Combined proxy re-encryption

Abstract

Among the variants of public key encryption schemes, the proxy re-encryption primitive (PRE) allows a user, say Alice, to decide that a delegate, say Bob, will be able to read her private messages. This is made possible thanks to a third party, the proxy, which is given a re-encryption key to transform a ciphertext intended to Alice into one intended to Bob. Different properties on PRE schemes exist. Some of them are unidirectional and allow the proxy to translate a ciphertext only from Alice to Bob. The other case is called bidirectional and permits the proxy, with only one re-encryption key, to translate from Alice to Bob but also from Bob to Alice. Most of the time, a bidirectional scheme is multi-hop, meaning that a ciphertext can be forwarded several times, and a unidirectional scheme is single-hop, meaning that a ciphertext can be transformed just once. We here investigate the way to design a combined (single/multi hop) PRE scheme which permits both unidirectional singlehop and bidirectional multi-hop. We formalize this concept, give several generic results and finally propose a practical construction. We argue that this case is very interesting in practice to the design of a secure and privacy-preserving cloud storage system, such as defined by Ateniese et al. in 2006, and particularly when the device of a user is lost.