Non-transitive Bidirectional Proxy Re-encryption Scheme

In 1998, Blaze, Bleumer and Strauss proposed two kinds of cryptographic primitives called proxy re-encryption and proxy re-signature [4]. In proxy re-encryption, a proxy can transform a ciphertext computed under Alice´s public key into one that can be opened under Bob´s decryption key. In proxy re-signature, a proxy can transform a signature computed under Alice´s secret key into one that can be verified by Bob´s public key. They divided the proxy re-cryptography into two kinds: One kind is bidirectional proxy re-cryptography and the other kind is unidirectional proxy re-cryptography. In 2005, Ateniese et al proposed the first unidirectional proxy re-encryption schemes and discussed its several potential applications especially in secure distributed storage [1]. In 2006, they proposed another few re-signature schemes and also discussed its several potential applications [2]. In 2007, Canetti and Hohenberger proposed the first chosen ciphertext secure bidirectional proxy re-encryption schemes [6]. In this paper, we show that there exists a security flaw in all the bidirectional proxy re-cryptography schemes proposed until now. Specially, all the bidirectional proxy re- cryptography schemes can not satisfy the non-transitive property. The proxy himself can generate re-encryption key or re-signature key rk_aharrc by giving re-encryption key rk_aharrb and rk_bharrc. Thus we propose a new framework for proxy re-encryption. This new framework can bring us two benefits: First, the delegator can now relocate delegation right easily. Second, we can construct bidirectional proxy re-cryptography schemes which are no longer transitive. Based on this framework, we construct a concrete non-transitive proxy re-encryption scheme.