In ReKeyGen step of section 5.2 of paper Fast Proxy Re-Encryption for Publish/Subscribe Systems, the policy authority calculates γ_i = θ_i − s · (2^r)^i. θ_i is public key of subscriber generated in Preprocess step. Wouldn’t subscriber be able to decrypt s (Proxy authority’s private key) from γ_i with their private key s* ?
Hi @jmall,
Thank you for your question. The assumption there was that the re-encryption key would not be shared with the subscriber.
Note that there has been further progress in this field, e.g., What about Bob? The Inadequacy of CPA Security for Proxy Reencryption OpenFHE currently implements significantly improved variants of the BV-PRE scheme originally proposed in Fast Proxy Re-Encryption for Publish/Subscribe Systems, which incorporate several changes, including addition of noise flooding and re-randomization. For instance, the most secure variant achieves HRA security. A paper describing these variants will be shared a little bit later (not publicly available yet).
1 Like
The paper describing the HRA variant of PRE is now available at HRA-Secure Homomorphic Lattice-Based Proxy Re-Encryption with Tight Security
1 Like