Chosen-ciphertext secure proxy re-encryption

Ran Canetti*, Susan Hohenberger

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


In a proxy re-encryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a different key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have many practical applications, including distributed storage, email, and DRM. Previously proposed re-encryption schemes achieved only semantic security; in contrast, applications often require security against chosen ciphertext attacks. We propose a definition of security against chosen ciphertext attacks for PRE schemes, and present a scheme that satisfies the definition. Our construction is efficient and based only on the Decisional Bilinear Diffie-Hellman assumption in the standard model. We also formally capture CCA security for PRE schemes via both a game-based definition and simulation-based definitions that guarantee universally composable security. We note that, simultaneously with our work, Green and Ateniese proposed a CCA-secure PRE, discussed herein.

Original languageEnglish
Title of host publicationCCS'07 - Proceedings of the 14th ACM Conference on Computer and Communications Security
Number of pages10
StatePublished - 2007
Externally publishedYes
Event14th ACM Conference on Computer and Communications Security, CCS'07 - Alexandria, VA, United States
Duration: 29 Oct 20072 Nov 2007

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221


Conference14th ACM Conference on Computer and Communications Security, CCS'07
Country/TerritoryUnited States
CityAlexandria, VA


  • Chosen-ciphertext security
  • Encryption
  • Obfuscation
  • Re-encryption


Dive into the research topics of 'Chosen-ciphertext secure proxy re-encryption'. Together they form a unique fingerprint.

Cite this