group, (accessed on 31 January 2024)). The application of the transformation resulted in the following scheme. Differences from the base scheme are highlighted in gray (Algorithms 9–16).
Algorithm 9  Setup ( 1 k )
1:
Choose Type 3 bilinear groups G 1 , G ^ 2 , G T of prime order p > 2 k
2:
g $ G 1 , g ^ $ G ^ 2
3:
a $ Z p * , g 1 = g a , g ^ 1 = g ^ a
4:
b $ Z p * , u = g b , u ^ = g ^ b
5:
c $ Z p * , v = g c , v ^ = g ^ c
6:
d $ Z p * , w = g d , w ^ = g ^ d
7:
Z = e ( g , g ^ )
8:
Choose a TCR hash function
H: G 1 × { 0 , 1 } Z p *
9:
Choose a PRF
F: G T × G 1 { 0 , 1 } 1 × { 0 , 1 } 1
10:
return  p a r a m = ( p , G 1 , G ^ 2 , G T , g , g 1 , u , v , w , g ^ , g ^ 1 , u ^ , v ^ , w ^ , Z , H , F , 1 , )
Algorithm 10  KeyGen ( 1 k )
1:
x i $ Z p *
2:
p k i = ( p k i , 1 , p k i , 2 ) = ( g x i , g ^ x i )
3:
s k i = x i
4:
return  ( p k i , s k i )
Algorithm 11  ReKeyGen ( s k i , p k j )
1:
r k i j = p k j , 2 1 / s k i = g ^ x j / x i
2:
return  r k i j
Algorithm 12  Enc 2 ( p k i , m )
1:
r $ Z p *
2:
C 1 = g 1 r
3:
C 2 = p k i , 1 r
4:
K = Z r
5:
C 3 = [ F ( K , C 1 ) ] 1 | | ( [ F ( K , C 1 ) ] 1 m )
6:
t $ Z p *
7:
h = H ( C 1 , C 3 )
8:
C 4 = ( u h v t w ) r
9:
return  CT i = ( t , C 1 , C 2 , C 3 , C 4 )
Algorithm 13  Enc 1 ( p k j , m )
1:
r $ Z p *
2:
C 1 = g 1 r
3:
C 2 = e ( p k j , 1 , g ^ ) r
4:
K = Z r
5:
C 3 = [ F ( K , C 1 ) ] 1 | | ( [ F ( K , C 1 ) ] 1 m )
6:
t $ Z p *
7:
h = H ( C 1 , C 3 )
8:
C 4 = ( u h v t w ) r
9:
return  CT j = ( t , C 1 , C 2 , C 3 , C 4 )
Algorithm 14  ReEnc ( p k i , r k i j , CT i )
1:
( t , C 1 , C 2 , C 3 , C 4 ) CT i
2:
h = H ( C 1 , C 3 )
3:
r 1 , r 2 $ Z p *
4:
if  e ( C 1 , p k i , 2 r 1 ( u ^ h v ^ t w ^ ) r 2 ) e ( C 2 r 1 C 4 r 2 , g ^ 1 )  then
5:
    return ⊥
6:
C 2 = e ( C 2 , r k i j )
7:
return  CT j = ( t , C 1 , C 2 , C 3 , C 4 )
Algorithm 15  Dec 2 ( s k i , CT i )
1:
( t , C 1 , C 2 , C 3 , C 4 ) CT i
2:
h = H ( C 1 , C 3 )
3:
r 1 , r 2 $ Z p *
4:
if  e ( C 1 , p k i , 2 r 1 ( u ^ h v ^ t w ^ ) r 2 ) e ( C 2 r 1 C 4 r 2 , g ^ 1 )  then
5:
    return ⊥
6:
K = e ( C 2 , g ^ ) 1 / s k i
7:
if  [ F ( K , C 1 ) ] 1 [ C 3 ] 1  then
8:
    return ⊥
9:
return  m = [ F ( K , C 1 ) ] 1 [ C 3 ] 1
Algorithm 16  Dec 1 ( s k i , CT i )
1:
( t , C 1 , C 2 , C 3 , C 4 ) CT i
2:
h = H ( C 1 , C 3 )
3:
r 1 , r 2 $ Z p *
4:
if  e ( C 1 , u ^ h v ^ t w ^ ) e ( C 4 , g ^ 1 )  then
5:
    return ⊥
6:
K = C 2 1 / s k j
7:
if  [ F ( K , C 1 ) ] 1 [ C 3 ] 1  then
8:
    return ⊥
9:
return  m = [ F ( K , C 1 ) ] 1 [ C 3 ] 1

3.3. Analysis of the Transformed Scheme

The scheme resulting from the automated transform retains the ciphertext size of the original scheme and adds a second group element to the public key. The main portion of the transformation to the asymmetric setting is realized by duplicating the generators from the public parameters into both source groups. However, for the practical application of the scheme, this leads to a problem. If we look at the public generator g 1 and its use in the ciphertext element C 1 , we notice that if the discrete logarithm a of g 1 to base g is known, it can function as a backdoor since any ciphertext could be decrypted by computing e ( C 1 , g ^ ) 1 / a = e ( g 1 r , g ^ ) 1 / a = e ( g a r , g ^ ) 1 / a = K . In the base scheme, g 1 is chosen uniformly at random, which in practice could be achieved by hashing a nothing-up-my-sleeve value, e.g., digits of π or a fixed string into G . In contrast, in the transformed scheme, a is explicitly chosen in the setup method to compute g 1 and g ^ 1 , which would pose a virtually insurmountable hurdle to establishing trust in the scheme in a practical instantiation. To tackle this issue, we propose an alternative transformation of the scheme that does not exhibit this design flaw in the following section.

4. Our PRE Scheme Design

In this section, we present our manual transformation of the base scheme to the Type 3 setting. The transformation fixes the identified design flaw of the automated transformation by preventing the duplication of generators to both source groups. This introduces the need for adjustments to the security proof, which can be found in Section 4.2.

4.1. Manually Transformed Scheme

As in Section 3.2, differences to the base scheme are highlighted in gray (Algorithms 17–24).
Algorithm 17  Setup ( 1 k )
1:
Choose Type 3 bilinear groups G 1 , G ^ 2 , G T of prime order p > 2 k
2:
g , u , v , w $ G
3:
g ^ , g ^ 1 $ G ^ 2
4:
Z = e ( g , g ^ )
5:
Choose a TCR hash function
H: G ^ 2 × { 0 , 1 } Z p *
6:
Choose a PRF
F: G T × G ^ 2 { 0 , 1 } 1 × { 0 , 1 } 1
7:
return  p a r a m = ( p , G 1 , G ^ 2 , G T , g , u , v , w , g ^ , g ^ 1 , Z , H , F , 1 , )
Algorithm 18  KeyGen ( 1 k )
1:
x i $ Z p *
2:
p k i = ( p k i , 1 , p k i , 2 ) = ( g x i , g ^ x i )
3:
s k i = x i
4:
return  ( p k i , s k i )
Algorithm 19  ReKeyGen ( s k i , p k j )
1:
r k i j = p k j , 2 1 / s k i = g ^ x j / x i
2:
return  r k i j
Algorithm 20  Enc 2 ( p k i , m )
1:
r $ Z p *
2:
C 1 = g ^ 1 r
3:
C 2 = p k i , 1 r
4:
K = Z r
5:
C 3 = [ F ( K , C 1 ) ] 1 | | ( [ F ( K , C 1 ) ] 1 m )
6:
t $ Z p *
7:
h = H ( C 1 , C 3 )
8:
C 4 = ( u h v t w ) r
9:
return  CT i = ( t , C 1 , C 2 , C 3 , C 4 )
Algorithm 21  Enc 1 ( p k j , m )
1:
r $ Z p *
2:
C 1 = g ^ 1 r
3:
C 2 = e ( p k j , 1 , g ^ ) r
4:
K = Z r
5:
C 3 = [ F ( K , C 1 ) ] 1 | | ( [ F ( K , C 1 ) ] 1 m )
6:
t $ Z p *
7:
h = H ( C 1 , C 3 )
8:
C 4 = ( u h v t w ) r
9:
return  CT j = ( t , C 1 , C 2 , C 3 , C 4 )
Algorithm 22  ReEnc ( p k i , r k i j , CT i )
1:
( t , C 1 , C 2 , C 3 , C 4 ) CT i
2:
h = H ( C 1 , C 3 )
3:
r 1 , r 2 $ Z p *
4:
if  e ( p k i , 1 r 1 ( u h v t w ) r 2 , C 1 ) e ( C 2 r 1 C 4 r 2 , g ^ 1 )  then
5:
    return ⊥
6:
C 2 = e ( C 2 , r k i j )
7:
return  CT j = ( t , C 1 , C 2 , C 3 , C 4 )
Algorithm 23  Dec 2 ( s k i , CT i )
1:
( t , C 1 , C 2 , C 3 , C 4 ) CT i
2:
h = H ( C 1 , C 3 )
3:
r 1 , r 2 $ Z p *
4:
if  e ( p k i , 1 r 1 ( u h v t w ) r 2 , C 1 ) e ( C 2 r 1 C 4 r 2 , g ^ 1 )  then
5:
    return ⊥
6:
K = e ( C 2 , g ^ ) 1 / s k i
7:
if  [ F ( K , C 1 ) ] 1 [ C 3 ] 1  then
8:
    return ⊥
9:
return  m = [ F ( K , C 1 ) ] 1 [ C 3 ] 1
Algorithm 24  Dec 1 ( s k i , CT i )
1:
( t , C 1 , C 2 , C 3 , C 4 ) CT i
2:
h = H ( C 1 , C 3 )
3:
r 1 , r 2 $ Z p *
4:
if  e ( u h v t w , C 1 ) e ( C 4 , g ^ 1 )  then
5:
    return ⊥
6:
K = C 2 1 / s k j
7:
if  [ F ( K , C 1 ) ] 1 [ C 3 ] 1  then
8:
    return ⊥
9:
return  m = [ F ( K , C 1 ) ] 1 [ C 3 ] 1

4.2. Transforming the Security Proof

The base scheme has been proven to be IND-2PRE-CCA-secure and IND-1PRE-CCA-secure. Given the analogous structure of the two proofs, the strategy for transforming the proofs to the Type 3 setting is applicable to both.
In the manually transformed scheme, C 1 G 1 is chosen from a different group than C 2 , C 3 , C 4 G 2 and the generators are not duplicated to both source groups. This prevents the implicit transformation of the security proofs from the base scheme that would otherwise occur through the automated transformation. Consequently, we present the necessary adjustments for transforming the proof to the Type 3 setting.
As indicated in Section 2.3, we replace the symmetric pairing-based assumption used by Weng et al. in the base scheme with the 3- wDBDHI 3 assumption (Definition 1) in the security proof. In the transformed proof, the challenger B is thus given a 3- wDBDHI 3 instance ( g , A 1 = g 1 / a , A 1 = g a , A 2 = g ( a 2 ) , B = g b , g ^ , A ^ 1 = g ^ 1 / a , A ^ 1 = g ^ a , A ^ 2 = g ^ ( a 2 ) , B ^ = g ^ b , Q ) G 1 5 × G ^ 2 5 × G T with unknown a , b $ Z p * , which is then used in the setup phase to provide the adversary A with the public parameters u = A 1 α 1 A 2 β 1 , v = A 1 α 2 A 2 β 2 , w = A 1 α 3 A 2 β 3 , and g ^ 1 = A ^ 2 α 4 for random α 1 , α 2 , α 3 , α 4 , β 1 , β 2 , β 3 $ Z p * , analogous to the proof of the base scheme. The majority of the proof of the base scheme can be transformed by making use of either A i or A ^ i according to the required group or by adjusting the positions of variables in a pairing to match the order of the source groups. However, in the proof of the base scheme both the re-encryption and the first-level decryption oracle recover K = e ( g , g ^ ) r by computing K = e ( A 1 , A 1 r ) , where
A 1 r = C 4 C 1 β 1 h + β 2 t + β 3 α 0 1 α 1 h + α 2 t + α 3 .
This is not feasible for the manually transformed scheme since C 1 G ^ 2 and C 4 G 1 are incompatible. Fortunately, there is an alternative approach to recovering K from C 1 and C 4 , which leverages the bilinearity of the pairing e by computing
K = e ( g , g ^ ) r = e ( C 4 , A ^ 1 ) e ( A 1 , C 1 1 / α 4 ) β 1 h + β 2 t + β 3 1 α 1 h + α 2 t + α 3 ,
since
e ( C 4 , A ^ 1 ) = e ( ( A 1 α 1 h + α 2 t + α 3 A 2 β 1 h + β 2 t + β 3 ) r , A ^ 1 ) = e ( g , g ^ ) r ( α 1 h + α 2 t + α 3 ) e ( g , g ^ ) a r ( β 1 h + β 2 t + β 3 )
and
e ( A 1 , C 1 1 / α 4 ) = e ( A 1 , A ^ 2 r ) = e ( g , g ^ ) a r .
The application of these adjustments allows for the transformation of both the chosen-ciphertext security proofs at the first and second level of the base scheme to the Type 3 setting for the manually transformed scheme.

4.3. Performance Evaluation

We compare the performance and ciphertext size of the schemes resulting from the automated transformation (Section 3.2) and the manual transformation (Section 4.1). To that end, we implemented the schemes using mcl-wasm (https://github.com/herumi/mcl, (accessed on 1 March 2024) ) [7] with the BLS12-381 curve, roughly targeting the 128-bits security level [22].
As we can see in Table 1, the manually transformed scheme outperforms the automatically transformed scheme in decryption and re-encryption at the cost of slightly slower encryption and larger ciphertexts. This can be explained by the difference that the manual transformation chooses C 1 to be in G ^ 2 instead of G 1 as in the automated transformation. This leads to the fact that the manually transformed scheme performs more computations in G ^ 2 for the encryption, whereas the automatically transformed scheme carries this out in the ciphertext validation, which is required when re-encrypting and decrypting. Since in the Type 3 setting G ^ 2 is usually defined over an extension field, group operations are slower in G ^ 2 than in G 1 . Furthermore, due to this fact, the representation of group elements of G ^ 2 is larger than in G 1 , leading to the slightly larger ciphertext sizes.

5. Conclusions

In conclusion, we presented the first unidirectional PRE scheme based on asymmetric pairings. We started with the application of the automated black-box reduction technique by Akinyele et al. [20] to transform the base scheme and its security proof from the Type 1 to the Type 3 setting. Our findings reveal that relying solely on this automated technique does not necessarily produce a scheme suitable for practical use, as it introduced flaws that rendered the resulting scheme impractical. To address these issues, we proposed an adapted manually transformed scheme. The scheme retains the properties of the base scheme, achieving CCA security under adaptive corruptions in the standard model. We refined the hardness assumption for the Type 3 setting, ensuring that it is at least as hard as in the base scheme, and outlined the necessary adjustments to the security proof. The transformed scheme enables the use of superior Type 3 pairing-friendly curves, thereby superseding the obsolete Type 1 setting of the base scheme.
The manual transformation is essential as it fixes the flaws present in the automatically transformed scheme, as discussed in Section 3.3, making it suitable for practical use. While this comes with slight computational overhead associated with encryption performance and increased ciphertext size, it also results in faster re-encryption and decryption, contributing to the scheme’s overall practicality. Therefore, we argue that our manually transformed scheme represents a preferable choice for the practical instantiation of a Type 3 pairing-based PRE scheme, while still being faster and more secure overall than the base scheme. Our scheme offers an alternative to more complex pairing-free PRE schemes, providing a practical and efficient solution for real-world applications.
Future work will focus on leveraging the distinctive properties of Type 3 pairings to construct an even more efficient asymmetric pairing-based PRE scheme or create a PRE scheme with advanced properties that is CCA-secure in the standard model.

Author Contributions

Conceptualization, B.Z. and N.B.; methodology, B.Z.; software, B.Z.; investigation, B.Z.; writing—original draft preparation, B.Z., N.B., P.D. and M.M.; writing—review and editing, B.Z., N.B., P.D. and M.M.; visualization, B.Z.; supervision, N.B.; project administration, B.Z. and N.B.; funding acquisition, M.M. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in the study are included in the article, further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Blaze, M.; Bleumer, G.; Strauss, M. Divertible Protocols and Atomic Proxy Cryptography. In Proceedings of the EUROCRYPT, Espoo, Finland, 31 May–4 June 1998; Nyberg, K., Ed.; LNCS. Springer: Berlin/Heidelberg, Germany, 1998; Volume 1403, pp. 127–144. [Google Scholar] [CrossRef]
  2. Ateniese, G.; Fu, K.; Green, M.; Hohenberger, S. Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 2006, 9, 1–30. [Google Scholar] [CrossRef]
  3. Libert, B.; Vergnaud, D. Unidirectional Chosen-Ciphertext Secure Proxy Re-encryption. In Proceedings of the PKC 2008, Barcelona, Spain, 9–12 March 2008; Cramer, R., Ed.; LNCS. Springer: Berlin/Heidelberg, Germany, 2008; Volume 4939, pp. 360–379. [Google Scholar] [CrossRef]
  4. Weng, J.; Chen, M.; Yang, Y.; Deng, R.; Chen, K.; Bao, F. CCA-secure Unidirectional Proxy Re-Encryption in the Adaptive Corruption Model without Random Oracles. Sci. China Inf. Sci. 2010, 53, 593–606. [Google Scholar] [CrossRef]
  5. Galbraith, S.D.; Paterson, K.G.; Smart, N.P. Pairings for cryptographers. Discret. Appl. Math. 2008, 156, 3113–3121. [Google Scholar] [CrossRef]
  6. Zhang, X.; Wang, K. Fast Symmetric Pairing Revisited. In Proceedings of the Pairing 2013, Beijing, China, 22–24 November 2013; Cao, Z., Zhang, F., Eds.; LNCS. Springer: Berlin/Heidelberg, Germany, 2013; Volume 8365, pp. 131–148. [Google Scholar] [CrossRef]
  7. Beuchat, J.L.; González-Díaz, J.E.; Mitsunari, S.; Okamoto, E.; Rodríguez-Henríquez, F.; Teruya, T. High-Speed Software Implementation of the Optimal Ate Pairing over Barreto-Naehrig Curves. In Proceedings of the Pairing 2010, Yamanaka Hot Spring, Japan, 13–15 December 2010; Joye, M., Miyaji, A., Otsuka, A., Eds.; LNCS. Springer: Berlin/Heidelberg, Germany, 2010; Volume 6487, pp. 21–39. [Google Scholar] [CrossRef]
  8. Aranha, D.F.; Karabina, K.; Longa, P.; Gebotys, C.H.; López, J. Faster Explicit Formulas for Computing Pairings over Ordinary Curves. In Proceedings of the EUROCRYPT 2011, Tallinn, Estonia, 15–19 May 2011; Paterson, K.G., Ed.; LNCS. Springer: Berlin/Heidelberg, Germany, 2011; Volume 6632, pp. 48–68. [Google Scholar] [CrossRef]
  9. Uzunkol, O.; Kiraz, M.S. Still wrong use of pairings in cryptography. Appl. Math. Comput. 2018, 333, 467–479. [Google Scholar] [CrossRef]
  10. Chatterjee, S.; Menezes, A. On cryptographic protocols employing asymmetric pairings—The role of Ψ revisited. Discret. Appl. Math. 2011, 159, 1311–1322. [Google Scholar] [CrossRef]
  11. Shao, J.; Cao, Z. CCA-Secure Proxy Re-encryption without Pairings. In Proceedings of the PKC 2009, Irvine, CA, USA, 18–20 March 2009; Jarecki, S., Tsudik, G., Eds.; LNCS. Springer: Berlin/Heidelberg, Germany, 2009; Volume 5443, pp. 357–376. [Google Scholar] [CrossRef]
  12. Chow, S.S.M.; Weng, J.; Yang, Y.; Deng, R.H. Efficient Unidirectional Proxy Re-Encryption. In Proceedings of the AFRICACRYPT 2010, Stellenbosch, South Africa, 3–6 May 2010; Bernstein, D.J., Lange, T., Eds.; LNCS. Springer: Berlin/Heidelberg, Germany, 2010; Volume 6055, pp. 316–332. [Google Scholar] [CrossRef]
  13. Selvi, S.S.D.; Paul, A.; Pandurangan, C. A Provably-Secure Unidirectional Proxy Re-encryption Scheme Without Pairing in the Random Oracle Model. In Proceedings of the CANS 2017, Hong Kong, China, 30 November–2 December 2017; Capkun, S., Chow, S.S.M., Eds.; LNCS. Springer: Berlin/Heidelberg, Germany, 2017; Volume 11261, pp. 459–469. [Google Scholar] [CrossRef]
  14. Dutta, P.; Susilo, W.; Duong, D.H.; Roy, P.S. Collusion-resistant identity-based Proxy Re-encryption: Lattice-based constructions in Standard Model. Theor. Comput. Sci. 2021, 871, 16–29. [Google Scholar] [CrossRef]
  15. Susilo, W.; Dutta, P.; Duong, D.H.; Roy, P.S. Lattice-Based HRA-secure Attribute-Based Proxy Re-Encryption in Standard Model. In Proceedings of the ESORICS 2021, Darmstadt, Germany, 4–8 October 2021; Bertino, E., Schulmann, H., Waidner, M., Eds.; LNCS. Springer: Berlin/Heidelberg, Germany, 2021; Volume 12973, pp. 169–191. [Google Scholar] [CrossRef]
  16. Zhou, Y.; Liu, S.; Han, S.; Zhang, H. Fine-Grained Proxy Re-encryption: Definitions and Constructions from LWE. In Proceedings of the ASIACRYPT 2023, Guangzhou, China, 4–8 December 2023; Guo, J., Steinfeld, R., Eds.; LNCS. Springer: Berlin/Heidelberg, Germany, 2023; Volume 14443, pp. 199–231. [Google Scholar] [CrossRef]
  17. Zhou, Y.; Liu, S.; Han, S. Multi-hop Fine-Grained Proxy Re-encryption. In Proceedings of the PKC 2024, Sydney, NSW, Australia, 15–17 April 2024; Tang, Q., Teague, V., Eds.; LNCS. Springer: Berlin/Heidelberg, Germany, 2024; Volume 14604, pp. 161–192. [Google Scholar] [CrossRef]
  18. Barbulescu, R.; Duquesne, S. Updating Key Size Estimations for Pairings. J. Cryptol. 2019, 32, 1298–1336. [Google Scholar] [CrossRef]
  19. Abe, M.; Groth, J.; Ohkubo, M.; Tango, T. Converting Cryptographic Schemes from Symmetric to Asymmetric Bilinear Groups. In Proceedings of the CRYPTO 2014, Santa Barbara, CA, USA, 17–21 August 2014; Garay, J.A., Gennaro, R., Eds.; LNCS. Springer: Berlin/Heidelberg, Germany, 2014; Volume 8616, pp. 241–260. [Google Scholar] [CrossRef]
  20. Akinyele, J.A.; Garman, C.; Hohenberger, S. Automating Fast and Secure Translations from Type-I to Type-III Pairing Schemes. In Proceedings of the CCS 2015, Denver, CO, USA, 12–16 October 2015; Ray, I., Li, N., Kruegel, C., Eds.; ACM: New York, NY, USA, 2015; pp. 1370–1381. [Google Scholar] [CrossRef]
  21. Abe, M.; Hoshino, F.; Ohkubo, M. Design in Type-I, Run in Type-III: Fast and Scalable Bilinear-Type Conversion Using Integer Programming. In Proceedings of the CRYPTO 2016, Santa Barbara, CA, USA, 14–18 August 2016; Robshaw, M., Katz, J., Eds.; LNCS. Springer: Berlin/Heidelberg, Germany, 2016; Volume 9816, pp. 387–415. [Google Scholar] [CrossRef]
  22. Bowe, S. BLS12-381: New zk-SNARK Elliptic Curve Construction. Available online: https://electriccoin.co/blog/new-snark-curve/ (accessed on 10 October 2024).
Table 1. Ciphertext sizes and benchmark of the automatically and manually transformed schemes on an Intel Core i7-6600U CPU with 16 GB of RAM.
Table 1. Ciphertext sizes and benchmark of the automatically and manually transformed schemes on an Intel Core i7-6600U CPU with 16 GB of RAM.
Method/SchemeAutomatedManual
KeyGen1.5 ms1.5 ms
ReKeyGen1.0 ms1.0 ms
Encrypt24.3 ms4.7 ms
Encrypt19.3 ms9.7 ms
ReEncrypt20.1 ms17.8 ms
Decrypt221.6 ms18.8 ms
Decrypt113.7 ms12.5 ms
Second-Level Ciphertext Size208 B256 B
First-Level Ciphertext Size736 B784 B
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Zengin, B.; Deupmann, P.; Buchmann, N.; Margraf, M. Chosen-Ciphertext Secure Unidirectional Proxy Re-Encryption Based on Asymmetric Pairings. Appl. Sci. 2024, 14, 11322. https://doi.org/10.3390/app142311322

AMA Style

Zengin B, Deupmann P, Buchmann N, Margraf M. Chosen-Ciphertext Secure Unidirectional Proxy Re-Encryption Based on Asymmetric Pairings. Applied Sciences. 2024; 14(23):11322. https://doi.org/10.3390/app142311322

Chicago/Turabian Style

Zengin, Benjamin, Paulin Deupmann, Nicolas Buchmann, and Marian Margraf. 2024. "Chosen-Ciphertext Secure Unidirectional Proxy Re-Encryption Based on Asymmetric Pairings" Applied Sciences 14, no. 23: 11322. https://doi.org/10.3390/app142311322

APA Style

Zengin, B., Deupmann, P., Buchmann, N., & Margraf, M. (2024). Chosen-Ciphertext Secure Unidirectional Proxy Re-Encryption Based on Asymmetric Pairings. Applied Sciences, 14(23), 11322. https://doi.org/10.3390/app142311322

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop