In this letter, we formally present the definition of KDM-CCA1 security in public key setting, which falls in between the existing KDM-CPA and KDM-CCA2 security. We also prove that if a public key encryption scheme is CCA1 secure and has the properties of secret-key multiplication (or addition) homomorphism, and conditioned plaintext-restorability, then it is KDM-CCA1 secure w.r.t. two ensembles of functions that had been used in [15],[17], respectively. For concrete scheme, we show that the (tailored) Damgård's Elgamal scheme achieves this KDM-CCA1 security based on different assumptions.

In a proxy re-encryption (PRE) scheme, a delegator gives a re-encryption key to a semi-trusted proxy, then the proxy can transform the delegator's ciphertexts into one that can be decrypted by a delegatee who is appointed by the delegator. The proxy cannot, however, learn anything about the encrypted messages. At CCS 2007, Canetti and Hohenberger left an interesting open problem of how to design a PRE scheme that is simultaneously unidirectional and multi-hop. This is a rather interesting problem since in some applications we may need this feature, such as in the scenario of email forwarding, a delegatee wants forward his emails that received from the delegator to another delegatee. In this work we design an unidirectional and multi-hop PRE scheme by using multilinear maps. A shortcoming of our scheme is that its security relies on some rather strong assumptions in the setting of multilinear groups.

In this letter, we prove that the Kurosawa-Desmedt (KD) scheme [10], which belongs to the hybrid framework, is KDM-CCA secure w.r.t. an ensemble proposed by Qin et al. in [12] under the decisional Diffie-Hellman assumption. Since our proof does not rely on the random oracle model, we partially answer the question presented by Davies and Stam in [7], where they hope to achieve the KDM-CCA security for hybrid encryption scheme in the standard model (i.e. not random oracle model). Moreover, our result may also make sense in practice since KD-scheme is (almost) the most efficient CCA secure scheme.

Network coding signature (NCS) scheme is a cryptographic tool for network coding against pollution attacks. In [5], Chang et al. first introduced the related-key attack (RKA) to the NCS schemes and tried to give an instantiation of it. However, their instantiation is based on the random oracle (RO) model. In this letter, we present a standard-model instantiation. In particular, we prove that standard-model-based NCS scheme introduced by Boneh et al. in [4] (BFKW scheme, for short) can achieve Φ-RKA security if the underlying signature scheme is also Φ-RKA secure, where Φ is any family of functions defined on signing keys of NCS schemes.

In a proxy re-signatures (PRS) scheme, a semi-trusted proxy is given some information which allows it to translate a user i's signature on a message m into another user j's signature on the same message m. However, the proxy cannot, on it own, compute signatures for either i or j. This notion introduced by Blaze et a. at EUROCRYPT 1998, and then revisited by Ateniese and Hohenberger at CCS 2005. The existence of multi-use unidirectional PRS scheme is an open problem left by AH05. Whereafter, at CCS 2008, Libert and Vergnaud constructed the first multi-use unidirectional PRS scheme. However, there is a major drawback in the LV08 scheme that the size of the signatures is linear in the number of translations. Hence, Libert and Vergnaud said that a more challenging task would be to find out implementations of such primitives where the size of signatures and the verification cost do not grow linearly with the number of translations. In this work we resolve this task by constructing a such PRS scheme in the standard model by using indistinguishability obfuscation. A shortcoming of our construction is that the security is selective but not full.