Comments on Shao-Cao\u27s Unidirectional Proxy Re-Encryption Scheme from PKC 2009

Abstract

In Eurocrypt\u2798, Blaze, Bleumer and Strauss [4] introduced a primitive named proxy re-encryption (PRE), in which a semi-trusted proxy can convert - without seeing the plaintext - a ciphertext originally intended for Alice into an encryption of the same message intended for Bob. PRE systems can be categorized into bidirectional PRE, in which the proxy can transform from Alice to Bob and vice versa, and unidirectional PRE, in which the proxy cannot transforms ciphertexts in the opposite direction. How to construct a PRE scheme secure against chosen-ciphertext attack (CCA) without pairings is left as an open problem in ACM CCS\u2707 by Canetti and Hohenberger [7]. In CANS\u2708, Deng et al. [8] successfully proposed a CCA-secure bidirectional PRE scheme without pairings. In PKC\u2709, Shao and Cao [10] proposed a unidirectional PRE without pairings, and claimed that their scheme is CCA-secure. They compared their scheme with Libert-Vergnaud\u27s pairing-based unidirectional PRE scheme from PKC\u2708, and wanted to indicate that their scheme gains advantages over Libert-Vergnaud\u27s scheme. However, Weng et al. [13] recently pointed out that Shao-Cao\u27s scheme is not CCA-secure by giving a concrete chosen-ciphertext attack, and they also presented a more efficient CCA-secure unidirectional PRE scheme without parings. In this paper, we further point out that, Shao-Cao\u27s comparison between their scheme and Libert-Vergnaud\u27s scheme is unfair, since Shao-Cao\u27s scheme is even not secure against chosen-plaintext attack (CPA) in Libert-Vergnaud\u27s security model