## 1 INTRODUCTION

Many applications, such as encrypted email forwarding 1 and distributed file systems 2, 3, require blind ciphertext transformation: a proxy should be able to perform a meaningful transformation from one ciphertext to another without learning the corresponding plaintext. To address this need, Blaze *et al*. 1 proposed a new cryptographic primitive called proxy re-encryption (PRE), in which a semi-trusted proxy holding a re-encryption key *rk* can transform a ciphertext for Alice (the delegator) into a ciphertext for Bob (the delegatee) on the same plaintext, without the proxy learning that plaintext. Their paper classifies PRE schemes along two axes: the direction of transformation and the number of transformations permitted. By direction, PRE schemes are either *bidirectional*, i.e., the proxy can transform from Alice to Bob and *vice versa*, or *unidirectional*, i.e., the proxy can transform in one direction only. By number of transformations, PRE schemes are either *multi-use*, i.e., a ciphertext can be transformed from Alice to Bob to Carol and so on, or *single-use*, i.e., a ciphertext can be transformed only once.

Thanks to this transformation property, PRE has been used in many applications, including encrypted email forwarding 1, key escrow 4, distributed file systems 2, 3, security in publish/subscribe systems 5, multicast 6, secure certified email mailing lists 7, 8, the DRM of Apple's iTunes 9, an interoperable DRM architecture 10, access control 11, and privacy for public transportation 12. Recently, Hohenberger *et al*. 13 showed how to securely obfuscate re-encryption, the first positive result on obfuscating an encryption functionality, in contrast to a series of impossibility results 14–16. As noted in Reference 17, chosen plaintext (CPA) security, which only guarantees that an adversary *without* a decryption oracle cannot distinguish the encryptions of two messages of its choosing, is not enough for many applications. Consider the following PRE-based access control system.

In this access control system there are four entities: the gateway, the central authority, a tamper-resistant smart card, and the user. They play the roles of encryptor, delegator, proxy, and delegatee in PRE, respectively. Initially, the central authority issues the user a smart card holding a re-encryption key *rk* derived from the public keys of the central authority and the user. To access the system, the user sends a login message to the gateway, which responds with a ciphertext under the central authority's public key. The user first uses the smart card to transform this ciphertext into a ciphertext under his own public key, then decrypts it with his own private key and returns the plaintext to the gateway. If the returned plaintext matches the ciphertext the gateway sent, the gateway grants access. This design has two advantages. First, the gateway only needs to know the central authority's public key, which makes it easy to implement. Second, the user accesses the system anonymously, since he reveals nothing about his identity during the access process.

The key point of the above system is how access rights are proved: the user decrypts a random challenge ciphertext with the help of the smart card. However, this opens a *secret-leaking* door to an adversary who sends ciphertexts of its own choosing in the guise of challenges and collects the corresponding plaintexts; the user is, in effect, serving as a decryption oracle. If such an attack revealed the private key, the adversary could access the system, since it could then decrypt the challenges sent to others. Motivated by this and similar applications, PRE schemes should be secure against chosen ciphertext attack, i.e., CCA-secure.

Although many papers 1, 2, 4, 17–20 have proposed PRE schemes with different properties, *only two* of those schemes 17, 20 are CCA-secure. The difficulty in constructing a CCA-secure PRE scheme is providing public verifiability of ciphertexts: the proxy must be able to check a ciphertext's validity before transforming it, which guarantees that the delegatee cannot use the proxy as a decryption oracle. References 17 and 20 obtain public verifiability with a one-time signature and with a signature of knowledge 21, 22, respectively.

Furthermore, many existing PRE schemes, such as those in References 17, 18, suffer from the collusion attack, in which Bob colludes with the proxy to recover Alice's private key. In that case the delegator cannot delegate decryption rights while keeping the signing rights of the same public key, so the non-repudiation of Alice's signatures no longer holds. Consider again the PRE-based access control system above. If the central authority also uses the same private key to sign messages that authorize another kind of user, then a PRE scheme that is vulnerable to the collusion attack cannot be used, since a user could extract the re-encryption key from the smart card by some means and then obtain the central authority's private key. Although the central authority can always use two separate key pairs, one for encryption and one for signatures, collusion resistance is still *theoretically* interesting. To the best of our knowledge, there are only *three* collusion resistant schemes 2, 19, 20, and only the scheme in Reference 20 is CCA-secure.

Many applications require CCA-secure, collusion resistant PRE, yet there is *only one* such scheme to choose from. It is therefore desirable to design more CCA-secure and collusion resistant PRE schemes.

The concept of identity-based cryptography was proposed by Shamir 23: the public key is the user's identity, which resolves several key-distribution issues of traditional public key cryptography. In Reference 18, Green and Ateniese extended the notion of PRE to identity-based encryption (IBE), obtaining ID-based PRE (IBPRE), where the proxy transforms a ciphertext under Alice's identity into a ciphertext under Bob's identity. IBPRE can be applied to secure email with IBE, attribute-based delegation, bridging IBE and PKE, and access control in networked file storage 18. However, to date there is *no* CCA-secure IBPRE scheme 18 and *no* collusion resistant IBPRE scheme.

Given the usefulness of, and the lack of, CCA-secure PRE schemes, CCA-secure and collusion resistant PRE schemes, and CCA-secure and collusion resistant IBPRE schemes, we propose the *first* generic constructions for these three kinds of PRE. Besides yielding a series of schemes of each kind, generic constructions offer the following benefits:

- A real deployment may be distributed and heterogeneous, with different computational settings in use. Some applications use RSA-style computation because it is an industrial standard, while others compute on elliptic curves because they need short parameters. A generic construction adapts to such different situations, while a concrete scheme cannot.
- A generic construction lets the resulting CCA-secure schemes rest on different complexity assumptions, even the computational Diffie-Hellman assumption. We can therefore obtain PRE schemes that are more secure than the existing concrete schemes from the viewpoint of the underlying complexity assumption.
- A generic construction allows new technology to be deployed incrementally. For instance, if the speed of modular exponentiation improves, the improvement applies directly to an instantiation whose computational cost is dominated by modular exponentiation. The same improvement cannot speed up most of the existing CCA-secure schemes 17, 19, which are built on bilinear maps where pairing computation dominates.

However, obtaining generic constructions for these three kinds of PRE raises the following new challenges.

- The methods for public verifiability and collusion resistance must be *universal*: they cannot rely on specific mathematical structures, such as groups in which the computational Diffie-Hellman problem is hard but the decisional Diffie-Hellman problem is easy.
- The existing paradigms for upgrading CPA security to CCA security, such as the FO conversion and the CHK conversion, cannot be used directly to obtain CCA-secure PRE.
- There is no existing paradigm for achieving collusion resistance in any encryption-type cryptographic primitive.

After investigating these challenges and the characteristics of PRE, we make the following observations:

- In PRE, the delegator delegates decryption rights to the delegatee *via* the proxy. In other words, the delegatee and the proxy can certainly cooperate to decrypt the delegator's ciphertexts. A similar situation arises in threshold cryptosystems, where any group of a threshold number of decryption servers can cooperate to decrypt ciphertexts.
- Public verifiability also has a counterpart in CCA-secure threshold cryptosystems: a decryption server checks a ciphertext's validity before performing its partial decryption.
- A natural route to collusion resistance is to decrypt with a decryption key (not the private key) that can be computed from the private key but from which the private key cannot be recovered. A similar situation arises in IBE: the private key generator (PKG), holding the master key, generates each user's private key, but a user cannot recover the master key from his private key.

The first two observations show that we can use a CCA-secure (2, 2) threshold cryptosystem to obtain public verifiability, and the last observation shows that we can use the key management method of IBE to resist the collusion attack. Hence we base our generic constructions on three tools: a CCA-secure (2, 2) threshold cryptosystem, a CCA-secure ID-based (2, 2) threshold cryptosystem, and a CCA-secure 2-level hierarchical ID-based (2, 2) threshold cryptosystem. These yield the generic constructions for CCA-secure PRE, CCA-secure and collusion resistant PRE, and CCA-secure and collusion resistant IBPRE, respectively.

### 1.1 Related work

The first PRE scheme was proposed by Blaze *et al*. 1; it is bidirectional and suffers from collusion attacks. Note that unidirectional PRE is more powerful than bidirectional PRE, since a bidirectional scheme can always be implemented by running a unidirectional one in both directions. Consequently, many researchers have recently tried to design unidirectional PRE. Jakobsson 25 and Zhou *et al*. 26 gave a partial solution with a quorum-based protocol in which the proxy is divided into sub-components. Based on a key sharing technique, Ivan and Dodis 4 proposed a generic construction that converts any public key encryption scheme into a unidirectional PRE scheme. Using a modified Ivan-Dodis key sharing technique, Green and Ateniese 18, Chu and Tzeng 27, Deng *et al*. 24, and Kirtane and Rangan 28 proposed several unidirectional PRE schemes with different properties, such as being ID-based 18, 27 or pairing-free 24, 28. However, none of the above PRE schemes is CCA-secure (see Reference 20) or collusion resistant. To the best of our knowledge, only the scheme in Reference 17 is proven secure against chosen-ciphertext attacks in the standard model, but it is bidirectional and not collusion resistant.

Regarding collusion resistant PRE, the first scheme was proposed by Ateniese *et al*. 2, 3 using pairings; however, it is only CPA-secure. Later, building on Ateniese *et al*.'s scheme, Libert and Vergnaud 19 proposed a replayable chosen-ciphertext (RCCA) secure, collusion resistant, unidirectional PRE scheme in the standard model. Recently, based on the scheme BCP03 29, we proposed the first CCA-secure, collusion resistant, unidirectional PRE scheme, using a signature of knowledge 21, 22 and the Fujisaki–Okamoto conversion 30, 31.

### 1.2 Our contribution

In this paper, we first propose, based on threshold cryptosystems, a generic construction for *CCA-secure*, *single-use*, *unidirectional* PRE. In particular, we treat the delegator (Alice) as the trusted dealer of a (2, 2) threshold cryptosystem, and the proxy and the delegatee (Bob) as its two decryption servers. Provided the underlying (2, 2) threshold cryptosystem is CCA-secure, the resulting unidirectional PRE scheme is CCA-secure. Since many CCA-secure (2, 2) threshold cryptosystems are known, in the random oracle model and in the standard model and under various assumptions, we readily obtain CCA-secure unidirectional PRE schemes in both models under those same assumptions. Note that a CCA-secure (2, 2) threshold cryptosystem cannot be obtained simply by splitting the secret into two shares whose sum (or XOR) is the secret, since such a split provides no public verifiability. Public verifiability is *essential* in threshold cryptosystems; it is a basic requirement for CCA security there 32.

It is easy to see that this generic construction suffers from the collusion attack: the proxy and the delegatee can cooperate to recover the delegator's private key. Fortunately, the key management technique of IBE resists this attack. In particular, the delegator acts as the PKG of an IBE scheme to generate a decryption key corresponding to the receiver's identity, and shares that decryption key (not his private key) between the proxy and the delegatee; the encryption key becomes the pair of the original public key and the receiver's identity. More precisely, the underlying (2, 2) threshold cryptosystem is replaced by an ID-based (2, 2) threshold cryptosystem. As a result we obtain the *first* unidirectional PRE that is CCA-secure and collusion resistant in the standard model, provided the underlying ID-based threshold cryptosystem is CCA-secure in the standard model. By the same method we obtain the *first* CCA-secure, collusion resistant, unidirectional IBPRE schemes in the standard model.
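The following is an added example, not a scheme from this paper, that makes two points of this introduction concrete at once: the challenge-response access control flow and its decryption-oracle abuse (Section 1), and the view of a (2, 2) threshold cryptosystem as a single-use unidirectional PRE together with the collusion attack on the additive split (the two paragraphs above). It is a toy ElGamal over a freshly generated 128-bit safe prime (an assumed, undersized parameter) with the delegator's key split additively, the proxy share given in the clear and the delegatee's share wrapped under the delegatee's public key with a SHA-256 KDF, in the Ivan-Dodis style mentioned in the related work. It deliberately has no public verifiability, so it is exactly the kind of split the paper says is not CCA-secure: `malleability_attack` shows a re-randomised ciphertext passed off as a challenge, and `collude` shows proxy plus delegatee recovering the whole private key. All function names are this example's own.

```python
"""Toy (2,2)-threshold ElGamal used as a single-use, unidirectional PRE (added example).
Alice (delegator) is the dealer; the proxy and Bob (delegatee) are the two decryption
servers.  No public verifiability -> only CPA-secure; additive split -> not collusion
resistant.  Group size and KDF are assumptions chosen for a runnable illustration."""
import hashlib
import secrets

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin with a trial-division prefilter (toy group generation)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=128):
    """Safe prime p = 2q + 1; g = 4 is a quadratic residue, hence has order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = make_group()
NBYTES = (P.bit_length() + 7) // 8

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def random_element():
    """Uniform element of the order-q subgroup (used as the gateway's challenge)."""
    return pow(G, secrets.randbelow(Q), P)

def encrypt(pk, m):
    """Plain ElGamal; m must lie in the order-q subgroup."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), m * pow(pk, k, P) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return c2 * pow(c1, Q - sk, P) % P          # c1^(q-x) = c1^(-x) in the subgroup

def _kdf(shared):
    return int.from_bytes(hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest(), "big")

def _unwrap(sk, wrapped):
    w1, w2 = wrapped
    return w2 ^ _kdf(pow(w1, sk, P))

def rekeygen(sk_alice, pk_bob):
    """Alice as (2,2) dealer: x = x1 + x2 mod q.  The proxy gets x1 in the clear;
    x2 is wrapped under Bob's public key so only Bob can use it."""
    x1 = secrets.randbelow(Q)
    x2 = (sk_alice - x1) % Q
    k = secrets.randbelow(Q - 1) + 1
    return x1, (pow(G, k, P), x2 ^ _kdf(pow(pk_bob, k, P)))

def reencrypt(rk, ct):
    """Proxy = decryption server 1: appends its partial decryption c1^x1.
    Nothing here checks ciphertext validity, which is exactly the CCA gap."""
    x1, wrapped_x2 = rk
    c1, c2 = ct
    return c1, c2, pow(c1, x1, P), wrapped_x2

def decrypt_reencrypted(sk_bob, ct2):
    """Bob = decryption server 2: recovers x2 with his own key and finishes."""
    c1, c2, d1, wrapped_x2 = ct2
    x2 = _unwrap(sk_bob, wrapped_x2)
    return c2 * pow(d1 * pow(c1, x2, P) % P, Q - 1, P) % P   # divide by c1^(x1+x2) = c1^x

def collude(rk, sk_bob):
    """Proxy share + Bob's share = Alice's whole private key (collusion attack)."""
    x1, wrapped_x2 = rk
    return (x1 + _unwrap(sk_bob, wrapped_x2)) % Q

# The challenge-response access control flow from the introduction.
def gateway_challenge(pk_ca):
    m = random_element()
    return m, encrypt(pk_ca, m)

def user_answer(rk_card, sk_user, ct):
    return decrypt_reencrypted(sk_user, reencrypt(rk_card, ct))

def malleability_attack(answer_oracle, target_ct):
    """Decryption-oracle abuse: blind someone else's challenge with g^s, hand it to a
    user as a 'challenge', then unblind the answer to learn the original plaintext."""
    c1, c2 = target_ct
    s = secrets.randbelow(Q - 1) + 1
    blinded_answer = answer_oracle((c1, c2 * pow(G, s, P) % P))
    return blinded_answer * pow(G, Q - s, P) % P

if __name__ == "__main__":
    sk_ca, pk_ca = keygen()
    sk_user, pk_user = keygen()
    rk = rekeygen(sk_ca, pk_user)
    m, ct = gateway_challenge(pk_ca)
    print("honest login ok:", user_answer(rk, sk_user, ct) == m)
    print("colluders get CA key:", collude(rk, sk_user) == sk_ca)
    print("attacker learns challenge:",
          malleability_attack(lambda c: user_answer(rk, sk_user, c), ct) == m)
```

The proxy in `reencrypt` transforms any pair of group elements it is handed, which is what `malleability_attack` exploits; the construction in this paper closes that gap by replacing the unverified additive split with a CCA-secure threshold cryptosystem whose servers check validity first, and closes `collude` by sharing an IBE-style decryption key instead of the private key itself.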

### 1.3 Organization

The rest of the paper is organized as follows. Section 2 reviews the definitions related to our proposal. Section 3 presents our generic construction for CCA-secure PRE together with its security proof and an example instantiation. Section 4 gives extensions of the generic construction, including CCA-secure and collusion resistant (IB)PRE and generalized unidirectional PRE. Section 5 concludes the paper.