Unidirectional Proxy Re-encryption with Applications to Secure Distributed Storage
The invention consists of three public-key encryption schemes that support �proxy re-encryption�. In a typical public-key encryption scheme, a sender (Alice) may encrypt messages to a recipient Bob under Bob�s public key, such that only Bob may decrypt (and learn the message contents) using his secret key. In our proxy re-encryption schemes, however, Bob may optionally �delegate� one or more other individuals (e.g., Charlie) and allow them to temporarily decrypt his messages. To achieve this, Bob grants a proxy (e.g., some semi-trusted machine) the ability to translate (�re-encrypt�) messages encrypted under Bob�s public key into equivalent messages encrypted under Charlie�s public key. Thus Charlie may decrypt them using his own secret key, and Bob does not have to reveal his secret key to allow this translation. The encryption scheme we describe is provably secure under certain standard mathematical assumptions. This invention has several useful security properties: � The proxy machine does not learn the content of the encrypted messages that it translates, and therefore it not need to be a �trusted� party. � In order to receive messages that have been �re-encrypted� to his key, Charlie does not need to reveal his secrets or otherwise interact with Bob. Furthermore, by receiving re-encrypted messages, Charlie does not compromise the security of any messages encrypted under his own key. � It is possible to encrypt messages such that Charlie does not learn whether the message was originally addressed to him, or was addressed to Bob and then re-encrypted to Charlie by a proxy. � Our scheme has two modes (or �levels�), which senders may choose when encrypting a message. Messages encrypted using the �first level� approach cannot be re-encrypted. Messages encrypted using the �second level� approach can be re-encrypted by a proxy. � The scheme we describe can be retrofitted into existing applications that employ the widely-used Elgamal encryption scheme, e.g., PGP email encryption. � Our scheme protects a portion of the secret key from recovery even in the extreme case that an adversary compromises both the proxy and one of the delegated recipients (e.g., Charlie).
Type of Offer:
« More Communications Patents