Progress in Cryptology – INDOCRYPT 2013

Volume 8250 of the series Lecture Notes in Computer Science pp 1-18

Key-Private Proxy Re-encryption under LWE

  • Yoshinori AonoAffiliated withNICT
  • , Xavier BoyenAffiliated withQueensland University of Technology
  • , Le Trieu PhongAffiliated withNICT
  • , Lihua WangAffiliated withNICT

* Final gross prices may vary according to local VAT.

Get Access


Proxy re-encryption (PRE) is a highly useful cryptographic primitive whereby Alice and Bob can endow a proxy with the capacity to change ciphertext recipients from Alice to Bob, without the proxy itself being able to decrypt, thereby providing delegation of decryption authority. Key-private PRE (KP-PRE) specifies an additional level of confidentiality, requiring pseudo-random proxy keys that leak no information on the identity of the delegators and delegatees.

In this paper, we propose a CPA-secure PK-PRE scheme in the standard model (which we then transform into a CCA-secure scheme in the random oracle model). Both schemes enjoy highly desirable properties such as uni-directionality and multi-hop delegation.

Unlike (the few) prior constructions of PRE and KP-PRE that typically rely on bilinear maps under ad hoc assumptions, security of our construction is based on the hardness of the standard Learning-With-Errors (LWE) problem, itself reducible from worst-case lattice hard problems that are conjectured immune to quantum cryptanalysis, or “post-quantum”.

Of independent interest, we further examine the practical hardness of the LWE assumption, using Kannan’s exhaustive search algorithm coupling with pruning techniques. This leads to state-of-the-art parameters not only for our scheme, but also for a number of other primitives based on LWE published the literature.


proxy re-encryption key privacy learning with errors chosen ciphertext security LWE practical hardness