CCA Secure Unidirectional PRE with Key Pair in the Standard Model without Pairings

Anass Sbai, Cyril Drocourt and Gilles Dequen

MIS Laboratory, University of Picardie Jules Verne, France

Keywords:

Proxy Re-Encryption, Unidirectional, Chosen Ciphertext Attack, Cramer-Shoup, Standard Model.

Abstract:

Secure data sharing has become a ubiquitous need. One way of pursuing it is to use Proxy Re-Encryption (PRE), which allows delegation of decryption rights selectively. This work tackles the problem of designing a Proxy Re-Encryption that is unidirectional and CCA-secure in the standard model without pairings. (Zhang et al., 2013) proposes a solution that makes the Cramer-Shoup encryption scheme publicly verifiable and uses that result to construct a CCA secure PRE in the standard model. However, we show that their scheme is vulnerable to adaptive chosen ciphertext attacks. We then propose a new construction based on the Cramer-Shoup cryptosystem (Cramer and Shoup, 1998) that is CCA secure without pairings or random oracles.

1 INTRODUCTION

Proxy Re-Encryption (PRE) is a very useful tool that transforms ciphers intended for Alice into new ciphers that can be decrypted by Bob. Thus, it allows the delegation of decryption rights on Alice's data only to the intended recipients (we will also refer to Alice as the delegator and Bob as the delegate). The first scheme was proposed by Blaze, Bleumer and Strauss (Blaze et al., 1998), whose goal was to avoid having the data recovered, decrypted and then re-encrypted under the delegate's key, relying instead on a semi-trusted proxy that converts the ciphers using re-encryption keys created by the delegator. The major disadvantage of their scheme is that Alice's delegation to Bob automatically allowed Bob's delegation to Alice, what would later be called bidirectional PRE. This property is due to the fact that re-encryption keys were created using the private keys of both actors.

In terms of security, as for PKE (Public Key Encryption), we can assess the secrecy of the schemes on three levels:

• IND-CPA (indistinguishability under chosen plaintext attack), where we give the attacker access to an encryption oracle. He can query plaintexts of his choice and get the corresponding ciphertexts. Then comes the challenge, where he generates two messages of the same length and sends them to the challenger, who randomly chooses one of them to encrypt. The scheme is broken if the adversary is able to guess which of the two messages has been encrypted with non-negligible probability.

• IND-CCA-1 (indistinguishability under chosen ciphertext attack), where the attacker has access to an encryption and a decryption oracle. He can send as many decryption queries as he wants before the challenge. The latter remains the same as in the IND-CPA game, and the scheme is broken if the adversary guesses which of the two messages has been encrypted with non-negligible probability.

• IND-CCA-2 (indistinguishability under adaptive chosen ciphertext attack), where the game runs the same as in IND-CCA-1, but in addition the attacker can send decryption queries to the oracle after the challenge, except for the challenge ciphertext.

The main difference in the indistinguishability game between PKE and PRE is that the adversary has access to a re-encryption oracle; thus the proxy should not learn any information about the message during the re-encryption process. We give a more formal definition in Section 5. For the rest of this paper, a CCA secure scheme will stand for the IND-CCA-2 security notion.

The construction of the BBS (Blaze et al., 1998) PRE achieves CPA security. In (Ateniese et al., 2006) the authors formalize the properties and security requirements of PRE that we define in Section 2 and propose the first unidirectional scheme. Since then, several works have been published concerning PRE. The first functional Identity-Based Proxy Re-Encryption (IB-PRE) system using pairings that is CPA secure was proposed in (Green and Ateniese, 2007). (Canetti and Hohenberger, 2007) propose the first bidirectional CCA secure PRE scheme, proving its security in the UC framework (Universal Composability framework (Canetti, 2001)). In (Deng et al., 2008), the authors deal with the open problem presented by Canetti concerning the construction of a CCA secure PRE without pairings. (Ateniese et al., 2009) formalize the notion of key privacy, which means that using the re-encryption key one cannot recover the identity of either the delegate or the delegator. They show why the previous systems were not key-private and propose a new re-encryption system considered as the first unidirectional PRE that is key-private. Their construction is single-use CPA secure. (Chow et al., 2010) demonstrated the possibility of conducting a CCA attack on Shao's system (Shao and Cao, 2009) and showed how to fix the issue. They proposed their own scheme without using pairings, relying only on ElGamal and the Schnorr signature. (Selvi et al., 2017) find a flaw in the security proof of Chow's construction and propose to fix it. The system is unidirectional CCA secure in the random oracle model and was implemented in (Sbai et al., 2019).

Sbai, A., Drocourt, C. and Dequen, G. CCA Secure Unidirectional PRE with Key Pair in the Standard Model without Pairings. DOI: 10.5220/0008955704400447. In Proceedings of the 6th International Conference on Information Systems Security and Privacy (ICISSP 2020), pages 440-447. ISBN: 978-989-758-399-5; ISSN: 2184-4356. Copyright © 2022 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved.

The security proofs in this model are founded on the existence of an ideal hash function that guarantees uniformly random outputs, which in practice cannot be instantiated, and there is no proof that a random oracle can exist. Nevertheless, many schemes base their security proofs on a random oracle and are used in practice, e.g. RSA-OAEP, without any vulnerability having been shown so far. Still, it is recommended to have a scheme which is proved secure under standard cryptographic assumptions, e.g. the discrete logarithm problem or others. This does not mean that we cannot use hash functions, as long as the proofs rely on the assumption of collision resistance or second preimage resistance and not on an ideal hash function. Until now, the only unidirectional PRE scheme that has been claimed to be CCA secure without relying on pairings or random oracles is (Zhang et al., 2013), where the authors propose a PVPKE (Publicly Verifiable Public Key Encryption) and use their result to construct a PRE scheme.

In this paper, we first show that the proposal of (Zhang et al., 2013) is not CCA-secure. Then, we deal with the open problem of constructing a PRE scheme with CCA-security in the standard model without relying on pairings, based only on a DVPKE (Designated Verifier Public Key Encryption), namely the Cramer-Shoup cryptosystem, by giving the proxy a private and public key pair that allows it to check the validity of ciphertexts. Unlike (Wei et al., 2010) we do not need to include a new signature scheme and new key pairs; doing so amounts to the same problem, since all efficient signature schemes rely on random oracles or pairings. Our method shows that the designated verifier property of the Cramer-Shoup encryption is sufficient to construct a CCA secure PRE, by setting the proxy as a peer. We show later in the paper its benefits and inconveniences. We explain our construction and prove its CCA-security. This work was inspired by the (Chow et al., 2010) and (Wang et al., 2009) cryptosystems.

2 PRELIMINARIES

2.1 PRE Definition

Usually a PRE scheme can be defined as a tuple $\zeta : \{Setup, KGen, RkGen, Encrypt, ReEncrypt, Decrypt\}$ where:

• Setup($1^\lambda$): takes as input a security parameter $\lambda$ and generates the scheme parameters denoted $params$.

• KGen($params$): takes as input the scheme parameters and generates the public/private key pair $(Pk, Sk)$.

• RkGen($Sk_a, Pk_b$): in the case of unidirectional PRE, it takes as input $a$'s private key $Sk_a$ and $b$'s public key $Pk_b$ to generate the re-encryption key $Rk_{a \to b}$.

• Encrypt($m, Pk_a$) $= C_a$: the encryption function.

• ReEncrypt($C_a, Rk_{a \to b}$) $= C_b$: the re-encryption function. This can be either deterministic or probabilistic.

• Decrypt($C, Sk$) $= M$: the decryption function.

In some cases, we can find two more functions used for encryption and decryption in which the cipher cannot be re-encrypted, which we call non-transformable ciphertexts, so that only the owner of the private key can decrypt. There are also schemes like (Wei et al., 2010) and (Purushothama et al., 2013) that use key pairs for the proxy. The definition remains the same, but some properties can be lost, especially transparency. In (Ateniese et al., 2006) Ateniese gives a more formal definition of PRE and defines the properties concretely:

• Unidirectional: Delegation of decryption rights from Alice to Bob does not allow Alice to decrypt Bob's cipher.


• Non-interactive: The re-encryption key can be generated by Alice without interacting with Bob, and thus using only Bob's public key.

• Transparent: Or invisible, meaning that the delegate cannot distinguish between an encrypted message and a re-encrypted message.

• Key-optimal: The size of Bob's secret storage must remain unchanged, no matter how many delegations he accepts.

• Original access: The sender can decrypt any re-encrypted message of which he was originally the owner.

• Collusion-safe: If the proxy and Bob collude, they should not get Alice's secret key.

• Non-transitive: The proxy cannot re-delegate re-encryption rights (e.g. from $Rk_{a \to b}$ and $Rk_{b \to c}$ the proxy cannot calculate $Rk_{a \to c}$).

• Non-transferable: The proxy and delegates cannot redefine decryption rights (e.g. from $Rk_{a \to b}$, $Pk_c$ and $Sk_b$ we cannot calculate $Rk_{a \to c}$).

• Temporary: Bob can decipher the messages received from Alice only at a certain point in time.

2.2 Cramer-Shoup Encryption Scheme (Cramer and Shoup, 1998)

It is the first efficient asymmetric encryption scheme that fulfils CCA security in the standard model, under the assumptions that we have a universal one-way hash function and that the Decisional Diffie-Hellman problem is hard in the underlying group. Assume we have a group $G$ of large prime order $q$; the plaintexts are elements of $G$ and the key generation process is as follows. Choose $g_1, g_2$ from $G$ and $x_i \xleftarrow{\$} \mathbb{Z}_q$, $i \in \{1, 2, \ldots, 5\}$, then compute $c = g_1^{x_1} \times g_2^{x_2}$, $d = g_1^{x_3} \times g_2^{x_4}$, $h = g_1^{x_5}$. Next choose a hash function $H$ from the family of universal one-way hash functions. Set the private key as $Sk = (x_1, x_2, x_3, x_4, x_5)$ and the public key as $Pk = (q, g_1, g_2, H, c, d, h)$. To encrypt a message the sender must choose $r \xleftarrow{\$} \mathbb{Z}_q$ and compute $u_1 = g_1^r$, $u_2 = g_2^r$, $e = m \times h^r$, $\alpha = H(u_1, u_2, e)$, $v = c^r \times d^{r \times \alpha}$. The ciphertext is $(u_1, u_2, e, v)$. To decrypt, the first step is to verify the validity of the ciphertext by checking that $v = u_1^{x_1 + \alpha \times x_3} \times u_2^{x_2 + \alpha \times x_4}$. If this equality does not hold, reject the decryption request; else compute and return $m = e / u_1^{x_5}$.

3 ANALYSIS OF PVPKE BY (ZHANG ET AL., 2013)

The trick that helps to create a CCA secure PRE is the public verifiability of ciphertexts: the first step for the proxy is to check the validity of the ciphertext before re-encrypting it. As an example, (Chow et al., 2010) relies on the Schnorr signature with a slight modification to get public verifiability. This also makes ElGamal encryption CCA secure. The Schnorr signature used is a sort of NIZK (Non-Interactive Zero-Knowledge) proof obtained from the Fiat-Shamir transformation of the interactive Schnorr identification scheme. This transformation leads to the use of a random oracle in the security model.

As for (Zhang et al., 2013), their scheme is based on Cramer-Shoup encryption. In order to make it publicly verifiable, the authors opted for the use of composite order groups. Thus, based on the hardness of factoring a product of large primes, they can compute from some elements of the private key values in $\mathbb{Z}_{\phi(N)}$ that can be used for verification by raising to them in the exponent in $\mathbb{Z}_N$, while keeping $\phi(N)$ hidden. The scheme is CPA secure but not CCA secure as they had claimed. We review the scheme of (Zhang et al., 2013) and show how to mount an adaptive chosen ciphertext attack below.

3.1 Review of the Scheme

• KGen():

– Let $p$, $q$, $p'$ and $q'$ be big primes such that $p = 2 \times p' + 1$, $q = 2 \times q' + 1$ and $N = p \times q$.

– Choose $g_1, g_2$ from $\mathbb{Z}_N$ such that $g_i^{\phi(N)} \equiv 1 \bmod N$ ($i = 1, 2$).

– Choose $b \xleftarrow{\$} \mathbb{Z}_{\phi(N)}$ and $x_i \xleftarrow{\$} \mathbb{Z}_{\phi(N)}$ ($i = 1, 2, 3, 4, 5$).

– Choose a hash function $H : \{0,1\}^* \to \mathbb{Z}_N$.

– Compute $x'_i \equiv b \times x_i \bmod \phi(N)$ ($i = 1, 2, 3, 4$).

– Compute $c = g_1^{x_1} \times g_2^{x_2}$, $d = g_1^{x_3} \times g_2^{x_4}$, $h = g_1^{x_5}$.

– Return $Sk = (p', q', x_1, x_2, x_3, x_4, x_5)$ and $Pk = (N, g_1, g_2, H, b, x'_1, x'_2, x'_3, x'_4, c, d, h)$.

• Encrypt(Pk, m):

– Choose $r \xleftarrow{\$} \mathbb{Z}_N$.

– Compute $u_1 = g_1^r$, $u_2 = g_2^r$.

– Compute $e = m \times h^r \bmod N$, $\alpha = H(u_1, u_2, e)$, $v = c^r \times d^{r \times \alpha} \bmod N$.

– Return $C = (u_1, u_2, e, v)$.

• Decrypt(Sk, C):


– Compute $\alpha = H(u_1, u_2, e)$ and test if $v^b = u_1^{x'_1 + \alpha \times x'_3} \times u_2^{x'_2 + \alpha \times x'_4} \bmod N$.

– If the condition does not hold return "reject", else return $m = e / u_1^{x_5}$.

3.2 Weakness in the PVPKE Scheme of (Zhang et al., 2013)

In this section we demonstrate that their PVPKE is not CCA2-secure. This implies that the PRE built from it is not secure either. We can easily prove it based on the IND-CCA2 game.

Recall that the game can be seen as two phases. The first one gives the attacker access to a fixed public key and to a decryption oracle; the adversary can submit a large number of decryption queries without any restriction. Then comes the challenge, which concerns the distinction between two ciphers created by the challenger. Those ciphers correspond to two messages chosen by the attacker and encrypted under the same public key, e.g. the attacker sends $m_0$ and $m_1$ and receives $C^* = (u_1, u_2, e, v)$, which is the encryption of $m_i$ with $i \xleftarrow{\$} \{0,1\}$. In the second phase the adversary can submit decryption queries to the oracle except for the challenge $C^* = (u_1, u_2, e, v)$.

The attack consists of computing an invalid but uniformly distributed ciphertext $C'$ such that $C' \neq C^*$ and still the decryption oracle will not reject the request, as the verification will pass. The invalid ciphertext can be constructed this way: $C' = (u_1^b, u_2^b, e^b, v' = u_1^{(x'_1 + x'_3 \times \alpha)} \times u_2^{(x'_2 + x'_4 \times \alpha)})$, where $\alpha$ is the value $H(u_1^b, u_2^b, e^b)$ that the oracle recomputes on $C'$; only the public $x'_i$ are needed. The decryption oracle will verify the signature: $v'^b = u'^{(x'_1 + x'_3 \times \alpha)}_1 \times u'^{(x'_2 + x'_4 \times \alpha)}_2 = (u_1^{(x'_1 + x'_3 \times \alpha)} \times u_2^{(x'_2 + x'_4 \times \alpha)})^b$, which is valid. Thus the decryption will return $m' = e' / u'^{x_5}_1 = m^b \times h^{r \times b} / g_1^{x_5 \times r \times b} = m^b$. Now the attacker only has to test whether $m_0^b = m^b$ or $m_1^b = m^b$, and wins the challenge.

The other schemes proposed in (Zhang et al., 2013) could also be broken by the same attack.
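As an added illustration (not code from the paper), the following Python script instantiates the scheme reviewed in Section 3.1 on a constructed toy modulus and replays the computation of this section: the oracle's public check accepts the related ciphertext $C'$ and returns $m^b$, which is then compared against $m_0^b$ and $m_1^b$. The hash is SHA-256 reduced mod $N$ and the tiny primes are illustrative assumptions, nothing here is a usable instantiation.

```python
# Added example, not the paper's code: toy instance of the PVPKE reviewed in
# Section 3.1 and the related-ciphertext computation of Section 3.2.
# All parameters are constructed for illustration and far too small for use.
import hashlib
import random

P_PRIME, Q_PRIME = 23, 47          # constructed safe primes: 23 = 2*11+1, 47 = 2*23+1
N = P_PRIME * Q_PRIME              # N = 1081
PHI = (P_PRIME - 1) * (Q_PRIME - 1)


def H(*parts):
    """Hash H : {0,1}* -> Z_N (SHA-256 reduced mod N, an assumption)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def keygen(rng):
    def unit():                     # a unit of Z_N, so g^phi(N) = 1 mod N holds
        while True:
            g = rng.randrange(2, N)
            if g % P_PRIME and g % Q_PRIME:
                return g
    g1, g2 = unit(), unit()
    b = rng.randrange(2, PHI)
    x = [None] + [rng.randrange(1, PHI) for _ in range(5)]   # x_1..x_5 (index 0 unused)
    xp = [None] + [(b * x[i]) % PHI for i in range(1, 5)]    # public x'_i = b*x_i mod phi(N)
    c = pow(g1, x[1], N) * pow(g2, x[2], N) % N
    d = pow(g1, x[3], N) * pow(g2, x[4], N) % N
    h = pow(g1, x[5], N)
    return dict(g1=g1, g2=g2, b=b, xp=xp, c=c, d=d, h=h), dict(x=x)


def encrypt(pk, m, rng):
    r = rng.randrange(1, N)
    u1, u2 = pow(pk["g1"], r, N), pow(pk["g2"], r, N)
    e = m * pow(pk["h"], r, N) % N
    alpha = H(u1, u2, e)
    v = pow(pk["c"], r, N) * pow(pk["d"], r * alpha, N) % N
    return (u1, u2, e, v)


def public_check(pk, ct):
    """The scheme's test: v^b == u1^(x'_1 + alpha*x'_3) * u2^(x'_2 + alpha*x'_4) mod N.
    Every quantity on the right-hand side is public."""
    u1, u2, e, v = ct
    alpha, xp = H(u1, u2, e), pk["xp"]
    rhs = pow(u1, xp[1] + alpha * xp[3], N) * pow(u2, xp[2] + alpha * xp[4], N) % N
    return pow(v, pk["b"], N) == rhs


def decrypt(pk, sk, ct):
    if not public_check(pk, ct):
        return None                                          # "reject"
    u1, _, e, _ = ct
    return e * pow(pow(u1, sk["x"][5], N), -1, N) % N        # e / u1^x_5


def related_ciphertext(pk, ct):
    """C' = (u1^b, u2^b, e^b, v') from Section 3.2, built from public values only.
    alpha is the value the oracle recomputes on C', i.e. H(u1^b, u2^b, e^b)."""
    u1, u2, e, _ = ct
    b, xp = pk["b"], pk["xp"]
    u1b, u2b, eb = pow(u1, b, N), pow(u2, b, N), pow(e, b, N)
    alpha = H(u1b, u2b, eb)
    v_new = pow(u1, xp[1] + xp[3] * alpha, N) * pow(u2, xp[2] + xp[4] * alpha, N) % N
    return (u1b, u2b, eb, v_new)


def demo(seed=1):
    """Replays the IND-CCA2 argument of Section 3.2 on constructed inputs."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    m0, m1 = 5, 7                          # constructed challenge messages (units mod N)
    bit = rng.randrange(2)
    challenge = encrypt(pk, [m0, m1][bit], rng)
    related = related_ciphertext(pk, challenge)
    recovered = decrypt(pk, sk, related)   # oracle accepts C' != C* and returns m_bit^b
    cand0, cand1 = pow(m0, pk["b"], N), pow(m1, pk["b"], N)
    guess = 1 if recovered == cand1 else 0
    return dict(honest_ok=decrypt(pk, sk, challenge) == [m0, m1][bit],
                distinct=related != challenge, accepted=recovered is not None,
                recovered=recovered, expected=[cand0, cand1][bit],
                candidates_differ=cand0 != cand1, guess=guess, bit=bit)
```

The point to take away is in `public_check`: because the $x'_i$ are published, the whole right-hand side is computable without any secret, which a designated-verifier check (Section 2.2) never allows.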

4 OUR CONSTRUCTION BASED ON THE CRAMER-SHOUP SCHEME

As we demonstrated in the previous section, the public verifiability for Cramer-Shoup in the (Zhang et al., 2013) scheme is not secure. In order to avoid this issue, (Wei et al., 2010) consider the delegator, the proxy and the delegate as peers, each having their own encryption public/private keys and sign/verify keys. Thus the proxy cannot modify the challenge ciphertext, and other outside adversaries cannot modify the original and re-encrypted ciphertexts. Nevertheless, their system is not fully CCA secure, since no verification of the validity of the ciphertexts is made by the proxy. The idea of using key pairs at the proxy level seemed interesting to us. In our case we use encryption public/private keys which permit the proxy to verify the validity of original ciphertexts and the delegate to test the validity of re-encrypted ciphertexts. It can be seen as constraining in terms of flexibility and transparency, but it is rather advantageous in the sense that malicious proxies can easily be detected through their public keys. In addition to checking the validity of ciphertexts and re-encrypted ciphertexts, we can also check the well-formedness of the re-encryption keys, which decreases the damage of DDoS attacks. The scheme is proved CCA-secure under the DDH assumption in the next section.

4.1 The Proposed Scheme

• Setup($1^\lambda$):

– Let $G$ be a group of prime order $q$, such that the bit-length of $q$ is the security parameter $\lambda$. Choose random elements $g_1, g_2 \in G$ and two universal one-way hash functions $H_1 : \{0,1\}^* \to \mathbb{Z}_q$ and $H_2 : G^2 \to \mathbb{Z}_q^*$. The parameters are $params = (G, q, g_1, g_2, H_1, H_2)$.

• KGen($params$):

– Let us denote by $(Sk_a, Pk_a)$ the private/public key pair associated with user $a$. Pick $Sk_a = (x_i : i \in \{1, 2, \ldots, 7\})$ where $x_i \xleftarrow{\$} \mathbb{Z}_q$, and set $Pk_a = (c, d, h_1, h_2)$ such that $c = g_1^{x_1} \times g_2^{x_2}$, $d = g_1^{x_3} \times g_2^{x_4}$, $h_1 = g_1^{x_5 + H_1(c,d) \times x_6}$, $h_2 = g_1^{x_7}$.

• Encrypt($m, Pk_a$):

– For non-transformable ciphertexts:

Choose $r \xleftarrow{\$} \mathbb{Z}_q$.

Compute $u_1 = g_1^r$, $u_2 = g_2^r$.

Compute $e = h_{a2}^r \times m$, $\alpha = H_2(u_1, u_2, e)$.

Compute $v = c_a^r \times d_a^{r \times \alpha}$.

Output $C_a = (u_1, u_2, e, v)$.

– For transformable ciphertexts, add the proxy public key $Pk_p$ as input:

Choose $r \xleftarrow{\$} \mathbb{Z}_q$.

Compute $u_1 = g_1^r$, $u_2 = g_2^r$.

Compute $e = h_{a1}^r \times m$, $\alpha_1 = H_2(u_1, u_2, e)$.

Compute $v = c_a^r \times d_a^{r \times \alpha_1}$, $\alpha_2 = H_2(\alpha_1, v)$.

Compute $v_p = c_p^r \times d_p^{r \times \alpha_2}$.

Output $C_a = (u_1, u_2, e, v, v_p)$.


• RkGen($Sk_a, Pk_b, Pk_p$):

– On input user $a$'s private key $Sk_a$, user $b$'s public key $Pk_b$ and the proxy public key $Pk_p$:

Choose $j \xleftarrow{\$} \mathbb{Z}_q$, $k \xleftarrow{\$} \mathbb{Z}_q$.

Compute $rk = \dfrac{x^a_5 + H_1(c,d) \times x^a_6}{k}$.

Compute $u'_1 = g_1^j$, $u'_2 = g_2^j$.

Compute $e' = h_{b1}^j \times k$, $\alpha'_1 = H_2(u'_1, u'_2, e')$.

Compute $v' = c_b^j \times d_b^{j \times \alpha'_1}$, $\alpha'_2 = H_2(\alpha'_1, v')$, $v'_p = c_p^j \times d_p^{j \times \alpha'_2}$.

Return $Rk_{a \to b} = (rk, u'_1, u'_2, e', v', v'_p)$.

• ReEncrypt($Rk_{a \to b}, C_a, Pk_p, Sk_p$):

– On input a re-encryption key, a transformable ciphertext and the proxy public/private key pair:

Test if $v_p = u_1^{(x^p_1 + x^p_3 \times \alpha_2)} \times u_2^{(x^p_2 + x^p_4 \times \alpha_2)}$ and $v'_p = u'^{(x^p_1 + x^p_3 \times \alpha'_2)}_1 \times u'^{(x^p_2 + x^p_4 \times \alpha'_2)}_2$.

Choose $\omega \xleftarrow{\$} \mathbb{Z}_q$.

Compute $\beta = u_1^{rk}$, $u''_1 = g_1^\omega$, $u''_2 = g_2^\omega$.

Compute $e'' = e$, $\alpha'' = H_2(u''_1, u''_2, e'', \beta)$.

Compute $v'' = c_b^\omega \times d_b^{\omega \times \alpha''}$.

Output $C_b = (\beta, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'')$.

• Decrypt($Sk_b, C_b$):

– If $C_b = (u_1, u_2, e, v)$:

Test if $v = u_1^{(x^b_1 + x^b_3 \times \alpha)} \times u_2^{(x^b_2 + x^b_4 \times \alpha)}$.

Compute $m = \dfrac{e}{u_1^{x^b_7}}$.

– If $C_b = (u_1, u_2, e, v, v_p)$:

Test if $v = u_1^{(x^b_1 + x^b_3 \times \alpha_1)} \times u_2^{(x^b_2 + x^b_4 \times \alpha_1)}$.

Compute $m = \dfrac{e}{u_1^{(x^b_5 + H_1(c,d) \times x^b_6)}}$.

– If $C_b = (\beta, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'')$:

Test if $v'' = u''^{(x^b_1 + x^b_3 \times \alpha'')}_1 \times u''^{(x^b_2 + x^b_4 \times \alpha'')}_2$ and $v' = u'^{(x^b_1 + x^b_3 \times \alpha')}_1 \times u'^{(x^b_2 + x^b_4 \times \alpha')}_2$.

Compute $k = \dfrac{e'}{u'^{(x^b_5 + H_1(c,d) \times x^b_6)}_1}$.

Compute $m = \dfrac{e''}{\beta^k}$.

4.2 Correctness and Security Analysis

• The correctness of decryption for original ciphertexts (transformable or non-transformable) is trivial since it is the same as in Cramer-Shoup. Correctness of decryption for re-encrypted ciphertexts can be viewed as follows:

$m = \dfrac{e''}{\beta^k} = \dfrac{e''}{u_1^{rk \times k}} = \dfrac{m \times g_1^{r \times (x_5 + H_1(c,d) \times x_6)}}{g_1^{r \times \frac{x_5 + H_1(c,d) \times x_6}{k} \times k}}$

• Intuitively, we can check the IND-CCA security of our scheme as follows:

– Original non-transformable ciphertexts are Cramer-Shoup ciphers, which are proved in (Cramer and Shoup, 1998) to be CCA-secure under the DDH assumption and second preimage resistance.

– With original transformable ciphers, encryption is almost the same as Cramer-Shoup. However, we compute a $v_p$ so that the proxy can verify the validity of the ciphertext. In the IND-CCA-2 game we give the challenger access to both the secret key of the proxy and that of the delegator, so that he can verify the validity of $v_p$. Otherwise, it has no effect on the security of the scheme, since $v_p$ is computed with another public key and is thus linearly independent of $v$ even if we use the same random coin.

– Re-encryption key generation was inspired by the work of (Chow et al., 2010): even if $k$, which was chosen randomly to compute $rk = \dfrac{x_5 + H_1(c,d) \times x_6}{k}$, is leaked, e.g. when the proxy and the delegate collude, only $x_5 + H_1(c,d) \times x_6$ can be computed. This linear combination prevents finding $x_5$ and $x_6$, due to the fact that there are as many possible solutions as the cardinality of the group $G$ to which the $x_i$ belong. Thus no information on the private keys is revealed, which makes the scheme collusion resistant.

– Re-encrypted ciphertexts are two different Cramer-Shoup ciphers; the first one is used to decrypt the substitution key $k$ created by the delegator, which is essential for the decryption of the second cipher, as we saw above in the correctness argument.

5 PROOF OF SECURITY

We first give the definition of the unidirectional single-hop PRE-CCA game following the model of (Canetti and Hohenberger, 2007). We take into account the changes proposed by the authors for unidirectional schemes, since the formal model was intended for bidirectional PRE. We have made changes related to the addition of proxy key pairs.

Let $\lambda$ be a security parameter. Let $A$ be an oracle TM representing the adversary. The game consists of an execution of $A$ with the following oracles. They can be invoked several times in any order, subject to the constraints below:


OKGen: For uncorrupted users return $Pk$, where $(Pk, Sk) \leftarrow KGen(params)$. For corrupted users return $Pk$ and $Sk$, where $(Pk, Sk) \leftarrow KGen(params)$.

ORkGen: On input $Pk_a$, $Pk_b$ and $Pk_p$, the re-encryption key generation algorithm outputs $Rk_{a \to b}$. We reject the query if it is a re-encryption key generation between a corrupted and an uncorrupted key.

OEncryption: For a non-transformable ciphertext, on input a message $m$, the output is $C = (u_1, u_2, e, v)$. For an original transformable ciphertext, the output is $C = (u_1, u_2, e, v, v_p)$.

OChallenge: This oracle can be queried only once. On input $(Pk^*, m_0, m_1)$, where $Pk^*$ is called the challenge key, the oracle chooses a bit $b \xleftarrow{\$} \{0,1\}$ and returns the challenge ciphertext $C = Enc(Pk, m_b)$. (As we note later, the challenge key must be uncorrupted for $A$ to win.)

OReEncryption: On input $(Pk_a, Pk_b, C_a)$, if $Pk_b$ is corrupted or $a = b$ it returns $\bot$. Otherwise it returns $C_b$.

ODecryption: On input $(Pk, C)$, if $Pk$ was not generated before it returns $\bot$. Else it returns $Decrypt(C, Sk)$.

ODecision: This oracle can also be queried only once. On input $b'$: if $b' = b$ and the challenge key $Pk^*$ is not corrupted, then it outputs 1, else it outputs 0.

We say that $A$ wins the PRE-CCA game with advantage $\varepsilon$ if the probability, over the random choices of $A$ and the oracles, that the decision oracle is invoked and outputs 1 is at least $1/2 + \varepsilon$.

Theorem 1. Our scheme is secure against adaptive chosen ciphertext attack assuming that (1) the hash functions $H_1, H_2$ are chosen from a universal one-way family, and (2) the Diffie-Hellman decision problem is hard in the group $G$.

We give our scheme’s formal proof based on

(Wang et al., 2009) and (Chow et al., 2010) proofs

as follows:

Assume the external adversaries algorithm B

breaking the IND-CCA2 property of the scheme ,we

use B to construct algorithm A distinguish a four

tuple (g

1

,g

2

,u

1

,u

2

) from G is a DDH tuple or not.

Oralce queries from B are handled by A as follow-

ing:

• Query to OKGen: If user $A$ is corrupted, $A$ randomly chooses $Sk_a = (x^a_i)$, $x^a_i \xleftarrow{\$} \mathbb{Z}_q$ for $i = 1, 2, \ldots, 7$, computes $Pk_a = (g_1, g_2, c_a = g_1^{x^a_1} \times g_2^{x^a_2}, d_a = g_1^{x^a_3} \times g_2^{x^a_4}, h^a_1 = g_1^{x^a_5 + H_1(c,d) \times x^a_6}, h^a_2 = g_1^{x^a_7})$ and returns $Sk_a, Pk_a$, which has a distribution identical to the real distribution of the private and public key. For an uncorrupted user $B$, it randomly chooses $Sk_b = (x^b_i)$, $x^b_i \xleftarrow{\$} \mathbb{Z}_q$ for $i = 1, 2, \ldots, 9$, computes $Pk_b = (g_1, g_2, c_b = g_1^{x^b_1} \times g_2^{x^b_2}, d_b = g_1^{x^b_3} \times g_2^{x^b_4}, h^b_1 = g_1^{x^b_5 + H_1(c,d) \times x^b_6} \times g_2^{x^b_8}, h^b_2 = g_1^{x^b_7} \times g_2^{x^b_9})$ and returns $Pk_b$. Assuming that $g_2 = g_1^w$, the output has a distribution identical to the real distribution of the public key, which gives us a perfect simulation.

• Query to ORkGen: On input $Pk_a$, $Pk_b$ and $Pk_p$, if one of $A$ and $B$ is corrupted we reject the query. Else $A$ outputs $Rk_{a \to b} = (rk \xleftarrow{\$} \mathbb{Z}_{\phi(N)}, C^a_1, v'_p)$, which is indistinguishable from $Rk_{i \to j} = \left(\dfrac{x_5 + H_1(c,d) \times x_6}{k}, C^i_1, v'_p\right)$.

• Query to OEncryption: For a non-transformable encryption, given a message $m$, the encryption algorithm returns $C = (u_1, u_2, e, v) = (g_1^r, g_2^r, u_1^{x_7} \times u_2^{x_9} \times m, c^r \times d^{r \times \alpha})$ where $r \xleftarrow{\$} \mathbb{Z}_q$. This is a perfect simulation, as in the Cramer-Shoup encryption scheme. For an original transformable encryption, if the users are uncorrupted the encryption algorithm returns $C = (u_1, u_2, e, v, v_p) = (g_1^r, g_2^r, u_1^{(x_5 + H_1(c,d) \times x_6)} \times u_2^{x_8} \times m, c^r \times d^{r \times \alpha_1}, c'^r \times d'^{r \times \alpha_1})$ where $r \xleftarrow{\$} \mathbb{Z}_q$ and $v_p$ is computed with a random public key. Else, it outputs $\bot$. This is also a perfect simulation. We will show below that one cannot construct a valid tuple $(u_1, u_2, e, v, v_p)$ by oneself when $(g_1, g_2, u_1, u_2)$ is not a DDH tuple, relying on the same method used in Cramer-Shoup encryption.

• Query to OReEncryption: On input $Pk_a$, $Pk_b$, $C_a = (u_1, u_2, e, v, v_p)$ from user $i$ to user $j$, search the RkGen list for an item including $i$ and $j$. If it does not exist, run the query to ORkGen. Then the proxy verifies the ciphertext's validity by testing: if $v_p \neq u_1^{x^p_1} \times u_2^{x^p_2} \times u_1^{x^p_3 \times \alpha_2} \times u_2^{x^p_4 \times \alpha_2}$, return $\bot$. Else, return $C_j = (\beta, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'') = (u_1^{(x_5 + H_1(c,d) \times x_6)}, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'')$, which includes two Cramer-Shoup ciphers and has the same distribution as $(u_1^{rk}, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'')$. Thus the real output and the simulated output are indistinguishable, so this is also a perfect simulation.

• Query to ODecryption: In the real decryption, given a re-encrypted ciphertext $C = (\beta, u'_1, u'_2, e', v', u''_1, u''_2, e'', v'')$, the decryption algorithm runs as follows. It first computes $\alpha''_1 = H_2(u''_1, u''_2, e'', \beta)$, and tests if $v'' = u''^{(x_1 + x_3 \times \alpha''_1)}_1 \times u''^{(x_2 + x_4 \times \alpha''_1)}_2$ and $v' = u'^{(x_1 + x_3 \times \alpha'_1)}_1 \times u'^{(x_2 + x_4 \times \alpha'_1)}_2$. If this condition does not hold, the decryption algorithm outputs $\bot$; otherwise, it computes $k = \dfrac{e'}{u'^{(x_5 + H_1(c,d) \times x_6)}_1}$ and outputs $m = \dfrac{e''}{\beta^k}$. In our simulation, on input $C_j$ from user $i$ to $j$, $B$ first verifies the ciphertext's validity. If it is an invalid ciphertext it returns $\bot$, else it computes $k = \dfrac{e'}{u'^{(x^j_5 + H_1(c,d) \times x^j_6)}_1 \times u'^{x^j_8}_2}$ and then outputs $m = \dfrac{e''}{\beta^k} = \dfrac{e''}{u_1^{1/(x^j_5 + H_1(c,d) \times x^j_6)}}$.

As in Cramer-Shoup encryption, if $(g_1, g_2, u_1, u_2)$ is a DDH tuple, our simulated decryption is a perfect decryption. For original ciphertexts the same proof holds as for Cramer-Shoup encryption; there is a slight difference in the proof for original transformable ciphertexts, which we explain below. And the simulated decryption is also a perfect decryption.

Lemma 2. If $(g_1, g_2, u_1, u_2)$ is not a DDH tuple, ODecryption will reject all invalid ciphertexts, except with negligible probability.

The proof of this lemma is the same as in (Cramer and Shoup, 1998); the only difference is that in the ODecryption simulation for transformable ciphertexts, the adversary must solve these equations:

$x_1 + w \times x_2 = \log_{g_1} c \bmod q$

$x_3 + w \times x_4 = \log_{g_1} d \bmod q$

${x'}^p_1 + w \times {x'}^p_2 = \log_{g_1} c_p \bmod q$

${x'}^p_3 + w \times {x'}^p_4 = \log_{g_1} d_p \bmod q$

$r_1 x_1 + r_2 \alpha_1 x_3 + r_1 w x_2 + r_2 \alpha_1 w x_4 = \log_{g_1} v \bmod q$

$r_1 x^p_1 + r_2 \alpha_2 x^p_3 + r_1 w x^p_2 + r_2 \alpha_2 w x^p_4 = \log_{g_1} v_p \bmod q$

which are linearly independent; thus our simulation is perfect for the external adversary, unless the proxy reveals his private key. If $A$ can break our re-encryption scheme, $B$ can solve the DDH problem in $G$. Thus we prove our theorem.

6 CONCLUSION

In this paper, we point out that the schemes in (Zhang et al., 2013) are not CCA-secure, and we show how an adversary can distinguish between two ciphers in the IND-CCA2 game. We also present a construction of a unidirectional proxy re-encryption scheme without bilinear pairings in the standard model. Our scheme is proven CCA-secure in the standard model under the decisional Diffie-Hellman assumption and the second preimage resistance of the chosen universal one-way hash family. We do not consider efficiency; our aim above all is to come up with a solution for one of the two open problems left by (Deng et al., 2008). As a perspective, we will implement the proposed algorithm in order to compare it with other related works, and try to design more efficient schemes.

ACKNOWLEDGEMENTS

We would like to thank Damien Vergnaud for the valuable discussions and for his constructive comments about the flaw, which led us to find the concrete attack on (Zhang et al., 2013). This work is supported by ADEME on the VertPom project.

REFERENCES

Ateniese, G., Benson, K., and Hohenberger, S. (2009). Key-private proxy re-encryption. In Cryptographers' Track at the RSA Conference, pages 279–294. Springer.

Ateniese, G., Fu, K., Green, M., and Hohenberger, S. (2006). Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Transactions on Information and System Security (TISSEC), 9(1):1–30.

Blaze, M., Bleumer, G., and Strauss, M. (1998). Divertible protocols and atomic proxy cryptography. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 127–144. Springer.

Canetti, R. (2001). Universally composable security: A new paradigm for cryptographic protocols. In Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pages 136–145. IEEE.

Canetti, R. and Hohenberger, S. (2007). Chosen-ciphertext secure proxy re-encryption. In Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 185–194. ACM.

Chow, S. S., Weng, J., Yang, Y., and Deng, R. H. (2010). Efficient unidirectional proxy re-encryption. In International Conference on Cryptology in Africa, pages 316–332. Springer.

Cramer, R. and Shoup, V. (1998). A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Annual International Cryptology Conference, pages 13–25. Springer.

Deng, R. H., Weng, J., Liu, S., and Chen, K. (2008). Chosen-ciphertext secure proxy re-encryption without pairings. In International Conference on Cryptology and Network Security, pages 1–17. Springer.

Green, M. and Ateniese, G. (2007). Identity-based proxy re-encryption. In International Conference on Applied Cryptography and Network Security, pages 288–306. Springer.

Purushothama, B., Shrinath, B., and Amberker, B. (2013). Secure cloud storage service and limited proxy re-encryption for enforcing access control in public cloud. International Journal of Information and Communication Technology, 5(2):167–186.

Sbai, A., Drocourt, C., and Dequen, G. (2019). PRE as a service within smart grid cities. In 16th International Conference on Security and Cryptography.

Selvi, S. S. D., Paul, A., and Pandurangan, C. (2017). A provably-secure unidirectional proxy re-encryption scheme without pairing in the random oracle model. In International Conference on Cryptology and Network Security, pages 459–469. Springer.

Shao, J. and Cao, Z. (2009). CCA-secure proxy re-encryption without pairings. In International Workshop on Public Key Cryptography, pages 357–376. Springer.

Wang, X. A., Wu, W., and Yang, X. (2009). On DDoS attack against proxy in re-encryption and re-signature. Engineering College of Chinese, PR China.

Wei, P., Wang, X. A., and Yang, X. (2010). Proxy re-encryption schemes with proxy having its own public/private keys. In 2010 2nd International Workshop on Database Technology and Applications, pages 1–4. IEEE.

Zhang, M., Wang, X. A., Li, W., and Yang, X. (2013). CCA secure publicly verifiable public key encryption without pairings nor random oracle and its applications. JCP, 8(8):1987–1994.
