| Abstract: |
Proxy re-encryption (PRE) allows a proxy with a re-encryption key rk_{A→B} to transform Alice's ciphertext to Bob's ciphertext without revealing the underlying message. Since its introduction, numerous PRE schemes and variants have been studied, but almost all of them assume that both Alice and Bob use a public-key encryption (PKE) system.
However, it is more likely that Alice and Bob use different encryption systems like identity-based encryption (IBE), attribute-based encryption (ABE) and functional encryption (FE). This limitation restricts the broader applicability of PRE. In particular, Döttling and Nishimaki [PKC 2021] leave defining and realizing re-encryptions between different primitives as an open problem.
In this paper, we explore the feasibility of re-encryptions across different encryption systems. To this end, we first define a primitive named generalized functional encryption (GFE) that unifies PKE, IBE, ABE and FE, and formalize the syntax and security models for re-encryptions from one GFE to another GFE (GFE_1 → GFE_2). Then, we present two generic constructions of GFE_1 → GFE_2 and show how to instantiate them.
-- The core technical tool underlying our generic constructions is a new variant of functional encryption (FE) named {\it Key-Splittable} FE (KSFE), which splits the functional secret key into two pieces and divides the decryption process into two steps. By adapting the FE schemes in [Agrawal et al., CRYPTO 2016], we present three KSFE schemes from the LWE, DDH and DCR assumptions, respectively.
-- With KSFE serving as a core building block, we propose a generic construction that achieves re-encryptions PKE → PKE/IBE/ABE/FE, and another generic construction that achieves re-encryptions FE → PKE/IBE/ABE/FE.
By combining the concrete KSFE schemes with existing PKE/IBE/ ABE/FE schemes, we can obtain various concrete re-encryption schemes PKE/FE → PKE/IBE/ABE/FE, where FE is for bounded linear functions. This achieves re-encryptions across different encryption systems (PKE/IBE/ABE/FE) {\it for the first time}.
-- Our generic construction PKE → PKE/IBE/ABE/FE even achieves {\it fine-grained} re-encryptions, where the re-encryption key rk_{A→B}^h is also associated with a function h. With rk_{A→B}^h, Alice's ciphertext encrypting m can be transformed to Bob's ciphertext encrypting h(m), thus achieving a flexible control of message spread by re-encryptions. This extends the recent work of fine-grained PRE [Zhou et al., ASIACRYPT 2023] from PKE to more encryption systems. Our concrete PKE → PKE/IBE/ABE/FE achieves fine-grained re-encryptions w.r.t. bounded linear functions h, the same as the functions supported by [Zhou et al., ASIACRYPT 2023].
As a complement, we also propose a generic construction of PKE/IBE/ABE/FE → PKE/IBE/ABE from garbled circuits, by extending the techniques in [Döttling and Nishimaki, PKC 2021]. This supports arbitrary PKE, IBE, ABE, FE schemes, but only achieves {\it non-fine-grained} re-encryption.} Overall, our fine-gained re-encryptions GFE_1 → GFE_2 allow Alice and Bob to use different encryption systems, broadening the applicability of re-encryption techniques to real-world scenarios, and resolving the open problem raised by Döttling and Nishimaki [PKC 2021]. |
