Revisiting Proxy Re-encryption: Forward Secrecy, Improved Security, and Applications

  • David Derler
  • Stephan Krenn
  • Thomas Lorünser
  • Sebastian RamacherEmail author
  • Daniel Slamanig
  • Christoph Striecks
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10769)


We revisit the notion of proxy re-encryption (\(\mathsf {PRE}\)), an enhanced public-key encryption primitive envisioned by Blaze et al. (Eurocrypt’98) and formalized by Ateniese et al. (NDSS’05) for delegating decryption rights from a delegator to a delegatee using a semi-trusted proxy. \(\mathsf {PRE}\) notably allows to craft re-encryption keys in order to equip the proxy with the power of transforming ciphertexts under a delegator’s public key to ciphertexts under a delegatee’s public key, while not learning anything about the underlying plaintexts.

We study an attractive cryptographic property for \(\mathsf {PRE}\), namely that of forward secrecy. In our forward-secret \(\mathsf {PRE}\) (fs-\(\mathsf {PRE}\)) definition, the proxy periodically evolves the re-encryption keys and permanently erases old versions while he delegator’s public key is kept constant. As a consequence, ciphertexts for old periods are no longer re-encryptable and, in particular, cannot be decrypted anymore at the delegatee’s end. Moreover, delegators evolve their secret keys too, and, thus, not even they can decrypt old ciphertexts once their key material from past periods has been deleted. This, as we will discuss, directly has application in short-term data/message-sharing scenarios.

Technically, we formalize fs-\(\mathsf {PRE}\). Thereby, we identify a subtle but significant gap in the well-established security model for conventional \(\mathsf {PRE}\) and close it with our formalization (which we dub fs-\(\mathsf {PRE} ^+\)). We present the first provably secure and efficient constructions of fs-\(\mathsf {PRE}\) as well as \(\mathsf {PRE}\) (implied by the former) satisfying the strong fs-\(\mathsf {PRE} ^+\) and \(\mathsf {PRE} ^+\) notions, respectively. All our constructions are instantiable in the standard model under standard assumptions and our central building block are hierarchical identity-based encryption (\(\mathsf {HIBE}\)) schemes that only need to be selectively secure.


Forward secrecy Proxy re-encryption Improved security model 



Supported by H2020 project Prismacloud, grant agreement n\(\circ \)644962 and by H2020 project Credential, grant agreement n\(\circ \)653454. We thank all anonymous reviewers for their valuable comments.


  1. 1.
    Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). CrossRefGoogle Scholar
  2. 2.
    Applebaum, B., Harnik, D., Ishai, Y.: Semantic security under related-key attacks and applications. In: ICS (2011)Google Scholar
  3. 3.
    Ateniese, G., Benson, K., Hohenberger, S.: Key-private proxy re-encryption. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 279–294. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  4. 4.
    Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. In: NDSS (2005)Google Scholar
  5. 5.
    Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 9(1), 1–30 (2006)CrossRefzbMATHGoogle Scholar
  6. 6.
    Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). Google Scholar
  7. 7.
    Bellare, M., Yee, B.: Forward-security in private-key cryptography. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 1–18. Springer, Heidelberg (2003). CrossRefGoogle Scholar
  8. 8.
    Berners-Lee, E.: Improved security notions for proxy re-encryption to enforce access control. In: Latincrypt (2017)Google Scholar
  9. 9.
    Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998). Google Scholar
  10. 10.
    Blazy, O., Bultel, X., Lafourcade, P.: Two secure anonymous proxy-based data storages. In: SECRYPT (2016)Google Scholar
  11. 11.
    Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). CrossRefGoogle Scholar
  12. 12.
    Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005). CrossRefGoogle Scholar
  13. 13.
    Boneh, D., Waters, B.: A fully collusion resistant broadcast, trace, and revoke system. In: CCS (2006)Google Scholar
  14. 14.
    Borceaa, C., Guptaa, A.B.D., Polyakova, Y., Rohloffa, K., Ryana, G.: PICADOR: end-to-end encrypted publish-subscribe information distribution with proxy re-encryption. Future Gener. Comput. Syst. 71, 177–191 (2016)CrossRefGoogle Scholar
  15. 15.
    Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). CrossRefGoogle Scholar
  16. 16.
    Canetti, R., Hohenberger, S.: Chosen-ciphertext secure proxy re-encryption. In: CCS (2007)Google Scholar
  17. 17.
    Canetti, R., Raghuraman, S., Richelson, S., Vaikuntanathan, V.: Chosen-ciphertext secure fully homomorphic encryption. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 213–240. Springer, Heidelberg (2017). CrossRefGoogle Scholar
  18. 18.
    Chandran, N., Chase, M., Liu, F.-H., Nishimaki, R., Xagawa, K.: Re-encryption, functional re-encryption, and multi-hop re-encryption: a framework for achieving obfuscation-based security and instantiations from lattices. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 95–112. Springer, Heidelberg (2014). CrossRefGoogle Scholar
  19. 19.
    Chandran, N., Chase, M., Vaikuntanathan, V.: Functional re-encryption and collusion-resistant obfuscation. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 404–421. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  20. 20.
    Cohen, A.: What about Bob? The inadequacy of CPA security for proxy re-encryption. Cryptology ePrint Archive, Report 2017/785 (2017)Google Scholar
  21. 21.
    Cohen, A., Holmgren, J., Nishimaki, R., Vaikuntanathan, V., Wichs, D.: Watermarking cryptographic capabilities. In: STOC (2016)Google Scholar
  22. 22.
    Delerablée, C.: Identity-based broadcast encryption with constant size ciphertexts and private keys. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 200–215. Springer, Heidelberg (2007). CrossRefGoogle Scholar
  23. 23.
    Fan, X., Liu, F.H.: Proxy re-encryption and re-signatures from lattices. Cryptology ePrint Archive, Report 2017/456 (2017)Google Scholar
  24. 24.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC (2009)Google Scholar
  25. 25.
    Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002). CrossRefGoogle Scholar
  26. 26.
    Green, M., Ateniese, G.: Identity-based proxy re-encryption. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 288–306. Springer, Heidelberg (2007). CrossRefGoogle Scholar
  27. 27.
    Green, M.D., Miers, I.: Forward secure asynchronous messaging from puncturable encryption. In: IEEE S&P (2015)Google Scholar
  28. 28.
    Günther, C.G.: An identity-based key-exchange protocol. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 29–37. Springer, Heidelberg (1990). Google Scholar
  29. 29.
    Günther, F., Hale, B., Jager, T., Lauer, S.: 0-RTT key exchange with full forward secrecy. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 519–548. Springer, Cham (2017). CrossRefGoogle Scholar
  30. 30.
    Hanaoka, G., Kawai, Y., Kunihiro, N., Matsuda, T., Weng, J., Zhang, R., Zhao, Y.: Generic construction of chosen ciphertext secure proxy re-encryption. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 349–364. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  31. 31.
    Hohenberger, S., Rothblum, G.N., Shelat, A., Vaikuntanathan, V.: Securely obfuscating re-encryption. J. Cryptol. 24, 694–719 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  32. 32.
    Libert, B., Vergnaud, D.: Tracing malicious proxies in proxy re-encryption. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 332–353. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  33. 33.
    Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 360–379. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  34. 34.
    Libert, B., Vergnaud, D.: Unidirectional chosen-ciphertext secure proxy re-encryption. IEEE Trans. Inf. Theory 57, 1786–1802 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  35. 35.
    Myers, S., Shull, A.: Efficient hybrid proxy re-encryption for practical revocation and key rotation. Cryptology ePrint Archive, Report 2017/833 (2017)Google Scholar
  36. 36.
    Polyakov, Y., Rohloff, K., Sahu, G., Vaikuntanathan, V.: Fast proxy re-encryption for publish/subscribe systems. ACM Trans. Priv. Secur. 20(4), 14 (2017)CrossRefGoogle Scholar
  37. 37.
    Ren, Y., Gu, D., Wang, S., Zhang, X.: Hierarchical identity-based proxy re-encryption without random oracles. Int. J. Found. Comput. Sci. 21(6), 1049–1063 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  38. 38.
    Sakai, R., Furukawa, J.: Identity-based broadcast encryption. IACR Cryptology ePrint Archive (2007)Google Scholar
  39. 39.
    Tang, Q.: Type-based proxy re-encryption and its construction. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 130–144. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  40. 40.
    Tessaro, S., Wilson, D.A.: Bounded-collusion identity-based encryption from semantically-secure public-key encryption: generic constructions with short ciphertexts. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 257–274. Springer, Heidelberg (2014). CrossRefGoogle Scholar
  41. 41.
    Weng, J., Yang, Y., Tang, Q., Deng, R.H., Bao, F.: Efficient conditional proxy re-encryption with chosen-ciphertext security. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 151–166. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  42. 42.
    Xu, P., Xu, J., Wang, W., Jin, H., Susilo, W., Zou, D.: Generally hybrid proxy re-encryption: a secure data sharing among cryptographic clouds. In: AsiaCCS (2016)Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • David Derler
    • 1
  • Stephan Krenn
    • 2
  • Thomas Lorünser
    • 2
  • Sebastian Ramacher
    • 1
    Email author
  • Daniel Slamanig
    • 2
  • Christoph Striecks
    • 2
  1. 1.IAIKGraz University of TechnologyGrazAustria
  2. 2.AIT Austrian Institute of TechnologyViennaAustria

Personalised recommendations