Can proxy re-encrypted cyphertext be identical to encrypted text by the target?

Question

I have the following basic set-up for my question, I am getting to learn about proxy re-encryption and so far what I have looked at in more detail is this re-encryption algorithm from IronCore Labs and their Rust library. It is a multi hop re-encryption scheme (re-encryption steps can be chained), but I do not care so much about this property.

Alice and Bob each have their own public-private key pair and a unidirectional re-encryption algorithm. Alice encrypts $m$ with her $pb_a$ and obtains $C_a$. She also creates a re-encryption key $r_{a-to-b}$ using her $sk_a$ and $pb_b$ of Bob (Bob's public key).

After applying the re-encryption step on $C_a$, using $r_{a-to-b}$, we would obtain $C_a'$.

Bob also knows the message $m$ and he obtains $C_b$.

Question: Does or can $C_a' == C_b$ be a true statement?

Where I want to get with this: Can we check publicly that a re-encryption key is valid and transforms cyphertext from a key pair to another? Without using any of the secret keys, only the re-encryption key under question and the public keys of the parties. In my mind it would sound logical that $C_a' == C_b$ and this would be a nice check that the re-encryption key is valid, but I could not find any information regarding such checks. Actually, I could not find any public checks that verify a re-encryption key is valid.

Thanks in advance!

Answer 1

Can $C'_a == C_b$ ?

Short answer: Yes! In fact, what you seem to be asking here was defined as "proxy invisibility" by Ateniese et al (see https://eprint.iacr.org/2005/028.pdf); in short, this means that it's not possible to know if a re-encrypted ciphertext was the result of a re-encryption or produced by the original sender. There's a stronger notion called "perfect key-switching", proposed by yours truly, which I also suspect can be of interest to you (see https://nics.uma.es/pub/papers/nunez2017proxy.pdf); in this notion, re-encryption cleanly "switches" the public key of the original ciphertext, respecting the original randomness, so the resulting re-encryption is identical to an encryption with the target public key and the original randomness. Note that with proxy invisibility, the original randomness may be altered.

Long answer: Note that I talked about randomness before, and this is important. In your original question, you are asking if Bob, knowing the message, can produce the same ciphertext. However, in any public key encryption scheme, the randomness used during encryption is essential to guarantee at least IND-CPA security (see Can you help me understand indistinguishably as described in the CPA security definition?), and it's usually not known by the recipient. Hence, in general for any IND-CPA proxy re-encryption scheme (which is the most basic security notion for PRE), even if someone knows the underlying message, they wouldn't know the original randomness, and the ciphertext produced would be different.

---

Can we check publicly that a re-encryption key is valid and transforms cyphertext from a key pair to another? Without using any of the secret keys, only the re-encryption key under question and the public keys of the parties.

This is a very interesting question! I would say that your original intention is somewhat related to the IND-CCA security notion (see e.g., https://eprint.iacr.org/2007/171.pdf). Note how in the re-encryption step in section 3.2, the proxy can evaluate if the result is a valid ciphertext.

However, this would only be telling you that either the original ciphertext or the re-encryption key was invalid, but not which of them. I don't recall right now seeing any PRE schemes that introduce some validation step on the re-encryption key itself (but I may be wrong, for sure). Let me know if you find anything! I did my PhD thesis on PRE a long time ago, and it's always fun to see interesting PRE questions.