Paper 2017/785

What about Bob? The Inadequacy of CPA Security for Proxy Reencryption

Aloni Cohen


In the simplest setting of proxy reencryption, there are three parties: Alice, Bob, and Polly (the proxy). Alice keeps some encrypted data that she can decrypt with a secret key known only to her. She wants to communicate the data to Bob, but not to Polly (nor anybody else). Using proxy reencryption, Alice can create a reencryption key that will enable Polly to reencrypt the data for Bob's use, but which will not help Polly learn anything about the data. There are two well-studied notions of security for proxy reencryption schemes: security under chosen-plaintext attacks (CPA) and security under chosen-ciphertext attacks (CCA). Both definitions aim to formalize the security that Alice enjoys against both Polly and Bob. In this work, we demonstrate that CPA security guarantees much less security against Bob than was previously understood. In particular, CPA security does not prevent Bob from learning Alice's secret key after receiving a single honestly reencrypted ciphertext. We also show that an existing construction of CPA secure proxy reencryption suffers from this type of weakness. As a result, CPA security provides scant guarantees in common applications. We propose security under honest reencryption attacks (HRA), a strengthening of CPA security that better captures the goals of proxy reencryption. In applications, HRA security provides much more robust security. We identify a property of proxy reencryption schemes that suffices to amplify CPA security to HRA security and show that two existing proxy reencryption schemes are in fact HRA secure.

Available format(s)
Public-key cryptography
Publication info
A minor revision of an IACR publication in PKC 2019
reencryptionchosen plaintext securitydefinitions
Contact author(s)
aloni @ mit edu
2018-12-26: last of 6 revisions
2017-08-19: received
See all versions
Short URL
Creative Commons Attribution


      author = {Aloni Cohen},
      title = {What about Bob? The Inadequacy of CPA Security for Proxy Reencryption},
      howpublished = {Cryptology ePrint Archive, Paper 2017/785},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.