Non-transitive Bidirectional Proxy Re-encryption Scheme

Abstract

In 1998, Blaze, Bleumer and Strauss proposed two kinds of cryptographic primitives called proxy re-encryption and proxy re-signature\cite{Blaze:98}. In proxy re-encryption, a proxy can transform a ciphertext computed under Alice's public key into one that can be opened under Bob's decryption key. In proxy re-signature, a proxy can transform a signature computed under Alice's secret key into one that can be verified by Bob's public key. They divided the proxy re-cryptography into two kinds: One kind is bidirectional proxy re-cryptography and the other kind is unidirectional proxy re-cryptography. In 2005, Ateniese et al proposed the first unidirectional proxy re-encryption schemes and discussed its several potential applications especially in secure distributed storage\cite{Ateniese:05}. In 2006, they proposed another few re-signature schemes and also discussed its several potential applications\cite{Ateniese:06}. In 2007, Canetti and Hohenberger proposed the first chosen ciphertext secure bidirectional proxy re-encryption schemes\cite{Canetti:07}. In this paper, we show that there exists a security flaw in all the bidirectional proxy re-cryptography schemes proposed until now. Specially, all the bidirectional proxy re-cryptography schemes can not satisfy the non-transitive property. The proxy himself can generate re-encryption key or re-signature key $rk_{a\leftrightarrow c}$ by giving re-encryption key $rk_{a \leftrightarrow b}$ and $rk_{b \leftrightarrow c}$. Thus we propose a new framework for proxy re-encryption. This new framework can bring us two benefits: First, the delegator can now relocate delegation right easily. Second, we can construct bidirectional proxy re-cryptography schemes which are no longer transitive. Based on this framework, we construct a concrete non-transitive proxy re-encryption scheme.