Proxy Re-Encryption (PRE) allows a ciphertext encrypted using a key pk_i to be re-encrypted by a third party so that it is an encryption of the same message under a new key pk_j, without revealing the message. We define Post-Compromise Security (PCS) in the context of PRE. This ensures that an adversary cannot distinguish which of two adversarially chosen ciphertexts a re-encryption was created from even when given the old secret key and the update token used to perform the re-encryption. We give separating examples demonstrating how PCS is stronger than existing security definitions for PRE achieving similar goals, before showing that PCS can be achieved using a combination of existing security properties from the literature. In doing so, we show there are existing PRE schemes satisfying PCS. Finally, we give a construction demonstrating that natural modifications of practical PRE schemes prov-ably have PCS directly, without incurring overheads from the security reductions we have shown, and from weaker assumptions than existing schemes.
展开▼