 Hi, I'm Lio, I'm going to talk about universal proxies encryption. This is a joint work with Nicodotoring. In this work, we put forward the notion of universal proxies encryption, which is a generalization of proxies encryption. We present two constructions. One is UPRE scheme based on obfuscation. The other one is a relaxed version of UPRE based on garbled circuits. First, I introduce standard proxies encryption. Let's consider the following scenario. Alice sends an encrypted email to Bob. Bob is on vacation, so he wants to forward emails to Chris during his vacation. However, Chris cannot decrypt the encrypted email since Chris does not have Bob's decryption key. Proxies re-encryption solves this problem. In proxies re-encryption, we have a re-encryption key generation algorithm that takes derivatives key and delegities key as inputs, and outputs a re-encryption key. Bob is a delegator, and Chris is a delegator. There is a proxy, which is given a re-encryption key and runs a re-encryption algorithm. The re-encryption algorithm takes delegator's ciphertext and the re-encryption key as inputs, and outputs a re-encrypted ciphertext for delegates. The delegates Chris can decrypt the re-encrypted ciphertext by using the delegates key. There are many applications of proxy re-encryption. Encrypted email forwarding, encrypted file storage, secure publish subscribe operation, secure payment system for credit cards. However, all existing PRE schemes are constructed from scratch. That is, we need to deploy a new PRE scheme. We cannot directly use already deployed cryptography as it is for achieving PRE. We want to use existing PRE schemes as they are for achieving proxy re-encryption mechanism. Moreover, existing PRE schemes cannot convert a ciphertext into a ciphertext of another scheme. Our question is, can we convert a ciphertext of some PRE scheme into a ciphertext of another PRE scheme? For example, an Elgarmal ciphertext into a Regiff ciphertext. Universal proxy re-encryption enables such conversions. There are two different PKE schemes, Elgarmal and Regiff, for example. Each key generation algorithm generates a key pair. Each encryption algorithm generates a ciphertext. UPR re-scheme consists of re-encryption key generation algorithm and re-encryption algorithm. Re-encryption key generation algorithm takes delegator's decryption key and delegates public key as inputs and outputs a re-encryption key. A re-encryption algorithm takes a delegator's ciphertext and the re-encryption key and outputs a re-encrypted ciphertext. Here, the re-encrypted ciphertext is in the ciphertext space of delegated scheme. So we can decrypt the re-encrypted ciphertext by using the decryption algorithm of delegated scheme and delegated decryption key. We can consider a relaxed version of UPR re. The difference is that a re-encrypted ciphertext is not in the ciphertext space of delegated scheme. So we need a modified decryption algorithm in relaxed UPR re. Although we cannot use the original decryption algorithm of delegated, we can use the original decryption key of delegated scheme. This is relaxed UPR re. There are two important notions in PRE and UPR re. One is the number of re-encryption. If a re-encrypted ciphertext cannot be re-encrypted anymore, we call single hop. If we can re-encrypt a re-encrypted ciphertext again and again, we call multi hop. The other one is the direction of re-encryption. If a re-encryption key can convert a delegated ciphertext into a delegated ciphertext and vice versa, we call bi-directional. If a re-encryption key can convert in one way direction, we call unidirectional. UPR has a new application. Let's consider the following scenario. We upload tremendous amount of encrypted data to a cloud storage. At some point, a practical quantum computer is available or a PK scheme is impaired. Then we need to migrate to another PK scheme. However, we do not want to download all ciphertext from the cloud. UPRE enables us to delegate the cloud to convert ciphertexts of all the schemes into ciphertexts of new schemes. In this work, we present definitions of UPRE and constructions of UPRE. The first scheme is multi hop UPRE scheme for some class of PK, based on probabilistic indistinguishability obfuscation and one way functions. The second scheme is multi hop relaxed UPRE scheme for any PK based on garbled circuits. Let's see more formal definitions of UPRE. This is the syntax of UPRE. Re-encryption key generation algorithm takes two descriptions of schemes, a decryption key and a public key as input and output re-encryption key. Note that two schemes could be different. Re-encryption algorithm takes two descriptions of schemes, a re-encryption key and a delegator's ciphertext as inputs and outputs are re-encrypted ciphertext. In UPRE, a re-encrypted ciphertext is a ciphertext of scheme sigma B. In relaxed UPRE, a re-encrypted ciphertext is not a ciphertext of sigma B. So in relaxed UPRE, we have a modified decryption algorithm. This is different from the decryption algorithm of sigma B, but we can use the decryption key SKB of sigma B as it is. We can define in the CPA security for UPRE by extending in the CPA security of PRRE. In this talk, we introduced the single hop case for simplicity, but we also defined the march hop case. Please see the paper for the detail. As the setup phase, the adversary sends honest or corrupted key queries. In the case of corrupted key queries, the adversary obtain both the public key and decryption key. In UPRE, the adversary can select a scheme in key queries. For example, sigma I is regf pke and pki and SKI are keys of regf pke. In the second phase, the adversary select a target user iStar, messages m0 and m1. The challenger chooses a bit b and send a target ciphertext ct star to the adversary. During the second phase, the adversary can send re-encryption key queries. The adversary selects two indices and receives a re-encryption key from user i to j. At some point, the adversary output a guess b prime. If the probability b prime is equal to b is half plus negligible, we say it is cpa secure. In fact, we define a stronger security notion called security against unnecessary encryption attacks. In this attack model, in addition to the re-encryption key oracle, the adversary also has access to unnecessary encryption oracle and re-encryption oracle. This is a natural extension of HRA security in PRE introduced by Cohen. However, it is a bit complex, so we omit it in this talk. Please see the paper for the detail. We also define security against corrupted delirator re-encryption attacks. In this security game, delirator i star is not corrupted, but the adversary corrupts delirator ic. So, the adversary has delirator's decryption key, skic. The adversary sends m0 and m1, then the challenger chooses a bit b and does the following. First, the challenger generates a ciphertext of the corrupted delirator. Next, the challenger generates a re-encryption key from ic to icetar. Finally, the challenger converts the delirator's ciphertext into a deligate's ciphertext. The adversary is given the re-encrypted ciphertext and re-encryption key. Note that the delirator's ciphertext is not given. Since if it is given, the adversary trivially wins the game. The adversary has access to the oracles as in the HRA security game. This security notion is required in the application to migration of encryption system. In the rest of this talk, we will see how to achieve upre. Our upre scheme, based on obfuscation, is quite simple. We consider the following circuit. A delirator's decryption key and deligate's public key are hard-coded in the circuit. It takes a delirator's ciphertext as an input, decrypts the ciphertext, and encrypts the resulting message by delirate's public key, and outputs the delirate's ciphertext. An obfuscated version of this circuit is a re-encryption key. Delirate's encryption algorithm is probabilistic, so we need PIO. However, if PKE is re-randomizable, we can use sub-exponentially secure I.O. and one-way functions instead of PIO. See the paper for the detail. I explain the high-level overview of the security proof. We want to use in the CPA security of the delirator's scheme, but the decryption key SKI-STIR is embedded in the re-encryption keys. So we need to erase information about SKI-STIR in re-encryption keys. We change the re-encryption circuit as follows. First, we do not decrypt the delirator's ciphertext anymore. Second, we encrypt a dummy message. This change cannot be detected due to the security of obfuscation. The modified circuit does not need information about delirator's decryption key. We gradually erase decryption keys in re-encryption keys. We can model the relationships among keys as a directed acyclic graph. We start from the leaf node and change the re-encryption keys from real one to simulated one. We move from the leaf node to a junction node and back and forth. When we finish erasing SKI-STIR, we use in the CPA security of the scheme I-STIR and complete the proof. Our relaxed UPRI scheme uses secret sharing and garbled circuit. Re-encryption key generation algorithm split delirator's decryption key into two shares. The first share S1 is encrypted by delirator's public key. The second share S2 is directly used as a part of re-encryption key. In re-encryption algorithm, we define the following reconstruction circuit RE. The second share S2 and a delirator's ciphertext CTE are hard-coded in circuit RE. The circuit takes the first share S1 as an input, reconstructs delirator's decryption key from the shares, decrypts the delirator's ciphertext, and output the message, µ. Re-encryption algorithm garbles this circuit. The garbled circuit and labels are sent to the deligates with encryption of the first share. Note that encryption of the first share is a part of the re-encryption key. The deligate decrypts ciphertext CTL children and obtain the first share S1. Then, select corresponding labels and evaluate the garbled circuit. By the definition of circuit RE, we can obtain the message µ. However, this construction is not secure, since if the proxy sends all labels of the garbled circuit, the deligate can obtain information about the second share S2. To solve the problem in the previous slide, we introduced weak batch encryption. This is a non-succinct variant of batch encryption introduced by Barker's key et al. A key generation algorithm takes the storing S as an input and outputs the public key and the secret key. The storing S means choice bits. A public key does not reveal any information about the choice bits. Choice bits are information theoretically hidden. An encryption algorithm takes the public key and 2L plaintext as input and outputs the ciphertext. A decryption algorithm takes the secret key and the ciphertext as input and outputs else plaintext. In each column, a plaintext corresponding to the choice bits is revealed. Even if the secret key BSK is given, we cannot obtain information about the other side plaintext. Unlike batch encryption, we can achieve weak batch encryption from in the CPA PKE. By using weak batch encryption, we can fix the first idea. We split delegator's decryption key by secret sharing. Next, we use the first share S1 as the choice bits of weak batch encryption. That is, we generate a key pair of weak batch encryption from S1. Then, we encrypt the secret key of weak batch encryption by delegator's public key. So, a re-encryption key consists of S2, BPK, and re-encryption of BSK. In the encryption algorithm, we consider the same circuit RE and GARBLIT. Unlike the first idea, we encrypt labels by weak batch encryption. Our re-encrypted ciphertext consists of the GARBLIT circuit, encryption of BSK, and weak batch encryption of labels. The delegated decrypt CTR children and obtain the secret key of weak batch encryption. Then, obtain labels corresponding to the first share by decrypting the first ciphertext of weak batch encryption. So, the delegated can evaluate the GARBLIT circuit by labels corresponding to the first share. Our re-encryption key does not leak information about delegator's decryption key. First, we need to erase information about delegator's decryption key from re-encrypted ciphertext. By the center security of weak batch encryption, we can change labels into labels corresponding to S1. Next, by the security of GARBLIT circuit, we can simulate the GARBLIT circuit only by using the message mu. That is, we do not need information about the second share S2 for simulated GARBLIT circuit. Next, we move to the re-encryption key part. We can erase information about BSK by delegator's encryption security. Next, we can erase information about the first share by the security of weak batch encryption. Then, we can use the security of secret sharing and erase information about delegator's decryption key. I explained the single hop case, but we can generalize this idea to the multi-hop case. As in our UPRE scheme, we gradually change re-encryption keys in a directed acyclic graph. This completes the proof outline. The scheme in the previous slide does not satisfy security against co-operated delegator re-encryption attacks, because the GARBLIT circuit might leak information about the message if the adversary has delegator's decryption key. We can solve this problem by encrypting the GARBLIT circuit by delegator's public key. However, this incurs size blow up, so the number of re-encryption is restricted. We can re-encrypt only a constant number of times. This is the summary of this talk. We put forward the notion of universal re-encryption and present generic constructions of UPRE and relaxed UPRE. Thank you.