Non-Transferable Proxy Re-Encryption
A proxy re-encryption (PRE) scheme allows a proxy to reencrypt a ciphertext for Alice (delegator) to a ciphertext for Bob (delegatee) without seeing the underlying plaintext. With the help of the proxy, Alice can delegate the decryption right to any delegatee. However, existing PRE schemes generally suffer from one of the followings. Some schemes fail to provide the non-transferability property in which the proxy and the delegatee can collude to further delegate the decryption right to anyone. Other schemes assume the existence of a fully trusted private key generator (PKG) to generate the re-encryption key to be used by the proxy for encrypting a given ciphertext for a target delegatee. But this poses two problems in PRE schemes: the PKG in their schemes may decrypt all ciphertexts (referred as the key escrow problem) and the PKG can generate re-encryption key for arbitrary delegatees (we refer it as the PKG despotism problem). In this paper, we provide a more satisfactory solution to the problems. We follow the idea of using PKG to generate a re-encryption key to achieve the non-transferability property. To tackle the PKG despotisum problem in our scheme, if the PKG generates a re-encryption key for an unauthorized party, the delegator is able to retrieve the master secret of the PKG. We also show that with a tamper-proof hardware device, we can guarantee that the PKG cannot transfer decryption right to unauthorized delegatee. In addition, we solve the key escrow problem as well.