Direct Constructions of Bidirectional Proxy Re-Encryption with Alleviated Trust in Proxy

In this work, we study (the direct constructions of) bidirectional proxy re-encryption (PRE) with alleviated trust in the proxy, specifically the master secret security (MSS) and the nontransitivity (NT) security, in the standard model, and achieve the following: • A multi-hop MSS-secure bidirectional PRE scheme with security against chosen plaintext attacks (CPA) in the standard model, where the ciphertext remains constant size regardless how many times it has been re-encrypted. To the best of our knowledge, there exists previously no MSS-secure multi-hop bidirectional PRE scheme with constant size of ciphertexts (whether in the random oracle model or not). • A single-hop MSS-secure and non-transitive bidirectional PRE scheme with security against chosen ciphertext attacks (CCA) in the standard model. The CCA-secure scheme is based on the CPA-secure scheme, and particularly employs a new re-encryption key (REK) generation mechanism to which each user makes equal contributions, where a single REK is used in both directions with the same computation so that the proxy needs not to distinguish the transform direction when it re-encrypts ciphertexts. Besides alleviated trust in proxy, single-hop non-transitive bidirectional PRE schemes also enjoy better fine-grained delegate right control (against malicious proxy). The security analysis uses Coron’s technique [Coron, Crypto 2000], which particularly allows adaptive secret-key corruption. Along the way, we also refine and clarify the security models for bidirectional PRE.