Notes on a provably-secure certificate-based encryption against malicious CA attacks

Certificate-based encryption (CBE) is a very useful cryptographic primitive which not only simplifies the certificate management in traditional public-key encryption, but also solves the key escrow problem inherent in identity-based encryption. How to construct a provably-secure CBE scheme without using random oracles has been attracting the attentions of the research community. Recently, Lu et al. introduced a CBE scheme and claimed that their scheme is secure against adaptive chosen ciphertext attacks even considering a malicious certification authority (CA). In this paper, we demonstrate that a chosen ciphertext attacker can easily distinguish the challenge ciphertext generated by the challenger according to their security model. Further, the CA can trivially decrypt any entity's ciphertext without knowing the entity's secret key. In addition, we also point out that their security proof has some flaws and give a new CBE scheme secure against malicious CA attacks in the standard model.