Combined Proxy Re-encryption

Abstract

Among the variants of public key encryption schemes, the proxy re-encryption primitive (PRE) allows a user, say Alice, to decide that a delegate, say Bob, will be able to read her private messages. This is made possible thanks to a third party, the proxy, which is given a re-encryption key to transform a ciphertext intended to Alice into one intended to Bob. Different properties on PRE schemes exist. Some of them are unidirectional and allow the proxy to translate a ciphertext only from Alice to Bob. The other case is called bidirectional and permits the proxy, with only one re-encryption key, to translate from Alice to Bob but also from Bob to Alice. Most of the time, a bidirectional scheme is multi-hop, meaning that a ciphertext can be forwarded several times, and a unidirectional scheme is single-hop, meaning that a ciphertext can be transformed just once. We here investigate the way to design a combined (single/multi hop) PRE scheme which permits both unidirectional single-hop and bidirectional multi-hop. We formalize this concept, give several generic results and finally propose a practical construction. We argue that this case is very interesting in practice to the design of a secure and privacy-preserving cloud storage system, such as defined by Ateniese et al. in 2006, and particularly when the device of a user is lost.

Appendices

A Proof of Lemma 1

We recall that Lemma 1 states that if \(\mathcal {C}\) is a secure combined Combined-PRE scheme, then \(\mathcal {U}\) is a secure unidirectional PRE and both \(\mathcal {B}_1\) and \(\mathcal {B}_2\) are secure BPRE.

It is obvious that if \(\mathcal {C}\) verifies the IND-CCA security of \(\mathsf {Enc}_1\), \(\mathsf {Enc}_2\) and \(\mathsf {ReEnc}\), then the underlying PRE scheme \(\mathcal {U}\) (resp. \(\mathcal {B}_1\) and \(\mathcal {B}_2\)) is also secure. An adversary against \(\mathcal {U}\) (resp. \(\mathcal {B}_1\) and \(\mathcal {B}_2\)) can be used to design an adversary against \(\mathcal {C}\). In a nutshell, this is done by simply forwarding the parameters, requests and answers to oracles between the adverary against \(\mathcal {U}\) (resp. \(\mathcal {B}_1\) and \(\mathcal {B}_2\)) and the challenger related to \(\mathcal {C}\). We have the following associations: (i) IND-CCA of \(\mathcal {U}\) related to \(\mathsf {Enc}_1\) (resp. \(\mathsf {Enc}_2\)) \(\longrightarrow \) IND-CCA of \(\mathcal {C}\) related to \(\mathsf {Enc}_1\) (resp. \(\mathsf {Enc}_2\)) with \(\ell =0\) (resp. \(\ell '=0\)); (ii) IND-CCA of \(\mathcal {U}\) related to \(\mathsf {ReEnc}\) \(\longrightarrow \) IND-CCA of \(\mathcal {C}\) related to \(\mathsf {ReEnc}\) with \(\ell =\ell '=0\); and (iii) IND-CCA of \(\mathcal {B}_1\) (resp. \(\mathcal {B}_2\)) \(\longrightarrow \) IND-CCA of \(\mathcal {C}\) related to \(\mathsf {Enc}_1\) (resp. \(\mathsf {Enc}_2\)) with \(\ell \ne 0\) (resp. \(\ell '\ne 0\)).   \(\square \)

B Generic Results on Combined-PRE

1.1 B.1 Definition of a BPRE

Definition of a BPRE. A BPRE scheme consists of the algorithms \((\mathsf{Setup}\), \({\mathsf {KeyGen}}\), \({\mathsf {ReKeyGen}}\), \({\mathsf {Enc}}\), \({\mathsf {ReEnc}}\), \({\mathsf {Decrypt}})\) defined as in Sect. 2. The IND-RCCA experiment is given as follows, where \(\mathcal {O}_B=\{\mathsf{ODec}\), \(\mathsf{OReKG}\), \(\mathsf{OReEnc}\), \(\mathsf {OSecKey}\}\) (with the “\(\mathsf{Obi }\)” oracles as defined in Sect. 2.2) and \(\mathsf {cond}_B\) states that the key \(pk_{i_\ell }\) should be a key of an uncorrupted user (meaning that \(pk_{i_\ell }\) has not been queried on input of \(\mathsf{OSecKey})\). First, execute \(\mathcal {PP} \leftarrow \mathsf{PGen }(\kappa ,n)\) and states \(\> \delta \xleftarrow {\$}\{0,1\}\). Then, \((m_0\), \(m_1\), \(\{pk_{i_j}\}_{j=1..\ell }\), \(st)\leftarrow \mathcal {A}_f^{\mathcal {O}_B}(\mathcal {PP})\). If \(\mathsf {cond}_B\), return \(\perp \). Else, \(C_1\leftarrow \mathsf {Enc}(pk_{i_1},m_\delta )\) and \(\forall j\in [2,\ell ]\), \(C_j\leftarrow \mathsf {ReEnc}(R_\mathsf{i _{j-1}\leftrightarrow \mathsf i _j},C_{j-1})\). Finally, we have \(\delta '\leftarrow \mathcal {A}_g^{\widetilde{\mathcal {O}}_B}(st,C_{\ell })\) and the experiment returns \((\delta '=\delta )\). The version \(\widetilde{\mathcal {O}}_B\) is defined such that (i) \(\mathcal {A}_g\) should not query \(pk_{i_\ell }\) to \(\mathsf{OSecKey}\), (ii) there is no path of re-encryption keys coming from \(\mathsf {OReKG}\) from \(pk_{i_\ell }\) to a corrupted \(pk^*\), (iii) \(\mathcal {A}_g\) should not query a decryption of the challenge ciphertext \(C_\ell \) using \(\mathsf{ODec}\) and (iv) \(\mathcal {A}_g\) is not allowed to query to \(\mathsf{ODec}\) a ciphertext \(C'\) for an honest entity such that \(\mathsf{Dec(sk,C')}\in \{m_0,m_1\}\).

1.2 B.2 BPRE + UPRE Combined-PRE?

We point out the reasons why the reciprocity seems to be wrong in general. Consider a UPRE \(\mathcal {U}=\{\mathsf {Setup}\), \(\mathsf {KeyGen}\), \(\mathsf {Uni.ReKG}\), \(\mathsf {Enc}_1\), \(\mathsf {Enc}_2\), \(\mathsf {Uni.ReEnc}\), \(\mathsf {Dec}_1\), \(\mathsf {Dec}_2\}\) and two BPRE \(\mathcal {B}_1=\{\mathsf {Setup}\), \(\mathsf {KeyGen}\), \(\mathsf {Bi.ReKG}_1\), \(\mathsf {Enc}_1\), \(\mathsf {Bi.ReEnc}_1\), \(\mathsf {Dec}_1\}\) and \(\mathcal {B}_2=\{\mathsf {Setup}\), \(\mathsf {KeyGen}\), \(\mathsf {Bi.ReKG}_2\), \(\mathsf {Enc}_2\), \(\mathsf {Bi.ReEnc}_2\), \(\mathsf {Dec}_2\}\).

It is first obvious that the combination of the three above schemes does not necessarily give a correct Combined-PRE scheme since there may be some non compatible transitions. More precisely, ciphertexts would not necessarily be compatible in the sense that the ciphertext formats corresponding to the two BPRE would not be compatible to level 1 ciphertext and level 2 ciphertext (respectively) of the UPRE.

Then, regarding security, we suppose having a black-box adversary against the Combined-PRE and we try to use it to break e.g. the IND-CCA security of the BPRE scheme. For this purpose, we need to simulate all the oracles of the adversary against the Combined-PRE, including the generation of re-encryption keys. However, in some cases (mainly the case of a re-encryption key from an uncorrupted to a corrupted user), we will not be able to create such key that will be coherent with the unknown keys related to the BPRE scheme (we need for the above example the secret key of an uncorrupted user). One may think of decreasing the power of the adversary by giving it only some “relevant” keys instead of all possible ones (such as defined in Sect. 2). But this leads to a less powerful adversary that will not necessarily be relevant in most practical cases. However, we show below that it exists an alternative way to design a secure Combined-PRE using one BPRE, but with some additional work.

1.3 B.3 BPRE + encrypted token \(\Longrightarrow \) Combined-PRE

Our generic scheme. Let \(\kappa \) be a security parameter. Suppose we have three secure BPRE schemes \(\mathsf{Bi_f}\), \(\mathsf{Bi_s}\) and \(\mathsf{Bi_r}\) with the following algorithms: \((\mathsf{Setup}\), \({\mathsf {KeyGen}}\), \({\mathsf {ReKeyGen}}\), \({\mathsf {Enc}}\), \({\mathsf {ReEnc}}\), \({\mathsf {Decrypt}})\) (see Appendix B.1). We moreover ask that (i) the space of secret key of \(\mathsf{Bi_s}\) is included in the space of plaintext of \(\mathsf{Bi_r}\) and (ii) the space of ciphertext of \(\mathsf{Bi_s}\) is included in the space of plaintext of \(\mathsf{Bi_f}\).

• \(\mathsf{Setup }(\kappa )\): run \({\mathsf {Bi_f.Setup}}(\kappa )\), \({\mathsf {Bi_s.Setup}}(\kappa )\) and \({\mathsf {Bi_r.Setup}}(\kappa )\) to create \(\mathcal {P}=(\mathcal {P}_f,\mathcal {P}_s,\mathcal {P}_r)\).

• \(\mathsf{KeyGen }(\mathcal {P})\): this algorithm first runs \({\mathsf {Bi_s.KeyGen}}(\mathcal {P}_s)\) (for the second level ciphertexts), then \({\mathsf {Bi_f.KeyGen}}(\mathcal {P}_f)\) and finally \({\mathsf {Bi_r.KeyGen}}(\mathcal {P}_r)\) to obtain the secret key \(sk=(sk_f,sk_s,sk_r)\) and the public one \(pk=(pk_f,pk_s,pk_r)\).

• \(\mathsf{Uni.ReKG}(\mathcal {P},sk_i,pk_\mathsf i )\): on input \(i\)’s private key \(sk_i\) and \(\mathsf i \)’s public key \(pk_\mathsf i \), this algorithm generates the unidirectional re-encryption key \(R_{i\rightarrow \mathsf i }\) as follows. It creates a new virtual entity “\(i\mathsf i \)” and run \({\mathsf {Bi_s.KeyGen}}(\kappa )\) to obtain \((sk_{i\mathsf i },pk_{i\mathsf i })\) and computes \(R_{i\leftrightarrow i\mathsf i ,s}={\mathsf {Bi_s.ReKG}}(\mathcal {P}_s,sk_{i,s},sk_{i\mathsf i })\). It runs \(R_{i,\mathsf i }={\mathsf {Bi_r.Enc}}(\mathcal {P}_r,pk_\mathsf{i ,r},sk_{i\mathsf i })\) as the encryption of \(sk_{i\mathsf i }\) and the unidirectional re-encryption key is \(R_{i\rightarrow \mathsf i }=(R_{i\leftrightarrow i\mathsf i ,s},R_{i,\mathsf i },pk_\mathsf{i ,f})\).

• \(\mathsf{Bi.ReKG_1}(\mathcal {P},sk_\mathsf i ,sk_\mathsf j )\): on input \(\mathsf i \)’s secret key \(sk_\mathsf i \) and \(\mathsf j \)’s secret key \(sk_\mathsf j \), this algorithm runs \({\mathsf {Bi_f.ReKG}}(\mathcal {P}_f,sk_\mathsf{i ,f},sk_\mathsf{j ,f})\) and \({\mathsf {Bi_r.ReKG}}(\mathcal {P},sk_\mathsf{i ,r},sk_\mathsf{j ,r})\) to obtain respectively \(R_\mathsf{i \leftrightarrow \mathsf j ,f}\) and \(R_\mathsf{i \leftrightarrow \mathsf j ,r}\). Then it outputs \(R_\mathsf{i \leftrightarrow \mathsf j ,1}=(R_\mathsf{i \leftrightarrow \mathsf j ,f},R_\mathsf{i \leftrightarrow \mathsf j ,r})\).

• \(\mathsf{Bi.ReKG_2}(\mathcal {P},sk_i,sk_j)\): on input \(i\)’s secret key \(sk_i\) and \(j\)’s secret key \(sk_j\), this algorithm runs \({\mathsf {Bi_s.ReKG}}(\mathcal {P}_s,sk_{i,s},sk_{j,s})\) to compute and output \(R_{i\leftrightarrow j,2}\).

• \(\mathsf{Enc_1}(\mathcal {P},pk,m)\): on input a user public key \(pk\) and a plaintext \(m\) belonging to the space of plaintext of the \(\mathsf{Bi_f}\) scheme, this algorithm generates a first level ciphertext of \(m\) as follows. It creates a new virtual entity \(\mathsf{tmp }\) and run \((sk_\mathsf{tmp },pk_\mathsf{tmp })={\mathsf {Bi_s.KeyGen}}(\kappa )\) and then encrypts (i) \(m\) with the virtual public key as \(T={\mathsf {Bi_s.Enc}}(\mathcal {P}_s,pk_\mathsf{tmp },m)\), (ii) the above resulting ciphertext with the user’s public key as \({\mathsf {Bi_f.Enc}}(\mathcal {P}_f,pk_{r},T)\) to obtain \(C_1'\) and (iii) the virtual secret key as \(R'={\mathsf {Bi_r.Enc}}(\mathcal {P}_r,pk_r,sk_\mathsf{tmp })\). It outputs the first level ciphertext \(C'=(C_1',R')\).

• \(\mathsf{Enc_2}(\mathcal {P},pk,m)\): on input a user public key \(pk\) and a plaintext \(m\) belonging to the space of plaintext of the \(\mathsf{Bi_s}\) scheme, this algorithm simply runs \({\mathsf {Bi_s.Enc}}(\mathcal {P}_s,pk_s,m)\) to obtain \(C\) and outputs it as a second level ciphertext of \(m\) intended to \(pk\).

• \(\mathsf{Uni.ReEnc}(\mathcal {P},R_{i\rightarrow \mathsf i },C_i)\): on input a unidirectional re-encryption key \(R_{i\rightarrow \mathsf i }=(R_{i\leftrightarrow i\mathsf i ,s},R_{i,\mathsf i },pk_\mathsf{i ,f})\) and a second level ciphertext \(C_i\), it works as follows. It first re-encrypts \(C_i\) to obtain a ciphertext w.r.t. \(\mathcal {P}_s\) and the virtual public key contained in \(R_{i\rightarrow \mathsf i }\) as \(T={\mathsf {Bi_s.ReEnc}}(\mathcal {P}_s,R_{i\leftrightarrow i\mathsf i ,s},C_i)\). It then encrypts \(T\) (to obtain a security without non-natural restrictions) as for the \(\mathsf{Enc_1}\) procedure, as \(C'_1={\mathsf {Bi_f.Enc}}(\mathcal {P}_f,pk_\mathsf{i ,f},T)\) and retrieves the encrypted virtual secret key from the re-encryption key (\(R'=R_{i,\mathsf i }\)) and output the first level ciphertext \(C'=(C'_1,R')\).

• \(\mathsf{Bi.ReEnc_1}(\mathcal {P},R_\mathsf{i \leftrightarrow \mathsf j ,1},C_\mathsf i ')\): on input a bidirectional re-encryption key \(R_\mathsf{i \leftrightarrow \mathsf j ,1}\) and a first level ciphertext \(C_\mathsf i '=(C_\mathsf{i ,1}',R_\mathsf i ')\), it works as follows. It computes \(C_\mathsf{j ,1}'={\mathsf {Bi_f.ReEnc}}(\mathcal {P}_f,R_\mathsf{i \leftrightarrow \mathsf j ,f},C_\mathsf{i ,1}')\) and \(R_\mathsf j '={\mathsf {Bi_r.ReEnc}}(\mathcal {P}_r,R_\mathsf{i \leftrightarrow \mathsf j ,r},R_\mathsf i ')\) and outputs the first level ciphertext \(C_\mathsf j '=(C_\mathsf{j ,1}',R_\mathsf j ')\).

• \(\mathsf{Bi.ReEnc_2}(\mathcal {P},R_{i\leftrightarrow j,2},C_i)\): on input a bidirectional re-encryption key \(R_{i\leftrightarrow j,2}\) and a second level ciphertext \(C_i\), it executes \({\mathsf {Bi_s.ReEnc}}(\mathcal {P}_s,R_{i\leftrightarrow j,2},C_i)\) to obtain the second level ciphertext \(C_j\).

• \(\mathsf{Dec_1}(\mathcal {P},sk,C')\): On input \(\mathcal {P}=(\mathcal {P}_f,\mathcal {P}_s,\mathcal {P}_r)\) and \(sk=(sk_f,sk_s,sk_r)\) and a first level ciphertext \(C'=(C_1',R')\), it works as follows. It retrieves \(T={\mathsf {Bi_f.Dec}}(\mathcal {P}_f,sk_f,C_1')\), computes \(sk_\mathsf{tmp }={\mathsf {Bi_r.Dec}}(\mathcal {P}_r,sk_r,R')\) and obtains \(m={\mathsf {Bi_s.Dec}}(\mathcal {P}_s,sk_\mathsf{tmp },T)\).

• \(\mathsf{Dec_2}(\mathcal {P},sk,C)\): on input the user secret key \(sk\) and a second level ciphertext \(C\), this algorithm runs \({\mathsf {Bi_s.Dec}}(\mathcal {P}_s,sk_s,C)\) to retrieve \(m\).

Remark 1

As explained in their paper, Chow et al. [6] make use, for the secret key of the second level encryption, of a random sum of two secret keys \(sk_1+\mathcal {H}_4(pk_2).sk_2\), where \(\mathcal {H}_4\) is a hash function. As \(sk_1\) is only used in this second level encryption, we have decided in our generic construction to replace this sum by a single secret key which will be used only for the second level encryption.

The two following theorems give the security of this construction.

Theorem 2

The scheme achieves the \(\mathsf{IND-RCCA }\) security of \(\mathsf{Enc_1}\) and \(\mathsf{Uni.ReEnc}\).

Theorem 3

The scheme achieves the \(\mathsf{IND-RCCA }\) security of \(\mathsf{Enc_2}\).

1.4 B.4 Proof of Theorem 2

In fact, a level 1 ciphertext can be seen as two ciphertexts: one related to a random token \(h\) and the other related to the message and encrypted with the \(h\). Therefore both \(\mathsf{Enc_1}\) and \(\mathsf{Uni.ReEnc}\) securities depend on the security of those two encryptions, which are supposed to be secure – with \(\mathsf{RCCA }\) restrictions and not \(\mathsf{CCA }\) ones due to this concatenation.   \(\square \)

1.5 B.5 Proof of Theorem 3

Let \(\mathcal {A}\) an adversary against the \(\mathsf{Enc_2}\) security, \(\mathcal {B}\) the algorithm to break the security of one of the two BPRE \(Bi_s\) and \(Bi_r\). Due to limited space, we only give the idea of the proof and we will provide a complete proof in the full version. Let \(q_{sk}\), \(q_{u}\), \(q_{bf}\) and \(q_{bs}\) be the number of queries to the secret key generation oracle, to the unidirectional re-encryption key generation oracle, to the bidirectional re-encryption key for first level oracle and to the bidirectional re-encryption key for second level oracle. We separate entities in two sets by using the Coron’s technique [7]: for an entity, \(c\) (for an entity \(i\), \(c\) is noted \(c_i\)) is a bit set to \(h\) with probability \(\frac{1}{1+q_{sk}+q_{u}+q_{bf}+q_{bs}}\) and to \(\bot \) otherwise. \(h\) is chosen to designate entities considered as honest by \(\mathcal {B}\) during all the simulation. Those entities are potential challenge entities. If the adversary queries for some requests involving such an entity - details of those queries are given in the simulation -, then \(\mathcal {B}\) aborts. The probability mentioned before minimizes the event “\(\mathcal {B}\) aborts” during different oracle’s queries. Then we separate the set of entities with \(c_i=\bot \) into two different sets (\(c_i=k\) and \(c_i=r\)) depending on different oracles’ queries. Definition of \(k\) and \(r\) are linked and defined as follows:

• if the adversary queries for a request to obtain the secret key of an entity \(\mathsf i \), not considered as honest by \(\mathcal {B}\) and such that the adversary has not already obtained a unidirectional re-encryption key from an honest entity \(i\) to this entity \(\mathsf i \), then \(\mathcal {B}\) returns the secret key and sets \(c_\mathsf i \) to \(k\). \(k\) is helpful for \(\mathcal {B}\) to remember that \(\mathsf i \) can not be involved in a unidirectional re-encryption key from an entity \(i\) as this last one is potentially the challenge entity.

• if the adversary queries for a request to obtain the unidirectional re-encryption key from an honest entity \(i\) to an entity \(\mathsf i \) not considered as honest by \(\mathcal {B}\) and not already corrupted by the adversary, then \(\mathcal {B}\) sets \(c_\mathsf{i }\) to \(r\). \(r\) is helpful for \(\mathcal {B}\) to remember that \(\mathsf i \) can not be corrupted as the entity \(i\) involved in this re-encryption key is potentially the challenge entity.

The Coron’s trick and its different values \(h\), \(r\) and \(k\) help \(\mathcal {B}\) to manage the adaptive corruption model. \(\mathcal {B}\) maintains four lists: \(\mathcal {K}^{\mathsf {list}}\), \(\mathcal {R}_{{\mathsf {Uni}}}^{{\mathsf {list}}}\), \(\mathcal {R}_{{\mathsf {Bi}1}}^{{\mathsf {list}}}\) and \(\mathcal {R}_{{\mathsf {Bi}2}}^{{\mathsf {list}}}\) which are initially set as empty and which will store respectively public/secret keys, unidirectional and (level 1 and 2) bidirectional re-encryption keys. The oracle are defined as follows.

• \(\mathsf {KeyGen}(\kappa )\): if \(c=h\), then \(\mathcal {B}\) queries for \(\mathsf{OBi_s.Keygen}(\kappa )\) for an honest entity and obtains \(pk_s\). It runs \({\mathsf {Bi_f.KeyGen}}(\kappa )\) and \({\mathsf {Bi_r.KeyGen}}(\kappa )\) to obtain \((sk_f,pk_f)\) and \((sk_r,pk_r)\). Then it defines \(pk=(pk_f,pk_s,pk_r)\) and \(sk=(sk_f,\bot ,sk_r)\) and adds \((pk,sk,c)\) to \(\mathcal {K}^{\mathsf {list}}\). If \(c=\bot \), \(\mathcal {B}\) queries for \(\mathsf{OBi_s.Keygen}(\kappa )\) for a corrupted entity and obtains \((sk_s,pk_s)\). It runs \({\mathsf {Bi_f.KeyGen}}(\kappa )\) and \({\mathsf {Bi_r.KeyGen}}(\kappa )\) to obtain \((sk_f,pk_f)\) and \((sk_r,pk_r)\). Then it defines \(pk=(pk_f,pk_s,pk_r)\) and \(sk=(sk_f,sk_s,sk_r)\) and adds \((pk,sk,c)\) to \(\mathcal {K}^{\mathsf {list}}\).

• \(\mathsf{OSecKey}(pk)\): \(\mathcal {B}\) recovers \((pk,sk,c)\) from \(\mathcal {K}^{\mathsf {list}}\). If \(c=h\) or \(r\), \(\mathcal {B}\) aborts. If \(c=\bot \), it returns \(sk\) to \(\mathcal {A}\), redefines \(c=k\) and updates it in \(\mathcal {K}^{\mathsf {list}}\).

• \({\mathsf {OUni.ReKG}}(pk_i,pk_\mathsf i )\): recover both entries \((pk_i,sk_i,c_i)\) and \((pk_\mathsf i ,sk_\mathsf i ,c_\mathsf i )\) from \(\mathcal {K}^{\mathsf {list}}\). Then \(\mathcal {B}\) proceeds as follows. If \(c_i=h\) and \(c_\mathsf i =\bot \), it redefines \(c_\mathsf i =r\) and updates it in \(\mathcal {K}^{\mathsf {list}}\). Create a new virtual entity \(i\mathsf i \) and run \({\mathsf {Bi_s.KeyGen}}(\kappa )\) to obtain \(pk_{i\mathsf i }\), query \(\mathsf{OBi_s.ReKeygen}(pk_{i,s},pk_{i\mathsf i })\) to obtain \(R_{i\leftrightarrow i\mathsf i ,s}\). Create a new virtual entity \(i\mathsf i '\) and run \({\mathsf {Bi_s.KeyGen}}(\kappa )\) to obtain \((sk_{i\mathsf i '},pk_{i\mathsf i '})\) and run \(R_{i,\mathsf i }={\mathsf {Bi_r.Enc}}(sk_{i\mathsf i '},pk_\mathsf{i ,r})\). Return the unidirectional re-encryption key \(R_{i\rightarrow \mathsf i }=(R_{i\leftrightarrow i\mathsf i ,s},R_{i,\mathsf i })\). \(\mathcal {B}\) adds the tuple \((pk_i,pk_\mathsf i ,pk_{i\mathsf i },sk_{i\mathsf i '},\bot ,R_{i\leftrightarrow i\mathsf i ,s},R_{i,\mathsf i })\) to \(\mathcal {R}_{{\mathsf {Uni}}}^{{\mathsf {list}}}\). If \(c_i=h\) and \(c_\mathsf i =k\), then \(\mathcal {B}\) aborts and outputs “failure”.

• \({\mathsf {OBi.ReKG_2}}(pk_i,pk_j)\): recover both entries \((pk_i,sk_i,c_i)\) and \((pk_j,sk_j,c_j)\) from \(\mathcal {K}^{\mathsf {list}}\). If \(c_i=c_j=h\) then query \(\mathsf{OBi_s.ReKeygen}(pk_{i,s},pk_{j,s})\) to obtain \(R_{i\leftrightarrow j,s}\) and output it as the bidirectional re-encryption key at second level. Then add the tuple \((pk_i,pk_j,R_{i\leftrightarrow j,s})\) to \(\mathcal {R}_{{\mathsf {Bi}2}}^{{\mathsf {list}}}\).

• \({\mathsf {OBi.ReKG_1}}(pk_,i,pk_j)\): recover both entries \((pk_i,sk_i,c_i)\) and \((pk_j,sk_j,c_j)\) from \(\mathcal {K}^{\mathsf {list}}\). If \(c_i=h\) and \(c_j\ne h\) or if \(c_j=h\) and \(c_i\ne h\), then \(\mathcal {B}\) aborts and outputs “failure”. \(\mathcal {B}\) proceeds as in the scheme in the other cases.

• \({\mathsf {OUni.ReEnc}}(pk_i,pk_\mathsf i ,C_i)\) with \(c_i=h\), \(c_\mathsf i =k\) and \(C\) a ciphertext different from the challenge - this last condition is unnecessary during the first phase: \(\mathcal {B}\) recovers \(sk_i=(sk_{i,f},sk_{i,s},sk_{i,r})\) and \(pk_\mathsf i =(pk_\mathsf{i ,f},pk_\mathsf{i ,s},pk_\mathsf{i ,r})\) from \(\mathcal {K}^{\mathsf {list}}\) and proceeds as follows. If there is an entry \((pk_i,pk_\mathsf i ,\bot ,sk_{i\mathsf i '},pk_{i\mathsf i '},\bot ,R_{i,\mathsf i })\) in \(\mathcal {R}_{{\mathsf {Uni}}}^{{\mathsf {list}}}\), then it queries \(\mathsf {OBi_s.Decrypt}(pk_{i,s},C)\) to obtain \(m\), run \({\mathsf {Bi_f.Enc}}(pk_\mathsf{i ,r},{\mathsf {Bi_s.Enc}}(pk_{i\mathsf i '}\), \(m))\) to obtain \(C_\mathsf{i ,1}'\) and then outputs the first level ciphertext \(C_\mathsf i '=(C_\mathsf{i ,1}',R_{i,\mathsf i }')\). If there is no such entry in \(\mathcal {R}_{{\mathsf {Uni}}}^{{\mathsf {list}}}\), then it creates a new virtual entity \(i\mathsf i '\) and run \({\mathsf {Bi_s.KeyGen}}(\kappa )\) to obtain \(sk_{i\mathsf i '}\) and \(pk_{i\mathsf i '}\). It runs \({\mathsf {Bi_r.Enc}}(pk_\mathsf{i ,r},sk_{i\mathsf i '})\) and add \((pk_i,pk_\mathsf i ,\bot ,sk_{i\mathsf i '},pk_{i\mathsf i '},\bot ,R_{i,\mathsf i })\) in \(\mathcal {R}_{{\mathsf {Uni}}}^{{\mathsf {list}}}\) and then proceeds as in the first case.

• \({\mathsf {OBi.ReEnc_2}}(pk_i,pk_j,C_i)\) with \(c_i=c_j=h\): \(\mathcal {B}\) queries \(\mathsf{OBi_s.ReEncrypt}(pk_i,pk_j,C_i)\) to obtain \(C_j\) and outputs it to \(\mathcal {A}\).

• \({\mathsf {OBi.ReEnc_1}}(pk_i,pk_j,C_i)\): \(\mathcal {B}\) proceeds as in the scheme.

• \(\mathsf{ODec_1}(pk,C')\) with \(pk\) honest - \(c\ne k\): on input a first level ciphertext \(C'=(C_1',R')\). Recover \(sk=(sk_f,sk_s,sk_r)\) from \(\mathcal {K}^{\mathsf {list}}\). Compute \(T={\mathsf {Bi_f.Dec}}(sk_f,C_1')\) and \(sk_\mathsf{tmp }={\mathsf {Bi_r.Dec}}(sk_r,R')\). If there is an entry \((pk_i,pk_\mathsf i ,sk_{i\mathsf i },sk_\mathsf{tmp },\bot ,R_{i\leftrightarrow i\mathsf i ,s},R_{i,\mathsf i })\) in \(\mathcal {R}_{{\mathsf {Uni}}}^{{\mathsf {list}}}\), then return \(m={\mathsf {Bi_s.Dec}}(sk_{i\mathsf i },T)\) or \(\perp \) if one decryption algorithm returns \(\perp \). If there are any such entry, proceed as in the scheme.

Regarding the challenge phase, \(\mathcal {A}\) outputs \(\{pk_{i_j}\}_{j=1..\ell '}\) and two messages \(m_0\) and \(m_1\). If the Coron’s trick \(c_{i_\ell }\) associated to \(pk_{i_\ell }\) – entity outputted by \(\mathcal {A}\) during the challenge – is different from \(h\), then \(\mathcal {B}\) aborts. \(\mathcal {B}\) recovers different re-encryption keys needed in the following execution or defined it as in different re-encryption key generation oracles. Then, \(\mathcal {B}\) outputs \((m_0,m_1,\{pk_{i_j,s}\}_{j=1..l'} ,st)\), receives the challenge \(C_{\ell }^*\) and gives it to \(\mathcal {A}\).   \(\square \)

C Security Proofs for Our Practical Construction

Regarding the security related to \(\mathsf {Enc}_2\), the proof is the same as the one the scheme [9] with some adaptations to include bidirectional re-encryption keys. The idea is to use the Coron’s trick [7] on uncorrupted keys: a public uncorrupted key \(pk\) with a trick \(c=0\) (resp. \(c=1\)) is computed as \(pk=(g^{(a^2)})^x\) (resp. \(pk=(g^a)^x\)). If the two keys \(pk_i\) and \(pk_j\), output by the adversary, have the same Coron’s trick (so of the form \(a^2.x\) or \(a.x\)), it is possible to compute the bidirectional re-encryption key corresponding as \(x_i/x_j\) (which one can be computed). One can choose the distribution related to \(c=0\) or 1, so that this is almost always the case. The value \(T=e(g, g)^{b/{a^2}}\) is used in \(C_3=m_{\delta }\cdot T\) which is given to the adversary.

Regarding the security related to \(\mathsf {Enc}_1\) and \(\mathsf {ReEnc}\), the proof is also the same and the above adaptations can be similarely applied, except that we do not use Coron’s trick. Indeed, all uncorrupted keys have the same form: \((g^a)^x\).   \(\square \)