gorithm runs as follows. It first computes $\alpha''_1 = H_2(u''_1, u''_2, e'', \beta)$, and tests whether

$$v'' = {u''_1}^{(x_1 + x_3 \times \alpha''_1)} \times {u''_2}^{(x_2 + x_4 \times \alpha''_1)} \quad \& \quad v' = {u'_1}^{(x_1 + x_3 \times \alpha'_1)} \times {u'_2}^{(x_2 + x_4 \times \alpha'_1)}.$$

If this condition does not hold, the decryption algorithm outputs ⊥; otherwise, it computes $k = \dfrac{e'}{{u'_1}^{(x_5 + H_1(c,d) \times x_6)}}$ and outputs $m = \dfrac{e''}{\beta^{k}}$. In our simulation, on input $C_j$ from user $i$ to $j$, B first verifies the ciphertext's validity. If the ciphertext is invalid, it returns ⊥; otherwise it computes

$$k = \frac{e'}{{u'_1}^{(x^{j}_5 + H_1(c,d) \times x^{j}_6)} \times {u'_2}^{x^{j}_8}}$$

and then outputs

$$m = \frac{e''}{\beta^{k}} = \frac{e''}{u_1^{1/(x^{j}_5 + H_1(c,d) \times x^{j}_6)}}.$$
As in Cramer-Shoup encryption, if $(g_1, g_2, u_1, u_2)$ is a DDH tuple, our simulated decryption is a perfect decryption. For original ciphertexts the same proof holds as for Cramer-Shoup encryption; there is a slight difference in the proof for original transformable ciphertexts, which we explain below. The simulated decryption is also a perfect decryption.
Lemma 2. If $(g_1, g_2, u_1, u_2)$ is not a DDH tuple, the ODecryption will reject all invalid ciphertexts, except with negligible probability.
The proof of this lemma is the same as in (Cramer and Shoup, 1998); the only difference is that, in the ODecryption simulation for transformable ciphertexts, the adversary must solve these equations:

$$\begin{aligned}
x_1 + w \times x_2 &= \log_{g_1} c \bmod q \\
x_3 + w \times x_4 &= \log_{g_1} d \bmod q \\
x^{\prime p}_{1} + w \times x^{\prime p}_{2} &= \log_{g_1} c^{p} \bmod q \\
x^{\prime p}_{3} + w \times x^{\prime p}_{4} &= \log_{g_1} d^{p} \bmod q \\
r_1 x_1 + r_2 \alpha_1 x_3 + r_1 w x_2 + r_2 \alpha_1 w x_4 &= \log_{g_1} v \bmod q \\
r_1 x^{p}_{1} + r_2 \alpha_2 x^{p}_{3} + r_1 w x^{p}_{2} + r_2 \alpha_2 w x^{p}_{4} &= \log_{g_1} v^{p} \bmod q
\end{aligned}$$

These equations are linearly independent, thus our simulation is perfect for the external adversary, unless the proxy reveals his private key. If A can break our re-encryption scheme, B can solve the DDH problem in G. Thus we prove our theorem.
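The validity test of the decryption algorithm and the rejection stated in Lemma 2, shown on plain Cramer-Shoup encryption with the key indexing of the equations above ($c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{x_3} g_2^{x_4}$, $g_2 = g_1^{w}$). This is an added example, not code from the paper: the toy group, the SHA-256 stand-in for the hash, the single decryption exponent z, the sample keys and all function names are assumptions, and the re-encryption layer is left out.

```python
# Added example, not the paper's code. Toy parameters are constructed and insecure.
import hashlib

P, Q = 2039, 1019            # toy safe prime P = 2Q + 1
G1 = 4                       # generates the order-Q subgroup of Z_P^*
W = 77                       # g2 = g1^w, the w of the proof's equations
G2 = pow(G1, W, P)

def H(*elems):
    """Stand-in for the scheme's hash (assumption): SHA-256 reduced mod Q."""
    data = "|".join(map(str, elems)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen(x1, x2, x3, x4, z):
    c = pow(G1, x1, P) * pow(G2, x2, P) % P   # log_g1 c = x1 + w*x2
    d = pow(G1, x3, P) * pow(G2, x4, P) % P   # log_g1 d = x3 + w*x4
    return (x1, x2, x3, x4, z), (c, d, pow(G1, z, P))

def make_ct(pk, m, r1, r2):
    """r1 == r2: honest ciphertext. r1 != r2: (g1, g2, u1, u2) is not a DDH tuple."""
    c, d, h = pk
    u1, u2 = pow(G1, r1, P), pow(G2, r2, P)
    e = pow(h, r1, P) * m % P
    alpha = H(u1, u2, e)
    v = pow(c, r1, P) * pow(d, r1 * alpha, P) % P
    return u1, u2, e, v

def decrypt(sk, ct):
    x1, x2, x3, x4, z = sk
    u1, u2, e, v = ct
    alpha = H(u1, u2, e)
    check = pow(u1, x1 + x3 * alpha, P) * pow(u2, x2 + x4 * alpha, P) % P
    if v != check:
        return None                            # the paper's ⊥
    return e * pow(u1, -z, P) % P              # m = e / u1^z

def accepted_forgeries(sk, pk, m, trials=200):
    """Count invalid ciphertexts (r2 != r1) that pass the validity test."""
    return sum(decrypt(sk, make_ct(pk, m, 5, 5 + t)) is not None
               for t in range(1, trials + 1))

SK, PK = keygen(11, 22, 33, 44, 55)            # constructed key material
M = pow(G1, 123, P)                            # constructed message in the subgroup

if __name__ == "__main__":
    print(decrypt(SK, make_ct(PK, M, 7, 7)) == M)   # honest ciphertext decrypts
    print(accepted_forgeries(SK, PK, M))            # each passes with prob. about 1/Q
```

Each invalid ciphertext built this way passes the test only when $x_2 + x_4 \alpha \equiv 0 \pmod q$, a chance of about $1/q$; in a group of cryptographic size this is the negligible probability of Lemma 2.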
6 CONCLUSION
In this paper, we point out that the schemes in (Zhang et al., 2013) are not CCA-secure: we show how an adversary could distinguish between two ciphers in the IND-CCA2 game. We also present a construction of a unidirectional proxy re-encryption scheme without bilinear pairing in the standard model. Our scheme is proven CCA-secure in the standard model under the decisional Diffie-Hellman assumption and the second preimage resistance of the chosen universal one-way hash family. We do not consider efficiency; our aim is above all to come up with a solution for one of the two open problems left by (Deng et al., 2008). As a perspective, we will implement the proposed algorithm in order to compare it with other related works, and try to design more efficient schemes.
ACKNOWLEDGEMENTS
We would like to thank Damien Vergnaud for the valuable discussions and for his constructive comments about the flaw, which led us to find the concrete attack in (Zhang et al., 2013). This work is supported by ADEME on the VertPom project.
REFERENCES
Ateniese, G., Benson, K., and Hohenberger, S. (2009). Key-private proxy re-encryption. In Cryptographers Track at the RSA Conference, pages 279–294. Springer.
Ateniese, G., Fu, K., Green, M., and Hohenberger, S. (2006). Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Transactions on Information and System Security (TISSEC), 9(1):1–30.
Blaze, M., Bleumer, G., and Strauss, M. (1998). Divertible protocols and atomic proxy cryptography. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 127–144. Springer.
Canetti, R. (2001). Universally composable security: A new paradigm for cryptographic protocols. In Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pages 136–145. IEEE.
Canetti, R. and Hohenberger, S. (2007). Chosen-ciphertext secure proxy re-encryption. In Proceedings of the 14th ACM conference on Computer and communications security, pages 185–194. ACM.
Chow, S. S., Weng, J., Yang, Y., and Deng, R. H. (2010). Efficient unidirectional proxy re-encryption. In International Conference on Cryptology in Africa, pages 316–332. Springer.
Cramer, R. and Shoup, V. (1998). A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Annual International Cryptology Conference, pages 13–25. Springer.
Deng, R. H., Weng, J., Liu, S., and Chen, K. (2008). Chosen-ciphertext secure proxy re-encryption without pairings. In International Conference on Cryptology and Network Security, pages 1–17. Springer.
Green, M. and Ateniese, G. (2007). Identity-based proxy re-encryption. In International Conference on Applied Cryptography and Network Security, pages 288–306. Springer.
Purushothama, B., Shrinath, B., and Amberker, B. (2013). Secure cloud storage service and limited proxy re-encryption for enforcing access control in public
ICISSP 2020 - 6th International Conference on Information Systems Security and Privacy