International Association
for Cryptologic Research

In Eurocrypt\'98, Blaze et al. introduced the concept of proxy re-encryption (PRE). It allows a semi-trusted proxy to convert a ciphertext originally intended for Alice into one which

can be decrypted by Bob, without the proxy knowing the corresponding plaintext. PRE has found many applications, such as in encrypted e-mail forwarding[8], distributed secure file systems[1,2], multicast[10] cloud computation etc. However, all the PRE schemes until now require the delegator (or the delegator and the delegatee cooperatively) to generate the re-encryption keys. We observe

that this is not the only way to generate the re-encryption keys, the encrypter also has the ability to generate re-encryption keys. Based on this observation, we introduce a new primitive: PRE^{+},

which is almost the same as the traditional PRE except the re-encryption keys generated by the encrypter. Interestingly, this PRE^{+} can be viewed as the dual of the traditional PRE. Compared

with PRE, PRE can easily achieve the non-transferable property and message-level based fine-grained delegation, while these two properties are very desirable in practical applications. We first

categorize PRE^{+} as the single-hop and multi-hop variant and discuss its potential applications, then we give the definition and security model for the single-hop PRE^{+}, construct a concrete scheme and

prove its security. Finally we conclude our paper with many interesting open problems.