You are looking at a specific version 20170821:220417 of this paper.

Paper 2017/785

What about Bob? The Inadequacy of CPA Security for Proxy Reencryption

Aloni Cohen

Abstract

Consider three parties: Alice, Bob, and Polly. Alice keeps some encrypted data that she can decrypt with a secret key known to her. She wants to communicate the data to Bob, but not to Polly (nor anybody else). Assuming Alice knows Bob's public key, how can she communicate the data to him? Proxy reencryption provides an elegant answer: Alice creates a reencryption key that will enable Polly (the proxy) to reencrypt her data for Bob's use, but that will not help Polly learn anything about the data. There are two well-studied notions of security for proxy reencryption schemes: security under chosen-plaintext attacks (CPA) and security under chosen-ciphertext attacks (CCA). Both definitions aim to formalize security against both Polly and Bob. However, we observe that CPA security guarantees much less security against Bob than was previously understood. In particular, CPA security does not prevent Bob from learning Alice's secret key after receiving a single honestly reencrypted ciphertext. In common applications of proxy reencryption, this means that CPA security provides scant guarantees. We propose security under honest-reencryption attacks (PRE-HRA), a new notion intermediate to CPA and CCA that better captures the goals of proxy reencryption. In applications, PRE-HRA security provides much more robust security. We identify a property of proxy reencryption schemes that suffices to amplify CPA security to PRE-HRA security and show that two existing proxy reencryption schemes are in fact PRE-HRA secure.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
reencryption, chosen plaintext security, definitions
Contact author(s)
aloni @ mit edu
History
2018-12-26: last of 6 revisions
2017-08-19: received
Short URL
https://ia.cr/2017/785
License
Creative Commons Attribution
CC BY