Abstract

Proxy re-encryption (PRE) is a cryptographic primitive envisioned by Blaze, Bleumer and Strauss to realise delegation of decryption rights from a delegator to a delegatee via a semi-trusted proxy. The widely accepted model for PRE security prevents the proxy, which is equipped with transformation power, to learn anything about the underlying plaintext. However, such a security notion is not sufficient in practical scenarios wherein the proxy could be corrupted. In this work, we study an attractive property of PRE, namely non-transferability that prevents the colluding proxy and the delegatee from re-delegating decryption rights to a malicious user. In Pairing 2010, a CPA secure non-transferable identity-based PRE scheme was presented in the random oracle model. In this work, we show that the scheme does not realize non-transferability. Also, we formalize the notion of a non-transferable PRE and introduce a security definition for the same. We then present the first provably secure construction of a non-transferable PRE scheme in the PKI setting based on bilinear maps. Our scheme meets chosen ciphertext security and non-transferability in the random oracle model assuming a variant of the decisional bilinear Diffie-Hellman problem.