International Association for Cryptologic Research

CryptoDB

Yunxiao Zhou

Publications and invited talks

Year
Venue
Title
2025
ASIACRYPT
Fine-Grained Re-Encryption between Different Encryption Systems
Proxy re-encryption (PRE) allows a proxy with a re-encryption key rk_{A→B} to transform Alice's ciphertext to Bob's ciphertext without revealing the underlying message. Since its introduction, numerous PRE schemes and variants have been studied, but almost all of them assume that both Alice and Bob use a public-key encryption (PKE) system. However, it is more likely that Alice and Bob use different encryption systems like identity-based encryption (IBE), attribute-based encryption (ABE) and functional encryption (FE). This limitation restricts the broader applicability of PRE. In particular, Döttling and Nishimaki [PKC 2021] leave defining and realizing re-encryptions between different primitives as an open problem. In this paper, we explore the feasibility of re-encryptions across different encryption systems. To this end, we first define a primitive named generalized functional encryption (GFE) that unifies PKE, IBE, ABE and FE, and formalize the syntax and security models for re-encryptions from one GFE to another GFE (GFE_1 → GFE_2). Then, we present two generic constructions of GFE_1 → GFE_2 and show how to instantiate them.
-- The core technical tool underlying our generic constructions is a new variant of functional encryption (FE) named Key-Splittable FE (KSFE), which splits the functional secret key into two pieces and divides the decryption process into two steps. By adapting the FE schemes in [Agrawal et al., CRYPTO 2016], we present three KSFE schemes from the LWE, DDH and DCR assumptions, respectively.
-- With KSFE serving as a core building block, we propose a generic construction that achieves re-encryptions PKE → PKE/IBE/ABE/FE, and another generic construction that achieves re-encryptions FE → PKE/IBE/ABE/FE. By combining the concrete KSFE schemes with existing PKE/IBE/ABE/FE schemes, we can obtain various concrete re-encryption schemes PKE/FE → PKE/IBE/ABE/FE, where FE is for bounded linear functions. This achieves re-encryptions across different encryption systems (PKE/IBE/ABE/FE) for the first time.
-- Our generic construction PKE → PKE/IBE/ABE/FE even achieves fine-grained re-encryptions, where the re-encryption key rk_{A→B}^h is also associated with a function h. With rk_{A→B}^h, Alice's ciphertext encrypting m can be transformed to Bob's ciphertext encrypting h(m), thus achieving a flexible control of message spread by re-encryptions. This extends the recent work of fine-grained PRE [Zhou et al., ASIACRYPT 2023] from PKE to more encryption systems. Our concrete PKE → PKE/IBE/ABE/FE achieves fine-grained re-encryptions w.r.t. bounded linear functions h, the same as the functions supported by [Zhou et al., ASIACRYPT 2023].
As a complement, we also propose a generic construction of PKE/IBE/ABE/FE → PKE/IBE/ABE from garbled circuits, by extending the techniques in [Döttling and Nishimaki, PKC 2021]. This supports arbitrary PKE, IBE, ABE, FE schemes, but only achieves non-fine-grained re-encryption.
Overall, our fine-grained re-encryptions GFE_1 → GFE_2 allow Alice and Bob to use different encryption systems, broadening the applicability of re-encryption techniques to real-world scenarios, and resolving the open problem raised by Döttling and Nishimaki [PKC 2021].
2024
PKC
Multi-Hop Fine-Grained Proxy Re-Encryption
Yunxiao Zhou, Shengli Liu, Shuai Han
Proxy re-encryption (PRE) allows a proxy to transform a ciphertext intended for Alice (delegator) to another ciphertext intended for Bob (delegatee) without revealing the underlying message. Recently, a new variant of PRE, namely fine-grained PRE (FPRE), was proposed in [Zhou et al., Asiacrypt 2023]. Generally, FPRE is designed for a function family F: each re-encryption key rk_{A→B}^f is associated with a function f ∈ F, and with rk_{A→B}^f, a proxy can transform Alice's ciphertext encrypting m to Bob's ciphertext encrypting f(m). However, their scheme only supports single-hop re-encryption and achieves only CPA security. In this paper, we formalize multi-hop FPRE (mFPRE) that supports multi-hop re-encryptions in the fine-grained setting, and propose two mFPRE schemes achieving CPA security and stronger HRA security (security against honest re-encryption attacks), respectively.
-- For multi-hop FPRE, we formally define its syntax and formalize a set of security notions including CPA security, HRA security, unidirectionality and ciphertext unlinkability. HRA security is stronger and more reasonable than CPA security, and ciphertext unlinkability blurs the proxy relations among a chain of multi-hop re-encryptions, hence providing better privacy. We establish the relations between these security notions.
-- Our mFPRE schemes support fine-grained re-encryptions for bounded linear functions and have security based on the learning-with-errors (LWE) assumption in the standard model. In particular, one of our schemes is HRA secure and enjoys all the aforementioned desirable securities. To achieve CPA security and HRA security for mFPRE, we extend the framework of [Jafargholi et al., Crypto 2017] and the technique of [Fuchsbauer et al., PKC 2019].
2023
ASIACRYPT
Fine-Grained Proxy Re-Encryption: Definitions & Constructions from LWE
Proxy re-encryption (PRE) allows a proxy with a re-encryption key to translate a ciphertext intended for Alice (delegator) to another ciphertext intended for Bob (delegatee) without revealing the underlying message. However, with PRE, Bob can obtain the whole message from the re-encrypted ciphertext, and Alice cannot take flexible control of the extent of the message transmitted to Bob. In this paper, we propose a new variant of PRE, called Fine-Grained PRE (FPRE), to support fine-grained re-encryptions. An FPRE is associated with a function family F, and each re-encryption key rk_{A→B}^f is associated with a function f ∈ F. With FPRE, Alice now can authorize re-encryption power to a proxy by issuing rk_{A→B}^f to it, with f chosen by herself. Then the proxy can translate a ciphertext encrypting m to Bob's ciphertext encrypting f(m) with such a fine-grained re-encryption key, and Bob only obtains a function of message m. In this way, Alice can take flexible control of the message spread by specifying functions. For FPRE, we formally define its syntax and formalize security notions including CPA security, ciphertext pseudo-randomness, unidirectionality, non-transitivity, collusion-safety under adaptive corruptions in the multi-user setting. Moreover, we propose a new security notion named ciphertext unlinkability, which blurs the link between a ciphertext and its re-encrypted ciphertext to hide the proxy connections between users. We establish the relations between those security notions. As for constructions, we propose two FPRE schemes, one for bounded linear functions and the other for deletion functions, based on the learning-with-errors (LWE) assumption. Our FPRE schemes achieve all the aforementioned desirable securities under adaptive corruptions in the standard model. As far as we know, our schemes provide the first solution to PRE with security under adaptive corruptions in the standard model.