1 Introduction

The goal of program obfuscation [2, 22] is to make a program “unintelligible” while preserving its functionality. This security goal was formalized in the seminal work of Barak et al. [2]. The strongest and most intuitive notion of security considered in their work is known as predicate black-box (also known as virtual black-box) obfuscation. This definition requires that any predicate that is efficiently computable given access to the obfuscated program must also be efficiently computable given only black-box access to the same program. Unfortunately, Barak et al. showed that a general program obfuscator satisfying the predicate black-box property does not exist. In spite of the general impossibility result, program obfuscators satisfying this strong security notion have been constructed for simple function families in [10, 12, 29].

Average-Case Secure Obfuscation. Hohenberger et al. [24] noted that the predicate black-box property does not give meaningful security guarantees when the obfuscated functionality (like re-encryption) is a part of a larger cryptographic system (like the underlying encryption scheme). They discussed a scenario where having access to the obfuscated program could compromise the security of the larger cryptographic system even if the obfuscator satisfied the predicate black-box property.

To address this issue, Hohenberger et al. proposed a new definition of obfuscation which they termed average-case secure obfuscation. This definition guarantees that any adversary against a cryptographic scheme that has access to an obfuscated program can be transformed into an adversary with only black-box access to the program, provided that the cryptographic scheme has the distinguishable attack property. Informally, a cryptographic scheme is said to have the distinguishable attack property if there exists a distinguisher that can “test” whether a given algorithm breaks the security of the scheme. Hohenberger et al. in fact showed that several natural cryptographic functionalities like semantically secure encryption and re-encryption have this property.

1.1 Prior Work

A cryptographic functionality that has been shown to be obfuscatable under the average-case security notion is the re-encryption function. The re-encryption functionality transforms a ciphertext encrypted under a public key \(pk_1\) to a ciphertext of the same message encrypted under a different public key \(pk_2\). Hohenberger et al. [24] designed an average case secure obfuscator for the re-encryption functionality under Decision Linear and a variant of 3-party Decisional Diffie-Hellman assumptions. However, this construction could only support a message space of polynomial size. The decryption algorithm in their work performs an exhaustive search on the message space by computing a pairing operation on each message and tests the output of the pairing against a specific value. Thus, it has to compute a polynomial number of pairing operations in the worst case. Moreover, the security of their construction is based on a strong assumption, namely, Strong 3-party DDH.

Remark 1

We note that it is possible to extend the system of [24] to a message space of arbitrary size by using their construction for the boolean space \(\{0,1\}\). For an arbitrary message space \(\mathcal {M}\), one can encrypt each message bit by bit and thus incur an \(O(\log (|\mathcal {M}|))\) overhead on encryption and decryption. For an exponential (in the security parameter \(\lambda \)) sized message space, the overhead on the encryption and decryption algorithms would be \(\mathtt{poly}(\lambda )\). But it is desirable to have a system that performs a constant number of operations (i.e., has a constant overhead) in every algorithm.

Chandran et al. [13] designed average-case secure obfuscators for the re-encryption circuit assuming the intractability of certain lattice problems. Their construction could only satisfy certain relaxed notions of correctness. In particular, they considered three relaxations of the correctness property. The first relaxation guarantees that the outputs of the original circuit and the obfuscated circuit are statistically close only on a subset of the actual inputs. The next relaxation guarantees that the output of the obfuscated program on a subset of inputs is correct with respect to some algorithm (like decryption). The final relaxation guarantees that the outputs of the obfuscated circuit and the original circuit are computationally indistinguishable. A natural question that arises from the prior work is:

Is there an efficient obfuscator for the re-encryption program under milder assumptions that satisfies the strongest notion of correctness, has a constant overhead in every algorithm and supports an exponential sized message space?

1.2 Our Contributions

We highlight the main contributions of this work.

Main Result. In this work, we propose a new encryption - re-encryption system that supports encryption of messages from an exponential (in the security parameter) space and involves a constant number of group exponentiation operations in all algorithms. We also design an average-case secure obfuscator for the re-encryption program which achieves the strongest notion of correctness (as in [23, 24]). We prove the average-case secure obfuscator property of our obfuscator and the security of our encryption - re-encryption system under the standard DDH assumption. All our proofs are in the standard model. Informally, the main result in this work is:

Informal Theorem 1

Under the DDH-assumption, there exists an average-case secure obfuscator for the family of circuits implementing the re-encryption functionality.

Remark 2

We observe that our construction of an obfuscator for the re-encryption program is not secure when the holder of \(sk_2\) has access to the obfuscated circuit. This is the case with all prior constructions of average-case secure obfuscators for re-encryption [13, 24] as well as encrypted signatures [23]. The construction is secure as long as the obfuscated circuit is run by some (possibly malicious) party other than the delegatee. It would be interesting to investigate the possibility of constructing average-case secure obfuscators which have “insider security,” that is, which remain secure even when the delegatee has access to the obfuscated circuit. We leave this as an open problem.

Strengthening the Black-Box Security Model. Recall that in the average-case obfuscation paradigm, we must first design an encryption - re-encryption system that is secure against adversaries that have black-box access to the re-encryption program. The security model considered by Hohenberger et al. [24] for this purpose is as follows: the challenger samples two public key-secret key pairs \((pk_1,sk_1)\) and \((pk_2,sk_2)\) and provides \(pk_1,pk_2\) to the adversary. The adversary (with oracle access to the re-encryption program from \(pk_1\) to \(pk_2\)) chooses two messages \(m_0\) and \(m_1\) and also specifies the public key and the ciphertext level on which it wishes to be challenged. More precisely, the adversary can choose to be challenged on a first level ciphertext under \(pk_1\), a first level ciphertext under \(pk_2\), or a second level ciphertext under \(pk_2\). The scheme is secure if the adversary is unable to distinguish between the corresponding encryptions of \(m_0\) and \(m_1\).

We observe that the above security model is insufficient in capturing the full security notion of encryption - re-encryption system (See Remark 4). In particular, the above security model allows the following trivial but insecure encryption - re-encryption system to be secure. Consider any semantically secure encryption scheme \(\varPi = (\mathsf {KeyGen},\mathsf {Encrypt},\mathsf {Decrypt})\). To obtain a first level ciphertext of a message m under a public key pk, run the \(\mathsf {Encrypt}\) algorithm on m and pk. The re-encryption program from \(pk_1\) to \(pk_2\) has \(sk_1\), \(pk_1\) and \(pk_2\) hardwired into its description. When it is run with a first level ciphertext \(c \leftarrow \mathsf {Encrypt}(m,pk_1)\), it decrypts the ciphertext using \(sk_1\) and outputs \((\mathsf {Encrypt}(m,pk_1) || \mathsf {Encrypt}(sk_1,pk_2))\) where || denotes concatenation. In order to decrypt a second level ciphertext, one can first decrypt the second component using \(sk_2\) to obtain \(sk_1\) and then decrypt the first component to obtain m. This system has an obvious drawback as it reveals \(sk_1\) to the user with secret key \(sk_2\). But one can prove that this system is secure under the security model considered in [24]. We also observe that it is possible to construct an average-case secure obfuscator for the above re-encryption program when one instantiates \(\varPi \) with a semantically secure encryption system which allows re-randomization of ciphertexts (e.g., the standard El-Gamal encryption).

To address this issue, we strengthen the security model for encryption - re-encryption system as follows. We consider the security of the system under two different security games.

  1. The first game, called Original Ciphertext Security, proceeds exactly as in [24] except that the adversary is challenged either on a first level ciphertext under \(pk_1\) or on a first level ciphertext under \(pk_2\).

  2. In the second game, called Transformed Ciphertext Security, the adversary is provided with \(sk_1\) in addition to \((pk_1,pk_2)\). In the challenge phase, the adversary obtains a second level ciphertext under \(pk_2\) as the challenge ciphertext. The goal of the adversary in both games is to distinguish encryptions of messages from encryptions of junk values.

Additionally, we require the encryption - re-encryption system to satisfy a special property called statistical independence. Statistical independence requires that the output distribution of the re-encryption program (i.e., the distribution of the second level ciphertext) be statistically independent of \(sk_1\).

Note that the above trivial encryption - re-encryption system is not transformed ciphertext secure, as an adversary with access to \(sk_1\) can directly decrypt the first component of the challenge ciphertext to obtain the hidden message. We also stress that the statistical independence property guarantees that the second level ciphertext cannot “leak” any information (in an information-theoretic sense) regarding \(sk_1\). This, in particular, rules out other contrived examples which may reveal the secret key \(sk_1\) to Bob but are possibly still transformed ciphertext secure.
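The trivial system just described, instantiated concretely so that both observations (Decrypt2 works, yet the delegatee learns \(sk_1\) and a transformed-ciphertext adversary holding \(sk_1\) reads the message directly) can be checked by running them. This is an added example and not code from the paper or its authors: it uses textbook El-Gamal over a constructed toy group (p = 2039, q = 1019, g = 4, far too small for real use) with the standard ±x encoding of integers as quadratic residues, and the function names (make_reencryption_program, decrypt2, transformed_ciphertext_attack, delegatee_learns_sk1) are this example's own.

```python
"""Added example, not the paper's scheme: the trivial (insecure) encryption /
re-encryption system described in the text, instantiated with textbook El-Gamal
over a toy prime-order group, plus the attack that Transformed Ciphertext Security
catches and the key leak to the delegatee."""
import random

# Constructed toy group: p = 2q + 1 with p and q prime, G = the quadratic residues
# mod p (prime order q), generated by g = 4. Far too small for real use.
P, Q, G = 2039, 1019, 4
_rng = random.SystemRandom()


def encode(x: int) -> int:
    """Map an integer in [1, q] to a group element: exactly one of x, p - x is a QR
    (p = 3 mod 4, so -1 is a non-residue). Standard El-Gamal message encoding."""
    assert 1 <= x <= Q
    return x if pow(x, Q, P) == 1 else P - x


def decode(y: int) -> int:
    """Inverse of encode."""
    return y if y <= Q else P - y


def keygen():
    """Return (pk, sk) with pk = g^sk."""
    sk = _rng.randrange(1, Q)
    return pow(G, sk, P), sk


def encrypt(m: int, pk: int):
    """First-level El-Gamal ciphertext [C1, C2] of a group element m under pk."""
    r = _rng.randrange(1, Q)
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def decrypt(c, sk: int) -> int:
    """m = C2 / C1^sk; C1 has order q, so C1^(q - sk) equals C1^(-sk)."""
    c1, c2 = c
    return (c2 * pow(c1, Q - sk, P)) % P


def rerandomize(c, pk: int):
    """Fresh-looking ciphertext of the same message: the re-randomization the text
    relies on when this trivial program is obfuscated with El-Gamal."""
    c1, c2 = c
    t = _rng.randrange(1, Q)
    return (c1 * pow(G, t, P)) % P, (c2 * pow(pk, t, P)) % P


def make_reencryption_program(sk1: int, pk1: int, pk2: int):
    """The trivial Re-Enc program with sk1, pk1, pk2 hardwired. On a first-level
    ciphertext under pk1 it outputs Encrypt(m, pk1) || Encrypt(sk1, pk2)."""
    def reenc(c):
        m = decrypt(c, sk1)
        return encrypt(m, pk1), encrypt(encode(sk1), pk2)
    return reenc


def decrypt2(second_level, sk2: int) -> int:
    """Second-level decryption: recover sk1 from the second component, then m."""
    first, second = second_level
    sk1 = decode(decrypt(second, sk2))
    return decrypt(first, sk1)


def transformed_ciphertext_attack(second_level, sk1: int) -> int:
    """Adversary in the Transformed Ciphertext Security game: it is given sk1, so it
    ignores the second component and decrypts the first one directly."""
    first, _ = second_level
    return decrypt(first, sk1)


def delegatee_learns_sk1(second_level, sk2: int) -> int:
    """The drawback noted in the text: the holder of sk2 extracts Alice's key sk1."""
    _, second = second_level
    return decode(decrypt(second, sk2))


def demo() -> dict:
    """One run of the system; every entry should be True."""
    pk1, sk1 = keygen()
    pk2, sk2 = keygen()
    reenc = make_reencryption_program(sk1, pk1, pk2)
    m = encode(42)
    second_level = reenc(encrypt(m, pk1))
    return {
        "decrypt2_correct": decrypt2(second_level, sk2) == m,
        "attack_recovers_m": transformed_ciphertext_attack(second_level, sk1) == m,
        "delegatee_gets_sk1": delegatee_learns_sk1(second_level, sk2) == sk1,
        "rerandomized_first_component_decrypts":
            decrypt(rerandomize(second_level[0], pk1), sk1) == m,
    }


if __name__ == "__main__":
    print(demo())
```

The attack needs nothing beyond \(sk_1\) and the first component, which is exactly the capability the Transformed Ciphertext Security game grants; the second component is what violates statistical independence, since its distribution depends on \(sk_1\) by construction.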

Remark 3

Though this security model was not explicitly considered, all prior works [13, 14, 24] satisfy this security notion.

Remark 4

We consider a stronger model for encryption - re-encryption security since the output of the re-encryption program (which we obfuscate in this work) does not have the same probability distribution as a fresh encryption of the message m under \(pk_2\) (i.e., as the output of another encryption algorithm \(\mathsf {Encrypt2}(m,pk_2)\) as in [24]). If the output were distributed identically to a fresh encryption under \(pk_2\), then the security model given by Hohenberger et al. would be sufficient for our purposes. The above discussion regarding the issues with the security model is for the general case where the output distribution of the re-encryption program and the distribution of a freshly encrypted ciphertext under \(pk_2\) are not identical.

1.3 Related Work

Proxy Re-Encryption. A paradigm in cryptography which is closely related to re-encryption is proxy re-encryption. In a proxy re-encryption system, a semi-trusted proxy transforms ciphertexts intended for Alice (delegator) into ciphertexts of the same message for Bob (delegatee). Specifically, Alice provides the proxy with a re-key \(RK_{A \rightarrow B}\) which is a function of her secret key \(sk_1\) and Bob’s public key \(pk_2\). The proxy runs a specific algorithm (called the re-encryption algorithm in the literature) which takes the ciphertext encrypted under Alice’s public key and the re-key and outputs a ciphertext under Bob’s public key. A (non-exhaustive) list of proxy re-encryption schemes under different notions of security can be found in [1, 5, 11, 15, 25]. The security goal is that given the re-encryption key, the proxy cannot learn any information about the underlying message from the first level ciphertext. This is formalized as a game between the challenger and the proxy. This must be contrasted with the simulation-based security guarantee provided by obfuscation of the re-encryption program. In particular, obfuscation of the re-encryption circuit guarantees that no non-black-box information about the re-encryption circuit is “leaked” to the proxy. On the other hand, it is not directly evident whether such guarantees can be obtained from proxy re-encryption systems, as the re-key could leak some non-black-box information. For example, the re-key could reveal a function of the secret key that still does not contradict the semantic security of the encryption scheme.

FHE. Fully Homomorphic Encryption (FHE) [26] allows arbitrary computations to be performed on a ciphertext. The first construction of FHE was provided in the breakthrough work by Gentry [20]. Following this result, there have been several works constructing FHE from the worst-case intractability of several lattice problems [7,8,9]. We note that using re-randomizable (or circuit private) FHE, it is possible to obfuscate the re-encryption program. However, all known constructions of FHE are from specific assumptions on lattices and there is still some way to go before they become “truly” practical. In contrast, we propose an obfuscation of the re-encryption program from the standard DDH assumption, and our construction is very efficient as it involves only a (small) constant number of group exponentiation operations.

Indistinguishability Obfuscation. Since the strongest notion of program obfuscation (namely, predicate black-box obfuscation) was shown to be impossible, Barak et al. [2] proposed a weakened notion of obfuscation called indistinguishability obfuscation or iO. Indistinguishability obfuscation guarantees that for any two functionally equivalent circuits of the same size, obfuscations of the circuits are indistinguishable. The first candidate construction of iO was given in the recent breakthrough work of Garg et al. [17]. Subsequently, several cryptographic primitives like functional encryption [17], deniable encryption [27], non-interactive key exchange without a trusted setup [6], two-round multiparty computation protocols [16], hard instances of the complexity class PPAD [3, 18] and trapdoor permutations [4, 19] (to name a few) were constructed from iO and other assumptions like one-way functions. We note that the indistinguishability guarantee provided by iO is strictly weaker than the security guarantee needed in this work. In addition, our goal is to obfuscate a specific functionality, namely the re-encryption functionality.

2 Preliminaries

A function \(\mu (\cdot ): \mathbb {N} \rightarrow \mathbb {R}^+\) is said to be negligible, if for every positive polynomial \(p(\cdot )\), there exists an N such that for all \(n \ge N\), \(\mu (n) < {1}/{p(n)}\). Given a probability distribution D on a universe U, we denote \(x \leftarrow D\) as the process of sampling an element x from U according to the distribution D. Given a finite set X, we use the notation \(x \mathop {\leftarrow }\limits ^{\$}X\) for denoting the process of sampling x from the set X uniformly. If two probability distributions D and \(D'\) defined on a set X are identical, we denote it by \(D \approx D'\). We use notation similar to [23] to denote the following randomized process: given n probability distributions \(D_1,\cdots ,D_n\), let \(\{x_1 \leftarrow D_1; \cdots ;x_n \leftarrow D_n: f(x_1,\ldots ,x_n)\}\) be the probability distribution of a (possibly randomized) function f. PPT machines refer to Probabilistic Polynomial Time Turing machines. All PPT machines run in time polynomial in the security parameter denoted by \(\lambda \). We consider the non-uniform model of computation to model the adversaries. These machines take an additional auxiliary input z of length polynomial in \(\lambda \). If p is a prime number then let \(\mathbb {Z}_p^*\) denote the set \(\{1,2,\ldots ,p-1\}\).

We assume familiarity with the notion of computational indistinguishability and statistical distance (a.k.a. variation distance) and skip the standard definitions. We state the following simple lemma regarding statistical distance. The proof can be derived directly from the definition.

Lemma 1

For all distributions \(X_n\) and \(Y_n\), for all PPT distinguishers D that output a single bit and for all \(z \in \{0,1\}^{poly(n)}\) we have,

$$\varDelta (D(X_n,z), D(Y_n,z)) = \big |Pr[b \leftarrow D(X_n,z): b = 1] - Pr[b \leftarrow D(Y_n,z): b = 1]\big |$$

The above lemma implies that \(\{X_n\}_n \mathop {\approx }\limits ^{c}\{Y_n\}_n\) if and only if \(D(X_n,z)\) and \(D(Y_n,z)\) are statistically close for all PPT distinguishers D and for all auxiliary input z.
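The calculation behind Lemma 1, written out here (added; not part of the original text): for a distinguisher D whose output is a single bit, write \(p_X = Pr[b \leftarrow D(X_n,z): b = 1]\) and \(p_Y = Pr[b \leftarrow D(Y_n,z): b = 1]\). Expanding the definition of statistical distance over the two-element output space,

$$\begin{aligned} \varDelta \big (D(X_n,z), D(Y_n,z)\big ) &= \frac{1}{2}\sum _{b \in \{0,1\}} \big |Pr[D(X_n,z) = b] - Pr[D(Y_n,z) = b]\big | \\ &= \frac{1}{2}\Big (|p_X - p_Y| + |(1 - p_X) - (1 - p_Y)|\Big ) = |p_X - p_Y| \end{aligned}$$

so for a one-bit output the statistical distance of the two output distributions is exactly the distinguishing advantage, which is what allows computational indistinguishability to be restated as in the preceding sentence.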

We now recall the Decisional Diffie-Hellman (DDH) assumption on prime order groups. Let \(\mathsf {Gen}\) be an algorithm which takes \(1^{\lambda }\) as input and randomly generates the parameters \((p,\mathbb {G},g)\) where p is a \(\lambda \) bit prime, \(\mathbb {G}\) is a multiplicative group of order p and g is a generator for \(\mathbb {G}\).

Definition 1

(DDH assumption). The DDH assumption states that the following distribution ensembles are computationally indistinguishable:

$$\begin{aligned} \{(p,\mathbb {G},g) \leftarrow \mathsf {Gen}(1^{\lambda }); a,b \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^*:(g,g^a,g^b,g^{ab})\}_{\lambda } \mathop {\approx }\limits ^{c}\\ \{(p,\mathbb {G},g) \leftarrow \mathsf {Gen}(1^{\lambda }); a,b,c \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^*:(g,g^a,g^b,g^{c})\}_{\lambda } \end{aligned}$$

We assume the reader’s familiarity with the syntax and security notion (multi message security) for a Public Key Encryption (PKE) system. We also assume familiarity with the El-Gamal encryption system. We recall the theorem regarding the multi-message security of El-Gamal encryption system and its variant.

Theorem 1

(Multi message security). Assuming the DDH-assumption holds in the group \(\mathbb {G}\), the El-Gamal encryption system is multi-message secure.

We assume familiarity with the concept of a Pseudo Random Generator (PRG) and refer the reader to [21] for a formal definition.

2.1 Average-Case Secure Obfuscation

Let \(\mathcal {C}= \{ C _{\lambda }\}_{\lambda \in \mathbb {N}}\) be a family of polynomial sized circuits. For a length parameter \(\lambda \), let \( C _{\lambda }\) be the set of circuits in \(\mathcal {C}\) with input length \(p_{in}(\lambda )\) and output length \(p_{out}(\lambda )\) where \(p_{in}(\cdot )\) and \(p_{out}(\cdot )\) are polynomials. The circuit family \(\mathcal {C}\) has an associated sampling algorithm \(\mathsf {Samp}\) which takes \(1^{\lambda }\) as input and outputs a circuit \( C \) chosen uniformly at random from \( C _{\lambda }\). We also assume that there exists efficient \((\mathsf {Encode},\mathsf {Decode})\) algorithms which encodes and decodes a given circuit \( C \) into binary strings when used as input/output of Turing machines. We make implicit use of such encoding and decoding algorithms and do not mention them explicitly.

We use similar notation (with some minor changes) as in [23] to denote probabilistic circuits. A probabilistic circuit \( C (x;r)\) takes two inputs. The first input is called the regular input and the second input is termed the random input. The output of a probabilistic circuit on a regular input (denoted by \( C (x;\cdot )\)) can be viewed as a probability distribution where the randomness in the distribution comes from the random choice of r. We say that a machine \(\mathcal {A}\) has oracle access to a probabilistic circuit \( C \) (denoted by \(\mathcal {A}^{\mathcal {O}( C )}\)) if during the oracle queries, \(\mathcal {A}\) can only specify the regular input x to the circuit and the random input r is chosen uniformly at random from the corresponding sample space by the oracle \(\mathcal {O}\). The output of a probabilistic machine \(\mathcal {A}\) having oracle access to a probabilistic circuit \( C \) (denoted by \(\mathcal {A}^{\mathcal {O}( C )}(x_1,\cdots ,x_n)\)) is a probability distribution where the randomness in the distribution comes from the random coins used by \(\mathcal {A}\) as well as the random coins used by \(\mathcal {O}\) in answering \(\mathcal {A}\)’s oracle queries. We say that \(\mathcal {B}\) evaluates a probabilistic circuit \( C \) (or in other words, \(\mathcal {B}\) is an evaluator of \( C \)) on regular input x, if \(\mathcal {B}\) supplies the regular input as well as the random input r chosen uniformly at random from the corresponding sample space and outputs \( C (x;r)\). We use \(| C |\) to denote the size of a circuit \( C \).

We recall the notion of average case secure obfuscation given in [24].

Definition 2

[23, 24]. A PPT machine \(\mathsf {Obf}\) that takes as input a (probabilistic) circuit and outputs a new (probabilistic) circuit is an average-case secure obfuscator for the circuit family \(\mathcal {C}= \{ C _{\lambda }\}_{\lambda \in \mathbb {N}}\) with an associated sampling algorithm \(\mathsf {Samp}\) if it satisfies the following properties:

  1. Preserving Functionality: For all length parameters \(\lambda \in \mathbb {N}\) and for all \( C \in C _{\lambda }\):

    $$ Pr[ C ' \leftarrow \mathsf {Obf}( C ): \exists x \in {\{0,1\}}^{p_{in}(\lambda )}, \varDelta \big ( C '(x;\cdot ), C (x;\cdot )\big ) \ne 0] = 0 $$

  2. Polynomial Slowdown: There exists a polynomial \(p(\cdot )\) such that for sufficiently large length parameters \(\lambda \), for any \( C \in C _{\lambda }\), we have

    $$Pr[ C ' \leftarrow \mathsf {Obf}( C ): | C '| \le p(| C |)] = 1$$

  3. Average-case Secure Virtual Black Box: There exists a PPT machine (simulator) \(\mathsf {Sim}\) such that for every PPT distinguisher D, there exists a negligible function \(\mathsf {neg}(\cdot )\) such that for every length parameter \(\lambda \) and for every \(z \in \{0,1\}^{poly(\lambda )}\):

    $$\begin{aligned} | Pr [ C \leftarrow \mathsf {Samp}(1^{\lambda }); C ' \leftarrow \mathsf {Obf}( C );b \leftarrow D^{\mathcal {O}( C )}( C ',z): b = 1 ] - \\ Pr [ C \leftarrow \mathsf {Samp}(1^{\lambda }); C ' \leftarrow \mathsf {Sim}^{\mathcal {O}( C )}(1^{\lambda },z);b \leftarrow D^{\mathcal {O}( C )}( C ',z): b = 1] | \le \mathsf {neg}(\lambda ) \end{aligned}$$

Remark 5

The definition given in [24] considers a relaxed notion of correctness. Specifically, it allows the output distributions of the obfuscated circuit and the original circuit to have a negligible statistical distance, with negligible probability. Here, as in [23], we consider a stronger notion of correctness where we require the output distributions of the original circuit and the obfuscated circuit to be identical.

3 Obfuscator for Re-Encryption Functionality

In this section, we describe our new encryption system, the re-encryption functionality which is to be obfuscated and finally the construction of an average-case secure obfuscator for the functionality.

New Encryption Scheme. The new encryption system under consideration is a variant of the El-Gamal system.

[figure a: the algorithms of the New Encryption Scheme (Setup, KeyGen, first level encryption, Decrypt1) are given as a figure in the original and are not reproduced in this extraction]

Re-encryption Functionality. Let \((pk_1,sk_1)\) and \((pk_2,sk_2)\) be two key-pairs which are obtained by running the \(\mathsf {KeyGen}\) algorithm with independent random tapes. Let \(h \mathop {\leftarrow }\limits ^{\$}\mathbb {G}\) be an element chosen uniformly and independently at random from the group \(\mathbb {G}\). The PPT algorithm performing re-encryption from \(pk_1\) to \(pk_2\) (denoted by \(\mathsf {Re-Enc}_{1 \rightarrow 2}\)) is described below.

[figure b: the re-encryption program \(\mathsf {Re-Enc}_{1 \rightarrow 2}\) is given as a figure in the original and is not reproduced in this extraction]

Re-encryption Circuit Family. Let \( C _{sk_1,pk_1,pk_2,h}\) be the description of a probabilistic circuit implementing the program \(\mathsf {Re-Enc}_{1 \rightarrow 2}\). We note that the constants in the above program are hardwired in the circuit description. These constants can be extracted when given the description of the circuit. Formally, the class of circuits implementing the re-encryption functionality for a given length parameter \(\lambda \) is,

$$\begin{aligned} C _{\lambda } = \{ C _{sk_1,pk_1,pk_2,h} : (pk_1,sk_1) \leftarrow \mathsf {KeyGen}(1^{\lambda }), (pk_2,sk_2) \leftarrow \mathsf {KeyGen}(1^{\lambda }), h \mathop {\leftarrow }\limits ^{\$}\mathbb {G}\} \end{aligned}$$

The circuit family implementing the re-encryption functionality is given by \( C = \{ C _{\lambda }\}_{\lambda \in \mathbb {N}}\). The associated sampling algorithm \(\mathsf {Samp}\) proceeds by choosing \((p,\mathbb {G},g,H) \leftarrow \mathsf {Setup}(1^{\lambda })\). It then samples \((pk_1,sk_1) \leftarrow \mathsf {KeyGen}(1^{\lambda })\), \((pk_2,sk_2) \leftarrow \mathsf {KeyGen}(1^{\lambda })\) and \(h \mathop {\leftarrow }\limits ^{\$}\mathbb {G}\). It finally outputs the circuit description of \(C_{sk_1,pk_1,pk_2,h}\).

The evaluator of the circuit \( C _{sk_1,pk_1,pk_2,h}\) supplies the regular input which is either the ciphertext \(c_1 = [C_1,C_2]\) or the special symbol \(\mathsf {keys}\) and also supplies the random input \(\mathsf {rand}\) chosen uniformly at random from \(\{0,1\}^{3\lambda }\) to the circuit for sampling \(r',v,s\) uniformly from \(\mathbb {Z}_p^*\).

Decrypting the Circuit Output. The output of \(\mathsf {Re-Enc}_{1 \rightarrow 2}\) can be decrypted using the following algorithm \(\mathsf {Decrypt2}\):

[figure c: the algorithm \(\mathsf {Decrypt2}\) is given as a figure in the original and is not reproduced in this extraction]

Correctness. We note that correctness of \(\mathsf {Decrypt1}\) algorithm directly follows from the correctness of El-Gamal encryption scheme and correctness of \(\mathsf {Decrypt2}\) follows from inspection.

Obfuscator Construction. We now present the construction of an average-case secure obfuscator (denoted by \(\mathsf {Obf}\)) for the re-encryption circuit family defined in Sect. 3.

[figures d and e: the obfuscator \(\mathsf {Obf}\) and the obfuscated program \(\mathsf {Re-Enc}_{1 \rightarrow 2}'\) are given as figures in the original and are not reproduced in this extraction]

Let \( C '\) denote the circuit implementing \(\mathsf {Re-Enc}_{1 \rightarrow 2}'\). The evaluator for the circuit \( C '\) provides either \(c_1 = [C_1,C_2]\) or special symbol \(\mathsf {keys}\) as the regular input and \(\mathsf {rand} \mathop {\leftarrow }\limits ^{\$}\{0,1\}^{3\lambda }\) as the random input for sampling \(r',v',s\) uniformly from \(\mathbb {Z}_p^*\).

Remark 6

The obfuscated circuit \( C '\) is generated by the owner of \(sk_1\) but can be evaluated by anyone. We assume (as described in Remark 2) that the evaluator of \( C '\) and the owner of \(sk_2\) do not collude.

4 Security of New Encryption Scheme

We now describe the security model for semantic security of the encryption scheme when the adversary is given black-box access to the re-encryption functionality. In view of the discussion presented in Sect. 1.2, we modify the security model given in [24] as follows.

4.1 Security Model

Let \( C \leftarrow \mathsf {Samp}(1^{\lambda })\) be the re-encryption circuit from \(pk_1\) to \(pk_2\).

Original Ciphertext Security. Let \(\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)\) be an adversary against the original ciphertext security.

Definition 3

Let \(\varPi \) be an encryption scheme and let \(IND_{b,ori}(\varPi ,\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2),\lambda ,i)\) where \(b \in \{0,1\}\) and \(i \in \{1,2\}\), denote the following experiment:

[figure f: the experiment \(IND_{b,ori}(\varPi ,\mathcal {A},\lambda ,i)\) is given as a figure in the original and is not reproduced in this extraction]

The scheme \(\varPi \) is said to be original ciphertext secure with respect to the oracle access to \( C \) if for all PPT adversaries \(\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)\) and for all \(i \in \{1,2\}\), there exists a negligible function \(\mu (\cdot )\) such that for all \(\lambda \in \mathbb {N}\),

$$\begin{aligned} \varDelta \big (IND_{0,ori}(\varPi ,\mathcal {A},\lambda ,i),IND_{1,ori}(\varPi ,\mathcal {A},\lambda ,i)\big ) \le \mu (\lambda ) \end{aligned}$$

Transformed Ciphertext Security. Let \(\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)\) be an adversary against the transformed ciphertext security.

Definition 4

Let \(\varPi \) be an encryption scheme and let \(IND_{b,tran}(\varPi ,\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2),\lambda )\) where \(b \in \{0,1\}\) denote the following experiment:

[figure g: the experiment \(IND_{b,tran}(\varPi ,\mathcal {A},\lambda )\) is given as a figure in the original and is not reproduced in this extraction]

The scheme \(\varPi \) is said to be transformed ciphertext secure with respect to the oracle access to \( C \) if for all PPT adversaries \(\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)\), there exists a negligible function \(\mu (\cdot )\) such that for all \(\lambda \in \mathbb {N}\),

$$\begin{aligned} \varDelta \big (IND_{0,tran}(\varPi ,\mathcal {A},\lambda ),IND_{1,tran}(\varPi ,\mathcal {A},\lambda )\big ) \le \mu (\lambda ) \end{aligned}$$

Statistical Independence. Let us consider the following experiment.

[figure h: the experiment \(\mathsf{{Stat}}(\varPi ,\lambda ,m)\) is given as a figure in the original and is not reproduced in this extraction]

We require the output of \(\mathsf{{Stat}}(\varPi ,\lambda ,m)\) to be statistically independent of \(sk_1\).

4.2 Security Proof

We now show that the New Encryption Scheme is original ciphertext secure (in Theorem 2), transformed ciphertext secure (in Theorem 3) and has statistical independence property (in Lemma 2).

Theorem 2

The New Encryption Scheme is original ciphertext secure with respect to the oracle \( C _{sk_1,pk_1,pk_2,h}\) under the DDH-assumption.

Proof

We give the proof of this theorem in the full version of our paper [28].

We now show the transformed ciphertext security of our construction.

Theorem 3

The New Encryption Scheme is transformed ciphertext secure with respect to the oracle \( C _{sk_1,pk_1,pk_2,h}\) under the multi-message security (2 messages) of El-Gamal encryption system (Theorem 1).

Proof

The proof of this theorem appears in the full version of the paper [28].

We note that the statistical independence property of the re-encryption functionality directly follows from inspection of the output distribution of the re-encryption circuit. We record the following lemma.

Lemma 2

The output distribution of \( C _{sk_1,pk_1,pk_2,h}\) where \((pk_1,sk_1) \leftarrow \mathsf {KeyGen}(params)\), \((pk_2,sk_2) \leftarrow \mathsf {KeyGen}(params)\) and \(h \mathop {\leftarrow }\limits ^{\$}\mathbb {G}\) is statistically independent of \(sk_1\).

5 Average-Case Virtual Black Box Property

We note that the obfuscator construction preserves functionality (the formal proof appears in the full version). The polynomial slowdown property of our construction can be easily verified. It is interesting to note that the obfuscated circuit computes seven exponentiations whereas the original circuit computes eight exponentiations.

We now show that \(\mathsf {Obf}\) satisfies the average-case virtual black box property.

Lemma 3

\(\mathsf {Obf}\) satisfies the average case secure virtual black-box property.

Proof

The proof techniques used here are similar to that of Hohenberger et al. in [24] and the details follow.

Let \( C \leftarrow \mathsf {Samp}(1^{\lambda })\) be a circuit chosen randomly from the set \( C _{\lambda }\) using the \(\mathsf {Samp}\) algorithm. Let D be any distinguisher with oracle access to \( C \).

We first describe our simulator \(\mathsf {Sim}\) which has oracle access to the circuit \( C \) and takes as input the security parameter in unary form and auxiliary information string denoted by z.

[figure i: the simulator \(\mathsf {Sim}\) is given as a figure in the original and is not reproduced in this extraction]

It remains to show that the output distribution of the simulator is computationally indistinguishable from the output distribution of \(\mathsf {Obf}\), even to distinguishers having oracle access to \( C \).

We define two distributions \(\mathsf {Nice}(D^{\mathcal {O}( C )},\lambda ,z)\) and \(\mathsf {Junk}(D^{\mathcal {O}( C )},\lambda ,z)\) as follows:

[Figures j and k: definitions of the distributions \(\mathsf {Nice}\) and \(\mathsf {Junk}\)]

We first observe that for all \(z \in \{0,1\}^{poly(\lambda )}\) and for all distinguishers D,

In order to show that \(\mathsf {Obf}\) satisfies the average case virtual black box property it is enough (by Lemma 1) to show that for all PPT distinguishers D, there exists a negligible function \(\mu (\cdot )\) such that for all \(z \in \{0,1\}^{poly(\lambda )}\),

We show that for all PPT distinguishers D, there exists a negligible function \(\mu (\cdot )\) such that for all \(z \in \{0,1\}^{poly(\lambda )}\),

We start with a useful lemma.

Lemma 4

[Figure l: statement of Lemma 4]

Proof

The proof of this lemma appears in the full version of the paper [28].

First, we consider two distributions which are similar to \(\mathsf {Nice}\) and \(\mathsf {Junk}\) except that they consider a “dummy” distinguisher \(D^*\) which outputs whatever is given as input.

Proposition 1

Proof

The proof of this proposition follows directly from the proof of Lemma 4: the left distribution in the lemma statement is identically distributed to \(\mathsf {Junk}(D^*, \lambda , z)\) and the right distribution is identically distributed to \(\mathsf {Nice}(D^*, \lambda , z)\). Hence,

$$ \mathsf {Nice}(D^*, \lambda , z) \mathop {\approx }\limits ^{c}\mathsf {Junk}(D^*, \lambda , z) $$

   \(\square \)

We now consider two more distributions which proceed as \(\mathsf {Nice}\) and \(\mathsf {Junk}\) except that they consider distinguishers \(D^{\mathcal {O}(R)}\), where R is a probabilistic circuit which on any input \([C_1,C_2]\) first checks whether \(C_1, C_2\) belong to \(\mathbb {G}\) and, if so, outputs \([A,B,C,D,E]\) where A, B, C, D, E are chosen uniformly and independently from \(\mathbb {G}\). Otherwise, it outputs \(\bot \).

Note that in \(\mathsf {Nice}(D^{\mathcal {O}(R)}, \lambda , z)\) the input to \(D^{\mathcal {O}(R)}\) is identically distributed to \(\mathsf {Nice}(D^*, \lambda , z)\), and in \(\mathsf {Junk}(D^{\mathcal {O}(R)}, \lambda , z)\) its input is identically distributed to \(\mathsf {Junk}(D^*, \lambda , z)\). The following proposition is a direct consequence of Proposition 1.

Proposition 2

For all PPT distinguishers D, there exists a negligible function \(\mu (\cdot )\) such that for all \(z \in \{0,1\}^{poly(\lambda )}\) and for all \(\lambda \in \mathbb {N}\), we have

Proof

Assume for the sake of contradiction that there exists a distinguisher \(D^{\mathcal {O}(R)}\) which can distinguish between \(\mathsf {Nice}(D^*, \lambda , z)\) and \(\mathsf {Junk}(D^*, \lambda , z)\) with non-negligible advantage. We construct a distinguisher \(D'\) (without oracle access to R) which distinguishes between \(\mathsf {Nice}(D^*, \lambda , z)\) and \(\mathsf {Junk}(D^*, \lambda , z)\) with the same advantage.

\(D'\) runs D internally, giving its own input as the input to D. When D makes an oracle query to R, \(D'\) simulates the response on its own: it checks whether the query belongs to \(\mathbb {G}\times \mathbb {G}\) and, if so, returns five independent uniformly random group elements. \(D'\) finally outputs whatever D outputs.

It is easy to see that \(D'\) has the same distinguishing advantage as D, and hence we have arrived at a contradiction to Proposition 1.    \(\square \)

Consider any distinguisher D. Let us define,

$$ \alpha (\lambda ,z) = \varDelta \big (\mathsf {Nice}(D^{\mathcal {O}( C )},\lambda ,z),\mathsf {Junk}(D^{\mathcal {O}( C )},\lambda ,z)\big ) $$
$$ \beta (\lambda ,z) = \varDelta \big (\mathsf {Nice}(D^{\mathcal {O}(R)},\lambda ,z),\mathsf {Junk}(D^{\mathcal {O}(R)},\lambda ,z)\big ) $$

Let \(q_D\) be the number of oracle queries that D makes during its execution. Since D runs in polynomial time, \(q_D\) is polynomial in \(\lambda \).

Proposition 3

There exists an algorithm \(\mathcal {B}\) against the multi-message (\(2q_D\) messages) security of the El-Gamal encryption scheme with advantage \(|\alpha (\lambda ,z) - \beta (\lambda ,z)|/2\).

Proof

We prove the proposition by constructing an adversary \(\mathcal {B}\) against the El-Gamal challenger with advantage \(|\alpha (\lambda ,z) - \beta (\lambda ,z)|/2\).

\(\mathcal {B}\) receives the public key \(g^{y}\) from the El-Gamal challenger. It chooses \(x \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^*\) and sets \(pk_1 = (g,g^{x})\) and \(pk_2 = (g,g^{y})\). It chooses two message vectors \({{\varvec{M}}}_{\mathbf{0}}\) and \({{\varvec{M}}}_{\mathbf{1}}\), each of length \(2q_{D}\), as follows. It sets \({{\varvec{M}}}_{\mathbf{0}} = \{1,1,\ldots ,1\}\) (of length \(2q_{D}\)) and \({{\varvec{M}}}_{\mathbf{1}} = \{m_1,m_2,\ldots ,m_{2q_{D}}\}\) where \(m_1,\ldots ,m_{2q_{D}}\) are chosen uniformly and independently at random from \(\mathbb {G}\). It then receives the challenge ciphertext vector \({{\varvec{C}}}^{\varvec{*}} = \{(g^{r_1},Q_1),(g^{r_2},Q_2),\ldots , (g^{r_{2q_D}},Q_{2q_D})\}\) and the auxiliary information z. Note that for all \(i \in \{1,2,\ldots ,2q_{D}\}\), \(r_i\) is a random element in \(\mathbb {Z}_p^*\) and \(Q_i = g^{yr_i}\) or a uniformly chosen element depending on whether \({{\varvec{M}}}_{\mathbf{0}}\) or \({{\varvec{M}}}_{\mathbf{1}}\) was encrypted (due to the random choice of \(m_1,\ldots ,m_{2q_{D}}\)).

\(\mathcal {B}\) now uses D to determine whether the challenge ciphertext vector is an encryption of \({{\varvec{M}}}_{\mathbf{0}}\) or of \({{\varvec{M}}}_{\mathbf{1}}\). It first generates tuples distributed exactly as \(\mathsf {Nice}(D^*, \lambda , z)\) and \(\mathsf {Junk}(D^*, \lambda , z)\). It tosses a random coin c and runs D with input \(\mathsf {Nice}(D^*, \lambda , z)\) if \(c=0\) and with input \(\mathsf {Junk}(D^*, \lambda , z)\) if \(c=1\). \(\mathcal {B}\) needs to answer the re-encryption oracle queries made by D, and it uses the challenge ciphertext to do so. We show that if the challenge ciphertext is an encryption of \({{\varvec{M}}}_{\mathbf{0}}\), then the oracle responses given by \(\mathcal {B}\) are identically distributed to the output of the re-encryption circuit \( C \); if the challenge ciphertext is an encryption of \({{\varvec{M}}}_{\mathbf{1}}\), the oracle responses are identically distributed to the output of R. The exact details follow.

\(\mathcal {B}\) chooses \(h \mathop {\leftarrow }\limits ^{\$}\mathbb {G}\) and \(v \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^*\) and computes \(Z_1 = h \cdot (g^{y})^v\) and \(Z_2 = g^v\). It then sets \(Z_3 = H(h)/x\) and chooses \(Z_3' \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p^*\). It tosses a random coin \(c \mathop {\leftarrow }\limits ^{\$}\{0,1\}\). If \(c=0\), it runs \(D^{\mathcal {O}(X)}(pk_1,pk_2,Z_1,Z_2,Z_3,z)\). Otherwise it runs \(D^{\mathcal {O}(X)}(pk_1,pk_2,Z_1,Z_2,Z'_3,z)\), where X is the circuit description of the program \(\mathsf {Re-Enc}''_{1 \rightarrow 2}\) described below. Note that if \(c=0\), the input to D is identical to \(\mathsf {Nice}(D^*, \lambda , z)\); otherwise it is identical to \(\mathsf {Junk}(D^*, \lambda , z)\).

When D makes its \(i^{th}\) oracle query \([C_1,C_2]\), \(\mathcal {B}\) runs the following program and returns its output to D as the response.

[Figure m: the program \(\mathsf {Re-Enc}''_{1 \rightarrow 2}\) run by \(\mathcal {B}\) to answer oracle queries]

D finally outputs its guess. Let \(c'\) denote the output of D. If \(c=c'\), \(\mathcal {B}\) outputs 1. Else, it outputs 0.

We now prove the following two claims regarding the output of \(\mathcal {B}\).

Claim

If \({{\varvec{M}}}_{\mathbf{0}}\) was encrypted, the probability that \(\mathcal {B}\) outputs 1 is given by \(1/2 + \alpha (\lambda ,z)/2\).

Proof

We claim that if \({{\varvec{M}}}_{\mathbf{0}}\) was encrypted, then \(\mathcal {B}\) perfectly simulates \(D^{\mathcal {O}( C )}\big (pk_1, pk_2,h \cdot (g^{y})^r,g^r,H(h)/x,z\big )\) or \(D^{\mathcal {O}( C )}\big (pk_1,pk_2,h \cdot (g^{y})^r,g^r,Z'_3,z\big )\), depending on the bit c. We already noted that the input to D is identically distributed to \(\mathsf {Nice}(D^*, \lambda , z)\) or \(\mathsf {Junk}(D^*, \lambda , z)\). It is therefore enough to show that X simulates the circuit \( C \) perfectly. Since \(Q_i = (g^{y})^{r_i}\) for all \(i \in [1, 2q_{D}]\) and \(Z_1,Z_2,Z_3\) are generated exactly as in the \(\mathsf {Obf}\) algorithm, the output of X is given by

$$ (m \cdot g^{r+r'},(g^{r+r'})^{H(h)} \cdot (g^{y})^{r_{i + q_{D}}},h \cdot (g^{y})^{v + r_i}, g^{v + r_i},g^{r_{i + q_{D}}}) $$

which is identically distributed to the output of the re-encryption circuit, since \(r',r_i, r_{i + q_{D}}\) are chosen uniformly at random from \(\mathbb {Z}_p^*\). Hence, the probability that \(\mathcal {B}\) outputs 1 in this case is the same as the probability that \(D^{\mathcal {O}( C )}\) outputs \(c'=c\), which equals \(1/2 + \alpha (\lambda ,z)/2\).    \(\square \)

Claim

If \({{\varvec{M}}}_{\mathbf{1}}\) was encrypted, the probability that \(\mathcal {B}\) outputs 1 is given by \(1/2 + \beta (\lambda ,z)/2 \).

Proof

We already noted that the input to D is generated exactly according to either \(\mathsf {Nice}(D^*, \lambda , z)\) or \(\mathsf {Junk}(D^*, \lambda , z)\). We claim that the responses given by \(\mathcal {B}\) are distributed exactly as those given by R. The output of \(\mathcal {B}\) on the \(i^{th}\) query is given by

$$ (m \cdot g^{r+r'},(g^{r+r'})^{H(h)} \cdot Q_{i + q_{D}},h \cdot (g^{y})^v \cdot {Q_i},g^{v+r_i},g^{r_{i + q_{D}}}) $$

Since \(Q_i\) and \(Q_{i + q_{D}}\) are uniformly random elements of \(\mathbb {G}\) when \({{\varvec{M}}}_{\mathbf{1}}\) was encrypted, and \(r',r_{i}, r_{i + q_{D}}\) are chosen uniformly at random from \(\mathbb {Z}_p^*\), all elements of the above tuple are uniformly random and independent for every invocation of the oracle.

Hence, in this case \(\mathcal {B}\) perfectly simulates \(D^{\mathcal {O}(R)}\big (pk_1,pk_2,h \cdot (g^{y})^r,g^r,H(h)/x,z\big )\) or \(D^{\mathcal {O}(R)}\big (pk_1,pk_2,h \cdot (g^{y})^r,g^r,Z'_3,z\big )\), depending on the bit c. Thus, the probability that \(\mathcal {B}\) outputs 1 in this case is the same as the probability that \(D^{\mathcal {O}(R)}\) outputs \(c'=c\), which is \(\beta (\lambda ,z)/2 + 1/2\).    \(\square \)

Hence the advantage of \(\mathcal {B}\) in the multi-message security game of the El-Gamal encryption scheme is \(|\alpha (\lambda ,z) - \beta (\lambda ,z)|/2\).    \(\square \)

We know from Proposition 2 that \(\beta (\lambda ,z)\) is negligible. Hence from Proposition 3 we can infer that \(\alpha (\lambda ,z)\) is also negligible.

Hence, \(\mathsf {Obf}\) satisfies the average case secure virtual black box property, and this concludes the proof of the lemma.

   \(\square \)
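The two claims in the proof of Proposition 3 rest on one mechanical fact: multiplying the obfuscated pair \((Z_1, Z_2) = (h \cdot (g^y)^v, g^v)\) by the \(i^{th}\) challenge entry \((g^{r_i}, Q_i)\) yields a fresh El-Gamal encryption of h under \(pk_2\) exactly when \(Q_i = g^{y r_i}\) (the \({{\varvec{M}}}_{\mathbf{0}}\) case), and an encryption of \(h \cdot m_i\), i.e. a uniformly random pair, when \(Q_i = m_i \cdot g^{y r_i}\) (the \({{\varvec{M}}}_{\mathbf{1}}\) case). The following Python model, added here as an illustration and not taken from the paper or its full version, plays the multi-message challenger with the vectors \(\mathcal {B}\) chooses, embeds challenge entries into the third and fourth output components as \(\mathcal {B}\) does, and also implements the circuit R of Proposition 2. It assumes a constructed toy group (the order-1019 subgroup of \(\mathbb {Z}_{2039}^*\), standing in for the paper's prime-order group with exponents in \(\mathbb {Z}_p^*\)) and, since only these two components of \(\mathsf {Re-Enc}''_{1 \rightarrow 2}\) are visible on this page, models nothing of the first, second or fifth components:

```python
"""Toy model of the El-Gamal multi-message challenge used by the reduction B.

Added example, not the paper's code.  The group parameters are constructed
toy values (a 1019-element subgroup of Z_2039^*) chosen for readability,
not for security.
"""
import random

MODULUS = 2039        # safe prime 2q + 1 (constructed toy value)
GROUP_ORDER = 1019    # prime q, playing the role of the paper's p
G = 4                 # generator of the order-q subgroup G of Z_2039^*


def in_group(x):
    """Membership test for G: the check that R and X perform on [C_1, C_2]."""
    return 0 < x < MODULUS and pow(x, GROUP_ORDER, MODULUS) == 1


def rand_exp(rng):
    """Uniform non-zero exponent, the paper's Z_p^*."""
    return rng.randrange(1, GROUP_ORDER)


def rand_elem(rng):
    """Uniform element of G."""
    return pow(G, rng.randrange(GROUP_ORDER), MODULUS)


def keygen(rng):
    """El-Gamal key pair (pk = g^y, sk = y); the challenger holds y."""
    y = rand_exp(rng)
    return pow(G, y, MODULUS), y


def encrypt(pk, m, rng):
    """El-Gamal ciphertext (g^r, m * pk^r)."""
    r = rand_exp(rng)
    return pow(G, r, MODULUS), (m * pow(pk, r, MODULUS)) % MODULUS


def decrypt(sk, ct):
    """Recover m = c2 / c1^sk; used only to check what the embedded pair encrypts."""
    c1, c2 = ct
    return (c2 * pow(pow(c1, sk, MODULUS), -1, MODULUS)) % MODULUS


def oracle_R(c1, c2, rng=None):
    """The circuit R of Proposition 2: five uniform elements of G, or bot (None)."""
    rng = rng or random.Random()
    if not (in_group(c1) and in_group(c2)):
        return None
    return tuple(rand_elem(rng) for _ in range(5))


def multi_message_challenge(pk, n, b, rng):
    """Challenger for B's vectors: M_0 = (1,...,1), M_1 = (m_1,...,m_n) uniform in G.

    Returns the challenge vector [(g^{r_j}, Q_j)] and M_1 (kept only so the
    caller can verify the trace; B itself never learns which was encrypted).
    """
    m1 = [rand_elem(rng) for _ in range(n)]
    msgs = [1] * n if b == 0 else m1
    return [encrypt(pk, m, rng) for m in msgs], m1


def embed_challenge(z1, z2, challenge_pair):
    """B's embedding of challenge entry i into the fourth and third output
    components: (Z_2 * g^{r_i}, Z_1 * Q_i), returned in (c1, c2) order."""
    g_ri, q_i = challenge_pair
    return (z2 * g_ri) % MODULUS, (z1 * q_i) % MODULUS


def reduction_trace(q_d, b, seed=0):
    """Run B's embedding for q_d oracle queries against challenge bit b.

    Returns h and, per query, the value sk_2 decrypts the embedded pair to,
    together with the corresponding m_i, so both claims can be checked:
    b = 0 gives h every time, b = 1 gives h * m_i (a uniform element).
    """
    rng = random.Random(seed)
    pk2, y = keygen(rng)                          # challenger's key (g^y, y)
    h = rand_elem(rng)
    v = rand_exp(rng)
    z1 = (h * pow(pk2, v, MODULUS)) % MODULUS     # Z_1 = h * (g^y)^v
    z2 = pow(G, v, MODULUS)                       # Z_2 = g^v
    challenge, m1 = multi_message_challenge(pk2, 2 * q_d, b, rng)
    trace = []
    for i in range(q_d):                          # query i consumes entry i
        pair = embed_challenge(z1, z2, challenge[i])
        trace.append((decrypt(y, pair), m1[i]))
    return h, trace
```

`reduction_trace(q_d, 0)` decrypts to h on every query, matching the first claim (the embedded pair is a correctly rerandomised encryption of h), while `reduction_trace(q_d, 1)` decrypts to \(h \cdot m_i\) with a fresh uniform \(m_i\) per query, matching the second claim; the decryption key y is used only for this check and is never available to \(\mathcal {B}\).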

Since \(\mathsf {Obf}\) satisfies the three requirements given in Definition 2, we conclude that \(\mathsf {Obf}\) is an average-case secure obfuscator.