Proxy re-encryption in a stronger security model extended from CT-RSA2012

Proxy re-encryption (PRE) realizes delegation of decryption rights, enabling a proxy holding a re-encryption key to convert a ciphertext originally intended for Alice into an encryption of the same message for Bob, and cannot learn anything about the encrypted plaintext. PRE is a very useful primitive, having many applications in distributed file systems, outsourced filtering of encrypted spam, access control over network storage, confidential email, digital right management, and so on. In CT-RSA2012, Hanaoka et al. proposed a chosen-ciphertext (CCA) security definition for PRE, and claimed that it is stronger than all the previous works. Their definition is a somewhat strengthened variant of the replayable-CCA one, however, it does not fully capture the CCA security notion. In this paper, we present a full CCA security definition which is extended from theirs. We then propose the first PRE scheme with this security in the standard model (i.e. without the random oracle idealization). Our scheme is efficient and relies on mild complexity assumptions in bilinear groups.