**Efficiently Obfuscating Re-Encryption Program under DDH Assumption**

*Akshayaram Srinivasan and C. Pandu Rangan*

**Abstract: **A re-encryption program (or a circuit) transforms a ciphertext encrypted under Alice's public key $pk_1$ to a ciphertext of the same message encrypted under Bob's public key $pk_2$. Hohenberger et al. (TCC 2007) constructed a pairing-based obfuscator for a family of circuits implementing the re-encryption functionality under a new notion of obfuscation called as \textit{average-case secure obfuscation}. Chandran et al. (PKC 2014) proposed a lattice-based construction for the same.

The construction given by Hohenberger et al. could only support encryptions of messages from a polynomial space and the decryption algorithm may have to perform a polynomial number of pairing operations in the worst case. Moreover, the proof of security relies on strong assumptions. On the other hand, the construction given by Chandran et al. relies on standard assumptions on lattices but could only satisfy a relaxed notion of correctness.

In this work we propose a simple and efficient obfuscator for the re-encryption functionality which doesn't suffer from \textit{any} of the above mentioned drawbacks. In particular, our construction satisfies the strongest notion of correctness, supports encryption of messages from an exponential sized domain and relies on the standard DDH-assumption. We also strengthen the black-box security model for encryption - re-encryption system proposed by Hohenberger et al. and prove the average-case virtual black box property of our obfuscator as well as the security of our encryption - re-encryption system (in the strengthened model) under the DDH-assumption. All our proofs are in the standard model.

**Category / Keywords: **Re-encryption circuit, Average-case secure obfuscation, DDH Assumption, Standard Model

**Date: **received 20 Aug 2015, last revised 27 Nov 2016

**Contact author: **akshayram1993 at gmail com

**Available format(s): **PDF | BibTeX Citation

**Version: **20161127:151507 (All versions of this report)

**Short URL: **ia.cr/2015/822

[ Cryptology ePrint archive ]