Full-grained proxy re-encryption for all circuits

Abstract

In this paper, we proposed a new concept called Full-Grained PRE (FG-PRE) to which a function set $F$ is attached. With FG-PRE, a delegator authorizes the proxy a full-grained re-encryption capability for $F$ with a single re-encryption key $r{k}_{i\to j}$. Then, the proxy can use this single re-encryption key to transform $c{t}^{\left(i\right)}$ encrypting message m for delegator i into an re-encrypted ciphertext $c{t}^{\left(j\right)}$ encrypting $f\left(m\right)$ with arbitrary $f\in F$ for delegatee j. Thus, the proxy has a full-grained (w.r.t. $F$) control of the information that can be transmitted to the delegatee j. This is in sharp contrast to fine-grained PRE (Zhou et al. ASIACRYPT 2023), which has to generate different re-encryption keys to support different functions. In their fine-grained PRE, the number of re-encryption keys generated by delegator and stored by the proxy for $F$ is linear to the size $\left|F\right|$. With our full-grained PRE, a single re-encryption key suffices.

We formalize the syntax of FG-PRE and define $\mathrm{HRA}$ security (security under honest re-encryption attack) and function private $\mathrm{HRA}$ security ($\mathrm{FP}\text{-}\mathrm{HRA}$) for FG-PRE. Compared to the $\mathrm{CPA}$ security (Zhou et al. ASIACRYPT 2023) and the $\mathrm{HRA}$ security (Zhou et al. PKC 2024) defined for the fine-grained PRE, our $\mathrm{HRA}$ security not only allows adversary to obtain re-encryption keys from honest users to corrupted users, but also has an enhancement: we even allow the adversary to query full-grained re-encryptions with f for the challenge ciphertext under the condition $f\left(m_0\right)=f\left(m_1\right)$. We construct a FG-PRE scheme ${\text{FG-PRE}}^{\text{lin}}$ for bounded linear function $F_{\text{lin}}$, enjoying single-hop, unidirectional and non-interactive properties. Our scheme achieves the $\mathrm{HRA}$ security and $\mathrm{FP}\text{-}\mathrm{HRA}$ security and can be tightly reduced to the eDBDH assumption.

Furthermore, we extend our ${\text{FG-PRE}}^{\text{lin}}$ scheme to a new FG-PRE scheme ${{\text{FG-PRE}}^{\prime }}^{\text{circuit}}$, supporting all circuits of bounded-size with the help of randomized encoding technique. We prove that our ${{\text{FG-PRE}}^{\prime }}^{\text{circuit}}$ scheme also has $\mathrm{HRA}$ security and $\mathrm{FP}\text{-}\mathrm{HRA}$ security. With our ${{\text{FG-PRE}}^{\prime }}^{\text{circuit}}$ scheme, the proxy is able to use a single re-encryption key to convert ciphertext under any circuit of polynomial-bounded size.