Paper 2009/344

Comments on Shao-Cao's Unidirectional Proxy Re-Encryption Scheme from PKC 2009

Xi Zhang, Min-Rong Chen, and Xia Li

Abstract

In Eurocrypt'98, Blaze, Bleumer and Strauss [4] introduced a primitive named proxy re-encryption (PRE), in which a semi-trusted proxy can convert - without seeing the plaintext - a ciphertext originally intended for Alice into an encryption of the same message intended for Bob. PRE systems can be categorized into bidirectional PRE, in which the proxy can transform from Alice to Bob and vice versa, and unidirectional PRE, in which the proxy cannot transforms ciphertexts in the opposite direction. How to construct a PRE scheme secure against chosen-ciphertext attack (CCA) without pairings is left as an open problem in ACM CCS'07 by Canetti and Hohenberger [7]. In CANS'08, Deng et al. [8] successfully proposed a CCA-secure bidirectional PRE scheme without pairings. In PKC'09, Shao and Cao [10] proposed a unidirectional PRE without pairings, and claimed that their scheme is CCA-secure. They compared their scheme with Libert-Vergnaud's pairing-based unidirectional PRE scheme from PKC'08, and wanted to indicate that their scheme gains advantages over Libert-Vergnaud's scheme. However, Weng et al. [13] recently pointed out that Shao-Cao's scheme is not CCA-secure by giving a concrete chosen-ciphertext attack, and they also presented a more efficient CCA-secure unidirectional PRE scheme without parings. In this paper, we further point out that, Shao-Cao's comparison between their scheme and Libert-Vergnaud's scheme is unfair, since Shao-Cao's scheme is even not secure against chosen-plaintext attack (CPA) in Libert-Vergnaud's security model.