Abstract
In the simplest setting of proxy reencryption, there are three parties: Alice, Bob, and Polly (the proxy). Alice keeps some encrypted data that she can decrypt with a secret key known only to her. She wants to communicate the data to Bob, but not to Polly (nor anybody else). Using proxy reencryption, Alice can create a reencryption key that will enable Polly to reencrypt the data for Bob’s use, but which will not help Polly learn anything about the data.
There are two well-studied notions of security for proxy reencryption schemes: security under chosen-plaintext attacks (CPA) and security under chosen-ciphertext attacks (CCA). Both definitions aim to formalize the security that Alice enjoys against both Polly and Bob.
In this work, we demonstrate that CPA security guarantees much less security against Bob than was previously understood. In particular, CPA security does not prevent Bob from learning Alice’s secret key after receiving a single honestly reencrypted ciphertext. As a result, CPA security provides scant guarantees in common applications.
We propose security under honest reencryption attacks (HRA), a strengthening of CPA security that better captures the goals of proxy reencryption. In applications, HRA security provides much more robust security. We identify a property of proxy reencryption schemes that suffices to amplify CPA security to HRA security and show that two existing proxy reencryption schemes are in fact HRA secure.
Supported by Facebook Fellowship 2018, NSF GRFP, NSF MACS CNS-1413920, DARPA IBM W911NF-15-C-0236, and Simons Investigator Award Agreement Dated 6-5-12. We would like to thank Rio LaVigne, Akshay Degwekar, Shafi Goldwasser, Vinod Vaikuntanathan, and anonymous reviewers for their helpful feedback.
Notes
1. This description is an oversimplification. In the many-party setting, the adversary has access to a reencryption oracle which will reencrypt ciphertexts between two uncorrupted parties or between two corrupted parties, but not from an honest party to a corrupted party.
2. While we don’t examine every pairing-based construction of proxy reencryption, we suspect that re-randomizing reencryption will suffice for reencryption simulation in many, if not all.
3.
4. We might also appeal for support to [22], the only paper in the proxy reencryption literature of which we are aware adopting a security definition providing a reencryption oracle without a decryption oracle. One could look to the originators of proxy reencryption for guidance, but the shortcoming we identify does not manifest in the original setting of [5] (there is only Alice and Bob; there is no Proxy). It is therefore of little help.
5. Note that Ivan and Dodis do not adopt the CPA definition used elsewhere, but a definition much closer to our own. There is no gap between their security guarantees and the requirements of their briefly described application.
Though primarily focused on the setting where the key escrow agent enforces the limited-time requirement by eventually refusing to reencrypt, [22] considers the possibility of dividing time into epochs and enforcing the time limitation technically. Such a proxy reencryption is called temporary in [4]. We do not discuss temporary proxy reencryption further.
6. The literature is divided about whether “single-hop” is merely a correctness property (i.e., able to reencrypt at least once, but agnostic about whether reencrypting more than once is possible) or if it is also a security property (i.e., a ciphertext can be reencrypted once, but never twice). This distinction manifests in the security definition. In works that consider only single-hop correctness [3, 4, 21, 28], the oracle \(\mathcal {O}_\mathsf {ReKeyGen}\) in the security game will not accept queries from honest users to corrupted users (i.e., (i, j) such that \(i\in \mathsf {Hon}\) and \(j\in \mathsf {Cor}\)). We adopt this formalism in Definitions 3 and 5 for simplicity of presentation only.
In works that consider single-hop security [12, 17, 26], the oracle will answer such queries, but the challenge ciphertext must be encrypted under the key of an honest user \(i^*\) for which no such reencryption key was generated (which can be formalized in a number of ways).
This work adopts the simplest model, requiring only one hop of correctness, but neither requiring nor forbidding additional functionality.
7. Some existing notions in the proxy reencryption literature seem powerful enough to elevate CPA security to HRA security, including proxy invisibility [4], unlinkability [17], and punctured security [1]. However, these notions are not sufficiently well defined to draw any concrete conclusions. The notion of key-privacy [3] does not in general suffice for HRA security.
8. While we do not examine every pairing-based construction of proxy reencryption, we suspect that re-randomizing reencryption will suffice for reencryption simulation in many, if not all.
9. [31] separate the computation of \(\theta _i^*\) from Bob’s public key, but this is only a matter of presentation.
10. The proof requires that an encryption scheme be both fully homomorphic and support proxy reencryption with RIND-CPA security. For concreteness, we have chosen to assume that there exists an FHE scheme whose corresponding PRE is RIND-CPA secure, but a different construction would suffice. We do not further explore the underlying cryptographic assumptions needed to instantiate this encryption scheme.
References
Ananth, P., Cohen, A., Jain, A.: Cryptography with updates. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 445–472. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_15
Aono, Y., Boyen, X., Phong, L.T., Wang, L.: Key-private proxy re-encryption under LWE. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT 2013. LNCS, vol. 8250, pp. 1–18. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-03515-4_1
Ateniese, G., Benson, K., Hohenberger, S.: Key-private proxy re-encryption. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 279–294. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_19
Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. (TISSEC) 9(1), 1–30 (2006)
Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054122
Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision Diffie-Hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_7
Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_23
Borcea, C., Polyakov, Y., Rohloff, K., Ryan, G., et al.: PICADOR: end-to-end encrypted publish-subscribe information distribution with proxy re-encryption. Future Gener. Comput. Syst. 71, 177–191 (2017)
Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_29
Canetti, R., Hohenberger, S.: Chosen-ciphertext secure proxy re-encryption. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 185–194. ACM (2007)
Chandran, N., Chase, M., Liu, F.-H., Nishimaki, R., Xagawa, K.: Re-encryption, functional re-encryption, and multi-hop re-encryption: a framework for achieving obfuscation-based security and instantiations from lattices. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 95–112. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_6
Chow, S.S.M., Weng, J., Yang, Y., Deng, R.H.: Efficient unidirectional proxy re-encryption. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 316–332. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12678-9_19
Cohen, A.: What about Bob? The inadequacy of CPA security for proxy reencryption. Cryptology ePrint Archive, Report 2017/785 (2017). https://eprint.iacr.org/2017/785
Derler, D., Krenn, S., Lorünser, T., Ramacher, S., Slamanig, D., Striecks, C.: Revisiting proxy re-encryption: forward secrecy, improved security, and applications. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 219–250. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_8
Döttling, N., Nishimaki, R.: Universal proxy re-encryption. Cryptology ePrint Archive, Report 2018/840 (2018). https://eprint.iacr.org/2018/840
Everspaugh, A., Paterson, K., Ristenpart, T., Scott, S.: Key rotation for authenticated encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 98–129. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_4
Fan, X., Liu, F.-H.: Proxy re-encryption and re-signatures from lattices (2017)
Fuchsbauer, G., Kamath, C., Klein, K., Pietrzak, K.: Adaptively secure proxy re-encryption. Cryptology ePrint Archive, Report 2018/426 (2018). https://eprint.iacr.org/2018/426
Gentry, C.: A Fully Homomorphic Encryption Scheme. Stanford University (2009)
He, Y.J., Hui, L.C., Yiu, S.M.: Avoid illegal encrypted DRM content sharing with non-transferable re-encryption. In: 2011 IEEE 13th International Conference on Communication Technology (ICCT), pp. 703–708. IEEE (2011)
Hohenberger, S., Rothblum, G.N., Shelat, A., Vaikuntanathan, V.: Securely obfuscating re-encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 233–252. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_13
Ivan, A.A., Dodis, Y.: Proxy cryptography revisited. In: NDSS (2003)
Jakobsson, M.: On quorum controlled asymmetric proxy re-encryption. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 112–121. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49162-7_9
Khurana, H., Heo, J., Pant, M.: From proxy encryption primitives to a deployable secure-mailing-list solution. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 260–281. Springer, Heidelberg (2006). https://doi.org/10.1007/11935308_19
Lee, S., Park, H., Kim, J.: A secure and mutual-profitable DRM interoperability scheme. In: 2010 IEEE Symposium on Computers and Communications (ISCC), pp. 75–80. IEEE (2010)
Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78440-1_21
Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3
Nunez, D., Agudo, I., Lopez, J.: A parametric family of attack models for proxy re-encryption. In: 2015 IEEE 28th Computer Security Foundations Symposium (CSF), pp. 290–301. IEEE (2015)
Oz, F., Murray, B., Dreyfuss, R.: What About Bob. Touchstone Pictures (1991)
Phong, L., Wang, L., Aono, Y., Nguyen, M., Boyen, X.: Proxy re-encryption schemes with key privacy from LWE. Technical report, Cryptology ePrint Archive, Report 2016/327 (2016). http://eprint.iacr.org/2016/327
Polyakov, Y., Rohloff, K., Sahu, G., Vaikuntanathan, V.: Fast proxy re-encryption for publish/subscribe systems. ACM Trans. Priv. Secur. (TOPS) 20(4), 14 (2017)
Appendices
A The Trivial Scheme
The following description and definition of circular security is adapted with slight modification from [6].
Let \((\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec})\) be a public-key encryption scheme with key space \(\mathcal {K}\) and message space \(\mathcal {M}\) such that \(\mathcal {K}\subseteq \mathcal {M}\). Let \(n>0\) be an integer and let \(\mathcal {C}\) be the set of functions \(\mathcal {C}= \{f:\mathcal {K}^n \rightarrow \mathcal {M}\}\) consisting of

all \(\mathcal {M}\) constant functions \(f_m(z) = m\) for all \(z \in \mathcal {K}^n\), and

all n selector functions \(f_i(x_1,\dots ,x_n) = x_i\) for \(1\le i \le n\).
We define circular security using the following game between a challenger and an adversary \(\mathcal {A}\). For an integer \(n>0\) and a security parameter \(\lambda \), the game proceeds as follows:

Initialization: The challenger chooses a random bit \(b\leftarrow \{0,1\}\). It generates \((\mathsf {pk}_1,\mathsf {sk}_1),\dots ,(\mathsf {pk}_n,\mathsf {sk}_n)\) by running \(\mathsf {KeyGen}(1^\lambda )\) n times, and sends \((\mathsf {pk}_1,\dots ,\mathsf {pk}_n)\) to \(\mathcal {A}\).

Queries: The adversary repeatedly issues queries where each query is of the form (i, f) with \(1\le i\le n\) and \(f\in \mathcal {C}\). The challenger responds by setting \(y = f(\mathsf {sk}_1,\dots ,\mathsf {sk}_n)\) and
$$\begin{aligned} \mathsf {ct}\leftarrow {\left\{ \begin{array}{ll} \mathsf {Enc}(\mathsf {pk}_i,y) &{} \text {if } b=0 \\ \mathsf {Enc}(\mathsf {pk}_i,0^{|y|}) &{} \text {if } b=1 \end{array}\right. } \end{aligned}$$and sends \(\mathsf {ct}\) to \(\mathcal {A}\).

Finish: Finally, the adversary outputs a bit \(b' \in \{0,1\}\).
We say that \(\mathcal {A}\) wins the game if \(b=b'\). Let \(\mathsf {win}\) be the event that \(\mathcal {A}\) wins the game and define \(\mathcal {A}\)’s advantage as
Definition 8
(n-Circular Security). We say that a public-key encryption scheme \((\mathsf {KeyGen},\mathsf {Enc},\mathsf {Dec})\) is n-way circular secure if for all probabilistic polynomial time adversaries \(\mathcal {A}\), there exists a negligible function \(\mathsf {negl}\) such that
Because existing constructions of circularly secure encryption schemes based on standard assumptions require a bound on the total number of public keys n, the corresponding Trivial Scheme will only satisfy a bounded-key variant of CPA security, defined next.
Definition 9
(Proxy Reencryption: n-CPA Security). For \(n\in \mathbb {N}\), the n-CPA security game is identical to the CPA security game in Definition 3 except for the following modifications to the two key generation oracles. Recall that \(\mathsf {numKeys}\) is initialized to 0 and is incremented after every key generation call in the security game.

Uncorrupted Key Generation: obtain a new key pair \((\mathsf {pk}_i,\mathsf {sk}_i) \leftarrow \mathsf {KeyGen}(\mathsf {pp})\). \(\mathcal {A}\) is given \(\mathsf {pk}_i\). The current value of \(\mathsf {numKeys}\) is added to \(\mathsf {Hon}\) and \(\mathsf {numKeys}\) is incremented.

Corrupted Key Generation: obtain a new key pair \((\mathsf {pk}_i, \mathsf {sk}_i) \leftarrow \mathsf {KeyGen}(\mathsf {pp})\). \(\mathcal {A}\) is given \((\mathsf {pk}_i,\mathsf {sk}_i)\). The current value of \(\mathsf {numKeys}\) is added to \(\mathsf {Cor}\) and \(\mathsf {numKeys}\) is incremented.
The corresponding n-CPA advantage of \(\mathcal {A}\) is denoted \(\mathsf {Adv}_{\mathsf {cpa},n}^\mathcal {A}(\lambda ).\) A proxy reencryption scheme is n-CPA secure if for all probabilistic polynomial-time adversaries \(\mathcal {A}\), there exists a negligible function \(\mathsf {negl}\) such that
Trivial Scheme. Let \((\mathsf {KeyGen}_\mathsf {circ}, \mathsf {Enc}_\mathsf {circ}, \mathsf {Dec}_\mathsf {circ})\) be an n-way circular secure encryption scheme. Let \(\mathsf {Setup}\equiv \bot \), \(\mathsf {KeyGen}\equiv \mathsf {KeyGen}_\mathsf {circ}\); \(\mathsf {Enc}\equiv \mathsf {Enc}_\mathsf {circ}\);
$$\begin{aligned}&\mathsf {ReKeyGen}(\mathsf {sk}_i,\mathsf {pk}_j) := \mathsf {Enc}_\mathsf {circ}(\mathsf {pk}_j, \mathsf {sk}_i)\\&\mathsf {ReEnc}(\mathsf {rk}_{i\rightarrow j},\mathsf {ct}_i):= \mathsf {ct}_i \Vert \mathsf {rk}_{i\rightarrow j}\\&\mathsf {Dec}(\mathsf {sk}, \mathsf {ct}) := \left\{ \begin{array}{ll} \mathsf {Dec}_\mathsf {circ}(\mathsf {Dec}_\mathsf {circ}(\mathsf {sk},\mathsf {ct}^2),\mathsf {ct}^1) &{} \hbox {if } \mathsf {ct}= \mathsf {ct}^1 \Vert \mathsf {ct}^2 \\ \mathsf {Dec}_\mathsf {circ}(\mathsf {sk},\mathsf {ct}) &{} \hbox {otherwise} \end{array} \right. . \end{aligned}$$
Theorem 2 states that if \((\mathsf {KeyGen}_\mathsf {circ}, \mathsf {Enc}_\mathsf {circ}, \mathsf {Dec}_\mathsf {circ})\) is an n-way circular secure encryption scheme, then the corresponding Trivial Scheme \(\mathsf {PRE}\) is an n-CPA secure proxy reencryption scheme. In fact, the proof below extends to the case when there are n uncorrupted keys and any number of corrupted keys.
Proof
(of Theorem 2). For all \(n\in \mathbb {N}\) and any probabilistic, polynomial-time algorithm \(\mathcal {A}\) (the adversary against the trivial scheme), we construct an efficient algorithm \(\mathcal {A}_\mathsf {circ}\) such that \(\mathsf {Adv}_{\mathsf {circ},n}^{\mathcal {A}_\mathsf {circ}} = \frac{1}{2}\cdot \mathsf {Adv}_{\mathsf {cpa},n}^{\mathcal {A}}\). By the hypothesis, this advantage is negligible, completing the proof.
At the beginning of the game, the circular security challenger picks a random bit b. If \(b = 0\), then the Queries oracle encrypts all messages correctly; if \(b =1\), then the Queries oracle encrypts only the message 0. \(\mathcal {A}_\mathsf {circ}\) runs \(\mathcal {A}\) and simulates the CPA security game for \(\mathsf {PRE}\) (if \(\mathcal {A}\) does not follow the specification of the game, \(\mathcal {A}_\mathsf {circ}\) simply aborts).
At the start of Phase 1, \(\mathcal {A}_\mathsf {circ}\) calls its Initialization oracle in the circular security game. In return it receives the public keys \((\mathsf {pk}_1^\mathsf {circ},\dots ,\mathsf {pk}_n^\mathsf {circ})\). To answer an Uncorrupted Key Generation query, \(\mathcal {A}_\mathsf {circ}\) gives to \(\mathcal {A}\) the first unused public key \(\mathsf {pk}_i^\mathsf {circ}\) from this list. To answer a Corrupted Key Generation query, \(\mathcal {A}_\mathsf {circ}\) generates a new key pair \((\mathsf {pk},\mathsf {sk})\leftarrow \mathsf {KeyGen}\) and gives \((\mathsf {pk},\mathsf {sk})\) to the adversary.
\(\mathcal {A}_\mathsf {circ}\) begins Phase 2 by using its Queries oracle to learn the reencryption keys for all pairs of uncorrupted keys generated (each such key is an encryption of one secret key under another public key, i.e., a selector-function query). Using its knowledge of the corrupted secret keys, it also computes reencryption keys for all the pairs of corrupted keys generated. Oracle calls from \(\mathcal {A}\) to \(\mathcal {O}_\mathsf {ReKeyGen}\) are answered with the corresponding reencryption key (or with \(\bot \)). To answer oracle calls from \(\mathcal {A}\) to \(\mathcal {O}_\mathsf {ReEnc}\), \(\mathcal {A}_\mathsf {circ}\) computes the appropriate response; namely, it concatenates the reencryption key to the ciphertext (or returns \(\bot \)).
At some point, \(\mathcal {A}\) queries the Challenge oracle with an honest key index i and a pair of messages \((\mathbf {m}_0,\mathbf {m}_1)\). \(\mathcal {A}_\mathsf {circ}\) chooses a random one of the messages \(\mathbf {m}\) and queries its own Queries oracle with the pair \((i,\mathbf {m})\), returning the resulting ciphertext to \(\mathcal {A}\).
Finally, \(\mathcal {A}\) guesses whether \(\mathbf {m}= \mathbf {m}_0\) or \(\mathbf {m}_1\). If \(\mathcal {A}\) guesses correctly, \(\mathcal {A}_\mathsf {circ}\) guesses the bit \(b' = 0\). Otherwise, \(\mathcal {A}_\mathsf {circ}\) guesses a random \(b' \leftarrow \{0,1\}\). Conditioned on \(b=0\), \(\mathcal {A}_\mathsf {circ}\) perfectly simulates the \(\mathsf {PRE}\) security game, and guesses \(b' = 0\) with probability \(\mathsf {Adv}_{\mathsf {cpa},n}^{\mathcal {A}}\). It follows that \(\mathsf {Adv}_{\mathsf {circ},n}^{\mathcal {A}_\mathsf {circ}} = \frac{1}{2}\cdot \mathsf {Adv}_{\mathsf {cpa},n}^{\mathcal {A}}\).
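The Trivial Scheme above, and the observation from the abstract that a single honestly reencrypted ciphertext hands Bob Alice's secret key, can be exercised end to end. The following is an added example, not code from the paper: it instantiates \((\mathsf {KeyGen}_\mathsf {circ}, \mathsf {Enc}_\mathsf {circ}, \mathsf {Dec}_\mathsf {circ})\) with an assumed toy hashed-ElGamal hybrid scheme (the group parameters, the SHA-256 pad derivation and all function names are assumptions chosen so the block runs offline; nothing about the toy group is claimed to be circular secure), then builds \(\mathsf {ReKeyGen}\), \(\mathsf {ReEnc}\) and \(\mathsf {Dec}\) exactly as defined for the Trivial Scheme. The demo shows both the correctness of reencrypted decryption and the point of the paper: Bob's own \(\mathsf {Dec}\) step necessarily recovers \(\mathsf {sk}_\mathsf {Alice}\), after which ciphertexts Alice never delegated are open to him.

```python
import hashlib
import secrets

# Added illustration (not the paper's code): the Trivial Scheme of Appendix A on top
# of a toy hashed-ElGamal hybrid encryption standing in for the circular-secure scheme
# (KeyGen_circ, Enc_circ, Dec_circ). The group is toy-sized and NOT secure (assumed
# parameters: Mersenne prime 2^127 - 1, generator 3); it only lets the block run offline.
P = (1 << 127) - 1
G = 3
SK_BYTES = 16  # secret keys are exponents below 2^127, so they fit in 16 bytes (K ⊆ M)


def keygen_circ():
    """KeyGen_circ: sk is a random exponent, pk = G^sk mod P."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


def _pad(dh_value, length):
    """Expand the Diffie-Hellman value into a one-time pad via SHA-256 in counter mode."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(dh_value.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def enc_circ(pk, msg):
    """Enc_circ(pk, msg) = (G^r, msg XOR pad(pk^r)) for fresh randomness r."""
    r = secrets.randbelow(P - 2) + 1
    pad = _pad(pow(pk, r, P), len(msg))
    return (pow(G, r, P), bytes(a ^ b for a, b in zip(msg, pad)))


def dec_circ(sk, ct):
    """Dec_circ(sk, (c1, c2)): recompute the pad from c1^sk and unmask c2."""
    c1, c2 = ct
    pad = _pad(pow(c1, sk, P), len(c2))
    return bytes(a ^ b for a, b in zip(c2, pad))


# --- The Trivial Scheme: Setup is empty, KeyGen and Enc are those of the inner scheme ---

def rekeygen(sk_i, pk_j):
    """ReKeyGen(sk_i, pk_j) := Enc_circ(pk_j, sk_i): Alice's secret key encrypted to Bob."""
    return enc_circ(pk_j, sk_i.to_bytes(SK_BYTES, "big"))


def reenc(rk_i_to_j, ct_i):
    """ReEnc(rk_{i->j}, ct_i) := ct_i || rk_{i->j}: the proxy merely appends the rekey."""
    return (ct_i, rk_i_to_j)


def is_reencrypted(ct):
    """A fresh ciphertext is (int, bytes); a reencrypted one is a pair of such tuples."""
    return isinstance(ct[0], tuple)


def dec(sk, ct):
    """Dec(sk, ct): on ct^1 || ct^2, decrypt ct^2 to obtain sk_i, then decrypt ct^1 with it."""
    if is_reencrypted(ct):
        ct1, ct2 = ct
        sk_i = int.from_bytes(dec_circ(sk, ct2), "big")
        return dec_circ(sk_i, ct1)
    return dec_circ(sk, ct)


def run_demo():
    """One honest reencryption from Alice to Bob, and what Bob learns from it."""
    pk_a, sk_a = keygen_circ()
    pk_b, sk_b = keygen_circ()
    shared = b"report Alice delegates to Bob"          # constructed sample plaintext
    private = b"report Alice never shares with Bob"    # constructed sample plaintext
    ct_shared = enc_circ(pk_a, shared)
    ct_private = enc_circ(pk_a, private)
    rk = rekeygen(sk_a, pk_b)
    re_ct = reenc(rk, ct_shared)

    # Correctness: Bob reads the ciphertext the proxy reencrypted for him.
    bob_reads_shared = dec(sk_b, re_ct) == shared
    # The gap the paper points out: the second component of the reencrypted ciphertext
    # is Enc_circ(pk_b, sk_a), so Bob's decryption hands him sk_a outright, and with it
    # every ciphertext ever encrypted under pk_a, delegated or not.
    leaked_sk = int.from_bytes(dec_circ(sk_b, re_ct[1]), "big")
    return {
        "bob_reads_shared": bob_reads_shared,
        "bob_learns_alice_sk": leaked_sk == sk_a,
        "bob_reads_private": dec_circ(leaked_sk, ct_private) == private,
    }


if __name__ == "__main__":
    print(run_demo())
```

Nothing in the CPA game catches this: the adversary there never receives a reencrypted ciphertext addressed to a corrupted key, so the leaked second component never reaches it. The HRA game's honest-reencryption oracle does deliver exactly that component, which is why the same scheme fails HRA security.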
B Comparison to RIND-CPA
The concurrent work of Derler, Krenn, Lorünser, Ramacher, Slamanig, and Striecks [14] identifies the same problem with CPA security as discussed in this work. They define a new security notion—RIND-CPA security—as an additional property that proxy reencryption schemes should guarantee.
In this section, we compare the approach of [14] with ours. We begin by describing RIND-CPA security as defined by [14]. Next, we compare RIND-CPA with HRA security informally, arguing that HRA provides the better generalization of Enc-CPA security to the PRE setting. Finally, we show that HRA and RIND-CPA security are incomparable notions.
The key feature of RIND-CPA security is that the adversary gets access to an unrestricted \(\mathsf {ReEnc}\) oracle, but only before seeing the challenge ciphertext. The definition is similar to \(\mathsf {IND\text {-}CCA}_{0,1}\) of [28]. The definition of the RIND-CPA security experiment is from [14, Experiment 8].
Definition 10
(RIND-CPA Security Experiment).

\(\mathsf {pp}\leftarrow \mathsf {Setup}(1^\lambda ), (\mathsf {pk},\mathsf {sk}) \leftarrow \mathsf {KeyGen}(\mathsf {pp}), b \leftarrow \{0,1\}\)

\((\mathsf {pk}^*,\mathsf {st})\leftarrow \mathcal {A}(\mathsf {pp},\mathsf {pk})\)

\(\mathsf {rk}\leftarrow \mathsf {ReKeyGen}(\mathsf {sk},\mathsf {pk}^*)\)

\((\mathbf {m}_0,\mathbf {m}_1,\mathsf {st}) \leftarrow \mathcal {A}^{\{\mathsf {ReEnc}(\mathsf {rk},\cdot )\}}(\mathsf {st})\)

\(b^* \leftarrow \mathcal {A}(\mathsf {st},\mathsf {Enc}(\mathsf {pk},\mathbf {m}_b))\)

if \(b = b^*\) return 1, else return 0.
RIND-CPA security requires that for all efficient adversaries, the probability of outputting 1 in the experiment is \(\frac{1}{2} \pm \mathsf {negl}(\lambda )\).
B.1 Informal Comparison
RIND-CPA is less suitable than HRA as a replacement for CPA security of proxy reencryption. First and most importantly, HRA better captures the intuitive guarantees of Enc-CPA security for standard encryption. Second, access to an unrestricted \(\mathsf {ReEnc}\) oracle makes RIND-CPA less useful as a testing ground for the development of new techniques. Finally, two idiosyncrasies of the [14] formulation of RIND-CPA security present additional issues.
Capturing Enc-CPA security. In Enc-CPA security for standard encryption, the adversary is able to arbitrarily affect the distribution of plaintext messages. One way of viewing this aspect of the definition is that Enc-CPA requires security while being agnostic as to the true distribution over messages (except that it is efficiently sampleable). Other than choosing the distribution over messages, the adversary is only allowed to see publicly available information (i.e. public keys and parameters) and honestly encrypted ciphertexts. Informally, the Enc-CPA guarantee is that security should hold under normal operating conditions against eavesdropping parties without making distributional assumptions on plaintext messages. However, Enc-CPA makes no guarantees about dishonestly generated or malformed ciphertexts.
HRA security captures this intuitive guarantee better than RIND-CPA. In the course of normal operation of a proxy reencryption, an adversarial party will see reencrypted ciphertexts. These ciphertexts may come at any time—both before and after other ciphertexts whose contents should remain secret. While HRA allows reencryption both before and after the challenge, RIND-CPA restricts the reencryption oracle to the period before the challenge.
HRA makes minimal assumptions about the distribution of plaintext messages by allowing the adversary to choose messages itself, just as in Enc-CPA. RIND-CPA goes further by making requirements in the face of malformed or dishonestly generated ciphertexts.
A testing ground for new techniques. For classical encryption, Enc-CCA security is strictly stronger than Enc-CPA security. In fact, there are many settings where Enc-CPA security is demonstrably insufficient. Why then does the cryptography community continue to study it? There are many answers to this question, but we mention only two. First, although insufficient for some applications, Enc-CPA is useful in others. Second, it is useful as an intermediate goal because it seems to capture a sort of hard core of the general problem of encryption and spurs the development of new techniques.
HRA security enjoys these same features; RIND-CPA does not. As for usefulness for applications, HRA is meaningful in many of the envisioned applications of proxy reencryption—many more than CPA security. Because RIND-CPA restricts the reencryption oracle to the period before the challenge ciphertext, its usefulness in applications is less clear.
The challenge of constructing CCA secure proxy reencryption is the same as the challenge of Enc-CCA secure encryption: namely, dealing with dishonestly generated, possibly malformed ciphertexts. RIND-CPA, by allowing malformed ciphertexts, presents similar challenges as full CCA security.
As for the usefulness of HRA as an intermediate goal towards CCA security, the historical development of proxy reencryption is proof itself. This sounds paradoxical: how can this be true if the notion has only just been introduced in this work? Many of the cryptographers that were targeting CPA security developed schemes that achieve HRA security with only minimal modification. The techniques developed in these constructions were later adapted to achieve CCA security. This suggests that cryptographers’ intuitions for the hard core of reencryption were not flawed, only the formalization of these intuitions as CPA security. HRA security is a better formalization for these intuitions and thus an appropriate intermediate goal for reencryption research.
Idiosyncrasies of the RIND-CPA definition. We mention two unusual properties of the [14] definition. Unlike the adversary’s access to a \(\mathsf {ReEnc}\) oracle, these properties are not inherent in the RIND-CPA concept. It would be easy to propose a modified RIND-CPA definition that did not have these properties (e.g., \(\mathsf {IND\text {-}CCA}_{0,1}\) in [28]).
First, the definition only considers the two-party setting. Much like the informal description of proxy reencryption in Sect. 1, there is only a single uncorrupted key and a single corrupted key. It is easy to show that security in the two-party setting does not imply security in a many-party setting.
Second, not only are inputs to \(\mathsf {ReEnc}\) allowed to be malformed, but the corrupted public key \(\mathsf {pk}^*\) can be malformed as well. The adversary outputs \(\mathsf {pk}^*\) itself and it need not be honestly generated. This makes RIND-CPA security as defined in [14] formally incomparable to all other definitions of proxy reencryption security we know of, including the \(\mathsf {IND\text {-}CCA}_{0,1}\) of [28].
These drawbacks of the [14] definition do not affect the proof of Theorem 7, but neither does the proof depend on them.
B.2 Separating RIND-CPA and HRA Security
The following pair of theorems supports the conclusion that HRA security and RIND-CPA security are incomparable.
Theorem 6
If there exists an HRA secure PRE scheme, then there exists a PRE scheme that is HRA secure but not RIND-CPA secure.
Proof
Suppose \(\mathsf {PRE}\) is HRA secure, and let \(\top \) be a special symbol that is not a valid ciphertext. Define a new scheme \(\mathsf {PRE}'\) by modifying reencryption as follows:
\(\mathsf {PRE}'\) is still HRA secure: \(\mathcal {O}_{\mathsf {ReEnc}'}\) is functionally equivalent to \(\mathcal {O}_\mathsf {ReEnc}\) when restricted to honestly generated ciphertexts.
\(\mathsf {PRE}'\) is not RIND-CPA secure: a single call to \(\mathcal {O}_{\mathsf {ReEnc}'}(i,j,\top )\) (made before the challenge) allows the adversary to learn the reencryption key \(\mathsf {rk}_{i\rightarrow j}\) and thereby decrypt the challenge ciphertext.
Theorem 7
Under the assumptions stated below, there exists a PRE scheme that is RIND-CPA secure but not HRA secure.
The claim assumes the existence of a pair of encryption schemes, \(\mathsf {PRE}\) and \(\mathsf {FHE}\), with the following properties. \(\mathsf {PRE}\) is a RIND-CPA secure proxy reencryption scheme with a ciphertext space \(\mathcal {C}_\mathsf {inner}\). \(\mathsf {FHE}\) is a circuit-private fully homomorphic encryption scheme with message space \(\mathcal {M}_\mathsf {fhe}= \mathcal {C}_\mathsf {inner}\). The message spaces and ciphertext spaces of the two schemes are all disjoint and efficiently decidable. Finally, the additional proxy reencryption scheme \(\mathsf {PRE}_\mathsf {FHE}\) corresponding to the FHE scheme (see Sect. 5.3) is RIND-CPA secure (see Note 10). For simplicity, we also assume perfect correctness of reencryption (for both schemes) and of homomorphic evaluation.
Below we present an intuition for the proof of Theorem 7. The proof is included in the full version [13].
Proof Intuition for Theorem 7. Recall that RIND-CPA security allows the adversary access to an unrestricted \(\mathsf {ReEnc}\) oracle, but only before the challenge ciphertext is generated. The main difficulty in separating RIND-CPA and HRA security is the restriction in the HRA reencryption oracle to honestly generated ciphertexts.
The first idea in our construction is the observation that separating RIND-CPA and HRA security would be easy if it were possible to use the \(\mathsf {Enc}\) oracle to generate a fresh, honest encryption of the challenge plaintext. This fresh encryption could be reencrypted by the HRA reencryption oracle to a corrupted key, revealing the challenge plaintext.
The second idea is to have two layers of encryption, where the message space of the outer layer is equal to the ciphertext space of the inner layer. If the challenge ciphertext comes from the inner layer, then it can be used as input to the \(\mathsf {Enc}\) oracle to generate a new outer ciphertext containing information about the challenge plaintext—namely, an encryption of the challenge ciphertext. The outer ciphertext is honestly generated and can be reencrypted to a corrupt party and decrypted. But it seems we are no better off; decrypting the outer ciphertext only returns the challenge ciphertext still encrypted under the key of an honest party.
The third idea is to modify \(\mathsf {ReEnc}\)—using fully homomorphic encryption—to reencrypt both the outer ciphertext and the inner challenge ciphertext. In addition to the usual reencrypted ciphertext, we augment \(\mathsf {ReEnc}\) to output an additional, doubly reencrypted ciphertext, where both the outer and inner ciphertexts have been reencrypted. If the recipient of the resulting ciphertext is corrupt, the adversary can decrypt both layers and recover the challenge plaintext, violating HRA security.
We now describe the intuition for how to perform double reencryption. Suppose the proxy reencryption scheme used for the outer layer of encryption is also fully homomorphic. Such a scheme can be constructed from any FHE scheme (see Sect. 5.3). Given as input an outer-layer ciphertext \(\mathsf {ct}_\mathsf {outer}= \mathsf {Enc}(\mathsf {ct}_\mathsf {inner})\), \(\mathsf {ReEnc}\) will homomorphically evaluate \(\mathsf {Eval}_\mathsf {fhe}(\mathsf {ReEnc},\mathsf {ct}_\mathsf {outer})\). The result is a (non-reencrypted) outer ciphertext containing a reencrypted inner ciphertext. Then, \(\mathsf {ReEnc}\) reencrypts that outer ciphertext. This produces a reencrypted outer ciphertext containing a reencrypted inner ciphertext.
Violating HRA security is simple: the adversary encrypts the challenge ciphertext, reencrypts it to a corrupted key, then decrypts the doubly-reencrypted component twice to recover the challenge message.
It remains to prove that the constructed PRE scheme is RIND-CPA secure. The homomorphic double-reencryption functionality can be simulated by a sequence of calls to \(\mathsf {Enc}\), \(\mathsf {Dec}\) and \(\mathcal {O}_\mathsf {ReEnc}\), allowing us to analyze the two-layered scheme without the double-reencryption modification to \(\mathsf {ReEnc}\). The RIND-CPA security of that scheme follows directly from the RIND-CPA security of the PRE scheme underlying the two layers.
Copyright information
© 2019 International Association for Cryptologic Research
Cite this paper
Cohen, A. (2019). What About Bob? The Inadequacy of CPA Security for Proxy Reencryption. In: Lin, D., Sako, K. (eds) Public-Key Cryptography – PKC 2019. Lecture Notes in Computer Science, vol 11443. Springer, Cham. https://doi.org/10.1007/978-3-030-17259-6_10
DOI: https://doi.org/10.1007/978-3-030-17259-6_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17258-9
Online ISBN: 978-3-030-17259-6