CCA Secure Unidirectional PRE with Key Pair in the Standard Model without Pairings
Anass Sbai, Cyril Drocourt and Gilles Dequen
MIS Laboratory, University of Picardie Jules Verne, France
Keywords:
Proxy Re-Encryption, Unidirectional, Chosen Ciphertext Attack, Cramer-Shoup, Standard Model.
Abstract:
Secure data sharing has become a ubiquitous need. One way of pursuing it is to use Proxy Re-Encryption (PRE), which allows decryption rights to be delegated selectively. This work tackles the problem of designing a Proxy Re-Encryption scheme that is unidirectional and CCA-secure in the standard model without pairings. In (Zhang et al., 2013) the authors propose a solution that makes the Cramer-Shoup encryption scheme publicly verifiable and use their result to construct a CCA-secure PRE in the standard model. However, we show that their scheme is vulnerable to adaptive chosen ciphertext attacks. We then propose a new construction based on the Cramer-Shoup cryptosystem (Cramer and Shoup, 1998) that is CCA-secure without pairings or random oracles.
1 INTRODUCTION
Proxy Re-Encryption (PRE) is a very useful tool that transforms ciphertexts intended for Alice into new ciphertexts that can be decrypted by Bob. Thus, it allows the delegation of decryption rights on Alice's data only to the intended recipients (we will also refer to Alice as the delegator and Bob as the delegate). The first scheme was proposed by Blaze, Bleumer, and Strauss (Blaze et al., 1998), whose goal was to avoid the data having to be recovered, decrypted and then re-encrypted under the delegate's key, relying instead on a semi-trusted proxy that converts the ciphertexts using re-encryption keys created by the delegator. The major disadvantage of their scheme is that Alice's delegation to Bob automatically allowed Bob's delegation to Alice, which would later be called bidirectional PRE. This property is due to the fact that re-encryption keys were created using the private keys of both actors.
In terms of security, as for PKE (Public Key Encryption), we can assess the secrecy of the schemes on three levels:
IND-CPA (indistinguishability under chosen plaintext attack), where we give the attacker access to an encryption oracle. He can query plaintexts of his choice and get the corresponding ciphertexts. Then comes the challenge, where he generates two messages of the same length and sends them to the challenger, who randomly chooses one of them to encrypt. The scheme is broken if the adversary is able to guess which of the two messages has been encrypted with a non-negligible probability.
IND-CCA-1 (indistinguishability under chosen ciphertext attack), where the attacker has access to an encryption and a decryption oracle. He can send as many decryption queries as he wants before the challenge. The challenge remains the same as in the IND-CPA game, and the scheme is broken if the adversary guesses which of the two messages has been encrypted with a non-negligible probability.
IND-CCA-2 (indistinguishability under adaptive chosen ciphertext attack), where the game runs the same as in IND-CCA-1, but in addition the attacker can send decryption queries to the oracle after the challenge, except for the challenge ciphertext.
The main difference in the indistinguishability game between PKE and PRE is that the adversary has access to a re-encryption oracle; thus the proxy should not learn any information about the message during the re-encryption process. We give a more formal definition in section 5. For the rest of this paper, a CCA secure scheme will stand for the IND-CCA-2 security notion.
Sbai, A., Drocourt, C. and Dequen, G.
CCA Secure Unidirectional PRE with Key Pair in the Standard Model without Pairings.
DOI: 10.5220/0008955704400447
In Proceedings of the 6th International Conference on Information Systems Security and Privacy (ICISSP 2020), pages 440-447
ISBN: 978-989-758-399-5; ISSN: 2184-4356
Copyright © 2022 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
The construction of the BBS (Blaze et al., 1998) PRE achieves CPA security. In (Ateniese et al., 2006) the authors formalize the properties and security requirements of PRE, which we define in section 2, and propose the first unidirectional scheme. Since then, several works have been published concerning PRE. The first functional Identity-based Proxy Re-Encryption (IB-PRE) system, using pairings and CPA secure, was proposed in (Green and Ateniese, 2007). (Canetti and Hohenberger, 2007) propose the first bidirectional CCA secure PRE scheme and prove its security using the UC framework (Universal Composability framework (Canetti, 2001)). In (Deng et al., 2008), the authors deal with the open problem presented by Canetti concerning the construction of a CCA secure PRE without pairings. (Ateniese et al., 2009) formalize the notion of key privacy, which means that the re-encryption key cannot be used to recover the identity of either the delegate or the delegator. They show why the previous systems were not key-private and propose a new re-encryption system considered as the first unidirectional PRE that is key-private. Their construction is single-use and CPA secure. (Chow et al., 2010) demonstrate the possibility of conducting a CCA attack on Shao's system (Shao and Cao, 2009) and show how to fix the issue. They propose their own scheme without pairings, relying only on ElGamal and the Schnorr signature. (Selvi et al., 2017) find a flaw in the security proof of Chow's construction and propose a fix. The system is unidirectional and CCA secure in the random oracle model, and was implemented in (Sbai et al., 2019).
The security proofs in this model are founded on the existence of an ideal hash function that guarantees uniformly random outputs, which in practice cannot be instantiated, and there is no proof that a random oracle can exist. Nevertheless, many schemes base their security proofs on a random oracle and are used in practice, e.g. RSA-OAEP, without any vulnerability having been shown so far. Still, it is recommended to have a scheme that is proved secure under standard cryptographic assumptions, e.g. the discrete logarithm problem. This does not mean that we cannot use hash functions, as long as the proofs rely on the assumption of collision resistance or second preimage resistance and not on an ideal hash function. Until now, the only unidirectional PRE scheme that has been claimed to be CCA secure without relying on pairings or random oracles is (Zhang et al., 2013), where the authors propose a PVPKE (Publicly Verifiable Public Key Encryption) scheme and use their result to construct a PRE scheme.
In this paper, we first show that the proposal of (Zhang et al., 2013) is not CCA-secure. Then, we deal with the open problem of constructing a PRE scheme with CCA-security in the standard model without relying on pairings, based only on a DVPKE (Designated Verifier Public Key Encryption), namely the Cramer-Shoup cryptosystem. We do so by giving the proxy a private/public key pair that allows it to check the validity of ciphertexts. Unlike (Wei et al., 2010), we do not need to include a new signature scheme and new key pairs; that approach amounts to the same problem, since all efficient signature schemes rely on random oracles or pairings. Our method shows that the designated verifier property of the Cramer-Shoup encryption is sufficient to construct a CCA secure PRE by setting the proxy as a peer. We show later in the paper its benefits and inconveniences. We explain our construction and prove its CCA-security. This work was inspired by the (Chow et al., 2010) and (Wang et al., 2009) cryptosystems.
2 PRELIMINARIES
2.1 PRE Definition
Usually a PRE scheme can be defined as a tuple ζ : {Setup, KGen, RkGen, Encrypt, ReEncrypt, Decrypt} where:
Setup($1^\lambda$): takes as input a security parameter $\lambda$ and generates the scheme parameters denoted params.
KGen(params): takes as input the scheme parameters and generates the public/private key pair $(Pk, Sk)$.
RkGen($Sk_a, Pk_b$): in the case of unidirectional PRE, it takes as input a's private key $Sk_a$ and b's public key $Pk_b$ to generate the re-encryption key $Rk_{ab}$.
Encrypt($m, Pk_a$) $= C_a$: is the encryption function.
ReEncrypt($C_a, Rk_{ab}$) $= C_b$: is the re-encryption function. This can be either deterministic or probabilistic.
Decrypt($C, Sk$) $= M$: is the decryption function.
In some cases, we can find two more functions used for encryption and decryption in which the ciphertext cannot be re-encrypted; we call these non-transformable ciphertexts, so that only the owner of the private key can decrypt. There are also schemes like (Wei et al., 2010) and (Purushothama et al., 2013) that use key pairs for the proxy. The definition remains the same, but some properties can be missed, especially transparency. In (Ateniese et al., 2006) Ateniese gives a more formal definition for PRE and defines concretely the following properties:
Unidirectional: Delegation of decryption rights from Alice to Bob does not allow Alice to decrypt Bob's ciphertexts.
Non-interactive: The re-encryption key can be generated by Alice without interacting with Bob, thus using only Bob's public key.
Transparent: Or invisible, meaning that the delegate cannot distinguish between an encrypted message and a re-encrypted message.
Key-optimal: The size of Bob's secret storage must remain unchanged, no matter how many delegations he accepts.
Original access: The sender can decrypt any re-encrypted message of which he was originally the owner.
Collusion-safe: If the proxy and Bob collude, they should not get Alice's secret key.
Non-transitive: The proxy cannot re-delegate re-encryption rights (e.g. from $Rk_{ab}$ and $Rk_{bc}$ the proxy cannot calculate $Rk_{ac}$).
Non-transferable: The proxy and delegates cannot redefine decryption rights (e.g. from $Rk_{ab}$, $Pk_c$ and $Sk_b$ we cannot calculate $Rk_{ac}$).
Temporary: Bob can decipher the messages received from Alice only at a certain point in time.
2.2 Cramer-Shoup Encryption Scheme (Cramer and Shoup, 1998)
It is the first efficient asymmetric encryption scheme that fulfills CCA security in the standard model, under the assumption that we have a universal one-way hash function and that the Decisional Diffie-Hellman problem is hard in the underlying group. Assume we have a group $G$ with large prime order $q$; the plaintexts are elements of $G$ and the key generation process is as follows: choose $g_1, g_2$ from $G$ and $x_i \xleftarrow{\$} \mathbb{Z}_q$, $i \in \{1, 2, \dots, 5\}$, then compute $c = g_1^{x_1} \times g_2^{x_2}$, $d = g_1^{x_3} \times g_2^{x_4}$, $h = g_1^{x_5}$. Next choose a hash function $H$ from the family of universal one-way hash functions. Set the private key as $Sk = (x_1, x_2, x_3, x_4, x_5)$ and the public key $Pk = (q, g_1, g_2, H, c, d, h)$. To encrypt a message the sender must choose $r \xleftarrow{\$} \mathbb{Z}_q$ and compute $u_1 = g_1^r$, $u_2 = g_2^r$, $e = m \times h^r$, $\alpha = H(u_1, u_2, e)$, $v = c^r \times d^{r \times \alpha}$. The ciphertext is $(u_1, u_2, e, v)$. To decrypt it, the first step is to verify the validity of the ciphertext by checking that $v = u_1^{x_1 + \alpha \times x_3} \times u_2^{x_2 + \alpha \times x_4}$. If this equality does not hold, reject the decryption request; else compute and return $m = e / u_1^{x_5}$.
3 ANALYSIS OF PVPKE BY (ZHANG ET AL., 2013)
The trick that helps to create a CCA secure PRE is the public verifiability of ciphertexts: the first step for the proxy is to check the validity of the ciphertext before re-encrypting it. As an example, (Chow et al., 2010) relies on the Schnorr signature with a slight modification to get public verifiability. This also makes ElGamal encryption CCA secure. The Schnorr signature used is a sort of NIZK (Non-Interactive Zero-Knowledge) proof obtained from the Fiat-Shamir transformation applied to the interactive Schnorr identification scheme. This transformation leads to the use of a random oracle in the security model.
As for (Zhang et al., 2013), their scheme is based on Cramer-Shoup encryption. In order to make it publicly verifiable, the authors opted for the use of composite order groups. Thus, based on the hardness of factoring the product of two large primes, they can compute from some elements of the private key values in $\mathbb{Z}_{\phi(N)}$ that can be used for verification by raising to them in the exponent in $\mathbb{Z}_N$, while keeping $\phi(N)$ hidden. The scheme is CPA secure but not CCA secure as they had claimed. We review the scheme of (Zhang et al., 2013) and show how to mount an adaptive chosen ciphertext attack below.
3.1 Review of the Scheme
KGen():
Let $p$, $q$, $p'$ and $q'$ be big primes such that $p = 2 \times p' + 1$, $q = 2 \times q' + 1$ and $N = p \times q$.
Choose $g_1, g_2$ from $\mathbb{Z}_N$ such that $g_i^{\phi(N)} \equiv 1 \bmod N$ ($i = 1, 2$).
Choose $b \xleftarrow{\$} \mathbb{Z}_{\phi(N)}$ and $x_i \xleftarrow{\$} \mathbb{Z}_{\phi(N)}$ ($i = 1, 2, 3, 4, 5$).
Choose a hash function $H : \{0,1\}^* \to \mathbb{Z}_N$.
Compute $x'_i \equiv b \times x_i \bmod \phi(N)$ ($i = 1, 2, 3, 4$).
Compute $c = g_1^{x_1} \times g_2^{x_2}$, $d = g_1^{x_3} \times g_2^{x_4}$, $h = g_1^{x_5}$.
Return $Sk = (p', q', x_1, x_2, x_3, x_4, x_5)$ and $Pk = (N, g_1, g_2, H, b, x'_1, x'_2, x'_3, x'_4, c, d, h)$.
Encrypt(Pk, m):
Choose $r \xleftarrow{\$} \mathbb{Z}_N$.
Compute $u_1 = g_1^r$, $u_2 = g_2^r$.
Compute $e = m \times h^r \bmod N$, $\alpha = H(u_1, u_2, e)$, $v = c^r \times d^{r \times \alpha} \bmod N$.
Return $C = (u_1, u_2, e, v)$.
Decrypt(Sk, C):
Compute $\alpha = H(u_1, u_2, e)$ and test if $v^b = u_1^{x'_1 + \alpha \times x'_3} \times u_2^{x'_2 + \alpha \times x'_4} \bmod N$.
If the condition does not hold return "reject", else return $m = e / u_1^{x_5}$.
3.2 Weakness in the PVPKE Scheme of (Zhang et al., 2013)
In this section we demonstrate that their PVPKE is not CCA2-secure. This implies that its use to design the PRE is also not secure. We can easily prove it based on the IND-CCA2 game.
Recall that the game can be seen as two phases. The first one gives the attacker access to a fixed public key and to a decryption oracle. The adversary can submit a large number of decryption queries without any restriction. Then comes the challenge, which concerns the distinction between two ciphertexts created by the challenger. Those ciphertexts correspond to two messages chosen by the attacker and encrypted under the same public key: e.g. the attacker sends $m_0$ and $m_1$ and receives $C^* = (u_1, u_2, e, v)$, which is the encryption of $m_i$ with $i \xleftarrow{\$} \{0,1\}$. In the second phase the adversary can submit decryption queries to the oracle except for the challenge $C^* = (u_1, u_2, e, v)$.
The attack consists of computing an invalid but uniformly distributed ciphertext $C'$ such that $C' \neq C^*$ and still the decryption oracle will not reject the request, as the verification will pass. The invalid ciphertext can be constructed this way: $C' = (u_1^b, u_2^b, e^b, v' = u_1^{(x'_1 + x'_3 \times \alpha)} \times u_2^{(x'_2 + x'_4 \times \alpha)})$. The decryption oracle will verify the signature: $v'^b = u_1'^{(x'_1 + x'_3 \times \alpha)} \times u_2'^{(x'_2 + x'_4 \times \alpha)} = (u_1^{(x'_1 + x'_3 \times \alpha)} \times u_2^{(x'_2 + x'_4 \times \alpha)})^b$, which is valid. Thus the decryption will return $m' = e' / u_1'^{x_5} = m^b \times h^{r \times b} / g_1^{x_5 \times r \times b} = m^b$. Now the attacker has only to test whether $m_0^b = m^b$ or $m_1^b = m^b$ and win the challenge.
The other schemes proposed in (Zhang et al., 2013) could also be broken by the same attack.
4 OUR CONSTRUCTION BASED ON THE CRAMER-SHOUP SCHEME
As we demonstrated in the previous section, the public verifiability for Cramer-Shoup in the (Zhang et al., 2013) scheme is not secure. In order to avoid this issue, (Wei et al., 2010) consider the delegator, the proxy and the delegate as peers, each having their own encryption public/private keys and sign/verify keys. Thus the proxy cannot modify the challenge ciphertext, and other outside adversaries cannot modify the original and the re-encrypted ciphertexts. Nevertheless their system is not fully CCA secure, since the proxy performs no verification of the validity of the ciphertexts. The idea of using key pairs at the proxy level seemed interesting to us. In our case we use encryption public/private keys, which permit the proxy to verify the validity of original ciphertexts and the delegate to test the validity of re-encrypted ciphertexts. It can be seen as constraining in terms of flexibility and transparency, but it is rather advantageous in the sense that we can easily detect malicious proxies through their public keys. In addition to checking the validity of the ciphertexts and re-encrypted ciphertexts, we can also check the well-formedness of the re-encryption keys, which decreases the damage of DDoS attacks. The scheme is proved CCA-secure under the DDH assumption in the next section.
4.1 The Proposed Scheme
Setup($1^\lambda$):
Let $G$ be a group of prime order $q$, such that the bit-length of $q$ is the security parameter $\lambda$. Choose random elements $g_1, g_2 \in G$ and two universal one-way hash functions $H_1 : \{0,1\}^* \to \mathbb{Z}_q$ and $H_2 : G^2 \to \mathbb{Z}_q$. The parameters are params $= (G, q, g_1, g_2, H_1, H_2)$.
KGen(params):
Let us denote by $(Sk_a, Pk_a)$ the private/public key pair associated with the user 'a'. Pick $Sk_a = (x_i : i \in \{1, 2, \dots, 7\})$ where $x_i \xleftarrow{\$} \mathbb{Z}_q$, and set $Pk_a = (c, d, h_1, h_2)$ such that $c = g_1^{x_1} \times g_2^{x_2}$, $d = g_1^{x_3} \times g_2^{x_4}$, $h_1 = g_1^{x_5 + H_1(c,d) \times x_6}$, $h_2 = g_1^{x_7}$.
Encrypt($m, Pk_a$):
For non-transformable ciphertexts:
Choose $r \xleftarrow{\$} \mathbb{Z}_q$
Compute $u_1 = g_1^r$, $u_2 = g_2^r$
Compute $e = h_{a2}^r \times m$, $\alpha = H_2(u_1, u_2, e)$
Compute $v = c_a^r \times d_a^{r \times \alpha}$
Output $C_a = (u_1, u_2, e, v)$
For transformable ciphertexts, add the proxy public key $Pk_p$ as input:
Choose $r \xleftarrow{\$} \mathbb{Z}_q$
Compute $u_1 = g_1^r$, $u_2 = g_2^r$
Compute $e = h_{a1}^r \times m$, $\alpha_1 = H_2(u_1, u_2, e)$
Compute $v = c_a^r \times d_a^{r \times \alpha_1}$, $\alpha_2 = H_2(\alpha_1, v)$
Compute $v_p = c_p^r \times d_p^{r \times \alpha_2}$
Output $C_a = (u_1, u_2, e, v, v_p)$
RkGen($Sk_a, Pk_b, Pk_p$):
On input user a's private key $Sk_a$, user b's public key $Pk_b$ and the proxy public key $Pk_p$:
Choose $j \xleftarrow{\$} \mathbb{Z}_q$, $k \xleftarrow{\$} \mathbb{Z}_q$
Compute $rk = \frac{x_5^a + H_1(c,d) \times x_6^a}{k}$
Compute $u'_1 = g_1^j$, $u'_2 = g_2^j$
Compute $e' = h_{b1}^j \times k$, $\alpha'_1 = H_2(u'_1, u'_2, e')$
Compute $v' = c_b^j \times d_b^{j \times \alpha'_1}$, $\alpha'_2 = H_2(\alpha'_1, v')$, $v'_p = c_p^j \times d_p^{j \times \alpha'_2}$
Return $Rk_{ab} = (rk, u'_1, u'_2, e', v', v'_p)$
ReEncrypt($Rk_{ab}, C_a, Pk_p, Sk_p$):
On input a re-encryption key, a transformable ciphertext and the proxy public/private key pair:
Test if $v_p = u_1^{(x_1^p + x_3^p \times \alpha_2)} \times u_2^{(x_2^p + x_4^p \times \alpha_2)}$ and $v'_p = u_1'^{(x_1^p + x_3^p \times \alpha'_2)} \times u_2'^{(x_2^p + x_4^p \times \alpha'_2)}$
Choose $\omega \xleftarrow{\$} \mathbb{Z}_q$
Compute $\beta = u_1^{rk}$, $u''_1 = g_1^{\omega}$, $u''_2 = g_2^{\omega}$
Compute $e'' = e$, $\alpha'' = H_2(u''_1, u''_2, e'', \beta)$
Compute $v'' = c_b^{\omega} \times d_b^{\omega \times \alpha''}$
Output $C_b = (\beta, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'')$
Decrypt($Sk_b, C_b$):
If $C_b = (u_1, u_2, e, v)$:
Test if $v = u_1^{(x_1^b + x_3^b \times \alpha)} \times u_2^{(x_2^b + x_4^b \times \alpha)}$
Compute $m = \frac{e}{u_1^{x_7^b}}$
If $C_b = (u_1, u_2, e, v, v_p)$:
Test if $v = u_1^{(x_1^b + x_3^b \times \alpha_1)} \times u_2^{(x_2^b + x_4^b \times \alpha_1)}$
Compute $m = \frac{e}{u_1^{(x_5^b + H_1(c,d) \times x_6^b)}}$
If $C_b = (\beta, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'')$:
Test if $v'' = u_1''^{(x_1^b + x_3^b \times \alpha'')} \times u_2''^{(x_2^b + x_4^b \times \alpha'')}$ and $v' = u_1'^{(x_1^b + x_3^b \times \alpha'_1)} \times u_2'^{(x_2^b + x_4^b \times \alpha'_1)}$
Compute $k = \frac{e'}{u_1'^{(x_5^b + H_1(c,d) \times x_6^b)}}$
Compute $m = \frac{e''}{\beta^k}$
4.2 Correctness and Security Analysis
The correctness of decryption for original ciphertexts (transformable or non-transformable) is trivial since it is the same as in Cramer-Shoup. Correctness of decryption for re-encrypted ciphertexts can be viewed as follows:
$m = \frac{e''}{\beta^k} = \frac{e''}{u_1^{rk \times k}} = \frac{m \times g_1^{r \times (x_5 + H_1(c,d) \times x_6)}}{g_1^{r \times \frac{(x_5 + H_1(c,d) \times x_6)}{k} \times k}}$
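As an added worked example (not code from the paper), the following Python toy implementation runs Setup, KGen, the transformable Encrypt, RkGen, ReEncrypt and Decrypt of Section 4.1 over a small order-q subgroup of $\mathbb{Z}_p^*$, using the Cramer-Shoup validity test of Section 2.2 as the proxy's and the delegate's check, and exercises the correctness equation above. Assumptions not in the paper: SHA-256 reduced mod q stands in for $H_1$ and $H_2$, the parameters are a seeded 28-bit toy safe prime (not a secure size), and the proxy is also given $Pk_b$, which it needs to compute $v''$.

```python
"""Toy, runnable version of the Section 4.1 PRE (Cramer-Shoup based, proxy key pair)."""
import hashlib
import random

def _is_prime(n):  # trial division: adequate for the toy 28-bit parameters used below
    return n > 2 and all(n % f for f in range(2, int(n ** 0.5) + 1))

class Group:
    """Setup(1^lambda): order-q subgroup of Z_p^* with p = 2q + 1 (toy size, seeded RNG)."""

    def __init__(self, bits=28, seed=2020):
        self.rng = random.Random(seed)
        while True:
            q = self.rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_prime(q) and _is_prime(2 * q + 1):
                break
        self.p, self.q = 2 * q + 1, q
        self.g1 = pow(self.rng.randrange(2, self.p - 1), 2, self.p)  # squares have order q
        self.g2 = pow(self.rng.randrange(2, self.p - 1), 2, self.p)

    def rand_exp(self):  # x <-$ Z_q, non-zero so that inverses mod q exist
        return self.rng.randrange(1, self.q)

    def hash(self, *parts):  # stands in for H_1 and H_2: SHA-256 of the inputs, reduced mod q
        data = "|".join(str(x) for x in parts).encode()
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % self.q

def kgen(G):
    """KGen: Sk = (x_1..x_7) (x[0] unused), Pk = (c, d, h_1, h_2)."""
    x = [0] + [G.rand_exp() for _ in range(7)]
    c = pow(G.g1, x[1], G.p) * pow(G.g2, x[2], G.p) % G.p
    d = pow(G.g1, x[3], G.p) * pow(G.g2, x[4], G.p) % G.p
    h1 = pow(G.g1, (x[5] + G.hash(c, d) * x[6]) % G.q, G.p)
    return x, {"c": c, "d": d, "h1": h1, "h2": pow(G.g1, x[7], G.p)}

def cs_tag(G, pk, r, alpha):
    """Cramer-Shoup tag v = c^r * d^(r*alpha) under public key pk."""
    return pow(pk["c"], r, G.p) * pow(pk["d"], r * alpha % G.q, G.p) % G.p

def cs_check(G, sk, u1, u2, v, alpha):
    """Designated-verifier test: v == u1^(x1 + alpha*x3) * u2^(x2 + alpha*x4)."""
    lhs = pow(u1, (sk[1] + alpha * sk[3]) % G.q, G.p) * pow(u2, (sk[2] + alpha * sk[4]) % G.q, G.p)
    return lhs % G.p == v

def encrypt(G, m, pk_a, pk_p):
    """Transformable Encrypt: C_a = (u1, u2, e, v, v_p); only the proxy can check v_p."""
    r = G.rand_exp()
    u1, u2 = pow(G.g1, r, G.p), pow(G.g2, r, G.p)
    e = pow(pk_a["h1"], r, G.p) * m % G.p
    v = cs_tag(G, pk_a, r, G.hash(u1, u2, e))  # alpha_1 = H2(u1, u2, e)
    return (u1, u2, e, v, cs_tag(G, pk_p, r, G.hash(G.hash(u1, u2, e), v)))  # alpha_2 = H2(alpha_1, v)

def rkgen(G, sk_a, pk_a, pk_b, pk_p):
    """RkGen: rk = (x5 + H1(c,d)*x6) / k, plus a transformable encryption of k under Pk_b."""
    j, k = G.rand_exp(), G.rand_exp()
    rk = (sk_a[5] + G.hash(pk_a["c"], pk_a["d"]) * sk_a[6]) * pow(k, -1, G.q) % G.q
    u1, u2 = pow(G.g1, j, G.p), pow(G.g2, j, G.p)
    e = pow(pk_b["h1"], j, G.p) * k % G.p  # k < q < p, so k is used directly as an element of Z_p^*
    v = cs_tag(G, pk_b, j, G.hash(u1, u2, e))
    return (rk, u1, u2, e, v, cs_tag(G, pk_p, j, G.hash(G.hash(u1, u2, e), v)))

def reencrypt(G, rk_ab, c_a, sk_p, pk_b):
    """ReEncrypt: the proxy checks v_p and v'_p with Sk_p, then blinds u1 and re-tags for b.
    Assumption: the proxy also holds Pk_b (needed for v''), which the paper's signature omits."""
    u1, u2, e, v, vp = c_a
    rk, u1p, u2p, ep, vp1, vpp = rk_ab
    ok_c = cs_check(G, sk_p, u1, u2, vp, G.hash(G.hash(u1, u2, e), v))
    ok_k = cs_check(G, sk_p, u1p, u2p, vpp, G.hash(G.hash(u1p, u2p, ep), vp1))
    if not (ok_c and ok_k):
        return None  # reject: mauled ciphertext or malformed re-encryption key
    w, beta = G.rand_exp(), pow(u1, rk, G.p)
    u1pp, u2pp = pow(G.g1, w, G.p), pow(G.g2, w, G.p)
    vpp2 = cs_tag(G, pk_b, w, G.hash(u1pp, u2pp, e, beta))  # alpha'' = H2(u1'', u2'', e'', beta)
    return (beta, u1p, u2p, ep, vp1, u1pp, u2pp, e, vpp2)

def decrypt_reencrypted(G, sk_b, pk_b, c_b):
    """Decrypt (re-encrypted case): check both tags, recover k, then m = e'' / beta^k."""
    beta, u1p, u2p, ep, vp1, u1pp, u2pp, epp, vpp2 = c_b
    ok1 = cs_check(G, sk_b, u1pp, u2pp, vpp2, G.hash(u1pp, u2pp, epp, beta))
    ok2 = cs_check(G, sk_b, u1p, u2p, vp1, G.hash(u1p, u2p, ep))
    if not (ok1 and ok2):
        return None
    xb = (sk_b[5] + G.hash(pk_b["c"], pk_b["d"]) * sk_b[6]) % G.q
    k = ep * pow(pow(u1p, xb, G.p), -1, G.p) % G.p
    return epp * pow(pow(beta, k, G.p), -1, G.p) % G.p

def demo():
    """Alice -> proxy -> Bob on a constructed plaintext; also hands the proxy a mauled ciphertext."""
    G = Group()
    (sk_a, pk_a), (sk_b, pk_b), (sk_p, pk_p) = kgen(G), kgen(G), kgen(G)
    m = pow(G.g1, G.rand_exp(), G.p)  # constructed plaintext, an element of G
    c_a = encrypt(G, m, pk_a, pk_p)
    rk_ab = rkgen(G, sk_a, pk_a, pk_b, pk_p)
    m_b = decrypt_reencrypted(G, sk_b, pk_b, reencrypt(G, rk_ab, c_a, sk_p, pk_b))
    mauled = c_a[:2] + (c_a[2] * G.g1 % G.p,) + c_a[3:]  # change e without knowing any key
    return m, m_b, reencrypt(G, rk_ab, mauled, sk_p, pk_b)
```

`demo()` returns the original plaintext, Bob's recovered plaintext, and the proxy's answer (`None`) for the mauled ciphertext, which the $v_p$ check rejects because $\alpha_2$ no longer matches.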
Intuitively, we can check the IND-CCA security of our scheme as follows:
For original non-transformable ciphertexts, they are Cramer-Shoup ciphertexts, which are proved in (Cramer and Shoup, 1998) to be CCA-secure under the DDH assumption and second preimage resistance.
With original transformable ciphertexts, encryption is almost the same as Cramer-Shoup. However, we compute a $v_p$ so that the proxy can verify the validity of the ciphertext. In the IND-CCA-2 game we give the challenger access to both secret keys of the proxy and the delegator so that he can verify the validity of $v_p$. Otherwise, it does not affect the security of the scheme, since $v_p$ is computed with another public key and thus will be linearly independent of $v$ even if we use the same random coin.
Re-encryption key generation was inspired by the work of (Chow et al., 2010): even if $k$, which was chosen randomly to compute $rk = \frac{x_5 + H_1(c,d) \times x_6}{k}$, is leaked, e.g. when the proxy and the delegate collude, only $x_5 + H_1(c,d) \times x_6$ can be computed. This linear combination prevents $x_5$ and $x_6$ from being found, due to the fact that there are as many possible solutions as the cardinality of the group $G$ to which the $x_i$ belong. Thus no information on the private keys is revealed, which makes the scheme collusion resistant.
Re-encrypted ciphertexts are two different Cramer-Shoup ciphertexts; the first one is used to decrypt the substitution key $k$ created by the delegator, which is essential for the decryption of the second ciphertext, as we saw before in the correctness.
5 PROOF OF SECURITY
We first give the definition of the unidirectional single-hop PRE-CCA game following the model of (Canetti and Hohenberger, 2007). We take into account the changes proposed by the authors for unidirectional schemes, since the formal model was intended for bidirectional PRE. We have made changes related to the addition of proxy key pairs:
Let $\lambda$ be a security parameter. Let $A$ be an oracle TM representing the adversary. The game consists in an execution of $A$ with the following oracles. They can be invoked several times in any order, subject to the constraints below:
OKGen: For uncorrupted users return $Pk$, where $(Pk, Sk) \leftarrow$ KGen(params). For corrupted users return $Pk$ and $Sk$, where $(Pk, Sk) \leftarrow$ KGen(params).
ORkGen: On input $Pk_a$, $Pk_b$ and $Pk_p$, the re-encryption key generation algorithm outputs $Rk_{ab}$. We reject the query if it is a re-encryption key generation between a corrupted and an uncorrupted key.
OEncryption: For a non-transformable ciphertext, on input a message $m$, the output is $C = (u_1, u_2, e, v)$. For an original transformable ciphertext, output $C = (u_1, u_2, e, v, v_p)$.
OChallenge: This oracle can be queried only once. On input $(Pk^*, m_0, m_1)$, where $Pk^*$ is called the challenge key, the oracle chooses a bit $b \xleftarrow{\$} \{0,1\}$ and returns the challenge ciphertext $C = Enc(Pk^*, m_b)$. (As we note later, the challenge key must be uncorrupted for $A$ to win.)
OReEncryption: On input $(Pk_a, Pk_b, C_a)$, if $Pk_b$ is corrupted or $a = b$ returns $\perp$. Otherwise it returns $C_b$.
ODecryption: On input $(Pk, C)$, if $Pk$ was not generated before returns $\perp$. Else returns Decrypt($C, Sk$).
ODecision: This oracle can also be queried only once. On input $b'$: if $b' = b$ and the challenge key $Pk^*$ is not corrupted, then outputs 1, else outputs 0.
We say that $A$ wins the PRE-CCA game with advantage $\varepsilon$ if the probability, over the random choices of $A$ and the oracles, that the decision oracle is invoked and outputs 1 is at least $1/2 + \varepsilon$.
Theorem 1. Our scheme is secure against adaptive chosen ciphertext attack assuming that (1) the hash functions $H_1, H_2$ are chosen from a universal one-way family, and (2) the Diffie-Hellman decision problem is hard in the group $G$.
We give our scheme's formal proof based on the proofs of (Wang et al., 2009) and (Chow et al., 2010) as follows:
Assume an external adversary algorithm $B$ breaking the IND-CCA2 property of the scheme; we use $B$ to construct an algorithm $A$ that distinguishes whether a four-tuple $(g_1, g_2, u_1, u_2)$ from $G$ is a DDH tuple or not. Oracle queries from $B$ are handled by $A$ as follows:
Query to OKGen: If user $a$ is corrupted, $A$ randomly chooses $Sk_a = (x_i^a) \xleftarrow{\$} \mathbb{Z}_q$ for $i = 1, 2, \dots, 7$, computes $Pk_a = (g_1, g_2, c_a = g_1^{x_1^a} \times g_2^{x_2^a}, d_a = g_1^{x_3^a} \times g_2^{x_4^a}, h_1^a = g_1^{x_5^a + H_1(c,d) \times x_6^a}, h_2^a = g_1^{x_7^a})$ and returns $Sk_a, Pk_a$, which has an identical distribution to the real distribution of private and public keys. For an uncorrupted user $b$, $A$ randomly chooses $Sk_b = (x_i^b) \xleftarrow{\$} \mathbb{Z}_q$ for $i = 1, 2, \dots, 9$, computes $Pk_b = (g_1, g_2, c_b = g_1^{x_1^b} \times g_2^{x_2^b}, d_b = g_1^{x_3^b} \times g_2^{x_4^b}, h_1^b = g_1^{x_5^b + H_1(c,d) \times x_6^b} \times g_2^{x_8^b}, h_2^b = g_1^{x_7^b} \times g_2^{x_9^b})$ and returns $Pk_b$. Assuming that $g_2 = g_1^w$, the output has an identical distribution to the real distribution of the public key, which gives us a perfect simulation.
Query to ORkGen: On input $Pk_a$, $Pk_b$ and $Pk_p$, if one of $a$ and $b$ is corrupted we reject the query. Else $A$ outputs $Rk_{ab} = (rk \xleftarrow{\$} \mathbb{Z}_q, C_1^a, v'_p)$, which is indistinguishable from $Rk_{ij} = (\frac{(x_5 + H_1(c,d) \times x_6)}{k}, C_1^i, v'_p)$.
Query to OEncryption: For a non-transformable encryption, given a message $m$, the encryption algorithm returns $C = (u_1, u_2, e, v) = (g_1^r, g_2^r, u_1^{x_7} \times u_2^{x_9} \times m, c^r \times d^{r \times \alpha})$ where $r \xleftarrow{\$} \mathbb{Z}_q$. This is a perfect simulation, as in the Cramer-Shoup encryption scheme. For an original transformable encryption, if the users are uncorrupted the encryption algorithm returns $C = (u_1, u_2, e, v, v_p) = (g_1^r, g_2^r, u_1^{(x_5 + H_1(c,d) \times x_6)} \times u_2^{x_8} \times m, c^r \times d^{r \times \alpha_1}, c'^r \times d'^{r \times \alpha_1})$ where $r \xleftarrow{\$} \mathbb{Z}_q$ and $v_p$ is computed with a random public key. Else, it outputs $\perp$. This is also a perfect simulation. We will show below that one cannot construct a valid tuple $(u_1, u_2, e, v, v_p)$ by oneself when $(g_1, g_2, u_1, u_2)$ is not a DDH tuple, relying on the same method used in Cramer-Shoup encryption.
Query to OReEncryption: On input $Pk_a, Pk_b, C_a = (u_1, u_2, e, v, v_p)$ from user $i$ to user $j$, search in the RkGen list for an item including $i$ and $j$. If it does not exist, run the query to ORkGen. Then the proxy verifies the ciphertext's validity by testing: if $v_p \neq u_1^{x_1^p} \times u_2^{x_2^p} \times u_1^{x_3^p \times \alpha_2} \times u_2^{x_4^p \times \alpha_2}$ return $\perp$. Else, return $C_j = (\beta, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'') = (u_1^{(x_5 + H_1(c,d) \times x_6)}, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'')$, which includes two Cramer-Shoup ciphertexts and has the same distribution as $(u_1^{rk}, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'')$. Thus the real output and the simulated output are indistinguishable, so this is also a perfect simulation.
Query to ODecryption: In the real decryption, given a re-encrypted ciphertext $C = (\beta, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'')$, the decryption algorithm runs as follows. It first computes $\alpha''_1 = H_2(u''_1, u''_2, e'', \beta)$, and tests if $v'' = u_1''^{(x_1 + x_3 \times \alpha''_1)} \times u_2''^{(x_2 + x_4 \times \alpha''_1)}$ and $v' = u_1'^{(x_1 + x_3 \times \alpha'_1)} \times u_2'^{(x_2 + x_4 \times \alpha'_1)}$. If this condition does not hold, the decryption algorithm outputs $\perp$; otherwise, it computes $k = \frac{e'}{u_1'^{(x_5 + H_1(c,d) \times x_6)}}$ and outputs $m = \frac{e''}{\beta^k}$. In our simulation, on input $C_j$ from user $i$ to $j$, $B$ first verifies the ciphertext's validity. If it is an invalid ciphertext, return $\perp$; else compute $k = \frac{e'}{u_1'^{(x_5^j + H_1(c,d) \times x_6^j)} \times u_2'^{x_8^j}}$ then output $m = \frac{e''}{\beta^k} = \frac{e''}{u_1^{1/(x_5^j + H_1(c,d) \times x_6^j)}}$.
As in Cramer-Shoup encryption, if $(g_1, g_2, u_1, u_2)$ is a DDH tuple, our simulated decryption is a perfect decryption. For original ciphertexts the same proof holds as for Cramer-Shoup encryption; there is a slight difference in the proof for original transformable ciphertexts, which we explain below. The simulated decryption is also a perfect decryption.
Lemma 2. If $(g_1, g_2, u_1, u_2)$ is not a DDH tuple, ODecryption will reject all invalid ciphertexts, except with negligible probability.
The proof of this lemma is the same as in (Cramer and Shoup, 1998); the only difference is that in the ODecryption simulation for transformable ciphertexts, the adversary must solve these equations:
$x_1 + w \times x_2 = \log_{g_1} c \bmod q$
$x_3 + w \times x_4 = \log_{g_1} d \bmod q$
$x_1^p + w \times x_2^p = \log_{g_1} c_p \bmod q$
$x_3^p + w \times x_4^p = \log_{g_1} d_p \bmod q$
$r_1 x_1 + r_2 \alpha_1 x_3 + r_1 w x_2 + r_2 \alpha_1 w x_4 = \log_{g_1} v \bmod q$
$r_1 x_1^p + r_2 \alpha_2 x_3^p + r_1 w x_2^p + r_2 \alpha_2 w x_4^p = \log_{g_1} v_p \bmod q$
These equations are linearly independent, thus our simulation is perfect for the external adversary, unless the proxy reveals his private key. If $A$ can break our re-encryption scheme, $B$ can solve the DDH problem in $G$. Thus we prove our theorem.
6 CONCLUSION
In this paper, we point out that the schemes in (Zhang et al., 2013) are not CCA-secure, and we show how an adversary could distinguish between two ciphertexts in the IND-CCA2 game. We also present a construction of a unidirectional proxy re-encryption scheme without bilinear pairings in the standard model. Our scheme is proven CCA-secure in the standard model under the decisional Diffie-Hellman assumption and the second preimage resistance of the chosen universal one-way hash family. We do not consider efficiency, but rather, above all, aim to come up with a solution for one of the two open problems left by (Deng et al., 2008). As a perspective, we will implement the proposed algorithm in order to compare it with other related works, and try to design more efficient schemes.
ACKNOWLEDGEMENTS
We would like to thank Damien Vergnaud for the valuable discussions and for his constructive comments about the flaw, which led us to find the concrete attack on (Zhang et al., 2013). This work is supported by ADEME under the VertPom project.
REFERENCES
Ateniese, G., Benson, K., and Hohenberger, S. (2009). Key-private proxy re-encryption. In Cryptographers' Track at the RSA Conference, pages 279–294. Springer.
Ateniese, G., Fu, K., Green, M., and Hohenberger, S. (2006). Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Transactions on Information and System Security (TISSEC), 9(1):1–30.
Blaze, M., Bleumer, G., and Strauss, M. (1998). Divertible protocols and atomic proxy cryptography. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 127–144. Springer.
Canetti, R. (2001). Universally composable security: A new paradigm for cryptographic protocols. In Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pages 136–145. IEEE.
Canetti, R. and Hohenberger, S. (2007). Chosen-ciphertext secure proxy re-encryption. In Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 185–194. ACM.
Chow, S. S., Weng, J., Yang, Y., and Deng, R. H. (2010). Efficient unidirectional proxy re-encryption. In International Conference on Cryptology in Africa, pages 316–332. Springer.
Cramer, R. and Shoup, V. (1998). A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Annual International Cryptology Conference, pages 13–25. Springer.
Deng, R. H., Weng, J., Liu, S., and Chen, K. (2008). Chosen-ciphertext secure proxy re-encryption without pairings. In International Conference on Cryptology and Network Security, pages 1–17. Springer.
Green, M. and Ateniese, G. (2007). Identity-based proxy re-encryption. In International Conference on Applied Cryptography and Network Security, pages 288–306. Springer.
Purushothama, B., Shrinath, B., and Amberker, B. (2013). Secure cloud storage service and limited proxy re-encryption for enforcing access control in public cloud. International Journal of Information and Communication Technology, 5(2):167–186.
Sbai, A., Drocourt, C., and Dequen, G. (2019). PRE as a service within smart grid cities. In 16th International Conference on Security and Cryptography.
Selvi, S. S. D., Paul, A., and Pandurangan, C. (2017). A provably-secure unidirectional proxy re-encryption scheme without pairing in the random oracle model. In International Conference on Cryptology and Network Security, pages 459–469. Springer.
Shao, J. and Cao, Z. (2009). CCA-secure proxy re-encryption without pairings. In International Workshop on Public Key Cryptography, pages 357–376. Springer.
Wang, X. A., Wu, W., and Yang, X. (2009). On DDoS attack against proxy in re-encryption and re-signature. Engineering College of Chinese, PR China.
Wei, P., Wang, X. A., and Yang, X. (2010). Proxy re-encryption schemes with proxy having its own public/private keys. In 2010 2nd International Workshop on Database Technology and Applications, pages 1–4. IEEE.
Zhang, M., Wang, X. A., Li, W., and Yang, X. (2013). CCA secure publicly verifiable public key encryption without pairings nor random oracle and its applications. JCP, 8(8):1987–1994.