## Abstract

The notion of universal re-encryption is an established primitive used in the design of many anonymity protocols. It allows anyone to randomize a ciphertext without changing its size, without first decrypting it, and without knowing who the receiver is (i.e., not knowing the public key used to create it). By design it prevents the randomized ciphertext from being correlated with the original ciphertext. We revisit and analyze the security foundation of universal re-encryption and show a subtlety in it, namely, that it does not require that the encryption function achieve key anonymity. Recall that the encryption function is different from the re-encryption function. We demonstrate this subtlety by constructing a cryptosystem that satisfies the established definition of a universal cryptosystem but that has an encryption function that does not achieve key anonymity, thereby instantiating the gap in the definition of security of universal re-encryption. We note that the gap in the definition carries over to a set of applications that rely on universal re-encryption, applications in the original paper on universal re-encryption and also follow-on work. This shows that the original definition needs to be corrected and it shows that it had a knock-on effect that negatively impacted security in later work. We then introduce a new definition that includes the properties that are needed for a re-encryption cryptosystem to achieve key anonymity in *both* the encryption function and the re-encryption function, building on Goldwasser and Micali’s “semantic security” and the original “key anonymity” notion of Bellare, Boldyreva, Desai, and Pointcheval. Omitting any of the properties in our definition leads to a problem. We also introduce a new generalization of the Decision Diffie-Hellman (DDH) random self-reduction and use it, in turn, to prove that the original ElGamal-based universal cryptosystem of Golle et al. is secure under our revised security definition.

## Notes

1. See Theorem 1. The gap pertains to the “initial” encryption function, **not** the re-encryption function.
2. i.e., that key anonymity and message indistinguishability both hold for the encryption and re-encryption functions.
3. Per Sect. 2.1 of [26].
4. blog.coinfabrik.com/review-appecoin-alternative-anonymous-cryptocurrency.

## References

Adida, B.: Helios: web-based open-audit voting. In: Proceedings of the Seventeenth Usenix Security Symposium, pp. 335–348 (2008)

Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33

Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054851

Camenisch, J., Lehmann, A.: Privacy-preserving user-auditable pseudonym systems. In: IEEE European Symposium on Security and Privacy (2017)

Camenisch, J., Lysyanskaya, A.: A formal treatment of onion routing. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 169–187. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_11

Danezis, G.: Breaking four mix-related schemes based on universal re-encryption. Int. J. Inf. Sec. **6**(6), 393–402 (2007)

ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_2

Fairbrother, P.: An improved construction for universal re-encryption. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 79–87. Springer, Heidelberg (2005). https://doi.org/10.1007/11423409_6

Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. **28**(2), 270–299 (1984)

Golle, P.: Reputable mix networks. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 51–62. Springer, Heidelberg (2005). https://doi.org/10.1007/11423409_4

Golle, P., Jakobsson, M., Juels, A., Syverson, P.: Universal re-encryption for mixnets. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 163–178. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24660-2_14

Gomułkiewicz, M., Klonowski, M., Kutyłowski, M.: Onions based on universal re-encryption – anonymous communication immune against repetitive attack. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 400–410. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31815-6_32

Groth, J.: Rerandomizable and replayable adaptive chosen ciphertext attack secure cryptosystems. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 152–170. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_9

Halamka, J., Juels, A., Stubblefield, A., Westhues, J.: The security implications of VeriChip cloning. J. Am. Med. Inform. Assoc. **13**(6), 384–396 (2006)

Hohenberger, S., Rothblum, G.N., Shelat, A., Vaikuntanathan, V.: Securely obfuscating re-encryption. J. Cryptol. **24**(4), 694–719 (2011)

Klonowski, M., Kutyłowski, M., Lauks, A., Zagórski, F.: Universal re-encryption of signatures and controlling anonymous information flow. In: WARTACRYPT, pp. 179–188 (2004)

Klonowski, M., Kutyłowski, M., Zagórski, F.: Anonymous communication with on-line and off-line onion encoding. In: Vojtáš, P., Bieliková, M., Charron-Bost, B., Sýkora, O. (eds.) SOFSEM 2005. LNCS, vol. 3381, pp. 229–238. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30577-4_26

Lu, T., Fang, B., Sun, Y., Guo, L.: Some remarks on universal re-encryption and a novel practical anonymous tunnel. In: Lu, X., Zhao, W. (eds.) ICCNMC 2005. LNCS, vol. 3619, pp. 853–862. Springer, Heidelberg (2005). https://doi.org/10.1007/11534310_90

Micali, S., Rackoff, C., Sloan, B.: The notion of security for probabilistic cryptosystems. SIAM J. Comput. **17**(2), 412–426 (1988)

Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: IEEE FOCS 1997, pp. 458–467 (1997)

Peng, K., Nieto, J.M., Desmedt, Y., Dawson, E.: Klein bottle routing: an alternative to onion routing and mix network. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 296–309. Springer, Heidelberg (2006). https://doi.org/10.1007/11927587_25

Prabhakaran, M., Rosulek, M.: Rerandomizable RCCA encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 517–534. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_29

Prabhakaran, M., Rosulek, M.: Homomorphic encryption with CCA security. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 667–678. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_54

Rieback, M.R., Crispo, B., Tanenbaum, A.S.: Uniting legislation with RFID privacy-enhancing technologies. In: Proceedings of the 3rd Conference on Security and Protection of Information–SPI 2005, pp. 15–23 (2005)

Saito, J., Ryou, J.-C., Sakurai, K.: Enhancing privacy of universal re-encryption scheme for RFID tags. In: Yang, L.T., Guo, M., Gao, G.R., Jha, N.K. (eds.) EUC 2004. LNCS, vol. 3207, pp. 879–890. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30121-9_84

Senftleben, M., Bucicoiu, M., Tews, E., Armknecht, F., Katzenbeisser, S., Sadeghi, A.-R.: MoP-2-MoP – mobile private microblogging. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 384–396. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_25

Stadler, M.: Publicly verifiable secret sharing. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 190–199. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_17

Young, A.L., Yung, M.: Semantically secure anonymity: foundations of re-encryption. Cryptology ePrint Archive, Report 2016/341, 29 March 2016. http://eprint.iacr.org/2016/341

## Appendices

### A Proof for Cryptosystem A

Below is the proof of Theorem 1. \(\mathtt {DDHRerand5}\) is covered in Sect. B.

### Proof

Suppose for the sake of contradiction that there exists a successful probabilistic polynomial time USS distinguishing adversary \(\mathcal {A}\) for Cryptosystem A. Adversary \(\mathcal {A}\) is **stateful**. Consider algorithm \(\mathtt {AlgRA}\) that takes as input a Decision Diffie-Hellman problem instance \(((p,q),g,a_0,b_0,c_0)\).

Consider the case that the input is a DH 3-tuple. Clearly \(C_j\) is the ciphertext under public key \(PK_j\) as specified by \(\mathcal {A}\) for \(j=0,1\). It follows from the definition of \(\mathtt {DDHRerand5}\) that \(C_j'\) is a re-encryption of \(C_j\) in accordance with \(\mathtt {URe}\) for \(j=0,1\). Therefore, the input to \(\mathcal {A}\) is drawn from the same set and probability distribution as the input to \(\mathcal {A}\) in USS. Since \(\mathcal {A}\) distinguishes with non-negligible advantage, it follows that \(b = b'\) with probability greater than or equal to \(\frac{1}{2} + \gamma \) where \(\gamma \) is non-negligible in the security parameter.

Now consider the case that the input is not a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) that the 5-tuple \((\theta _j',\theta _j,y_j,\mu _j,\mu _j')\) is uniformly distributed in \(G_{\mathfrak {p}}^5\) for \(j=0,1\). Therefore, \(C_j'\) is uniformly distributed in \(G_{\mathfrak {p}}^2 \times G_{\mathfrak {p}}^2\) for \(j=0,1\). Let \(p_1\) be the probability that \(\mathcal {A}\) responds with \(b' = 0\). Then the probability that \(b = b'\) is \(\frac{1}{2}p_1 + \frac{1}{2}(1-p_1) = \frac{1}{2}\). It follows that \(\mathcal {A}\) has negligible advantage to distinguish in this case. \(\square \)

### B The New Construction: Expanded DDH Self-reduction

We now generalize the DDH random self-reduction to output five values instead of three. This allows us to transform a DDH problem instance into either two DH 3-tuples with a common “public key” or a random 5-tuple, depending on the input problem instance. We utilize this property in our proofs of security in Sect. 7 (granted, this new reduction is given for pragmatic and proof simplicity reasons, and not as an essential issue as are the modeling issues and their correction presented above). We define algorithm \(\mathtt {DDHRerand5}\) as follows. \(\mathtt {DDHRerand5}((p,q),g,x,y,z)\) randomizes a DDH problem instance by choosing the values \(u_1,u_2,v,v',u_1'\ {\in }_U\ [1,q]\) and computing,

**Case 1.** Suppose (*x*, *y*, *z*) is a valid Diffie-Hellman (DH) 3-tuple. Then \(x = g^a\), \(y=g^b\), \(z = g^{ab}\) for some *a*, *b*. It follows that \((x',y',z')\) is also a valid DH 3-tuple. It is straightforward to show that \((x'',y',z'')\) is a valid DH 3-tuple as well.

**Case 2.** Suppose (*x*, *y*, *z*) is not a valid DH 3-tuple. Then \(x=g^a\), \(y=g^b\), \(z=g^{ab+c}\) for some \(c \ne 0\). In this case, \(x' = g^{a'}\), \(y' = g^{b'}\), \(z' = g^{a'b'}g^{cv}\). Since \(c \ne 0\) it follows that \(g^c\) is a generator of \(G_{\mathfrak {p}}\). Also, \(x'' = g^{a''}\), \(y' = g^{b'}\), \(z'' = g^{a''b'}g^{cv'}\).

So, when (*x*, *y*, *z*) is a valid DH 3-tuple then \((x',y',z')\) and \((x'',y',z'')\) are random DH 3-tuples with \(y'\) in common and when (*x*, *y*, *z*) is not a valid DH 3-tuple then the output is a random 5-tuple.
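The two cases can be checked numerically in a toy group. This is an added example, not the paper's code: the formulas for \(\mathtt {DDHRerand5}\) do not appear on this page, so the update rule below is an assumption that extends the classical three-value DDH random self-reduction and satisfies the Case 1 and Case 2 identities above. The group parameters (p = 2039, q = 1019, g = 4), the fixed coins and all function names are constructed for illustration.

```python
import secrets
from typing import NamedTuple, Optional, Tuple

# Constructed toy group: p = 2q + 1 with p and q prime, g of order q.
# Small enough to brute-force discrete logs, so useless for real security.
P, Q, G = 2039, 1019, 4

class Rerand5(NamedTuple):
    x1: int  # x'
    x2: int  # x''
    y1: int  # y' (shared by both output 3-tuples)
    z1: int  # z'
    z2: int  # z''

def ddh_rerand5(p, q, g, x, y, z, coins: Optional[Tuple[int, ...]] = None) -> Rerand5:
    """Assumed 5-output self-reduction; coins = (u1, u2, v, v', u1') in [1, q]."""
    if coins is None:
        coins = tuple(secrets.randbelow(q) + 1 for _ in range(5))
    u1, u2, v, v_p, u1_p = coins
    y1 = y * pow(g, u2, p) % p                      # y' = y * g^u2

    def branch(vv, uu):
        xx = pow(x, vv, p) * pow(g, uu, p) % p      # x^v * g^u
        zz = (pow(z, vv, p) * pow(y, uu, p)
              * pow(x, vv * u2, p) * pow(g, uu * u2, p)) % p
        return xx, zz

    x1, z1 = branch(v, u1)
    x2, z2 = branch(v_p, u1_p)
    return Rerand5(x1, x2, y1, z1, z2)

def dlog(p, q, g, h):
    """Brute-force discrete log; feasible only in the toy group."""
    acc = 1
    for e in range(q):
        if acc == h:
            return e
        acc = acc * g % p
    raise ValueError("element is not in the order-q subgroup")

def dh_defect(p, q, g, x, y, z):
    """Return c with z = g^(ab + c) for x = g^a, y = g^b; 0 iff a DH 3-tuple."""
    a, b, t = (dlog(p, q, g, h) for h in (x, y, z))
    return (t - a * b) % q

def demo(a=17, b=401, c=5, coins=(3, 7, 11, 13, 19)):
    """Return output defects for a DH input and for a non-DH input with offset c."""
    x, y = pow(G, a, P), pow(G, b, P)
    results = []
    for z in (pow(G, a * b, P), pow(G, a * b + c, P)):
        out = ddh_rerand5(P, Q, G, x, y, z, coins)
        results.append((dh_defect(P, Q, G, out.x1, out.y1, out.z1),
                        dh_defect(P, Q, G, out.x2, out.y1, out.z2)))
    return results  # Case 1 keeps defect 0; Case 2 scales c by v and by v'

if __name__ == "__main__":
    print(demo())
```

In Case 2 the two defects are \(cv\) and \(cv'\) modulo \(q\), which are independent and uniform when \(v, v'\) are, matching the page's claim that \(g^c\) generates \(G_{\mathfrak {p}}\) and the output is a random 5-tuple.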

### C Proofs

Below is the proof of Theorem 2.

### Proof

Suppose there exists a probabilistic polynomial time adversary \(\mathcal {A}\) for \(AnonEnc_{\mathcal {A},\varPsi }^{eav}\), an \(\alpha > 0\), and a sufficiently large \(\kappa \), such that \(\mathcal {A}\) succeeds with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^{\alpha }}\). Consider algorithm \(\mathtt {AlgR3}\) that takes as input a DDH problem instance \(((p,q),g,a_0,b_0,c_0)\).

Consider the case that the input is a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) in Appendix B that *c* is an encryption of *m* in accordance with \(\mathtt {UE}\) using \(y_u\) as the public key. Therefore, the input to \(\mathcal {A}\) is drawn from the same set and probability distribution as the input to \(\mathcal {A}\) in Definition 4. It follows that \(u = u'\) with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). So, for random exponents *a* and *b* in [1, *q*], Pr[\(\mathtt {AlgR3}((p,q),g,g^a,g^b,g^{ab}) = \) “true”] \(\ge \frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). Define \(\psi \) = Pr[\(\mathtt {AlgR3}((p,q),g,g^a,g^b,g^{ab}) = \) “true”].

Now consider the case that the input is not a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) that the 5-tuple \((\theta _u',\theta _u,y_u,\mu _u,\mu _u')\) is uniformly distributed in \(G_{\mathfrak {p}}^5\). Therefore, *c* is uniformly distributed in \(G_{\mathfrak {p}}^2 \times G_{\mathfrak {p}}^2\). Let \(p_1\) be the probability that \(\mathcal {A}\) responds with \(u' = 0\). Then the probability that \(u = u'\) is \(\frac{1}{2}p_1 + \frac{1}{2}(1-p_1) = \frac{1}{2}\). So, for randomly chosen exponents *a*, *b*, and *c* in [1, *q*], the probability Pr[\(\mathtt {AlgR3}((p,q),g,g^a,g^b,g^c) = \) “true”] \(= \frac{q^2}{q^3}\psi + (1-\frac{q^2}{q^3})\frac{1}{2}\) \(= \frac{1}{2} + \frac{2\psi -1}{2q}\) which is overwhelmingly close to \(\frac{1}{2}\). \(\square \)

Below is the proof of Theorem 3.

### Proof

Suppose there exists a probabilistic polynomial time adversary \(\mathcal {A}\) for \(AnonReEnc_{\mathcal {A},\varPsi }^{eav}\), an \(\alpha > 0\), and a sufficiently large \(\kappa \) such that \(\mathcal {A}\) succeeds with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^{\alpha }}\). Consider algorithm \(\mathtt {AlgR4}\) that takes as input a Decision Diffie-Hellman problem instance \(((p,q),g,a_0,b_0,c_0)\).

Consider the case that the input is a DH 3-tuple. Clearly \(((\alpha _0,\beta _0),(\alpha _1,\beta _1))\) is the ciphertext under public key \(y_u\) as specified by \(\mathcal {A}\). It follows from the definition of \(\mathtt {DDHRerand5}\) in Appendix B that \(c'\) is a re-encryption of \(((\alpha _0,\beta _0),(\alpha _1,\beta _1))\) in accordance with \(\mathtt {URe}\). Therefore, the input to \(\mathcal {A}\) is drawn from the same set and probability distribution as the input to \(\mathcal {A}\) in Definition 5. It follows that \(u = u'\) with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). So, for random exponents *a* and *b* in [1, *q*], Pr[\(\mathtt {AlgR4}((p,q),g,g^a,g^b,g^{ab}) = \) “true”] \(\ge \frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). Define the value \(\psi \) to be Pr[\(\mathtt {AlgR4}((p,q),g,g^a,g^b,g^{ab}) = \) “true”].

Now consider the case that the input is not a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) that the 5-tuple \((\theta _u',\theta _u,y_u,\mu _u,\mu _u')\) is uniformly distributed in \(G_{\mathfrak {p}}^5\). Therefore, \(c'\) is uniformly distributed in \(G_{\mathfrak {p}}^2 \times G_{\mathfrak {p}}^2\). Let \(p_1\) be the probability that \(\mathcal {A}\) responds with \(u' = 0\). Then the probability that \(u = u'\) is \(\frac{1}{2}p_1 + \frac{1}{2}(1-p_1) = \frac{1}{2}\). So, for randomly chosen exponents *a*, *b*, and *c* in [1, *q*], the probability Pr[\(\mathtt {AlgR4}((p,q),g,g^a,g^b,g^c) = \) “true”] \(= \frac{1}{2} + \frac{2\psi -1}{2q}\). \(\square \)

Below is the proof of Theorem 4.

### Proof

Suppose there exists a probabilistic polynomial time adversary \(\mathcal {A}\) for \(PubKEnc_{\mathcal {A},\varPsi }^{eav}\), an \(\alpha > 0\) and a sufficiently large \(\kappa \), such that \(\mathcal {A}\) succeeds with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^{\alpha }}\). Consider algorithm \(\mathtt {AlgR1}\) that takes as input a DDH problem instance \(((p,q),g,a_0,b_0,c_0)\).

Consider the case that the input is a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) in Appendix B that *c* is an encryption of \(m_b\) according to \(\mathtt {UE}\) using *y* as the public key. Therefore, the input to \(\mathcal {A}\) is drawn from the same set and probability distribution as the input to \(\mathcal {A}\) in Definition 2. It follows that \(b = b'\) with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). So, for random exponents *a* and *b* in [1, *q*], Pr[\(\mathtt {AlgR1}((p,q),g,g^a,g^b,g^{ab}) = \) “true”] \(\ge \frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). Define \(\psi \) = Pr[\(\mathtt {AlgR1}((p,q),g,g^a,g^b,g^{ab}) = \) “true”].

Now consider the case that the input is not a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) that \((\theta ',\theta ,y,\mu ,\mu ')\) is uniformly distributed in \(G_{\mathfrak {p}}^5\). Therefore, *c* is uniformly distributed in \(G_{\mathfrak {p}}^2 \times G_{\mathfrak {p}}^2\). Let \(p_1\) be the probability that \(\mathcal {A}\) responds with \(b' = 0\). Then the probability that \(b = b'\) is \(\frac{1}{2}p_1 + \frac{1}{2}(1-p_1) = \frac{1}{2}\). So, for randomly chosen exponents *a*, *b*, and *c* in [1, *q*], the probability Pr[\(\mathtt {AlgR1}((p,q),g,g^a,g^b,g^c) = \) “true”] \(= \frac{1}{2} + \frac{2\psi -1}{2q}\). \(\square \)

Below is the proof of Theorem 5.

### Proof

Suppose there exists a probabilistic polynomial time adversary \(\mathcal {A}\) for \(PubKReEnc_{\mathcal {A},\varPsi }^{eav}\), an \(\alpha > 0\), and a sufficiently large \(\kappa \), such that \(\mathcal {A}\) succeeds with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^{\alpha }}\). Consider algorithm \(\mathtt {AlgR2}\) that takes as input a DDH problem instance \(((p,q),g,a_0,b_0,c_0)\).

Consider the case that the input is a DH 3-tuple. Clearly \(((\alpha _0,\beta _0),(\alpha _1,\beta _1))\) is the ciphertext of \(m_b\) as specified by adversary \(\mathcal {A}\). It follows from the definition of \(\mathtt {DDHRerand5}\) in Appendix B that \(c'\) is a re-encryption of \(((\alpha _0,\beta _0),(\alpha _1,\beta _1))\) according to \(\mathtt {URe}\). Therefore, the input to \(\mathcal {A}\) is drawn from the same set and probability distribution as the input to \(\mathcal {A}\) in Definition 3. It follows that \(b = b'\) with probability greater than or equal to \(\frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). So, for random exponents *a* and *b* in [1, *q*], Pr[\(\mathtt {AlgR2}((p,q),g,g^a,g^b,g^{ab}) = \) “true”] \(\ge \frac{1}{2} + \frac{1}{{\kappa }^\alpha }\). Define the value \(\psi \) to be Pr[\(\mathtt {AlgR2}((p,q),g,g^a,g^b,g^{ab}) = \) “true”].

Now consider the case that the input is not a DH 3-tuple. It follows from the definition of \(\mathtt {DDHRerand5}\) that \((\theta ',\theta ,y,\mu ,\mu ')\) is uniformly distributed in the set \(G_{\mathfrak {p}}^5\). Therefore, \(c'\) is uniformly distributed in \(G_{\mathfrak {p}}^2 \times G_{\mathfrak {p}}^2\). Let \(p_1\) be the probability that \(\mathcal {A}\) responds with \(b' = 0\). Then the probability that \(b = b'\) is \(\frac{1}{2}p_1 + \frac{1}{2}(1-p_1) = \frac{1}{2}\). So, for randomly chosen exponents *a*, *b*, and *c* in [1, *q*], the probability Pr[\(\mathtt {AlgR2}((p,q),g,g^a,g^b,g^c) = \) “true”] \(= \frac{1}{2} + \frac{2\psi -1}{2q}\). \(\square \)

Theorems 2, 3, 4, and 5 show that Theorem 6 holds.

### D Related Work

Fairbrother sought a more efficient hybrid universal cryptosystem based on \(\mathtt {UCS}\) [8]. Universal re-encryption was used in a protocol to control anonymous information flow, e.g., to prevent spam from being injected into the anonymization network [16]. Onion-based routing and universal re-encryption were leveraged to form hybrid anonymous communication protocols [12, 17]. A circuit-based anonymity protocol was presented based on universal re-encryption [18]. Weaknesses in [12, 16,17,18] were presented in [6]. Golle presented a *reputable mix network* construction based on universal re-encryption [10].

Groth presented a re-randomizable and replayable cryptosystem based on DDH achieving adaptive chosen ciphertext security [13]. The construction and security arguments do not address key anonymity. Prabhakaran and Rosulek presented a construction for a rerandomizable encryption scheme [22] that aims to be CCA-secure under DDH. See also [23]. Re-encryption mix networks are utilized in actual electronic voting systems such as Helios [1]. They are also used in GR.NET’s Zeus system (github.com/grnet/zeus).

There has been more recent work on proxy encryption [15]. In proxy encryption a ciphertext of a message *m* encrypted under Alice’s public key is re-encrypted into a ciphertext of *m* under Bob’s public key. Our setting differs since the receiver’s public key does not change during re-encryption.

The notion of key anonymity was introduced by Bellare, Boldyreva, Desai, and Pointcheval [2]. They formally defined public key cryptosystems that produce ciphertexts that do not reveal the receiver and showed that ElGamal and Cramer-Shoup achieve key anonymity.

The present paper was published in 2016 on e-print [28]. It influenced the privacy-preserving user-auditable pseudonym system of Camenisch and Lehmann [4] who leverage our security definition for incomparable public keys and cite the applicability of our reduction technique from Appendix B. The present paper was also mentioned as a needed building block for universal re-encryption for AppeCoin (Note 4).

## Copyright information

© 2018 Springer Nature Switzerland AG

## About this paper

### Cite this paper

Young, A.L., Yung, M. (2018). Semantically Secure Anonymity: Foundations of Re-encryption. In: Catalano, D., De Prisco, R. (eds) Security and Cryptography for Networks. SCN 2018. Lecture Notes in Computer Science, vol 11035. Springer, Cham. https://doi.org/10.1007/978-3-319-98113-0_14

DOI: https://doi.org/10.1007/978-3-319-98113-0_14

Publisher Name: Springer, Cham

Print ISBN: 978-3-319-98112-3

Online ISBN: 978-3-319-98113-0

eBook Packages: Computer Science (R0)